PGP Package Service

Pretty Good Privacy (PGP) is an open standard data encryption and decryption tool. The PGP Package service, with the PGP Server Manager, encrypts and digitally signs documents by using PGP.

The following table provides an overview of the PGP Package service:

Category Description
System name PGP Package service
Graphical Process Modeler (GPM) category All Services
Description This service encrypts and digitally signs a document based on the Open PGP standard, by using public key or conventional cryptography.
Business usage Use this service to encrypt and sign a document in the document area of process data.
Usage example A business process is executed to encrypt and sign a document, based on the information stored in a PGP profile.
Preconfigured? Yes. A configuration that is called PGP Package Service is installed with Sterling B2B Integrator.
Requires third-party files? No
Platform availability All supported Sterling B2B Integrator platforms, with a supported PGP software version installed that is also supported for the installed version of Sterling B2B Integrator.
Related adapters and services The PGP Package service works with the following services:
  • Command Line Adapter 2
  • PGP Unpackage service
Application requirements Before using this service, install one of the supported PGP software versions. For more information, see Create a PGP Server Profile.
Initiates business processes? This service does not initiate business processes. This service cannot be used without a business process.
Invocation A user who has permission to perform this activity must execute the business process that invokes this service.
Business process context considerations The configuration parameters and the outgoing documents are picked up by the service in the business process context. In the receiving mode, the service puts the incoming documents into the business process context.
Returned status values Returned status values:
  • 0 - Success
  • 1- Error
See Advanced Status Messages for a list of advanced statuses. Exit Codes will be displayed in the Advanced Status column, pre-pended by [PGPErrorCode].
Restrictions None
Persistence level None
Testing considerations Create the profile in the PGP Server Manager. This profile stores information about the PGP server, including PGP Type, PGP Executable, PGP Path, the location of the public key ring, the secret key ring, and the random number seed. It enables you to create key maps for secret key sets and conventional key sets. A pre-defined Command Line Adapter 2 (PGPCmdlineService) is installed with Sterling B2B Integrator. The Command Line Adapter 2 is used for large file support (streaming). Start the remote Command Line 2 client. For more information about enabling and installing the Command Line Adapter 2, see Command Line Adapter 2 (V5.2.4.1 and interim fix 5.2.4.1_2 or later).

Implementing the PGP Package Service

To implement the PGP Package service, complete the following tasks:
  1. Activate your license for the PGP Package service. See Managing Services and Adapters.
  2. Create a PGP profile, using the Sterling B2B Integrator PGP Server Manager. See PGP Server Manager.
  3. Create a PGP Package service configuration. See Managing Services and Adapters.
  4. Configure the service. See Configuring the PGP Package Service.
  5. Use the PGP Package service in a business process.

Configuring the PGP Package Service

Before configuring, consider the following:
  • public_user (if using Public Key Cryptography) or conv_keymap_name (if using Conventional Cryptography) must be present for PGP Package service to perform encryption.
  • secret_keymap_name must be present for PGP Package service to perform signing.
  • To perform encryption and signing, a combination of both the previous statements applies.
  • If public_user and conv_keymap_name appear in the same business process, public key encryption will take precedence.

To configure the PGP Package service, specify settings specify the settings for the fields in the GPM. These fields are described in the following table:

