
SAP PI: Integrating McAfee E-Business Server with SAP PI 7.0 for PGP Encryption/Decryption


In this blog we will see how to integrate McAfee E-Business Server with SAP PI for encryption and decryption of data.

It is assumed that you are aware of the steps for creating an adapter module for PI.

In many projects, there is a requirement to encrypt a document before sending it to a partner or to decrypt a file received from a partner. If you are using the file adapter, you need to encrypt the data before you write the file to the target directory.

There are many encryption algorithms available, and PGP (Pretty Good Privacy) is one of them.

You can either develop your own method for PGP encryption using a Java API and call it from your adapter module, or you can use tools like McAfee E-Business Server.

 

McAfee E-Business Server:

Using PGP encryption technology, McAfee E-Business Server allows IT administrators and developers to embed automatic encryption, decryption, digital signing, and verification to protect data everywhere it is accessed by users, allowing full control of who has access to what information. PGP 128-bit encryption incorporates the industry's strongest encryption algorithms.

Before PGP commands can be executed, McAfee E-Business Server needs to be installed on the PI server.

After installation, the next step is to create a key pair. PGP is a highly trusted public-key encryption scheme. A public key and a private key are generated and used in the encryption and decryption algorithms. For encryption, the public key is needed. In our scenario, the vendor generates a key pair and distributes the public key. This public key can be stored in a file and saved on the SAP PI server. Every time a file is encrypted, the key is read and passed to the encryption. The vendor decrypts the file with the private key of that key pair.

 

Integration with SAP PI: 

There are two approaches available for calling McAfee from SAP PI.

1. Using Command line

Calling PGP encryption/decryption from the command line is simple and easy to use. You can focus on the PI module development.

However, the drawback of this approach is that the command line only operates on files and not on raw data. Inside the PI module you therefore need to create temporary files from the message payload on the SAP PI server file system and perform the encryption/decryption operation on those files. The encrypted/decrypted file is also created on the SAP PI server file system.

Handling files from the adapter module may create problems when running SAP PI in a clustered environment, so you should choose your calling method carefully.

 

For PGP commands refer : ftp://ftp.pgpi.org/pub/pgp/6.5/docs/english/PGPCmdLineGuide.pdf 

2. McAfee E-Business Server Native APIs

The native APIs (including C, Visual Basic, Perl, and Java) allow developers to implement market-leading data protection in their existing applications, batch processes, and transfers with simple commands in their language of choice, ensuring that all data communicated with partners from any back-end system can be encrypted.

In our project we used the first approach.

We designed a single module for both encryption and decryption. Based on the input parameter "Operation", it performs one of the two operations.

Parameter List: 

                             
 

| Parameter Name | Value | Meaning |
|---|---|---|
| Operation | Encryption/Decryption | Type of the operation. |
| Sign | Sign Key. | Signing of the document in case of Encryption using Sign Key. |
| Verbose | Y/N | Provides details error log if Verbose is set to "Y" |
| UserName | UserName | User using which encryption needs to be done. |

 
 

 

1. Parameters can be accessed inside the adapter module using:

Operation = (String) moduleContext.getContextData("Operation");  

2. Trace entries that appear in the communication channel log can be written using the following code:

 

Message msg = (Message) inputModuleData.getPrincipalData();

AuditMessageKey amk =
            new AuditMessageKey(msg.getMessageId(), AuditDirection.OUTBOUND);

 

Success Message : 

Audit.addAuditLogEntry(
            amk,
            AuditLogStatus.SUCCESS,
            "Inside the PGP module");

Failure Message : 

Audit.addAuditLogEntry(
                amk,
                AuditLogStatus.ERROR,
                "Oopps caught with exception in  decryption .." + e);
 

3. Calling the McAfee PGP commands:


XMLPayload xmlpayload = msg.getDocument();

// ibs - byte stream for the XML payload
byte[] ibs = xmlpayload.getContent();

// path - temporary file path created using payload data
// (write() and read() are file helper methods not shown here)
write(ibs, path);

// Call the PGP command
// errorpath - path for the error file to be generated
// pgppath - encrypted file after command execution
String command = "cmd /c pgp --encrypt "
                    + path
                    + " --user "
                    + UserName
                    + " -o "
                    + pgppath
                    + "  2> "
                    + errorpath;

Runtime rt = Runtime.getRuntime();
Process p = rt.exec(command);
p.waitFor();

// Read the encrypted file produced by the command
byte[] bs = read(pgppath);

// Set back the XML payload after encryption
xmlpayload.setContent(bs);

// Return from module
return inputModuleData;



Similarly, you can implement the decryption operation.

 String command =
                "cmd /c pgp --decrypt "
                    + path
                    + " --output "
                    + pgppath
                    + "  2> "
                    + errorpath;


Communication channel log and error file created from the module can be used for tracing & debugging.
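The command-line call above builds one `cmd /c` string from module parameters, ignores the exit status, and writes the clear-text payload to a temporary file. The following added example (not the blog author's module code) shows the same `pgp --encrypt` call with an argument list, a validated `UserName`, a per-message work directory, an exit-code check, and cleanup. The class name, file names, the `partner-key` user ID, the allowed-character pattern, and the non-zero-exit-on-failure behaviour of `pgp` are assumptions; it needs Java 7 or later, and on an older JDK `Runtime.exec(String[])` is the equivalent way to pass an argument list.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

public class PgpCommandRunner {
    // Assumption: key user IDs only need these characters and never start with '-'.
    private static final Pattern SAFE_USER =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._@ -]{0,127}");

    public static byte[] encrypt(byte[] payload, String userName)
            throws IOException, InterruptedException {
        if (userName == null || !SAFE_USER.matcher(userName).matches()) {
            throw new IllegalArgumentException("UserName module parameter rejected");
        }
        // Private per-message directory: parallel messages never share a file name.
        Path dir = Files.createTempDirectory("pi-pgp-");
        Path plain = dir.resolve("payload.in");
        Path cipher = dir.resolve("payload.pgp");
        Path out = dir.resolve("pgp.out");
        Path err = dir.resolve("pgp.err");
        try {
            Files.write(plain, payload);
            // Argument list instead of one "cmd /c ..." string: no shell parses the values.
            ProcessBuilder pb = new ProcessBuilder("pgp", "--encrypt", plain.toString(),
                    "--user", userName, "-o", cipher.toString());
            pb.redirectOutput(out.toFile());
            pb.redirectError(err.toFile()); // takes the place of "2> errorpath"
            int exit = pb.start().waitFor();
            // Assumption: pgp signals failure with a non-zero exit code.
            if (exit != 0 || !Files.exists(cipher)) {
                String detail = new String(Files.readAllBytes(err), "UTF-8");
                throw new IOException("pgp failed, exit code " + exit + ": " + detail);
            }
            return Files.readAllBytes(cipher);
        } finally {
            // Remove the clear-text copy and all other work files, then the directory.
            for (Path p : new Path[] {plain, cipher, out, err, dir}) {
                Files.deleteIfExists(p);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] sample = "<order id=\"1\"/>".getBytes("UTF-8"); // constructed payload
        System.out.println(encrypt(sample, "partner-key").length + " bytes encrypted");
    }
}
```

In an adapter module, the thrown exception is the point at which to write the `AuditLogStatus.ERROR` entry and fail the channel.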

Someone may argue for using the adapter's command-line functionality instead of creating an adapter module. However, the major advantage of creating the adapter module is that you can fail the adapter and trigger an alert message if any error occurs, whereas this functionality would be missing in the command-line call from the adapter.

Below are the screenshots of the call from the communication channel and the log messages for it.

Encryption: 

image

Decryption: 

image

 

 

Communication Channel Log:

image

The communication channel must be called in binary mode.

Limitation: The module works on the complete payload, so it does not work with file content conversion (FCC). If you configure FCC along with this module, FCC is called after the module, and hence the module encrypts XML data, which we don't want. We want text data to be encrypted or decrypted.

Workaround: Use an adapter module for the file content conversion as well. SAP provides a standard adapter module for this:

http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/50061bd9-e56e-2910-3495-c5faa652b710 


