How to Configure TLS/SSL in SAP HANA 2.0?
Communication encryption is a key feature to secure data in transit. Usage of encrypted communication channels can prevent attackers to intercept traffic on network level. SAP HANA supports encrypted communication for all client-server (external) communication and HANA internal communication.
SAP HANA recommends using encrypted communication channels where possible.
The aim of this document is to describe one way of configuring secure communication (TLS/SSL) in typical installation scenarios. The initial scenario described is an SAP HANA system installed on a single host with incoming connections from SQLDBC and HTTP clients for database and administrative access. TLS/SSL configuration is explained for following incoming connections to HANA:
- Database clients via the SQL interface (port 3xx13/3xx15), e.g. SAP HANA studio, SAP HANA cockpit
- SAP HANA cockpit/studio via SAP start service (sapstartsrv) (port 5xx13/5xx14)
- SAP HANA database lifecycle manager via SAP Host Agent (port 1128/1129)
- Web applications via XS advanced application server (ports used depend on XSA routing mode)
- XS advanced server via the SQL interface (port 3xx13/3xx15)
- Web applications via the XS classic server (port 43xx)
Detailed instructions can be found in the document “How to Configure TLS/SSL in SAP HANA 2.0“
Nice document, thank you! It seems to cover everything I looked for.
I assume I can skip a few steps if I already got a ready-signed certificate from my company's CA. To install it into an ABAP host, I use on OS level
So I get a PSE without password (-x "") complete with the certificates from Root CA down to Server CA, ready to import into the system. I guess that this may work like Configuration I in Scenario 1. Am I right here?
As in II V, I already have the data in two separate files, so I don't need to extract it from the PSE, right?
By the way, Scenario 1 is the only one I see, are there others? Not that I need them, I think all I need has been covered here 🙂
I am trying to execute example in link
But somehow i am getting error as " HTTPCLient.request: SSL Requested , but no trust store cnfigured
We have a software product which gets data from sap hana database 2.0 via jdbc connection.
Now we want to get the data over secured channel when tls encryption is set up and data access is via tls encryption.
we have sap hana 2.0 on suse linux and SAP hana studio and my product on Windows machine.
For this i am following the document : https://www.sap.com/documents/2018/11/b865eb91-287d-0010-87a3-c30de2ffd8ff.html
Steps i am doing :
on sap hana machine the command is fired :
sapgenpse gen_pse -p cert.pse -r csr.txt -k GN-dNSName:linux-5h62 "CN=linux-5h62, OU=Sailpoint, O=Sailpoint, C=IN"
this generates cert.pse and csr.txt in sap hana "/usr/sap/SH1/HDB00/linux-5h62/sec" directory.
2. Once this is done next step is to sign the certificate with CA. Instead i am trying to self sign the certificate via the folowing commands on my windows machine where sap hana studio is available:
a) keytool -genkeypair -alias ca -keyalg RSA -keysize 1024 -dname "CN=linux-5h62, OU=Sailpoint, O=Sailpoint, C=IN" -keypass Sailpoint123 -ext bc:c -validity 3650 -keystore SailPointca.jks -storepass Sailpoint123 -deststoretype pkcs12
b) keytool -exportcert -alias ca -file root.crt -keystore SailPointca.jks -storepass Sailpoint123 -rfc
c)keytool -gencert -rfc -infile csr.txt -outfile cert.p7b -alias ca -ext bc:c -keystore SailPointca.jks -storepass Sailpoint123 -validity 3650
where step C) is generating cert.p7b file using csr.txt
3. i am transferring this cert.p7b on the sap hana machine and then trying the next command :
sapgenpse import_own_cert -p cert.pse -c csr.p7b -v -x -r
on sap hana machine.
I am getting the error : self signed certificate is not supported.
Please let me know how to get past this error or what i am doing wrong here, as i need to establish the connection between sap hana server and sap hana studio which is intalled on my windows machine.
Also what are the next steps to be followed in my scenario?
As this setup in the lab is not working, we cant release our product claiming database connection is made over SSL/TLS , thus release is stalled
Thanks a lot for sharing this , it's a excellent blog, i could follow it and apply it successfully 😉
One question though - May i know how are you Monitoring this SSL Certificates, which are applied on HANA DB ?
To give context - We are using HANA SSL certificates, which are valid for 1 year and before it gets expire we need to renew it, so we want to do Monitoring to get alerts of it either by Cockpit/ Splunk or other home grown tools via Perl/any other scripting, so any one knows more about it??
I just established this monitoring in my company, so maybe I can help here.
When adding the certificate to the web dispatcher, the web dispatcher itself shows this certificate when invoked as https://<dbhost>:43<instance>/sap/hana/xs/wdisp/admin/. So you can use any certicate validation check you use for your web servers too. I'm using the nagios plugin check_ssl_cert here.This integrates nicely into our nagios-based company-wide monitoring.