Document 2134791.1 - PGP Encryption and Digital Signature for Payment Files

This document outlines the configuration and use of PGP encryption and digital signatures for payment files in Oracle Fusion Payments and related services. It details the setup for both outbound and inbound payment messages, including key generation, transmission configuration, and algorithm upgrades. The document also provides steps for uploading and downloading public key files and emphasizes the importance of security in payment data transmission.

Uploaded by

joeb00gie
2/26/25, 5:57 PM Document 2134791.1
Copyright (c) 2025, Oracle. All rights reserved. Oracle Confidential.

PGP Encryption and Digital Signature for Payment Files (Doc ID 2134791.1)

In this Document

Abstract
History
Details
Overview

Key Generation
Setup - Transmission Configuration (Outbound)
Setup - Transmission Configuration (Inbound)
Steps to Upload Bank Given Public Key File
Steps to Download Fusion Generated Public Key File
PGP Algorithm Upgrade
References

APPLIES TO:

Oracle Fusion Payments - Version 11.1.11.1.0 and later


Oracle Fusion Receivables Cloud Service - Version 11.1.11.1.0 and later
Oracle Fusion Payments Cloud Service - Version 11.1.11.1.0 and later
Oracle Fusion Payables Cloud Service - Version 11.1.11.1.0 and later
Information in this document applies to any platform.

ABSTRACT

This whitepaper provides details of configuring and using PGP encryption and digital signature for outbound and inbound
Payments messages. This feature will be available in Fusion Cloud Release 11 as a part of patch bundle 9.

HISTORY

Date: 06-May-2016

Author: Mitesh Kumbhat

DETAILS

Overview

Security of payment data can be ensured in two ways:

Channel Security: By using secured transmission protocol such as SFTP, HTTPS etc.
Payload Security: By securing the payment file via payment file encryption and digital signature

Channel security has always been supported by Payments. With the new enhancement, Payments will now support
payload security by providing encryption and digital signature based on the open Pretty Good Privacy (PGP) standard.

Note: Payments will support payload security for both outbound and inbound messages. The outbound messages include
payment file and positive pay for funds disbursements and settlement batch file for funds capture. For inbound files such
as funds capture acknowledgement file and bank statement (CE), Payments will support decryption and verification of
digitally signed encrypted file.

Note: For PGP digital signing, encryption is a mandatory pre-requisite.

Key Generation

Encryption and digital signature verification require a public key. Conversely, decryption and digital signing require a
private key. The party generating the key pair retains the private key and shares the public key with other parties. The
following table provides details of the key generation ownership:

| Key Generation | Outbound Messages | Inbound Messages |
| --- | --- | --- |
| Encryption | Bank | Customer (Fusion) |
| Digital Signature | Customer (Fusion) | Bank |

The customer is expected to generate or receive the key as per the matrix shown above, subject to agreement with the bank.
When you are generating the key pair, you should generate the key within Fusion itself. When the bank is sharing the
public key, you need to import it into Fusion via UCM.

Note: You can also import a private key in Fusion.

A wallet needs to exist before any of the setup steps for PGP encryption and digital signature are
performed. Follow the steps outlined here to check whether a wallet is already created and, if not, to
create one:

1. Navigate to Setup and Maintenance ---> Manage System Security Options.
2. To create a wallet, click the Apply Quick Defaults button. If a wallet was already created
previously, the Apply Quick Defaults button will be disabled.
3. On the Apply Quick Defaults pop-up, check Automatically create wallet file and master encryption
key and click Save and Close.
4. This action will create a default wallet and populate Wallet Key Location with the value of the
wallet file location and name.

Once completed, the customer can proceed with the setup steps outlined below for PGP.

Setup - Transmission Configuration (Outbound)

In case of an outbound payment message, you need to encrypt your file using a bank given public key. You may also wish to
digitally sign the payment file with the digital signature key generated by you. To capture the encryption and digital signature
setup, new parameters have been introduced in the transmission configuration UI. The following table describes these
parameters:


| Parameter | Purpose |
| --- | --- |
| PGP Public Encryption Key | Bank given key which will be used for encrypting the outbound payment file. Once you upload the bank provided encryption public key file via UCM, you can select the same here. Once you select the file, it will be imported automatically and you do not need to manually submit the 'Import Security Credential Job'. |
| PGP Private Signing Key | Key generated by you to digitally sign the outbound payment file. You can select the Create option from the LOV which will automatically generate the key and link the private key with your transmission configuration. It will also generate a public key file which you can download from UCM (File Import and Export) and share with your bank. The bank will use your public key file to verify the digital signature for the payment files which you will be transmitting to bank. |

Setup - Transmission Configuration (Inbound)

In case of inbound payment messages (acknowledgement / bank statement), you need to verify the digital signature and
decrypt the file. Therefore you will see different parameters compared to the outbound transmission configuration.


| Parameter | Purpose |
| --- | --- |
| PGP Public Signature Verification Key | Bank given key which will be used for validating the digital signature of inbound acknowledgement file or bank statement. Once you upload the bank provided signature verification public key via UCM, you can select the same here. Once you select the file here, it will be imported automatically and you do not need to manually submit the 'Import Security Credential Job'. |
| PGP Private Decryption Key | Key generated by you to decrypt the inbound encrypted file. You can select the Create option from the LOV which will automatically generate the key and link the private key with your transmission configuration. It will also generate a public key file which you can download from UCM (File Import and Export) and share with your bank. The bank will use your public key file to encrypt the acknowledgement / bank statement file. |

Steps to Upload Bank Given Public Key File

1. Rename the bank-provided key file by including ‘_public.key’ as a suffix. Also, make sure the key file name doesn’t have
any special characters other than an underscore (_).
2. Navigate to File Import and Export.
3. Upload the bank given key file in account ‘fin/payments/import’.
4. Navigate to your desired transmission configuration in the transmission configuration page and select the uploaded key
file from the LOV in the related parameter. The key name in the LOV will be the same as the one you uploaded in UCM.
5. Once you select the key and save the configuration, the key will be automatically imported in Fusion.

Steps to Download Fusion Generated Public Key File

1. Select the Create option in the transmission configuration for the key related parameter.
2. Navigate to File Import and Export.
3. Search the generated key file using account ‘fin/payments/import’.
4. Download the key file, which will have a similar name to the private key file generated and attached in the transmission
configuration.


PGP Algorithm Upgrade

From R12 PB5, changes were introduced to fine-tune PGP algorithm usage to allow for the use of higher-strength ciphers and
hashing algorithms. The following is the current default behavior in R12 PB6+ and R13:

Encryption: AES128
Hashing: SHA256

You can switch the default algorithm and configure any of the supported algorithms. Algorithm control is done by creating new
lookup types and values in the Manage Standard Lookups work area under FSM. Below is an example of creating the lookup
switch to enable AES-256 strength encryption in place of the default 128 bit strength. The following are the two lookup type
switches for PGP security:

| Setup | Encryption | Hashing |
| --- | --- | --- |
| Lookup Type | IBY_PGP_ENC | IBY_PGP_HASH |
| Lookup Code | AES128 (default, not set); AES192; AES256; 3DES | MD5 (not allowed); SHA256 (default, not set); SHA384 |
| Meaning and Description | Any | Any |

Notes:

1. You can update the existing transmission configurations if you wish to use encryption and digital signature for your
existing connectivity with banks.

2. You can generate the keys for decryption and digital signature on your own as described in this note. However, SSH keys
for SFTP two-factor authentication will continue to be generated by support based on a service request, as they are
currently.

3. Fusion currently supports decryption of payment files that are encrypted using software that uses version ‘BCPG 1.45’
(or lower version) of the OpenPGP standard.

4. For outbound messages, when both encryption and digital signature are enabled, the order is always signature first,
followed by encryption.

5. For inbound messages, when both decryption and digital signature verification are enabled, the order is always
decryption first, followed by signature verification.

6. When importing a private key, you need to upload the key to UCM ‘fin/payments/import’ folder with suffix ‘_secret.key’
and select it from the transmission configuration UI LOV. You must also specify the private key file password in the
transmission configuration.

7. You should keep the public key file name less than 28 characters.

8. PGP signature key generated from Payments is generated with an expiration date of two years.
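
The naming and algorithm rules in this note (key file suffixes, allowed characters, the 28-character limit, the signing-needs-encryption prerequisite and the lookup codes) can be checked before anything is uploaded to UCM. The following pre-flight check is an added example, not Oracle code: the dict layout, field names and function names are hypothetical, and it assumes the 28-character limit counts the whole file name and that the signing prerequisite also applies to inbound verification.

```python
import re

# Lookup codes from the PGP Algorithm Upgrade table (MD5 is listed as not allowed).
ENC_CODES = {"AES128", "AES192", "AES256", "3DES"}   # IBY_PGP_ENC
HASH_CODES = {"SHA256", "SHA384"}                    # IBY_PGP_HASH


def check_key_file(name, suffix):
    """Check a UCM key file name against the naming rules in this note."""
    if not name.endswith(suffix):
        return [f"{name}: must end with '{suffix}'"]
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9_]+", name[: -len(suffix)]):
        problems.append(f"{name}: only letters, digits and '_' may precede '{suffix}'")
    # Assumption: the 28-character limit counts the whole file name, suffix included.
    if suffix == "_public.key" and len(name) >= 28:
        problems.append(f"{name}: public key file name must be under 28 characters")
    return problems


def check_config(cfg):
    """Validate a planned transmission configuration (hypothetical dict layout)."""
    problems = []
    outbound = cfg["direction"] == "outbound"
    # Outbound: bank key encrypts, own key signs. Inbound: own key decrypts, bank key verifies.
    crypt_key = cfg.get("encryption_key" if outbound else "decryption_key")
    sign_key = cfg.get("signing_key" if outbound else "verification_key")
    # Assumption: the prerequisite is applied to inbound verification as well.
    if sign_key and not crypt_key:
        problems.append("digital signature requires encryption to be configured")
    # Bank-supplied keys are public; "Create" means Fusion generates the key pair itself.
    bank_key, own_key = (crypt_key, sign_key) if outbound else (sign_key, crypt_key)
    if bank_key:
        problems += check_key_file(bank_key, "_public.key")
    if own_key and own_key != "Create":
        problems += check_key_file(own_key, "_secret.key")
        if not cfg.get("private_key_password"):
            problems.append("imported private key needs its password in the configuration")
    for lookup, allowed in (("IBY_PGP_ENC", ENC_CODES), ("IBY_PGP_HASH", HASH_CODES)):
        code = cfg.get(lookup)  # None means the lookup is not set and the default applies
        if code is not None and code not in allowed:
            problems.append(f"{lookup}: lookup code {code} is not supported")
    return problems


# Constructed sample: a hyphen in the bank key file name and a disallowed hash.
SAMPLE = {"direction": "outbound", "encryption_key": "my-bank_public.key",
          "signing_key": "Create", "IBY_PGP_ENC": "AES256", "IBY_PGP_HASH": "MD5"}
```

`check_config(SAMPLE)` returns two findings, one for the file name and one for the MD5 lookup code; an empty list means the planned configuration is consistent with the rules above.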


https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=yqligfi3h_53&id=2134791.1 7/7
