Former Member

Encryption types in PI 7.31 SP11

Hi Experts,

The scenario in PI is to drag the file from the NFS folder of ECC and drop it on the Intermediate server after encrypting it using the public key. From the Intermediate server the Bank picks up the files by configuring the schedulers on the Intermediate server. So when I made the statement to the Bank people that "I understand you need us to encrypt the file using PGP with AES128 algorithm for which we need public key from your end", they replied saying that "We will be only using AES 128 algorithm, PGP will not be used".

My question is: if PI encrypts using the PGP module, will it be possible for the bank to decrypt it by their own mechanism, or should I request them to decrypt using only PGP? Please suggest.



Thanks,

Nithin.


6 Answers

  • Best Answer
    Posted on Feb 03, 2016 at 04:38 PM

    Hi Nithin,

    When you say that you tend to use a public key to encrypt outgoing messages, I would assume you deal with asymmetric encryption (where a pair of private and public keys makes sense), please confirm this. In symmetric encryption, there is no such differentiation between keys as private and public, there is only one single key used for encryption and decryption operations.

    Next, I'd rather differentiate cryptographic standards and algorithms vs. cryptographic systems. AES is a cryptographic standard. AES 128 is an AES cryptographic standard which indicates a 128 bit key is used for an AES cipher.

    PGP is one of the cryptographic systems which implement encryption / decryption functionality based on given cryptographic algorithms and compliant with specific cryptographic standards.

    Having written so, it isn't accurate to compare PGP and AES - it is like comparing apples and oranges. The adapter modules PGPEncryption / PGPDecryption of SAP PI/PO use the PGP cryptographic system to encrypt / decrypt messages, and implement / support several cryptographic standards and algorithms, AES-128 being one of them. So if you need to encrypt the outgoing file with an algorithm compliant with AES-128, the PGPEncryption adapter module available in SAP PI/PO shall fulfil this requirement.


    Recipient (bank system) can use any cryptographic system (PGP or some other system) that implements AES-128 and that is capable of decrypting incoming files, it shall work fine.

    Regards,

    Vadim


    • Former Member

      Hi Vadim,

      Thank you very much for the detailed explanation. In my case it is the asymmetric type. Hence, PI should encrypt it by AES128 in the PGP module in the receiver channel using the public key provided by them. The Bank will pick up the encrypted file posted by PI from the Intermediate server to their system, and the user from the bank should be able to decrypt it again by their own cryptographic system [other than PGP].

      Thanks,

      Nithin.

  • Posted on Feb 04, 2016 at 09:55 AM

    Hi Nithin,

    As the public key is given to you by the Bank, they will have the private key to decrypt it. Whatever algorithm you use to encrypt, they will be able to decrypt it using the private key.

    1. Have the JCE updated for PGP to work.

    2. The intermediate location should not do any change or do any encoding on the encrypted file.

    Regards,

    Vikas


  • Former Member
    Posted on Feb 05, 2016 at 07:03 AM

    Hi Vikas,

    Thanks for your time. As elaborated by Vadim, even though PI encrypts with the PGP cryptographic system, using the Bank's public key and the AES128 algorithm, the Bank's user should, after the file is picked up from the intermediate server, decrypt it using their own private key with any cryptographic system other than PGP. Please find my comments below:

    1. Have the JCE updated for PGP to work?

    - No, not yet. Is it required for AES 128 also? I mean, do we have any URL to check whether AES 128 is supported or not, similar to what we do for Blowfish (URL: http://<host>:<port>/BC//VerifyJCE) as per the link "B2B Adapters - Updating to JCE Unlimited Strength Jurisdiction Policy"?

    2. The intermediate location should not do any change or do any encoding on the encrypted file.

    - Here, Intermediate server is just a physical server for PI to post the files and where the schedulers are installed to transfer.

    Thanks,

    Nithin.


    BC.jpg (11.3 kB)

  • Posted on Feb 03, 2016 at 03:22 PM

    Hi Nithin,

    When you talk about PGP there are 2 ways:

    • Symmetric: for this you need to use a unique key (or call it a password) which is used for both encryption and decryption of data.
    • Asymmetric: in this case keys (certificates/private/public key) are shared between parties, which are used for encryption (public) and decryption (private).

    In your case I guess the Bank is asking to encrypt with AES with the symmetric method, in which case there would be no exchange of certificates; you only need to decide a unique key (password) and share the same with the bank, and they decrypt it. Better get a confirmation on this with them first.

    Br,

    Manoj


  • Former Member
    Posted on Feb 12, 2016 at 11:52 AM

    Hi Experts,

    When I requested the bank team to provide me the public key to implement the above scenario and also, to be doubly sure, enquired whether they need the symmetric or asymmetric type of encryption, they replied as below:

    "We are providing two layers of encryption.

    1. File encryption- we will use AES 128 bit encryption for encrypt the file which is a symmetric encryption.

    2. Later the file will be transferred through sftp which using RSA which is an asymmetric encryption. Client will share their public key and we configure at our end."

    Please find the attached snippet explaining the process flow. My question is: to implement the interface they will provide the public key, which will be used in PI to encrypt it, and later they decrypt it using their private key, but why do they need a public key from the sender in this scenario? Or how are bank interfaces designed generally: do they need PI to encrypt it, or will the cuteFTP client installed on a Windows machine encrypt it before transferring it to the bank server in this case? If PI does not encrypt it, I mean just drags and drops the file, then what might the security consequences be? Can you please help me in this regard.

    Thanks,

    Nithin.


    Screenshot002.jpg (30.9 kB)

    • Hi Nithin,

      It is pretty straightforward.

      1. They will share the public key with you and you will encrypt in AES 128 and send to them; they will decrypt it.

      2. Later they have to send it to some client (maybe the sender again, as a confirmation copy or something), so they send it to them via sftp. You don't have to be involved in this; it is between those 2 parties, whatever asymmetric/symmetric approach they use.

      What I understood is you have to do symmetric encryption in AES128, that is all.

      Regards,

      Vikas

  • Former Member
    Posted on Feb 15, 2016 at 10:53 AM

    Hi Vikas,

    Thank you for the reply.

    The requirement got changed, here I am using ICO to drag and drop the file from ECC NFS to FTP. They replied saying:

    "We will provide the encryption utility in the form of java binary file(.jar) file and we need to call the jar file once the payment file is generated from their erp in order to encrypt the payment files "

    Is it possible to encrypt the file using the .jar? Or could it be done easily by the ABAP team? Or should I request them to provide me the public key?

    Thanks,

    Nithin.


    • Former Member Vikas Kumar Singh

      Hi Vikas,

      Thanks for your response!

      The client has given us a JAR file. If it is placed in some physical path, I can call the JAR file by giving the full path of the file including the file name, and can encrypt a file manually; the encrypted file is generated in the same folder where the actual file is placed, with a file name starting with the letter "e" followed by the actual file name. But please suggest how to achieve this automatically using the command line feature in SAP PI.

      I could encrypt manually by using the command highlighted here in cmd: " java -jar <<name of the jar file>>.jar <<full path of the file>> ". Now I need to do the same using a .sh file in Linux and call it in PI.

      The highlighted excel file is the encrypted file produced after executing the commands in the first screenshot in cmd manually. Can you please help with the script and .sh files in Linux, and an example of the syntax to be given in the command line feature of the PI receiver/sender channel? As explained above, this is a drag and drop scenario; I am not using mapping objects here.

      Thanks,

      Nithin.

      jar.jpg (22.5 kB)
      snip.jpg (25.8 kB)
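
One way to script the manual `java -jar` step described in the last comment, as an added example that is not part of the thread or of the bank's utility. The jar path, the outbound folder and the function name are assumptions; the script hands a file over only when the jar produced a fresh, non-empty `e<name>` output that differs from the plaintext.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around a vendor-supplied encryption jar.
# Assumed (not from the thread): BANK_JAR, OUTBOUND_DIR and JAVA_BIN values.
# From the thread: the jar takes the full file path and writes "e<name>"
# into the same folder as the input file.
BANK_JAR="${BANK_JAR:-/path/to/bank-encrypt.jar}"   # placeholder
OUTBOUND_DIR="${OUTBOUND_DIR:-/path/to/outbound}"   # placeholder: folder the transfer scheduler reads
JAVA_BIN="${JAVA_BIN:-java}"

encrypt_payment_file() {
    src=$1
    # Only an existing, non-empty regular file is accepted.
    if [ ! -f "$src" ] || [ ! -s "$src" ]; then
        echo "input missing or empty: $src" >&2; return 2
    fi
    dir=$(cd "$(dirname "$src")" && pwd) || return 2
    name=$(basename "$src")
    enc="$dir/e$name"
    # A stale result from an earlier run must not pass for a fresh one.
    rm -f "$enc"
    # Quoted arguments: spaces or shell metacharacters in the file name
    # reach the jar as data and are never interpreted by the shell.
    if ! "$JAVA_BIN" -jar "$BANK_JAR" "$dir/$name"; then
        echo "encryption jar failed for $name" >&2; rm -f "$enc"; return 3
    fi
    # Fail closed: the result must exist, be non-empty and differ from the input.
    if [ ! -s "$enc" ]; then
        echo "no encrypted output for $name" >&2; return 4
    fi
    if cmp -s "$dir/$name" "$enc"; then
        echo "output equals plaintext for $name" >&2; rm -f "$enc"; return 5
    fi
    # Only the encrypted copy enters the pickup folder; plaintext stays in staging.
    mv "$enc" "$OUTBOUND_DIR/e$name" || return 6
    printf '%s\n' "$OUTBOUND_DIR/e$name"
}

# Entry point when called with a file argument, e.g. from a channel's OS command line.
if [ "$#" -ge 1 ]; then
    encrypt_payment_file "$1"
fi
```

In a file adapter channel the script would be called with the absolute file name placeholder (`%F`) as its single argument. Writing the plaintext to a staging folder that the transfer scheduler does not read keeps the unencrypted payment file out of the bank's pickup path.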
