I am working on a project where one of the requirements is to encrypt the traffic between the CI and the HANA back end DB. This is sort of documented in section 4.3 of the HANA Security Guide (http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf), but it still took me some time to figure out. I understand the next version of the security guide will have more detailed instructions, but thought I'd share some details that may help others in the meantime.
The below instructions are based on sapcrypto. In SP7, there is an option to use commoncrypto. OpenSSL is also an option if sapcrypto is not installed.
Loading SQLDBC client runtime ...
C SQLDBC Module : /usr/sap/<SID>/hdbclient/libSQLDBCHDB.so
C SQLDBC Runtime : libSQLDBCHDB 1.00.70.00 Build 0386119-1510
C SQLDBC client runtime is 1.00.70.00.0386119
C connect property [ENCRYPT = TRUE]
C
C Try to connect via secure store (DEFAULT) on connection 0 ...
C
C Sun Jan 12 19:41:31 2014
C Attach to HDB : 1.00.70.00.386119 (NewDB100_REL)
C Database release is HDB 1.00.70.00.386119
C INFO : Database '<SID>/00' instance is running on '<HANA_Host>'
C INFO : Connect to DB as 'SAP<SID>', connection_id=300100
C DB max. input host variables : 32767
I ran into a few errors on the CI that caused the workservers to crash. I've outlined the errors I saw in the dev_w* traces, the cause and the steps to resolve the errors.
C SQLERRTEXT : Connection failed (RTE:[300010] Cannot create SSL context: ERROR in SSL_CTX_set_default_pse_by_name:\
C (4129/0x1021) The PSE does not exist : "/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse",ERROR in ssl_set_pse\
C : (4129/0x1021) The PSE does not exist : "/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse",ERROR in af_open: (\
C 4129/0x1021) The PSE does not exist : "/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse",ERROR in secsw_open: (\
C 4129/0x1021) The PSE does not exist : "/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse",ERROR in secsw_open_ps\
SQLERRTEXT : Connection failed (RTE:[300015] SSL certificate validation failed: host name '<hostname>' does not m\
C atch name in certificate '<DifferentHostname.domain.com')
B ***LOG BV3=> severe db error -10709 ; work process is stopped [dbsh 1244]
B ***LOG BY2=> sql error -10709 performing CON [dblink 550]
B ***LOG BY0=> Connection failed (RTE:[300015] SSL certificate validation failed: host name '<hostname> does not match name in certificate '<DifferentHostname.domain.com') [dblink 550]
M ***LOG R19=> ThDbConnect, db_connect ( DB-Connect 000256) [thDatabase.c 75]
M in_ThErrHandle: 1
M *** ERROR => ThInit: db_connect (step TH_INIT, thRc ERROR-DB-CONNECT_ERROR, action STOP_WP, level 1) [thxxhead.c 2151]
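The trace writer wraps long records with a trailing backslash, so a search for "does not match" can miss the wrapped copy of the hostname error above. The following is an added example, not part of the original post: it rejoins wrapped records and classifies the two SSL failures shown. The function names and the sample trace are constructed for illustration.

```python
import re

# Constructed sample, modelled on the dev_w* excerpts above (placeholders kept).
SAMPLE_TRACE = r"""C SQLERRTEXT : Connection failed (RTE:[300010] Cannot create SSL context: ERROR in SSL_CTX_set_default_pse_by_name:\
C (4129/0x1021) The PSE does not exist : "/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse",ERROR in ssl_set_pse\
C : (4129/0x1021) The PSE does not exist : "/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse"
C SQLERRTEXT : Connection failed (RTE:[300015] SSL certificate validation failed: host name '<hostname>' does not m\
C atch name in certificate '<DifferentHostname.domain.com>')
B ***LOG BV3=> severe db error -10709 ; work process is stopped [dbsh 1244]
"""

RTE = re.compile(r"RTE:\[(\d+)\]")
PSE = re.compile(r'The PSE does not exist : "([^"]+)"')
HOST = re.compile(r"host name '([^']*)' does not match name in certificate '([^')]*)")

def unwrap(trace):
    """Join records that were wrapped with a trailing backslash."""
    records, pending = [], None
    for line in trace.splitlines():
        if pending is not None:
            # Continuation line: drop the repeated component letter and its space.
            line = pending + re.sub(r"^[A-Z] ", "", line, count=1)
            pending = None
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            records.append(line)
    if pending is not None:  # trace ended in the middle of a wrapped record
        records.append(pending)
    return records

def classify(trace):
    """Return (rte_code, kind, detail) for each connection failure record."""
    findings = []
    for rec in unwrap(trace):
        code = RTE.search(rec)
        if not code:
            continue
        if (p := PSE.search(rec)):
            # detail: the PSE path the client library tried to open
            findings.append((code.group(1), "pse_missing", p.group(1)))
        elif (h := HOST.search(rec)):
            # detail: (host name used to connect, name found in the certificate)
            findings.append((code.group(1), "hostname_mismatch", h.groups()))
        else:
            findings.append((code.group(1), "other", rec))
    return findings

if __name__ == "__main__":
    for finding in classify(SAMPLE_TRACE):
        print(finding)
```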
The configuration is really simple once you figure it out, but I did run into various issues trying to get it to work. Feel free to ask questions in the comments and I'll do my best to answer right away.