How You Configure Pretty Good Privacy (PGP) Encryption and Digital Signature for Outbound and Inbound Messages
You can secure both outbound and inbound messages using payload security. Payload security protects payment files and other files with file encryption and digital signatures based on the open PGP standard.
You can update existing transmission configurations to use encryption and digital signature for your existing connectivity with banks.
For outbound messages, Oracle Payments Cloud supports encryption and digital signature for:
- Payment files and positive pay files for disbursements
- Settlement batch files for funds capture
For inbound messages, the application supports decryption and verification of digitally signed encrypted files for:
- Funds capture acknowledgment files
- Bank statements
You can also secure payment data using secured transmission protocols, such as SFTP or HTTPS.
Configuring encryption and digital signature for outbound and inbound messages includes the following actions:
- Generating keys
- Setting up outbound transmission configuration
- Setting up inbound transmission configuration
- Uploading the bank-provided public key file
- Downloading the system-generated public key file
Generating Keys
Encryption and digital signature verification require a public key. Conversely, decryption and digital signing require a private key. A private key and public key together are known as a key pair. The party who generates the key pair retains the private key and shares the public key with the other party. Whether you generate or receive a public key depends on your agreement with your bank.
The following table provides typical generation details of the public and private key pair:
| Key Pair Generated | Generated By for Outbound Messages from Payments | Generated By for Inbound Messages to Payments |
|---|---|---|
| PGP Public Encryption Key and PGP Private Signing Key | Bank | Deploying company |
| PGP Public Signature Verification Key and PGP Private Decryption Key | Deploying company | Bank |
If you're generating the key pair, you can generate it automatically within Oracle Applications Cloud.
You must import the public encryption key or the public signature verification key that you receive into Oracle Applications Cloud using UCM.
Setting Up Outbound Transmission Configuration
For outbound messages, such as payment files, positive pay files, and settlement batch files, you must:
- Encrypt your payment file using the bank-provided public encryption key.
- Optionally, sign the payment file digitally using the private signing key that you generate.
On the Create Transmission Configuration page, you can see the outbound parameters as described in the following table.
| Outbound Parameters | Description |
|---|---|
| PGP Public Encryption Key | A key given to you by your bank that you use to encrypt your outbound payment file. To upload the bank-provided public encryption key, use UCM by navigating to Tools > File Import and Export. Lastly, on the Create Transmission Configuration page for the PGP Public Encryption Key parameter, select the public encryption key file from the Value choice list. |
| PGP Private Signing Key | A key generated by you to digitally sign the outbound payment file. To generate the private signing key, select Quick Create from the Value choice list for the PGP Private Signing Key parameter. The application: |

Note: You must provide a key password to generate a private signing key using the Quick Create feature. This password is also used for exporting and deleting this key.
Setting Up Inbound Transmission Configuration
For inbound payment messages, such as acknowledgments and bank statements, you must:
- Verify the digital signature using the bank-provided public signature verification key.
- Decrypt the file using the private decryption key that you generate.
On the Create Transmission Configuration page, you can see the inbound parameters as described in the following table.
| Inbound Parameters | Description |
|---|---|
| PGP Public Signature Verification Key | A key given to you by your bank that you use to validate the digital signature of inbound acknowledgment files or bank statements. To upload the bank-provided public signature verification key, use UCM by navigating to Tools > File Import and Export. After uploading the bank-provided public signature verification key using UCM, you can select the key file on the Create Transmission Configuration page. Select it in the Value choice list for the PGP Public Signature Verification Key parameter. After you select the public signature verification key file, it's automatically imported. |
| PGP Private Decryption Key | A key generated by you to decrypt the inbound encrypted file. To generate the private decryption key, select Quick Create from the Value choice list for the PGP Private Decryption Key parameter. The application: |

Note: You must provide a key password to generate a private signing key using the Quick Create feature. This password is also used for exporting and deleting this key.
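The outbound and inbound key roles described above, replayed end to end with GnuPG. This is an added example, not part of the Oracle documentation or of Oracle Payments Cloud: it keeps two throwaway keyrings (one per party) and exchanges only the public halves, so you can see which private key each side must hold for each direction. It assumes gpg (GnuPG 2.1 or later) is installed; the user IDs, file names and passphrase are constructed test data.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): replays the key-role table with
# GnuPG in two throwaway keyrings, one per party, so each direction can be checked.
# Assumes gpg (GnuPG 2.1+) is installed; user IDs, file names and the passphrase are test data.
set -eu
WORK=$(mktemp -d)
PASS=testpass   # stands in for the key password Payments asks for on Quick Create

# Run gpg non-interactively against one party's keyring ($1 is "company" or "bank").
g() { home=$1; shift; gpg --homedir "$WORK/$home" --batch --quiet --yes \
        --pinentry-mode loopback --passphrase "$PASS" --trust-model always "$@"; }

# The page's naming rule for a bank-provided key file: suffix _public.key and no
# special characters other than the underscore. Returns 0 if the name is acceptable.
check_key_name() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_]+_public\.key$'; }

# Each party generates its own key pair and keeps the private half; only the public
# halves are exchanged (bank-provided key in, system-generated key out).
setup_parties() {
  for p in company bank; do mkdir -m 700 "$WORK/$p"; done
  g company --quick-generate-key "Deploying Company <company@example.test>" default default never
  g bank    --quick-generate-key "Bank <bank@example.test>" default default never
  g company --export --armor company@example.test > "$WORK/company_public.key"
  g bank    --export --armor bank@example.test    > "$WORK/bank_public.key"
  check_key_name bank_public.key
  g company --import "$WORK/bank_public.key"     # bank-provided public encryption/verification key
  g bank    --import "$WORK/company_public.key"  # system-generated public key shared with the bank
}

# $1 sender keyring, $2 receiver keyring, $3 plaintext. The sender signs with its private
# signing key and encrypts to the receiver's public key; the receiver decrypts with its
# private decryption key and verifies the signature with the sender's public key.
exchange() {
  sender=$1; receiver=$2; plain=$3
  cipher="$WORK/$sender-to-$receiver.pgp"; out="$cipher.txt"
  g "$sender" --local-user "$sender@example.test" --recipient "$receiver@example.test" \
    --sign --encrypt --output "$cipher" "$plain"
  # --status-fd 1 exposes GOODSIG; decryption itself fails if the receiver lacks the private key.
  g "$receiver" --status-fd 1 --decrypt --output "$out" "$cipher" \
    | grep -q '^\[GNUPG:\] GOODSIG' && [ "$(cat "$plain")" = "$(cat "$out")" ] && echo ok
}

# Outbound: payment file from Payments to the bank. Inbound: acknowledgment from the bank.
outbound() { printf 'payment batch 0001\n' > "$WORK/payment.txt"; exchange company bank "$WORK/payment.txt"; }
inbound()  { printf 'batch 0001 accepted\n' > "$WORK/ack.txt";   exchange bank company "$WORK/ack.txt"; }

setup_parties
echo "outbound: $(outbound)"
echo "inbound:  $(inbound)"
```

Swapping the keyrings in either `exchange` call (for example signing with the bank's keyring for an outbound file) makes the decrypt step fail, which is the practical meaning of the key-pair table.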
Creating Private Keys Using the Advanced Create Feature
You can also generate private keys by selecting Advanced Create from the Value choice list. The Advanced Create feature lets you configure certain properties to generate stronger keys, which enhances the security of payment files transmitted to your bank. Here are the properties you can configure for PGP private signing keys:
| Option | Description |
|---|---|
| Key Type | The type of private signing key generated. |
| Length | The number of bits in the private signing key (or key size). |
| Expiration Date | The date when this private signing key expires. |
| Encryption Algorithm | The encryption algorithm of the private signing key. |
| Hashing Algorithm | The hashing algorithm of the private signing key. |
| Compression Algorithm | The compression algorithm of the private signing key. |
Configuring these properties lets you meet bank-specific payment file security requirements. When you generate a private key using the Advanced Create option, a corresponding public key is exported to UCM from where you can download it. Similar to Quick Create, you must provide a key password when you use Advanced Create to generate a private key.
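Checking that a generated signing key actually carries the key type, length and expiration date a bank requires, as an added example using GnuPG rather than the Advanced Create dialog (it is not Oracle's code). It assumes gpg (GnuPG 2.1 or later) is installed; the user ID, passphrase, temporary home directory and the policy values (RSA, 3072 bits, two-year expiry) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): generates a signing key with the
# properties Advanced Create exposes (key type, length, expiration) using GnuPG, then reads
# them back so the key can be checked against a bank's requirements before it is exported.
# Assumes gpg (GnuPG 2.1+) is installed; the user ID, passphrase and homedir are test data.
set -eu
HOME_DIR=$(mktemp -d)
g() { gpg --homedir "$HOME_DIR" --batch --quiet --yes --pinentry-mode loopback \
        --passphrase testpass "$@"; }

# Generate an RSA 3072-bit signing-only key that expires in two years (constructed policy).
generate_signing_key() {
  g --quick-generate-key "Deploying Company <company@example.test>" rsa3072 sign 2y
}

# Print "<bits> <algo> <expiry>" for the primary key, read from the machine-readable listing
# (pub record fields 3, 4 and 7; algorithm 1 is RSA, expiry is a Unix timestamp).
key_properties() {
  g --list-keys --with-colons company@example.test | awk -F: '$1=="pub"{print $3, $4, $7}'
}

# Compare against a minimal policy: RSA, at least 3072 bits, and an expiration date set.
key_meets_policy() {
  set -- $(key_properties)
  [ "${2:-}" = 1 ] && [ "${1:-0}" -ge 3072 ] && [ -n "${3:-}" ]
}

generate_signing_key
key_properties
key_meets_policy && echo "key meets policy"
```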
Uploading the Bank-Provided Public Key File
To upload or import the bank-provided PGP Public Encryption Key or the PGP Public Signature Verification Key into Oracle Applications Cloud, perform these steps:
- Rename the bank-provided key file by including _public.key as the suffix. Ensure that the key file name doesn't have any special characters other than the underscore.
- Navigate to: Navigator > Tools > File Import and Export.
- Import the bank-provided key file into account fin/payments/import.
- Navigate to the Create Transmission Configuration page.
- From the Value choice list for the applicable parameter, select the uploaded key file. Tip: The key name in the choice list is the same as the one you uploaded using UCM.
- After you select the key and save the transmission configuration, the key is automatically imported into Payments.
Downloading the System-Generated Public Key File
To download the system-generated public key file from Payments to share with your bank, perform the following steps:
- On the Create Transmission Configuration page, select Quick Create for the applicable parameter.
- Click the Save and Close button.
- Navigate to: Navigator > Tools > File Import and Export.
- From the Account choice list, select fin/payments/import and search for the system-generated public key file.
- Download the system-generated public key file. Tip: The file name is similar to the private key file that was generated and attached to the transmission configuration.
Exporting and Deleting Keys
The Export and Delete option lets you securely export a selected private or public key. This lets you use the same key for different environments. When you export a key using this feature, the key is exported to UCM from where you download it. If the selected key is a private key, you must provide the key password that was used while generating the key. No key password is required for exporting public keys.
You can also use this feature to delete PGP keys. However, you can't delete a key that's currently attached to a transmission configuration. When you delete a system-generated private key, the corresponding public key is also deleted. As with exporting, deleting a key requires the key password if the selected key is a private one. No password is required for deleting a public key.
The Export and Delete feature works not only for the application-generated keys but also for imported keys.