This document will outline the configuration steps to establish a successful (SAML) Certificate import without a HANA system restart.

The example below will follow a SAP BI 4.x SAML certificate imported into HANA.

1 Prerequisites

– HANA SP9+

– CommonCryptoLib

The following authorizations need to be added to the HANA user profile who will execute these steps.

  1. sap.hana.xs.admin.roles::SAMLAdministrator
  2. sap.hana.xs.admin.roles::TrustStoreAdministrator
  3. sap.hana.xs.wdisp.admin::WebDispatcherAdmin
  4. sap.hana.xs.admin.roles::RuntimeConfAdministrator

2 Accessing the SAP WebDispatcher on HANA

The connection URL towards the SAP WebDispatcher on HANA:

http(s)://<FQDN>:(80<SID>/43<SID>/sap/hana/xs/wdisp/admin/public/default.html

This will give you the following screen:

02 - WebDispatcher.png

3 PSE Management

From the left under “SSL and Trust Configuration” select “PSE Management”

03 - PSE Management.png

On the right part of the screen select the drop down behind “Manage PSE” and select sapsrv.pse

04 - sapsrv.pse.png

On the right side of the page select “Import Certificate”.

05 - Import Certificate.png

Copy past the BI 4.x certificate into the screen and press “Import”.

06 - SAML.png

4 Switch on Authentication Trace

In order to pick up the new certificate you can switch on the authentication trace.

ALTER SYSTEM ALTER CONFIGURATION (‘indexserver.ini’, ‘SYSTEM’) set (‘trace’, ‘authentication’) = ‘debug’ with reconfigure;

Alternatively you can do it via the Trace Configuration tab if you choose to do this manually.

Now you can test the connection to see if SSO is picking up. In case it won’t pick up there is an alternative.


5 Alternative push for SSO

In case the steps above were followed and SSO is not yet picking up for your application, the following can be done to ensure it will work. DISCLAIMER: If you proceed to do this on Production ensure you have requested an operating time! As this will only take a few second, it can disrupt your current traffic.

Go to “Core System” and select “Monitor”. Here you will see the current status of your Web Dispatcher. Click on the drop down from the “Status” line and select “Soft Shutdown SAP Web Dispatcher”.

07 - Alternative.png  

This will re-establish itself within a few seconds!

Now you should have SSO working and enabled.


6 Switch off Authentication Trace

Lastly don’t forget to switch of the authentication trace if you don’t need it anymore.

ALTER SYSTEM ALTER CONFIGURATION (‘indexserver.ini’, ‘SYSTEM’) set (‘trace’, ‘authentication’) = ‘default’ with reconfigure;

Alternatively you can do it via the Trace Configuration tab if you choose to do this manually.

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply