HCI: Using PGP message level security in HCI


Introduction

HCI comes packed with a lot of security related features. For message level security, it supports the OpenPGP standard. This is a commonly used standard in emails as well as file-based integrations.

 

In this blog, I will share how to create and deploy the OpenPGP keys, as well as usage examples for PGP encryption and decryption in HCI.

 

 

Component Details

As HCI is a cloud solution with automatic rolling updates, these steps are valid for the following versions and may change in future updates.

Below are component versions of the tenant and Eclipse plugins.

HCI Tenant Version: 2.8.5

Eclipse Plugin Versions: Adapter 2.11.1, Designer 2.11.1, Operations 2.10.0

 

 

Required PGP Software

The online HANA Cloud documentation below details the steps required to create the keys using Gpg4win.

Creating OpenPGP Keys

 

However, the steps there are directed more towards tenants managed by SAP, and some of them can be skipped. I found that the steps can be simplified by just following the Generating Key Pairs section of the Wiki below, which is used for PGP encryption/decryption in PI.

Generating ASCII Armored PGP Key Pairs - Process Integration - SCN Wiki

 

Both methods require the installation of the Gpg4win tool. Additionally, during the installation, I recommend installing Kleopatra, which comes with Gpg4win. It is a GUI-based certificate manager and unified crypto GUI, which I will use for the examples in the following sections.

 

 

Creating OpenPGP Keys

Following the steps in the above Wiki, launch the command prompt to execute Gpg4win. Execute the following command:

gpg --gen-key

 

When Gpg4win is executed for the first time, the secret and public key rings will be created in the following folder.

C:\Users\<user>\AppData\Roaming\gnupg

Enter the following details based on the instructions of the program:

  • Key type - RSA and RSA (default)
  • Keysize - 2048
  • Validity - key does not expire
  • Real name & email address - <provide own details>
  • Passphrase - <enter passphrase to secure secret key ring>

 

genkey.png

 

Once everything has been entered, the public and secret key pair will be generated.

keys.png

 

 

Deploying OpenPGP Keys

In order to use the keys, the keyrings have to be deployed into the HCI tenant.

 

Right click on the tenant in Node Explorer and select Deploy Artifacts.

deploy.png

 

First, select PGP Public Keyring and select the public keyring file that was generated above.

pubkey.png

 

Repeat the above steps for PGP Secret Keyring. This will require the passphrase that was used during generation of the keyring above.

 

Once both keyrings have been deployed, they can be viewed on the Deployed Artifacts tab of the tenant.

artifacts.png

 

 

Usage Example 1 - Encrypting & Signing

For the purpose of the following examples, another OpenPGP key pair has been generated which is used to represent the external partner that HCI will integrate with. This key pair is generated under the name PGP Partner.

 

For the first example, HCI will encrypt and sign the message. The encrypted and signed message will then be transmitted to the partner where it will be verified and decrypted. Below is the required set up in HCI for this scenario.

  • Encryption with partner's public key
  • Signed with own private key

 

To simplify the example, the iFlow is designed with a static content in a Content Modifier and the output message is routed to an HTTP receiver.

iflow1.png

 

The PGP Encryptor function is configured as follows:

  • Signatures are included in the message
  • Encryption algorithm using AES 256
  • Compression algorithm using ZLIB
  • Output in ASCII Armored format
  • Encryption using PGP Partner's public key
  • Signing algorithm using SHA 256
  • Signing using own private key

encrypt.png

sign.png

 

The Content Modifier is populated with the following static text in the message body.

content1.png

 

After the iFlow is deployed and executed, the following encrypted PGP message is sent to the HTTP receiver.

msg1.png

 

The encrypted message is extracted and saved as a text file. We will then use Kleopatra to decrypt and verify the file.

kleo1.png

 

The result from Kleopatra is shown below. The signature corresponds to the signing configuration in HCI.

kleo_result1.png

 

And the decrypted content matches the original content.

output1.png

 

 

Usage Example 2 - Decrypting & Verifying

The second example is the reverse of the first example. This time round, Kleopatra will be used to simulate encryption and signing of the message by an external partner. The encrypted message will then be decrypted and verified by HCI.

 

Below is the required setup in HCI for this scenario.

  • Verification using partner's public key

 

This example will also use a simplified iFlow setup where the encrypted content is statically configured in the iFlow, and the decrypted output message will be routed to an HTTP receiver.

iflow2.png

 

The PGP Decryptor is configured as follows:

  • Verification of signatures is mandatory
  • Verification using PGP Partner's public key

 

Note that the decryption key does not need to be specified in the function, as it is determined implicitly from the message content (the key ID in the encrypted message identifies which deployed secret key to use).

decrypt.png

 

To complete this configuration, we first need to create an encrypted message to simulate content from the external partner.

 

The content of the following file will be encrypted and signed using Kleopatra.

input.png

kleo_encrypt.png

 

The output will be in ASCII armored format.

kleo_encrypt2.png

 

The public key representing HCI is selected during encryption by Kleopatra.

kleo_encrypt3.png

 

Subsequently, Kleopatra will sign using the partner's private key.

kleo_encrypt4.png

 

After the content has been encrypted and signed using Kleopatra, it is populated in the message body of the Content Modifier.

kleo_encrypt5.png

 

content2.png

 

Once all configuration is complete, the iFlow is deployed and executed. At the HTTP receiver, the following decrypted output is transmitted, which matches the original content.

output2.png
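To make both scenarios reproducible outside the tenant, here is an added example (not from the original post, and not HCI's own code) that replays them with the gpg command line: key generation with the choices made above, Example 1 (HCI signs and encrypts, the partner decrypts and verifies) and Example 2 (the partner signs and encrypts, HCI decrypts with the key selected from the message and insists on a good signature). The names, e-mail addresses, passphrase and message texts are constructed for the demo.

```shell
# Added example, not from the original post: the two HCI scenarios replayed with
# the gpg command line so each side's settings and the verification result can be
# inspected. Names, e-mail addresses, passphrase and message texts are constructed.
set -eu
export GNUPGHOME="$(mktemp -d)"   # throw-away keyrings, like a fresh gnupg folder
chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"
PASS='hci-demo-passphrase'        # constructed; protects the secret keyring
G="gpg --batch --yes --quiet --pinentry-mode loopback --passphrase $PASS --trust-model always"

# Unattended form of the "gpg --gen-key" dialogue with the choices made above:
# RSA and RSA, 2048 bit, key does not expire, secret key protected by a passphrase.
make_key() {   # $1 = real name, $2 = e-mail address
  $G --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $1
Name-Email: $2
Expire-Date: 0
Passphrase: $PASS
%commit
EOF
}
make_key 'HCI Tenant' hci@example.com        # HCI's own key pair (the deployed keyrings)
make_key 'PGP Partner' partner@example.com   # the external partner's key pair

# PGP Encryptor settings of Example 1: AES 256, ZLIB, SHA 256 signature, ASCII armor.
encrypt_and_sign() {   # $1 = signer, $2 = recipient, $3 = plaintext file, $4 = armored output
  $G --local-user "$1" --recipient "$2" --cipher-algo AES256 --compress-algo zlib \
     --digest-algo SHA256 --armor --sign --encrypt --output "$4" "$3"
}
# PGP Decryptor with mandatory signature verification: gpg selects the decryption key
# from the message itself, and the status output must report GOODSIG from the signer.
decrypt_and_verify() {   # $1 = armored input, $2 = plaintext output, $3 = expected signer
  status="$($G --status-fd 1 --decrypt --output "$2" "$1")"
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] GOODSIG .* <$3>"
}
# Example 1: HCI encrypts for the partner and signs; the partner decrypts and verifies.
printf 'Hello from HCI\n' > "$WORK/plain1.txt"
encrypt_and_sign hci@example.com partner@example.com "$WORK/plain1.txt" "$WORK/msg1.asc"
decrypt_and_verify "$WORK/msg1.asc" "$WORK/out1.txt" hci@example.com
cmp -s "$WORK/plain1.txt" "$WORK/out1.txt"   # set -e: abort if any step fails
# Example 2: the partner encrypts for HCI and signs; HCI decrypts and verifies.
printf 'Hello from the partner\n' > "$WORK/plain2.txt"
encrypt_and_sign partner@example.com hci@example.com "$WORK/plain2.txt" "$WORK/msg2.asc"
decrypt_and_verify "$WORK/msg2.asc" "$WORK/out2.txt" partner@example.com
cmp -s "$WORK/plain2.txt" "$WORK/out2.txt"
echo "both examples: signature verified and decrypted content matches the original"
```

Both secret keys sit in the same keyring here, so the second decryption shows the point made about the Decryptor: gpg picks HCI's key from the message's key ID without being told which one to use.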

 

 

Conclusion

As shown, PGP message level security can be set up relatively easily in HCI. This helps ensure that message content is protected in cloud-based integrations (especially file-based ones).
