
In part 1 of this blog series, I showed how to secure your SCC with a trusted UI Certificate:

2 Green.png

In this blog, I will show how to further secure your SCC with a trusted System Certificate, put your CA certificate in the Trust Store, install an SCC CA Certificate and, with that, enable Principal Propagation.

Installing an SCC System Certificate is very similar to installing a UI Certificate. The steps are:

  1. Generate and export a Certificate Signing request (CSR)
  2. Import and sign the CSR in your CA tool
  3. Export the resulting certificate and subsequently import it into the SCC

System Certificate.png

To import your CA certificate into your SCC, you have to export it in DER format:

DER.png

Then you can import it into your SCC Trust Store:

Trust Store.png

Generating the CSR for your SCC CA Certificate is similar to the SCC System Certificate, with one important difference: 2 additional X.509 Extensions, i.e. Certificate Sign and CRL Sign. These are generated automatically by the SCC, but make sure they are present prior to signing the request:

Extensions.png
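The same check can be made on the exported request file before it is handed to the CA. The Python code below is an added example, not part of the original post or of SAP's tooling: it walks a DER-encoded PKCS#10 request with a small standard-library parser and reports whether the Key Usage extension requests keyCertSign and cRLSign (the RFC 5280 names for Certificate Sign and CRL Sign). All function names are hypothetical, and `SAMPLE_CSR` is a constructed request with dummy key and signature bytes.

```python
KEY_USAGE_OID = bytes.fromhex("551d0f")   # content bytes of OID 2.5.29.15 (keyUsage)
NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
         "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def read_tlv(buf, pos):
    """Return (tag, start, end) of the DER element at pos; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def primitives(buf, pos, end):
    """Yield (tag, content) for each primitive element between pos and end, in order."""
    while pos < end:
        tag, start, stop = read_tlv(buf, pos)
        if tag & 0x20:                    # constructed (SEQUENCE, SET, [0]): descend
            yield from primitives(buf, start, stop)
        else:
            yield tag, buf[start:stop]
        pos = stop

def key_usages(csr_der):
    """Return the key usage names requested in a DER-encoded CSR (empty set if none)."""
    items = list(primitives(csr_der, 0, len(csr_der)))
    for i, (tag, content) in enumerate(items):
        if tag == 0x06 and content == KEY_USAGE_OID:
            # extnValue: first OCTET STRING after the OID (a 'critical' BOOLEAN may precede)
            octets = next(c for t, c in items[i + 1:i + 3] if t == 0x04)
            _, start, stop = read_tlv(octets, 0)   # BIT STRING wrapped in the OCTET STRING
            bits = octets[start + 1:stop]          # first content byte = unused-bit count
            return {NAMES[8 * n + b] for n, byte in enumerate(bits)
                    for b in range(8) if byte & (0x80 >> b) and 8 * n + b < len(NAMES)}
    return set()

def ok_to_sign_as_scc_ca(csr_der):
    """True only if the request asks for both keyCertSign and cRLSign."""
    return {"keyCertSign", "cRLSign"} <= key_usages(csr_der)

# Constructed sample: PKCS#10 skeleton for CN=scc-ca with dummy key and signature bytes.
SAMPLE_CSR = bytes.fromhex(
    "3063304e020100" "3011310f300d06035504030c067363632d6361"   # version, subject
    "3013300d06092a864886f70d010101050003020000"                 # dummy public key
    "a021301f06092a864886f70d01090e31123010300e"                 # extensionRequest attribute
    "0603551d0f0101ff040403020106"                               # keyUsage, critical, bits 5+6
    "300d06092a864886f70d01010b050003020000")                    # dummy signature
```

The functions expect DER bytes, so a PEM-encoded request has to be base64-decoded first.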

Subsequently, your SCC CA Certificate can be imported:

CA Certificate.png

And with that, Principal Propagation can be activated:

Principal Propagation.png

As a result, we got 2 more green boxes in the SCC General Security Status:

4 Green.png

In my next and final blog of this series, I will show how to configure local LDAP authentication of your Cloud Connector administrators.


3 Comments


  1. Naveen Kumar

    Frank, nice document, thank you for that.

    I have one issue, maybe you can help: we are trying to update the UI certificate in a newer version of SCC 2.9, and we always get the error when we try to import.

    Below are the logs:
    #importing certificate chain failed
    java.security.cert.CertificateException: Error parsing certificates! iaik.asn1.DerInputException: Next ASN.1 object is no OBJECT IDENTIFIER!
    at iaik.x509.CertificateFactory.engineGenerateCertificates(Unknown Source)
    at com.sap.scc.servlets.ConfigurationServlet.readX509Certificate(ConfigurationServlet.java:900)
    at com.sap.scc.servlets.ConfigurationServlet.importCertificate(ConfigurationServlet.java:845)
    at com.sap.scc.servlets.ConfigurationServlet.importUiCsrReply(ConfigurationServlet.java:824)
    at com.sap.scc.servlets.ConfigurationServlet.uploadCertificate(ConfigurationServlet.java:993)
    at com.sap.scc.servlets.ConfigurationServlet.dispatch(ConfigurationServlet.java:120)
    at com.sap.scc.servlets.ServletUtilities.service(ServletUtilities.java:41)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.sap.scc.ui.rt.UTF8Filter.doFilter(UTF8Filter.java:23)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:812)|


    Can you please suggest something on it?
