Product Information
HANA 2.0 Cockpit Certificate issues and resolution
Have been struggling with this issue for sometime. Sharing this knowledge with SAP community.
Problem:
HANA Cockpit runs on XSA and while accessing with HTTPS , we get error for privacy. You connection is not private:
Environment: HANA 2.0 SPS03 with cockpit SPS 07 Patch and XS xs v1.0.86
Reason for Error: Signed Certificate not installed.
- Create SAN.CNF having domain name. ( You can have multiple domain named signed as shown in below example):
Where CN can be customer name FQDN we can include multiple domain names. - Create Certificate using openssl commands:
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
It will create sslcert.csr file with key private.key - Now you have to get it signed by signing authority SAP internal or External depending on your scenario. We have used SAP Internal Signing Authority, which i cannot paste in Public domain.
A) : Copy content of sslcert.csr file (Please do not copy any extra space)
B) : Generate X.509 certificate
Select X.509 for Java Based XSA applications. - C) It will generate signed certificate , save it as “Signed.cert”. It will have 3 Certificates (Server, Intermediate, Root) as shown below. All certificates are required to create Chain.cert (chain of signed certificate) S
- Now we will have to change private.key to pk8 format using below command:
openssl pkcs8 -in private.key -topk8 -nocrypt -out uekey.pk8
- Now create chained.cert by combining the signed certificates :
A) Create new notepad file and paste content of signed.cert, Inter.cert and Root certificate
- Now run the below command to include the signed certificate:
XSA set-certificate domain –cert chain.cer –key uekey.pk8 - Now HANA cockpit/Cockpit Manager and other XSA applications open without giving any error:
Simply follow SAP note : 2631903 - HANA Basic How-To Series - Securing HANA 2.0 Cockpit via SSL / HTTPS (EXAMPLE: Microsoft CA edition)
There can be notes available along with blogs. This is extremely simplified version. Following the note did not solve the issue in my environment and did not find this simplified simple blog and hence it is there.
Hi ,
I followed note 2631903 , but I am facing issue at the final step
Implement private key and combined certificate file to XSA
XSA set-certificate --cert combinedcerts.pem --key privatekey.key
Giving error "FAILED: Could not verify the certificate chain: Provided chain does not include all certificates up to the root certificate"
Hana cockpit version - xs v1.0.98
Kindly suggest
Regards,
Sumit
Hello Sumit,
Something is not right with Root certificate. I understand it might be little confusing to make chain of all certification.
Suggest you to recreate the chain certificate again n reapply. It should work.
BR,
Naveen
Hi Naveen,
As per the note 2631903
I tried to perform below steps again
Implement private key and combined certificate file to XSA
XSA set-certificate --cert combinedcerts.pem --key privatekey.key
Again facing same error.
Regards,
Sumit
Hello Naveen,
Thanks for sharing the procedure, I have successfully added the certificate and it's working. Any pointers on how this will work if we are having 2 Cockpit systems with SAP HANA system replication? I found some blogs but they do not explain about the certificates for 2 cockpit systems.
Regards,
Bilal
Hello Bilal,
When you get certificate signed, it usually covers all the address what a cockpit can have. so I think same certificate can server the purpose.
BR,
Naveen
Thanks Naveen.
The primary and secondary systems are running on 2 different hosts. During the installing of HANA cockpit, the installer does not ask for certificate host names. So when the replication is happening the secondary system will get everything from primary (SSL certificate) as well. At the time of take-over when calling the HANA cockpit application will it not give SSL error due to system running on different host?
Regards,
Bilal
If you are not having floating VIP and cockpit is installed with physical IP then it would be challenging n difficult.
otherwise you can install primary and secondary , setup replication and then install cockpit with floating VIP, which is replicated to secondary system. and register certificate with floating VIP, which when failover is performed, still continue to work.
on second thought, if it is just about the certificates, you have option to include both Primary and secondary hostname in same certificate ..by this way you don have to bother where Cockpit is running, it will continue working as certificate already include both hostnames.
Hello Naveen,
Thank you for the quick response, I will try both option.
Regards,
Bilal
Omg I did it !
I only need to convert from DER (Microsoft CA) to PEM
openssl pkcs7 -print_certs -in /tmp/chain.crt -out /tmp/chain.pem
Hi ,
getting same error
Setting SSL certificate for domain <domain> as XSA_ADMIN...
Failed to set domain certificate: Connectivity test for new certificate failed: Error executing request GET https://<hostname>:<port>/v2/info: java.io.IOException: HTTPS hostname wrong: should be <domain>. Please see SAP Note 2243019 for more information.
as per the sap notes 2734515 - xs set-certificate HTTPS hostname wrong not worked.
example :
hostname : sapbasis.sap.com
xs domains --> xs.test.org.com
both xs.test.org.com & pointing to same ip.
sapgenpse get_pse -p cockpithttps.pse -r certificaterequest.req -k GN-dNSName:xs.test.org.com "CN=sapbasis.sap.com, OU=UPM, O=SAP, C=DE"
let me know how can i create the CSR.