[ic] Setting up GPG with Interchange

David xxxxxxx interchange-users@interchange.redhat.com
Wed Dec 26 00:40:01 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey guys,

After quite a bit of tinkering in my spare time, I was finally able
to get Interchange 4.8.3 to send me orders via e-mail.  Yes, e-mail
orders that actually contained the customers encrypted credit card
number.  I had the help of a few people on the interchange-users
mailing list.  (Thanks Guys!)  I'm going to try to write a set of
comprehensive instructions that will guide you step by step through
setting up gpg to work with Interchange 4.8.3.  This may be useful to
you if you receive orders through your site via e-mail and manually
enter the credit card information in a credit card terminal.

I hope these instructions are accurate.  This is my first time ever
setting up Interchange, so I'm not too familiar with it.  These are
revised instructions that were originally sent to the list by Patrick
J. Walsh.

These instructions reflect the o/s's that I'm running, so you may
have to modify these to work for you.
Server o/s:  FreeBSD 4.2-STABLE  (machine that Interchange is installed on)
My o/s:      Windows XP Professional  (machine that will be receiving the orders)

First, assuming that you're using a similar setup to what I am, you
will need to acquire a copy of PGP Freeware for your Windoze machine.
I downloaded version 6.5.8 from the following URL:
http://www.pgpi.org/products/pgp/versions/freeware/

When you are finished installing the PGP application, you will need
to generate a keypair to use for encrypting the orders.  When you
first launch the application, it will prompt you to create your
keypair.  This keypair needs to be generated for the e-mail address
that will be receiving the orders from the server.  When you create
your keypair, it's best to use a password that contains uppercase
letters, lowercase letters, and numbers at the very least, but I hope
you already knew that.  Don't lose this password.  Don't forget this
password.  Don't use a password that you've used for anything else.

Once you have successfully generated the keypair on your Windoze
box, you will need to make sure gpg is installed on the Server and
available for you to use.  Try using the command `whereis gpg`.  If
gpg is not installed on the system, you can get your very own copy
from http://www.gnupg.org/

I'll assume that the key you made using the PGP application on the
Windoze machine has the e-mail address 'orders@example.com'.

The next step is to get your Public key on the server so gpg can use
it to encrypt the credit card information.  The first step is
exporting the Public key from the PGP application on the Windoze
machine.  To do this, using the PGPkeys utility, select the key that
you generated and wish to export.  

Next, choose the menu option "Keys-->Export".  When prompted, choose
a filename that you will not forget.  We'll assume that you saved it
to the root directory and named it public.asc.  ( C:\public.asc )
Upload this file to your server via FTP.  It doesn't matter where you
save it, just don't forget the location.  I saved mine as
/home/interchange-user-name/public.asc

The next step is to import this public key into the keyring of the
Interchange user.  I'm not going to try to explain what that means,
but if you need to know, visit http://www.gnupg.org and read their
faq.  Telnet or SSH into your server as the Interchange user.  Then,
from the server prompt, you can import the public key using gpg.  The
command to do this is:
gpg --import /home/interchange-user-name/public.asc

Make sure you know where your keyring file was placed.  It was
probably put in this directory: 
/home/interchange-user-name/.gnupg/.  Now make sure you can use the
key properly by using this command:
echo "testing" | gpg --no-default-keyring --always-trust --keyring /home/interchange-user-name/.gnupg/pubring.gpg -e -a --batch -t -r 'orders@example.com'

Note:  You may need to include the gpg path in this command (i.e.
/usr/bin/gpg or /usr/local/bin/gpg)

If it works, great, if not, you need to look into the gpg
documentation and the gpg newsgroups and mailing lists to fix it
before proceeding or bothering the interchange folks.

The next step is setting your variables properly.  To do this, use
the Interchange admin interface and go to
Administration->Preferences->Encryption.  If you don't have all of
the variables listed below, then you should create them.  Use the New
Entry submenu item if you need to create them.

ENCRYPTOR    <blank>
PGP    gpg --no-default-keyring --always-trust --keyring /home/interch/.gnupg/pubring.gpg -e -a --batch -t -r '%s'
[Note: If you had to include the gpg path in the test that you just
did, you will also need to include it in the above line for it to
work.]
PGP_KEY            orders@example.com


Next, edit your catalog.cfg file.  Search for the EncryptProgram and
EncryptKey lines.  If they exist, edit them, otherwise, add them
before the routes start:

EncryptProgram __PGP__
EncryptKey __PGP_KEY__

Then search through the rest of your file for "Route main" and make
sure the following entries are set in that section:

credit_card    1
encrypt        0
encrypt_program    "__PGP__"
email        '__ORDERS_TO__'
pgp_key    "__PGP_KEY__"

Now you will want to restart the Interchange server.

Before you try this out to see if it worked, you're probably going to
want to configure the PGP application on the Windoze machine to
decrypt the e-mail messages that you receive.  To do this, open the
PGPkeys application up again.  Click on the Edit-->Options menu. 
Choose the Email tab from the dialog that appears.  Make sure there
is a check box in front of the option that says "Automatically
decrypt/verify when opening messages".  Click OK and exit the app. 
After I did this, Outlook 2000 automatically decrypted my orders
after I typed the password that I hope you haven't forgotten.

Okay, that's it.  (I hope..)  Go to your site and submit an order. 
If everything is set up correctly, you should receive the order via
e-mail with the credit card number enclosed and encrypted.  When you
receive the e-mail, Outlook should prompt you for the password that
you chose.  Once you enter it, you should see the decrypted credit
card number.  If you have problems decrypting the information, I
would check the PGP documentation.

If you're having problems receiving the order, or the encryption is
not working properly, you'll want to look at the gpg error messages. 
In my environment, this was not simple as I did not have root, or
even interch access.  The logs are stored in the tmp/ directory as
pgp*.err.  In my case, I didn't have permissions to read these files.
To circumvent this, do the following:

First, figure out which file is the most recent that you want to look
at by typing `ls -lt *.err |head` -- probably the first entry is the
one you're after.  Next, go to the admin interface and navigate to
Content.  Select '..' then 'tmp' and choose the file you are
interested in from the list.
This will give you the details of any errors that gpg is spitting
out.  Ignore the insecure memory errors, they don't stop gpg from
doing anything.

I wish you the best of luck!

Regards,



David xxxxxxx
dxxxxxxx@cyber3dnet.com
Webmaster of... something?

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPClim90DJ7UnV+soEQKSoACdF1Tuo2ZP6vdwyVWni0VddzomPtcAnA3U
dPKbrtCHe1jcJeCYQhLUQfMh
=llEq
-----END PGP SIGNATURE-----
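An added example, not part of the post above and not Interchange's own code: a throwaway rehearsal of the server-side step that the PGP variable performs. It builds the same two-sided setup the post describes (a recipient keypair whose public half is exported and imported into a separate keyring standing in for the Interchange user's .gnupg), runs the exact encrypt command line with '%s' filled in the way Interchange substitutes the recipient, and checks that an armored message comes out and that the receiving side can read the card number back. The key ID orders@example.com, the temporary directories under mktemp, the test card number and the empty passphrase are all hypothetical stand-ins for the test; it assumes a GnuPG 2.1 or later on the path.

```shell
#!/bin/sh
# Added example (not from the original post or from Interchange): rehearse the
# server-side encryption step in a disposable GNUPGHOME so the PGP command line
# can be checked before a real order is submitted.
# Hypothetical names: orders@example.com as the key ID, temp dirs under mktemp.
set -eu

# Stand-in for the PGP 6.5.8 GUI: generate the recipient keypair, export the
# public key, then seed a separate "Interchange user" keyring with it alone.
setup_keyring() {
  WORK=$(mktemp -d)
  WIN_HOME="$WORK/winpgp"    # the receiving (Windows) side, holds the secret key
  SRV_HOME="$WORK/interch"   # the Interchange user's .gnupg, public key only
  export WORK WIN_HOME SRV_HOME
  mkdir -m 700 "$WIN_HOME" "$SRV_HOME"
  # Empty passphrase only because this is a disposable test key.
  GNUPGHOME="$WIN_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'orders@example.com' default default never
  GNUPGHOME="$WIN_HOME" gpg --batch --quiet --armor --export 'orders@example.com' \
      > "$WORK/public.asc"
  # Same as the post's `gpg --import /home/.../public.asc`, run on the server side.
  GNUPGHOME="$SRV_HOME" gpg --batch --quiet --import "$WORK/public.asc"
}

# gpg 2.1+ keeps the public ring in pubring.kbx; older releases (and the post's
# command line) use pubring.gpg.  Pick whichever the import created.
keyring_file() {
  if [ -f "$SRV_HOME/pubring.kbx" ]; then
    echo "$SRV_HOME/pubring.kbx"
  else
    echo "$SRV_HOME/pubring.gpg"
  fi
}

# The PGP variable from the post, with '%s' filled in as Interchange does.
# Plaintext on stdin, ASCII-armored message on stdout.  Interchange runs this
# as the interch user whose own ~/.gnupg holds the ring; here GNUPGHOME points
# at the test copy instead.
encrypt_order() {
  rcpt=$1
  GNUPGHOME="$SRV_HOME" gpg --no-default-keyring --always-trust \
      --keyring "$(keyring_file)" -e -a --batch -t -r "$rcpt"
}

# Push one order through and confirm (a) gpg emitted an armored message and
# (b) the receiving side can decrypt it; prints the recovered plaintext.
round_trip() {
  msg=$(printf 'Card: %s\n' "$1" | encrypt_order 'orders@example.com')
  case "$msg" in
    *'-----BEGIN PGP MESSAGE-----'*) ;;
    *) echo 'gpg produced no armored output' >&2; return 1 ;;
  esac
  printf '%s\n' "$msg" | GNUPGHOME="$WIN_HOME" gpg --batch --quiet \
      --pinentry-mode loopback --passphrase '' --decrypt
}

# Stop any agents gpg started for the temp homes, then drop the directories.
cleanup() {
  for h in "$WIN_HOME" "$SRV_HOME"; do
    if command -v gpgconf >/dev/null 2>&1; then
      GNUPGHOME="$h" gpgconf --kill gpg-agent || true
    fi
  done
  rm -rf "$WORK"
}

# Stand-alone run: RUN_DEMO=1 sh check_pgp.sh  (4111111111111111 is a constructed test number)
if [ "${RUN_DEMO:-0}" = 1 ]; then
  setup_keyring
  round_trip 4111111111111111
  cleanup
fi
```

Two things this rehearsal surfaces that the admin interface will not: an unknown recipient makes gpg exit non-zero with nothing on stdout (which is what to look for in the pgp*.err files the post mentions), and --always-trust skips the web-of-trust check entirely, so the only thing binding the imported key to the person who will decrypt orders is that you compared its fingerprint against the one shown in PGPkeys on the receiving machine; do that once when importing rather than relying on the e-mail address in the user ID.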