Outbound httpS with HANA XS (part 2) – set up the trust relation
Intro
Welcome again to the wonderful world of secure http communication using the HANA XS engine. In this second part of the series you will learn how to set up an XS trust store for outbound http services via SSL (https). As a prerequisite you already need to be able to access your box at
https://<yourHostName>:43<yourInstanceNumber>/sap/hana/xs/admin/
-> tab: trust relations
without any error messages. Should you face issues with this, please go back to the first blog at Outbound httpS with HANA XS (part 1) – set up your HANA box to use SSL/TLS.
If this is already working for you, we can proceed with setting up a trust store and importing our target service’s certificate using the example destination https://api.github.com
Export the target certificate
To obtain this certificate, open the destination page in your browser and export the certificate to a file. In the case of api.github.com this means:
- Open https://api.github.com with your browser
- Click on the green lock
- Change to the ‘Connection’ tab
- Click on ‘Certificate information’
- Via the ‘Copy to File’ button in the ‘Details’ tab you will be able to export the certificate to a local file (here: ‘apiGutHub.cer’)
- Leaving the default (‘DER encoded binary X.509 (.CER)’) is perfectly fine
Create a trust store and import the certificate
The full documentation on how to do this is available in the HANA Administration guide (chapter 15.3).
The following is just the shortcut description:
- To be able to edit trust stores your user will need the role sap.hana.xs.admin.roles::TrustStoreAdministrator
- To create a trust store open the XS admin tool on your HANA box
- https://<yourHost>:43<yourInstNo>/sap/hana/xs/admin/
- Go to tab ‘Trust Manager’
- Now create a trust store via the icon on the left and give it a name (e.g. ‘github api’)
- By clicking on that trust store you should now see an anonymous ‘own certificate’ and an empty ‘certificate list’
- To finally import the api github certificate
- And finally this one
– Please check that the CN=<target> really matches your target, as this is a common source of errors
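The CN check from the last step can also be scripted before the import. The following is an added example, not part of the original blog: it lists the names a certificate carries (CN and DNS subjectAltName) and tests whether any of them covers the target host. The function names are hypothetical, and the wildcard rule is the common TLS hostname-matching convention, which is assumed here rather than taken from HANA documentation.

```python
import hashlib
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# it is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "*.github.com"),)),
    "subjectAltName": (("DNS", "*.github.com"), ("DNS", "github.com")),
}

def cert_names(cert):
    """Return (CN values, DNS subjectAltName values) of a decoded certificate."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cns, sans

def name_matches(pattern, host):
    """Exact match, or '*' as the whole left-most label covering one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    head, _, tail = h.partition(".")
    # '*.github.com' covers 'api.github.com', not 'github.com' or 'a.b.github.com'
    return bool(head) and tail == p[2:] and "." in tail

def check_target(cert, host):
    """List the names the certificate carries and whether any covers host."""
    cns, sans = cert_names(cert)
    names = cns + [s for s in sans if s not in cns]
    return {"names": names, "match": any(name_matches(n, host) for n in names)}

def fetch_cert(host, port=443, timeout=10):
    """Fetch the server certificate: decoded dict plus DER bytes."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    print(check_target(SAMPLE_CERT, "api.github.com"))   # offline check
    cert, der = fetch_cert("api.github.com")             # needs network access
    print(check_target(cert, "api.github.com"))
    print("SHA-256:", hashlib.sha256(der).hexdigest())
```

The DER bytes returned by `fetch_cert` are the same encoding as the browser's ‘DER encoded binary X.509 (.CER)’ export, so the SHA-256 value can be compared with the fingerprint of the exported file before it goes into the trust store.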
Video
You prefer a video?
OK, here we go:
Conclusion
Congratulations! You are now done with setting up the scenario and can go to the fun part of coding at Outbound httpS with HANA XS (part 3) – call the https outbound service in XS server side JavaScript (xsjs)
Enjoy!
Thanks Kai-Christoph, What an excellent tutorial. You saved my life. ^^
Hi Kai-Cristoph,
I tried the same steps, but I am getting the error that
User is not authorized to use destination (package: github, name: github)
so can you please help me out with this,
Regards,
Mayank
Hi Mayank,
actually this issue is not directly related to this Blog, so I'll give you a digest solution:
It seems like you have another folder structure than I used. So in order to prevent the
'User is not authorized to use destination' you need to consider:
There is an access restriction to prevent package extensions to access xssql and xshttpdest: XShttpdests can only be accessed in the same folder or in a xsjs* in a parent folder. If you want subpackages to access the dest you need to create a xsjslib file that can see the dest and import it in the sub package. To my knowledge this solution also only works with SP7.
Example:
Let's assume you have got this structure:
To access the destination in the sub-package, you'll need to add a file:
getDest.xsjslib
var getGithubDest = function () {
    return $.net.http.readDestination("debugging.github", "github");
};
issuesViaSubPackage.xsjs will then look like:
(rest same as in issues.xsjs)
...
...
Hope that helps
kc
Hi Kai-Cristoph,
When I import the certificate (exported from GitHub as in step "Export the target certificate") into the trust store, I get an error: Own certificate cannot be access.
Can you please help me out with this?
Regards,
Nam Lam
Hi Nam Lam,
it looks like you are trying to import the wrong - your own - certificate instead of the server's one.
Hope that helps,
kc
Hi Kai-Cristoph,
Thank you very much, I solved this issue by using my own certificate (as a trust store required).
Regards,
Nam Lam
I am getting the error: HttpClient.request: request failed: SSL requested, but no trust store configured.
Can somebody help me?