
Providing OpenSSL certificates for domains defined in HANA XSA

In my previous blog, Tips & tricks for an optimized HANA 2.0, express edition installation on an Intel 6th generation NUC, I mention SAP Note 2243019 – Providing SSL certificates for domains defined in SAP HANA extended application services, advanced model and show the provisioning command, but do not go into much detail.

In this blog, I would therefore like to share a bit more insight. There are of course many CA tools, but I am using EJBCA.

To start with, I create a server certificate for my HANA XSA system as usual:

This provides me with two crucial files:

  1. hxehost.dyndns.org.p12 (private key – Download to Firefox)
  2. hxehost.dyndns.org.pem (host certificate – Download PEM file)

Per SAP Note 2243019 – Providing SSL certificates for domains defined in SAP HANA extended application services, advanced model however, I need the complete chain of X.509 PEM-encoded certificates. Therefore, I download the CA certificate as PEM:

Unfortunately, these certificates are not yet in the required format. Therefore, I convert them as described in How to convert a certificate into the appropriate format.

Convert the key file into an unencrypted RSA private key in PKCS8 format encoded as PEM:

C:\openssl-1.0.2k-x64_86-win64>openssl pkcs12 -in hxehost.dyndns.org.p12 -nocerts -nodes -out hxehost.dyndns.org-key.pem
Enter Import Password:
MAC verified OK

C:\openssl-1.0.2k-x64_86-win64>openssl pkcs8 -in hxehost.dyndns.org-key.pem -topk8 -nocrypt -out hxehost.dyndns.org-key.pk8

Combine the host certificate and the CA certificate so that the certificate-chain file contains the complete chain of X.509 PEM-encoded certificates. The order matters: each signed certificate must be followed by the certificate that signed it, so the root certificate comes last:

C:\openssl-1.0.2k-x64_86-win64>copy hxehost.dyndns.org.pem + compriseitcom.pem hxehost.dyndns.org-cert.pem
hxehost.dyndns.org.pem
compriseitcom.pem
        1 file(s) copied.

Finally, I use the SAP HANA XS advanced command-line client to upload my custom certificates for my domain:

C:\XS_CLIENT00P_46-70001792\bin>xs set-certificate hxehost.dyndns.org -k \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-key.pk8 -c \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-cert.pem

Setting SSL certificate for domain hxehost.dyndns.org as xsa_admin...
OK
TIP: Restart the SAP XS Controller to ensure your changes take effect for all applications.
Alternatively use 'xs restage' and 'xs restart' for all applications.
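The same three preparation steps, plus the two checks I would run before uploading anything, as an added example for a POSIX shell (this is not code from the blog or from SAP): it confirms that every certificate in the chain file is followed by its signer and that the PKCS#8 key really belongs to the host certificate. It assumes the openssl CLI is installed, that the file names are passed as arguments, and that the PKCS#12 password is exported in a P12_PASS environment variable (a name chosen here) so it never appears in the process list.

```shell
#!/bin/sh
# Added example, not from the blog or from SAP: the three preparation steps on a
# POSIX shell plus two checks worth running before `xs set-certificate`.
# Assumes the openssl CLI; the PKCS#12 password is read from the P12_PASS
# environment variable so it does not show up in the process list.

# Steps 1 and 2: PKCS#12 -> unencrypted PKCS#8 PEM key (the two openssl calls above)
pkcs12_to_pkcs8() {  # $1 = .p12 in, $2 = .pk8 out; P12_PASS must be exported
  openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null |
    openssl pkcs8 -topk8 -nocrypt -out "$2"
}

# Step 3: host certificate first, then each signing CA, root last (the `copy a + b` step)
build_chain() {  # $1 = output file; remaining args = certificates in signing order
  out=$1; shift
  cat "$@" > "$out"
}

# Each certificate's issuer must be the subject of the certificate that follows it.
check_chain_order() {  # $1 = chain file; returns 0 when correctly ordered
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/cert." n)}' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1"); i=1; ok=0
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/cert.$((i+1))" -noout -subject)
    # drop the "issuer="/"subject=" labels; the DN text is formatted identically
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || ok=1
    i=$((i+1))
  done
  rm -rf "$tmp"
  return $ok
}

# The uploaded key must belong to the first (host) certificate in the chain file.
check_key_matches_leaf() {  # $1 = PKCS#8 key, $2 = chain file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)  # x509 reads only the first cert
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Whole procedure; the chain must pass both checks before it is worth uploading.
prepare_xsa_certs() {  # $1 = .p12, $2 = key out, $3 = chain out, $4.. = certs in order
  p12=$1; key=$2; chain=$3; shift 3
  pkcs12_to_pkcs8 "$p12" "$key" && build_chain "$chain" "$@" &&
    check_chain_order "$chain" && check_key_matches_leaf "$key" "$chain"
}
# Stand-alone: sh prepare_xsa_certs.sh host.p12 host.pk8 host-cert.pem host.pem ca.pem
if [ "$#" -ge 5 ]; then prepare_xsa_certs "$@"; fi
```

A chain file that fails check_chain_order is the reversed-order case discussed in the comments below; fix the file order rather than relying on the server to sort it.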

After a restart, I got a Secure Connection to all my HANA XSA services for this domain:

This might have looked a bit tedious to start with, but now you got it. Well done.

7 Comments
  • Hi Frank –

    Nice document, can you please explain how to create the below certs.

    1. hxehost.dyndns.org.p12 (private key – Download to Firefox)
    2. hxehost.dyndns.org.pem (host certificate – Download PEM file)

    Gokul


  • Hi, Frank

    I am trying to fix the SSL not trusted error on the Hana cockpit 2.0. Hana cockpit is xsa apps, I believe. How do you download the PEM and private key from the XSA server? I suppose you need to create a cert request and sign it with a CA authority just like the usual process?

    Thanks, Jonathan.

    • Got it working.  Key phrase in note https://launchpad.support.sap.com/#/notes/2666262

      There is also a workaround for this issue, if the chain is in the reversed order the automatic ordering works successfully and sorts the chain correctly.
  • Hi Frank


    In the first set of openssl transformations, where you converted the p12 file to pkcs12 with extension .pem, why is it needed?

    Then .pem to pkcs8 format; actually, after I did the above and then imported the *.pk8 file into browsers like Firefox or Chrome, it gave me errors.

    I could import the p12 file as it is into browsers, Firefox plus Chrome?

    I am using EJBCA with JBoss on Ubuntu Linux (as a Windows Subsystem in Windows 10 Prof), so maybe that is why, while your commands are using the Windows OpenSSL version; so that means EJBCA + JBoss is on Windows OS for you, correct?

    thanks

    rama anne