(Re-)Establish Trust with XSUAA and HANA DB
You installed XSA with MDC and you assigned your application in an organization / space to a logical database. This assignment is done in XSA Admin under Service Broker Config (#/serviceBrokerConfig).
Now the identity propagation fails.
The reason is that there is no automatic trust between UAA and HANA MDC. The trust creation will come with HANA 2 SP01 during MDC creation. The installation creates a trust to the system DB only.
You can create this trust with the attached bash script yourself. You need the following parameters to do this.
- system user (of logical database)
- system password (of logical database)
- xsa admin user (optional, but if you provide this name this user is enabled to log on with SAML / JWT)
- jdbcURL: this URL can be taken from uaa.log. In case you create the trust to a logical database you need the database name
Step 1
Download the files from https://github.com/strehle/xsuaa-scripts/tree/master/saml to your XSA machine.
Step 2
Prepare the execution. Configure the settings in xsuaa_settings.cfg. Example for HANA with SID XSA, instance 00, and logical database ABC:
HANA_SID=XSA
HANA_INSTANCE=00
HANA_SYSTEM_USER=system
XSA_USER=xsa_admin
XSA_UAA_ENDPOINT="https://`hostname -f`:30032/uaa-security"
# documentation about jdbc url, see http://help.sap.com/saphelp_hanaplatform/helpdata/en/ff/15928cf5594d78b841fbbe649f04b4/frameset.htm
# this is the jdbc url for a multiple instance database with connect to tenant DB ABC
JDBC_HANA_ENDPOINT="jdbc:sap://`hostname -f`:30013/?databaseName=ABC"
Save this to the file xsuaa_settings.cfg (use plain ASCII double quotes; curly quotes copied from a web page break the script).
Step 3
Execute the shell script xsuaa_hdbtrust.sh. It is best to execute it on the XSA instance under the <sid>adm user of your XSA installation, but you can also call it from another machine. For the xs login you need the xs command-line tool.
./xsuaa_hdbtrust.sh xsuaa_settings.cfg
The script creates the trust and executes the test. Typical successful output is:
Result:
{"SESSION_USER":"SYSTEM","CURRENT_USER":"SYSTEM","SESSION_CONTEXT('XS_APPLICATIONUSER')":"XSA_ADMIN"}
The last field is the check that matters: it shows the XSA user propagated into the HANA session. In case you see an error here, you can find the reason in uaa.log or in the HANA trace.
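The checks a practitioner would want around Step 3, as an added example that is not part of the xsuaa-scripts project: a pre-flight validation of xsuaa_settings.cfg (missing keys, curly quotes, the MDC port rule of system DB port 3<instance>13 plus ?databaseName=, as the post and the reply in the comments describe) and a check of the JSON line the script's connection test prints. The host name in the sample settings is a placeholder, the settings are parsed with sed rather than sourced because values may contain `hostname -f`, and the success line is a constructed copy of the one shown above.

```shell
#!/bin/sh
# Added example (not code from xsuaa-scripts): validate xsuaa_settings.cfg
# before xsuaa_hdbtrust.sh runs and verify the result line of its test.

# Constructed sample settings; the host name is a placeholder.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
HANA_SID=XSA
HANA_INSTANCE=00
HANA_SYSTEM_USER=system
XSA_USER=xsa_admin
XSA_UAA_ENDPOINT="https://xsahost.example.com:30032/uaa-security"
JDBC_HANA_ENDPOINT="jdbc:sap://xsahost.example.com:30013/?databaseName=ABC"
EOF
# Constructed broken variant: every quote replaced by a curly quote (UTF-8 E2 80 9D),
# which is what a copy-paste from a web page typically produces.
BAD_CFG="$(mktemp)"
CURLY="$(printf '\342\200\235')"
sed "s/\"/$CURLY/g" "$SAMPLE_CFG" > "$BAD_CFG"
trap 'rm -f "$SAMPLE_CFG" "$BAD_CFG"' EXIT
# Constructed copy of the success line the script prints.
SAMPLE_RESULT="{\"SESSION_USER\":\"SYSTEM\",\"CURRENT_USER\":\"SYSTEM\",\"SESSION_CONTEXT('XS_APPLICATIONUSER')\":\"XSA_ADMIN\"}"

cfg_value() {
    # cfg_value FILE KEY -> value of KEY=... with surrounding double quotes removed.
    # sed instead of sourcing: a value containing `hostname -f` must not be executed here.
    sed -n "s/^$2=//p" "$1" | sed 's/^"//; s/"$//'
}

jdbc_database_name() {
    # jdbc_database_name URL -> tenant from ?databaseName=..., empty if absent
    printf '%s\n' "$1" | sed -n 's/.*[?&]databaseName=\([^&]*\).*/\1/p'
}

jdbc_port() {
    # jdbc_port URL -> port after the host part, empty if the URL has none
    printf '%s\n' "$1" | sed -n 's|^jdbc:sap://[^:/]*:\([0-9][0-9]*\).*|\1|p'
}

check_settings() {
    # check_settings FILE -> status 0 when the file looks usable; problems go to stderr
    file="$1"; rc=0
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$file"; then
        echo "ERROR: non-ASCII characters (curly quotes?) in $file; use plain \" quotes" >&2
        rc=1
    fi
    for key in HANA_SID HANA_INSTANCE HANA_SYSTEM_USER XSA_UAA_ENDPOINT JDBC_HANA_ENDPOINT; do
        [ -n "$(cfg_value "$file" "$key")" ] || { echo "ERROR: $key not set in $file" >&2; rc=1; }
    done
    jdbc="$(cfg_value "$file" JDBC_HANA_ENDPOINT)"
    inst="$(cfg_value "$file" HANA_INSTANCE)"
    case "$jdbc" in
        jdbc:sap://*) ;;
        *) echo "ERROR: JDBC_HANA_ENDPOINT must start with jdbc:sap://" >&2; rc=1 ;;
    esac
    # MDC rule from the post: connect to the system DB SQL port 3<instance>13 and
    # select the tenant with ?databaseName=; the tenant's own port is not used.
    if [ -z "$(jdbc_database_name "$jdbc")" ]; then
        echo "WARN: no databaseName= in JDBC_HANA_ENDPOINT; trust goes to the system DB only" >&2
    elif [ "$(jdbc_port "$jdbc")" != "3${inst}13" ]; then
        echo "ERROR: MDC URL must use port 3${inst}13, found '$(jdbc_port "$jdbc")'" >&2
        rc=1
    fi
    return "$rc"
}

trust_result_user() {
    # trust_result_user JSON -> value of SESSION_CONTEXT('XS_APPLICATIONUSER'), empty if absent
    printf '%s\n' "$1" | sed -n "s/.*XS_APPLICATIONUSER')\":\"\([^\"]*\)\".*/\1/p"
}

check_trust_result() {
    # check_trust_result JSON XSA_USER -> 0 when the propagated user equals XSA_USER
    # (HANA reports it in upper case). A connection that works but lacks this
    # field means the trust exists without identity propagation.
    got="$(trust_result_user "$1")"
    want="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Stand-alone demonstration on the constructed inputs.
check_settings "$SAMPLE_CFG" && echo "sample settings: ok"
check_settings "$BAD_CFG" 2>/dev/null || echo "curly-quote settings: rejected"
if check_trust_result "$SAMPLE_RESULT" "$(cfg_value "$SAMPLE_CFG" XSA_USER)"; then
    echo "trust test: XS_APPLICATIONUSER is $(trust_result_user "$SAMPLE_RESULT")"
fi
```

Run it on your real file with `check_settings xsuaa_settings.cfg` before Step 3, and pipe the Result line of the script into `check_trust_result` with your XSA_USER afterwards; an empty XS_APPLICATIONUSER is the symptom of a trust that connects but does not propagate the user.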
Am I correct that I have to modify the SQL port according to the tenant's SQL port on which I am working? Thanks in advance
Hi Dominik,
If you are on MDC then you always use 30013 but set the DB tenant by query, e.g. ABC as tenant DB name:
"jdbc:sap://`hostname -f`:30013/?databaseName=ABC"
I've modified the .cfg file.
Create oauth token....
...retrieved token
===============================================================================
Create Trust via REST call https://mo-04xxxxxx.mo.sap.corp:30032/uaa-security/sap/rest/samltrust/add
Response failed with HTTP error: 000
uaa.log doesn't have errors
Any idea ?