Configuring Browsers for SSL Communication with an on-premise instance of SAP HANA XS Advanced
The Web IDE for SAP HANA is a web application running on XSA. All applications in XSA are accessed via HTTPS. Now the Web IDE itself loads components needed for its “plug-ins” and the “features” on behalf of other components already running in it (think for example about building a java module, which would then need application or server dependencies listed in the maven specific pom.xml). If you haven’t installed or configured SSL (meaning HTTPS) correctly, you would end up with a warning in the browser that the communication is not secure (see the screen shot below).
In releases prior to SPS02 those were cosmetic flaws in the browser invoking the Web IDE. In SPS02 I found that the lack of the SSL certificates can lead to severe errors:
The problem is that the browser does not trust the XSA (server) components. Now you have two ways out of this maze. The officially recommended way is to properly configure SSL in your HANA system(s). This is something a system admin would do in HANA systems residing in “his” data center, where XSA based solution development takes place. He would then consult the admin and security guide form the official HANA/XSA documentation and at some point most likely come across the SAP Note 2243019, which describes the process very well. He will basically generate officially signed certificates by a certain certification authority (CA) and install them on the server side (XSA).
The second way is really a work-around, which you can use to test and prototype the Web IDE for SAP HANA for your solution, prior to set up the recommended SSL infrastructure in XSA.
How does it work? Well, after or during installation, XSA generates “self-signed” certificates, which can be used in the browser for trusted communication with the server components. You would have to import those certificated in your browser.
In the following I will describe an easy way to do this for the Chrome browser. Please observe that I will not explicitly access the underlying Linux file system on the server side, where the certificates are stored. All I need are the developer tools of the Chrome browser to do so. Basically I am downloading the self-signed certificate from the server and importing it to my local Chrome browser, where I run the Web IDE for SAP HANA. I am sure, many of you are familiar with this process.
- Open the Web IDE in Chrome (proceed to the website if you get a warning screen). You will see a red icon next to the URL with the “https” crossed out, if the certificate is not in place (as in the screen shot above).
- Invoke the Developer Tools (F12)
- Go to the “Security” tab
- Click on “View Certificate”
- Go to the “Details” tab
- Click on “Copy to file”
- Keep the default options and save the file on your local machine
- Open Chrome Settings
- Scroll down and click on “Show advanced settings”
- Under HTTPS/SSL click on “Manage certificates”
- Go to “Trusted Root Certification Authorities” tab
- Click on Import
- Select the file you saved
- Keep the default options until you click on “Finish”
- In the warning popup click on “Yes”
- Restart Chrome
That’s it. This is the result and you will get rid of all those annoying and nasty errors about the Web IDE not being able to load plug-ins, features, components etc.
I hope you will find this post useful.