Skip to Content
Technical Articles

SAP HANA XS with HTTPS.

Due to popular demand, this blog post shows the steps required to install a custom, CA-signed SSL certificate in the SAPSSLS.pse PSE store.

(And you may need it with any XS classic HTTPS application with InA protocol.)

Good to know:

Disclaimer:

  • This is not a tutorial on SAP HANA installation or administration. For official guidance and documentation please goto official SAP HANA PLATFORM pages.
  • Images/data in this blog post is from SAP internal sandbox, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Putting it all together

Typically when installing SAP HANA 2.x or deploying a pre-installed version of SAP HANA database, the SSL certificates in different PSE storesĀ are self-signed.

And eventually, thanks to the built-in SAP HANA XS webdispatcher, both HTTP (port 80xx) and HTTPS (port 43xx) communications are possible.

SAP HANA workbench editor.

This is to make sure the INA package is present and is activated.

http://<FQDN>:80xx/sap/hana/ide/
http://<FQDN>:80xx/sap/hana/ide/editor/

Configure SAPSSLS.pse PSE store certificate.

SAP HANA webdispatcher.

Goto SAP HANA XS webdispatcher admin cockpit:

http://<FQDN>:80xx/sap/hana/xs/wdisp/admin/public/default.html

Initially the SAPSSLS.pse PSE store will show the default and most likely self-signed SSL certificate as depicted below

In order to allow for signed SSL HTTP connections with SAP HANA, we will need to replace that certificate with a new one signed by a CA of your choice.

 

Steps:

  1. Recreate PSE
  2. Replace the Distinguished Name (DN) with the DN of the new certificate
  3. Create CA Request (CSR)
  4. Import CA Response

 

Certificate Signing Request (redacted)

CSR:
 
-----BEGIN CERTIFICATE REQUEST-----
MIICtDCCAZwCAQAwbzELMAkGA1UEBhMCREUxDDAKBgNVBAoTA1NBUDEcMBoGA1UE
................................................................
qtdk8i18R2UkLWaZoxTUJJ5Z7zfe87RO
-----END CERTIFICATE REQUEST-----

You will need to have access to a CA (Certificate Authority) and sign the CSR.

The screenshot below is only for illustration purposes.

Please note that we shall need to import the certificate chain.

Sign the CSR with your global CA (Certificate Authority) 
for instance:
https://getcerts.<xxxxxxxxx>/request/sapnetca_base64.html

The redacted certificate chain is shown below:

-----BEGIN PKCS7-----
MIIS9AYJKoZIhvcNAQcCoIIS5TCCEuECAQExADALBgkqhkiG9w0BBwGgghLJMIIG
NDCCBBygAwIBAgIQZCMUYlW/2Mrgho7hFsvEUzANBgkqhkiG9w0BAQsFADBEMQsw
................................................................
kgmxuxXGNYD1UxAK3i48iDVR9KT73tR13K5wleDwC0+h76GaBWwrgSlYJEkqBoJm
rMY441SHzIjoZHrw8mudhOZtFpzNSw92aGc2r7A0mILgT+jDlVYljbFR6HKbaYWx
IHcL7dwe+QgzeJH+jDWYNv7fG0YREMitRUcvDTHgZ20RZ5xD3uxyTQQdWU4568SQ
IAkIDQSEMQA=
-----END PKCS7-----

 

 

Step 4. Import CA Response

Click on Import CA Response button above and copy and paste the content of the PKCS7 certificate and click on the Import button to validate the import.

 

As a result the new and signed certificate has been imported into our PSE store.

From now on we can access HANA via HTTPS over port 43xx as depicted below:

https://<FQDN>:43xx/sap/hana/xs/wdisp/admin/public/default.html

 

__________

 

What’s New in the SAP HANA Platform 2.x

SAP HANA Administration Guide for SAP HANA Platform | PDF

SAP HANA Platform

SAP HANA trial

Get a Single Gateway to Your Enterprise Data with SAP HANA Cloud

 

Be the first to leave a comment
You must be Logged on to comment or reply to a post.