Skip to Content
Technical Articles
Author's profile photo Piotr Tesny
Piotr Tesny
July 1, 2021 3 minute read

SAP HANA XS with HTTPS.

Due to popular demand, this blog post shows the steps required to install a custom, CA-signed SSL certificate in the SAPSSLS.pse PSE store.

(And you may need it with any XS classic HTTPS application with InA protocol.)
Good to know:

Disclaimer:

  • This is not a tutorial on SAP HANA installation or administration. For official guidance and documentation please goto official SAP HANA PLATFORM pages.
  • Images/data in this blog post is from SAP internal sandbox, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Putting it all together

Typically when installing SAP HANA 2.x or deploying a pre-installed version of SAP HANA database, the SSL certificates in different PSE stores are self-signed.

And eventually, thanks to the built-in SAP HANA XS webdispatcher, both HTTP (port 80xx) and HTTPS (port 43xx) communications are possible.

SAP HANA workbench editor.

This is to make sure the INA package is present and is activated.

http://<FQDN>:80xx/sap/hana/ide/
http://<FQDN>:80xx/sap/hana/ide/editor/

Configure SAPSSLS.pse PSE store certificate.

SAP HANA webdispatcher.

Goto SAP HANA XS webdispatcher admin cockpit:

http://<FQDN>:80xx/sap/hana/xs/wdisp/admin/public/default.html

Initially the SAPSSLS.pse PSE store will show the default and most likely self-signed SSL certificate as depicted below

In order to allow for signed SSL HTTP connections with SAP HANA, we will need to replace that certificate with a new one signed by a CA of your choice.

 

Steps:

  1. Recreate PSE
  2. Replace the Distinguished Name (DN) with the DN of the new certificate
  3. Create CA Request (CSR)
  4. Import CA Response

 

Certificate Signing Request (redacted)

CSR:
 
-----BEGIN CERTIFICATE REQUEST-----
MIICtDCCAZwCAQAwbzELMAkGA1UEBhMCREUxDDAKBgNVBAoTA1NBUDEcMBoGA1UE
................................................................
qtdk8i18R2UkLWaZoxTUJJ5Z7zfe87RO
-----END CERTIFICATE REQUEST-----

You will need to have access to a CA (Certificate Authority) and sign the CSR.

The screenshot below is only for illustration purposes.

Please note that we shall need to import the certificate chain.

Sign the CSR with your global CA (Certificate Authority) 
for instance:
https://getcerts.<xxxxxxxxx>/request/sapnetca_base64.html

The redacted certificate chain is shown below:

-----BEGIN PKCS7-----
MIIS9AYJKoZIhvcNAQcCoIIS5TCCEuECAQExADALBgkqhkiG9w0BBwGgghLJMIIG
NDCCBBygAwIBAgIQZCMUYlW/2Mrgho7hFsvEUzANBgkqhkiG9w0BAQsFADBEMQsw
................................................................
kgmxuxXGNYD1UxAK3i48iDVR9KT73tR13K5wleDwC0+h76GaBWwrgSlYJEkqBoJm
rMY441SHzIjoZHrw8mudhOZtFpzNSw92aGc2r7A0mILgT+jDlVYljbFR6HKbaYWx
IHcL7dwe+QgzeJH+jDWYNv7fG0YREMitRUcvDTHgZ20RZ5xD3uxyTQQdWU4568SQ
IAkIDQSEMQA=
-----END PKCS7-----

 

 

Step 4. Import CA Response

Click on Import CA Response button above and copy and paste the content of the PKCS7 certificate and click on the Import button to validate the import.

 

As a result the new and signed certificate has been imported into our PSE store.

From now on we can access HANA via HTTPS over port 43xx as depicted below:

https://<FQDN>:43xx/sap/hana/xs/wdisp/admin/public/default.html

 

__________

 

Additional resources

What’s New in the SAP HANA Platform 2.x

SAP HANA Administration Guide for SAP HANA Platform | PDF

SAP HANA Platform

SAP HANA trial

Get a Single Gateway to Your Enterprise Data with SAP HANA Cloud

OAuth2 Authentication using HANA XS – Basics (1) | SAP Blogs

OAuth2 Authentication using HANA XS – XS OAuth client lib calling Google’s API (2) | SAP Blogs

Assigned Tags

      2 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Daniela Betancourt
      Daniela Betancourt

      Hi,

       

      Great post!

      Do you know the process of adding SSL certificate from another server into the trust store and then connecting it to the httpdest of the external server ?  We've had issues with this configuration. We followed the steps on SAP help documentation but we're still getting errors

       

      Thanks!

       

      Daniela Betancourt

      Author's profile photo Piotr Tesny
      Piotr Tesny
      Blog Post Author

      Hello Daniela, Thanks for reading my blog;

      Back to your question. May you please narrow down your question and explain what you are trying to achieve? What is the nature of your SSL certificate? What is it for ?

      This blog is really dedicated to a very specific use case of uploading a CA-signed certificate to the XS engine of a SAP HANA 2.x system

      Assuming that you also use a SAP HANA 2.x OP system, are you using the xsjs cockpit or the new  XSA-based cockpit to manage your SAP HANA instance?

      In a nutshell, you could also import (upload) your SSL certificate from the above PSE Management Webdispatcher based interface if you know which PSE store it should go to. Or from the XSJS cockpit or from the XSA-cockpit.

      kind regards; Piotr