Hello All,

I recently had to configure my server to use HTTPS with a CA-signed certificate (signed by a certificate authority, not only self-signed). It took me quite a while because none of the tutorials and manuals I found worked for me on SP9. After lots of research I finally made it work. I would like to share my findings with you so that you can save days of research. Please note that I'm working on the SAP internal cloud platform, so the steps below might need adjusting depending on your server location and configuration.

I found this post very helpful and it explains many things in details, it is good place to start:

http://scn.sap.com/community/developer-center/hana/blog/2013/11/02/outbound-https-with-hana-xs-part-1–set-up-your-hana-box-to-use-ssltls

The difference in SP9 is that it is configured by default to use HTTPS with a self-signed certificate, so you and other users get a red browser warning everywhere saying that the connection is not trusted. In SP9 you do not need to import sapgenpse or libsapcrypto.so because they are already there, and you do not need to configure the web dispatcher to use SSL with those libraries because that is already done.

My system is an internal SAP server hosted on the SAP cloud platform. If you are using a different platform/server the certificate request might be different for you.

In the commands below I use placeholders. Replace them with the data of your server:

[host_name] – in my case: mo123456

[host_url] – in my case: mo123456.mo.sap.corp

[instance_number] – in my case 00

[instance] – in my case MV1 (the HANA system ID, SID)

First upload SAPNetCA_G2.cer (the certificate of the signing CA) to /usr/sap/[instance]/HDB[instance_number]/[host_name]/sec

I use the WinSCP tool for this.

If you are working on an SAP internal system you can find the certificates here:

https://security.wdf.sap.corp/SAPNetCA_G2/

If you use this link to sign certificates, make sure that you set the response encoding to PKCS#7, because X.509 did not work for me.

Log on to your system via PuTTY as the instance administrator, [instance]adm, for example mv1adm.

Define two variables to shorten the commands later:

export SECUDIR=/usr/sap/[instance]/HDB[instance_number]/[host_name]/sec

This is the folder that holds the PSE files and certificates and where the request files will be written.

export TEMPEXELIB=/usr/sap/[instance]/exe/linuxx86_64/HDB_1.00.090.00.1416514886_1804508

This is the location of sapgenpse. As of SP9 you don't need to copy these files manually as in the previous tutorial; you can run the program directly from this directory. Note that the path may differ slightly in your case depending on the HANA version: list the subfolders of /usr/sap/[instance]/exe/linuxx86_64/ and pick the one for your version. In my case it is HDB_1.00.090.00.1416514886_1804508. Check that sapgenpse is actually in that folder.

SP9 comes with self-signed certificates (at least mine did), so you need to delete those before you create the new PSEs with certificates signed by the certificate authority (keep a backup copy if you want to be able to roll back). Delete the following files from the security folder /usr/sap/[instance]/HDB[instance_number]/[host_name]/sec: SAPSSLS.pse, sapsrv.pse, sapcli.pse

Run sapgenpse to create the PSE and the certificate request (the -x "" sets an empty PIN; the CN must be the host name users will type in the URL):

$TEMPEXELIB/sapgenpse get_pse -p $SECUDIR/SAPSSLS.pse -x "" -r $SECUDIR/SAPSSLS.req "CN=[host_url], OU=00, O=SAP, C=DE"

It's important that the request and PSE file are named SAPSSLS. In other tutorials I found different names, and those did not work for me. The web dispatcher is already configured to look for a certificate with the SAPSSLS name, so it's easier just to replace it.

View the request:

cat $SECUDIR/SAPSSLS.req

Copy the request text, have it signed by your certificate authority, and copy the response text.

Create new file for the response:

vi $SECUDIR/SAPSSLS.cert

Press "i" to start editing.

Paste the response into the terminal (in PuTTY a right-click pastes the clipboard).

Press escape key and type:

:wq

Press enter/return key.

Alternatively you can copy the response text into a text file on your local PC and upload it to the server as $SECUDIR/SAPSSLS.cert. However, I read in a couple of other posts that Windows editors write CRLF line endings, which can break the import, so it's recommended to create the file under Linux (or strip the carriage returns before importing).

Import the certificate:

$TEMPEXELIB/sapgenpse import_own_cert -c $SECUDIR/SAPSSLS.cert -p $SECUDIR/SAPSSLS.pse -x "" -r $SECUDIR/SAPNetCA_G2.cer

Check the output to confirm that the import was successful.

Create the credentials file so that the web dispatcher, running as the admin user, can open the PSE without a PIN prompt:

$TEMPEXELIB/sapgenpse seclogin -p $SECUDIR/SAPSSLS.pse -x "" -O [instance]adm

Make sure that only the admin user can read this file, because it grants PIN-less access to the PSE:

chmod 600 $SECUDIR/cred_v2

Follow the same steps for sapsrv:

$TEMPEXELIB/sapgenpse get_pse -p $SECUDIR/sapsrv.pse -x "" -r $SECUDIR/sapsrv.req "CN=[host_url], OU=00, O=SAP, C=DE"

cat $SECUDIR/sapsrv.req

Copy the request text, have it signed by your certificate authority, and copy the response text.

vi $SECUDIR/sapsrv.cert

Press "i".

Paste the response text.

Press Esc, type :wq and press Enter.

$TEMPEXELIB/sapgenpse import_own_cert -c $SECUDIR/sapsrv.cert -p $SECUDIR/sapsrv.pse -x "" -r $SECUDIR/SAPNetCA_G2.cer

$TEMPEXELIB/sapgenpse seclogin -p $SECUDIR/sapsrv.pse -x "" -O [instance]adm

Create the PSE for sapcli (gen_pse creates a PSE with a self-signed certificate and no request):

$TEMPEXELIB/sapgenpse gen_pse -p $SECUDIR/sapcli.pse -x "" "CN=[host_url], OU=00, O=SAP, C=DE"

In the previous post I did not see that this request was signed, therefore I just left it like this.

There is no need for additional web dispatcher configuration.

Afterwards it's important to restart the web dispatcher so that it picks up the new PSE; I personally prefer to restart the whole server.

You can check the link https://[host_url]:43[instance_number]/sap/hana/xs/admin/

If the certificate was imported successfully you should not see any red warning messages, and the certificate shown by the browser should be issued by your CA for [host_url].
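The whole procedure above, wrapped in a script as an added example (this is not the author's script; it only reuses the post's sapgenpse commands). It locates sapgenpse in the version-specific subfolder instead of hard-coding it, strips CRLF from a response pasted from Windows before importing, checks the permissions of cred_v2, and, after the restart, shows what the XS port actually serves. The placeholder values, the EXE_BASE path and the presence of openssl on the client are assumptions; override them via the environment.

```bash
#!/bin/bash
# Added example: wraps the sapgenpse steps from this post for one PSE name
# (SAPSSLS or sapsrv). All values below are the post's placeholders and are
# assumptions; override them via the environment.
set -eu

SID="${SID:-MV1}"                                # [instance]
NR="${NR:-00}"                                   # [instance_number]
HOST_NAME="${HOST_NAME:-mo123456}"               # [host_name]
HOST_URL="${HOST_URL:-mo123456.mo.sap.corp}"     # [host_url]: must match what users type
SECUDIR="${SECUDIR:-/usr/sap/$SID/HDB$NR/$HOST_NAME/sec}"
CA_CERT="${CA_CERT:-$SECUDIR/SAPNetCA_G2.cer}"   # CA certificate uploaded beforehand
EXE_BASE="${EXE_BASE:-/usr/sap/$SID/exe/linuxx86_64}"   # assumed layout, see the post
export SECUDIR

# Locate sapgenpse in the version-specific HDB_* subfolder instead of hard-coding it.
find_sapgenpse() {
  local base="$1" cand
  for cand in "$base"/HDB_*/sapgenpse; do
    if [ -x "$cand" ]; then printf '%s\n' "$cand"; return 0; fi
  done
  return 1
}

# Strip CRLF from a CA response pasted from Windows, then require PEM-style
# BEGIN/END markers so an HTML error page or an empty file is rejected early.
normalize_response() {
  local file="$1"
  tr -d '\r' < "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  grep -q -- '-----BEGIN' "$file" && grep -q -- '-----END' "$file"
}

# cred_v2 grants PIN-less access to the PSE: only <sid>adm may read it.
cred_mode_ok() {
  [ "$(stat -c '%a' "$1")" = "600" ]
}

# Step 1: create the PSE and the certificate request (empty PIN, as in the post).
make_request() {                                 # make_request SAPSSLS
  local name="$1" sapgenpse
  sapgenpse="${SAPGENPSE:-$(find_sapgenpse "$EXE_BASE")}"
  "$sapgenpse" get_pse -p "$SECUDIR/$name.pse" -x "" -r "$SECUDIR/$name.req" \
      "CN=$HOST_URL, OU=00, O=SAP, C=DE"
  cat "$SECUDIR/$name.req"   # paste this at the CA; save the PKCS#7 reply as $name.cert
}

# Step 2: import the CA reply, create the credential, lock the credential file.
import_response() {                              # import_response SAPSSLS
  local name="$1" sapgenpse adm
  sapgenpse="${SAPGENPSE:-$(find_sapgenpse "$EXE_BASE")}"
  adm="$(printf '%s' "$SID" | tr 'A-Z' 'a-z')adm"
  normalize_response "$SECUDIR/$name.cert" \
    || { echo "$name.cert is not a PEM/PKCS#7 response" >&2; return 1; }
  "$sapgenpse" import_own_cert -c "$SECUDIR/$name.cert" -p "$SECUDIR/$name.pse" -x "" -r "$CA_CERT"
  "$sapgenpse" seclogin -p "$SECUDIR/$name.pse" -x "" -O "$adm"
  chmod 600 "$SECUDIR/cred_v2"
  cred_mode_ok "$SECUDIR/cred_v2"
  "$sapgenpse" get_my_name -v -p "$SECUDIR/$name.pse" -x ""   # show the cert now in the PSE
}

# Step 3 (after the web dispatcher restart): check what the XS port really serves.
# Assumes openssl on the client and a PEM CA file; convert a DER .cer first with
# "openssl x509 -inform der -in SAPNetCA_G2.cer -out SAPNetCA_G2.pem".
verify_served() {
  openssl s_client -connect "$HOST_URL:43$NR" -servername "$HOST_URL" \
      -CAfile "$CA_CERT" </dev/null 2>/dev/null \
    | grep -E '^ *(subject|issuer)=|Verify return code'
}

case "${1:-}" in
  request) make_request "$2" ;;
  import)  import_response "$2" ;;
  verify)  verify_served ;;
esac
```

Run it as [instance]adm: `./hana_pse.sh request SAPSSLS`, sign the printed request, save the PKCS#7 reply as $SECUDIR/SAPSSLS.cert, then `./hana_pse.sh import SAPSSLS`; repeat both steps with sapsrv, restart the web dispatcher, and run `./hana_pse.sh verify` from a client. The subject line should carry CN = [host_url], the issuer should be your CA, and the last line should read "Verify return code: 0 (ok)"; anything else means the dispatcher is still serving the old self-signed PSE or the chain is incomplete.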

Best regards and good luck,

Marcin

1 Comment

  1. Gregory Misiorek

    Hi Marcin,

    looks like I will have to try it again,

    thx for the motivation,

    greg

    PS started reading your blog in detail and I'm trying to get past this step:

    If you are working on SAP internal system you can find certificates here:

    so, if I'm NOT working on an SAP internal system, where can I get the SAPNetCA_G2.cer file?

    Google finds crl, crt, and der files but no cer.
