Technical Articles

November 23, 2020 3 minute read

Fixes to common issues on macOS when working with SAP HANA, express edition

With the introduction of Catalina version a year ago I started experiencing some new issues on my MacBook laptop when working with my existing instances of SAP HANA, express edition. These issues were consequences of the OS changes in the security area to protect casual users.

I see other users running into similar issues, so I would like to share with fixes I am using. If you have other tips, then please let me know in the comments!

NET::ERR_CERT_INVALID in Chromium-based web browsers

In Chromium-based web browsers (like Vivaldi, Brave, Chrome…) NET::ERR_CERT_INVALID is displayed, when opening any SAP HANA web application, like https://hxehost:39030.

The SAP HANA, express edition, is using self-signed certificate, but up to macOS 10.14 the page would be NET::ERR_CERT_AUTHORITY_INVALID. On Windows these web browsers still show NET::ERR_CERT_AUTHORITY_INVALID and you can see the link that allows you to accept the risk and to proceed to the page.

The reason for this behavior on macOS are the new security requirements for TLS server certificates in macOS 10.15: https://support.apple.com/en-us/HT210176

The solution might be to move to another browser, like Firefox, where you still can get a link to accept the risk and to move on.

But if you do not want to switch a browser and feel geeky (plus know what you are doing!), then there is a BYPASS_SEQUENCE built-in into the Chromium. This allows certificate errors “to be skippped by typing a secret phrase into the page.”: https://chromium.googlesource.com/chromium/src/+/refs/heads/master/components/security_interstitials/core/browser/resources/interstitial_large.js#15

The current sequence is dGhpc2lzdW5zYWZl, which is Base64 decoded. After encoding it says thisisunsafe. And this is what you need to type on the keyboard to get pass the certificate error message in the browser.

Please note that:

this bypass sequence is changing between different versions of Chromium, and
with great power comes great responsibility!

“file” cannot be opened because the developer cannot be verified

If you download an executable file from the Internet using a web browser, then you may run into that message trying to run it: “… cannot be opened because the developer cannot be verified. macOS cannot verify that this app is free from malware.”

It happens e.g. when downloading SAP HANA Client install from https://tools.hana.ondemand.com/#hanatools.

This happens because the macOS adds an extended attribute com.apple.quarantine to files.

You can spot files with extended attributes by @ character that follows permission flags when using ls -l. You can see these extended attributes using ls -l@.

If you trust the files you downloaded, then the quarantine tag can be removed using xattr -d command, like

xattr -d com.apple.quarantine hanaclient-latest-macosx-x64.tar.gz

These extra attributes are not assigned when downloading files using e.g. curl, like:

curl "https://tools.hana.ondemand.com/additional/hanaclient-latest-macosx-x64.tar.gz" \
 --output "hanaclient-latest-macosx-x64.tar.gz" \
 --header "Cookie: eula_3_1_agreed=tools.hana.ondemand.com/developer-license-3_1.txt"

Please note that:

by using command line tool this way you agree to the SAP Developer License Agreement: https://tools.hana.ondemand.com/developer-license-3_1.txt.

“Abort trap: 6”, or “Invalid dylib load”

Since Catalina was released, different Python programs have been crashing with “Abort trap: 6” if there programs use encrypted communication.

Detailed stack would mention: Invalid dylib load. Clients should not load the unversioned libcrypto dylib as it does not have a stable ABI.

I did not find the single comprehensive explanation. I relied on this one: https://bugs.python.org/issue38814#msg356779.

There were many different solutions proposed involving manual re-links. The one I found working for me was:

brew install openssl
export DYLD_FALLBACK_LIBRARY_PATH=/usr/local/opt/openssl/lib

Obviously you can skip openSSL installation, if it is already available in your OS.

I hope you find these fixes helpful…

…if ran into any of these issues.

And if you have any further details or different solutions, then please share them in the comments.

Stay healthy ❤️
-Vitaliy (aka @Sygyzmundovych)

5 Comments

You must be Logged on to comment or reply to a post.

Soi Keo The Thao BK8

November 24, 2020 at 2:30 am

tks for share

George Jambon

November 24, 2020 at 9:00 am

Thank you very much Witalij !

Your articles are always very relevant.

I have a question regarding curl on Mac OS. I would like to download the file with curl : https://softwaredownloads.sap.com/file/0020000001866242020 (HANA Client 2.6 PL 61 with SAP Cryptolib for Mac OS included).

Do you know which command should I use to download it with SAML issue?

Denys van Kempen

November 24, 2020 at 9:59 am

Thanks for the compilation, Witalij.

Very convenient.

Adding a previous post on the topic for interested readers that also covers some gotchas and time waisters.

https://blogs.sap.com/2020/03/18/sap-hana-sapcar-and-macos/

Basis Services Bundle ERP

November 24, 2020 at 12:01 pm

Thank you vey much.

Do you know if SAP plans to make Universal applications for HANA Client to support the new Macs that run on Apple Silicon (ARM processor)?

Daniel Van Leeuwen

November 24, 2020 at 7:17 pm

We have this requirement in our backlog. At this point we do not have a release date for this feature.

Regards,
Dan van Leeuwen