My name is Daniel Gray and I’m a Product Support Engineer. I work in SAP’s Vancouver office and I support the growing database technology known as HANA.
The goal of this blog is to provide an overview of various SSL configurations in HANA. There are already a number of guides that detail how to configure SSL on HANA; I hope these posts will help you understand why each step is necessary. This is a series I will be adding to in the future; I’m currently planning on covering single and multi-node HANA systems with and without certificate authorities, and internal communication in multi-node systems.
As these posts are related to SSL and HANA, I won’t give an in-depth explanation of the mechanics behind SSL. If you are new to SSL the following resource helped greatly when I started learning SSL:
SSL protocols provide methods for establishing encrypted connections and verifying the identity of an entity (client, server, etc). Verifying the identity of a communication partner, however, isn’t mandatory. Many clients will allow you to establish connections with untrusted parties. For the following posts I will assume that our clients will reject untrusted servers.
Configuring clients to reject untrusted connections depends on the client itself. For HANA Studio, this option is found in Systems view -> right click the system connection <SID> (<DBUSER>) -> Properties -> Database User Logon -> Additional Properties tab -> Validate the SSL certificate checkbox.
Additionally, in the following examples I’ll assume that clients already trust certificates (i.e. the trust store contains the root certificate) signed by common CAs such as Verisign and DigiCert.
Should you encounter a term you’re not familiar with, please refer to the glossary at the bottom of this page.
- SSL and single-node HANA systems
- SSL and distributed (multi-node) HANA systems <under construction>
- SSL and internal communication in distributed systems <under construction>
- Certificate Authority (CA): An entity, such as DigiCert, that verifies the identity of another entity, such as Facebook.
- Public key: The key used to encrypt messages/decrypt signatures in asymmetric cryptography.
- Public key certificate: A digital certificate that contains, and identifies the owner of, a public key; this is distributed publicly.
- Private key: The key used to decrypt messages and sign objects in asymmetric cryptography; this is kept private.
- Root certificate: A public key certificate that identifies the root CA. Root certificates from common CAs are generally distributed with clients (e.g. web browsers).
- Certificate Signing Request (CSR): Contains the information required to generate a signed certificate.
- Common Name (CN): Contained in public key certificates and identifies the host the certificate belongs to. The CN of a certificate must match the FQDN the client is connecting to.
- Fully Qualified Domain Name (FQDN): A name that uniquely identifies a host on the internet.
- Key store: A file that contains the information necessary for an entity to authenticate itself to others. Contains the server’s private key, signed server certificate, and intermediate certificates if necessary.
- Trust store: A file that contains the information of trusted entities. Generally contains root certificates of CAs.