The Need for Encryption
We have all seen the news about companies losing sensitive customer and business data, about government agencies losing classified data on USB memory sticks, and about employees stealing credit card data from their employers. At the same time, it is becoming more and more important to be able to trace communications and to validate the authenticity of the messages from your business partners.
Due to issues like these and to government regulations, more and more companies are starting to implement and tighten corporate-wide security guidelines. These guidelines cover an extensive realm of topics, from behavior guidelines for employees to building access and systems security. One of the topics that these guidelines should address is how data is secured when it is exchanged between employees and customers, between employees and customers and partners, between applications within the company, and between company applications and partner applications. Although in a lot of ways these cases require specific guidelines, it is beneficial to standardize as much as possible. One area that allows for such standardization is encryption. Currently the most versatile encryption standard – one that can be used both to secure data on a USB memory stick and to encrypt business-to-business communications – is PGP.
Pretty Good Privacy
PGP (Pretty Good Privacy) is an IETF (Internet Engineering Task Force) standard for signing and encrypting email and file data. Because PGP offers both signing and encryption, it is more versatile than transport security standards such as HTTPS. Although there are other standards that offer signing and encryption – for instance XML Security – these are considerably more difficult to implement and are also more limited. XML Security, for instance, can only be used on XML messages. PGP, on the other hand, can be used with any kind of data, including flat files and binary data. This makes PGP an excellent candidate for a corporate-wide security standard. Due to this versatility, PGP has gained popularity as a security standard in banking and insurance.
There are currently several excellent PGP solutions available in the market. However, if you want to integrate these solutions with SAP, you are required to store data unencrypted on disk and call a separate program. This not only introduces a potential security breach; the fact that the PGP encryption and decryption takes place outside of your SAP environment also greatly complicates monitoring your solutions.
AEDAPTIVe PGP for SAP NetWeaver
AEDAPTIVe PGP is a solution for SAP NetWeaver Process Integration that offers PGP encryption and decryption in the form of SAP NetWeaver PI modules. This means that – unlike other products on the market – AEDAPTIVe PGP is completely integrated in SAP NetWeaver.
This has several benefits. The most important one is that the encryption and decryption process takes place within SAP NetWeaver PI, so that there are no unencrypted data files on disk that can be compromised. A second benefit is that the encryption and decryption process can be monitored completely using the standard monitoring tools of SAP NetWeaver PI. Your support staff does not need to use external monitoring tools to keep track of the PGP encryption process.
Encryption and Decryption
AEDAPTIVe PGP is implemented as two PI modules – the PGP Encryption Module and the PGP Decryption Module. The Encryption Module can be used to encrypt and sign data; the Decryption Module is used to decrypt and verify encrypted data. These modules can be used in combination with any SAP or non-SAP adapter and other modules, provided that there are no license limitations (which might be the case with some third-party adapters).
Keep in mind that after encryption and before decryption the data is in PGP encrypted format. This also places some limitations on adapter use. For instance, you cannot use the file conversion features of the File Sender adapter, as these are executed after the execution of the modules. If you want to convert your data to flat file format, you can use the content conversion module before you call the PGP encryption module.
Both modules report extensively to the Run Time Workbench. If something goes wrong during encryption or decryption of the data, your message in SAP NetWeaver will go into error and the error reason – for instance an expired key – will be clearly visible in SAP NetWeaver Run Time Workbench.
- A company sends encrypted and signed payments via FTP to their bank and receives encrypted bank statements. The PGP modules are used to encrypt the payments before sending them to the bank, and to decrypt the received bank statements.
- A company needs to send sensitive BI reports to senior management. The reports are processed via SAP NetWeaver PI and are sent using the SMTP adapter. The PGP Encryption Module is used to encrypt the report before it is attached to the email.
- Data is transferred between two applications using file transport. To ensure that the data is secure during transport, the data is encrypted using the PGP Encryption Module before it is sent.
| Feature | Supported | Remarks |
|---|---|---|
| Public key encryption and decryption | Yes | |
| Creating digital signatures | Yes | |
| Public key encryption and decryption for multiple recipients | Yes | |
| Compatibility with the OpenPGP standard | Yes | The PGP Module is compatible with RFC 2440 and RFC 4880. Compatibility with RFC 1991 (PGP 2.6.x) is not supported. The first version of PGP that is supported is PGP 5.0. Please see below for some less commonly used features that are not supported by AEDAPTIVe PGP. |
| Supported public key algorithms | RSA, DH, DSS | All public key algorithms and key sizes that are described in RFC 4880 are supported. |
| Supported symmetric key algorithms | AES, 3DES, and others | All symmetric key algorithms and key sizes that are described in RFC 4880 are supported. |
| Compression | Yes | ZIP and ZLIB compression and decompression are supported. BZIP2 decompression is supported. |
| ASCII armoring (Radix64 encoding) | Yes | |
| Creating clear signed messages | No | This is not supported in the current version of the adapter. |
| Creating and validating detached signatures | No | Due to the nature of SAP NetWeaver PI this is not supported. |
| Symmetric key encryption and decryption | Yes | In combination with public key encryption. |
| Key management | Yes | Delivered free of charge. |

SAP NetWeaver Process Integration Features

| Feature | Supported | Remarks |
|---|---|---|
| Supported SAP NetWeaver XI/PI versions | 2004/2004s | SAP NetWeaver 2004 (XI 3.0), SP 12 or higher. SAP NetWeaver 2004s (PI 7.0), SP 8 or higher. SAP NetWeaver PI 7.1, SP 6 or higher. SAP NetWeaver PI 7.1 and 7.3. |
| Supported adapters | All | There are no restrictions on the adapter that is used with the PGP encryption and decryption module. |
| Monitoring via Run Time Workbench | Supported | The PGP encryption and decryption module can be monitored using the adapter and message monitoring of Run Time Workbench. |