Wednesday, 23 July 2014

SFG PGP/GPG File Security Step-By-Step (includes layer creation for SFG)

PGP is a security technology that encrypts files before they are transferred over the web, so the content stays unreadable even if the transfer is intercepted. The receiving (consumer) partner holds a key pair and hands its public key to the sending side, which uses it to encrypt; only the consumer's private key can decrypt the result. Signing uses the keys the other way round: the sender signs with its private key and the consumer verifies the signature with the sender's public key.


1. Using PGP with SFG requires a local PGP installation on the integrator host. The open-source solution used here is GPG4Win, available at http://gpg4win.org/download.html


2. Run the installer downloaded in the previous step and make sure the Kleopatra and GpgEX components are selected.

3. Using GPG requires the creation of an extra layer, since SFG does not support it natively (the natively supported layer types are highlighted in yellow in the screenshot). Before deploying the new layer to Sterling we first make sure everything works on the GPG side; once that is done we build a BP to test the GPG functionality within SFG, and finally we deploy the layer and create a Routing Channel to test it end to end. We will only cover the common GPG operations: signing (which lets the recipient verify who produced the file and that it was not modified afterwards) and encryption (which actually hides the file content). Other options, such as compression or a different choice of cipher, are also available.

4. To get started with GPG we first need a certificate in Kleopatra; for this purpose we generate a self-signed OpenPGP certificate. The Advanced settings can be left at their default values (they already include the encryption and signing capabilities). On the last step you are prompted for a passphrase; we use the value passphrase. It is required for every operation that uses the private key (signing, decryption), so the batch job will have to supply it.



5. To test the encryption of a file (which will be associated with a consumer at SFG deploy time) we created a test folder under the C drive with a simple test.txt file. The first objective is to encrypt and sign the document and store the result in the same folder:

  • First check that GPG4Win is correctly installed by simply running gpg on the cmd prompt
  • Then run the following command:
  • echo passphrase|gpg --armor --recipient TestCertificate --batch --yes --passphrase-fd 0 --encrypt --sign test.txt
  • The passphrase is piped to gpg on stdin (--passphrase-fd 0) rather than written on the gpg command line. Note that GnuPG 2.1 and later reject --passphrase-fd in batch mode unless --pinentry-mode loopback is also given; the version used here is 2.0.22, where the command works as shown.
  • After running the command, a dir over the directory shows a new test.txt.asc file



test.txt.asc file content:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.22 (MingW32)

hQEMAwPWle2/P5FNAQgAlSc4OoGNVm0nf7kjgNIxd4ElDzopIvLxrPuh8jXcJYrM
UpaCa119QA0mWpWZ66qv/NXLdvpzsCSktQCBAOWpD/LyAPQ6Cr9ae+EsxGYETJfQ
vNUoV7vOo591qxbHgQ9wpEnSQx8oeTuEXNBxGeyt4QZcGde+VOwQ/T09ou9TGH6d
Op4fCme1VIN6FuIAaKGd/jNbuT0banxFE0iWau6hoBy5urEQWRVexgcTOVcBl5fq
CWY4y6rTFA10YXQRFWXVXZvYgzGiNZpjkMk0qWUgx9QAzkhbrv9dKtXg3+FEeqac
ytbQaiedc9XPaPC7vMh3mw9OK9YdoEa7MRwndON/qdLAzAERNquESfx55E/sDh4Z
RACB7Wwf5wnmKaDwnehdhBeWJVgixpUsDxL5L29P3vUGA/YR4FmgXhRBnqp5oGuw
mSH2r3rjgzCcSiWifZafV2PjnWHmEOAO0y+CrmwYE7DyMPbefF9QsjZ1DRa+r3zr
azEviGMm9MDumpV0bf9l0k7s8lFfGw6n2sqrQAFetX9reUkE21omM75nfUQchqC4
vllYXjOCE2qEjRC7NTgTty1kpITwqg/h5z9ZKIZL37+hD85FmpGD0lyHCfOV94NF
li7bsWt9myBEyQWlJPzJ1bsARX7t13coLtoTy7Oj8fSvHD35NGqLiFZLnOExByxy
Le5M0Fs/IfvlHLUdjEacoS4ZjEDgUSsisoGqkREqU+wkEEkpHWSJjTrS2zK9R1s5
XjQG8tApEDhPS0hacf2PxVBLgpQKVhgBTbDLgBaa74weZyUaDuDvjmA7Pl7T5kUH
k5TTxHSuTZEGstlPElVzSYHTVXXF801F2KSnU0X/sWVMfimQvHuNmHAPKHrzsA==
=2K2+
-----END PGP MESSAGE-----
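The armored file above can be checked without any key material. The following Python script is an example added here and is not part of the original post: it verifies the armor CRC-24 and walks the OpenPGP packet headers the way gpg --list-packets does, so you can confirm which key ID a file was encrypted to before handing it to a consumer. It embeds the test.txt.asc shown above as its sample input, understands only the RFC 4880 packet framing, and does not decrypt anything.

```python
"""Offline inspection of an ASCII-armored OpenPGP message (RFC 4880 framing only).

Added example, not code from the original post. Verifies the armor CRC-24 and lists
the packet headers, roughly what `gpg --list-packets` prints, without any key
material. ARMORED_MESSAGE is the test.txt.asc produced in step 5 of the post.
"""
import base64

CRC24_INIT = 0xB704CE    # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB
TAG_NAMES = {1: "Public-Key Encrypted Session Key", 2: "Signature", 4: "One-Pass Signature",
             8: "Compressed Data", 11: "Literal Data", 18: "Sym. Encrypted Integrity Protected Data"}
PK_ALGOS = {1: "RSA (Encrypt or Sign)", 2: "RSA Encrypt-Only", 16: "Elgamal", 17: "DSA"}

ARMORED_MESSAGE = """-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.22 (MingW32)

hQEMAwPWle2/P5FNAQgAlSc4OoGNVm0nf7kjgNIxd4ElDzopIvLxrPuh8jXcJYrM
UpaCa119QA0mWpWZ66qv/NXLdvpzsCSktQCBAOWpD/LyAPQ6Cr9ae+EsxGYETJfQ
vNUoV7vOo591qxbHgQ9wpEnSQx8oeTuEXNBxGeyt4QZcGde+VOwQ/T09ou9TGH6d
Op4fCme1VIN6FuIAaKGd/jNbuT0banxFE0iWau6hoBy5urEQWRVexgcTOVcBl5fq
CWY4y6rTFA10YXQRFWXVXZvYgzGiNZpjkMk0qWUgx9QAzkhbrv9dKtXg3+FEeqac
ytbQaiedc9XPaPC7vMh3mw9OK9YdoEa7MRwndON/qdLAzAERNquESfx55E/sDh4Z
RACB7Wwf5wnmKaDwnehdhBeWJVgixpUsDxL5L29P3vUGA/YR4FmgXhRBnqp5oGuw
mSH2r3rjgzCcSiWifZafV2PjnWHmEOAO0y+CrmwYE7DyMPbefF9QsjZ1DRa+r3zr
azEviGMm9MDumpV0bf9l0k7s8lFfGw6n2sqrQAFetX9reUkE21omM75nfUQchqC4
vllYXjOCE2qEjRC7NTgTty1kpITwqg/h5z9ZKIZL37+hD85FmpGD0lyHCfOV94NF
li7bsWt9myBEyQWlJPzJ1bsARX7t13coLtoTy7Oj8fSvHD35NGqLiFZLnOExByxy
Le5M0Fs/IfvlHLUdjEacoS4ZjEDgUSsisoGqkREqU+wkEEkpHWSJjTrS2zK9R1s5
XjQG8tApEDhPS0hacf2PxVBLgpQKVhgBTbDLgBaa74weZyUaDuDvjmA7Pl7T5kUH
k5TTxHSuTZEGstlPElVzSYHTVXXF801F2KSnU0X/sWVMfimQvHuNmHAPKHrzsA==
=2K2+
-----END PGP MESSAGE-----
"""


def crc24(data: bytes) -> int:
    """Armor checksum exactly as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the armor, base64-decode the body and reject it if the CRC does not match."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP message")
    blank = next(i for i, line in enumerate(lines) if not line.strip())  # end of armor headers
    body = [line.strip() for line in lines[blank + 1:-1]]
    if not body or not body[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    data = base64.b64decode("".join(body[:-1]))
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(data) != expected:
        raise ValueError(f"armor CRC mismatch: {crc24(data):06X} != {expected:06X}")
    return data


def parse_packets(data: bytes) -> list:
    """Walk the packet sequence and return [(tag, body), ...]."""
    packets, pos = [], 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {pos - 1}")
        if ctb & 0x40:                                   # new-format header (section 4.2.2)
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            else:
                raise ValueError("5-octet and partial body lengths are not handled here")
        else:                                            # old-format header (section 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                               # indeterminate: runs to end of data
                length = len(data) - pos
            else:                                        # 1, 2 or 4 length octets
                length, pos = int.from_bytes(data[pos:pos + (1 << ltype)], "big"), pos + (1 << ltype)
        packets.append((tag, data[pos:pos + length]))
        pos += length
    return packets


def describe_pkesk(body: bytes) -> dict:
    """Decode a v3 PKESK packet: it names the key that can open the message."""
    if body[0] != 3:
        raise ValueError(f"unsupported PKESK version {body[0]}")
    return {"key_id": body[1:9].hex().upper(), "pk_algo": PK_ALGOS.get(body[9], f"algorithm {body[9]}"),
            "mpi_bits": int.from_bytes(body[10:12], "big")}


def summarize(armored: str) -> dict:
    """CRC-checked list of (tag, name, length) plus the recipient key of the first PKESK."""
    packets = parse_packets(dearmor(armored))
    recipient = next((describe_pkesk(body) for tag, body in packets if tag == 1), None)
    return {"packets": [(tag, TAG_NAMES.get(tag, f"tag {tag}"), len(body)) for tag, body in packets],
            "recipient": recipient}


if __name__ == "__main__":
    print(summarize(ARMORED_MESSAGE))
```

On the message above the script reports one Public-Key Encrypted Session Key packet for key ID 03D695EDBF3F914D (RSA, 2048-bit) followed by one Symmetrically Encrypted Integrity Protected Data packet. The signature is not a separate packet: with --encrypt --sign it sits inside the encrypted payload, so the consumer must decrypt before it can verify.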


6. Having concluded the encryption test we can now move to the actual deployment on the integrator. As a first step let's create a Business Process that achieves the same result: it takes the primary document, which arrives as a non-encrypted file, and replaces it with its encrypted version.

  • The Command Line Adapter 2 runs as a separate Windows service. To run the command line as Administrator rather than as Local System, open the service IBM Sterling B2B Integrator CmdLine2Adapter at port xxxxx

  • Change its Log On account to Administrator. Note that this must be the same account that created the GPG keys, because GnuPG keeps its keyring in the user profile of the account that runs it; the account also needs admin permissions. Running a service as Administrator is more privilege than gpg needs, so a dedicated service account that owns the keyring is the safer choice where the environment allows it.

  • Create a folder under c drive c:\gpg -> this will be the working directory for the gpg scripting
  • Create a GPGEncryptSign.bat (under the folder c:\gpg) with the following content (replace passphrase with the value of your key passphrase, and TestCertificate with your certificate name). Keep in mind that this file stores the passphrase in clear text, so restrict read access to it; the later steps move the passphrase out of the file:

echo passphrase|gpg --armor --output %2 --recipient TestCertificate --batch --yes --passphrase-fd 0 --encrypt --sign %1
  • Finally, under Sterling, create a BP with any name (e.g. GPG_Test) and with the following definition



  • Note: in cmdLine we pass the Input, which is the name of the PrimaryDocument that the CL Adapter temporarily stores on the file system; Output brings the CL stdout into ProcessData; outputName is the name of the document in ProcessData, the same as the input but with the .gpg extension; finally we replace the PrimaryDocument with the newly generated document.

  • With this we have a BP to add as a layer on SFG: we receive a non-encrypted file from the producer and encrypt it before the routing continues.

  • The next step is to make this BP generic, so that the .bat file and working directory can be set dynamically when the routing channel template (RCT) is created.

7. Before extending the BP we should first create a service configuration that holds the obscured passphrases of the PGP keys, so the passphrase is no longer stored in clear text in the .bat file.

8. Use the updated BP that reads the passphrase from the newly created obscure service and passes it to the script.



  • Also update the .bat file to receive the passphrase dynamically, as its third argument:
echo %3|gpg --armor --output %2 --recipient TestCertificate --batch --yes --passphrase-fd 0 --encrypt --sign %1
  • Keep in mind that obscuring only protects the value at rest in Sterling: once it is passed as a command-line argument it is visible to anyone who can list processes on the adapter host, so that host must be treated as holding the key material.



9. Finally we can start work on the layer API definition. There are 2 fields to be defined:

a. GPG Batch Full Path: the path to the GPG .bat file; you should be able to use a different one for each GPG routing channel template

b. GPG Working Directory: the working directory. It is not really relevant unless the script contains code that depends on the directory it is run from; Sterling can use any working directory and reuse it for many scripts.

  • You can set the value displayed in the drop-down menu by specifying the DisplayLabel value in the FgProducerFileLayerType tag.
  • The layer deployment must be performed with extreme caution: any error in the configuration, e.g. a repeated ProducerFileLayerParameterTypeKey, will generate an error in the database, and the leftover rows must be cleaned up manually.
  • You can delete a layer, if it was deployed successfully, by using a command like this (applies to the layers below):

2 comments:

  1. Dear, can you please guide me on PGP configuration and pack/unpack adapters?

  2. I tried to use the PGP adapter after defining the PGP server; I'm getting this error:

    A remote host refused an attempted connect operation.
