Providing OpenSSL certificates for domains defined in HANA XSA
In my previous blog, Tips & tricks for an optimized HANA 2.0, express edition installation on an Intel 6th generation NUC, I mention SAP Note 2243019 – Providing SSL certificates for domains defined in SAP HANA extended application services, advanced model and show the provisioning command, but do not go into much detail.
In this blog, I would therefore like to share a bit more insight. There are of course many CA tools, but I am using EJBCA.
To start with, I create a server certificate for my HANA XSA system as usual:
This provides me with two crucial files:
- hxehost.dyndns.org.p12 (private key – Download to Firefox)
- hxehost.dyndns.org.pem (host certificate – Download PEM file)
Per SAP Note 2243019 – Providing SSL certificates for domains defined in SAP HANA extended application services, advanced model however, I need the complete chain of X.509 PEM-encoded certificates. Therefore, I download the CA certificate as PEM:
Unfortunately, these certificates are not in the format required yet. Therefore I am converting them per How to convert a certificate into the appropriate format.
Convert the key file into an unencrypted RSA private key in PKCS8 format encoded as PEM:
C:\openssl-1.0.2k-x64_86-win64>openssl pkcs12 -in hxehost.dyndns.org.p12 -nocerts -nodes -out hxehost.dyndns.org-key.pem Enter Import Password: MAC verified OK C:\openssl-1.0.2k-x64_86-win64>openSSL pkcs8 -in hxehost.dyndns.org-key.pem -topk8 -nocrypt -out hxehost.dyndns.org-key.pk8
Combine the host certificate and CA certificate so that the certificate-chain file includes the complete chain of X.509 PEM-encoded certificates, and the order of the certificates must ensure that a signed certificate is always followed by the signing certificate. In other words, put the root certificate last:
C:\openssl-1.0.2k-x64_86-win64>copy hxehost.dyndns.org.pem + compriseitcom.pem hxehost.dyndns.org-cert.pem hxehost.dyndns.org.pem compriseitcom.pem 1 file(s) copied.
Finally, I use the SAP HANA XS advanced command-line client to upload my custom certificates for my domain:
C:\XS_CLIENT00P_46-70001792\bin>xs set-certificate hxehost.dyndns.org -k \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-key.pk8 -c \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-cert.pem Setting SSL certificate for domain hxehost.dyndns.org as xsa_admin... OK TIP: Restart the SAP XS Controller to ensure your changes take effect for all applications. Alternatively use 'xs restage' and 'xs restart' for all applications.
After a restart, I got a Secure Connection to all my HANA XSA services for this domain:
This might have looked a bit tedious to start with, but now you got it. Well done.