By Srikanth Srinivasan
In
this article, I have tried to explain, in a step-by-step fashion, on how to build
a scenario that involves PGP encryption. In my view, anyone who is reading this
blog is already expected to be fluent in creation of regular objects in iSM
such as channels, inlets & listeners, routes & pFlows and outlets &
emitters. Hence, we will not deep-dive into their nitty-gritty.
Entities
Involved:
è iWay Service Manager 6.1.9;
è iWay Integration Tool;
è A tool to generate PGP keys, I am
using Kleoptra;
è Text editor;
Keywords
& Extensions:
.PGP [Pretty
Good Privacy], iSM [iWay Service Manager], iIT [iWay Integration Tool]
Assumptions:
èBasic knowledge on using iSM;
Procedure:
There are three
sections in implementing this scenario.
Section-1: Create PGP Keys
Launch Kleopatra
and choose File – New Certificate from the menu bar, like seen in the following
image:
Upon selecting a New Certificate option from the menu, select "Create a Personal OpenPGP Key Pair" and cofnigure the values for your keys, as seen in the screens below:
Provide passphrase when prompted during the course of key generation which will land in screen like what is seen the following image to indicate successful end of activity.
Now that wehave successfully created a key, take a back-up copy of your key pair by choosing "Making a Backup of Your Key Pair" option from the screen seen above. The next step will prompt for a destination location, provide one and store it with ".pgp" extension.
Note: The extension ".pgp" does seem to matter as the tool seem to produce the content based on the extension. Feel free to try with other options.
For those who wonder, what is the "ASCII armor" option - it is a feature that encodes the encrypted machine-only-readable secret key into ASCII form which will look a base64 content. Feel free to try with the option checked & unchecked and open both files in a text editor to see the difference yourselves.
We now have a qualified version of secret key which will later be used for decryption of data in this article. Now, let us try & export the public key and save it with ".pgp" extension. Public key can be exported by selecting the keypair entry in Kleoptra, right-clicking on it and choosing "Export Certificates", like seen in the screen below.
Provide a destination location when prompted.
Finally, make a note of the "User-ID" [the email id is user-id here] & "Key-ID" of the secret key we just produced. Open the key and look for them as seen in the screen below:
Section-2: Create an Inbound & Outbound
scenario
Alright, now lets head back to design-mode. We first create an Outbound scenario to build an encrypted data and emit then. Then we create an Inbound scenario to receive & decrypted incoming data.
Outbound:
Launch
iIT and create a simple pFlow that has PGPEncrypt Agent for encryption. Supply the values for properties of PGPEncrypt Agent accordingly. There are four sections in the agent, namely, General, Signature, Compression & Encryption.
The first section, General, lets us choose the type of output the agent should produce. That is, in encrypted machine-only-readable format or in ASCII format. We can set the Armor property to true when we transmit the data over HTTP or SOAP, as in my opinion, the receiving party will get the data as we send it, if they are in parsable format.
The second section, Signature, can used to sign the content to send it out for transmisison. We'll not use this feature in this article, feel free to try it out.
The third section, Compression, as self-explanatory can be used to compress the content of the PGP encrypted message. We'll use this here.
The fourth & the last section, Encryption, is the section we will use the public key we generated in section 1. Every encryption is regarded as a session and they can have a session key for every encryption. The agent has a provision to mention a session key for encryption. If configured with a session key, the same key should be provided in the decryption agent. My configuration of PGPEncrypt looks like this:
Create an emitter [the type of emittter should be the type of the listener in the Inbound scenario] in the pFlow, publish to the registry. Feel free to build the pFlow according to your need. My version of the pFlow looks like this:
Create a channel and other dependant components, build and deploy the channel on a managed server.
Inbound:
Create a simple pFlow that will handle the incoming encrypted message. It can simply have a PGPDecrypt Agent and a File emitter to store the decrypted content.
The PGPDecrypt Agent has two sections and they are Decryption & Signature Verification.
The first section, Decryption, should be configured with the secret key we generated in section 1 along with its passphrase and a session key if the encrypted data should require one.
The second section, Signature verification, will be used to verify the signature of the content, if it was signed during packaging & encryption. We are using it here as we have not signed out content.
Create a file emitter next to it, to store the decrypted content and publish the pFlow to the registry. Feel free to build the pFlow according to your need. My version of the pFlow looks like this:
Create a channel and other dependant components, build and deploy the channel on a managed server.
Section-3: Publish, Build, Deploy & Test
our efforts
Test our efforts. Following screens are samples of an input file, a pgp secret key file and a pgp public key file.
Sample input file:
Sample PGP secret key file [un-armored]:
Sample PGP secret key file [armored]:
Sample PGP public key file [un-armored]:
Until something interesting next time, Good luck!
No comments:
Post a Comment