
Server-side SSL configuration on HANA for inter-node communication and System Replication using openSSL

Hi Everyone,

I am Ganesh Munusamy from HANA Product Support, based out of Vancouver, Canada. I have been part of the support team for more than 3 years.

I have been seeing a growing number of security-related questions from customers. This blog covers the step-by-step configuration of SSL for internal communication and system replication. I hope it helps you out.

Security is one of the most significant features any product should possess. In SAP HANA, both internal and external communication can be configured precisely.

Here we will see how to configure server-side SSL manually, for the case where you do not want to use the default system PKI (public key infrastructure). Remember, though, that SystemPKI is SAP's recommendation for securing SSL communication. Follow the steps below only if you want to use your own server certificate for inter-node communication and for System Replication.

Things to know…

  • In a multi-host system, every host requires a public/private key pair and a public-key server certificate.
  • Use CommonCryptoLib (libsapcrypto.so) as the cryptographic library; it is installed as part of the SAP HANA server installation.
  • For HANA 1.00, in-database configuration is not supported for internal communication between servers or for system replication communication.
  • OpenSSL can be used to create the server certificate. With CommonCryptoLib, you can also use the SAP Web Dispatcher administration tool or the SAPGENPSE tool.
  • Do not password-protect the keystore file that contains the server's private key.

High Level Overview:

  1. Create server certificate
  2. Self-sign the certificate
  3. Import keystore and public certificate into each host

 

Please note:

SAP's recommendation is to use a private CA for each host, but here I will only show how to create the certificate and sign it on one host. In a multi-host environment you just need to repeat the same steps on the other hosts.

Create root certificate:

I am using a 3-node system here, MN1, with hosts vandevvmlnx011/012/013.

  1. Go to the /sec directory on the host machine, starting here with node vandevvmlnx011. Path: /usr/sap/<SID>/HDB<INSTANCE_NUMBER>/<HOST_NAME>/sec

  2. Use the OpenSSL tool to request a root certificate, using the command:

/usr/sap/MN1/HDB60/vandevvmlnx011/sec> openssl req -new -x509 -newkey rsa:2048 -days 7300 -sha256 -keyout CA_Key.pem -out CA_Cert.pem -extensions v3_ca

This will ask you to enter a PEM pass phrase; I used my SYSTEM user password for the test, you may use whatever is convenient for you. You also have to enter other details such as country, state, locality, etc.

  3. This should have created two new files, CA_Key.pem and CA_Cert.pem.

Creating server certificate:

  1. Here I use sapgenpse, which is installed with HANA, to create the server certificate request. sapsrv.pse is the name of the PSE (keystore) file we are creating, so make sure no file with that name already exists in that path. Command used:

/usr/sap/MN1/HDB60/vandevvmlnx011/sec> sapgenpse gen_pse -p sapsrv.pse -r sapsrv.req CN="*.xxxx.xxxx.sap.corp",O="HANA Support",C="US"

Very important…

  • Do not enter a password when prompted for the PSE PIN/passphrase, as it is not supported!
  • Also, to secure internal communication, the common name (CN) should be host-specific, e.g. CN="<hostname_with_domain>", so that when you create the private CA on each host, the CN parameter is unique per host. In this example, however, I specified CN="*.xxxx.xxxx.sap.com", which is fine for the system replication scenario but not for internal communication between hosts.

  2. This should have created the new files sapsrv.req and sapsrv.pse.

Self signing certificate request:

  1. Here again we use OpenSSL to sign the certificate request sapsrv.req with the CA created above, using the command:

/usr/sap/MN1/HDB60/vandevvmlnx011/sec> openssl x509 -req -days 7300 -in sapsrv.req -sha256 -extfile /etc/ssl/openssl.cnf -extensions usr_cert -CA CA_Cert.pem -CAkey CA_Key.pem -CAcreateserial -out sapsrv.pem

Note: you can also have this signed by your own CA if you do not want to self-sign it.

  2. A new file named sapsrv.pem is created in the same directory, $SECURDIR.

Importing server certificate:

  1. Import the signed certificate into the file sapsrv.pse using the sapgenpse utility, as below:

/usr/sap/MN1/HDB60/vandevvmlnx011/sec> sapgenpse import_own_cert -c sapsrv.pem -p sapsrv.pse -r CA_Cert.pem

  2. You can see from its timestamp that the file sapsrv.pse has been updated.
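As an added example (my own script, not the blog's or SAP's code), here is the same three-step flow done entirely with OpenSSL on one host, followed by the checks I would run before pointing sslinternalkeystore at the result: the server certificate chains to the per-host CA, its CN is the host name, it is not itself a CA, and the private key carries no pass phrase. The host name vandevvmlnx011.example.corp, the organisation values and the $WORK directory are constructed; an OpenSSL key and CSR stand in for the sapgenpse gen_pse step (sapgenpse only exists inside a HANA installation, so the output here is PEM files rather than a .pse), the inline extension sections replace the distribution's /etc/ssl/openssl.cnf, and the signing command is the full form given in Mahesh Gadgil's comment at the end of this post.

```shell
#!/bin/sh
# Added example: per-host private CA + host-specific server certificate with
# OpenSSL only, plus the checks worth running before HANA is pointed at it.
# Host name, organisation and the $WORK directory are constructed values.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_host_cert <fqdn>: creates CA_Key.pem, CA_Cert.pem, sapsrv.key, sapsrv.req
# and sapsrv.pem under $WORK/<fqdn> and prints that directory.
make_host_cert() {
  host="$1"
  dir="$WORK/$host"
  mkdir -p "$dir"

  # Extension sections used instead of /etc/ssl/openssl.cnf: [v3_ca] for the
  # root, [usr_cert] for the server certificate (CA:FALSE, serverAuth, SAN = host).
  cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[usr_cert]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

  # Step 1 (blog: openssl req -new -x509 ... -extensions v3_ca): the per-host CA.
  # -nodes keeps the CA key unencrypted so the example runs non-interactively.
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 7300 \
    -config "$dir/ext.cnf" -extensions v3_ca \
    -subj "/CN=Private CA for $host/O=HANA Support/C=US" \
    -keyout "$dir/CA_Key.pem" -out "$dir/CA_Cert.pem" 2>/dev/null

  # Step 2 (blog: sapgenpse gen_pse -p sapsrv.pse -r sapsrv.req CN=...): a
  # request whose CN is this host's FQDN. No pass phrase on the key, as required.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/ext.cnf" \
    -subj "/CN=$host/O=HANA Support/C=US" \
    -keyout "$dir/sapsrv.key" -out "$dir/sapsrv.req" 2>/dev/null

  # Step 3: sign the request with the CA (the full form of the blog's
  # openssl x509 -req command, as given in Mahesh Gadgil's comment).
  openssl x509 -req -days 7300 -sha256 -in "$dir/sapsrv.req" \
    -extfile "$dir/ext.cnf" -extensions usr_cert \
    -CA "$dir/CA_Cert.pem" -CAkey "$dir/CA_Key.pem" -CAcreateserial \
    -out "$dir/sapsrv.pem" 2>/dev/null

  echo "$dir"
}

# check_host_cert <dir> <fqdn>: returns 0 only if sapsrv.pem is usable for
# the internal channel of host <fqdn>.
check_host_cert() {
  dir="$1"; host="$2"
  # 1. The server certificate chains to the CA we intend to put in the trust store.
  openssl verify -CAfile "$dir/CA_Cert.pem" "$dir/sapsrv.pem" >/dev/null 2>&1 || return 1
  # 2. The CN is this host's name (a wildcard or another host's name is rejected).
  openssl x509 -in "$dir/sapsrv.pem" -noout -subject -nameopt RFC2253 \
    | grep -qF "CN=$host" || return 1
  # 3. The server certificate is not itself a CA.
  openssl x509 -in "$dir/sapsrv.pem" -noout -text | grep -q 'CA:FALSE' || return 1
  # 4. The private key is stored without a pass phrase (HANA cannot prompt for one).
  if grep -q 'ENCRYPTED' "$dir/sapsrv.key"; then return 1; fi
  return 0
}

# Stand-alone demo with a constructed host name
DEMO_HOST="vandevvmlnx011.example.corp"
DEMO_DIR="$(make_host_cert "$DEMO_HOST")"
check_host_cert "$DEMO_DIR" "$DEMO_HOST" && echo "OK: $DEMO_DIR/sapsrv.pem is ready for $DEMO_HOST"
```

Run it on any machine with openssl on the PATH; each host gets its own directory, its own CA and a certificate whose CN matches that host, which is what the "Very important" note above asks for. On a real HANA host you would still create the .pse with sapgenpse gen_pse and bring the signed sapsrv.pem plus CA_Cert.pem in with import_own_cert exactly as in step 1 above; the checks in check_host_cert apply unchanged to the PEM files you feed to sapgenpse.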

Copying file to other nodes…

Please note that a private certificate has to be created for each host in the multi-host system. So follow the same steps as above to create a sapsrv.pse file, sign it and import it on the other hosts as well.

Now rename the sapsrv.pse file to sapsrv_internal.pse on all three nodes (for example, on node 011).

Configuration in HANA Studio (global.ini):

  1. Open HANA Studio and go to Administration Console -> Configuration -> global.ini -> communication.
  2. Set the parameter ssl = on and make sure sslinternalkeystore and sslinternaltruststore point to the correct file.
  3. sapsrv_internal.pse is the file we created, so both sslinternalkeystore and sslinternaltruststore are set to that value.

For System Replication:

To secure communication for system replication, primary and secondary each have only one .pse file. When creating the server certificate, we provide the common name (for example CN="*.prod.sap.com"), which should be the same on both primary and secondary.

So when creating the certificate for the system replication scenario, there is no need for a separate .pse file on each host.

Communication between sites (metadata and data channels) requires the same configuration as above in the [communication] section of global.ini. However, to secure the data communication we must also set the parameter enable_ssl = on under the [system_replication_communication] section of global.ini.
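The two global.ini settings above are easy to get half right, typically ssl = on in [communication] while enable_ssl is still off in [system_replication_communication], so replication data leaves the site in the clear. As an added check that is not part of the original post, here is a small POSIX shell/awk reader for global.ini that reports which of the two channels is still unsecured. The parameter names are the ones used in this post; the ini content is a constructed sample, not from a real system.

```shell
#!/bin/sh
# Added example: read the two SSL switches out of global.ini and report what is
# still unsecured. The ini content below is constructed, not from a real system.

SAMPLE_INI="$(mktemp)"
cat > "$SAMPLE_INI" <<'EOF'
[communication]
ssl = on
sslinternalkeystore = sapsrv_internal.pse
sslinternaltruststore = sapsrv_internal.pse

[system_replication_communication]
enable_ssl = off
EOF

# ini_get <file> <section> <key>: prints the value of key in [section], or
# nothing if it is absent. Section headers, keys and values are trimmed.
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^[[:space:]]*\[/ { h = $0; gsub(/[[:space:]]/, "", h); insec = (h == sec); next }
    insec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# check_ssl_config <file>: returns 0 when inter-node and system-replication
# traffic are both configured for SSL, 1 otherwise (each problem is printed).
check_ssl_config() {
  status=0
  if [ "$(ini_get "$1" communication ssl)" != "on" ]; then
    echo "[communication] ssl is not 'on': inter-node traffic is in the clear"; status=1
  fi
  if [ -z "$(ini_get "$1" communication sslinternalkeystore)" ]; then
    echo "[communication] sslinternalkeystore is not set"; status=1
  fi
  if [ -z "$(ini_get "$1" communication sslinternaltruststore)" ]; then
    echo "[communication] sslinternaltruststore is not set"; status=1
  fi
  if [ "$(ini_get "$1" system_replication_communication enable_ssl)" != "on" ]; then
    echo "[system_replication_communication] enable_ssl is not 'on': replication data channel is in the clear"; status=1
  fi
  return $status
}

# Stand-alone demo: the sample above is deliberately half configured
check_ssl_config "$SAMPLE_INI" || echo "global.ini needs changes (see above)"
```

Point check_ssl_config at the real global.ini (the layered file HANA actually reads, not only the custom layer you edited) on each host of both sites after the restart below; it only confirms the switches, so the keystore files themselves still need the certificate checks from the earlier section.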

All these changes to global.ini require a complete database restart, as below:

>sapcontrol -nr <instance_number> -function StopService

>sapcontrol -nr <instance_number> -function StartService

Now communication between hosts, and between sites in the system replication scenario, is secured using SSL.

Thanks,

Ganesh Munusamy

      4 Comments
      Jimmy Yang

      Awesome!! Thanks Ganesh

      Former Member

      Thanks Ganesh

      Mahesh Gadgil

      I am able to connect to the SYSTEM database using SSL in HANA studio after following the instructions, but not able to connect to a tenant database from HANA studio using SSL. I get a "database connection not available" error. I am able to connect to it without SSL though.

      **********************

      Also a correction is needed in the 'self signing certificate' section above. 

      openssl x509 -req -days 7300 -in sapsrv.req -sha256 -extfile /etc/ssl/ope-out sapsrv.pem

      this is what it needs to be -

      openssl x509 -req -days 7300 -in sapsrv.req -sha256 -extfile /etc/ssl/openssl.cnf -extensions usr_cert -CA CA_Cert.pem -CAkey CA_Key.pem -CAcreateserial -out sapsrv.pem

      Actually the gif included in the 'self signing certificate' section has the correct syntax, but it's not legible unless you zoom in.

      Zheng royes

      Hi, I have a problem. Could you please help me....

      I am using HANA express 2.0 and I edited global.ini as below:

      sslCryptoProvider = openssl
      sslCipherSuites = ALL:!ADH:!LOW:!EXP:!NULL
      sslKeyStore = /usr/sap/HXE/home/.ssl/key.pem
      sslTrustStore = /usr/sap/HXE/home/.ssl/trust.pem
      sslInternalKeyStore = /usr/sap/HXE/home/.ssl/key.pem
      sslInternalTrustStore = /usr/sap/HXE/home/.ssl/trust.pem

      I generated the key.pem and trust as on the site

      https://blogs.sap.com/2015/09/28/securing-the-communication-between-sap-hana-studio-and-sap-hana-server-through-ssl/

      then I executed "HDB stop"

      and then "HDB start"

      but this error message came out:

      hxeadm@hxehost:/usr/sap/HXE/HDB90/hxehost> HDB start
      
      
      StartService
      Impromptu CCC initialization by 'rscpCInit'.
        See SAP note 1266393.
      OK
      OK
      Starting instance using: /usr/sap/HXE/SYS/exe/hdb/sapcontrol -prot NI_HTTP -nr 90 -function StartWait 2700 2
      
      
      02.12.2021 12:42:31
      Start
      OK
      
      02.12.2021 12:42:45
      StartWait
      FAIL: process hdbdaemon HDB Daemon not running

      Then I checked the log file stderr1.

      The content is as below:

      hxeadm@hxehost:/usr/sap/HXE/HDB90/hxehost/trace> cat stderr1 
      (4601) New Child Process created.
      (4601) Starting local Command:
       Command:  /usr/sap/HXE/HDB90/hxehost/trace/hdb.sapHXE_HDB90
                 -d
                 -nw
                 -f
                 /usr/sap/HXE/HDB90/hxehost/daemon.ini
                 pf=/usr/sap/HXE/SYS/profile/HXE_HDB90_hxehost
      Environment variable IQDIR16 must be set before using HDB configured with Extended Storage Server
      Environment variable STREAMING_HOME  must be set before using HDB configured with Streaming Server
      Environment variable XSPATH must be set before using HDB configured with XS
      Environment variable LSS_HOME must be set before using HDB configured with Local Secure Server
      hxeadm@hxehost:/usr/sap/HXE/HDB90/hxehost/trace> 

      Which step did I get wrong???