I am working on a project where one of the requirements is to encrypt the traffic between the CI and the HANA back end DB. This is sort of documented in section 4.3 of the HANA Security Guide (http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf), but it still took me some time to figure out. I understand the next version of the security guide will have more detailed instructions, but thought I’d share some details that may help others in the meantime.

The instructions below are based on sapcrypto. In SP7 there is also an option to use commoncrypto, and OpenSSL is an option if sapcrypto is not installed.

  • Install sapcrypto on both CI and HANA systems
    • This is well documented, so I won’t provide details here
    • Copy libsapcrypto.so to …/lib directory
      • cp libsapcrypto.so /usr/sap/<sid>/SYS/global/security/lib
  • Create PSE files for both the CI and HANA systems
    • See SAP Note 1718944 – SAP HANA DB: Securing External SQL Communication (SAPCrypto)
    • If a Certificate Authority (CA) is not available, SAP provides an option to create a test cert that is valid for 8 weeks: https://websmp110.sap-ag.de/tcs
      • This option can be used to sign the sapcli.req from Note 1718944
    • In my case, the customer created a PFX file using their own CA
      • This requires a conversion of the *.PFX files provided by customer to PSE using command below
        • sapgenpse import_p12 -p sapcli.pse <existing_cert>.pfx
    • copy sapcli.pse to sapsrv.pse
        • cp sapcli.pse sapsrv.pse
    • sapsrv.pse is required for server authentication – HANA DB
    • sapcli.pse is required for client authentication – CI ABAP system
      • Only the respective file is needed on each system for this scenario, but it is easy to create both PSE files on both systems.
  • Enable SSL on HANA
    • su to <sid>adm
    • Create $SECUDIR
      • mkdir -p $SECUDIR
    • Copy both pse files to $SECUDIR
      • cp sapcli.pse sapsrv.pse $SECUDIR
    • Restart the HANA DB to enable SSL
  • Configure CI to connect via SSL
    • Copy sapcli.pse to /usr/sap/<SID>/DVEBMGS00/sec
      • If the sec directory does not exist, create it while logged on as <sid>adm
    • Add the following parameter in the DEFAULT.PFL to enable encryption on the DB connection
      • dbs/hdb/connect_property = ENCRYPT=TRUE
    • Stop and start the CI.
    • Check dev_w0 and verify the connection to the DB. It should look something like the trace below.

Loading SQLDBC client runtime …
C  SQLDBC Module  : /usr/sap/<SID>/hdbclient/libSQLDBCHDB.so
C  SQLDBC Runtime : libSQLDBCHDB 1.00.70.00 Build 0386119-1510
C  SQLDBC client runtime is 1.00.70.00.0386119
C  connect property [ENCRYPT = TRUE]
C
C  Try to connect via secure store (DEFAULT) on connection 0 …
C
C Sun Jan 12 19:41:31 2014
C  Attach to HDB : 1.00.70.00.386119 (NewDB100_REL)
C  Database release is HDB 1.00.70.00.386119
C  INFO : Database ‘<SID>/00’ instance is running on ‘<HANA_Host>’
C  INFO : Connect to DB as ‘SAP<SID>’, connection_id=300100
C  DB max. input host variables  : 32767
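Before the stop/start of the CI it is worth confirming that everything the work processes will need is actually in place, because a missing library, a missing or unreadable sapcli.pse, or a profile without ENCRYPT=TRUE is exactly what produces the errors in the troubleshooting section below. The following POSIX shell script is an added example and not code from the original post. It assumes the directory layout used in the steps above (/usr/sap/<SID>/SYS/global/security/lib for the library and /usr/sap/<SID>/<instance>/sec for the client PSE) and assumes DEFAULT.PFL is read from /usr/sap/<SID>/SYS/profile; the script name hdb_ssl_preflight.sh is also only an example.

```shell
#!/bin/sh
# Pre-flight check for the CI side of the ABAP -> HANA encrypted DB connection.
# Added example, not from the original post. Assumed layout (matches the post):
#   <root>/SYS/global/security/lib/libsapcrypto.so   sapcrypto library
#   <root>/<instance>/sec/sapcli.pse                  client PSE
#   <root>/SYS/profile/DEFAULT.PFL                    profile (location assumed)
# where <root> is /usr/sap/<SID>. Run as <sid>adm so the readability checks
# reflect the user the work processes actually run as.

# Report whether a file exists and is readable by the current user.
readable_file() {
  if [ -r "$1" ]; then
    echo "OK: $1"
    return 0
  fi
  if [ -e "$1" ]; then
    echo "NOT READABLE: $1 (fix ownership/permissions for <sid>adm)"
  else
    echo "MISSING: $1"
  fi
  return 1
}

# Return 0 if the effective dbs/hdb/connect_property in the profile contains
# ENCRYPT=TRUE. The last matching line wins, as it does when the profile is
# read; the value is compared without spaces and case-insensitively.
connect_property_encrypted() {
  value=$(grep -i '^[[:space:]]*dbs/hdb/connect_property' "$1" 2>/dev/null \
          | tail -n 1 | cut -d= -f2- | tr -d ' \t' | tr 'a-z' 'A-Z')
  case ",$value," in
    *,ENCRYPT=TRUE,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run all CI-side checks. Arguments: <root> <instance directory>.
# Returns 0 only if every prerequisite is in place.
check_ci_ssl_prereqs() {
  root="$1"; inst="$2"; rc=0
  readable_file "$root/SYS/global/security/lib/libsapcrypto.so" || rc=1
  readable_file "$root/$inst/sec/sapcli.pse" || rc=1
  profile="$root/SYS/profile/DEFAULT.PFL"
  if readable_file "$profile"; then
    if connect_property_encrypted "$profile"; then
      echo "OK: dbs/hdb/connect_property enables ENCRYPT=TRUE"
    else
      echo "NOT SET: add 'dbs/hdb/connect_property = ENCRYPT=TRUE' to $profile"
      rc=1
    fi
  else
    rc=1
  fi
  return "$rc"
}

# Stand-alone use: sh hdb_ssl_preflight.sh /usr/sap/<SID> DVEBMGS00
if [ "$#" -ge 1 ]; then
  check_ci_ssl_prereqs "$1" "${2:-DVEBMGS00}"
else
  echo "usage: $0 /usr/sap/<SID> [instance directory, default DVEBMGS00]" >&2
fi
```

Run it as <sid>adm with the SID root and instance directory, e.g. sh hdb_ssl_preflight.sh /usr/sap/HDB DVEBMGS00; a non-zero exit means a prerequisite is missing and the printed lines name which one. It cannot tell you whether the PSE contents are right (the trust list, or whether the server certificate's name matches the host you connect to); that still only shows up in the dev_w* trace.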

I ran into a few errors on the CI that caused the work processes to stop. I’ve outlined the errors I saw in the dev_w* traces, their causes and the steps to resolve them.

  • Troubleshooting –
    • Error message
      • “Cannot create SSL context” – unlike the messages below, this one carries no further detail and is very generic.
        • Possible Causes
          • the sapcrypto library is not accessible
          • the PSE key/trust store is not available or not properly filled
        • Solution
          • Ensure sapcrypto is installed correctly and readable by <sid>adm, and that the PSEs are created properly
    • Error message

C SQLERRTEXT : Connection failed (RTE:[300010] Cannot create SSL context: ERROR in SSL_CTX_set_default_pse_by_name:\
C                (4129/0x1021) The PSE does not exist : “/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse”,ERROR in ssl_set_pse\
C               : (4129/0x1021) The PSE does not exist : “/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse”,ERROR in af_open: (\
C               4129/0x1021) The PSE does not exist : “/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse”,ERROR in secsw_open: (\
C               4129/0x1021) The PSE does not exist : “/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse”,ERROR in secsw_open_ps\

        • Solution
          • Verify that sapcli.pse exists in that directory and that <sid>adm has read permission on it.
    • Error message

SQLERRTEXT : Connection failed (RTE:[300015] SSL certificate validation failed: host name ‘<hostname>’ does not m\
C               atch name in certificate ‘<DifferentHostname.domain.com’)
B  ***LOG BV3=> severe db error -10709    ; work process is stopped [dbsh         1244]
B  ***LOG BY2=> sql error -10709 performing CON [dblink       550]
B  ***LOG BY0=> Connection failed (RTE:[300015] SSL certificate validation failed: host name ‘<hostname> does not match name in certificate ‘<DifferentHostname.domain.com’) [dblink       550]
M  ***LOG R19=> ThDbConnect, db_connect ( DB-Connect 000256) [thDatabase.c 75]
M  in_ThErrHandle: 1
M  *** ERROR => ThInit: db_connect (step TH_INIT, thRc ERROR-DB-CONNECT_ERROR, action STOP_WP, level 1) [thxxhead.c   2151]

        • Cause/Solution
          • The client checks that the host name it connected to matches the name in the server certificate. Ensure the CI connects to HANA using the host name that is in the certificate.
          • Alternatively, tell the client which name to expect by adding sslHostNameInCertificate to dbs/hdb/connect_property in DEFAULT.PFL. This only changes the expected name and does not disable certificate validation, so use only a name the certificate legitimately carries.
            • Example: dbs/hdb/connect_property = ENCRYPT=TRUE, sslHostNameInCertificate=DifferentHostname.domain.com
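The three error patterns above can be picked out of a dev_w* trace mechanically. The shell function below is an added example, not code from the original post: it greps a trace for the RTE:[300010] and RTE:[300015] messages quoted above, pulls the missing PSE path or the expected certificate name out of the message text, and prints the matching fix from this section. The return-code scheme and the sample trace line it runs against when called without an argument are my own constructions, not from the original.

```shell
#!/bin/sh
# Triage the SSL outcome recorded in an ABAP dev_w* trace after enabling
# dbs/hdb/connect_property = ENCRYPT=TRUE. Added example, not from the original
# post; it keys on the RTE:[300010] / RTE:[300015] messages quoted above.
#
# Return codes (constructed for this example):
#   0  connected with ENCRYPT=TRUE
#   2  client PSE missing  (RTE:[300010], "The PSE does not exist")
#   3  host name mismatch  (RTE:[300015], "does not match name in certificate")
#   4  other "Cannot create SSL context" (library or PSE content problem)
#   5  no SSL-related marker found

# Print the first match of a sed substitution over the trace, keeping only
# the allowed characters so stray quotes (straight or curly) drop out.
extract_token() {  # $1 = sed expression, $2 = trace file, $3 = allowed characters
  sed -n "$1" "$2" | head -n 1 | tr -cd "$3"
}

triage_dev_trace() {
  trace="$1"
  # The dev trace wraps long lines, but both the ***LOG BY0 line and the
  # wrapped fragment carry "name in certificate '<expected>')".
  if grep -q 'name in certificate' "$trace"; then
    expected=$(extract_token 's/.*name in certificate \(.*\)).*/\1/p' "$trace" 'A-Za-z0-9.-')
    echo "HOST NAME MISMATCH: connect using the name in the server certificate, or add sslHostNameInCertificate=$expected to dbs/hdb/connect_property"
    return 3
  fi
  if grep -q 'The PSE does not exist' "$trace"; then
    pse=$(extract_token 's|.*The PSE does not exist : [^/]*\(/[^,]*\).*|\1|p' "$trace" 'A-Za-z0-9/._-')
    echo "PSE MISSING: copy sapcli.pse to $(dirname "$pse") and make it readable by <sid>adm"
    return 2
  fi
  if grep -q 'Cannot create SSL context' "$trace"; then
    echo "SSL CONTEXT: check that libsapcrypto.so is accessible and that the PSEs exist and are properly filled"
    return 4
  fi
  if grep -q 'connect property \[ENCRYPT = TRUE\]' "$trace" && grep -q 'Connect to DB as' "$trace"; then
    echo "OK: encrypted connection established"
    return 0
  fi
  echo "UNDETERMINED: no SSL-related marker found in $trace"
  return 5
}

# Stand-alone use: sh triage_dev_trace.sh /usr/sap/<SID>/DVEBMGS00/work/dev_w0
# With no argument, run against one constructed sample line (not a real trace).
if [ "$#" -ge 1 ]; then
  triage_dev_trace "$1"
else
  sample=$(mktemp)
  printf '%s\n' "B  ***LOG BY0=> Connection failed (RTE:[300015] SSL certificate validation failed: host name 'cihost' does not match name in certificate 'hana01.example.com') [dblink       550]" > "$sample"
  triage_dev_trace "$sample" || true
  rm -f "$sample"
fi
```

The host-name check is deliberately tested first: a trace that reaches RTE:[300015] has already loaded the library and the PSE, so the earlier causes can be ruled out, and the name printed is the one to put into sslHostNameInCertificate only if it is genuinely the HANA host's name.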

The configuration is really simple once you figure it out, but I did run into various issues trying to get it to work. Feel free to ask questions in the comments and I’ll do my best to answer right away.

9 Comments

  1. Candy Zhan

    Hi Jake,

    Did you see any error in trans.log?

    LOG BY2=>sql error 4321   performing CON?

    Thanks and regards,

    Candy

  2. Chris O'Haire

    Hi Jake,

    Thank you for taking the time to create such a helpful blog.  This has really helped us during the setup of SSL between ABAP and HANA.

    Regards,

    Chris

  3. Luis Rosado

    One question about the error below, with sslenforce=true in the global.ini file of HDB:

    (CI)

    hdbsql -U DEFAULT

    \s

    4321: only secure connections are allowed SQLSTATE: HY000

    Any idea?

    1. Luis Rosado

      Hi,

      The test wasn’t working because the command missed the encryption option:

      hdbsql -e -U DEFAULT

      -e = for encryption test

      1. Jake Echanove

        Great catch. There are some considerations when you set “sslenforce=true”. I never got around to blogging about this, but I’d suggest you test your transports. The TP connection isn’t encrypted by default and this may fail. Test and let me know what you find.

        -Jake

  4. Raghuveer Balimi

    Hi Jake,

    Nice post.

    We are configuring SSL and realized SAP no longer provides the test cert now.

    Are you aware of other alternatives for this step?

    ******************************

    If a Certificate Authority (CA) is not available, SAP provides an option to create a test cert that is valid for 8 weeks: https://websmp110.sap-ag.de/tcs

    ******************************

    Thanks for sharing

    regards,

    Rv
