Set up Encryption for File Transfer

You use encryption keys to encrypt files for secure transfer between Oracle HCM Cloud and your own servers through the Oracle WebCenter Content server. This PGP-based encryption support is available for secure file transfer using HCM Data Loader and HCM Extracts.

The process for inbound files (into Oracle HCM Cloud) is:

  1. You encrypt files using the Oracle HCM Cloud public key.

  2. The data-loading process decrypts files using the Oracle HCM Cloud private key.

The process for outbound files (generated by Oracle HCM Cloud) is:

  1. Oracle HCM Cloud encrypts files using your public key.

  2. You decrypt files using your private key.

Therefore, before you can encrypt or decrypt files, you must:

  1. Import your public key to Oracle HCM Cloud.

  2. Generate the PGP encryption key pair and download the Oracle HCM Cloud public key.

You can also sign the files, as follows:

  • Outbound files are signed using the HCM Cloud private key. You verify these files using the HCM Cloud public key.

  • Inbound files are signed using your private key. The data-loading process verifies inbound files using your public key.

This topic describes how to set up encryption, decryption, and signing of files.

Encryption and Signature Keys

This table shows you the keys that are used for encryption, decryption, signing, and verification in each supported encryption mode.

| Encryption Mode | Encryption Key | Decryption Key | Signing Key | Verification Key |
|---|---|---|---|---|
| Outbound PGP Signed | customer-key_pub | customer-key_priv | fusion-key_priv | fusion-key_pub |
| Outbound PGP Unsigned | customer-key_pub | customer-key_priv | N/A | N/A |
| Inbound PGP Signed | fusion-key_pub | fusion-key_priv | customer-key_priv | customer-key_pub |
| Inbound PGP Unsigned | fusion-key_pub | fusion-key_priv | N/A | N/A |

Importing Your Public Key

You use your public key (customer-key_pub) for encrypting outbound files. You can decrypt the files using your private key (customer-key_priv). If you also want outbound files to be signed, then use the HCM Cloud private key (fusion-key_priv) for signing. You can verify signed outbound files using the HCM Cloud public key (fusion-key_pub).

To import the customer public key:

  1. Sign in to Oracle HCM Cloud with the IT Security Manager job role or privileges.

  2. Select Navigator > Tools > Security Console to open the Security Console.

  3. Click the Certificates tab to open the Certificates page.

  4. Click Import to open the Import page.

  5. Set Certificate Type to PGP.

  6. In the Alias field, enter a name to uniquely identify your key.

  7. Click Browse to identify the location of the customer public key.

  8. Click Import and Close to import the public key into the Oracle HCM Cloud keystore.

Your public key now appears on the Security Console Certificates page.

Generating the PGP Encryption Key Pair

You generate the PGP key pair on the Security Console. You download the public key to encrypt files that are inbound into HCM Cloud (for example, input data files for HCM Data Loader). To sign these inbound files, you can use your private key (customer-key_priv); Oracle HCM Cloud verifies the signature using your public key (customer-key_pub). For this verification to work, you must already have imported the customer public key.

To generate the PGP Encryption Key Pair:

  1. Sign in to Oracle HCM Cloud with the IT Security Manager job role or privileges.

  2. Select Navigator > Tools > Security Console to open the Security Console.

  3. Click the Certificates tab to open the Certificates page.

  4. Click Generate to open the Generate dialog box.

  5. In the Generate dialog box, set Certificate Type to PGP.

  6. In the Alias field, enter fusion-key.

    Note: You must enter fusion-key in this field. Otherwise, the encryption APIs can't use this key to decrypt all encrypted inbound files.

  7. In the Passphrase field, enter a passphrase for the private key. This passphrase is needed when you edit, delete, or download the private key.

    Note: If you forget the passphrase, then you may have to raise a service request for help to delete the private key. Once the old key is deleted, you can generate a new key using the process described here.

  8. In the Key Algorithm field, select RSA.

  9. In the Key Length field, select either 1024 or 2048.

  10. Click Save and Close. The fusion-key pair is generated and ready for download. You can see the fusion-key pair on the Certificates page of the Security Console.

  11. In the Status actions for the fusion-key pair on the Certificates page, select Export > Public key. Save the HCM Cloud public key (fusion-key_pub.asc) to your desktop. Use the downloaded key to encrypt files that are inbound to Oracle HCM Cloud.
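The signed inbound and outbound modes from the table above, exercised with GnuPG between two throwaway keyrings; this is an added example, not part of the Oracle documentation. It assumes GnuPG 2.1 or later, and the helper names, file names and keys are constructed: the "cloud" keyring only stands in for Oracle HCM Cloud, where the real fusion-key pair is generated and kept.

```sh
# Added example, not Oracle code. Keys, helper names and file names are constructed;
# the "cloud" keyring stands in for Oracle HCM Cloud, which keeps fusion-key_priv.
G() { local home="$1"; shift; gpg --homedir "$home" --batch --yes --quiet --trust-model always "$@"; }

# Unprotected RSA-2048 demo key named <alias>; protect a real customer-key_priv with a passphrase.
make_key() {  # make_key <home> <alias>
  printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: sign,encrypt\nName-Real: %s\nExpire-Date: 0\n%%no-protection\n%%commit\n' "$2" |
    G "$1" --generate-key
}

# Hand over only the public half of a key (the import and download steps).
share_pub() { G "$1" --armor --export "$2" | G "$3" --import; }  # <from-home> <alias> <to-home>

# Signed modes: encrypt to the receiver's public key, sign with the sender's private key.
seal() {  # seal <home> <recipient> <signer> <infile> <outfile>
  G "$1" --recipient "$2" --local-user "$3" --sign --encrypt --output "$5" "$4"
}

# Decrypt with our private key; keep the output only if <signer> made a valid signature.
open_verified() {  # open_verified <home> <signer> <infile> <outfile>
  local fpr status
  fpr=$(G "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }')
  status=$(G "$1" --status-fd 1 --output "$4" --decrypt "$3") || return 1
  [ -n "$fpr" ] && printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr " && return 0
  rm -f "$4"; return 1
}

run_modes() {  # run_modes <workdir>: exercise each mode between the two keyrings
  cust=$1/customer; cloud=$1/cloud; mkdir -m 700 "$cust" "$cloud" || return 1
  make_key "$cust" customer-key && make_key "$cloud" fusion-key || return 1
  share_pub "$cust" customer-key "$cloud" && share_pub "$cloud" fusion-key "$cust" || return 1
  printf 'constructed sample row\n' > "$1/data.dat"
  # Inbound PGP Signed: the customer seals, the cloud side opens.
  seal "$cust" fusion-key customer-key "$1/data.dat" "$1/in.pgp" || return 1
  open_verified "$cloud" customer-key "$1/in.pgp" "$1/in.dat" || return 1
  # Outbound PGP Signed: the cloud side seals, the customer opens.
  seal "$cloud" customer-key fusion-key "$1/in.dat" "$1/out.pgp" || return 1
  open_verified "$cust" fusion-key "$1/out.pgp" "$1/out.dat" && cmp -s "$1/data.dat" "$1/out.dat" || return 1
  # Outbound PGP Unsigned decrypts, but a receiver that requires a signature rejects it.
  G "$cloud" --recipient customer-key --encrypt --output "$1/plain.pgp" "$1/data.dat" || return 1
  open_verified "$cust" fusion-key "$1/plain.pgp" "$1/plain.dat" && return 1
  echo "signed-ok unsigned-rejected"
}

demo() {  # prints "signed-ok unsigned-rejected" when every check passes
  t=$(mktemp -d) || return 1; rc=0
  (run_modes "$t") || rc=$?
  for h in customer cloud; do gpgconf --homedir "$t/$h" --kill gpg-agent 2>/dev/null; done
  rm -rf "$t"; return "$rc"
}
```

With real keys, only `seal` (inbound, recipient fusion-key from the downloaded fusion-key_pub.asc) and `open_verified` (outbound) run on your side, against your own keyring.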