Skip to Content
Author's profile photo Kai-Christoph Mueller

Outbound httpS with HANA XS (part 2) – set up the trust relation

Intro

Welcome again to the wonderful world of secure http communication using the HANA XS engine. In this second part of the series you will learn how to set up a XS trust store for outbound http services via SSL (https). As a prerequisite you already need to be able to access your box at

https://<yourHostName>:43<yourInstanceNumber>/sap/hana/xs/admin/

-> tab: trust relations

without any error messages. Should you face issues with this, please go back to the first blog at Outbound httpS with HANA XS (part 1) – set up your HANA box to use SSL/TLS.

If this is already working for you, we can proceed with setting up a trust store and importing our target service’s certificate using the example destination https://api.github.com

Export the target certificate

To receive this certificate we will go to the destination page using your browser and export the certificate to a file. In the case of api.github.com this means:

  1. Open https://api.github.com with your browser
  2. Click on the green lock
  3. Change to the ‘Connection’ tab
  4. Click on ‘Certificate information’
  5. Via the ‘Copy to File’ button in the ‘Details’ tab you will be able to export the certificate to a local file (here: ‘apiGutHub.cer’)
  6. Leaving the default (‘DER encoded binary X.509 (.CER)’) is perfectly fine

28-10-2013 14-28-48.png

Create a trust store and import the certificate

The full documentation on how to do this is available in the HANA Administration guide (chapter 15.3)

The following is just the shortcut description:

  • To be able to edit trust stores your user will need the
    • role: sap.hana.xs.admin.roles::TrustStoreAdministrator
  • To create a trust store open the XS admin tool on your HANA box
  • Now create a trust store via the icon on the left add_favorite_32.png (32×32)  and give it a name(e.g.: ‘github api’ )
  • By clicking on that trust store you should now see an anonymous ‘own certificate’ and an empty ‘certificate list’

                  

  • To finally import the api github certificate
    • Click the ‘Browse’ button below the ‘certificate list’
    • Provide the path to the exported certificate (here: ‘apiGutHub.cer’)
    • Hit ‘Import certificate’
    • This should result in something like this
    • And finally this one

Please check that the CN=<target> really matches your target as this is common source for errors

Video

You prefer a video?

OK, here we go:

Conclusion

Congratulations! You are now done with setting up the scenario and can go to the fun part of coding at Outbound httpS with HANA XS (part 3) – call the https outbound service in XS server side JavaScript (xsjs)

Enjoy!

Assigned Tags

      7 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Thanks Kai-Christoph, What an excellent tutorial. You saved my life. ^^

      Author's profile photo Mayank Gupta
      Mayank Gupta

      Hi Kai-Cristoph,

      I tried the same steps, but I getting error that

      User is not authorized to use destination (package: github, name: github)

      so can you please help me out with this,

      Regards,

      Mayank

      Author's profile photo Kai-Christoph Mueller
      Kai-Christoph Mueller
      Blog Post Author

      Hi Mayank,

      actually this issue is not directly related to this Blog, so I'll give you a digest solution:

      It seems like you have another folder structure than I used. So in order to prevent the

      'User is not authorized to use destination' you need to consider:


      There is an access restriction to prevent package extensions to access xssql and xshttpdest: XShttpdests can only be accessed in the same folder or in a xsjs* in a parent folder. If you want subpackages to access the dest you need to create a xsjslib file that can see the dest and import it in the sub package.To my knowledge this solution also only works with SP7.

      Example:

      Let's assume you have got this structure:

      /wp-content/uploads/2014/03/20140304_150903_402929.png

      To access the destination in the sub-package, you'll need to add a file:

      getDest.xsjslib

      var getGithubDest = function(){

              return $.net.http.readDestination("debugging.github", "github");

              };

      issuesViaSubPackage.xsjs will then look like:

      (rest same as in issues.xsjs)

      ...

      var gDest = $.import("debugging.github","getDest");
      var destination = gDest.getGithubDest();

      ...

      Hope that helps

      kc

      Author's profile photo Former Member
      Former Member

      Hi Kai-Cristoph,


      When I Import Certificate (export from git hub as step Export The target Certificate) to Trust Store, I got an error: Own certificate cannot be access.


      Can you please help me out with this?


      Regards,

      Nam Lam

      Author's profile photo Kai-Christoph Mueller
      Kai-Christoph Mueller
      Blog Post Author

      Hi Nam Lam,

      it looks like you try to import the wrong - your own - certificate instead of the server's one.

      Hope that helps,

      kc

      Author's profile photo Former Member
      Former Member

      Hi Kai-Cristoph,

      Thank you very much, I solve this issue by using my own certificate (as a trust store required).

      Regards,

      Nam Lam

      Author's profile photo Nilesh Vakil
      Nilesh Vakil

      I am getting error as HttpClient.request: request failed: SSL requested, but no trust store configured.

       

      Can somebody help me ?