Setup SAP Assertion SSO principal propagation from HCP to HANA
A while ago we implemented some HTML5/UI5 applications on HCP. As backend services we used HANA XSOData and XSJS services running on a HANA system available in the same HCP account. The access was done via a destination configured in the HCP cockpit. During the first phases of development we used basic authentication, but this was already cumbersome during development and it is also no solution for operation in test and production. For an SSO connection we set up an SAP Assertion SSO destination from HCP to HANA. Because we had some issues and the online help (SAP Assertion SSO Authentication) is not detailed enough (from my point of view) at the time of writing this post, I want to share the setup steps. Thanks to the SAP support team for giving us some hints.
Setup of SAP Assertion SSO connection
There are some pre-conditions which have to be considered:
- On the HANA system a certificate store must be setup.
- The user IDs on HCP and the HANA system have to be the same. The assertion ticket carries the HCP user name, and HANA authenticates the database user with exactly that name; there is no mapping step in between.
- Current versions of OpenSSL and the Java JDK (which contains the Java keytool) have to be installed on the local machine to generate a DSA (Digital Signature Algorithm) key pair.
Generate keys and certificate
For the generation of the DSA key pair and its transformation into a certificate (.cer/.crt file) and a base64-encoded representation of the key pair (.pem file), OpenSSL and the Java keytool are necessary. Both can be found in the bin folder of the respective installation folders of OpenSSL and the JDK. For easier usage on the command line the paths to these folders can be added to the PATH environment variable; otherwise the full path to the tools has to be specified or the commands have to be run inside the tools folder. In the following steps I only use the tool names without path information. Note that the commands may have to be executed with admin rights.
Generate DSA key pair
The following command creates a keystore file scn_dsa.jks containing a DSA key pair with the distinguished name "CN=SCN". "SCN" is the common name, which is needed later as the Issuer SID of the HCP destination; it can be any identifier you want to choose, but it must be repeated exactly in the destination setup. The value given with -alias is only the label of the key entry inside the keystore and has to be used again in the following keytool commands. You will be prompted for a keystore password; when keytool then asks for a key password, press RETURN so that it is the same as the keystore password, because the later conversion to a PKCS12 file does not support different store and key passwords. Newer JDKs call this option -genkeypair; -genkey still works as an alias.
keytool -genkey -keyalg DSA -alias alias -keystore scn_dsa.jks -dname "CN=SCN"
Export public key as certificate
The public key is exported from the generated scn_dsa.jks keystore into the certificate file scn_cert.crt. The keystore password defined in the step before has to be entered.
keytool -exportcert -keystore scn_dsa.jks -alias alias -file scn_cert.crt
Transfer keystore to a PFX file (P12 format)
The keystore file is converted into a PKCS12 (P12) file containing the private key together with its certificate. Again the keystore password entered in the first step has to be used, both for the source and for the destination keystore.
keytool -importkeystore -srckeystore scn_dsa.jks -destkeystore scn_dsa.p12 -srcstoretype jks -deststoretype pkcs12
Transfer PFX file (P12 format) to PEM file
The base64-encoded representation of the certificate and the private key is created with the following command. As import password again the password from before has to be used. Note that -nodes writes the private key unencrypted into scn_dsa.pem: this file lets anyone who obtains it issue assertion tickets for any user, so keep it protected and delete it once the values have been entered in the HCP destination.
openssl pkcs12 -in scn_dsa.p12 -nodes -out scn_dsa.pem
HANA Configuration
On the HANA side some settings have to be done so that a user propagated from HCP can be authenticated.
Import certificate into the SAPLOGON trust store
The certificate created before (scn_cert.crt) has to be imported into the Trust Manager of the HANA system. To access the Trust Manager, open the XS Admin tool (URL path /sap/hana/xs/admin on your HANA system); the Trust Manager can be reached via the menu in the top left corner. To access and edit the settings, the user needs the role sap.hana.xs.admin.roles::TrustStoreAdministrator.
For the trust store SAPLOGON, on the tab Certificate List, the certificate needs to be imported. After a successful import the certificate is displayed in the certificate list. Only the certificate (public key) goes into the trust store, never the private key; HANA accepts assertion tickets signed by any certificate in this store, so import only the certificates of issuers you actually trust.
Enable User for usage of SAP Logon/Assertion Tickets
So that a user can be authenticated via SAP Logon/Assertion Tickets, the options SAP Logon Ticket and SAP Assertion Ticket have to be enabled for the user in the user administration. Without this, a valid ticket for that user is still rejected.
Enable SAP Logon/Assertion Ticket authentication for HANA XS app
The last thing to be done on the HANA side is to enable SAP Logon/Assertion Ticket authentication for the required HANA XS applications. This is done in the XS Artifact Administration of the XS Admin tool (the role sap.hana.xs.admin.roles::RuntimeConfAdministrator is necessary). A sample is shown below for the package public.sap. If an application is located for instance in the package mycompany.app1, the setting has to be done for that package.
HCP Destination Configuration
To be able to consume services from the HANA system in an HTML5 (or Java) application a SAPAssertionSSO destination has to be set up for the HANA system in the HCP Cockpit destination area.
The destination must have following settings:
- Name: any name for the destination can be chosen
- URL: the URL of the HANA system in HCP. It follows the scheme "https://<hana_system_id><hcp_account_id>.hana.ondemand.com". The HANA system ID can be found in the Database Systems area of the HCP Cockpit and the HCP account ID in the Account area.
- Authentication: SAPAssertionSSO
- Issuer SID: the Common Name (CN) entered when the keystore was created (SCN in the example above); it has to match exactly
- Issuer Client: 000
- Recipient SID: the HANA system ID (can be found in the Database Systems area of the HCP Cockpit)
- Certificate: the certificate from the .pem file created before (second marked area in the second screenshot below). The value has to be entered as one line, i.e. without the line breaks of the PEM file.
- Signing Key: the private key from the .pem file (first marked area in the second screenshot below). The value has to be entered as one line, without line breaks. This is the secret that signs every propagated identity, so treat the destination configuration itself as sensitive.
- Optional properties are the "Additional Properties" displayed for the destination configuration below. They are necessary if you want to use the destination in the SAP Web IDE.
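The following script is an added example and not part of the original post or of any SAP tooling. It produces the same artefacts as the keytool/OpenSSL steps above (the certificate for the SAPLOGON trust store and the one-line Certificate and Signing Key values for the destination) with OpenSSL alone, and adds the two checks worth doing before anything is pasted into the cockpit: that the certificate really belongs to the signing key, and that the key is DSA. Assumed here, not stated in the post: OpenSSL 1.1 or newer on PATH; a 2048-bit key (what keytool on JDK 8 generates by default); the file names; that "one line" means the base64 body of the PEM block without the BEGIN/END lines; and that the cockpit's Import Destination reads the Java properties layout written at the end (property names as in the fields listed above).

```shell
#!/bin/sh
# Added example (not from the original post): the keytool/openssl artefacts
# above, produced with openssl alone, plus checks before pasting into the cockpit.
# Assumptions: OpenSSL >= 1.1 on PATH, 2048-bit DSA key, file names chosen here.
set -eu

# 1. DSA key pair and self-signed certificate. CN is what the destination's
#    "Issuer SID" must repeat. genpkey writes an unencrypted PKCS#8 key, which
#    is the same thing 'openssl pkcs12 -nodes' extracts in the post.
gen_dsa_material() {
    dir=$1 cn=$2 bits=${3:-2048}
    openssl genpkey -genparam -algorithm DSA \
        -pkeyopt "dsa_paramgen_bits:$bits" -out "$dir/dsa_params.pem" 2>/dev/null
    openssl genpkey -paramfile "$dir/dsa_params.pem" -out "$dir/scn_dsa_key.pem" 2>/dev/null
    chmod 600 "$dir/scn_dsa_key.pem"   # whoever holds this key can mint tickets for any user
    openssl req -new -x509 -sha256 -days 3650 -subj "/CN=$cn" \
        -key "$dir/scn_dsa_key.pem" -out "$dir/scn_cert.crt"
}

# 2. The certificate imported into HANA's SAPLOGON store must carry the public
#    half of the key the destination signs with: compare the two public keys.
verify_pair() {
    k=$(openssl pkey -in "$1/scn_dsa_key.pem" -pubout)
    c=$(openssl x509 -in "$1/scn_cert.crt" -pubkey -noout)
    [ "$k" = "$c" ]
}

# SAP Assertion SSO needs a DSA key; catch an RSA certificate before import.
is_dsa() {
    openssl x509 -in "$1" -noout -text | grep -q dsaEncryption
}

# 3. "One line without new line characters": the DER object, base64 encoded
#    with no line breaks (openssl base64 -A), i.e. the PEM body without the
#    BEGIN/END lines (assumed interpretation of the cockpit fields).
one_line() {
    openssl "$1" -in "$2" -outform DER | openssl base64 -A
}

# 4. Destination as a Java properties file (assumed to be what the cockpit's
#    "Import Destination" reads; property names are the cockpit fields above).
#    The Web IDE "Additional Properties" are not included; add them in the cockpit.
write_destination() {
    dir=$1 name=$2 url=$3 issuer_sid=$4 recipient_sid=$5
    one_line pkey "$dir/scn_dsa_key.pem" > "$dir/SigningKey.txt"
    one_line x509 "$dir/scn_cert.crt"    > "$dir/Certificate.txt"
    cat > "$dir/$name.properties" <<EOF
Name=$name
Type=HTTP
URL=$url
ProxyType=Internet
Authentication=SAPAssertionSSO
IssuerSID=$issuer_sid
IssuerClient=000
RecipientSID=$recipient_sid
Certificate=$(cat "$dir/Certificate.txt")
SigningKey=$(cat "$dir/SigningKey.txt")
EOF
}

main() {
    out=$1
    mkdir -p "$out"
    gen_dsa_material "$out" SCN
    verify_pair "$out"
    is_dsa "$out/scn_cert.crt"
    write_destination "$out" hana_scn \
        "https://<hana_system_id><hcp_account_id>.hana.ondemand.com" SCN "<hana_system_id>"
    echo "trust store import: $out/scn_cert.crt"
    echo "destination:        $out/hana_scn.properties (contains the private key, keep it safe)"
}

# usage: sh scn_sso.sh ./scn_sso
if [ "${1:-}" ]; then main "$1"; fi
```

The properties file holds the unencrypted signing key, so it deserves the same handling as scn_dsa.pem: use it for the import and then remove it. If verify_pair fails, the .crt in the trust store does not match the Signing Key in the destination, which shows up later only as tickets being rejected by HANA.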
After all the settings are done and the HCP destination was successfully configured, the destination can be used for the required applications. SAP Assertion SSO will be used and you do not need to enter your credentials anymore. Here is a quick test example which shows the usage of an XSOData service by the project wizard of the SAP Web IDE.
It's a great post Florian, thanks for sharing.
Thanks for sharing!
Very good post related to this scenario is: Principal Propagation between HTML5- or Java-based applications and SAP HANA XS on SAP HANA Cloud Platform
Yep, it seems that the responsible SAP people are finally waking up. I would love to find such things in the official documentation.
Thanks for your post!
You are right that the official documentation is missing End-to-end scenarios 🙂
This is something which we are going to start improving now. (In fact we were just about to publish a blog with the same scope as yours, but then we saw that you've done it quite comprehensively as well.)
I would just like to note that those are two different scenarios, which make sense in different cases. Both cover Principal Propagation from HCP to Hana, but the approach described here covers PP using SAP Assertion Tickets. And the approach described by Martin Raepple (in the linked post) covers PP using HCP App2App SSO, which was enabled as such just last week.
Thanks. We know that these are two different scenarios. Good to have both described now 🙂.