SAP Knowledge Base Article - Public

2296971 - Generating PGP Keys

Symptom

  • What is PGP and how does it work in SuccessFactors?
  • Customer wants to encrypt their Data
  • Customer requests public key

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors HXM Suite

Resolution

What is PGP?

PGP is a key based encryption/authentication process. It allows users to publicly share keys that are used to sign and/or encrypt messages and data. At SuccessFactors, we only use the encryption function.

How does PGP work?

A user or his company needs to install PGP software. They can also use the compatible GPG (Open Source) software. After the install, the user can create their own keys and install keys provided by business partners. Every key comes in two parts. The Public key that can be shared with partners or even posted publicly somewhere for anyone to access. The Private key that should be kept secure on the system where it was created.

The two keys are used for two different purposes.

  • The Public key is used to Encrypt data you are sending.
  • The Private key is used to Decrypt data you receive.

So any of your business partners can use your Public key to encrypt data they send you. They can safely send the file over a public network. Only you are able to decrypt it.

Working with PGP Keys at SuccessFactors 

SuccessFactors has included the Managing PGP Keys screen in Provisioning. This screen has two sections that relate to the two keys discussed earlier.

SalesDemo.png

IMPORTANT: The first 3 sections of File Encryption Key page in Provisioning (Generate Ecryption Key, Generated Key, Export Encryption Key) will be disabled in the coming b2105 release and will now be a self-service option via Security Center. The "Import encryption key" option will still be available in provisioning, which is used for uploading PGP keys for encrypting export files in BizX (Scheduled FTP export jobs). More details at the bottom of the page.

Generate Key

The first 3 sections of the screen allows us to generate (a private/public key pair) and export the Public key our customer will use to encrypt data before sending it to us.

  • Generate Key creates a new key. We offer two key options. The DSA option creates a 512 bit key. The RSA option creates a 2048 bit key;
  • Choose the RSA key when creating a new one. The smaller DSA key only exists for backwards compatibility. The few customers who require DSA will actually ask for it;
  • Do not generate a new key if one is already listed in the Generated Key Section;
  • The Generated Key area list the key type, key fingerprint and creation date. The last two items can be used to validate that our customer has installed our key properly;
  • Use Remove Key with caution. There is normally never any reason to do this. Once the key is removed, there is no way to recover it. Any customer data encrypted with it won’t be able to be decrypted;
  • Export Key button creates a Public key file you can save and send to the customer. This can be sent in plain email;
  • The Export Key button does not create a key that we can import into another instance;
  • NOTE: After a key has been generated, we can only export the public key from Provisioning however Support has no access to the Private Key or the Passphrase. This is to safeguard your data.
    As a result this screen is NOT suitable for generating keys to use with LMS;
  • To generate a Private / Public Key pair for LMS, it can be done manually by the customer or via a paid engagement (Professional services or customer consultant)

Import Key

The last section allows us to import Public Keys sent by our customers. We will use these to encrypt data we send to them.
Note: Multiple keys can be installed here. They will ALL be used to encrypt data we send. However ANY ONE of them can be used to decrypt the data.

  • Browse on your PC for the Public key file the customer sent you;
  • Select Import Key to install it in provisioning;
  • The key will appear in the list. We can share the UserName, Creation Date and Fingerprint info with a customer questioning if we have the correct key installed;
  • As noted earlier, it’s OK to install multiple keys here;
  • There is no way to export these keys. We can install customer provided keys in multiple instances only if we still have their original key file;
  • It’s OK to remove unused keys. Please be sure they are truly not needed. There is no way to recover them. To remove, select the checkbox and hit Remove Key;
  • We no longer provide or install the old SF PGP key. While it’s still in use for many of our existing customers there is never a reason to use it for a new one;
  • For LMS, this is where the public key generated will be imported so that the BizX scheduled jobs encrypt the file with the right key (LMS connector will then decrypt the file using the private key setup on LMS). For more information on LMS encryption setup please check the references section of this KBA.
  • Both .asc and .pgp file extensions are accepted
  • If Provisioning does not accept the .asc extension, please convert the file to .pgp extension
  • Ensure the file does not contain any spaces as this will cause failutre with the following "Failed to upload the PGP key filename"

How to request a key or to import a key on SuccessFactors?

Please engage your Implementation Partner or Customer Support under the component LOD-SF-PLT-JOBS. To request the generation, please inform:

  • The Company ID of the instance;
  • The type of the key (RSA/DSA).

Note : We recommend that you create an RSA key, for a DSA key is smaller and only for backwards compatibility.

To request the import of the key, please inform:

  • The Company ID of the instance;
  • Attach the key file in the ticket.


New in b2105 release

  • Only applicable for Preview Data Centers. Further updates on the availability of the self-service option for generating PGP keys will be shared on this KBA.
  • For the other data centers not mentioned, you may continue to use the Managing PGP keys option from Provisioning UI.

Generate PGP Keys for Scheduled Jobs in Security Center

As a company administrator, you can now generate PGP keys used in scheduled Import jobs by using Security Center. Note* PGP keys for Export Jobs are still configured in Provisioning.

You can export or remove the newly generated keys and the PGP keys previously generated through Provisioning in Security Center. Prior to b2105, PGP keys used in scheduled jobs could only be generated and managed in Provisioning with the help of SAP Cloud Support.

We built this feature so that you can generate and manage PGP key used in scheduled jobs on your own. For more details are available in SAP help Portal PGP Keys Used in Scheduled Jobs.

Note : In Security Center, you can only generate PGP keys of the RSA type. The DSA type was removed from options due to security enhancements. But the DSA keys previously generated through Provisioning are still valid for use.

Role-Based Permission Prerequisites

Grant permission: Administrator > Manage Security Center > Access to Other Keys
Ensure that you have either the View or the Create, Edit & Delete permission.

Configuration Requirements

This feature is enabled in phases. If you go to Admin Center >  Security Center > Other Keys, and can see the Scheduled Job Key checkbox when creating or editing a decryption key (PGP), then the feature is enabled in your instance. This will result with the PGP keys generation, test, and export features in Provisioning to be disabled.

How to generate PGP keys for Scheduled Import jobs in Security Center?

- Go to Admin Center.

- Go to Security Center, click "Other Keys".

- Click "Add" and choose the category "Decryption Key (PGP)".

- Tick the box "Scheduled Job Key".

- Click "Generate and Save" on the upper right-hand side of the screen

Note* An issue has been identified when generating a new PGP key. The fingerprint doesn't show unless you refreshed it or go to a different page and get back to the key you created. This behavior is already reported to our engineering team.

See Also

2361997 - How to use PGP encryption in LMS connectors

SAP Guide : Managing Scheduled Jobs

Keywords

PGP, Encryption, Securing Data, Scheduled Jobs, Decrypt, Data, Public Key, Private Key , KBA , LOD-SF-PLT-PGP , PGP Encryption , LOD-SF-PLT-SFTP , LOD-SF-PLT-SFTP , LOD-SF-INT-INC , Integration Center , How To

Product

SAP SuccessFactors HXM Suite all versions