
HANA 2.0 Cockpit Certificate issues and resolution

Have been struggling with this issue for some time. Sharing this knowledge with the SAP community.

 

Problem:

HANA Cockpit runs on XSA, and when accessing it over HTTPS we get a privacy error: "Your connection is not private".

Environment: HANA 2.0 SPS03 with cockpit SPS 07 Patch and XS  xs v1.0.86

Reason for error: a signed certificate is not installed.

 

  1. Create SAN.CNF containing the domain name. (You can have multiple domain names signed, as shown in the example below.) CN can be the customer name FQDN, and we can include multiple domain names.
  2. Create the certificate signing request (CSR) using openssl:
    openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
    This creates the file sslcert.csr together with the key private.key.
  3. Now you have to get it signed by a signing authority, SAP internal or external depending on your scenario. We have used the SAP internal signing authority, which I cannot paste in the public domain.
    A) Copy the content of the sslcert.csr file (please do not copy any extra spaces).
    B) Generate an X.509 certificate.
    Select X.509 for Java-based XSA applications.
  4. C) This generates the signed certificate; save it as “Signed.cert”. It will contain 3 certificates (Server, Intermediate, Root) as shown below. All of them are required to create Chain.cert (the chain of signed certificates).
  5. Now convert private.key to PKCS#8 (pk8) format using the command below:

    openssl pkcs8 -in private.key -topk8 -nocrypt -out uekey.pk8

  6. Now create chained.cert by combining the signed certificates:
    A) Create a new Notepad file and paste the content of signed.cert, Inter.cert and the Root certificate.
  7. Now run the command below to install the signed certificate:
    XSA set-certificate domain --cert chain.cer --key uekey.pk8
  8. HANA Cockpit, Cockpit Manager and other XSA applications now open without giving any error.
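The san.cnf from step 1 is not reproduced on this page, so the following is an added example (not the author's file) of steps 1, 2 and 5 as a POSIX shell script. The host names are placeholders, `write_san_cnf`, `make_csr` and `csr_sans` are names made up for this example, and the `[req]`/`[alt_names]` layout is standard OpenSSL configuration rather than anything XSA-specific.

```shell
#!/bin/sh
# Added example: steps 1, 2 and 5 with a constructed san.cnf.
# Host names are placeholders; pass your own FQDNs.

write_san_cnf() (  # write_san_cnf FILE CN [additional DNS names...]
  out=$1; cn=$2; shift 2
  cat > "$out" <<EOF
[req]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[dn]
CN = $cn

[v3_req]
subjectAltName = @alt_names

[alt_names]
EOF
  i=1
  for name in "$cn" "$@"; do   # the CN is repeated as the first SAN entry
    echo "DNS.$i = $name" >> "$out"; i=$((i + 1))
  done
)

make_csr() (  # make_csr DIR: the post's two openssl commands, run inside DIR
  cd "$1" || exit 1
  umask 077   # -nodes/-nocrypt write the key unencrypted: keep it owner-only
  openssl req -out sslcert.csr -newkey rsa:2048 -nodes \
    -keyout private.key -config san.cnf 2>/dev/null || exit 1
  openssl pkcs8 -in private.key -topk8 -nocrypt -out uekey.pk8
)

csr_sans() {  # print the DNS names in a CSR's subjectAltName, one per line
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# usage: sh make_csr.sh OUTDIR CN [additional DNS names...]
if [ "$#" -ge 2 ]; then
  dir=$1; shift
  mkdir -p "$dir" && write_san_cnf "$dir/san.cnf" "$@" &&
    make_csr "$dir" && csr_sans "$dir/sslcert.csr"
fi
```

Checking the printed names before submitting the CSR catches a missing host name while it is still cheap to fix; once the certificate is signed, the SAN list cannot be changed without a new request.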

 

10 Comments
  • Simply follow SAP note : 2631903 – HANA Basic How-To Series – Securing HANA 2.0 Cockpit via SSL / HTTPS (EXAMPLE: Microsoft CA edition)

  • There can be notes available along with blogs. This is an extremely simplified version. Following the note did not solve the issue in my environment, and I did not find a simplified blog like this one, and hence it is there.

  • Hi ,

    I followed note 2631903 , but I am facing issue at the final step

    Implement private key and combined certificate file to XSA

    XSA set-certificate --cert combinedcerts.pem --key privatekey.key

    Giving error “FAILED: Could not verify the certificate chain: Provided chain does not include all certificates up to the root certificate”

    Hana cockpit version – xs v1.0.98

    Kindly suggest

     

    Regards,

    Sumit

     

     

    • Hello Sumit,

       

      Something is not right with the Root certificate. I understand it might be a little confusing to make a chain of all the certificates.

       

      I suggest you recreate the chain certificate again and reapply. It should work.

      BR,

      Naveen

      • Hi Naveen,

        As per the note 2631903

        I tried to perform below steps again

        1. Export private key, certificate and CA chain & combine certificate and CA chain into 1 file.
          1. openssl pkcs12 -in cockpithttps.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > privatekey.key
          2. openssl pkcs12 -in cockpithttps.p12 -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.pem
          3. openssl pkcs12 -in cockpithttps.p12 -cacerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cachain.pem
          4. cat certificate.pem cachain.pem > combinedcerts.pem

        Implement private key and combined certificate file to XSA
        XSA set-certificate --cert combinedcerts.pem --key privatekey.key

        Again facing same error.

         

        Regards,

        Sumit
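The properties that error message is about can be checked locally before calling XSA set-certificate. The script below is an added example, not part of the SAP note, the post or the comments; `check_chain` and its helpers are hypothetical names, and it assumes the bundle order server certificate, intermediate(s), root.

```shell
#!/bin/sh
# Added example (not SAP tooling): check a PEM bundle and key before passing
# them to XSA set-certificate. Expected order: server, intermediate(s), root.

split_bundle() {  # split_bundle BUNDLE DIR: write DIR/cert-NN.pem, print the count
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }' "$1"
}

name_of() {  # name_of subject|issuer CERT: print that distinguished name
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

check_chain() (  # check_chain BUNDLE.pem [PRIVATE.key]; body runs in a subshell
  bundle=$1; key=${2:-}
  tmp=$(mktemp -d) || exit 2
  fail() { echo "FAIL: $*"; rm -rf "$tmp"; exit 1; }
  n=$(split_bundle "$bundle" "$tmp" 2>/dev/null) || n=0
  [ "$n" -ge 2 ] || fail "found $n certificate(s); need server cert through root"
  i=1
  while [ "$i" -lt "$n" ]; do   # every certificate must be followed by its issuer
    cur=$(printf '%s/cert-%02d.pem' "$tmp" "$i")
    nxt=$(printf '%s/cert-%02d.pem' "$tmp" "$((i + 1))")
    [ "$(name_of issuer "$cur")" = "$(name_of subject "$nxt")" ] ||
      fail "cert $i is not issued by cert $((i + 1)): wrong order or missing CA"
    i=$((i + 1))
  done
  [ "$(name_of subject "$nxt")" = "$(name_of issuer "$nxt")" ] ||
    fail "last certificate is not a self-signed root"
  # Trust only the bundle's own root; the bundle supplies the intermediates.
  openssl verify -CAfile "$nxt" -untrusted "$bundle" "$tmp/cert-01.pem" \
    >/dev/null 2>&1 || fail "signatures, CA flags or validity dates do not verify"
  if [ -n "$key" ]; then
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$tmp/cert-01.pem" -noout -pubkey)" ] ||
      fail "private key does not match the server certificate"
  fi
  rm -rf "$tmp"
  echo "OK: $n certificates, server certificate through self-signed root"
)

# usage: sh check_chain.sh BUNDLE.pem [PRIVATE.key]
if [ "$#" -gt 0 ]; then check_chain "$@"; fi
```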

  • Hello Naveen,

    Thanks for sharing the procedure, I have successfully added the certificate and it’s working. Any pointers on how this will work if we are having 2 Cockpit systems with SAP HANA system replication? I found some blogs but they do not explain about the certificates for 2 cockpit systems.

    Regards,

    Bilal

     

    • Hello Bilal,

      When you get the certificate signed, it usually covers all the addresses that a cockpit can have, so I think the same certificate can serve the purpose.

      BR,

      Naveen

  • Thanks Naveen.

    The primary and secondary systems are running on 2 different hosts. During the installation of HANA cockpit, the installer does not ask for certificate host names. So when the replication is happening, the secondary system will get everything from the primary (SSL certificate) as well. At the time of take-over, when calling the HANA cockpit application, will it not give an SSL error due to the system running on a different host?

    Regards,

    Bilal

    • If you do not have a floating VIP and cockpit is installed with a physical IP, then it would be challenging and difficult.

      Otherwise you can install primary and secondary, set up replication and then install cockpit with a floating VIP, which is replicated to the secondary system, and register the certificate with the floating VIP, which still continues to work when failover is performed.

      On second thought, if it is just about the certificates, you have the option to include both primary and secondary hostnames in the same certificate. This way you don't have to bother where Cockpit is running; it will continue working as the certificate already includes both hostnames.