Frank Schuler

Secure your HANA Cloud Connector with OpenSSL certificates – Part 2

In part 1 of this blog series, I showed how to secure your SCC with a trusted UI Certificate:

2 Green.png

In this blog, I will show how to further secure your SCC with a trusted System Certificate, put your CA certificate in the Trust Store, install an SCC CA Certificate and, with that, enable Principal Propagation.

Installing a SCC System Certificate is very similar to installing a UI Certificate. The steps are:

  1. Generate and export a Certificate Signing Request (CSR)
  2. Import and sign the CSR in your CA tool
  3. Export the resulting certificate and subsequently import it into the SCC

System Certificate.png

To import your CA certificate into your SCC, you have to export it in DER format:

DER.png

Then you can import it into your SCC Trust Store:

Trust Store.png

Generating the CSR for your SCC CA Certificate is similar to the SCC System Certificate, with one important difference: 2 additional X.509 Extensions, i.e. Certificate Sign and CRL Sign. These are generated automatically by the SCC, but make sure they are present prior to signing the request:

Extensions.png
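
The pre-signing check described above, as an added example that is not part of the original post: it reads the CSR with the OpenSSL command line and refuses to proceed unless both Certificate Sign and CRL Sign are requested. The file names, the subject name and the two sample CSRs are constructed for the demonstration; in practice the input is the CSR exported from the SCC.

```sh
#!/bin/sh
# Added example. File names, subject name and sample CSRs are constructed.

# Build a throwaway CSR with the given keyUsage value (sample input only;
# in practice the CSR is the one exported from the SCC).
make_csr() {  # $1 = CSR path, $2 = keyUsage value
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    'req_extensions = ext' '[dn]' 'CN = constructed-scc-ca' \
    '[ext]' "keyUsage = critical, $2" > "$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$1.cnf" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

# Exit status: 0 = both usages requested, 1 = one or both missing,
# 2 = file is not a readable CSR.
csr_has_ca_key_usage() {  # $1 = CSR path (PEM)
  local text usage
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
  # The values are printed on the line after the "X509v3 Key Usage" header.
  usage=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  case "$usage" in *"Certificate Sign"*) ;; *) return 1 ;; esac
  case "$usage" in *"CRL Sign"*) ;; *) return 1 ;; esac
  return 0
}

# Gate for the signing step: refuse a CSR that lacks the CA key usages.
check_before_signing() {  # $1 = CSR path
  if csr_has_ca_key_usage "$1"; then
    echo "OK to sign: $1 requests Certificate Sign and CRL Sign"
  else
    echo "Do not sign: $1 lacks Certificate Sign and/or CRL Sign" >&2
    return 1
  fi
}

demo_dir=$(mktemp -d)
make_csr "$demo_dir/scc_ca.csr" "keyCertSign, cRLSign"
make_csr "$demo_dir/scc_system.csr" "digitalSignature, keyEncipherment"
check_before_signing "$demo_dir/scc_ca.csr"
check_before_signing "$demo_dir/scc_system.csr" || true
rm -rf "$demo_dir"
```
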

Subsequently, your SCC CA Certificate can be imported:

CA Certificate.png

And with that, Principal Propagation can be activated:

Principal Propagation.png

As a result, we got 2 more green boxes in the SCC General Security Status:

4 Green.png

In my next and final blog of this series I will show how to Configure local LDAP authentication of your Cloud Connector administrators.


      3 Comments
      Naveen Kumar

      Frank, nice document. Thank you for that.

      I have one issue, maybe you can help. We are trying to update the UI certificate in the newer version of SCC 2.9, and we always get the error when we try to import.

      Below are the logs:
      #importing certificate chain failed
      java.security.cert.CertificateException: Error parsing certificates! iaik.asn1.DerInputException: Next ASN.1 object is no OBJECT IDENTIFIER!
      at iaik.x509.CertificateFactory.engineGenerateCertificates(Unknown Source)
      at com.sap.scc.servlets.ConfigurationServlet.readX509Certificate(ConfigurationServlet.java:900)
      at com.sap.scc.servlets.ConfigurationServlet.importCertificate(ConfigurationServlet.java:845)
      at com.sap.scc.servlets.ConfigurationServlet.importUiCsrReply(ConfigurationServlet.java:824)
      at com.sap.scc.servlets.ConfigurationServlet.uploadCertificate(ConfigurationServlet.java:993)
      at com.sap.scc.servlets.ConfigurationServlet.dispatch(ConfigurationServlet.java:120)
      at com.sap.scc.servlets.ServletUtilities.service(ServletUtilities.java:41)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      at com.sap.scc.ui.rt.UTF8Filter.doFilter(UTF8Filter.java:23)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      at java.lang.Thread.run(Thread.java:812)|

       

       

      Can you please suggest something on it?

      Frank Schuler
      Blog Post Author

      Hello Naveen,

      On what OS and with which JVM do you run your SCC?

      Best regards

      Frank

      Naveen Kumar

      Hello Frank,

      Linux X_86 and JVM version 8.