PGP decryption in Sterling File Gateway
Pretty Good Privacy (PGP) is a program developed by Phil Zimmermann to encrypt/decrypt and sign data. There are several commercial and non-commercial implementations available.
In this article we describe how PGP can be used by Sterling File Gateway (SFG) to decrypt a PGP-encrypted file.
We assume that the reader is familiar with PGP and with the basic functionality of SFG, such as creating communities, partners, and routing channels (templates).
Decryption scenario
A PGP-encrypted file is put in the mailbox of the producer trading partner gwsProvider1 via FTP. This file is decrypted by SFG and put in the mailbox of an (internal) consumer trading partner gwsConsumer1. The decrypted file is then transferred via FTP to a destination directory.
In our scenario we are using GNU Privacy Guard (GnuPG or GPG) as an implementation of PGP. GnuPG is part of the GNU Project and is available under the GNU GPLv3 license. GnuPG version 2 is supported by ISBI 5.2.6 and higher.
We run this scenario with SFG 2.2.6.2 and DB2 10.1 on RHEL 6.1.
The GnuPG version and the algorithms it supports are shown by the gpg --version command:
$ gpg --version
gpg (GnuPG) 2.0.14
libgcrypt 1.4.5
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
To list the keys in your gpg public key ring:
$ gpg --list-keys
/home/siadmin/.gnupg/pubring.gpg
--------------------------------
pub 2048R/F045694C 2017-01-21
uid Joe User (gws10) <joe.user@example.net>
sub 2048R/BEB1234A 2017-01-21
1) Create PGP Server Profile AFTPGPProfile and configure gpg:
First of all we need to create the PGP server profile named AFTPGPProfile. The profile needs to have exactly this fixed name to get PGP working with SFG.
Go to the IBM Sterling B2B Integrator (ISBI) Dashboard (not the SFG UI):
ISBI Dashboard > Trading Partner > PGP > PGP Server Manager > Create
Create a new PGP Server Profile called AFTPGPProfile (the name of the PGP Server Profile must be exactly AFTPGPProfile).
When creating the AFTPGPProfile you need to add Secret Key Map Information (Decryption or Sign) to your profile. Click “New Secret Key Map” and make the following settings:
Key Name is the name that is later used in the community configuration for referencing the PGP key.
Key ID is the hexadecimal key ID as shown by gpg --list-keys (F045694C in the listing above), and the passphrase is the one that was set when the gpg key pair was created.
2) Configure PGPCmdlineService Command Line Adapter 2 service
In ISBI Dashboard > Deployment > Services > Configuration
Edit the PGPCmdlineService configuration:
After configuring the service, ensure that the service is enabled.
The port in the configuration of the PGPCmdlineService is the CLA2 port given in the sandbox.cfg file. Also set LAUNCH_CLA2_SERVER=true in sandbox.cfg. This starts the CLA2 server which is a prerequisite for getting the PGPCmdlineService to work. In order to get the setting LAUNCH_CLA2_SERVER=true in sandbox.cfg to work you need to stop ISBI and run setupfiles.sh (Linux/Unix) or setupfiles.cmd (Windows) and then restart ISBI.
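Steps 1 and 2 both depend on things that are easy to get wrong silently: the Key ID entered in the Secret Key Map, the passphrase stored with it, and the LAUNCH_CLA2_SERVER setting in sandbox.cfg. The following pre-flight script is an added example, not part of the original article and not code shipped with SFG or ISBI. It assumes a GnuPG 2.0-style gpg --list-keys listing (the format shown above; the function names and the sample listing are constructed for this example), reads the key ID from that listing, checks sandbox.cfg, and optionally performs the same unattended decryption that SFG has to perform, passing the passphrase on a file descriptor rather than on the command line so it does not show up in the process list.

```shell
#!/bin/sh
# Pre-flight checks for the SFG PGP decryption set-up (added example, not part
# of the original article, SFG or ISBI). Assumes GnuPG 2 is installed and that
# gpg --list-keys prints the GnuPG 2.0 format shown in the article
# ("pub 2048R/F045694C 2017-01-21"); newer GnuPG versions print the key ID on a
# separate line and would need a different parser.

# Print the hexadecimal key ID from the first "pub" line of a plain
# gpg --list-keys listing, e.g. "pub 2048R/F045694C 2017-01-21" -> "F045694C".
# This is the value entered as "Key ID" in the AFTPGPProfile Secret Key Map.
# Usage: gpg --list-keys | pgp_key_id_from_listing
pgp_key_id_from_listing() {
    sed -n 's/^pub[[:space:]]*[0-9]*[A-Za-z]\/\([0-9A-Fa-f]\{8,16\}\).*/\1/p' | head -n 1
}

# Return 0 when sandbox.cfg enables the CLA2 server, 1 otherwise.
# Usage: cla2_enabled /path/to/sandbox.cfg
cla2_enabled() {
    grep -q '^LAUNCH_CLA2_SERVER=true$' "$1"
}

# Perform the unattended decryption SFG will have to perform with the stored
# passphrase. The passphrase is fed on stdin (--passphrase-fd 0) instead of a
# command-line argument, so it is not visible in "ps" output.
# Returns gpg's exit status; on success the plaintext is written to $3.
# Usage: gpg_decrypt_check input.pgp "passphrase" output.txt
gpg_decrypt_check() {
    printf '%s\n' "$2" | gpg --batch --yes --passphrase-fd 0 --output "$3" --decrypt "$1"
}

# Constructed sample listing in the format shown earlier in the article,
# used to exercise the parser without a real keyring.
SAMPLE_LISTING='/home/siadmin/.gnupg/pubring.gpg
--------------------------------
pub 2048R/F045694C 2017-01-21
uid Joe User (gws10) <joe.user@example.net>
sub 2048R/BEB1234A 2017-01-21'

# Run all checks: key ID from the real keyring, CLA2 setting, optional decryption.
# Usage: preflight /path/to/sandbox.cfg [input.pgp passphrase output.txt]
preflight() {
    cfg=$1
    key_id=$(gpg --list-keys | pgp_key_id_from_listing)
    if [ -z "$key_id" ]; then
        echo "no public key found in the gpg keyring of user $(id -un)" >&2
        return 1
    fi
    echo "Key ID to enter in the Secret Key Map: $key_id"
    if cla2_enabled "$cfg"; then
        echo "LAUNCH_CLA2_SERVER=true is set in $cfg"
    else
        echo "LAUNCH_CLA2_SERVER=true is missing in $cfg: set it, stop ISBI, run setupfiles.sh, restart ISBI" >&2
        return 1
    fi
    if [ "$#" -ge 4 ]; then
        gpg_decrypt_check "$2" "$3" "$4" && echo "decryption with the stored passphrase works: $4"
    fi
}

# Invoke as: sh preflight.sh /path/to/sandbox.cfg [input.pgp passphrase output.txt]
if [ "$#" -ge 1 ]; then
    preflight "$@"
fi
```

Run the script as the OS user that starts ISBI, because the CLA2 server invokes gpg with that user's keyring (Home: ~/.gnupg in the gpg --version output above): the secret key matching the Key ID, and the passphrase entered in the Secret Key Map, must be usable from there, otherwise the PGPCmdlineService fails even though the profile looks correct in the UI.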
3) Create the Community gwsCommunityA
In the SFG UI in the main menu go to Participants > Communities and click on the “add” button.
Add a community called gwsCommunityA and fill out all relevant information for this community:
4) Create Producer trading partner gwsProvider1
In SFG go to Participants > Partners and create partner gwsProvider1. During creation add gwsProvider1 to community gwsCommunityA. Also configure gwsProvider1 as Producer of Data and accept the defaults in the PGP set-up dialog. After creation, gwsProvider1 has the following settings:
5) Create Consumer trading partner gwsConsumer1
In the SFG UI go to Participants > Partners and create partner gwsConsumer1. During creation add gwsConsumer1 to community gwsCommunityA. gwsConsumer1 will be configured to listen for FTP connections. Also accept the defaults for the PGP set-up. In summary we have the following configuration for partner gwsConsumer1:
6) Create a Routing Channel Template
In SFG go to Routes > Templates and click Templates. Create template gws_PGP_Decrypt.
We cannot go through all the details of creating the Routing Channel Template because this would exceed the scope of this article. A summary with all relevant configuration information of the Routing Channel Template is shown in the next figure:
7) Create the Routing Channel
In the SFG UI go to Routes > Channels and create a new channel.
Select Routing Channel Template: gws_PGP_Decrypt
Select Producer: gwsProvider1
Select Consumer: gwsConsumer1
8) Running the decryption scenario
We use a FileZilla Client to put the pgp file in mailbox gwsProvider1. For transferring the pgp file to the mailbox gwsProvider1, the FTP server adapter in ISBI needs to be enabled. The FileZilla Client connects to the port of the FTP server adapter. The pgp file is then put into the mailbox gwsProvider1:
SFG decrypts the file and puts it in mailbox gwsConsumer1. The file is transferred via the SI FTP client adapter to a FileZilla Server:
The name of the decrypted file located in the C:\temp directory is test1.txt_20170329115340.
UID
ibm11121157