Skip to Content
Author's profile photo Frank Schuler
Frank Schuler
May 25, 2017 2 minute read

Providing OpenSSL certificates for domains defined in HANA XSA

In my previous blog, Tips & tricks for an optimized HANA 2.0, express edition installation on an Intel 6th generation NUC, I mention SAP Note 2243019 – Providing SSL certificates for domains defined in SAP HANA extended application services, advanced model and show the provisioning command, but do not go into much detail.

In this blog, I would therefore like to share a bit more insight. There are of course many CA tools, but I am using EJBCA.

To start with, I create a server certificate for my HANA XSA system as usual:

This provides me with two crucial files:

  1. hxehost.dyndns.org.p12 (private key – Download to Firefox)
  2. hxehost.dyndns.org.pem (host certificate – Download PEM file)

Per SAP Note 2243019 – Providing SSL certificates for domains defined in SAP HANA extended application services, advanced model however, I need the complete chain of X.509 PEM-encoded certificates. Therefore, I download the CA certificate as PEM:

Unfortunately, these certificates are not in the format required yet. Therefore I am converting them per How to convert a certificate into the appropriate format.

Convert the key file into an unencrypted RSA private key in PKCS8 format encoded as PEM:

C:\openssl-1.0.2k-x64_86-win64>openssl pkcs12 -in hxehost.dyndns.org.p12 -nocerts -nodes -out hxehost.dyndns.org-key.pem
Enter Import Password:
MAC verified OK

C:\openssl-1.0.2k-x64_86-win64>openSSL pkcs8 -in hxehost.dyndns.org-key.pem -topk8 -nocrypt -out hxehost.dyndns.org-key.pk8

Combine the host certificate and CA certificate so that the certificate-chain file includes the complete chain of X.509 PEM-encoded certificates, and the order of the certificates must ensure that a signed certificate is always followed by the signing certificate. In other words, put the root certificate last:

C:\openssl-1.0.2k-x64_86-win64>copy hxehost.dyndns.org.pem + compriseitcom.pem hxehost.dyndns.org-cert.pem
hxehost.dyndns.org.pem
compriseitcom.pem
        1 file(s) copied.

Finally, I use the SAP HANA XS advanced command-line client to upload my custom certificates for my domain:

C:\XS_CLIENT00P_46-70001792\bin>xs set-certificate hxehost.dyndns.org -k \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-key.pk8 -c
\openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-cert.pem

Setting SSL certificate for domain hxehost.dyndns.org as xsa_admin...
OK
TIP: Restart the SAP XS Controller to ensure your changes take effect for all applications.
Alternatively use 'xs restage' and 'xs restart' for all applications.

After a restart, I got a Secure Connection to all my HANA XSA services for this domain:

This might have looked a bit tedious to start with, but now you got it. Well done.

Assigned Tags

      7 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Hi Frank -

      Nice document, can you please explain how to create the below certs.

      1. hxehost.dyndns.org.p12 (private key – Download to Firefox)
      2. hxehost.dyndns.org.pem (host certificate – Download PEM file)

      Gokul

       

      Author's profile photo Former Member
      Former Member

      Hi Gokul,

      did you find an answer to your question?

      Regards,
      vahid

      Author's profile photo Frank Schuler
      Frank Schuler
      Blog Post Author

      Hello Gokul,

      As mentioned in my blog, there are of course many CA tools, but I am using EJBCA:

      Best regards

      Frank

      Author's profile photo Jonathan Ma
      Jonathan Ma

      Hi, Frank

      I am trying to fix the SSL not trusted error on the Hana cockpit 2.0. Hana cockpit is xsa apps, I believe. How do you download the PEM and private key from the XSA server? I suppose you need to create a cert request and sign it with a CA authority just like the usual process?

      Thanks, Jonathan.

      Author's profile photo Michael Howles
      Michael Howles

      So after hitting my head against a wall all day, it looks like there’s a bug if your certificate chain is longer than 3.  Leaving this hear so maybe others don’t waste too much time.  PS I’m on HANA Express 2.0 SP03 Rev 31.

      https://launchpad.support.sap.com/#/notes/2666262

       

      Author's profile photo Michael Howles
      Michael Howles

      Got it working.  Key phrase in note https://launchpad.support.sap.com/#/notes/2666262

      There is also a workaround for this issue, if the chain is in the reversed order the automatic ordering works successfully and sorts the chain correctly.
      Author's profile photo rama anne
      rama anne

      Hi Frank

       

      In the First set of openssl transformations where you converted p12 file to pkcs12 with extension .pem why is it needed ?

      then .pem to pkcs8 format actually after i did the above then imported the *.pk8 file intoi browsers like Firefox or Chrome gave me errors

      I could import the p12 file as it is into browsers Firefox plus Chrome ?

       

      Iam using ejbca with jboss on Ubuntu linux (as a windows sub system in windows 10 prof) so may be that is why while your commands are using windows open ssl version may be that is why so that means ejbca + jboss is on windows os for you correct

      thanks

      rama anne