
How to set up encryption between 2 systems?

0 Kudos

Hi all,

I am trying to set up an encryption process between 2 systems (ERP for encryption and PI for decryption) and wonder what the basic steps are you have to follow.

My current understanding is the following (please correct me):

1. Install SAPCRYPTOLIB on ERP and PI

2. Create &  Maintain PSE files for encryption on ERP and PI

3. Use FMs SSF_KRN_ENVELOPE / SSF_KRN_DEVELOPE in order to encrypt/decrypt

On step 2 it would be great if someone could give an rough overview how to do it.

I would need a PSE as PAB with the public part of the key from the PI system on ERP. Therefore I need to extract it from PI (how?) and import it into ERP (STRUST? how?)

Thanks a lot in advance!

Tobias

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi, what exactly do you want to encrypt? If you want to protect RFC calls between ECC and PI then you need to use SNC. You should be able to find how to do it in the SAP documentation. Cheers

15 REPLIES 15

0 Kudos

Hi Martin,

I want to encrypt a file which is stored for some time on a server. Until PI picks up the file I want to ensure that no one can read or manipulate the file.

Kind regards,

Tobias

mvoros
Active Contributor
0 Kudos

OK, I got it. Yes, you are right. The only encryption supported by ABAP AS is via FM SSF_KRN_ENVELOPE. Basically, it only supports the PKCS#7 format. It works exactly the same as email encryption. The sender needs to know the public key of the recipient. Of course, the recipient needs to know the private key to decrypt the message.

The table SSFARGS can be used to configure encryption for various applications. A good example is the encryption of credit card details (application CCARD). So maybe creating a new custom application in transaction SSFA would be a good idea. This would mean that the PSE is used only for this purpose. Note 836367 tells you how to set up a new application. You can define it first in PI, generate a certificate for it, then just export the public key and define the same app in ECC but import only the public key. So you won't be able to decrypt files in ECC.

Cheers

0 Kudos

Hi Martin,

Thanks a lot! I already did the setup exactly as you described. Just I created the PSE in ECC for testing, and it works.

I agree with you to create the PSE in PI and then exchange the public key information. And that is where I am stuck now.

I assume I have to create a PSE in ECC as well and use the Import/Export Certificate button at the bottom of the screen and then add the certificate to the existing PSE. Now where can I tell PI to export the public key and tell ECC to import the public key? Is this determined automatically?

The rest is clear to me!

Cheers,

Tobias

mvoros
Active Contributor
0 Kudos

One option could be to copy the PSE file. That would mean that ECC could decrypt as well. So, have you tried to use the standard transaction STRUST for managing the various PSEs?

0 Kudos

Are there also other options? Shouldn't it be possible by exporting the public key data?

I used STRUST to create a PSE for an application Z* with type RSA and AES 1024 bit key.

But again, now I am stuck with the key exchange between ECC/PI.

0 Kudos

Copying the pse file does work - partially.

Encryption worked. File was successfully decrypted on PI.

But in STRUST the PSE is shown red and message TRUST028 appears. The file does not match the database original.

So this works, but it does not seem to be the 'right' way.

On the other hand, exporting the certificate on PI and importing into ECC did NOT work properly. SSF gave an error during the encryption.

So the 1 000 000 € question is: How to exchange the public key between PI and ECC?

Thanks a lot so far for your help! Highly appreciated!

Tobias

mvoros
Active Contributor
0 Kudos

Have you tried to use sapgenpse and then just import it into ECC? What error did you get during encryption?

Moving just the PSE should work. Check note 980000. It explains why you got that error message.

Cheers

Former Member
0 Kudos

Hi Martin,

we have trouble setting up file encryption using SSF for our own application. We get the error "SSF_API_UNKNOWN_SECTK_ERROR (13) Unknown or unspecified error in security product" all the time when using SSF_KRN_ENVELOPE.

  • We used SSF02 as well as our own test program
  • We've installed SAPCRYPTOLIB 5.5.5pl34
  • We even tried the test program ZSSF_TEST_PSE from SAP note 800240
  • We're on SAP NW 7.00

But still no luck. We have no idea how to solve this, do you?

Former Member
0 Kudos

Hi Martin,

never mind. We've solved it.

We looked into the system logs in transaction ST11 and found "ERROR in sec_encrypt_key: (1542/0x0606) invalid or unknown alg_id #". This led us to the fact that our PSE was configured for DSA, which was obviously not working. We changed it to RSA and now it's working. We don't fully understand why this is, but anyway.

Regards.

André

Former Member
0 Kudos

Hi,

there's actually still one problem we are trying to solve. What did you use for parameter IO_SPEC of FM SSF_KRN_ENVELOPE? For encrypting files one can use IO_SPEC='F'. Did this work for you? There's no clue how the input data table would then have to look.

Any ideas?

@Martin too?

Regards.

André

mvoros
Active Contributor
0 Kudos

Hi,

I've never tried option 'F'. I could not find any use of this option by SAP. So I would stick to option 'T' and have a look at how SAP is using this FM. You can always load the file into a table and then pass it to this FM.

BTW DSA is an algorithm for signing documents. It can't be used for encryption.

Cheers
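Added example (mine, not code from the thread and not SAP tooling): the enveloping Martin describes earlier in the thread (sender needs the recipient's public key, recipient develops with its private key) and the DSA point in this reply, played out with openssl as a stand-in for SAPCRYPTOLIB, STRUST and sapgenpse. The directory names pi, ecc and archive, the identities PI, ARCHIVE and PI-DSA, and the sample payload are all constructed. openssl produces CMS EnvelopedData, the direct successor of PKCS#7 EnvelopedData with the same RecipientInfo layout, so the behaviour matches the thread (certificate only on the encrypting side, private key only on the decrypting side, a DSA certificate refused as recipient), but none of this reproduces SAP's SSF API, IO_SPEC handling or error codes.

```shell
#!/bin/sh
# Added example, not from the thread and not SAP code. Reproduces the SSF envelope
# flow with openssl standing in for SAPCRYPTOLIB / STRUST / sapgenpse:
#   * "pi"  owns the RSA key pair (its own PSE, private key never leaves),
#   * "ecc" receives only PI's certificate (the PAB entry) and can envelope
#     but never develop (decrypt),
#   * "archive" is a second RSA recipient, standing in for a recipient list.
# Everything runs in a temporary directory that is deleted afterwards.

# Generate a self-signed RSA identity: $1 = directory, $2 = name (CN and file stem).
gen_rsa_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
      -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Check to run before importing a partner certificate into the PAB: print the
# certificate's public key algorithm (rsaEncryption, dsaEncryption, ...).
cert_key_algorithm() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
      awk -F': *' '/Public Key Algorithm/ { print $2; exit }'
}

# Returns 0 when ECC can envelope to PI's and ARCHIVE's certificates and both
# recipients get the identical bytes back with their own private keys.
demo_pkcs7_roundtrip() {
  work=$(mktemp -d) || return 1
  mkdir "$work/pi" "$work/ecc" "$work/archive"
  gen_rsa_identity "$work/pi" PI || return 1
  gen_rsa_identity "$work/archive" ARCHIVE || return 1

  # "Export the public key from PI, import into ECC": only certificates cross
  # systems; the private keys stay where they were generated.
  cp "$work/pi/PI.crt" "$work/archive/ARCHIVE.crt" "$work/ecc/"
  [ "$(cert_key_algorithm "$work/ecc/PI.crt")" = rsaEncryption ] || return 1

  printf 'constructed sample payload, waiting on the server for PI\n' > "$work/ecc/plain.txt"

  # ECC side (the SSF_KRN_ENVELOPE step): EnvelopedData, AES-256 content key,
  # one RecipientInfo per certificate given on the command line.
  openssl cms -encrypt -aes256 -binary -outform DER \
      -in "$work/ecc/plain.txt" -out "$work/ecc/plain.p7m" \
      "$work/ecc/PI.crt" "$work/ecc/ARCHIVE.crt" 2>/dev/null || return 1

  # PI side (the SSF_KRN_DEVELOPE step): decrypt with PI's private key.
  openssl cms -decrypt -inform DER -in "$work/ecc/plain.p7m" \
      -inkey "$work/pi/PI.key" -recip "$work/pi/PI.crt" \
      -out "$work/pi/out.txt" 2>/dev/null || return 1

  # The second recipient decrypts the same envelope with its own key.
  openssl cms -decrypt -inform DER -in "$work/ecc/plain.p7m" \
      -inkey "$work/archive/ARCHIVE.key" -recip "$work/archive/ARCHIVE.crt" \
      -out "$work/archive/out.txt" 2>/dev/null || return 1

  if cmp -s "$work/ecc/plain.txt" "$work/pi/out.txt" &&
     cmp -s "$work/ecc/plain.txt" "$work/archive/out.txt"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Returns 0 when openssl refuses to envelope to a DSA certificate. This is the
# "invalid or unknown alg_id" situation from the thread: DSA only signs, it
# cannot transport a content-encryption key, so a DSA PSE can never be a recipient.
demo_dsa_cannot_envelope() {
  work=$(mktemp -d) || return 1
  openssl dsaparam -out "$work/dsa.param" 2048 2>/dev/null || return 1
  openssl req -x509 -newkey "dsa:$work/dsa.param" -nodes -days 30 -subj "/CN=PI-DSA" \
      -keyout "$work/PI-DSA.key" -out "$work/PI-DSA.crt" 2>/dev/null || return 1
  printf 'x\n' > "$work/plain.txt"
  if openssl cms -encrypt -aes256 -outform DER -in "$work/plain.txt" \
        -out "$work/plain.p7m" "$work/PI-DSA.crt" 2>/dev/null; then
    rc=1   # enveloping to a DSA key must not succeed
  else
    rc=0
  fi
  rm -rf "$work"
  return $rc
}

main() {
  demo_pkcs7_roundtrip     && echo "roundtrip with two RSA recipients: ok"
  demo_dsa_cannot_envelope && echo "DSA certificate rejected as recipient: ok"
}

# Stand-alone run: sh ssf_envelope_demo.sh run
if [ "${1:-}" = run ]; then main; fi
```

The cert_key_algorithm check is the part worth carrying over to the real setup: before importing a partner's certificate into the PAB, confirm it is an RSA certificate, because a DSA PSE only fails later, at enveloping time, with the unhelpful "unknown error in security product".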

Former Member
0 Kudos

Hi Martin,

thank you for your fast reply. In the meantime we found out that option 'F' is disabled by SAP for "security reasons". Whatever that means. We'll now go for the table option.

Thanks for clearing up what DSA is used for.

I very much appreciate you helping us out. Thanks again.

Cheers.

0 Kudos

Hi Martin,

I plan on encrypting a file which could be developed in several systems based on a custom PSE for this specific purpose.

Therefore I took the following approach:

For enveloping I create a recipient list with one or more recipients based on the certificates stored in the custom PSE and pass the Private Address Book as well as the recipient list to function module SSF_KRN_ENVELOPE.

On the other hand, for developing I only hand over the information of the respective system (based on SSF_GET_PARAMETER ) to form routine SSF_KRN_DEVELOPE.

I tested the functionality in two different ways, once using the certificate from the custom application itself (same system) and once having certificates from system PSEs of different target systems.

In the first case the encryption works as expected. In the second case I obtain error code CRC = 13 "SSF error: Unknown error in external security product". The only parameter that changed in both scenarios is the recipient list, nevertheless field "SSF result for recipient" in table recipient_list does not indicate any error regarding the recipients.

Is there anything wrong with the approach I am following? Do you have a guess on what could be going wrong here?

Regards,

Kathrin

Former Member
0 Kudos

See SAP note 1524196 and the attachments provided in it; using them you should be able to configure your scenario.

https://service.sap.com/sap/support/notes/1524196