SAP Knowledge Base Article - Public

2296971 - Generating and Importing PGP Keys

Symptom

  • What is PGP and how does it work in SuccessFactors?
  • Customer wants to encrypt their data
  • How to generate a Public Key

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors HXM Suite

Resolution

What is PGP?

PGP is a key-based encryption/authentication process. It allows users to publicly share keys that are used to sign and/or encrypt messages and data. At SuccessFactors, we only use the encryption function.

As part of the b2105 release, the options Generate Encryption Key, Generated Key and Export Encryption Key have been disabled in Provisioning. The feature is now a self-service option via Security Center. The "Import encryption key" option is still available in Provisioning; it is used for uploading PGP keys that encrypt export files in BizX (scheduled FTP export jobs only).

How does PGP work?

A user or company needs to install PGP software, or the compatible open-source GPG software. After the install, the user can create their own keys and install keys provided by business partners. Every key comes in two parts: the public key, which can be shared with partners or even posted publicly for anyone to access, and the private key, which should be kept secure on the system where it was created.

The two keys are used for two different purposes.

  • The Public key is used to Encrypt data you are sending.
  • The Private key is used to Decrypt data you receive.

So any of your business partners can use your Public key to encrypt data they send you. They can safely send the file over a public network. Only you are able to decrypt it.

Working with PGP Keys at SuccessFactors

SuccessFactors provides the Managing PGP Keys screen in Admin Center > Security Center > Other Keys; see the SAP Help topic PGP Keys Used in Scheduled Jobs.

Generate PGP Keys for Scheduled Jobs in Security Center

As a company administrator, you can now generate the PGP keys used in scheduled import jobs by using Security Center. Note: PGP keys for export jobs are still configured in Provisioning.

When the key is migrated to Security Center, the existing public key that was downloaded from Provisioning in the past will continue to work with the import jobs; no additional action is required.

You can export or remove the newly generated keys and the PGP keys previously generated through Provisioning in Security Center.

We built this feature so that you can generate and manage the PGP keys used in scheduled jobs on your own. More details are available in the SAP Help Portal topic PGP Keys Used in Scheduled Jobs.

Note: In Security Center, you can only generate PGP keys of the RSA type. The DSA type was removed from the options due to security enhancements, but DSA keys previously generated through Provisioning are still valid for use.

Role-Based Permission Prerequisites

Grant permission: Administrator > Manage Security Center > Access to Other Keys
Ensure that you have either the View or the Create, Edit & Delete permission.

Configuration Requirements

Navigate to Admin Center > Security Center > Other Keys. If you can see the Scheduled Job Key checkbox when creating or editing a decryption key (PGP), the feature is enabled in your instance.

How to generate a PGP key for scheduled import jobs in Security Center?

  1. Go to Admin Center.
  2. Go to Security Center, click "Other Keys".
  3. Click "Add" and choose the category "Decryption Key (PGP)".
  4. Tick the box "Scheduled Job Key".
  5. Click "Generate and Save" on the upper right-hand side of the screen (see screenshot below).

Important Notes:

  • Do not generate a new key if one is already listed in the Generated Key section. You can create only one decryption key for scheduled jobs.
  • In Security Center, you can only generate PGP keys of the RSA type. The DSA type was removed from the options due to security enhancements, but DSA keys previously generated through Provisioning are still valid for use.
  • Use Delete Key with caution. There is normally never any reason to do this. Once the key is removed, it cannot be recovered. Consequently, any inbound integrations that rely on the deleted decryption key will be unable to decrypt customer data encrypted with the corresponding encryption key. Therefore, carefully evaluate the necessity of deleting the key before proceeding.
  • The PGP key downloaded from Security Center is in ASCII Armor format (a stream of printable ASCII characters), instead of the format used for the PGP key exported from Provisioning (a raw 8-bit binary octet stream). You can convert the key format if necessary.
  • The ASCII-armored format (.asc) is not supported in the decryption process.
  • After a key has been generated, Support can only export the public key from Provisioning; Support has no access to the private key or the passphrase. This is to safeguard your data. As a result, this screen is NOT suitable for generating keys to use with LMS.
  • To generate a private/public key pair for LMS, the customer can do so manually or via a paid engagement (Professional Services or a customer consultant).

[Screenshot: PGP.jpg]

How to Import Key

The PGP keys used in file export jobs are still managed from Provisioning -> Managing PGP Keys.

[Screenshot: Prov PGP.jpg]

Note: Multiple keys can be installed here. They will ALL be used to encrypt data we send. However ANY ONE of them can be used to decrypt the data.

  • Browse on your PC for the Public key file the customer sent you;
  • Select Import Key to install it in provisioning;
  • The key will appear in the list. We can share the UserName, Creation Date and Fingerprint info with a customer questioning if we have the correct key installed;
  • As noted earlier, it’s OK to install multiple keys here;
  • There is no way to export these keys. We can install customer provided keys in multiple instances only if we still have their original key file;
  • It's OK to remove unused keys. Please be sure they are truly not needed and that you have the customer's explicit approval. There is no way to recover them. To remove, select the checkbox and hit Remove Key;
  • We no longer provide or install the old SF PGP key. While it’s still in use for many of our existing customers there is never a reason to use it for a new one;
  • For LMS, this is where the public key generated will be imported so that the BizX scheduled jobs encrypt the file with the right key (LMS connector will then decrypt the file using the private key setup on LMS). For more information on LMS encryption setup please check the references section of this KBA.
  • Both .asc and .pgp file extensions are accepted.

How to request the import of a key on SuccessFactors?

Please engage your Implementation Partner or Customer Support under the component LOD-SF-PLT-JOBS. To request the import of the key, please provide:

  • The Company ID of the instance;
  • The key file, attached to the ticket.

Known Issues

  1. If Provisioning does not accept the .asc extension, convert the file to the .pgp extension.
  2. Ensure the file does not contain any spaces, as this will cause a failure with the following message: "Failed to upload the PGP key filename".
  3. One customer reported an isolated case where old PGP keys were still being used instead of the newly imported PGP keys (see the internal memo for support engineers).

FAQ:

  1. Is there a possibility to have a backup of the "Decryption Key" in Security Center -> Other Keys? -> As of now, there is no plan to provide an option to back up the private key, due to security concerns.

See Also

2361997 - How to use PGP encryption in LMS connectors

SAP Guide : Managing Scheduled Jobs

Keywords

PGP, Encryption, Securing Data, Scheduled Jobs, Decrypt, Data, Public Key, Private Key , KBA , LOD-SF-PLT-PGP , PGP Encryption , LOD-SF-INT-INC , Integration Center , How To

Product

SAP SuccessFactors HCM all versions