
Trading Partner PGP or SSH key rotation

Posted: Fri Aug 10, 2018 1:01 pm
by Support_Julie
Many trading partners require periodic rotation of the keys/certificates used to encrypt files for, or transport files to, their server.

For example, one of the larger banks (JPMC, referenced in the project below) sends its customers a notification requesting that they rotate their PGP/SSH keys and sign the new public keys with their existing PGP key.
Review your current projects to see which keys they use and which transfer protocol.
If your project PGP-encrypts or PGP-signs files, the trading partner holds a copy of your public PGP key (they need it to verify your signatures and to encrypt files sent to you), so the new public PGP key is what you send them.
If files are sent using the SFTP protocol, you send your new public SSH key to the trading partner.
  •  Before the current PGP key expires, create a new PGP key pair
     PGP keys should be RSA, at least 2048 bits in size, and expire in 2 years (unless the partner specifies otherwise)
     SSH keys must use the RSA algorithm
  •  Export the public key from the NEW PGP key pair (or export the new public SSH key); only the public key leaves your system, never the secret key
  •  Using the project below, PGP-sign the NEW public key with the CURRENT PGP secret key
     The PGP-signed PGP key file should be named ${Partner_ID}.PAYLOAD.IN.DAT
     The PGP-signed SSH key file should be named ${Partner_ID}.TRANSPORT.IN.DAT
  •  SFTP PUT that file to JPMC's "/Inbound/Encrypted" folder
<project name="JPMC send new PGP key" mainModule="Main" version="2.0" logLevel="verbose">
<description>Project to sign new PGP key &amp; send to JPMC</description>
<variable name="New_PGP_Public_Key" value="/Helpsystems/Goanywhere/Userdata/keys/pgp/MyPGP.asc" description="Path of the exported PUBLIC key of the new PGP key pair (never the secret key)" />
<variable name="New_PGP_Key" value="xx" description="Enter the Key ID for your New PGP Key. The PGP Key should be RSA and 2048 bits or more" />
<variable name="Current_PGP_Password" value="password" description="Enter the passphrase for your current PGP Key" />
<variable name="Current_PGP_Key" value="xx" description="Enter the Key ID for your Current PGP Key" />
<variable name="Partner_ID" value="COBOAT" description="This is a unique ID assigned to you by JPMC. The Partner ID may be referenced in your renewal letter from JPMC" />

<module name="Main" logLevel="debug">

<createWorkspace version="1.0" />


<!-- Inline-signs the NEW public key with the CURRENT secret key; the signed output is collected in the file-list variable FileToSend -->
<pgpSign keyLocation="File" resourceId="Linoma Key ring" inputFile="${New_PGP_Public_Key}" outputFile="${Partner_ID}.PAYLOAD.IN.DAT" outputFilesVariable="FileToSend" version="1.0">
<!-- passphraseIsEncrypted="false": the Current_PGP_Password variable holds the passphrase in clear text, so keep this exported project out of shared locations -->
<secretKey keyID="${Current_PGP_Key}" passphrase="${Current_PGP_Password}" passphraseIsEncrypted="false" />
</pgpSign>


<sftp resourceId="TradingPartnerSFTP" version="1.0">
<!-- sourceFilesVariable takes the name of the file-list variable set by pgpSign above, not its ${...} value -->
<put sourceFilesVariable="FileToSend" destinationDir="/Inbound/Encrypted" />
</sftp>


<deleteWorkspace version="1.0" />

</module>

</project>
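The same rotation done on the command line with GnuPG and OpenSSH instead of a GoAnywhere project, as an added example that is not from the original post or from GoAnywhere. The gpg and ssh-keygen options are standard; the key requirements, file names and partner folder follow the post; the user ids, passphrases, temporary directories and the "MFT Transfer Key" name are made-up demo values, and the SFTP upload itself is left to the reader.

```shell
#!/bin/sh
# Added example (not from the original post or GoAnywhere): the post's
# rotation steps done with GnuPG and OpenSSH. Key sizes, expiry, file names
# and the partner folder follow the post; the user ids and passphrases are
# made-up demo values. The SFTP upload itself is left to the reader.
set -eu

# Deliverable names the post specifies (signed new PGP key, signed new SSH key).
payload_name()   { printf '%s.PAYLOAD.IN.DAT' "$1"; }
transport_name() { printf '%s.TRANSPORT.IN.DAT' "$1"; }

# Unattended parameters for `gpg --batch --gen-key`: RSA, at least 2048 bits,
# 2-year expiry, i.e. the requirements quoted in the post.
gen_key_params() {   # $1 = email for the user id, $2 = key size in bits, $3 = passphrase
    cat <<EOF
Key-Type: RSA
Key-Length: $2
Subkey-Type: RSA
Subkey-Length: $2
Name-Real: MFT Transfer Key
Name-Email: $1
Expire-Date: 2y
Passphrase: $3
%commit
EOF
}

# Primary-key fingerprint of the key matching a user id.
fpr_of() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Inline-sign a file with the CURRENT secret key (what the post's pgpSign task
# does), then verify the result and check that the signature really comes from
# that key before it is shipped to the partner.
sign_with_current() {   # $1 = current key fingerprint, $2 = its passphrase, $3 = input, $4 = output
    gpg --batch --yes --pinentry-mode loopback --passphrase "$2" \
        --local-user "$1" --armor --output "$4" --sign "$3"
    # VALIDSIG's last field is the primary fingerprint of the signing key.
    gpg --batch --status-fd 1 --verify "$4" 2>/dev/null \
        | awk -v want="$1" '$2 == "VALIDSIG" && $NF == want { ok = 1 } END { exit !ok }' \
        || { echo "refusing to ship $4: not signed by $1" >&2; return 1; }
}

# Full walk-through in a throwaway keyring: a CURRENT key stands in for the
# one about to expire, a NEW PGP key and a NEW SSH key are created, and only
# their public halves are signed for the partner.
rotate_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    work=$(mktemp -d)
    partner=COBOAT                               # Partner ID from the post's sample project
    gen_key_params current@example.com 2048 oldpass | gpg --batch --gen-key
    gen_key_params new@example.com     2048 newpass | gpg --batch --gen-key
    current=$(fpr_of current@example.com)
    new=$(fpr_of new@example.com)
    gpg --batch --armor --export "$new" > "$work/new-pgp-public.asc"   # public key only
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$work/new-sftp-key"          # RSA, as the post requires
    sign_with_current "$current" oldpass "$work/new-pgp-public.asc" "$work/$(payload_name "$partner")"
    sign_with_current "$current" oldpass "$work/new-sftp-key.pub"   "$work/$(transport_name "$partner")"
    echo "new PGP key fingerprint (confirm with the partner out of band): $new"
    echo "files to SFTP put into /Inbound/Encrypted:"
    ls "$work"/*.IN.DAT
}

# Only run the walk-through when asked, so the functions can be sourced safely.
if [ "${ROTATE_DEMO:-0}" = 1 ]; then
    rotate_demo
fi
```

Run it with `ROTATE_DEMO=1 sh rotate.sh`. Two things it does that the project above does not: it verifies each signed file and refuses to ship it unless the signature was made by the current key, and it never exports a secret key, so the only material written for the partner is the two signed public keys.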