Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
franz_forsthofer
Employee
Employee
In SAP Cloud Integration, you can upload a PGP secring.gpg for using secret keys in the PGP decryption or encryption step of your integration flow. The SAP help documentation describes how to export and import PGP public keys with the help of the Gnu Privacy Assistant. Yet, there are no details on how to export and import PGP secret keys. Here, we provide a step by step description on how to import and export PGP secret keys from a PGP secring deployed on your Cloud Integration tenant via the GPG command line tool. Furthermore, we also provide a description on how to change the password of a secret key.

Prerequisites



  • You have a SAP Cloud Integration tenant and you have a user for the WEB UI of your Cloud Integration tenant with Administrator permission (AuthGroup.Administrator for NEO environment or AuthGroup_Administrator for the Cloud Foundry environment).

  • You’ve already deployed a secret keyring to your Cloud Integration tenant.

  • You’ve installed the GPG tool (Version 2.3.4 as described in https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/b55c02524afc42cd99086a16871...) on your Windows machine.


Export a PGP Secret Key


Download your PGP secret keyring from the Cloud Integration WEB UI using the Administrator user. The downloaded file must have the name "secring.gpg".

In case you got the PGP secret keyring "secring.gpg" from somewhere else (because you want to add the secret keys of this secring to the secring uploaded to your Cloud Integration tenant), you can use also the following steps to first export the secret keys and you can use the commands of the following chapter "Import PGP Secret Key" to import the secret keys.

  1. Enter the downloaded file secring.gpg into an empty directory. In the following, we assume that the directory path is given by C:/source.

  2. List the content of the secring with the following gpg command:
    ​gpg  --homedir=C:/source --list-secret-keys

    Example output of the command:
    ...
    C:/source/secring.gpg
    ---------------------
    sec 2048R/BBB29842 2021-01-17
    uid source <souce@source.com>
    ssb 2048R/64FACE2B 2021-01-17​


  3. Find out the uid (user ID) of the secret key you want to export. You can see the uid(s) of the secret keys from the output display of the previous command. In the example above, we only have one secret key with uid="source <souce@source.com>". We will use this uid in the following command.

  4. Export the secret key with the found uid with the following command into a file (below we use the file name "my-secret-key.pem"):
    gpg  --homedir=C:/source --armor --export-secret-key "source <souce@source.com" > my-secret-key.pem​



You can now use the exported file "my-secret-key.pem" in the following chapter to import the secret key into another PGP secring.

Import PGP Secret Key


You now need the secrete key file which was produced in a similar why as shown in the previous chapter "Export a PGP Secret Key".  In the following, we assume that you have such kind of file with the name "my-secret-key.pem" in the directory where you execute the gpg commands. Execute the following commands to import a PGP secret key into a PGP secret keyring with the name "secring.gpg". For example, you can get the secring.gpg by downloading this file from your Cloud Integration tenant.

  1. Store the PGP secret keyring with the name "secring.gpg" into the empty directory C:/target. You can also choose another directory name but keep in mind that the following commands assume that the directory name is C:/target.

  2. List the secret keys which are already contained in the PGP secret keyring:
    gpg  --homedir=C:/target --list-secret-keys​

    Output Example of this command:
    C:/target/secring.gpg
    ---------------------
    sec 2048R/5D629E05 2021-01-17
    uid target <target@target.com>
    ssb 2048R/18A00B85 2021-01-17


  3. Import the secret key (as an example, we use the file "my-secret-key.pem" which contains the secret key):
    gpg --homedir=C:/target --import my-secret-key.pem​

    Output Example of this command:
    gpg: key BBB29842: secret key imported
    gpg: key BBB29842: public key "source <souce@source.com>" imported
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)
    gpg: secret keys read: 1
    gpg: secret keys imported: 1​


  4. List the secret keys of the PGP secret keyring to check whether successful import was successful:
    gpg  --homedir=C:/target --list-secret-keys​

    Output example of the command:
    C:/target/secring.gpg
    ---------------------
    sec 2048R/5D629E05 2021-01-17
    uid target <target@target.com>
    ssb 2048R/18A00B85 2021-01-17

    sec 2048R/BBB29842 2021-01-17
    uid source <souce@source.com>
    ssb 2048R/64FACE2B 2021-01-17​



Once you’ve imported all the secret keys you need, you can use the PGP secret keyring file secring.gpg for uploading into the Cloud Integration tenant. Note: All secret keys in the secret keyring must have the same password. If this is not the case, read the following chapter on how to change the password of a secret key in a PGP secret keyring.

Change Secret Key Password


In the following, we assume that you have a secret keyring with the name secring.gpg in the folder C:/target and that you want to change the password of a the secret key in this keyring.

We use the tool GNU Privacy Assistant which provides a UI.

Prerequisites:

Now execute the following steps:

  1. Execute run_gpa.bat in the folder C:/target. You will get the following UI:

  2. Select the private key for which you want to change the password and right-click it. From the menu, choose the option "Edit Private Key...". The following pop-up appears:

  3. Now, select “Change passphrase" and follow the instructions.


After you have adapted the passwords of the secret keys you can upload the secring.gpg file to your Cloud Integration tenant.

 
2 Comments