Naveen Kumar

HANA 2.0 Cockpit Certificate issues and resolution

I have been struggling with this issue for some time. Sharing this knowledge with the SAP community.

 

Problem:

HANA Cockpit runs on XSA. When accessing it over HTTPS, the browser shows a privacy error ("Your connection is not private").

Environment: HANA 2.0 SPS03 with cockpit SPS 07 Patch and XS  xs v1.0.86

Reason for error: no signed certificate is installed.

 

  1. Create san.cnf containing the domain name. (You can have multiple domain names signed.) The CN can be the customer's FQDN, and multiple domain names can be included.
  2. Create the certificate signing request using openssl:
    openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
    This creates the file sslcert.csr together with the key private.key.
  3. Get the request signed by a signing authority, SAP internal or external depending on your scenario. We have used the SAP internal signing authority, which I cannot paste in the public domain.
    A) Copy the content of the sslcert.csr file (please do not copy any extra spaces).
    B) Generate an X.509 certificate. Select X.509 for Java-based XSA applications.
    C) This generates the signed certificate; save it as “Signed.cert”. It will contain 3 certificates (server, intermediate, root). All of them are required to create Chain.cert (the chain of signed certificates).
  4. Convert private.key to pk8 (PKCS#8) format using the command below:

    openssl pkcs8 -in private.key -topk8 -nocrypt -out uekey.pk8

  5. Create chained.cert by combining the signed certificates:
    A) Create a new Notepad file and paste in the content of signed.cert, Inter.cert and the root certificate.
  6. Run the command below to install the signed certificate:
    XSA set-certificate domain --cert chain.cer --key uekey.pk8
  7. HANA Cockpit, Cockpit Manager and other XSA applications now open without any error.
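
Before the set-certificate step, the chain file, the key and the domain name can be checked locally with openssl, which catches the problems reported in the comments below (incomplete chain, wrong host name, non-PEM input) as well as a key mismatch. This is an added example, not part of the original post or of SAP's tooling; the function name `check_xsa_cert` and its messages are made up for illustration, and it assumes the bundle is ordered server, intermediate, root.

```sh
# check_xsa_cert CHAIN KEY DOMAIN  (hypothetical helper, not an SAP tool)
# Prints one line per finding; returns 0 only if every check passes.
check_xsa_cert() {
    chain=$1; key=$2; domain=$3; bad=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into c1.pem (server), c2.pem, ... in file order and count them.
    n=$(awk -v d="$tmp" '/-BEGIN CERTIFICATE-/{n++} n{print > (d "/c" n ".pem")}
                         END{print n+0}' "$chain" 2>/dev/null)
    if [ "${n:-0}" -eq 0 ]; then
        echo "FAIL: no PEM certificate found (convert DER/PKCS#7 input to PEM first)"
        rm -rf "$tmp"; return 1
    fi
    i=1
    while [ "$i" -lt "$n" ]; do   # each certificate must name the next one as its issuer
        next=$((i + 1))
        iss=$(openssl x509 -noout -issuer_hash -in "$tmp/c$i.pem")
        sub=$(openssl x509 -noout -subject_hash -in "$tmp/c$next.pem")
        [ "$iss" = "$sub" ] || { echo "FAIL: cert $i is not issued by cert $next"; bad=1; }
        i=$next
    done
    root="$tmp/c$n.pem"           # the last certificate must be the self-signed root
    [ "$(openssl x509 -noout -issuer_hash -in "$root")" = \
      "$(openssl x509 -noout -subject_hash -in "$root")" ] ||
        { echo "FAIL: chain does not end in a self-signed root"; bad=1; }
    # Signatures: verify the server certificate against the bundle's own root.
    openssl verify -CAfile "$root" -untrusted "$chain" "$tmp/c1.pem" >/dev/null 2>&1 ||
        { echo "FAIL: signature chain from server certificate to root does not verify"; bad=1; }
    # The private key must belong to the first (server) certificate.
    pub=$(openssl x509 -noout -pubkey -in "$tmp/c1.pem" 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ] ||
        { echo "FAIL: private key does not match the first certificate"; bad=1; }
    # The XSA domain must be one of the names the server certificate covers.
    openssl x509 -noout -checkhost "$domain" -in "$tmp/c1.pem" 2>&1 | grep -q 'does match' ||
        { echo "FAIL: certificate does not cover $domain"; bad=1; }
    rm -rf "$tmp"
    return "$bad"
}
# Run directly as: sh check.sh chain.cer uekey.pk8 <domain>
if [ "$#" -eq 3 ]; then check_xsa_cert "$@"; fi
```
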

 


      13 Comments
      Yogesh Patel

      Simply follow SAP note : 2631903 - HANA Basic How-To Series - Securing HANA 2.0 Cockpit via SSL / HTTPS (EXAMPLE: Microsoft CA edition)

      Naveen Kumar
      Blog Post Author

      There can be notes available along with blogs. This is an extremely simplified version. Following the note did not solve the issue in my environment, and I did not find a simplified blog like this one, and hence it is here.

      Paul Allsopp

      Which is awesome because many of the links in other posts are dead, and the link to HANA Basic How-To Series - Securing HANA 2.0 Cockpit via SSL / HTTPS (EXAMPLE: Microsoft CA edition) is inaccessible to me.

      Links are great until someone stops maintaining them!

      Sumit Patel

      Hi ,

      I followed note 2631903, but I am facing an issue at the final step

      Implement private key and combined certificate file to XSA

      XSA set-certificate --cert combinedcerts.pem --key privatekey.key

      Giving error "FAILED: Could not verify the certificate chain: Provided chain does not include all certificates up to the root certificate"

      Hana cockpit version - xs v1.0.98

      Kindly suggest

       

      Regards,

      Sumit

       

       

      Naveen Kumar
      Blog Post Author

      Hello Sumit,

       

      Something is not right with the root certificate. I understand it might be a little confusing to make a chain of all the certificates.

      I suggest you recreate the chain certificate again and reapply it. It should work.

      BR,

      Naveen

      Sumit Patel

      Hi Naveen,

      As per the note 2631903

      I tried to perform below steps again

      1. Export private key, certificate and CA chain & combine certificate and CA chain into 1 file.
        1. openssl pkcs12 -in cockpithttps.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > privatekey.key
        2. openssl pkcs12 -in cockpithttps.p12 -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.pem
        3. openssl pkcs12 -in cockpithttps.p12 -cacerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cachain.pem
        4. cat certificate.pem cachain.pem > combinedcerts.pem

      Implement private key and combined certificate file to XSA
      XSA set-certificate --cert combinedcerts.pem --key privatekey.key

      Again facing same error.

       

      Regards,

      Sumit

      Bilal Siddiqui

      Hello Naveen,

      Thanks for sharing the procedure, I have successfully added the certificate and it's working. Any pointers on how this will work if we are having 2 Cockpit systems with SAP HANA system replication? I found some blogs but they do not explain about the certificates for 2 cockpit systems.

      Regards,

      Bilal

       

      Naveen Kumar
      Blog Post Author

      Hello Bilal,

      When you get the certificate signed, it usually covers all the addresses that a cockpit can have, so I think the same certificate can serve the purpose.

      BR,

      Naveen

      Bilal Siddiqui

      Thanks Naveen.

      The primary and secondary systems are running on 2 different hosts. During the installation of HANA cockpit, the installer does not ask for certificate host names. So when the replication is happening, the secondary system will get everything from the primary (SSL certificate) as well. At the time of take-over, when calling the HANA cockpit application, will it not give an SSL error due to the system running on a different host?

      Regards,

      Bilal

      Naveen Kumar
      Blog Post Author

      If you do not have a floating VIP and cockpit is installed with a physical IP, then it would be challenging and difficult.

      Otherwise you can install primary and secondary, set up replication and then install cockpit with a floating VIP, which is replicated to the secondary system, and register the certificate with the floating VIP, which still continues to work when a failover is performed.

      On second thought, if it is just about the certificates, you have the option to include both the primary and secondary hostnames in the same certificate. This way you don't have to bother where Cockpit is running; it will continue working as the certificate already includes both hostnames.

       

      Bilal Siddiqui

      Hello Naveen,

      Thank you for the quick response, I will try both options.

      Regards,

      Bilal

      Igor Kostylev

      Omg I did it !

      I only need to convert from DER (Microsoft CA) to PEM

      openssl pkcs7 -print_certs -in /tmp/chain.crt -out /tmp/chain.pem

      Vivek Pokhariyal

      Hi ,

       

      getting same error

       

      Setting SSL certificate for domain <domain> as XSA_ADMIN...
      Failed to set domain certificate: Connectivity test for new certificate failed: Error executing request GET https://<hostname>:<port>/v2/info: java.io.IOException: HTTPS hostname wrong: should be <domain>. Please see SAP Note 2243019 for more information.

      Following SAP Note 2734515 - xs set-certificate HTTPS hostname wrong did not work.

      example :

      hostname : sapbasis.sap.com

      xs domains --> xs.test.org.com

      both xs.test.org.com & pointing to same ip.

       

      sapgenpse get_pse -p cockpithttps.pse -r certificaterequest.req -k GN-dNSName:xs.test.org.com "CN=sapbasis.sap.com, OU=UPM, O=SAP, C=DE"

       

      Let me know how I can create the CSR.
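
Step 1 of the post and the replies about covering more than one host name both depend on a san.cnf that lists every name the cockpit is reached under. As an added example (not from the post or the thread), the following writes such a file and runs the openssl req command from step 2; the function names and the example.test host names are constructed for illustration.

```sh
# make_san_csr DIR CN [EXTRA_NAME...]  (hypothetical helper)
# Writes DIR/san.cnf, then creates DIR/private.key and DIR/sslcert.csr from it.
make_san_csr() {
    dir=$1; cn=$2; shift 2
    # Clients that honour subjectAltName ignore the CN, so the CN is
    # repeated as the first DNS entry.
    cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $cn
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $cn
EOF
    i=2
    for name in "$@"; do          # one DNS.n line per additional host name
        echo "DNS.$i = $name" >> "$dir/san.cnf"
        i=$((i + 1))
    done
    # Same command as step 2 of the post, run inside DIR.
    (cd "$dir" && openssl req -out sslcert.csr -newkey rsa:2048 -nodes \
        -keyout private.key -config san.cnf 2>/dev/null)
}

# csr_names CSR: print the DNS names the request asks for, one per line,
# so they can be reviewed before the CSR is sent for signing.
csr_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Run directly as: sh mkcsr.sh <dir> <cn> [extra names...]
if [ "$#" -ge 2 ]; then make_san_csr "$@" && csr_names "$1/sslcert.csr"; fi
```
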