You can secure both outbound and inbound messages using payload security. Payload security means protecting payment files and other files with file encryption and digital signatures based on the OpenPGP standard.
You can update existing transmission configurations to use encryption and digital signatures with your existing bank connectivity.
For outbound messages, Oracle Payments Cloud supports encryption and digital signature for:
- Payment files and positive pay files for disbursements
- Settlement batch files for funds capture
For inbound messages, the application supports decryption and verification of digitally signed encrypted files for:
- Funds capture acknowledgment files
- Bank statements
You can also secure payment data using secured transmission protocols, such as SFTP or HTTPS.
Note: Oracle Applications Cloud supports decryption of payment files that are encrypted using version BCPG 1.45 or lower of the OpenPGP standard.
Configuring encryption and digital signature for outbound and inbound messages includes the following actions:
- Generating keys
- Setting up outbound transmission configuration
- Setting up inbound transmission configuration
- Uploading the bank-provided public key file
- Downloading the system-generated public key file
Generating Keys
Encryption and digital signature verification require a public key. Conversely, decryption and signing require a private key. A private key and its matching public key are known as a key pair. The party who generates the key pair retains the private key and shares only the public key with the other party. Whether you generate a key pair or receive a public key depends on your agreement with your bank.
The following table shows who typically generates each public and private key pair:
Key Pair Generated | Generates Outbound Messages from Payments | Generates Inbound Messages to Payments |
---|---|---|
PGP Public Encryption Key and PGP Private Signing Key | Bank | Deploying company |
PGP Public Signature Verification Key and PGP Private Decryption Key | Deploying company | Bank |
If you're generating the key pair, you can generate it automatically within Oracle Applications Cloud.
You must import the public encryption key or the public signature verification key that you receive into Oracle Applications Cloud using UCM.
Setting Up Outbound Transmission Configuration
For outbound messages, such as payment files, positive pay files, and settlement batch files, you must:
- Encrypt your payment file using the bank-provided public encryption key.
- Optionally, sign the payment file digitally using the private signing key that you generate.
On the Create Transmission Configuration page, you can see the outbound parameters as described in the following table.
Outbound Parameters | Description |
---|---|
PGP Public Encryption Key | A key given to you by your bank that you use to encrypt your outbound payment file. To upload the bank-provided public encryption key, use UCM by navigating to Tools > File Import and Export. Lastly, on the Create Transmission Configuration page for the PGP Public Encryption Key parameter, select the public encryption key file from the Value choice list. |
PGP Private Signing Key | A key generated by you to digitally sign the outbound payment file. To generate the private signing key, select Quick Create from the Value choice list for the PGP Private Signing Key parameter. The application: Note: You must provide a key password to generate a private signing key using the Quick Create feature. This password is also used for exporting and deleting this key. |
Setting Up Inbound Transmission Configuration
For inbound payment messages, such as acknowledgments and bank statements, you must:
- Verify the digital signature using the bank-provided public signature verification key.
- Decrypt the file using the private decryption key that you generate.
On the Create Transmission Configuration page, you can see the inbound parameters as described in the following table.
Inbound Parameters | Description |
---|---|
PGP Public Signature Verification Key | A key given to you by your bank that you use to validate the digital signature of inbound acknowledgment files or bank statements. To upload the bank-provided public signature verification key, use UCM by navigating to Tools > File Import and Export. After uploading the bank-provided public signature verification key using UCM, you can select the key file on the Create Transmission Configuration page. Select it in the Value choice list for the PGP Public Signature Verification Key parameter. After you select the public signature verification key file, it's automatically imported. |
PGP Private Decryption Key | A key generated by you to decrypt the inbound encrypted file. To generate the private decryption key, select Quick Create from the Value choice list for the PGP Private Decryption Key parameter. The application: Note: You must provide a key password to generate a private signing key using the Quick Create feature. This password is also used for exporting and deleting this key. |
Creating Private Keys Using the Advanced Create Feature
You can also generate private keys by selecting Advanced Create from the Value choice list. The Advanced Create feature lets you configure certain properties to generate stronger keys. This enhances the security of payment files transmitted to your bank. Here are the properties you can configure for PGP private signing keys:
Option | Description |
---|---|
Key Type | The type of private signing key generated. |
Length | The number of bits in the private signing key (or key size). |
Expiration Date | The date when this private signing key expires. |
Encryption Algorithm | The encryption algorithm of the private signing key. |
Hashing Algorithm | The hashing algorithm of the private signing key. |
Compression Algorithm | The compression algorithm of the private signing key. |
Configuring these properties lets you meet bank-specific payment file security requirements. When you generate a private key using the Advanced Create option, a corresponding public key is exported to UCM, from where you can download it. Similar to Quick Create, you must provide a key password when you use Advanced Create to generate a private key.
Uploading the Bank-Provided Public Key File
To upload or import the bank-provided PGP Public Encryption Key or the PGP Public Signature Verification Key into Oracle Applications Cloud, perform these steps:
- Rename the bank-provided key file by including _public.key as the suffix. Ensure that the key file name doesn't have any special characters other than the underscore.
- Navigate to: Navigator > Tools > File Import and Export.
- Import the bank-provided key file into the account fin/payments/import.
- Navigate to the Create Transmission Configuration page.
- From the Value choice list for the applicable parameter, select the uploaded key file. Tip: The key name in the choice list is the same as the one you uploaded using UCM.
- After you select the key and save the transmission configuration, the key is automatically imported into Payments.
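Two checks a practitioner would run on a bank-provided public key file before uploading it, as an added example that is not Oracle's code: the file-name rule from the upload steps above (the `_public.key` suffix with nothing but letters, digits and underscores in front of it, which is this example's reading of "no special characters other than the underscore"), and the key properties that the Advanced Create table names (key type, length, expiration date), read with GnuPG from the file itself without touching the production keyring. The policy values (RSA, at least 2048 bits, must carry an expiration date) and the two sample keys are constructed for the demo; substitute the parameters agreed with your bank.

```shell
#!/bin/sh
# Added example (not Oracle's code): pre-upload checks on a bank-provided public
# key file. Policy values and the sample keys are constructed for the demo.
set -eu
command -v gpg >/dev/null || { echo "gpg not found" >&2; exit 1; }

# check_key_name NAME: must end in _public.key, and the part before the suffix
# must be non-empty and contain only letters, digits and underscores.
check_key_name() {
    case "$1" in
        *_public.key) ;;
        *) return 1 ;;
    esac
    stem="${1%_public.key}"
    [ -n "$stem" ] || return 1
    [ -z "$(printf '%s' "$stem" | tr -d 'A-Za-z0-9_')" ]
}

# pub_field FILE N: import the file into a throwaway keyring and return field N of
# the primary key's "pub" record (3 = length in bits, 4 = algorithm id, 7 = expiry
# as epoch seconds or empty). The production keyring is never touched.
pub_field() {
    ihome="$(mktemp -d)"; chmod 700 "$ihome"
    gpg --homedir "$ihome" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$ihome" --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: -v f="$2" '/^pub:/ { print $f; exit }'
    gpgconf --homedir "$ihome" --kill gpg-agent 2>/dev/null || true
    rm -rf "$ihome"
}
key_bits()    { pub_field "$1" 3; }
key_algo()    { pub_field "$1" 4; }   # 1 = RSA, 17 = DSA, 22 = EdDSA in the colon listing
key_expires() { pub_field "$1" 7; }

# check_key_policy FILE MIN_BITS: accept only an RSA key of at least MIN_BITS that
# carries an expiration date. Returns 1 (wrong type), 2 (too short), 3 (no expiry).
check_key_policy() {
    [ "$(key_algo "$1")" = "1" ] || return 1
    [ "$(key_bits "$1")" -ge "$2" ] || return 2
    [ -n "$(key_expires "$1")" ] || return 3
}

# Constructed samples: one key that meets the policy, one generated without expiry.
WORK="$(mktemp -d)"; chmod 700 "$WORK"
trap 'gpgconf --homedir "$WORK" --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT
gen() { gpg --homedir "$WORK" --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$1" rsa2048 default "$2" 2>/dev/null; }
gen "Bank Good <good@example.com>"      1y
gen "Bank NoExpiry <noexp@example.com>" never
gpg --homedir "$WORK" --batch --armor --export good@example.com  > "$WORK/bank_good_public.key"
gpg --homedir "$WORK" --batch --armor --export noexp@example.com > "$WORK/bank_noexp_public.key"

for f in bank_good_public.key bank-good.asc; do
    check_key_name "$f" && echo "name ok:  $f" || echo "name bad: $f"
done
for f in "$WORK/bank_good_public.key" "$WORK/bank_noexp_public.key"; do
    check_key_policy "$f" 2048 && echo "policy ok:  $f" || echo "policy bad: $f (rc=$?)"
done
```

Running the listing from a throwaway `--homedir` is deliberate: it lets the script inspect a key that might be malformed or unexpected without it ever landing in the keyring that decrypts real bank traffic.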
Downloading the System-Generated Public Key File
To download the system-generated public key file from Payments to share with your bank, perform the following steps:
- On the Create Transmission Configuration page, select Quick Create for the applicable parameter.
- Click the Save and Close button.
- Navigate to: Navigator > Tools > File Import and Export.
- From the Account choice list, select fin/payments/import and search for the system-generated public key file.
- Download the system-generated public key file. Tip: The file name is similar to the name of the private key file that was generated and attached to the transmission configuration.
Note: SSH (Secure Shell) keys for SFTP two-factor authentication are generated by Oracle Support based on a service request.
Exporting and Deleting Keys
The Export and Delete option lets you securely export a selected private or public key. This lets you use the same key in different environments. When you export a key using this feature, the key is exported to UCM, from where you download it. If the selected key is a private key, you must provide the key password that was used when generating the key. No key password is required for exporting public keys.
You can also use this feature to delete PGP keys. However, you can't delete a key that's currently attached to a transmission configuration. When you delete a system-generated private key, the corresponding public key is also deleted. Just as with exporting, deleting a key requires the key password if the selected key is a private one. No password is required for deleting a public key.
The Export and Delete feature works not only for application-generated keys but also for imported keys.