How You Configure Pretty Good Privacy (PGP) Encryption and Digital Signature for Outbound and Inbound Messages

You can secure both outbound and inbound messages using payload security. Payload security is the securing of payment files and other files using payment file encryption and digital signature based on the open PGP standard.

You can update existing transmission configurations to use encryption and digital signature for your existing connectivity with banks.

For outbound messages, Oracle Payments Cloud supports encryption and digital signature for:

  • Payment files and positive pay files for disbursements

  • Settlement batch files for funds capture

For inbound messages, the application supports decryption and verification of digitally signed encrypted files for:

  • Funds capture acknowledgment files

  • Bank statements

You can also secure payment data using secured transmission protocols, such as SFTP or HTTPS.

Note: Oracle Applications Cloud supports decryption of payment files that are encrypted using version BCPG 1.45 or lower of the OpenPGP standard.

Configuring encryption and digital signature for outbound and inbound messages includes the following actions:

  • Generating keys

  • Setting up outbound transmission configuration

  • Setting up inbound transmission configuration

  • Uploading the bank-provided public key file

  • Downloading the system-generated public key file

Generating Keys

Encryption and digital signature verification require a public key. Conversely, decryption and digital signing require a private key. A private key and its matching public key are known as a key pair. The party who generates the key pair retains the private key and shares the public key with the other party. Whether you generate or receive a public key depends on your agreement with your bank.

The following list gives typical generation details for the public and private key pair, that is, which party generates each pair for outbound messages from Payments and for inbound messages to Payments:

  • PGP Public Encryption Key and PGP Private Signing Key: generated by the bank for outbound messages from Payments, and by the deploying company for inbound messages to Payments.

  • PGP Public Signature Verification Key and PGP Private Decryption Key: generated by the deploying company for outbound messages from Payments, and by the bank for inbound messages to Payments.

If you're generating the key pair, you can generate it automatically within Oracle Applications Cloud.

You must import the public encryption key or the public signature verification key that you receive into Oracle Applications Cloud using UCM.

Setting Up Outbound Transmission Configuration

For outbound messages, such as payment files, positive pay files, and settlement batch files, you must:

  • Encrypt your payment file using the bank-provided public encryption key.

  • Optionally, sign the payment file digitally using the private signing key that you generate.

On the Create Transmission Configuration page, you can see the outbound parameters described below.

PGP Public Encryption Key

A key given to you by your bank that you use to encrypt your outbound payment file.

To upload the bank-provided public encryption key, use UCM by navigating to Tools > File Import and Export.

Lastly, on the Create Transmission Configuration page for the PGP Public Encryption Key parameter, select the public encryption key file from the Value choice list.

PGP Private Signing Key

A key generated by you to digitally sign the outbound payment file.

To generate the private signing key, select Quick Create from the Value choice list for the PGP Private Signing Key parameter. The application:

  • Automatically generates the private signing key and links it to your transmission configuration.

  • Generates a public encryption key file that you can download from UCM and share with your bank. The bank uses your public encryption key file to verify the digital signature of the payment files that you transmit to the bank.

Note: You must provide a key password to generate a private signing key using the Quick Create feature. This password is also used for exporting and deleting this key.

Setting Up Inbound Transmission Configuration

For inbound payment messages, such as acknowledgments and bank statements, you must:

  • Verify the digital signature using the bank-provided public signature verification key.

  • Decrypt the file using the private decryption key that you generate.

On the Create Transmission Configuration page, you can see the inbound parameters described below.

PGP Public Signature Verification Key

A key given to you by your bank that you use to validate the digital signature of inbound acknowledgment files or bank statements.

To upload the bank-provided public signature verification key, use UCM by navigating to Tools > File Import and Export.

After uploading the bank-provided public signature verification key using UCM, you can select the key file on the Create Transmission Configuration page. Select it in the Value choice list for the PGP Public Signature Verification Key parameter. After you select the public signature verification key file, it's automatically imported.

PGP Private Decryption Key

A key generated by you to decrypt the inbound encrypted file. To generate the private decryption key, select Quick Create from the Value choice list for the PGP Private Decryption Key parameter. The application:

  • Generates the private decryption key and links it to your transmission configuration.

  • Generates a public signature verification key file that you can download from UCM and share with your bank. The bank uses your public signature verification key file to encrypt acknowledgments and bank statements.

Note: You must provide a key password to generate a private signing key using the Quick Create feature. This password is also used for exporting and deleting this key.

Creating Private Keys Using the Advanced Create Feature

You can also generate private keys by selecting Advanced Create from the Value choice list. The Advanced Create feature lets you configure certain properties to generate stronger keys, which enhances the security of payment files transmitted to your bank. The properties you can configure for PGP private signing keys are described below.

Key Type

The type of private signing key generated.

  • RSA: Key is generated using the RSA algorithm.

Length

The number of bits in the private signing key (or key size).

  • 2048: 2048-bit key

  • 3072: 3072-bit key

  • 4096: 4096-bit key

Expiration Date

The date when this private signing key expires.

Encryption Algorithm

The encryption algorithm of the private signing key.

  • AES128: 128-bit cryptographic key generated using Advanced Encryption Standard.

  • AES192: 192-bit cryptographic key generated using Advanced Encryption Standard.

  • AES256: 256-bit cryptographic key generated using Advanced Encryption Standard.

  • 3DES: Cryptographic key generated using Triple Data Encryption Standard.

Hashing Algorithm

The hashing algorithm of the private signing key.

  • SHA256: 256-bit hash computed using Secure Hash Algorithm.

  • SHA384: 384-bit hash computed using Secure Hash Algorithm.

Compression Algorithm

The compression algorithm of the private signing key.

  • ZIP: Cryptographic key compression using ZIP algorithm.

  • ZLIB: Cryptographic key compression using ZLIB algorithm.

  • BZIP2: Cryptographic key compression using BZIP2 algorithm.

Configuring these properties lets you meet bank-specific payment file security requirements. When you generate a private key using the Advanced Create option, a corresponding public key is exported to UCM from where you can download it. Similar to Quick Create, you must provide a key password when you use Advanced Create to generate a private key.

Uploading the Bank-Provided Public Key File

To upload or import the bank-provided PGP Public Encryption Key or the PGP Public Signature Verification Key into Oracle Applications Cloud, perform these steps:

  1. Rename the bank-provided key file by including _public.key as the suffix. Ensure that the key file name doesn't have any special characters other than the underscore.

  2. Navigate to: Navigator > Tools > File Import and Export.

  3. Import the bank-provided key file into account fin/payments/import.

  4. Navigate to the Create Transmission Configuration page.

  5. From the Value choice list for the applicable parameter, select the uploaded key file.

    Tip: The key name in the choice list is the same as the one you uploaded using UCM.

  6. After you select the key and save the transmission configuration, the key is automatically imported into Payments.
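Before renaming and uploading a bank-provided key file, it helps to confirm what the file actually contains. The following Python example is added here and is not part of the Oracle documentation or product: it parses the OpenPGP packet headers (RFC 4880) of a binary or ASCII-armored public key file, reports the key algorithm and modulus size, and flags whether the key is RSA at one of the lengths listed under Advanced Create. The sample key it builds is a constructed fixture, not a real bank key.

```python
import base64

ALGORITHMS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)", 17: "DSA", 18: "ECDH", 19: "ECDSA"}
ACCEPTED_RSA_LENGTHS = {2048, 3072, 4096}   # the Length options the Advanced Create feature offers

def dearmor(data: bytes) -> bytes:   # accept a binary or ASCII-armored key file, return raw packet bytes
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    text = data.decode("ascii").replace("\r", "").split("\n\n", 1)[1]   # drop the armor header lines
    body = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith(("=", "-----END"))]
    return base64.b64decode("".join(body))   # "=xxxx" is the armor CRC line, not key data

def read_packet_header(buf: bytes, pos: int):   # RFC 4880 section 4.2 -> (tag, body_start, body_len)
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                 # new-format header
        tag, b1 = first & 0x3F, buf[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + buf[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial-length packets are not supported")
    size = {0: 1, 1: 2, 2: 4}[first & 0x03]          # old-format header; KeyError = indeterminate length
    return (first >> 2) & 0x0F, pos + 1 + size, int.from_bytes(buf[pos + 1:pos + 1 + size], "big")

def inspect_public_key(data: bytes) -> dict:   # describe the first public-key packet (tag 6) in the file
    buf, pos = dearmor(data), 0
    while pos < len(buf):
        tag, start, length = read_packet_header(buf, pos)
        if tag == 6:
            body = buf[start:start + length]
            if body[0] != 4:
                raise ValueError(f"unsupported key packet version {body[0]}")
            algo, bits = body[5], int.from_bytes(body[6:8], "big")   # bytes 1-4: creation time; first MPI: n
            return {"algorithm": ALGORITHMS.get(algo, f"id {algo}"), "bits": bits,
                    "accepted": algo == 1 and bits in ACCEPTED_RSA_LENGTHS}
        pos = start + length
    raise ValueError("no public-key packet found")

def constructed_sample_key(bits: int = 2048) -> bytes:   # constructed test fixture, not a real bank key
    mpi = lambda v: v.bit_length().to_bytes(2, "big") + v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1700000000).to_bytes(4, "big") + b"\x01" + mpi((1 << (bits - 1)) | 1) + mpi(65537)
    return b"\x99" + len(body).to_bytes(2, "big") + body    # 0x99 = old format, tag 6, two-byte length
```

Run `inspect_public_key(open("bank_public.key", "rb").read())` against the file you received; a result with `"accepted": False` means the key is not RSA or not at one of the listed lengths and should be discussed with the bank before you upload it.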

Downloading the System-Generated Public Key File

To download the system-generated public key file from Payments to share with your bank, perform the following steps:

  1. On the Create Transmission Configuration page, select Quick Create for the applicable parameter.

  2. Click the Save and Close button.

  3. Navigate to: Navigator > Tools > File Import and Export.

  4. From the Account choice list, select fin/payments/import and search for the system-generated public key file.

  5. Download the system-generated public key file.

    Tip: The file name is similar to the private key file that was generated and attached to the transmission configuration.

Note: SSH (Secure Socket Shell) key generation for SFTP two-factor authentication is performed by Oracle Support based on a service request.

Exporting and Deleting Keys

The Export and Delete option lets you securely export a selected private or public key. This lets you use the same key for different environments. When you export a key using this feature, the key is exported to UCM from where you download it. If the selected key is a private key, you must provide the key password that was used while generating the key. No key password is required for exporting public keys.

You can also use this feature to delete PGP keys. However, you can't delete a key that's currently attached to a transmission configuration. When you delete a system-generated private key, the corresponding public key is also deleted. As with exporting, deleting a key also requires the key password if the selected key is a private one. No password is required for deleting a public key.

The Export and Delete feature works not only for the application-generated keys but also for imported keys.