Bjoern Brencher

How to Configure TLS/SSL in SAP HANA 2.0?

Communication encryption is a key feature for securing data in transit. Using encrypted communication channels prevents attackers from intercepting traffic at the network level. SAP HANA supports encrypted communication for all client-server (external) communication and for HANA internal communication.

SAP recommends using encrypted communication channels for SAP HANA wherever possible.

The aim of this document is to describe one way of configuring secure communication (TLS/SSL) in typical installation scenarios. The initial scenario described is an SAP HANA system installed on a single host, with incoming connections from SQLDBC and HTTP clients for database and administrative access. TLS/SSL configuration is explained for the following incoming connections to HANA:

  • Database clients via the SQL interface (port 3xx13/3xx15), e.g. SAP HANA studio, SAP HANA cockpit
  • SAP HANA cockpit/studio via SAP start service (sapstartsrv) (port 5xx13/5xx14)
  • SAP HANA database lifecycle manager via SAP Host Agent (port 1128/1129)
  • Web applications via XS advanced application server (ports used depend on XSA routing mode)
  • XS advanced server via the SQL interface (port 3xx13/3xx15)
  • Web applications via the XS classic server (port 43xx)

Detailed instructions can be found in the document “How to Configure TLS/SSL in SAP HANA 2.0”.

6 Comments

Werner Flamme

      Nice document, thank you! It seems to cover everything I looked for.

I assume I can skip a few steps if I already have a certificate signed by my company's CA. To install it into an ABAP host, I use, at OS level:

      sapgenpse import_p12 -p SAPSSLS_${sid}_$(date +%Y%m%d).pse -x "" -r cert_chain.txt -z $P12PASSWORD cert_and_privatekey.p12

      So I get a PSE without password (-x "") complete with the certificates from Root CA down to Server CA, ready to import into the system. I guess that this may work like Configuration I in Scenario 1. Am I right here?

      As in II V, I already have the data in two separate files, so I don't need to extract it from the PSE, right?

      By the way, Scenario 1 is the only one I see, are there others? Not that I need them, I think all I need has been covered here 🙂

      Regards, Werner

Nilesh Vakil

Hi,

I am trying to execute the example in the link

https://blogs.sap.com/2013/11/01/outbound-https-with-hana-xs-part-3-call-the-https-outbound-service-in-xs-server-side-javascript-xsjs/.

But somehow I am getting the error: "HTTPClient.request: SSL requested, but no trust store configured".

Saurabh Saxena

      Hi,

We have a software product which gets data from an SAP HANA 2.0 database via a JDBC connection.

Now we want to get the data over a secured channel, i.e. with TLS encryption set up and data access going through the TLS-encrypted connection.

We have SAP HANA 2.0 on SUSE Linux, and SAP HANA Studio and my product on a Windows machine.

For this I am following the document: https://www.sap.com/documents/2018/11/b865eb91-287d-0010-87a3-c30de2ffd8ff.html

Steps I am doing:

1. On the SAP HANA machine the following command is fired:

      sapgenpse gen_pse -p cert.pse -r csr.txt -k GN-dNSName:linux-5h62 "CN=linux-5h62, OU=Sailpoint, O=Sailpoint, C=IN"

This generates cert.pse and csr.txt in the SAP HANA "/usr/sap/SH1/HDB00/linux-5h62/sec" directory.

2. Once this is done, the next step is to sign the certificate with a CA. Instead, I am trying to self-sign the certificate via the following commands on my Windows machine where SAP HANA Studio is available:

      a) keytool -genkeypair -alias ca -keyalg RSA -keysize 1024 -dname "CN=linux-5h62, OU=Sailpoint, O=Sailpoint, C=IN" -keypass Sailpoint123 -ext bc:c -validity 3650 -keystore SailPointca.jks -storepass Sailpoint123 -deststoretype pkcs12

      b) keytool -exportcert -alias ca -file root.crt -keystore SailPointca.jks -storepass Sailpoint123 -rfc

c) keytool -gencert -rfc -infile csr.txt -outfile cert.p7b -alias ca -ext bc:c -keystore SailPointca.jks -storepass Sailpoint123 -validity 3650

where step c) generates the cert.p7b file from csr.txt.

3. I am transferring this cert.p7b to the SAP HANA machine and then trying the next command:

      sapgenpse import_own_cert -p cert.pse -c csr.p7b -v -x -r

on the SAP HANA machine.

I am getting the error: self signed certificate is not supported.

Please let me know how to get past this error or what I am doing wrong here, as I need to establish the connection between the SAP HANA server and SAP HANA Studio, which is installed on my Windows machine.

Also, what are the next steps to be followed in my scenario?

As this setup in the lab is not working, we can't release our product claiming the database connection is made over SSL/TLS, thus the release is stalled.

      https://launchpad.support.sap.com/#/incident/pointer/002075129400005073952019

Anand Tigadikar

Thanks a lot for sharing this, it's an excellent blog, I could follow it and apply it successfully 😉

One question though - may I know how you are monitoring the SSL certificates which are applied on the HANA DB?

To give context - we are using HANA SSL certificates which are valid for 1 year, and before they expire we need to renew them, so we want to set up monitoring to get alerts, either via Cockpit, Splunk or other home-grown tools via Perl or any other scripting. Does anyone know more about it?

Werner Flamme

      Hi Anand,

      I just established this monitoring in my company, so maybe I can help here.

When adding the certificate to the web dispatcher, the web dispatcher itself shows this certificate when invoked as https://<dbhost>:43<instance>/sap/hana/xs/wdisp/admin/. So you can use any certificate validation check you use for your web servers too. I'm using the nagios plugin check_ssl_cert here. This integrates nicely into our nagios-based company-wide monitoring.

      HTH, Werner
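As an added example, not part of the blog post or of any comment above, the script below ties the port list from the post to the certificate-expiry monitoring discussed in the two comments above. It derives the TLS listener ports of a HANA instance from the patterns the post gives (3xx13/3xx15 for SQL, 5xx14 for sapstartsrv, 1129 for the SAP Host Agent, 43xx for XS classic), pulls the certificate each listener presents with the openssl CLI, and flags certificates that expire within a threshold. It assumes openssl is installed on the monitoring host, that the SQL ports negotiate TLS on the same port number as plaintext connections, and that you are permitted to probe the host; the host name and two-digit instance number are parameters, not values from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the post or its comments): enumerate the TLS
# listeners of an SAP HANA 2.0 instance from the port patterns listed in the
# post and report whether each presents a certificate still valid for N days.
# Assumptions: the openssl CLI is installed, the SQL ports negotiate TLS on
# the same port as plaintext, and probing the target host is permitted.
set -u

# Print "name:port" lines for instance number $1 (two digits, e.g. "00").
# Only the HTTPS side of each HTTP/HTTPS pair is listed (5xx14, 1129, 43xx).
# XS advanced ports depend on the routing mode and are not derived here;
# additional tenant databases use further 3xxNN SQL ports not listed here.
hana_tls_ports() {
  inst="$1"
  case "$inst" in
    [0-9][0-9]) ;;
    *) echo "instance number must be two digits, got '$inst'" >&2; return 1 ;;
  esac
  printf '%s\n' \
    "sql-systemdb:3${inst}13" \
    "sql-tenant:3${inst}15" \
    "sapstartsrv-https:5${inst}14" \
    "hostagent-https:1129" \
    "xs-classic-https:43${inst}"
}

# Fetch the leaf certificate presented at host $1, port $2 as PEM; prints
# nothing when no TLS handshake completes (port closed or plaintext only).
fetch_leaf_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 2>/dev/null
}

# Succeed if the PEM certificate on stdin is still valid $1 days from now.
cert_valid_for_days() {
  openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# Probe every listener of instance $2 on host $1; warn when a certificate
# expires within $3 days (default 30). Exit status: 0 all listeners OK,
# 1 at least one handshake failure, 2 at least one certificate expiring soon.
check_hana_tls() {
  host="$1"; inst="$2"; warn_days="${3:-30}"; rc=0
  for entry in $(hana_tls_ports "$inst"); do
    name="${entry%%:*}"; port="${entry##*:}"
    pem="$(fetch_leaf_cert "$host" "$port")"
    if [ -z "$pem" ]; then
      echo "WARN  $name $host:$port  no TLS handshake (closed or plaintext only)"
      [ "$rc" -eq 0 ] && rc=1
    elif printf '%s\n' "$pem" | cert_valid_for_days "$warn_days"; then
      echo "OK    $name $host:$port  $(printf '%s\n' "$pem" | openssl x509 -noout -enddate)"
    else
      echo "CRIT  $name $host:$port  certificate expires within ${warn_days} days"
      rc=2
    fi
  done
  return "$rc"
}

# Usage: ./hana_tls_check.sh check <host> <instance> [warn_days]
case "${1:-}" in
  check) shift; check_hana_tls "$@" ;;
esac
```

Run it as `./hana_tls_check.sh check <dbhost> 00 30` from a host that may reach the database, and feed the exit status into the monitoring system of your choice. A WARN on an SQL port is worth a look in its own right: besides a closed port it also means the listener completed no TLS handshake, i.e. the TLS configuration the post describes is not in effect there.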

Axel Utz

You will find the relevant information in KBA 2487639 - HANA Basic How-To Series - HANA and SSL / TLS - LEAD KBA.