Skip to Content
Author's profile photo Frank Schuler
Frank Schuler
July 29, 2016 2 minute read

Secure your HANA Cloud Connector with OpenSSL certificates – Part 1

Out of the box, the HANA Cloud Connector (SCC) is not secure, as clearly documented by the General Security Status:

General Security Status.png

Therefore, in this blog series, I will show how to secure your SCC with OpenSSL certificates item by item, until the General Security Status is all green.

In my pervious blog series, I showed how to setup a Certification Authority with OpenSSL and with this to securely single-sign-on to your Fiori Launchpad. In this blog, I start with the SCC UI Certificate, leveraging the results from the above blogs.

As mentioned in the General Security Status, the out of the box SSL certificate does not use the host name as its common name (CN) and is therefore not trusted:

Connection is Not Secure.png

It is still possible to work with the SCC in this state via a browser security exception, but I will show how to properly secure the connection.

First I crate a Certificate Signing Request (CSR) with the correct hostname as CN:

Create CSR.png

And save it as a file:

/wp-content/uploads/2016/07/scc_ui_csr_1005589.png

I then import this file into TinyCA:

Import Request from File.png

And check that the details are correct:

Import Request scc_ui.png

Next, I sign the request:

Sign Request.png

And export the resulting certificate to file:

Export Certificate to File.png

After importing it into my SCC:

Certificate was imported.png

I restart my SCC and the connection becomes secure:

Secure Connection.png

Given that my CA certificate had already been imported into my browser:

Certificate Manager.png

And of course I also get my green light for the UI Certificate in the General Security Status:

Certificate configured.png

In my next blog of this series I will show how to install a SCC trusted System Certificate, put your CA certificate in the Trust Store, install a SCC CA Certificate and with that enable Principal Propagation.

Assigned Tags

      2 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Murali Shanmugham
      Murali Shanmugham

      Thanks for the post Frank. This has been an important question from lots of customers - How to setup SCC to be secure and you have well explained it in this blog series.

      Author's profile photo Joerg Aldinger
      Joerg Aldinger

      Hello Frank!

      I would like to import a wild-card certificate to SCC that I have already issued from a trusted CA. I currently have that certificate in PKCS12 format, but could convert it to PEM if required. However, I can't see how to "override" the CSR generated from within SCC, since the CSR and private key would not match.

      Is it possible at all to use an externally requested and issued certificate in SCC?

      I have tried to fiddle with the configuration in the default-server.xml file and managed to the get the UI certificate set up correctly, but then apparently something else breaks down the line since I start getting weird internal errors.

      Please let me know...

      Thanks!

      Joerg.

      PS: We are currently using this wildcard certificate (Let's Encrypt) for all SAP-related services (and a few others, too), so it would be nice to achieve this for SCC, too.