Providing https on SAP HANA WebDispatcher using LetsEncrypt
Environments that I manage and use for a range of reasons need to be secured and provide https for connections. Most client connections now require this, including the main use case: connecting SAP Analytics Cloud to SAP HANA for live interaction.
Below I cover a no-cost approach to providing public https on a server, without paying for a certificate. I must mention that all the servers I deploy on are non-production and relatively short-term, so the free https option is perfect. Previously we were paying a reasonable amount for third-party certificates, which were often redundant even before the year's subscription was up.
The process for SAP HANA WebDispatcher (typically port 4300):
1. SAP HANA typically runs on SuSE Enterprise Linux, for which there are no easy LetsEncrypt bundles. After trying a few, I ended up using acme-nosudo. Copy it to the server, and verify that openssl and python are installed.
2. Make sure the server can also resolve external hostnames (check /etc/resolv.conf).
3. Run the following as root:
openssl genrsa 4096 > user.key
openssl rsa -in user.key -pubout > user.pub
4. You also need the domain.csr file; this is pulled from the WebDispatcher:
- Log in to the SAP HANA WebDispatcher: http://server:80<instance>/sap/hana/xs/wdisp/admin/public/default.html
- Recreate the PSE (so it is not localhost, or the internal server name), and ensure the CN is the fully qualified domain name (CN=fullyqualifieddomainname).
- Then “Create CA Request” and save this as the domain.csr file on the server, ideally in the same directory as the key files.
5. As hdbadm (or the owner of the SAP HANA environment), run:
python sign_csr.py --public-key user.pub domain.csr > signed.crt
During this step you will be prompted to open another session and run additional commands there. Finally you will see that the certificate has been created as signed.crt.
6. I will be using the SAP HANA WebDispatcher web interface to update the certificate, so combine the following into one file (in this order):
- Intermediate Certificate – Let’s Encrypt Authority X3 (Signed by ISRG Root X1) from https://letsencrypt.org/certificates/
- Root Certificate – ISRG Root X1 (self-signed) from https://letsencrypt.org/certificates/
7. Upload this file using “Import CA Response”.
And you should be good to go.
Alternatively, if you want to script as much as possible, you can import the certificate directly with sapgenpse:
8. First get the certificates into one file (note the different order), then import it into the WebDispatcher's PSE:
cat root.cer inter.cer signed.crt > full.cer
hdbadm@server:/usr/sap/HDB/home/keys> sapgenpse import_own_cert -p /usr/sap/HDB/HDB00/server/sec/SAPSSLS.pse -c full.cer
CA-Response successfully imported into PSE "/usr/sap/HDB/HDB00/server/sec/SAPSSLS.pse"
It’s also important to note, that these certificates last 3 months.
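As an added example (not code from the post or from acme-nosudo), here is the scripted path from step 8 plus the three-month note, wrapped in a few POSIX shell functions: it builds full.cer in the post's order, refuses to import when a file is missing or the leaf does not chain to the root, and tests for approaching expiry so a cron job knows when to renew. The file names and PSE path are the post's; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): assemble the chain in the order the
# post's cat command uses (root, intermediate, signed), sanity-check it and
# only then hand it to sapgenpse. File names and the PSE path follow the post.
set -eu

# Number of PEM certificate blocks in a file (0 if it does not exist).
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# build_chain OUT ROOT INTER SIGNED
# Concatenates the three PEM files into OUT (leaf last) and refuses to
# continue if any input is missing or holds other than one certificate.
build_chain() {
    out=$1; root=$2; inter=$3; signed=$4
    for f in "$root" "$inter" "$signed"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
        [ "$(count_certs "$f")" -eq 1 ] \
            || { echo "expected exactly one certificate in $f" >&2; return 1; }
    done
    cat "$root" "$inter" "$signed" > "$out"
    [ "$(count_certs "$out")" -eq 3 ] \
        || { echo "$out does not contain three certificates" >&2; return 1; }
}

# verify_chain ROOT INTER SIGNED
# Confirms with openssl that the leaf really chains to the root before the
# import; a stale intermediate (Let's Encrypt rotates them) fails here.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

# expires_within SIGNED DAYS
# Succeeds if the certificate expires within DAYS days; with three-month
# Let's Encrypt certificates this is the renewal trigger for a cron job.
expires_within() {
    ! openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null
}

# import_chain FULL PSE: the post's sapgenpse step, once the checks pass.
import_chain() {
    sapgenpse import_own_cert -p "$2" -c "$1"
}
# Typical use as hdbadm, with the post's file names:
#   build_chain full.cer root.cer inter.cer signed.crt
#   verify_chain root.cer inter.cer signed.crt
#   import_chain full.cer /usr/sap/HDB/HDB00/server/sec/SAPSSLS.pse
#   expires_within signed.crt 30 && echo "renew now"
```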
Yes, there is more automation that can be done. Happy for you to add your comments with them 🙂