Field Description
Config Name of the service configuration.
workingDir The working directory where files used for encryption and signing will be read from or written to. Optional if the cmdline2svcname field is defined in the Command Line Adapter 2.
remoteName Remote name or IP address where the remote adapter implementation is running. Optional if the cmdline2svcname field is defined in the Command Line Adapter 2.
remotePort Remote port that the remote adapter implementation is listening on. Optional if the cmdline2svcname field is defined in the Command Line Adapter 2.
profile_name Name of PGP profile from the PGP Server Manager. Required.
compress Compression to be done before encryption or signing. Valid value is On. Default is On. Required for encryption and signing.
public_user User name or key ID in the public key ring. Required for encryption (public key cryptography).
secret_keymap_name Key name defined in the secret key ring in the PGP profile. Required for signing (public key cryptography).
conv_keymap_name Key name defined in the public key ring in the PGP profile. Required for encryption (conventional cryptography).
conv_cipher The symmetric cipher to use when performing a conventional encryption operation (that is, conv_keymap_name is used). Valid values are: IDEA, CAST5, 3DES, AES128, AES196, AES256, Twofish. Default is IDEA. Optional.
DocumentId The document identifier referenced to the document to be processed specifically. The default document for processing is the primary document. Optional.
cmdline2svcname If not using the default configuration of the Command Line 2 adapter (PGPCmdlineService), enter the name of the configuration to be used. Optional.
ascii_armor Whether to encode the file with E-Business Server's base-64 encoding (ASCII-armored format). Valid values are On and Off. Default is On. Optional.
textmode Whether the input data is ASCII text and should be converted to canonical new lines before encryption. Valid values are On and Off. Default is Off. Optional.
outputfilename Output file name. For E-Business Server outputfilename must have an extension of .asc or .pgp. If a different extension is used, outputfilename will be appended with .asc. For all versions, if outputfilename is not specified, the file name is retrieved from the name of the primary document or the body name of the document and is appended with the following:
  • *.asc during normal encryption
  • .exe during sda process
  • .pga during pgparchive process
Optional.
pgp_partner_name The partner name used in encryption and signing. If specified, the business process uses the parameters you specify in the selected partner profile. Required if you specify a value in the pgp_sponsor_name parameter. The values you specify in the GPM override the values you specify in the profile.
pgp_sponsor_name The sponsor name used in encryption and signing. If specified, the business process uses the parameters you specify in the selected sponsor profile. Required if you specify a value in the pgp_partner_name parameter. The values you specify in the GPM override the values you specify in the profile.
tmpDir The directory location for temporary scratch files. If not specified, the temporary files are written in the current working directory. If the shell environmental variable TMP is defined, PGP stores temporary files in the named directory. Optional.
clearsig Generates a signed message that can be read without PGP. The recipient must still use PGP to verify the signature. Unencrypted PGP-signed messages have a signature certificate pre-pended in binary form. The signed message is compressed. Therefore, it is unreadable by humans even though it is not encrypted. Cannot be used with EncryptAndSign on the command line. If you enable clearsig, it is recommended you enable ascii_armor and textmode also. Valid values are On and Off. Default is Off. Optional.
info How much information is returned. Valid values are:
  • Quiet - Only displays error messages. Not applicable to PGP Command Line. If selected defaults to normal mode.
  • Normal - Displays warnings and error messages. Default.
  • Verbose - Displays helpful messages, warnings, and error messages. Use this setting to diagnose problems. Not available with all PGP software versions.
  • Debug - Displays developer-level output in addition to the output produced by the other levels. This level may include the display of internal data, statistics, trace information, and return codes from internal functions. Do not use unless instructed to do so. Not applicable to PGP Command Line. If selected, defaults to normal mode.
Optional.
sda Not available with all PGP software versions. Used only when conv_keymap_name is specified. Creates a self-decrypting executable file, which is conventionally encrypted using a passphrase. The resulting file can be decrypted by double-clicking it and entering the passphrase. Used to send encrypted files to people who do not have E-Business Server or PGP Command Line installed. SDA files can be created with any platform that E-Business Server supports, but can be executed only on Windows platforms. To create sda files with PGP Command Line, set the target_platform parameter (described later in this table). The default file extension is .exe.
Note: The sda file cannot exceed 4 GB after compression.
Valid values are On and Off. Default is Off. Optional.
pgparchive Not available with all PGP software versions. Used only when conv_keymap_name is specified. Creates a file that can be decrypted using the archive reader, which can be redistributed freely. Used to send encrypted files to people who do not have E-Business Server or PGP Command Line installed. The default extension is .pga. Valid values are On and Off. Default is Off. Optional.
discard_paths Applicable only with sda or pgparchive. Strips relative path information form the list of files in a sda or pgparchive. During the decryption of the archive, the files are placed in the current directory instead of in subdirectories of the current directory. Optional.
target_platform Applicable only with PGP Command Line and sda. Specifies the platform a sda file can be decrypted on. Valid values are:
  • win32
  • linux
  • solaris
  • aix
  • hpux
  • osx
Default is the current platform. Optional.

