
Secure Sockets Layer (SSL) with HANA and BI4 Feature Pack 3 requires configuration on both the HANA server and the BI4 server.  The following steps show how to configure SSL using OpenSSL and a certificate obtained from a Certificate Authority (CA).

OpenSSL Configuration

This blog covers the OpenSSL Crypto Library; however, HANA can also be configured using the SAP Crypto Library.

Confirm that OpenSSL is installed

shell> rpm -qa | grep -i openssl

openssl-0.9.8h-30.34.1

libopenssl0_9_8-32bit-0.9.8h-30.34.1

openssl-certs-0.9.8h-27.1.30

libopenssl0_9_8-0.9.8h-30.34.1

Confirm that OpenSSL is 64-bit

shell> file /usr/bin/openssl

openssl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.4, dynamically linked (uses shared libs), stripped

Confirm there is a symlink to the libssl.so file


If not, create one as the root user

shell> ln -s /usr/lib64/libssl.so.0.9.8 /usr/lib64/libssl.so

SSL Certificates

This blog won’t go into the details of how SSL works, but in generic terms you’ll need to create a Certificate Signing Request (CSR) on the HANA server and send it to a CA.  In return, the CA will give you a Signed Certificate and a copy of their Root CA Certificate.  These then need to be set up with HANA and with the BI4 JDBC and ODBC drivers.

Creating the Certificate Signing Request

shell> openssl req -new -nodes -newkey rsa:2048 -keyout Server_Key.key -out Server_Req.csr -days 365

Fill out the requested information according to your company:

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This will create two files

  • Key: Server_Key.key
  • CSR: Server_Req.csr

The CSR needs to be sent to the CA, which in turn will give you a signed certificate and their Root CA Certificate.

Convert the Root CA Certificate to PEM

The Root CA Certificate may come in DER format (.cer extension), but HANA requires the certificate in PEM format.  Therefore, we need to convert it using the command

shell> openssl x509 -inform der -in CA_Cert.cer -out CA_Cert.pem

HANA SSL Configuration

Copy both the Signed Certificate and the Root CA Certificate to the HANA server.  For HANA SSL to work, we need to create two files:

  • key.pem
  • trust.pem

The key.pem key store file contains the certificate chain, which includes your server’s key (Server_Key.key), the CA’s Signed Certificate and the Root CA Certificate.  The trust.pem trust store file contains only the Root CA Certificate.

Create the key.pem key store and the trust.pem trust store

key.pem

shell> cat Server_Cert.pem Server_Key.key CA_Cert.pem > key.pem

trust.pem

shell> cp CA_Cert.pem trust.pem

Copy the files to the user’s home directory

In the user’s home directory, create a .ssl directory and place both the key.pem and trust.pem files there.
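Before HANA is restarted, the two files can be checked for consistency. The script below is an added example, not part of the original blog: it checks that the private key in key.pem matches the server certificate, that the certificate verifies against trust.pem, and that key.pem is accessible only to its owner. The function names are illustrative; it assumes an RSA key (as created above with rsa:2048) and that the server certificate is the first entry in key.pem.

```shell
#!/bin/sh
# Added example: pre-flight checks for the key.pem / trust.pem files built above.
# Function names are illustrative; file names follow the blog.

# Succeeds when the first certificate and the RSA private key in key.pem
# share the same modulus, i.e. the key belongs to the certificate.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Succeeds when the server certificate in key.pem chains to a CA in trust.pem.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds when group and others have no access to the file. key.pem holds
# the private key unencrypted because the CSR was created with -nodes.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; print one line per failure, return non-zero if any failed.
check_hana_ssl_files() {
    rc=0
    key_matches_cert "$1" || { echo "FAIL: private key does not match certificate in $1"; rc=1; }
    chain_verifies "$1" "$2" || { echo "FAIL: certificate in $1 does not verify against $2"; rc=1; }
    key_is_private "$1" || { echo "FAIL: $1 is accessible to group/others (chmod 600)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 are consistent"
    return "$rc"
}

# Usage: check_hana_ssl_files "$HOME/.ssl/key.pem" "$HOME/.ssl/trust.pem"
```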

Configure the certificates in HANA

Once the key.pem and trust.pem files have been created they need to be configured in HANA.

In HANA Studio go to

  • Administration
  • Configuration tab
  • Expand indexserver.ini
  • Expand communication
  • Configure the entries related to SSL

Stop and start HANA to pick up the SSL configuration

  • HDB stop
  • HDB start

HANA Studio Configuration

When setting up the connection to HANA, check the option ‘Connect using SSL’.

To confirm that the connection uses SSL, look for the lock icon on the server icon.

BI4 Feature Pack 3 SSL Configuration

SSL in BI4 needs to be configured for the HANA connectivity you plan to use.

JDBC Configuration

For JDBC SSL configuration, we’ll need to add the trust.pem trust store to the Java Key Store (JKS) using the keytool utility provided by the JDK/JRE.  This is done via the command line.  Change the paths for your own configuration:

Add trust.pem to the JKS

C:\Documents and Settings\Administrator>"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\jre\bin\keytool.exe" -importcert -keystore "C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\jre\lib\security\cacerts" -alias HANA -file trust.pem

You will be prompted for the keystore password.  The default password is: changeit

When prompted to ‘Trust this certificate’ enter yes.  The alias can be any value, however it must be unique in the keystore.

Confirm that your certificate has been added to the keystore

C:\Documents and Settings\Administrator>"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\jre\bin\keytool.exe" -list -keystore "C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\jre\lib\security\cacerts" -alias HANA

If successful, you will see trustedCertEntry in the output.

Information Design Tool (IDT) Configuration

In IDT, the connection needs to be set up with the JDBC Driver Property encrypt=true so that it uses SSL when connecting to HANA.

ODBC Configuration

Once the HANA client driver has been installed, you can set up an ODBC connection for HANA.  To connect via SSL, check the box ‘Connect using SSL’.

If you added any ‘Special property settings’, they won’t be displayed in the driver configuration.  To view them, launch the Windows Registry Editor and go to the key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ODBC\ODBC.INI\<Your Data Source Name>


Installing the CA Root Certificate

Depending on which CA signed your certificate, you may run into SSL errors, for example in Crystal.

To resolve this, install the CA Root Certificate so that it is trusted by the server.

  • Copy the CA Root Certificate to the machine where the error is coming from
  • Double click on the certificate and click ‘Install Certificate’
  • Click next
  • Select the first option and click next
  • Click finish

Confirming if SSL is being used

Using a tool like Wireshark, the communication between the server and the client can be traced to verify that SSL is being used.

5 Comments

  1. Dayal .t

    Hi Guys

    Can someone point me to the download link for this OpenSSL “openssl-0.9.8h-30.34.1”?

    I have tried everywhere; I cannot find it.

    Thanks

  2. David Wei

    Hi Vishal,


    Good blog, it helped me very much.

    Now I have an issue: how do I install the ODBC SSL certificate on the HANA client (Windows 7)?

    I tested ODBC connectivity from the client to the HANA server using SSL on a system DSN, but it prompted this message:

    —————————

    SAP HDB ODBC Connect

    —————————

    ODBC-Error

    SQLSTATE: 08S01

    NATIVE ERROR: -10709

    MESSAGE TEXT: [SAP AG][LIBODBCHDB DLL][HDBODBC] Communication link failure;-10709 Connection failed (RTE:[300012] Cannot create SSL engine: The certificate chain was issued by an authority that is not trusted.

    And my ODBC parameters are as follows:

    odbc parameters with ssl.png

     

    What is the matter with my issue? Is there anything wrong with my ODBC setting? Please give me some advice regarding this. Thank you in advance.


    By the way, I also tried setting parameters sslTrustStore and sslKeyStore with local file path, but it did not work either.

    Regards,

    David
