Shaun Williams

Installing HANA Express 2.0 and XSA: Configuration

This blog post is a part of a larger series. You can navigate the series here:

Deployment Options
Installation
Configuration

In this post we’ll perform some additional tasks to ensure the environment is accessible and secure. The system will not be usable until after the following key tasks are performed:

Hostname & URL: We want our installation to be accessible on the internet under our own domain name, so we need to change the system configuration to reflect the new name.
Upgrade SAPCRYPTOLIB: SAPCRYPTOLIB is used to manage secure stores, certificates, etc. The version that ships with the HANA Express install has a bug that is resolved in version 8.5.26+. We need to update to the latest version so we can import our SSL certificates correctly.
SSL Certificates: In order to communicate securely with the server we need SSL certificates. We will create a Certificate Signing Request and have it signed by a CA such as GoDaddy. The certificate will then need to be imported into the SAP Secure Store as well as XSA.

Rename the Host & URL

The default installation is not designed to be accessible from the internet. It has a local hostname & API URL that we can modify by editing a file and restarting the system.

sudo vi /hana/shared/HXE/global/hdb/custom/config/xscontroller.ini

Change the default_domain and api_url variables to reflect your domain name. The variables should look something like this:

default_domain = your-domain-or-ip.com
api_url = https://your-domain-or-ip.com:39030

Save the file by pressing ESC, then :wq, then ENTER.

Next we need to create a password file that can be used by the rename system process so that it knows the appropriate passwords for various accounts.

cd /tmp
vi pwd.xml

Include the following contents in the file and be sure to change the text in the brackets to specify your passwords for these accounts.

<?xml version="1.0" encoding="UTF-8"?>
<Passwords>
<password><![CDATA[your_password]]></password>
<source_password><![CDATA[your_source_password]]></source_password>
<system_user_password><![CDATA[your_system_user_password]]></system_user_password>
<sapadm_password><![CDATA[your_sapadm_password]]></sapadm_password>
</Passwords>

Save the file by pressing ESC, then :wq, then ENTER.

Now we need to stop the SAP HANA database, trigger the rename process, and bring the database back up. Make sure the -certificates_hostmap parameter is equal to your current hostname. Your current hostname was accepted as a default in the installation process and is your AWS public DNS name. This can be found by clicking on your instance in the EC2 Dashboard.

Be sure to replace your source and target domain name in the command below for the -certificates_hostmap parameter and fix the domain name in the -xs_domain_name parameter.

su -l hxeadm

HDB stop
exit

sudo cat ./pwd.xml | sudo /hana/shared/HXE/hdblcm/hdblcm --action=rename_system --nostart --skip_hostagent_calls -certificates_hostmap=ip-172-16-30-83.us-east-2.compute.internal=your-domain-or-ip.com -xs_domain_name=your-domain-or-ip.com --read_password_from_stdin=xml -b

Become hxeadm again and restart the database.

su -l hxeadm
HDB start

When the system comes up you still won’t be able to access much because we haven’t loaded the SSL certificates yet. We need to complete a few more tasks before accessing the system.

Upgrade SAPCRYPTOLIB

If we don’t update SAPCRYPTOLIB we will bang our heads against the wall trying to get the SSL certificates to work.

Exit to the local machine and update SAPCRYPTOLIB using the file downloaded from SAP Software Downloads.

exit

scp SAPCRYPTOLIBP_8530-20011697.SAR ec2-user@your-domain-or-ip.com:/tmp/SAPCRYPTOLIBP_8530-20011697.SAR

Now we need to log back in to the server, uncompress the image and copy the files to the correct location.

ssh ec2-user@your-domain-or-ip.com

su -l hxeadm
cd /tmp
/usr/sap/HXE/HDB90/exe/SAPCAR -xvf /tmp/SAPCRYPTOLIBP_8530-20011697.SAR

sudo cp sapgenpse /usr/sap/HXE/HDB90/exe/sapgenpse
sudo cp sapcrypto.lst /usr/sap/HXE/HDB90/exe/sapcrypto.lst
sudo cp libsapcrypto.so /usr/sap/HXE/HDB90/exe/libsapcrypto.so
sudo cp libslcryptokernel.so /usr/sap/HXE/HDB90/exe/libslcryptokernel.so
sudo cp libslcryptokernel.so.sha256 /usr/sap/HXE/HDB90/exe/libslcryptokernel.so.sha256
sudo cp sapcrypto.mf /usr/sap/HXE/HDB90/exe/sapcrypto.mf

Install SSL Certificates

Of the full end-to-end installation and configuration process, the SSL certificates portion is the most variable component of the tutorial and the most likely place where your situation will differ from mine. If you have any issues, this is where they will probably happen. I'll be using GoDaddy and hopefully your experience is similar.

We will start by making a backup of the secure store where SAP stores the security keys and other encrypted info.

cd $SECUDIR
mv SAPSSLS.pse SAPSSLS.pse.OLD

Next, we need to create a few files that will be used in command line parameters in upcoming steps.

The first file we will call test.conf:

vi test.conf

Paste the following text into the file and be sure to change the domain name to match your domain with the SSL certificate.

[SAN]
subjectAltName = @alt_names
[alt_names]
DNS.1=your-domain-or-ip.com

Save the file by pressing ESC, then :wq, then ENTER.

Now we generate a certificate signing request that we will give to our certificate authority for signing. Be sure to replace the domain names with your domain. Go ahead and change the Organizational Unit, Organization, and Country as well.

sapgenpse get_pse -p SAPSSLS.pse -r hanaradeio.csr -k GN-dNSName:your-domain-or-ip.com "CN=your-domain-or-ip.com, OU=HANA, O=RADE, C=US"

Let’s verify that we have a valid request:

openssl req -text -noout -in hanaradeio.csr

Open the .csr file and carefully copy all characters. Your certificate authority will have a section for you to paste a signing request and get a certificate in return. In my case, GoDaddy looks like this:

It may take a few minutes to process but eventually your certificate authority will have a file for you to download that will contain your certificate and possibly additional intermediate and/or root certificates.

Next, SAP will require the intermediate and root certificates of the certificate authority. Your CA makes these available publicly. In my case, GoDaddy has a repository of certificates available when I log in to my account.

vi godaddy_chain.pem

We need to create a single file with both the intermediate and root certificates together. Be sure to include the intermediate first, then the root. Save the file by pressing ESC, then :wq, then ENTER.

vi hanaradeio.crt

Create the file and carefully copy the contents of the certificate (.pem or .crt) received from the CA and paste it into the file. Save the file by pressing ESC, then :wq, then ENTER.

Import the certificate into the PSE.

sapgenpse import_own_cert -p SAPSSLS.pse -c hanaradeio.crt -r godaddy_chain.pem

Finally we need to import the certificate into the XSA server. To do that we need the private key, which can be exported from the PSE.

sapgenpse export_p12 -p SAPSSLS.pse -C 0 SAPSSLS.p12

sudo openssl pkcs12 -in SAPSSLS.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > hanaradeio.key

Due to a bug, we need to import the certificates to XSA in reverse order, starting with the root, then the intermediate, and finally the server certificate. Create a file with the certificates in this order.

vi combinedcerts_rev.pem

Save the file by pressing ESC, then :wq, then ENTER.

Now set the certificate for XSA:

xs set-certificate your-domain-or-ip.com -k hanaradeio.key -c combinedcerts_rev.pem
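Before running the import commands above, the script below, an added example that is not part of the original post, checks that the exported key, the signed certificate and the chain file fit together and writes combinedcerts_rev.pem in the root, intermediate, server order XSA expects. File names follow the post; the toy root/intermediate/server PKI it generates for a stand-alone run is constructed for demonstration and stands in for the real CA.

```shell
#!/bin/sh
# Added example (not from the original post): checks hanaradeio.key, hanaradeio.crt and
# godaddy_chain.pem fit together, then writes combinedcerts_rev.pem (root, intermediate, server).
split_pem() {  # $1 PEM file, $2 empty dir: writes 1.pem..N.pem in file order, prints N
  awk -v d="$2" '/-BEGIN CERTIFICATE-/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  ls "$2" | grep -c '\.pem$'
}
dn() { openssl x509 -in "$1" -noout "$2" | sed 's/^[^=]*=//'; }  # $2 is -subject or -issuer
build_reversed_bundle() {  # $1 server cert, $2 chain (intermediate then root), $3 output file
  dir=$(mktemp -d); n=$(split_pem "$2" "$dir"); : > "$3"
  while [ "$n" -ge 1 ]; do cat "$dir/$n.pem" >> "$3"; n=$((n - 1)); done
  cat "$1" >> "$3"; rm -rf "$dir"
  grep -c -- '-BEGIN CERTIFICATE-' "$3"   # prints the number of blocks written
}
check_hana_cert_bundle() {  # $1 domain, $2 private key, $3 server cert, $4 chain file
  domain=$1 key=$2 crt=$3 chain=$4
  openssl x509 -in "$crt" -noout -text | grep -qF "DNS:$domain" ||
    { echo "FAIL: no subjectAltName entry for $domain in $crt"; return 1; }
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "FAIL: $key does not belong to $crt"; return 1; }
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
    { echo "FAIL: $key is readable by group/other; chmod 600 it"; return 1; }
  dir=$(mktemp -d); n=$(split_pem "$chain" "$dir"); rc=1
  if [ "$(dn "$crt" -issuer)" != "$(dn "$dir/1.pem" -subject)" ]; then
    echo "FAIL: first entry of $chain did not issue $crt (intermediate must come first)"
  elif [ "$(dn "$dir/$n.pem" -subject)" != "$(dn "$dir/$n.pem" -issuer)" ]; then
    echo "FAIL: last entry of $chain is not a self-signed root"
  elif ! openssl verify -CAfile "$dir/$n.pem" -untrusted "$chain" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not verify against $chain"
  else
    echo "OK: $crt, $key and $chain are consistent for $domain"; rc=0
  fi
  rm -rf "$dir"; return $rc
}
make_demo_pki() {  # $1 dir, $2 domain: constructed toy root/intermediate/server PKI (not a real CA)
  d=$1; dom=$2; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$dom" -keyout "$d/hanaradeio.key" -out "$d/hanaradeio.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$dom" > "$d/srv.ext"   # the CA must carry the SAN into the signed cert
  openssl x509 -req -in "$d/hanaradeio.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial -days 1 -extfile "$d/srv.ext" -out "$d/hanaradeio.crt" 2>/dev/null
  chmod 600 "$d/hanaradeio.key"   # the post's sed pipeline leaves the exported key world-readable
  cat "$d/int.crt" "$d/root.crt" > "$d/godaddy_chain.pem"   # intermediate first, then root, as in the post
}
demo=$(mktemp -d); make_demo_pki "$demo" hxe.example.test   # stand-alone run on the toy PKI
check_hana_cert_bundle hxe.example.test "$demo/hanaradeio.key" "$demo/hanaradeio.crt" "$demo/godaddy_chain.pem"
build_reversed_bundle "$demo/hanaradeio.crt" "$demo/godaddy_chain.pem" "$demo/combinedcerts_rev.pem"
```

On the real server, run check_hana_cert_bundle against your own hanaradeio.key, hanaradeio.crt and godaddy_chain.pem from $SECUDIR before importing; a FAIL line names the file that needs fixing.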

At this point, you can bounce the XSA server with the following command:

XSA restart

However, I prefer to do a full system restart. Be patient and let the system come up with the new certificates in place. Once the server is up you can SSH into the server, become hxeadm, then use the command below to list the URLs for the Web IDE, the Cockpit, and other services and applications to be accessed.

In our next post, we’ll deploy a Fiori Launchpad to house a collection of apps to be built in future blog posts.

      5 Comments
      Andreas Schoesser

      Hi Shaun,

      very nice post! I have some suggestions to optimize the configuration a bit:

      • You only need to configure the 'default_domain' property in xscontroller.ini to expose XSA applications on a different domain. The api_url property will be set automatically when XSA starts up.
      • The command 'xs set-certificate' can take .pse files. So, no need to export the key and certificate chain from the PSE and reverse the order, just call 'xs set-certificate --pse SAPSSLS.pse' to upload the signed certificate to XSA.
      • The command to restart XSA is 'XSA restart'

      Thanks a lot and best regards,

      Andreas

      Shaun Williams
      Blog Post Author

      Andreas

      Thank you so much for tips on streamlining the config! I like to keep the process as clean and simple as possible and will incorporate your changes.

      Vladimir Hilderink

      Very nice post. I used this, the comment of Andreas and note 2487120 to secure my HANA Express server on SP04. I successfully tested the result with an online ssl-check. Thanks!

      Next year I will use it again 😉

      Henrik Damhøj Andersen

      Shaun … Thanks for the great blog.

      Can't wait for the series to continue

      Thorsten Niehues

      Shaun Williams, very helpful post

      • Helps understand and fixes the Certificate Issue
      • Easy to follow

      For all who are on a local network: You may sign the Certificate Sign Request yourself (with your ca.crt / ca.key file). Make sure to

      • Use Version 3
      • Fill "Subject Alternative Name" (it is in the CSR file but not always generated into the CRT file)
      • Use the Server.crt as "intermediate" and the ca.crt as "root" certificate

      Example crt generation:

      openssl x509 -req -days 360 -in hanaradeio.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out hanaradeioV3.crt -extfile localhost.cnf -extensions v3_req

      #
      # localhost.cnf
      #

      [ req ]
      prompt = no
      distinguished_name = server_distinguished_name
      req_extensions = v3_req

      [ server_distinguished_name ]
      commonName = YourServerName
      stateOrProvinceName = BW
      countryName = DE
      emailAddress = your-email@posteo.net
      organizationName = YourOrganization
      organizationalUnitName = Security

      [ v3_req ]
      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      subjectAltName = @alt_names

      [ alt_names ]
      DNS.0 = localhost
      DNS.1 = YourServerName