Parameters Passed from Service to BP

The following table contains the parameters that are passed from the PGP Package service to the business process:

Parameter Description
Action (PGP/Action) Action of this PGP execution. Valid values are:
  • ENCRYPT
  • ENCRYPT_SIGN
  • SIGN
Required.
FileName (PGP/FileName) Name of the file being processed. Required.
Document (PGP/Document) The processed document is placed in Process Data – not as Primary Document. The attribute is the SCIObjectID, which enables a hyperlink for viewing the content of the processed document. Required.
DocumentId (PGP/DocumentId) Document identifier of the document. Required.
Status (PGP/Status) Process status. Valid values are Success and Error. Required.
ErrorCode (PGP/ErrorCode) Value returned from executing PGP commands. Displayed when the Status is Error. Optional.
ErrorDescription (PGP/ ErrorDescription) This is the error description based on the ErrorCode. Displayed when the Status is Error. Optional.

Business Process Example - Encrypt Operation (Public Key Encryption)

This following business process uses the PGP Package service to encrypt the primary document in the document area. The profile is based on PGP107. In this example, you use the default Command Line2 adapter configuration, PGPCmdlineService, to execute the encrypt command. You want to use the working directory, remote name and port stated in the BPML. Therefore, these values override the pre-configured values in PGPCmdLineService. The public key ID, which must be in the public keyring file specified in the profile, PGP107, is used for encryption. 

<process name="PGP_Encrypt ">
  <sequence name="optional">
   <operation name="One">
      <participant name="PGPPackageService"/>
      <output message="Xout">
              <assign to="." from="*"></assign>
              <assign to="profile_name">PGP107</assign>
              <assign to="compress">on</assign>
              <assign to="workingDir">/server1/tmp</assign>
              <assign to="remoteName">00.000.00.000</assign>	
              <assign to="remotePort">12345</assign>         
              <assign to="public_user">0x2343</assign> 
    </output>
     <input message="Xin">
              <assign to="." from="*"></assign>
     </input>
   </operation>
  </sequence> 
</process>

Business Process Example - Encrypt Operation (Conventional Encryption)

This following business process uses the PGP Package service to encrypt the primary document in the document area of process data. The profile is based on PGP107. In this example, you use the Command Line2 adapter configuration, MyCLA2, to execute the commands. The remote name, port, and working directory are pre-configured in the service configuration. The value of conv_keymap_name, Conv_abc_tp, which must be in the profile's conventional key map, is used for conventional encryption:

<process name="PGP_Encrypt ">
  <sequence name="optional">
   <operation name="One">
      <participant name=" PGPPackageService "/>
      <output message="Xout">
        <assign to="." from="*"></assign>
              <assign to="profile_name">PGP107</assign>
              <assign to="compress">on</assign> 
              <assign to="conv_keymap_name">Conv_abc_tp</assign> 
              <assign to="conv_cipher">CAST5</assign>
              <assign to="cmdline2svcname">MyCLA2</assign> 
    </output>
     <input message="Xin">
              <assign to="." from="*"></assign>
     </input>
   </operation>
  </sequence> 
</process>

Business Process Example - Encrypt and Sign Operation (Public Key Encryption)

The following business process uses the PGP Package service to encrypt and sign the primary document in the document area. For signing, you need to pass in the secret_keymap_name, which must be in the PGP107 profile's secret key map. The public key ID, which must be in the public keyring file specified in the profile, PGP107, is used for encryption. In this example, you choose not to compress the document before signing and encryption.

