Private Key Requirement for Encryption and Decryption


Hello Everyone,

I hope you're all doing well.

We're currently tackling a requirement that involves two authentication options:

  1. Using a One Leaf Certificate (CPI Certificate with Root and Intermediate) along with a Private Key.
  2. Utilizing a PFX File, which requires us to provide a Passphrase Value.

We're working within the Integration Suite (SAP CPI) to accomplish this. We're seeking guidance on the best approach to achieve our goal, and also on how we can obtain either a Private Key or a PFX File with the necessary Passphrase Value.

Thank you in advance for your assistance.

Best Regards,

Ashish

Accepted Solutions (0)

Answers (2)

iignatius
Explorer

Hello carlos.roggan

Good Day.

My business requirement is to access the third-party application from SAP CPI iFlow.

The third-party system provides two different certificates (PFX files): “Active” and “Signature”. The active certificate is used to access the system, and the signature certificate is used to access the application. To build the signature, the "private key" is mandatory, so the signature PFX file was added to the keystore and is accessed by alias name in Groovy to build the PrivateKey. In the signature build, we used this "PrivateKey" to sign. I am referring to your blogs to build the "PrivateKey" as below.

import com.sap.it.api.ITApiFactory
import com.sap.it.api.keystore.KeystoreService
import java.security.KeyPair
import java.security.PrivateKey

// Private Key: load the key pair stored in the CPI keystore under the given alias
KeystoreService keystoreService = ITApiFactory.getService(KeystoreService.class, null)
KeyPair keyPair = keystoreService.getKeyPair("iflowtonodekeys")
PrivateKey privateKey = keyPair.getPrivate()

Current Situation:

I am able to access the third-party system wherever the target URL does not require a signature header, but when I try to access the target URL with a signature header as per the specification, I get an "invalid signature" error from the third-party system. So I would like to verify my understanding of creating the private key. I am giving the logic that I used in the iFlow Groovy script for your reference. Please let me know if any changes are required.

Server Error :

{"errors":[{"code":"invalidSignature","detail":"The HTTP signature could not be verified. Please refer to https://documentation.ibanity.com/security#http-signature","meta":{"requestId":"000112D599A2D9320A01063301BB6540EA4D263106BED6"}}]}


Private Key Build Logic:

import com.sap.it.api.ITApiFactory
import com.sap.it.api.keystore.KeystoreService
import java.security.KeyPair
import java.security.PrivateKey

// Load the key pair from the CPI keystore by alias and take its private half
KeystoreService keystoreService = ITApiFactory.getService(KeystoreService.class, null)
KeyPair keyPair = keystoreService.getKeyPair("iflowtonodekeys")
PrivateKey privateKey = keyPair.getPrivate()

Signature Digest:

import java.nio.charset.StandardCharsets
import java.security.PrivateKey
import java.security.Signature
import java.security.spec.MGF1ParameterSpec
import java.security.spec.PSSParameterSpec
import java.util.Base64

// Sign the HTTP-signature signing string with RSASSA-PSS
// (SHA-256, MGF1 with SHA-256, 32-byte salt) and return the signature Base64-encoded.
def buildEncodedSignature(PrivateKey privateKey, String signingString) {
    String SIGNATURE_ALGORITHM = "RSASSA-PSS"
    PSSParameterSpec PARAMETER_SPEC = new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1)

    Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM)
    signature.setParameter(PARAMETER_SPEC)
    signature.initSign(privateKey)

    // Feed the raw UTF-8 bytes of the signing string. RSASSA-PSS hashes the input with
    // SHA-256 itself; the earlier version of this code hashed the string with DigestUtils
    // first and signed that digest, which signs SHA-256(SHA-256(signingString)) and is
    // rejected by a verifier that hashes the signing string once.
    signature.update(signingString.getBytes(StandardCharsets.UTF_8))

    byte[] signedData = signature.sign()
    String signatureDigest = Base64.getEncoder().encodeToString(signedData)
    return signatureDigest
}

CarlosRoggan
Product and Topic Expert
Hello, 

can you use OpenSSL?

Here are the commands:

create key pair and certificate in one step:

openssl req -x509 -newkey rsa -nodes -keyout privkey.pem -out cert.pem -subj "/CN=myowncert"

extract public key which is contained in the private key:

openssl rsa -pubout -in privkey.pem -out pubkey.pem

then create pfx file

openssl pkcs12 -export -out mystore.p12 -inkey privkey.pem -in cert.pem -passout pass:abcd

replace the abcd with your desired password

you can also use this command to create key pair:

openssl genpkey -algorithm RSA -out privkey.pem -pkeyopt rsa_keygen_bits:2048

Please let me know if you need further assistance.

Kind Regards,
Carlos
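As an added example (not code from the thread, from SAP, or from the third party), the script below runs the OpenSSL workflow from the answer above end to end and checks the resulting .p12, and then covers the earlier question about the Groovy signing code: it signs a constructed HTTP-signature signing string with the same RSA-PSS parameters the Groovy PSSParameterSpec selects (SHA-256, MGF1 with SHA-256, 32-byte salt), verifies it with the public key, and shows that signing a pre-computed SHA-256 digest of the signing string instead of the string itself fails verification. It goes beyond the answer by adding the verification steps. File names, the CN "myowncert", the passphrase "abcd" and the signing string are assumptions for illustration; the real signing string layout is whatever the third party's specification prescribes.

```shell
#!/bin/sh
# Added example, not code from the thread or from SAP: OpenSSL key/cert/.p12
# workflow with checks, plus RSA-PSS signing and verification of a signing string.
# File names, CN, passphrase and the signing string below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed signing string in the "(request-target)" / header-lines layout.
SIGNING_STRING="(request-target): post /example/path
host: api.example.com
date: Tue, 01 Aug 2023 10:00:00 GMT"

# 1. Key pair and self-signed certificate in one step (RSA 2048, unencrypted key),
#    plus the public key extracted from the private key.
make_key_and_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" \
        -subj "/CN=myowncert" >/dev/null 2>&1
    openssl rsa -in "$WORK/privkey.pem" -pubout -out "$WORK/pubkey.pem" 2>/dev/null
}

# 2. Bundle private key and certificate into a passphrase-protected PKCS#12 (.p12/.pfx).
#    openssl pkcs12 includes every certificate in the -in file, so a PEM holding
#    root, intermediate and client certificate (as in a CPI service key) also works.
export_pfx() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/privkey.pem" \
        -out "$WORK/mystore.p12" -passout "pass:$1"
}

# 3. Check that the .p12 opens with the given passphrase and that the private key
#    inside belongs to the certificate (identical public key). Returns 0 if so.
verify_pfx() {
    rm -f "$WORK/unpacked.pem"
    openssl pkcs12 -in "$WORK/mystore.p12" -nodes -passin "pass:$1" \
        -out "$WORK/unpacked.pem" 2>/dev/null || return 1
    k=$(openssl pkey -in "$WORK/unpacked.pem" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/unpacked.pem" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 4. RSA-PSS signature over the signing string itself; PSS hashes the input with
#    SHA-256 internally, so there is no separate digest step. Prints Base64.
sign_pss() {
    printf '%s' "$1" > "$WORK/signing.txt"
    openssl dgst -sha256 -sign "$WORK/privkey.pem" \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
        -sigopt rsa_mgf1_md:sha256 "$WORK/signing.txt" | openssl base64 -A
}

# 5. Verify a Base64 signature against a signing string with the public key.
#    Returns 0 for a valid signature, 1 otherwise (the check the server performs).
verify_pss() {
    printf '%s' "$1" > "$WORK/verify.txt"
    printf '%s' "$2" | openssl base64 -d -A > "$WORK/sig.bin"
    if openssl dgst -sha256 -verify "$WORK/pubkey.pem" \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
        -sigopt rsa_mgf1_md:sha256 -signature "$WORK/sig.bin" \
        "$WORK/verify.txt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# 6. Failure mode from the Groovy snippet: hashing the signing string with SHA-256
#    first and signing that digest puts SHA-256(SHA-256(string)) inside PSS,
#    which a verifier that hashes the string once rejects.
sign_pss_prehashed() {
    printf '%s' "$1" | openssl dgst -sha256 -binary > "$WORK/prehash.bin"
    openssl dgst -sha256 -sign "$WORK/privkey.pem" \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
        -sigopt rsa_mgf1_md:sha256 "$WORK/prehash.bin" | openssl base64 -A
}

main() {
    make_key_and_cert
    export_pfx "abcd"
    verify_pfx "abcd" && echo "mystore.p12 opens and its key matches the certificate"
    sig=$(sign_pss "$SIGNING_STRING")
    verify_pss "$SIGNING_STRING" "$sig" && echo "RSA-PSS signature over the signing string verifies"
    if verify_pss "$SIGNING_STRING" "$(sign_pss_prehashed "$SIGNING_STRING")"; then
        echo "unexpected: pre-hashed signature accepted"
    else
        echo "signature over SHA-256(signing string) is rejected: invalid signature"
    fi
}

main
```

The `verify_pss` function is the useful offline check: export the public key of the keystore entry CPI uses, run the Base64 signature produced by the iFlow through it against the exact signing string sent, and a failure here points at the signing code (or at a mismatched key/alias), while a pass points at the signing-string construction or headers on the wire.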


Dear Carlos,

I hope this message finds you well. I wanted to express my gratitude for the valuable information you have shared.

I would like to inquire whether it is possible to obtain a private key or a PFX file from SAP CPI for authentication purposes. Specifically, we require either a private key or a PFX file to facilitate this authentication process.

Using OpenSSL, we would also need to get the certificate signed by a signing authority. It would be much better if we could achieve this using SAP CPI.

Your assistance in this matter would be greatly appreciated. Thank you in advance for your support.

Best Regards,

Ashish

CarlosRoggan
Product and Topic Expert

Hi Ashish,

I was just typing the following addition, as if foreseeing your comment 😉

In addition to above commands:

In CPI, you cannot use self-signed certificates.
You need to order a certificate from a Certification Authority, which has to be paid for.
Alternatively, for usage within CPI, you can let CPI generate a certificate for you:

Using the SAP BTP Cockpit

1. Go to Subaccount -> Services -> Marketplace
Create instance of Process Integration Runtime with service plan “integration-flow”

2. Create Service Key
Make sure to choose Key Type : Certificate

3. After creation, “view” the content of the service key.

It contains:
- Certificate with: Root – Intermediate – client certificates
- Private key
You can copy and paste the content into 2 files with file extension as .pem
(can be any other extension, as desired)

Then create the pfx file (or .p12) with above commands

Does this help?


Hello Carlos,

Thank you for providing this valuable information. It's much appreciated.

Is this for an inbound connection to SAP CPI? Just to clarify, our current requirement is for an outbound connection from SAP CPI, not an inbound one: we will be triggering the third-party system's API and need to use our private key or PFX file for authentication. We have already shared the SAP CPI certificate with them.

Your insights are still very helpful, and we'll keep them in mind for any future needs.

Best Regards,

Ashish

CarlosRoggan
Product and Topic Expert

Hello Ashish,

Of course, I was thinking you were asking about an inbound connection.
If you want to call a 3rd party system from iFlow, via HTTP Receiver adapter, things are different.
Of course, you can use above approach to obtain key and cert and pfx and upload to CPI Keystore.
then configure it in the Receiver adapter as "client certificate".
However, will the 3rd party system accept it?
Probably not.
This is a question that only the 3rd party can answer.
A client certificate is like a user/password credential; it most probably has to be issued by the 3rd party system.

If they use IAS, then you can let IAS generate a certificate for you.
Anyways, you have to check with them.

Apologies, I cannot provide better info here.

Kind Regards,
Carlos