Administrator

Generate Private Keys Used by On-Device Charging

By default, encrypting communications between the MER and the point of sale, on device charging requires two root keys—Mer Private chargeKey (MPcK) and Mer Private readKey (MPrK)—that are installed into each MER, and generate a specific and separate  keyset for each merchant. The keys, which are 192 bits in size, are used by 3-DES algorithms (DESede/CBC/PKCS5Padding). 

In addition, on device charging requires an addition MPsK key for signing the transactions and producing an eToken (a signed transaction). By default, the encryption algorithm used by on device charing/MER for signing the generated transactions is RSA/ECB/PKCS1Padding.

However, the user can alternatively switch on a 3-DES algorithm (DESede/CBC/PKCS5Padding) to generate a smaller signature size and, thus, increase the number of eTokens that can be stored into the secure element. You must install the Bouncycastle package on the server side for verifying the eTokens.

To generate the required keys:
  1. Uncompress the <SMP_HOME>\Server\tools\mobiliser\com.sap.odc.tool.security.odckeytool-1.0.0.RC7-dist.zip file.
  2. Change directory to com.sap.odc.tool.security.odckeytool-1.0.0.RC7\com.sap.odc.tool.security.odckeytool-1.0.0.RC7.jar .
  3. Execute:
    java -jar com.sap.odc.tool.security.odckeytool-1.0.0.RELEASE.jar gen_odc_keys -url < smp_server_url> -login <mobiliser_user_login> -passwd <passwd> [-desSigning]
where <mobiliser_user_login> and <passwd> authenticates the user against SAP Mobile Platform after having successfully passed the SAP Mobile Platform HTTP gateway.
This command:
  • Automatically generates all the keys used by 3-DES algorithms,
  • Reads the private RSA signing key from the SAP Mobile Platform key store,
  • Encrypts all those private keys by using the mobiliser_odc_se_ks private key, and
  • Stores them into the security keyset database.

You can generate keys only once, during installation.  Attempting to generate on device charging private keys multiple times prevents the deployed MER from communicating with the existing registered merchant point of sale, and also prevents existing customers from using on device charging with new merchants.