User's Guide
Target Audience
Copyright 2007-2010, AEDAPTIVe Solutions BV. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of AEDAPTIVe. The information contained herein may be changed without prior notice. Some software products marketed by AEDAPTIVe and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, MaxDB, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by AEDAPTIVe Solutions and its affiliated companies (AEGroup) for informational purposes only, without representation or warranty of any kind, and AEDAPTIVe shall not be liable for errors or omissions with respect to the materials. The only warranties for AEDAPTIVe products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by AEDAPTIVe's Support Services and may not be modified or altered in any way. AEDAPTIVe PGP incorporates code copyrighted by The Legion of the Bouncy Castle (www.bouncycastle.org). Used with permission.
AEDAPTIVe Solutions BV
P.O. Box 2011 4200 BA Gorinchem The Netherlands T +31/183/693738 www.aedaptive.com
Contents

1 About This Guide
  1.1 References
2 Short Introduction to PGP
  2.1 Encryption
    2.1.1 Symmetric Key Cryptography
    2.1.2 Public Key Cryptography
    2.1.3 Encryption with PGP
  2.2 Digital Signatures
    2.2.1 Signing Messages Using Message Digests
    2.2.2 Signing and Encrypting Messages
  2.3 Conclusion
3 Technical Features of PGP
  3.1 Public Keys, Private Keys, and Key Ring Files
  3.2 Signing Keys and Encrypting Keys
  3.3 Public Key Algorithms
  3.4 Symmetric Key Algorithms
  3.5 Hash Algorithms
  3.6 Compression
  3.7 ASCII Armoring
4 Key Management
  4.1 Managing Keys with Key Manager
    4.1.1 Creating a New Key
    4.1.2 Importing Keys
    4.1.3 Using the Key Ring Files with PGP Module
  4.2 Managing Keys with PGP Desktop
    4.2.1 Creating a New Key
    4.2.2 Importing Keys
    4.2.3 Using the Key Ring Files with PGP Module
  4.3 Managing Keys with Gnu Privacy Guard
    4.3.1 Creating a New Key
    4.3.2 Importing Keys
    4.3.3 Using the Key Ring Files with PGP Module
5 AEDAPTIVe PGP Module Configuration
  5.1 PGP Encryption Module
    5.1.1 Adding the PGP Encryption Module to a Communication Channel
    5.1.2 Module Parameters
    5.1.3 Dynamic Configuration of the Recipient(s)
  5.2 PGP Decryption Module
    5.2.1 Adding the PGP Decryption Module to a Communication Channel
    5.2.2 Module Parameters
6 Troubleshooting
  6.1 Message Details
  Errors Reported by the PGP Encryption Module
  Errors Reported by the PGP Decryption Module
Index
1.1 References

The following is a list of additional documents and references that provide information that might be useful in relation to this guide:

- AEDAPTIVe PGP Installation Guide
- AEDAPTIVe Release Notes
- Philip Zimmermann's home page: http://www.philzimmermann.com
- Information about PGP on Wikipedia: http://en.wikipedia.org/wiki/Pretty_Good_Privacy
2 Short Introduction to PGP

2.1 Encryption

Encryption, obscuring the contents of a message, has been around since ancient times, but has traditionally been used by the military or by large organizations. Since the digital age, cryptography has become more accessible but has also become more important as we transmit large amounts of sensitive data over the Internet.

2.1.1 Symmetric Key Cryptography

During transport the message is encrypted and cannot be read by anyone who does not have the key. The cryptographic systems used in the Enigma machine and their modern counterparts implement symmetric key cryptography. An important characteristic of this form of cryptography is that a message is encrypted and decrypted using the same key. There are several algorithms, so-called ciphers, that implement symmetric key cryptography, and new ones are still being developed. One of the disadvantages of symmetric key cryptography is that the problem of obscuring the message has been replaced with another one: how to communicate the key while making sure that only the intended recipient receives it. This problem was tackled in the 1970s with the introduction of public key cryptography.
2.1.2 Public Key Cryptography

Public key cryptography uses two keys instead of one: one key, the public key, can be shared with anyone, even with persons that have no business with your data; the other, the private key, needs to be kept secure and should not be shared with anyone, not even with the persons with whom you want to exchange data. This form of cryptography uses advanced mathematics that allows the public key to be used to encrypt messages which can then only be decrypted by someone who has access to the private key. This means that, unlike with symmetric cryptography, you can share your public key freely without compromising the messages that have been encrypted with it. Let's go back to our example and assume that Olivia has gone with the times and wants to use public key cryptography to send a message back to John. The first thing she needs to do is to ask John for his public key. John can give this key to her, but he can also publish it on a message board, as the public key cannot be used to decrypt messages that are encrypted with it. Next Olivia encrypts her message with John's public key and sends it to John. Now John can use his private key to decrypt the data and obtain Olivia's message.
Now this is very convenient, but there is one drawback to public key cryptography: the speed of the encryption and decryption process is considerably slower than with symmetric key cryptography.

2.1.3 Encryption with PGP

PGP combines the two approaches: it generates a symmetric key and encrypts the message with it (fast), and then encrypts that key with the public key of the intended recipient (convenient key exchange). So let's assume John wants to send Olivia a message using PGP. First he generates a random symmetric key, the session key, and encrypts his message with it. Next he uses Olivia's public key to encrypt the session key. The combination of encrypted message and encrypted session key is then forwarded to Olivia. Before she can read the message, she first needs to decrypt the session key with her private key. Then she can use this session key to decrypt the message.
2.2 Digital Signatures

With symmetric key cryptography you need to keep the key you use secret. So if you receive a message that is encrypted with a symmetric key, you know it has to come from someone who has access to that key. And as long as the key is not compromised, this is someone that you trust. One of the characteristics of public key cryptography is that there is no need to keep public keys secret. This is convenient, but it means that anyone can use your public key to encrypt a message to you. Let's go back to our love story and assume that Jeff has got word of the merry message exchange between John and Olivia and is not happy with it. Being the kind of nasty person he is, he believes that he has found a way to end their bliss: he sends a confusing message to John, encrypted with John's public key, as if it came from Olivia.

John, being the gullible guy he is, believes that the message has been sent by Olivia, but actually he has no proof of that. It would be nice if he had a way to verify that the message has really been sent by Olivia. Fortunately public key cryptography can solve this problem by adding a digital signature to a message. It relies on the fact that not only the public but also the private key can be used to transform a message. Of course, when you use your private key to "encrypt" a message it is not really encrypted, as anybody can decrypt it using your public key. However, the fact that they can obtain the original message using decryption does prove something: it proves that the message was processed with your private key. Since that key is by nature private, this proves that the message originated from you, or at least from someone who holds your private key. This transformed message functions as a kind of signature, similar to a signature under a letter. That is why encrypting a message with a private key is not called encryption but signing. For this to work you would have to send both the original message and the signed message to your partner. And if you also want to make sure no one can read the message, you also need to encrypt this package. This not only takes a lot of clock cycles on your computer but also doubles the size of the data.
2.2.1 Signing Messages Using Message Digests

Therefore PGP does not sign the whole message but first creates a so-called message digest: a short, fixed-length hash of the message (see section 3.5). It is this digest, not the message itself, that is signed with the private key.
2.2.2 Signing and Encrypting Messages

Let us go back to our friends one more time to see how John sends a signed and encrypted message to Olivia. First John uses his private key to create a signature for his message. Next he generates a session key and encrypts the signed message with it. Then he uses Olivia's public key to encrypt the session key, so no one but Olivia can decrypt the message. The resulting signed and encrypted message he sends to Olivia. Olivia first has to decrypt the session key with her private key. Then she can use this session key to obtain the signed message. And finally she can use John's public key to validate the signature.

Since John used signing and encryption, he and Olivia enjoy all three benefits of PGP:

Encryption: Because the message has been encrypted with Olivia's public key, only Olivia is able to read it. Nasty characters like Jeff can intercept the message but cannot read it.

Authenticity: Since the message has been signed with John's private key, Olivia can be sure it was really John who created the message and that Jeff has not tampered with its contents, provided she has verified that the public key she checks the signature with really belongs to John (see the remarks on key signing and trust in section 3.2).

Non-repudiation: If John starts to deny his offer in public, Olivia can use the signed message to prove to the world that John really did ask her.
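The exchange of sections 2.1.3 and 2.2.2 in working code, as an added example that is not part of this guide and not code from the AEDAPTIVe PGP Module: the stand-alone Go program below uses only the Go standard library, so it does not produce OpenPGP packets, but it performs the same steps in the same order. It signs the SHA-256 digest of the message with John's private key, encrypts signature and message under a fresh AES-256 session key, and wraps that session key with Olivia's public key; the receiving side reverses the steps and rejects Jeff's message, which decrypts without trouble (anyone can encrypt for John) but was not signed with Olivia's key. The primitives RSA-PSS, RSA-OAEP and AES-GCM, the use of one key pair per person for both signing and decryption, and the names John, Olivia and Jeff are assumptions made for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what John forwards to Olivia (section 2.1.3 and 2.2.2).
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, session key)
	Nonce      []byte // fresh AES-GCM nonce for this message
	Ciphertext []byte // AES-GCM(session key, signature || message)
}

// newKey makes a 2048-bit RSA key pair (the smaller size section 3.3 recommends).
// Assumption: one pair both signs and decrypts; PGP proper uses a master key and a sub key.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signAndEncrypt: sign the SHA-256 digest with the sender's private key, encrypt
// signature||message under a random AES-256 session key, wrap that key for the recipient.
func signAndEncrypt(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, sig...), msg...) // signature is modulus-size bytes, no length prefix needed
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// decryptAndVerify is the receiving side: unwrap the session key, decrypt, then verify
// the signature against the claimed sender's public key. Jeff's message fails the last step.
func decryptAndVerify(env *Envelope, recipient *rsa.PrivateKey, claimedSender *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key is not encrypted for this recipient")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext damaged or tampered with")
	}
	sigLen := claimedSender.Size()
	if len(payload) < sigLen {
		return nil, errors.New("payload too short to carry a signature")
	}
	sig, msg := payload[:sigLen], payload[sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(claimedSender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify against the claimed sender: %w", err)
	}
	return msg, nil
}

func main() {
	john, olivia, jeff := newKey(), newKey(), newKey()
	env, _ := signAndEncrypt([]byte("Will you marry me?"), john, &olivia.PublicKey)
	msg, err := decryptAndVerify(env, olivia, &john.PublicKey)
	fmt.Printf("Olivia reads %q (error: %v)\n", msg, err)
	forged, _ := signAndEncrypt([]byte("It is over."), jeff, &john.PublicKey) // Jeff cannot sign as Olivia
	_, err = decryptAndVerify(forged, john, &olivia.PublicKey)
	fmt.Println("John checking the forgery:", err)
}
```

The order matters: the signature is made over the plaintext and travels inside the encryption, so Jeff cannot strip or replace it without also breaking the AES-GCM authentication tag, and Olivia learns who wrote the message only after she has proven she is the intended reader.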
2.3 Conclusion

This concludes our short introduction to PGP. We have not introduced some basic features of PGP, such as key servers, as they are not really relevant in intra- or inter-company scenarios. For more information about PGP please refer to the references in section 1.1. The next chapter contains a more technical description of PGP and gives an overview of the PGP features that are supported by the AEDAPTIVe PGP Module.
3 Technical Features of PGP

3.1 Public Keys, Private Keys, and Key Ring Files

In chapter 2 we saw how PGP uses a combination of public key cryptography and symmetric key cryptography to encrypt data. We saw how you use the public key of your partner to encrypt data and your own private key to sign data. What we did not describe is how PGP stores the public and private keys, and the more technical details of encryption and decryption. PGP stores public and private keys in two files, the so-called public and secret key rings. The first file, the public key ring, contains your partners' public keys and the public part of your own key pairs. The second, the secret key ring, contains the secret part of your own key pairs. Since the secret key ring contains all your private keys, you need to be very careful with this file, even though PGP does offer additional protection for your private keys: private keys are stored in the secret key ring in encrypted form, and for this reason you need to specify a passphrase when using a private key. Someone who obtains your secret key ring therefore does not have immediate access to your private keys, but can try to guess the passphrase offline for as long as they like, so this protection is only as strong as the passphrase itself, and the file should be protected as strictly as the keys it holds. Keys are identified in the key rings by a key ID, which is a hexadecimal number. Fortunately you do not need to specify this number to identify a public or private key. Instead PGP uses a name and email address to identify your own or your partners' keys in the public and secret key rings. Before you can exchange encrypted messages with your partners you need to export your public key and import the public keys of your partners. These exported public keys can be safely exchanged via email. How you import and export public keys is described in chapter 4.
3.2 Signing Keys and Encrypting Keys

In general at least two keys are associated with a name and email address. The reason is that it is good practice to use different keys for signing data and for encrypting data. This means that when you generate your keys you need to generate at least one private key for signing and one private key for encryption. The same holds for the public keys you receive from your partners.

When you create keys for a specific name or email address, the first key that is generated is always a signing key. This key, the master key, can be used to sign your own keys or to sign the public keys you obtained from your partners. By signing public keys, you can set a level of trust which can be used by PGP products to validate keys before use. If you also want to encrypt or decrypt data, you need a second key pair, the sub key, that is linked to your signing master key. Both keys, the signing master key and the encryption sub key, are linked to the name and email address you have specified. PGP products automatically use the master key for signing and the encryption sub key for encryption.
3.3 Public Key Algorithms

In the previous section you saw how PGP commonly uses two keys per user: one master key for signing and a sub key for encryption. When generating your own signing and encryption keys, you not only need to specify a name and email address but also the public key algorithms you want to use for the keys. Three public key algorithms are available with PGP: RSA, DSA, and ElGamal (also called Diffie-Hellman or DH in PGP products). RSA performs well for both encryption and signing. DSA is a signature-only algorithm and cannot encrypt; ElGamal is used for encryption. Therefore DSA and ElGamal are used together: DSA for signing and ElGamal for encryption. PGP supports different key sizes for RSA and ElGamal keys, from 1024 up to 4096 bits. DSA keys are created according to the DSS standard of the US National Institute of Standards and Technology (NIST; http://www.nist.gov) and are always 1024 bits. When choosing a key strength, remember that encrypting and decrypting with larger keys requires more computing resources, and that 1024-bit RSA and ElGamal keys are no longer considered adequate. Recommended key sizes for RSA and ElGamal keys are 2048 and 4096 bits.
3.4 Symmetric Key Algorithms

In chapter 2 you saw how PGP speeds up the encryption process by using symmetric key cryptography to encrypt the data and public key cryptography to encrypt the symmetric key. Since PGP supports a large number of ciphers, or symmetric encryption algorithms, you need to specify which encryption algorithm you want to use. There are two ways of doing this: implicit or explicit. With the implicit method PGP uses a list of preferred symmetric algorithms that is stored with your and your partners' public keys. Therefore, some PGP products ask you to specify the supported symmetric key algorithms when you generate your keys, and to specify a default algorithm. Other products, like Gnu Privacy Guard, always store the same algorithm list with the keys you generate. The other way is to specify a symmetric algorithm when you encrypt the data. This explicit method is used by the AEDAPTIVe PGP Module. Note that if you do not specify an encryption algorithm with the PGP Module, the data will not be encrypted; it is worth checking the output of a test message before relying on a channel. The following table lists all ciphers that are supported by the PGP Module and the supported key sizes.
AES
    The Advanced Encryption Standard is the current encryption standard of the US government and has become very popular over the last years. The cipher was developed as Rijndael by two Belgian cryptographers and was selected in an open competition run by NIST. The 256-bit version of AES is a good candidate for your cipher.
Triple DES (168-bit key)
    3DES or Triple DES is a cipher derived from DES by applying the algorithm three times. Before the introduction of AES, Triple DES was very popular. Triple DES is another good candidate for your cipher.
Twofish
    Twofish was once an AES candidate. Support for Twofish was introduced in PGP at a time when the final AES candidate had not yet been selected. The predecessor to Twofish was introduced as a possible replacement for DES.
CAST5
    The 128-bit version of CAST5 was the default cipher in older versions of PGP.
DES
    The Data Encryption Standard was introduced in 1975 as the encryption standard for the US government. It is now outdated.
3.5 Hash Algorithms

Hash algorithms are used for the creation of message digests. PGP supports a large number of hash algorithms. Although PGP offers implicit and explicit specification of the hash algorithm, with the AEDAPTIVe PGP Module you always have to explicitly specify the hash algorithm you want to use to sign your data. If you omit the hash algorithm, the data will not be signed. The following table gives an overview of the hash algorithms supported by the PGP Module; the second column is the length of the digest in bits.

Algorithm   Digest length (bits)   Remarks
SHA512      512                    The SHA2 family (SHA512, SHA384, SHA256, SHA224) contains the strongest hash algorithms available in the PGP Module. The 256-bit version generally offers the best balance between strength and performance.
SHA384      384
SHA256      256
SHA224      224
SHA1        160                    SHA1 was the default PGP hash algorithm until SHA256 became available. It is no longer considered collision resistant; use SHA1 only if the SHA2 algorithms are not available from your partner.
RIPEMD160   160                    A less popular 160-bit algorithm. Use RIPEMD160 only when required by your partner.
MD5         128                    Message Digest 5 used to be the default hash algorithm in the first versions of PGP. The use of this algorithm should be avoided.
MD2         128                    Message Digest 2 has been compromised and should not be used.

You can use all these algorithms with RSA keys. With DSA keys, however, you are restricted to the SHA hash algorithms.
3.6 Compression

PGP offers compression as a way to create smaller files. Messages can be compressed after the signing process but before encryption. The PGP Module supports encryption and decryption with the two algorithms defined in the OpenPGP standard: ZIP and ZLIB. Some PGP products also offer BZIP2 compression. The PGP Module does not offer BZIP2 compression but is able to decompress BZIP2-compressed data created by other PGP products.
3.7 ASCII Armoring

If you use PGP to encrypt a message, the resulting data is in binary form. This is often not desirable, especially when transferring the data via email. Therefore PGP offers an option that outputs the encrypted data in text form using so-called radix-64 encoding. This option is called ASCII armoring, as the radix-64 encoding only uses printable ASCII characters in its output. Corruption of ASCII armored text is detectable, as the armored block ends with a CRC-24 redundancy check over the binary data; note that this checksum only catches accidental damage and offers no protection against deliberate modification, which is what the digital signature is for. The downside of radix-64 encoding is that an ASCII armored message is about 33% larger than the original.
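What the armor looks like on the wire, as an added example that is not taken from this guide or from the PGP Module: the Go program below encodes a constructed binary payload into an OpenPGP armored block with the 76-character lines and the "=XXXX" CRC-24 checksum line defined in RFC 4880 section 6.1, decodes it again, and rejects a block whose body has been altered. The block type MESSAGE and the sample payload are assumptions for the demonstration; armor header lines such as Version: are accepted on input but not emitted.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// CRC-24 parameters from RFC 4880, section 6.1.
const crc24Init, crc24Poly = 0xB704CE, 0x1864CFB

// crc24 is the redundancy check carried in the "=XXXX" line of an armored
// block. It detects accidental corruption only; it is not a MAC.
func crc24(data []byte) uint32 {
	crc := uint32(crc24Init)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			crc <<= 1
			if crc&0x1000000 != 0 {
				crc ^= crc24Poly
			}
		}
	}
	return crc & 0xFFFFFF
}

// armor wraps binary OpenPGP data in radix-64: BEGIN line, blank line,
// 76-character body lines, checksum line, END line.
func armor(blockType string, data []byte) string {
	var sb strings.Builder
	fmt.Fprintf(&sb, "-----BEGIN PGP %s-----\n\n", blockType)
	enc := base64.StdEncoding.EncodeToString(data)
	for len(enc) > 76 {
		sb.WriteString(enc[:76] + "\n")
		enc = enc[76:]
	}
	sb.WriteString(enc + "\n")
	c := crc24(data)
	sum := base64.StdEncoding.EncodeToString([]byte{byte(c >> 16), byte(c >> 8), byte(c)})
	fmt.Fprintf(&sb, "=%s\n-----END PGP %s-----\n", sum, blockType)
	return sb.String()
}

// dearmor parses an armored block, skips armor headers (Version:, Comment:)
// up to the blank line, decodes the body and verifies the checksum.
func dearmor(text string) ([]byte, error) {
	var body strings.Builder
	var sumLine string
	state := 0 // 0 before BEGIN, 1 armor headers, 2 body, 3 after END
	for _, line := range strings.Split(strings.ReplaceAll(text, "\r\n", "\n"), "\n") {
		switch {
		case state == 0 && strings.HasPrefix(line, "-----BEGIN PGP "):
			state = 1
		case state == 1 && line == "":
			state = 2
		case state == 2 && strings.HasPrefix(line, "-----END PGP "):
			state = 3
		case state == 2 && strings.HasPrefix(line, "="):
			sumLine = line[1:]
		case state == 2:
			body.WriteString(strings.TrimSpace(line))
		}
	}
	if state != 3 {
		return nil, errors.New("no complete armored block found")
	}
	data, err := base64.StdEncoding.DecodeString(body.String())
	if err != nil {
		return nil, fmt.Errorf("radix-64 body damaged: %w", err)
	}
	sum, err := base64.StdEncoding.DecodeString(sumLine)
	if err != nil || len(sum) != 3 {
		return nil, errors.New("checksum line missing or malformed")
	}
	want := uint32(sum[0])<<16 | uint32(sum[1])<<8 | uint32(sum[2])
	if got := crc24(data); got != want {
		return nil, fmt.Errorf("CRC-24 mismatch: armor says %06X, data gives %06X", want, got)
	}
	return data, nil
}

func main() {
	payload := []byte("constructed stand-in for a PGP message packet \x00\x01\x02\xff")
	text := armor("MESSAGE", payload)
	fmt.Print(text)
	back, err := dearmor(text)
	fmt.Printf("decoded %d bytes (err=%v), armored size is %.2fx the original\n", len(back), err, float64(len(text))/float64(len(payload)))
	damaged := strings.Replace(text, base64.StdEncoding.EncodeToString(payload)[:4], "AAAA", 1)
	_, err = dearmor(damaged)
	fmt.Println("after damaging the body:", err)
}
```

An empty payload armors to the checksum line "=twTO", which is the base64 form of the CRC-24 initial value 0xB704CE; seeing that line on a real message means the body was lost somewhere in transit.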
4 Key Management
The AEDAPTIVe PGP Module implements the basic PGP functionality: encryption, creating digital signatures, decryption, and signature validation. Other features, such as key management, are not implemented. AEDAPTIVe offers a tool for this purpose called Key Manager. You can also use an external product to create and manage your keys, such as PGP Desktop from the PGP Corporation or Gnu Privacy Guard. This chapter describes how to use these tools to manage your key rings.
4.1 Managing Keys with Key Manager

Key Manager is a simple key management tool that is offered alongside the AEDAPTIVe PGP Module. For downloads go to the AEDAPTIVe web site http://www.aedaptive.com and browse to Customer Area, Downloads, Software and Documentation for PI 7.1, AEDAPTIVe PGP, Latest Release. The instructions in this section pertain to Key Manager version 1.0.

11. Optionally change the name of the key and click Save. Be careful not to select the option Include Private Key(s). Selecting this option will also export your private keys. This can be useful, for instance if you want to store a backup of your private key in a safe location, but files generated with this option should never be shared with your partners.
12. You can now send the file with your public key to your partners.
4.2 Managing Keys with PGP Desktop

PGP Desktop is one of the PGP products of the PGP Corporation (http://www.pgp.com). It is a commercial product that is owned by and needs to be licensed from PGP Corporation. For downloads go to http://www.pgp.com/downloads/desktoptrial2.php. You have to obtain a license from PGP Corporation and install the product as described in the installation manual.
Note: AEDAPTIVe Solutions does not support PGP Desktop. For questions about installing and using this product, please contact PGP Corporation. The instructions in this section pertain to PGP Desktop version 9.6.
Be careful not to select the option Include Private Key(s). Selecting this option will also export your private keys. This can be useful, for instance if you want to store a backup of your private key in a safe location, but files generated with this option should never be shared with your partners.
15. You can now send the file with your public key to your partners.
2. Choose View, PGP Keys in the menu bar. Your default key ring will be selected. If you have created multiple key rings in PGP Desktop, select the key ring you want to use with the PGP Module. Please refer to the PGP Desktop manuals for more information.
3. Right-click on the key ring and select Properties.
4. A window appears with the location of your key rings. (See image below.)
5. Start Windows Explorer and open the directory that contains your key rings.
6. Copy both the .pkr and the .skr files and save them on the server containing the NetWeaver installation where you want to use the PGP Module. The file with the extension .skr contains your secret key ring; the other file contains the public key ring.
7. On the server, move the files into a directory that is accessible by the user running SAP NetWeaver, otherwise the PGP Module will not be able to use the files. Since the .skr file holds your private keys, restrict read access to that user alone and do not leave copies behind in shared or world-readable locations.
4.3 Managing Keys with Gnu Privacy Guard

Gnu Privacy Guard, short name GnuPG or GPG, is a free PGP product suite published under version 2 of the GNU General Public License. Unlike PGP Desktop it can be used by corporations free of charge. However, commercial support for this product is not available. Information about this product can be found on the Internet: http://www.gnupg.org. A Windows version of the product called Gpg4win can be downloaded from the following address: http://www.gpg4win.org. Note: AEDAPTIVe Solutions does not support Gnu Privacy Guard. For questions about installing and using this product, please refer to the online documentation and user groups on the Internet. The instructions in this section pertain to Gpg4win version 1.1.1.
3. Type your name and click Forward.
4. Type the email address corresponding to the name and click Forward. Please choose your name and email address carefully, as these will be used by your partners to find your key in their key rings. The best policy is to use the name of your company or department as the full name and the generic email address of the corresponding support team as the primary email address.
5. Type your passphrase twice and click Forward. Your passphrase protects your private key, so you should use a long passphrase that is difficult to guess.
6. Now you have the option to create a backup of your key. Choose one of the options and click Apply.
7. Now the wizard generates your key. Once this is completed the wizard will close automatically.

Perform the following steps to create a key using the GnuPG command line:

1. Select Run in the Windows Start menu.
2. Type cmd and hit Enter.
3. Type gpg --gen-key and hit Enter.
4. Select the key type and hit Enter. If you want to encrypt data, you should select option 1, DSA and Elgamal.
5. Type the key size and hit Enter. Specify a key size of 1024, 2048, or 4096 bits; 2048 bits or more is recommended (see section 3.3).
6. Specify when you want the key to expire and hit Enter, for instance type 1y for after one year.
7. Type y and hit Enter to confirm the expiry date.
8. Type your name and hit Enter.
9. Type your email address and hit Enter.
10. A prompt appears that asks you for a comment. Optionally type a comment for your key and hit Enter.
11. Confirm your name and email address by typing O. Hit Enter.
12. Now type your passphrase.
13. Confirm the passphrase.
14. GnuPG will now generate your key.

Once you have generated your key pair, you should export the public key so you can share it with your partners. The private key is never exported for this purpose. Perform the following steps to export your public key with Gnu Privacy Assistant:

1. Select GnuPG for Windows, GPA in the Windows Start menu. Gnu Privacy Assistant starts.
2. Select the key you want to export in the list.
3. Right-click on the key and select Export Keys in the context menu.
4. Specify the folder where you want to export your keys and type a file name.
5. Finally click OK. The key will be saved on the file system.
6. You can now send the file with your public keys to your partners.
Note: When exporting a 2048-bit key with Gnu Privacy Assistant, you might be confused because GPA lists the key size as 1024 bits. The reason is that only the key size of the master (signing) key is visible. In the case of DSA/DH keys this is always the 1024-bit DSA key. If you want to see the key size of the sub keys, you can use the command gpg --list-keys on the Windows command line.
5 AEDAPTIVe PGP Module Configuration

The modules can be used as a local enterprise bean on the module tab of a Communication Channel. They are compatible with all standard SAP adapters and most third-party adapters, for instance the File/FTP, SMTP, and HTTP(S) adapters from SAP and the AS2 and SFTP adapters from AEDAPTIVe, but some advanced adapter features that manipulate the data stream cannot be used with these modules. This is in particular true for the File Content Conversion of the File adapter. This chapter describes how to configure these two modules.

5.1 PGP Encryption Module

The PGP Encryption Module can be used to encrypt and/or sign data. This section describes how to configure this module.
Note: Make sure that the default module CallSapAdapter is the last module in the list. Otherwise the behavior of the Communication Channel will be unpredictable. 7. Now enter the module parameters as described in the next section.
secretKeyRing
    The PGP secret key ring that holds the key of the signer (see section 3.1).
encryptionAlgorithm
    The symmetric cipher used to encrypt the data (see section 3.4). If this parameter is omitted, the data will not be encrypted. If it is given, the parameter recipient is required.
recipient
    Set this parameter to the user ID or email address of the intended recipient. You can specify multiple recipients in a semicolon-separated list. The user IDs or email addresses you specify should match part of a user ID or email address of a public key in the public key ring. The public keys of the specified recipients are used to encrypt the data. If you specify the parameter encryptionAlgorithm, you also have to specify a recipient. If you omit the parameter recipient, the PGP Module will search for the recipient in the supplemental data variable com.aedaptive.module.pgp.recipient. This allows for a dynamic configuration of the recipient(s). See section 5.1.3 for more information. If you omit the parameter encryptionAlgorithm, this parameter can also be omitted. In that case the data will not be encrypted.
hashAlgorithm
    Set this parameter to the desired hash algorithm for signing. The following algorithms are supported: SHA512, SHA384, SHA256, SHA224, SHA1, RIPEMD160, MD5, MD2. If the parameter is not provided the data will not be signed. Refer to section 3.5 Hash Algorithms for more information. Note: The algorithms RIPEMD160, MD5, and MD2 can only be used in combination with RSA private keys.
signer
    Set this parameter to the user ID or email address of the secret key you want to use to sign the message. If you specify the parameter hashAlgorithm, this parameter is required. Otherwise this parameter can be omitted. The parameter should match part of the user ID or email address. It is case sensitive.
pwdPassphrase
    This parameter is the passphrase of the secret key of the signer you have specified. You have to enter the passphrase twice (there are two input fields in the column Parameter Value). If you specify the parameter hashAlgorithm, this parameter is required. Otherwise this parameter can be omitted. This parameter is case sensitive.
armor
    If this parameter is set to true, the output will be encoded using radix-64 encoding (see section 3.7). Valid values for this parameter are true and false. If you omit this parameter, the default value false will be used.
textMode
    If this parameter is set to true, encrypted data is treated as text. This allows the recipient to obey local text conventions, so that Windows line ends can be converted to Unix line ends and vice versa.
compression
    Use this parameter to specify the compression algorithm you want to use. The following compression algorithms are supported: ZIP or ZLIB. If the parameter is not provided the data will not be compressed.
compatibilityMode
    If this parameter is set to RFC2440, the output will be compatible with the PGP standard outlined in RFC 2440. If you specify RFC4880 or omit this parameter, the output will be compatible with the standard defined in RFC 4880. If your partner is using an older version of PGP (5.0 or later) and is not able to decrypt your data, you can use this parameter to ensure compatibility.
25
5.2 PGP Decryption Module
The PGP Decryption Module can be used to decrypt and/or verify PGP encrypted and/or signed data. This section describes how to configure this module.
Note: Make sure that the default module CallSapAdapter is the last module in the list. Otherwise the behavior of the Communication Channel will be unpredictable.
7. Now enter the module parameters as described in the next section.
Processing Sequence.
Do not forget to set the Module Key of each parameter to the Module Key of the PGP Decryption Module in the processing sequence. The following table gives an overview of the PGP Decryption Module parameters. Optional parameters are in italics.

Parameter: publicKeyRing
Description: Set this parameter to the full path of the PGP public key ring, e.g. C:/share/AEDAPTIVE_TEST_SCENARIOS/PGP/Keys/pubring.gpg. The key ring must be readable by the SAP J2EE engine.

Parameter: secretKeyRing
Description: Set this parameter to the full path of the PGP secret key ring, e.g. C:/share/AEDAPTIVE_TEST_SCENARIOS/PGP/Keys/secring.gpg. The key ring must be readable by the SAP J2EE engine.

Parameter: pwdPassphrase
Description: This parameter is the passphrase of the key that was used to encrypt the data. You have to enter the password twice (there are two input fields in the column Parameter Value). If the data is not encrypted, this parameter can be omitted. This parameter is case sensitive.

Parameter: isSigned
Description: This parameter is used to validate whether the message is signed. If you set this parameter to true, the PGP Decryption Module will validate that the data has been signed. If this is not the case, the message will go into error. This is an optional parameter.
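The dependency rules in the two parameter tables above (encryption module and decryption module) are easy to get wrong in a channel editor; this added example, which is not AEDAPTIVe code, checks a parameter dict against them. The way the dict is read from a channel and the signer_key_type argument (the algorithm of the signer's key in the secret key ring) are assumptions.

```python
"""Consistency checks for PGP Encryption / Decryption Module parameter dicts.
Added example, not AEDAPTIVe code: it encodes the dependency rules of the two
parameter tables above; reading the dict from a channel is assumed.
"""
HASH_ALGORITHMS = {"SHA512", "SHA384", "SHA256", "SHA224", "SHA1", "RIPEMD160", "MD5", "MD2"}
RSA_ONLY_HASHES = {"RIPEMD160", "MD5", "MD2"}   # page: usable with RSA private keys only
LEGACY_HASHES = {"SHA1", "MD5", "MD2"}          # practitioner caveat, not a page rule
BOOLEANS = {"true", "false"}
ENUMS = {"armor": BOOLEANS, "textMode": BOOLEANS, "compression": {"ZIP", "ZLIB"},
         "compatibilityMode": {"RFC2440", "RFC4880"}}


def check_encryption_params(params, signer_key_type=None):
    """Return (errors, warnings). signer_key_type ("RSA", "DSA", ...) is an
    assumption: the caller looks it up in the secret key ring."""
    errors, warnings = [], []
    if "encryptionAlgorithm" in params and not params.get("recipient"):
        warnings.append("recipient omitted: it must be supplied at run time via "
                        "com.aedaptive.module.pgp.recipient")
    hash_alg = params.get("hashAlgorithm")
    if hash_alg is not None:
        if hash_alg not in HASH_ALGORITHMS:
            errors.append(f"unsupported hashAlgorithm {hash_alg!r}")
        for required in ("signer", "pwdPassphrase"):   # both needed for signing
            if not params.get(required):
                errors.append(f"{required} is required when hashAlgorithm is set")
        if hash_alg in RSA_ONLY_HASHES and signer_key_type not in (None, "RSA"):
            errors.append(f"{hash_alg} can only be used with RSA signing keys")
        if hash_alg in LEGACY_HASHES:
            warnings.append(f"{hash_alg} is a legacy digest; prefer SHA256 or stronger")
    for name, allowed in ENUMS.items():                # fixed-value parameters
        if name in params and params[name] not in allowed:
            errors.append(f"{name} must be one of {sorted(allowed)}, got {params[name]!r}")
    return errors, warnings


def check_decryption_params(params):
    """Return (errors, warnings) for a PGP Decryption Module parameter dict."""
    errors, warnings = [], []
    for ring in ("publicKeyRing", "secretKeyRing"):
        if not params.get(ring):
            errors.append(f"{ring} must be the full path of the key ring file")
    if "isSigned" in params and params["isSigned"] not in BOOLEANS:
        errors.append("isSigned must be true or false")
    if not params.get("pwdPassphrase"):                # allowed only for unencrypted input
        warnings.append("pwdPassphrase omitted: only unencrypted input can be processed")
    return errors, warnings
```

Run check_encryption_params on the channel's parameter dict before activating it; a non-empty error list means the module would reject or mis-handle the message, and warnings mark choices worth a second look.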
6 Troubleshooting
This chapter contains tips and tricks that can be used to pinpoint configuration errors with the PGP Module.
6.1 Message Details
The PGP Module reports its activities in the Run-Time Workbench. To access this information, proceed as follows:
1. Start the Run-Time Workbench and click Message Monitoring. Next, after Messages from Component select the option Adapter Engine, and after From select the option Database. Click Start.
2. Select the message details and go to the tab Audit Log. Browse through the log until you reach the entries generated by the PGP Module. The following image shows details from the encryption module.
You see that the module reports the specified module parameters (with the exception of the passphrase). It also reports any activities it has executed. The image on the next page shows details from the decryption module. Please note the key ids.
3. If an error is reported, check the error lists in this chapter for more information.
4. In some cases, the information in the message details will not be enough to troubleshoot your issue. In that case you can use the logs and traces from SAP NetWeaver to obtain more information. This is also described in this chapter.
Common errors of the PGP Encryption Module

Error: The given signature algorithm (<xxx>) is not supported.
Solution: Check the parameter hashAlgorithm and specify a supported hash algorithm.

Error: The specified compression method (<xxx>) is not supported.
Solution: Check the parameter compression and specify a supported compression algorithm.

Error: Incorrect compatibility mode specified: <xxx>
Solution: Check the parameter compatibilityMode and specify a supported value. Supported values are: RFC2440 and RFC4880.

Error: Cannot sign: public key with keyID <keyID> is expired
Solution: The key of the specified signer or recipient has expired. Use PGP Desktop or GNU Privacy Guard to create a new signing key, or ask your partner for a new key.

Error: Parameter signer missing; this parameter is required if the parameter hashAlgorithm is specified
Solution: Self explanatory.

Error: Unsupported keysize or algorithm parameters
Solution: If you see this error, check whether you have installed the "unlimited strength" version of JCE (Java Cryptography Extension). See section 2.2 of the AEDAPTIVe PGP Installation Guide.

Common errors of the PGP Decryption Module

Error: Public key not found in key ring.
Solution: The specified public key ring does not contain the public key of the key pair that was used to sign the message. Ask your partner for the correct public key and use PGP Desktop or GNU Privacy Guard to import this key into the public key ring.

Error: Secret key not found in key ring.
Solution: The specified secret key ring does not contain a secret key that can be used to decrypt the message. Your partner is using an incorrect public key to encrypt this message, or you have not imported your key pair into the specified key rings.

Error: No usable private key found in the secret key ring.
Solution: Check the parameter pwdPassphrase. You have either specified an incorrect value for this parameter, or your partner is using an incorrect key to encrypt the data. Look in the communication channel logging for the line "Found a secret key in the secret key ring for keyID <keyID>". Use PGP Desktop or GNU Privacy Guard to see whether the specified key ID belongs to the key you have provided to your partner.

Error: Public key with keyID <keyID> is expired
Solution: The key that was used to sign the message has expired. Your partner has to provide you with a new key. The PGP Decryption Module does not have an option to override this error.

Error: Unsupported keysize or algorithm parameters
Solution: If you see this error, check whether you have installed the "unlimited strength" version of JCE (Java Cryptography Extension). See section 2.2 of the AEDAPTIVe PGP Installation Guide.
6.2 Logging
This section describes how to enable and use the logging features of the AEDAPTIVe software. These can be useful to troubleshoot connections with your partners. As with standard SAP modules, the logging can be enabled using Visual Administrator. Proceed as follows to change the log level for one or more AEDAPTIVe components:
1. Start a web browser and go to the following address: http://<server>:<port>/nwa/log-config, where <server> is the server name of your SAP NetWeaver PI server and <port> is the J2EE port of this server (default 50000).
2. Log on to NetWeaver Administrator. NetWeaver Administrator Log Configuration appears.
3. After Show select Tracing Locations.
4. Browse to ROOT LOCATION/com/aedaptive.
5. Open the node aedaptive, select the AEDAPTIVe component for which you want to change the log level, and select the desired logging level in the column Severity.
6. You can change the log level for all underlying nodes by selecting a node, changing the log severity and choosing Copy to Subtree.
7. Save the changed log severity by clicking on Save Configuration.

To view the logging from NetWeaver Administrator, perform the following steps:
1. Start a web browser and go to the following address: http://<server>:<port>/nwa/logs, where <server> is the server name of your SAP NetWeaver PI server and <port> is the J2EE port of this server (default 50000).
2. Log on to NetWeaver Administrator. NetWeaver Administrator Log Viewer appears.
3. In the Log Viewer screen select the General View for the last 24 hours, or another view that will contain the desired log information.
4. In the filter row under Location specify the desired location, e.g. com.aedaptive.pgp.module, and press Enter.
5. The log data is now displayed on the screen.
7 Index
AES, 13
ASCII armoring, 14
authenticity, 6
Blowfish, 13
CAST5, 13
common errors, 29
compression, 13
DES, 13
digital signature, 8
DSA, 12
ElGamal, 12
encryption, 6
Gnu Privacy Guard, 18
  creating new keys, 18
  importing keys, 20
GPG. See Gnu Privacy Guard
key management, 15
key ring
  public. See public key ring
  secret. See secret key ring
key rings, 11
logging, 31
MD2, 13
MD5, 13
message digest, 9
non-repudiation, 6
PGP
  ASCII armoring. See ASCII armoring
  compression. See compression
  digital signature, 9
  hash algorithms, 13
  key management. See key management
  public key algorithms, 12
  symmetric key algorithms, 12
  technical features, 11
PGP Decryption Module, 26
  common errors, 30
  parameters, 26
PGP Desktop, 15
  creating new keys, 15
  importing keys, 17
PGP Encryption Module, 22
  common errors, 29
  dynamic configuration of recipient, 25
  parameters, 23
public key cryptography, 7
public key ring, 11
radix64, 14
RIPEMD160, 13
RSA, 12
secret key ring, 11
SHA1, 13
SHA2, 13
sign and encryption, 9
troubleshooting, 28
Twofish, 13
AEDAPTIVe Solutions B.V. P.O. Box 2011 4200 BA GORINCHEM The Netherlands
AEDAPTIVe Solutions B.V. is a private limited company of the AEGROUP and is registered at the Chamber of Commerce with number 11065386.