Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Encryption on Application Gateway

We are implementing the application gateway for a client in UK. All the functionality are done and its working perfectly.

Since its financial institution, Customer needs encryption option.  Customer is looking forward for encryption options in GED-145,  Application Gateway interface. I believe that application gateway  supports two types of encrypted connection (native or via IPSec). How to  achieve this encryption in Application Gateway.

In UCCE configuration manager, when we configure the Application  gateway, there is one attribute called Encryption. What will this  parameter do? There no much help provided for this particular option.


Re: Encryption on Application Gateway


actually, it took me two days to figure it out - the documentation does not contain any relevant information. Contacted Cisco developer support - well, they just sent me the document which is available on their web anyway.

Now, if you pay me a hundred million dollars, I might be able I will tell you how to implement encryption on the GED-145 (application gateway) protocol.

The encryption used is actually DES, or, more specifically, its variant named Electronic Code Book (ECB), with no padding.

There's a preshared key on the ICM server running the Router > Application Gateway process, saved as a Windows registry key, at

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems, Inc.\ICM\[instanceName]\RouterA\Router\CurrentVersion\Configuration\ApplicationGateway called SessionKey, string "SESSIONK" by default.

When ICM Application Gateway first contacts the Application Gateway host, using the OPEN_REQ message, the third integer value will tell you wether to use encryption or not. The same message will contain the encrypted key (generated by ICM), encrypted using the preshared key, doubled (so instead of 8 bytes, it'll contain 16 bytes). You have decrypt it using the preshared kay. From now on, the payload of all messages must be encrypted/decrypted with that session key - so the QUERY_REQ and QUERY_RESP messages will have to look like: 4 bytes: message length, 4 bytes: message type, n bytes: encrypted payload. A new session key will be generated on ICM with a new session.

This provides end-to-end encryption between the ICM router and the host. Of course, it never hurts to combine this with IPSEC on the network level I guess if you are paranoid.

Hope this helps.


CreatePlease login to create content