Installing HANA Express 2.0 and XSA: Configuration
This blog post is a part of a larger series. You can navigate the series here:
Deployment Options | Installation | Configuration
In this post we’ll perform some additional tasks to ensure the environment is accessible and secure. The system will not be usable until after the following key tasks are performed:
Hostname & URL | We want our installation to be accessible on the internet under our own domain name, so we need to change the system configuration to reflect the new name.
Upgrade SAPCRYPTOLIB | SAPCRYPTOLIB manages the secure stores, certificates and so on. The version that ships with the HANA Express install has a bug that is resolved in version 8.5.26 and later. We need to update to the latest version so we can import our SSL certificates correctly.
SSL Certificates | To communicate with the server securely we need SSL certificates. We will create a Certificate Signing Request and have it signed by a CA such as GoDaddy. The certificate will then need to be imported into the SAP Secure Store as well as XSA.
Rename the Host & URL
The default installation is not designed to be accessible from the internet. It has a local hostname and API URL that we can modify by editing a file and restarting the system.
sudo vi /hana/shared/HXE/global/hdb/custom/config/xscontroller.ini
Change the default_domain and api_url variables to reflect your domain name. The variables should look something like this:
default_domain = your-domain-or-ip.com
api_url = https://your-domain-or-ip.com:39030
Save the file by pressing ESC, then :wq, then ENTER.
Next we need to create a password file that can be used by the rename system process so that it knows the appropriate passwords for various accounts.
cd /tmp
vi pwd.xml
Include the following contents in the file and be sure to change the text in the brackets to specify your passwords for these accounts.
<?xml version="1.0" encoding="UTF-8"?>
<Passwords>
<password><![CDATA[your_password]]></password>
<source_password><![CDATA[your_source_password]]></source_password>
<system_user_password><![CDATA[your_system_user_password]]></system_user_password>
<sapadm_password><![CDATA[your_sapadm_password]]></sapadm_password>
</Passwords>
Save the file by pressing ESC, then :wq, then ENTER.
Now we need to stop the SAP HANA database, trigger the rename process, and bring the database back up. Make sure the source side of the -certificates_hostmap parameter is your current hostname. The current hostname was accepted as a default during installation and is your AWS public DNS name, which you can find by clicking on your instance in the EC2 Dashboard.
Be sure to replace the source and target names in the -certificates_hostmap parameter of the command below (source=target) and set your domain name in the -xs_domain_name parameter.
su -l hxeadm
HDB stop
exit
sudo cat ./pwd.xml | sudo /hana/shared/HXE/hdblcm/hdblcm --action=rename_system --nostart --skip_hostagent_calls -certificates_hostmap=ip-172-16-30-83.us-east-2.compute.internal=your-domain-or-ip.com -xs_domain_name=your-domain-or-ip.com --read_password_from_stdin=xml -b
Become hxeadm again and restart the database.
su -l hxeadm
HDB start
When the system comes up you still won’t be able to access much because we haven’t loaded the SSL certificates yet. We need to complete a few more tasks before accessing the system.
Upgrade SAPCRYPTOLIB
If we don’t update SAPCRYPTOLIB we will bang our heads against the wall trying to get the SSL certificates to work.
Exit to the local machine and update SAPCRYPTOLIB using the file downloaded from SAP Software Downloads.
exit
scp SAPCRYPTOLIBP_8530-20011697.SAR ec2-user@your-domain-or-ip:/tmp/SAPCRYPTOLIBP_8530-20011697.SAR
Now log back in to the server, extract the archive and copy the files to the correct location. SAPCAR extracts into the current directory, so change to /tmp before unpacking.
ssh ec2-user@your-domain-or-ip.com
su -l hxeadm
cd /tmp
/usr/sap/HXE/HDB90/exe/SAPCAR -xvf /tmp/SAPCRYPTOLIBP_8530-20011697.SAR
sudo cp sapgenpse /usr/sap/HXE/HDB90/exe/sapgenpse
sudo cp sapcrypto.lst /usr/sap/HXE/HDB90/exe/sapcrypto.lst
sudo cp libsapcrypto.so /usr/sap/HXE/HDB90/exe/libsapcrypto.so
sudo cp libslcryptokernel.so /usr/sap/HXE/HDB90/exe/libslcryptokernel.so
sudo cp libslcryptokernel.so.sha256 /usr/sap/HXE/HDB90/exe/libslcryptokernel.so.sha256
sudo cp sapcrypto.mf /usr/sap/HXE/HDB90/exe/sapcrypto.mf
Install SSL Certificates
Of the full end-to-end installation and configuration process, the SSL certificates portion is the most variable part of the tutorial and the most likely place where your situation will differ from mine. If you have any issues, this is where they will probably happen. I'll be using GoDaddy and hopefully your experience is similar.
We will start by making a backup of the secure store where SAP stores the security keys and other encrypted info.
cd $SECUDIR
mv SAPSSLS.pse SAPSSLS.pse.OLD
Next, we need to create a few files that will be used in command line parameters in upcoming steps.
The first file we will call test.conf:
vi test.conf
Paste the following text into the file and be sure to change the domain name to match your domain with the SSL certificate.
[SAN]
subjectAltName = @alt_names
[alt_names]
DNS.1=your-domain-or-ip.com
Save the file by pressing ESC, then :wq, then ENTER.
Now we generate a certificate signing request that we will give to our certificate authority for signing. Be sure to replace the domain names with your domain. Go ahead and change the Organizational Unit, Organization, and Country as well.
sapgenpse get_pse -p SAPSSLS.pse -r hanaradeio.csr -k GN-dNSName:your-domain-or-ip.com "CN=your-domain-or-ip.com, OU=HANA, O=RADE, C=US"
Let's verify that we have a valid request:
openssl req -text -noout -in hanaradeio.csr
Open the .csr file and carefully copy all characters. Your certificate authority will have a section for you to paste a signing request and get a certificate in return. In my case, GoDaddy looks like this:
It may take a few minutes to process but eventually your certificate authority will have a file for you to download that will contain your certificate and possibly additional intermediate and/or root certificates.
Next, SAP will require the intermediate and root certificates of the certificate authority. Your CA makes these available publicly. In my case, GoDaddy has a repository of certificates available when I login to my account.
vi godaddy_chain.pem
We need to create a single file with both the intermediate and root certificates together. Be sure to include the intermediate first, then the root. Save the file by pressing ESC, then :wq, then ENTER.
vi hanaradeio.crt
Create the file and carefully copy the contents of the certificate (.pem or .crt) received from the CA and paste it into the file. Save the file by pressing ESC, then :wq, then ENTER.
Import the certificate into the PSE.
sapgenpse import_own_cert -p SAPSSLS.pse -c hanaradeio.crt -r godaddy_chain.pem
Finally we need to import the certificate to the XSA server. To do that we need the key which can be exported from the PSE.
sapgenpse export_p12 -p SAPSSLS.pse -C 0 SAPSSLS.p12
sudo openssl pkcs12 -in SAPSSLS.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > hanaradeio.key
Due to a bug, we need to import the certificates to XSA in reverse order, starting with root, then intermediate, and finally the server certificate. Create a file with the certificates in this order.
vi combinedcerts_rev.pem
Save the file by pressing ESC, then :wq, then ENTER.
Now set the certificate for XSA:
xs set-certificate your-domain-or-ip.com -k hanaradeio.key -c combinedcerts_rev.pem
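The bundle assembly just described (root, then intermediate, then server certificate) together with the checks worth running before `xs set-certificate`, as an added shell example that is not part of the original post. It assumes the openssl command line tool and the post's own file names (hanaradeio.crt, godaddy_chain.pem with the intermediate first and the root last, hanaradeio.key); it never touches the PSE or XSA itself.

```shell
#!/bin/sh
# Added example (not from the original post). Builds combinedcerts_rev.pem in the
# root -> intermediate -> server order XSA needs, and checks that the key, the
# server certificate and the CA chain actually belong together before they are
# handed to `xs set-certificate`. Assumes the openssl CLI is installed.
set -e

# Split a PEM bundle $1 into numbered files $2 + "1.pem", $2 + "2.pem", ...
# Text before the first BEGIN line (e.g. "subject=" headers) is dropped.
split_pem() {
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                 n > 0 { out = p n ".pem"; print > out }' "$1"
}

# Write $3 as: last cert of chain $2 (the root), back to the first cert of $2
# (the intermediate), followed by the server certificate $1.
build_rev_chain() {
  tmp=$(mktemp -d)
  split_pem "$2" "$tmp/c"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$2")
  : > "$3"
  i=$n
  while [ "$i" -ge 1 ]; do
    cat "$tmp/c$i.pem" >> "$3"
    i=$((i - 1))
  done
  cat "$1" >> "$3"
  rm -rf "$tmp"
}

# Succeeds when certificate $1 and private key $2 carry the same public key,
# i.e. hanaradeio.key really is the key that was exported from the PSE.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)" ]
}

# Succeeds when $1 is self-signed, i.e. a root and not an intermediate.
is_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeeds when the server certificate $1 chains to a root through CA file $2.
# Fails if the intermediate is missing from $2, which XSA would also reject.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Typical use after sourcing the file: `build_rev_chain hanaradeio.crt godaddy_chain.pem combinedcerts_rev.pem`, then `key_matches_cert hanaradeio.crt hanaradeio.key && chain_verifies hanaradeio.crt godaddy_chain.pem` before running `xs set-certificate`.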
At this point, you can bounce the XSA server with the following command:
xs restart
However, I prefer to do a full system restart. Be patient and let the system come up with the new certificates in place. Once the server is up you can SSH into the server, become hxeadm, then use the command below to list the URLs for the WebIDE, the Cockpit, and the other services and applications to be accessed.
In our next post, we'll deploy a Fiori Launchpad to house a collection of apps to be built in future blog posts.
Hi Shaun,
very nice post! I have some suggestions to optimize the configuration a bit:
Thanks a lot and best regards,
Andreas
Andreas
Thank you so much for tips on streamlining the config! I like to keep the process as clean and simple as possible and will incorporate your changes.
Very nice post. I used this, the comment of Andreas and note 2487120 to secure my HANA Express server on SP04. I successfully tested the result with an online SSL check. Thanks!
Next year I will use it again 😉
Shaun … Thanks for the great blog.
Can't wait for the series to continue
Shawn Williams very helpful post
For all who are on a local network: You may sign the Certificate Sign Request yourself (with your ca.crt / ca.key file). Make sure to
Example crt generation:
openssl x509 -req -days 360 -in hanaradeio.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out hanaradeioV3.crt -extfile localhost.cnf -extensions v3_req
#
# localhost.cnf
#
[ req ]
prompt = no
distinguished_name = server_distinguished_name
req_extensions = v3_req
[ server_distinguished_name ]
commonName = YourServerName
stateOrProvinceName = BW
countryName = DE
emailAddress = your-email@posteo.net
organizationName = YourOrganization
organizationalUnitName = Security
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = localhost
DNS.1 = YourServerName