Chapter - 6 : OIDG GnuPG Encryption and Decryption

---

OIDG supports GPG encrypted batch request processing .To support this you need to configure the GnuPG keys in your Linux machine. Following section describes the gpg-key creation.

Verifying GnuPG-Agent

1. Log in to PuTTY.
2. Run the GnuPG agent from application Linux user using below command.
   gpg-agent
   
   Output: gpg-agent: gpg-agent running and available
3. If the output is ‘No gpg-agent running in this session’, follow the steps to run the gpg agent.
   • Enter the following command to run the gpg-agent
     eval 'gpg-agent --daemon'
     
   • It shows the location of the GPG Agent file
     Now copy that file by following command
     cp -fs /tmp/gpg-CENE8e/S.gpg-agent ~/.gnupg/
     
   • Verify the status of GPG- agent
     gpg-agent
     

Generating GnuPG Key

1. Log in to PuTTY as root.
2. Give the permission to the gpg-agent by using the following command.
   chmod o+rw $(tty)
3. Switch to the WebLogic installed user.
4. Enter the following command to create GPG Key.
   gpg --gen-key
   
5. Enter 1 as your section option (RSA and RSA).
   
6. Enter the Key size as 2048 and enter 0 for never expire.
   
7. Enter y, Real name, Email Address and Comment.
   
8. Enter 0.
9. Enter the GPG Password.
   
10. Re-enter GPG Password.
    
11. Now, you can check the key and secret keys using the following command:
    gpg --list-secret-keys
    
12. Enter the below command to check List keys.
    gpg --list-keys
    

Exporting and Importing Secret Sub Keys

Exporting a Secret Key

gpg --export-secret-keys -a ‘<secret key id>’ > Full path/gpgchefsecret.asc

Note: <secret key id> should be highlighted value of step 11 screenshot.

Exporting a Public Key

gpg --armor --export ‘<Email id>’> Full path /gpgchefpublic.asc

Note: <Email id> should be same as the one entered in the step 7.

Backing up the Secret and Public Key and Deleting Secrete Key

gpg --export-secret-subkeys ‘<sub id>’ > Full path /gpgchefsecretsubkey.asc

Note: <sub id > should be highlighted value of step 12 screenshot.

gpg --delete-secret-key ‘<secret key id>’

gpg --import Full path /gpgchefsecretsubkey.asc

Trusting the Keys

Trust the secret key using the below command:

Steps to Find oidx.gpg.backup.key.id:

Enter gpg –list-keys command as shown below.

In the above screen, oidg1 is the backup key id.

Testing the gpg:

Encrypt File:

gpg -e -r " <GPG KeyID> " <InputFilePath>/<InputFileName>

Example: gpg –e –r “oidg1” /scratch/oraBase/FileMove/POLMIG_1.xml

Decrypt File:

gpg --output <OutputFilePath>/<OutputFileName>--batch –passphrase <Password> --decrypt<InputFilePath>/<InputFileName>

Example: gpg --output /scratch/oraBase/FileMove/POLMIG_TEST.xml --batch --passphrase Welcome123 --decrypt "/scratch/oraBase/FileMove/POLMIG_1.xml.gpg”

Digital Signature

To support GPG digital signature following configuration has to do

1. Generate gpg public/private key pair at both sender and receiver end.

Example : sender (Prudential) has a public/private key pair and receiver (SCB) also has a public/private key pair, when Prudential sending files to SCB.

2. Each has to share their public key each other and this public key are imported at their host system's by using Custom key API RESTful web service.
3. The sender has to send a file which has sender has to Sign the file with their sender private key and encrypt with receiver public key.

Example : GPG command : gpg --always-trust --default-key YYY(Sender private key name/id) --passphrase YYY(Sender private key passphrase) --cipher-algo AES256 -e -s -r YYY(receiver public key) payload.xml

Specify the cipher algorithms (--cipher-algo AES256) which has to use if not it will take default cipher algorithm.

4. Admin view application at the Parties Endpoint page, select the gpg needed has true and give the gpg password of host private key and check the Enable digital signature check box. (This setting is used to decrypt the payload xml which has encrypted with the public key).



5. Admin view application at the Notification Endpoint page, check the Enable digital signature check box and enter host private key user id and password. (This setting is used to sign the notification report xml file which needs to send).



6. Admin view application at the Notification Endpoint >> Endpoint Properties page, select System type property and property name has GPGUserKeyId and enter the property value has sender public key name (This setting is used to encrypt the notification report xml file with sender public key).



7. Admin view application at the Configuration >> Property Configuration page enter cipher algorithm value has AES256.



8. Use below GPG command and provide appropriate key values and encrypt payload.xml file and output will be payload.xml.gpg file, which is digitally signed and encrypted with cipher algorithm AES256.

9. GPG command : gpg --always-trust --default-key YYY(Sender private key name/id) --passphrase YYY(Sender private key passphrase) --cipher-algo AES256 -e -s -r YYY(receiver public key) payload.xml

 

Audit Log Configuration:

Below is the configuration required for audit logging.

1. Log in to WebLogic as the admin user.
2. Go to Security Realms, 'myrealm', Providers and select the Auditing tab.
3. Click New and provide a name.
   

   

4. Click the created provider and select the ‘Provider Specific’ tab.
5. Select the Severity and check boxes based on requirements.
   

   

   Note: It is recommended to reduce the value of Rotation Minutes to 6 hours or less, based on requirements.

6. Click ‘Advanced’ and change the marker fields if necessary.
   

   

7. In WebLogic, click on the domain name under ‘Domain Structure’.
8. On the General tab of Configuration, click on the ‘Advanced’ link at bottom of the page.
9. On the ‘Configuration Audit Type’ drop down, select ‘Change Audit’ or ‘Change Log and Audit’, based on requirements.
   

   

10. In setDomainEnv.sh file add the location where the audit log files need to be generated.
    

    AUDIT_LOG_DIR="<path>"

    EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Dweblogic.security.audit.auditLogDir=${AUDIT_LOG_DIR}"

    export EXTRA_JAVA_PROPERTIES

11. Log in to the EM console and navigate to domain → Security → Audit Policy.
12. Select MFT from the Audit Component Name drop down.
13. Change the Audit Level to 'Medium' and then Apply.
14. Navigate to domain → Security → Security Provider Configuration. Expand Security Store Provider and then Identity Store Provider.
15. Click on configure and Add a new property with the name 'virtualize' and a value of 'true'. Then click on OK and OK again.
16. Restart the all the servers and the audit log files should be generated at the given path.
    

Find the following audit log entry for a user login.