SAP PGP-Module: Could not extract private key

Former Member
0 Kudos

I'm trying to use the SAP PGP-Module localejbs/PGPEncryption.

I generated public and private keys in some different ways but it does not work.

I also tried to use this How-To:

http://wiki.sdn.sap.com/wiki/display/XI/Generating+ASCII+Armored+PGP+Key+Pairs

The audit log always shows this:

06.03.2013 12:48:48.360  Informationen  PGP Encryption Module: Reading public key at /usr/sap/E96/sst/ftp-test/bin/pubring.pkr
06.03.2013 12:48:48.364  Informationen  PGP Encryption Module: Reading private key at /usr/sap/E96/sst/ftp-test/bin/secring.skr
06.03.2013 12:48:48.371  Fehler  MP: exception caught with cause org.bouncycastle.openpgp.PGPException: Exception creating cipher
06.03.2013 12:48:48.371  Fehler  PGP Encryption Module: Could not extract private key (org.bouncycastle.openpgp.PGPException: Exception creating cipher)
06.03.2013 12:48:48.379  Fehler  Ausnahme aufgetreten beim Adapter-Framework: Exception creating cipher

My configuration:

PGP  applyCompression   none
PGP  applyEncryption    true
PGP  applySignature     true
PGP  asciiArmored       false
PGP  dynamicFileName    true
PGP  dynamicNamespace   true
PGP  encryptionAlgo     AES_128
PGP  format             binary
PGP  keyRootPath        /usr/sap/E96/sst/ftp-test/bin/
PGP  ownPrivateKey      secring.skr
PGP  partnerPublicKey   pubring.pkr
PGP  pwdOwnPrivateKey   ****
PGP  signingAlgo        RIPEMD160

Note: I also used ASCII-keys - no difference.

1. Any ideas where the problem could be?

2. Do I have to use a special signing or encryption Algo???

3. I also wonder which "user-id" is used for encrypting, because there can be more than one key in a key ring. But there is no parameter for specifying the receiver or sender.

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Hi guys, I had the same issue and I resolved it as soon as I corrected the JCE Policy:

  • The JVM should be installed with unlimited JCE policy (SAP Note 1240081)

I hope it helps

former_member182455
Active Contributor
0 Kudos

Hi,

Kindly look into the below PI module configuration.

0 Kudos

Did you get this error resolved, and how?

I got JCE installed too but the below error persists.

MP: exception caught with cause org.bouncycastle.openpgp.PGPException: Exception creating cipher

Former Member
0 Kudos

I got it working for our needs. But there seems to be an incompatibility with some types of PGP-keys.

Actually, encrypting works even better than decrypting.

Unfortunately, the error messages are not really helpful in some cases...

Here are some hints, what you can try:

  • Encryption Algo: AES_128 is for 1024 Bit keys, 256 for 2048 Bit
  • Signing: Try not to sign your file. You can disable "applySignature", then you don't need a private key (of course not)
  • Creating keys: My keys only work when they are generated in the AIX version of PGP. I guess that might depend on PI's operating system.
  • Not working private keys: I got a strange way to make old PGP keys work for PI: Use the Windows version of GNU-PGP, import the key, change password, change it back, export the key. Now it works.
  • PGP files that are encrypted with an old PGP and use the IDEA algorithm cannot be decrypted
0 Kudos

Hi Heiko,

Thanks for helping me out with your insights.

My Encryption works fine after I disabled the signing but my decryption does not work now.

Error is -

"PGPDecryption Module: org.bouncycastle.openpgp.PGPException: Exception creating cipher"

"PGPDecryption Module: Wrong Password for private Key"

But the password we are using is correct since we are able to decrypt the same file using command line.

Trouble-shooting steps:

1. Deployed unlimited JCE policies and restarted the system.

2. Tried with .skr format private key & passphrase; upon failure tried regenerating the private key in .asc format & passphrase being used is correct.

3. Tried setting up decryption both ways: sender channel & receiver channel.

4. Tried without passphrase, same error.

5. Ensured that the file is encrypted with our own public key.

In our case pgpi 6.5.8 from http://www.pgpi.org/, hpux version is used.

We have raised OSS notes but none of the solutions worked for us.

Let me know if there are any alternative solution of getting the decryption done in PI.

Like through PI command line etc. If so please guide me through the steps.

Former Member
0 Kudos

I got a strange solution for this problem. I don't know why, but for us it seems to work:

  1. Use GNU-PGP (for windows)
  2. Import the private and public key
  3. Change the passphrase and change it back
  4. Export the private key
  5. Use it with PI

Please, let me know, if this also works for your problem!
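
One way to see which symmetric cipher protects the secret keys in a binary ring such as secring.skr, following the RFC 4880 secret-key packet layout, before and after a re-export like the one above. This is an added example, not code from the thread or from SAP; that the re-export changes the protecting cipher is an assumption the thread does not confirm, and all function names and the sample bytes are constructed for illustration.

```python
# Symmetric-key algorithm IDs (RFC 4880, section 9.2)
SYM = {0: "none", 1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
       7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
PUB_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # public MPIs: RSA, Elgamal, DSA

def read_packet(data, pos):  # -> (tag, body, next_pos)
    hdr = data[pos]
    if not hdr & 0x80:
        raise ValueError("not a binary OpenPGP packet (armored file?)")
    if hdr & 0x40:  # new-format header
        tag, first = hdr & 0x3F, data[pos + 1]
        if first < 192:
            length, start = first, pos + 2
        elif first < 224:
            length, start = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
        elif first == 255:
            length, start = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
        else:
            raise ValueError("partial body length not handled")
    else:  # old-format header, as written by PGP 2.x to 6.x
        tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
        if size == 8:
            raise ValueError("indeterminate length not handled")
        length, start = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), pos + 1 + size
    return tag, data[start:start + length], start + length

def key_protection(body):  # -> (key version, cipher protecting the secret part)
    pos = 8 if body[0] in (2, 3) else 6  # v2/v3 add a 2-byte validity field
    for _ in range(PUB_MPIS[body[pos - 1]]):  # skip the public-key MPIs
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    usage = body[pos]  # 254/255 mean "cipher ID follows", else it is the ID
    sym = body[pos + 1] if usage in (254, 255) else usage
    return body[0], SYM.get(sym, "unknown(%d)" % sym)

def audit_keyring(data):  # -> [(version, cipher)] per secret (sub)key
    found, pos = [], 0
    while pos < len(data):
        tag, body, pos = read_packet(data, pos)
        if tag in (5, 7):  # 5 = secret key, 7 = secret subkey
            found.append(key_protection(body))
    return found

def sample_packet(hdr, hex_body):  # header byte + one-byte length + body
    return bytes([hdr, len(hex_body) // 2]) + bytes.fromhex(hex_body)
# Constructed sample ring (dummy bytes, not real key material)
PUB = "0451371f00" "01" "0008c5" "000203"  # v4, RSA, two tiny MPIs
SAMPLE = (sample_packet(0x94, PUB + "ff01" + "0301" + "00" * 17 + "aabb")
          + sample_packet(0xB4, "74657374")  # user ID packet, skipped
          + sample_packet(0xC7, PUB + "fe09" + "0302" + "00" * 25 + "aabb"))
```

For a real ring, pass the file's bytes to `audit_keyring`; an ASCII-armored key has to be dearmored first, otherwise the function raises `ValueError`.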

Former Member
0 Kudos

Hi

You need to apply decryption on the sender file adapter. Make sure that the file is encrypted with the primary key and you need to decrypt the same with the corresponding private key.

Below is the module configuration in SAP PI

0 Kudos

Hi Heiko,

Thanks for taking time & helping me out.... Your solution worked out.

Passphrase was right but it was unix version key hence it kept saying "PGPDecryption Module: Wrong Password for private Key".

As soon as I imported & exported with GNU-PGP (WIN), the key worked but it still gave the error message.

And the error message was clear enough to determine the issue.

Vendor used IDEA encryption Algo....

We have requested Vendor to use an alternative one but Vendor due to various security reasons cannot do so.

Trying to implement the same using command line if still stuck then will go with Java code.

I think SAP, for PGP addon should come up with alternative solution for IDEA Algo......

Former Member
0 Kudos

Yes, the common IDEA problem... We had that, too!!

Fortunately, we had a SAP consultant in our project and got a SAP consultant solution here. They included the "extended-libraries" of bouncy castle (bouncycastle.org) in the PGP-package.

Now we can encrypt and decrypt IDEA.

Anyway, SAP decided not to include this into the standard package because of licence problems with the IDEA algo. SAP is not allowed to sell this.

However, before we had the solution, I also told some senders to use a newer PGP version. Downloading GNU-PGP and creating a new "portable version" solved the problem.

Another workaround could be: Install PGP on the fileserver and use a script to decrypt.