<process name="PGP_Encrypt_Sign">
  <sequence name="optional">
   <operation name="One">
      <participant name=" PGPPackageService "/>
      <output message="Xout">
        <assign to="." from="*"></assign>
              <assign to="profile_name">PGP107</assign>
              <assign to="compress">off</assign>
              <assign to="workingDir">/server1/tmp</assign>
              <assign to="remoteName">00.000.00.000</assign>	
              <assign to="remotePort">12345</assign>         
              <assign to="public_user">0x2343</assign>
              <assign to="secret_keymap_name">my_secret</assign> 
</output>
    <input message="Xin">
              <assign to="." from="*"></assign>
     </input>
   </operation>
  </sequence> 
</process>

Business Process Example - Encrypt and Sign Operation (Conventional Encryption)

The following business process uses PGP Package Service to encrypt and sign the Primary Document in the document area. For signing, the user needs to pass in the secret_keymap_name, which must be present in the PGP107 profile's Secret Key Map. The value of conv_keymap_name, Conv_abc_tp, which must be present in the Profile's Conventional Key Map, is used for conventional encryption. The user chooses not to compress the document before signing and encryption.

<process name="PGP_Encrypt_Sign">
 <sequence name="optional">
    <operation name="One">
      <participant name=" PGPPackageService "/>
      <output message="Xout">
              <assign to="profile_name">PGP107</assign>
              <assign to="compress">off</assign>
              <assign to="workingDir">/localsvr/share/tmp</assign>
              <assign to="remoteName">nn.nnn.nn.nnn</assign>               
              <assign to="remotePort">xxxxx</assign>         
              <assign to="conv_keymap_name">Conv_abc_tp</assign> 
              <assign to="conv_cipher">CAST5</assign>
              <assign to="secret_keymap_name">si_secret</assign>
              <assign to="." from="*"></assign>
     </output>
    <input message="Xin">
        <assign to="." from="*"></assign>
     </input>
   </operation>
  </sequence> 
</process>

Business Process Example - Encrypt Operation (Public Key Encryption) Using a Specific Document ID

The following business process uses the PGP Package service to encrypt a document, with the document ID columbia:1774b9b:feaea8ae12:-6ea8 in the document area.

<process name="PGP_Encrypt ">
 <sequence name="optional">
    <operation name="One"> PGPPackageService
      <participant name="PGPPackageService"/>
      <output message="Xout">
              <assign to="." from="*"></assign>
              <assign to="profile_name">PGP107</assign>
              <assign to="compress">on</assign>
              <assign to="workingDir">/server1/tmp</assign>
              <assign to="remoteName">00.000.00.000</assign>	
              <assign to="remotePort">12345</assign>   
              <assign to="public_user">0x2343</assign>
              <assign to="DocumentId">columbia:1774b9b:feaea8ae12:
                          -6ea8</assign>
    </output>
     <input message="Xin">
              <assign to="." from="*"></assign>
     </input>
   </operation>
  </sequence> 
</process>

Business Process Example - Sign Operation

The following business process uses the PGP Package service to sign the primary document in the document area.

<process name="PGP_Sign ">
  <sequence name="optional">
   <operation name="One">
      <participant name="PGPPackageService"/>
      <output message="Xout">
        <assign to="." from="*"></assign>
              <assign to="profile_name">PGP107</assign>
              <assign to="compress">on</assign>
              <assign to="workingDir">/server1/tmp</assign>
              <assign to="remoteName">00.000.00.000</assign>	
              <assign to="remotePort">12345</assign>         
              <assign to="secret_keymap_name">my_secret</assign>
    </output>
     <input message="Xin">
              <assign to="." from="*"></assign>
     </input>
   </operation>
  </sequence> 
</process>

Business Process Example - OnFault Handling

The following business process shows the onFault handling for the PGP Package service.

<process name="PGP_Sign ">
 <sequence name="optional">
    <operation name="One">
      <participant name="PGPPackageService"/>
     <output message="Xout">
			<assign to="profile_name">PGP107</assign>
			<assign to="compress">on</assign>
			<assign to="workingDir">/localsvr/share/tmp</assign>
			<assign to="remoteName">nn.nnn.nn.nnn</assign>         	
			<assign to="remotePort">12345</assign>         
			<assign to="secret_keymap_name">si_secret</assign>
			<assign to="." from="*"></assign>
     </output>
    <input message="Xin">
        <assign to="." from="*"></assign>
     </input>
   </operation>
  		<assign to="Status">The file is signed successfully</assign>
   <onFault>
      <assign to="Status">General Error Occurred</assign>
    </onFault>
   <onFault code="[PGPErrorCode] Signature Check error">
     <assign to="Status">Incorrect signature</assign>
   </onFault>
  </sequence> 
</process>

Business Process Example - PGP Partner and PGP Sponsor

The following business process uses the PGP Partner and PGP Sponsor services to encrypt and sign documents.

<process name="use_partner_sponsor">
  <operation name="PGP Package Service">
    <participant name="PGPPackageService"/>
        <output message="PGPPackageServiceTypeInputMessage">
     <assign to="pgp_partner_name">partner</assign>
     <assign to="pgp_sponsor_name">sponsor</assign>
     <assign to="profile_name">pgp</assign>
     <assign to="." from="*"></assign>
   </output>
    <input message="inmsg">
     <assign to="." from="*"></assign>
   </input>
  </operation> 
</process>

Advanced Status Messages

The following table contains exit codes from E-Business Server. The content of the Description field is displayed in the Advanced Status column, preceded by [PGPErrorCode]:

Status Description
0 Exit OK, no error
1 Invalid file
2 File not found
3 Unknown file
4 Batch mode error
5 Bad argument
6 Process Interrupted
7 Out of memory error
8 Environment error
20 Signature error
21 Public Key Encryption error
22 Encryption error
23 Compression error
30 Signature Check error
31 Public Key Decryption error
32 Decryption error
33 Decompression error
34 Keyring locked error
101 File parsing error

The following table contains exit codes from PGP Command Line. The content of the Description field is displayed in the Advanced Status column, preceded by [PGPErrorCode]:

Status Description
0 PGP Command Line exited successfully.
64 Parser error.
71 Bad data was received from the operating system at startup.
128 An internal error occurred.
129 An initialization failure occurred on startup.
130 A user interrupt occurred.
145 Error purging a cache: passphrase, keyring, or both.
146 Error creating keyring files.
147 Error during a speed test operation.
160 Complete failure during a file wipe.
161 Partial fail, partial success during a file wipe (one file wiped, one not, for example).
162 Complete failure during an encode.
163 Partial failure during an encode.
164 Complete failure during a decode.
165 Partial failure during a decode.
210 Error during one of the key list operations.
220 Error during key maintenance.
221 Error when checking signatures.
222 Error when checking user IDs.
230 Error during one of the key edit operations.
240 Error during one of the key server operations.
245 Error with supplied license.
251 License is expired.
255 An unknown error occurred.

The following table contains errors that result from the PGP Package service when it validates information before executing PGP commands on the remote server. The content of the status field will be displayed in the Advanced Status column:

Status Description
Error in accessing the document with a given DocumentId The DocumentId value given in the BPML is incorrect.
Fail to get data from Primary Document.: There is no Primary Document Primary Document is mandatory.
Incorrect Profile Name in BPML Param: 'profile_name'. It is not found in the PGP Server Manager The profile_name value given in the BPML is incorrect.
Incorrect Key Name (BPML Param: 'secret_keymap_name'). It is not found in the PGP Profile's Secret KeyMap The secret_keymap_name value given in the BPML is incorrect.
Incorrect Key Name (BPML Param: 'conv_keymap_name'). It is not found in the PGP Profile's Conventional KeyMap The conv_keymap_name value given in the BPML is incorrect.