In this post you are going to learn how to enable X.509 client certificate authentication on your HANA system. X.509 certificates provide a convenient and secure way to authenticate users.
It is possible to use this mechanism in XS applications since HANA SP6.
I assume you have a good understanding of authentication mechanisms and know what you are doing (at least most of the time). Other than that, there are some things which also need to be in place before going ahead:
If you meet all those requirements, the setup is going to be a piece of cake.
First of all we need to configure the server. After that we create a user who authenticates with X.509. Last but not least we configure the XS application.
The first thing we need to do is to get the root certificate of your CA.
Using the SAP infrastructure, it can be retrieved via
In the following I assume the file name of this root certificate is SSO_CA.der.
In order to trust certificates issued by this CA, we need to configure the trust relations for both of our trust stores (Web Dispatcher [SAPSSL.pse] and XS Engine [sapsrv.pse]). Furthermore we need to enable client authentication in the Web Dispatcher profile.
This is how it can be done:
X509_enablement.sh
#!/bin/bash
##########################################
# Configure the script
##########################################
INSTANCE='<SID>'
INSTNO='<INSTANCE_NUMBER>'
HOST='<HANA_HOSTNAME_WITHOUT_DOMAIN>'
######### example
#INSTANCE='KCR'
#INSTNO='00'
#HOST='pall00539444a'
DIR_SECURITY_LIB="/usr/sap/$INSTANCE/SYS/global/security/lib"
DIR_SEC="/usr/sap/$INSTANCE/HDB$INSTNO/$HOST/sec"
WDISP_PROFILE="/usr/sap/$INSTANCE/HDB$INSTNO/$HOST/wdisp/sapwebdisp.pfl"
# the root certificate of the CA, downloaded beforehand into the current directory
cp SSO_CA.der "$DIR_SECURITY_LIB"
##########################################
# Web Dispatcher configuration
##########################################
# ask the browser for a client certificate (1 = requested but optional, 2 = required)
echo "
icm/HTTPS/verify_client = 1
" >> "$WDISP_PROFILE"
##########################################
# Trust relations
##########################################
echo 'ok, so now we will configure the trust relations'
# add the CA certificate to the PSE of the Web Dispatcher ...
"$DIR_SECURITY_LIB/sapgenpse" maintain_pk -p "$DIR_SEC/SAPSSL.pse" -a "$DIR_SECURITY_LIB/SSO_CA.der"
# ... and to the PSE of the XS engine
"$DIR_SECURITY_LIB/sapgenpse" maintain_pk -p "$DIR_SEC/sapsrv.pse" -a "$DIR_SECURITY_LIB/SSO_CA.der"
##########################################
# Restart the services
##########################################
# kill both processes so that they come up again with the new configuration
kill -9 "$(pidof sapwebdisp_hdb)"
kill -9 "$(pidof hdbxsengine)"
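The script above appends `icm/HTTPS/verify_client = 1` to the profile every time it runs, so a second run leaves a duplicate line behind. The bash helpers below are an added example, not part of the original post: they set a profile parameter idempotently and read the effective value back. They assume the profile holds one `key = value` per line (as sapwebdisp.pfl does) and that keys contain no regex metacharacters other than `/`; the profile used in the demonstration is a constructed temp file.

```shell
#!/bin/bash
# Added example (not from the original post): idempotent handling of
# parameters in a SAP profile such as sapwebdisp.pfl.
# Assumption: one "key = value" per line; keys contain no regex
# metacharacters other than "/" (true for icm/HTTPS/verify_client).

# Set KEY to VALUE in FILE: rewrite an existing definition, otherwise append.
set_profile_param() {
  local file="$1" key="$2" value="$3"
  if grep -qE "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# Print the effective value of KEY (the last definition wins), empty if unset.
get_profile_param() {
  local file="$1" key="$2"
  grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" | tail -n 1 \
    | sed -E 's/^[^=]*=[[:space:]]*//' | sed -E 's/[[:space:]]+$//'
}

# Report whether the Web Dispatcher asks the browser for a client certificate.
# icm/HTTPS/verify_client: 0 = never, 1 = requested but optional, 2 = required.
client_cert_mode() {
  case "$(get_profile_param "$1" icm/HTTPS/verify_client)" in
    1) echo optional ;;
    2) echo required ;;
    *) echo disabled ;;
  esac
}

# Demonstration on a constructed profile (a temp file, not a real system).
demo_profile=$(mktemp)
printf 'icm/server_port_0 = PROT=HTTPS,PORT=4300\nicm/HTTPS/verify_client = 0\n' > "$demo_profile"
set_profile_param "$demo_profile" icm/HTTPS/verify_client 1
set_profile_param "$demo_profile" icm/HTTPS/verify_client 1   # second run: no duplicate line
echo "client certificates: $(client_cert_mode "$demo_profile")"   # optional
```

With value 1, as used in the post, a browser without a certificate can still log on by other means; only value 2 makes the certificate mandatory at the Web Dispatcher.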
At this point the HANA server trusts the certificates being issued by the CA. This does not mean the end user is known to the HANA system.
So we create a user with the according authentication mechanism and make sure our XS application uses X.509.
Before finally testing our app, we need to ensure the certificate is installed in our Browser.
There are two ways to create such a user.
Using a SQL interface just send the following command to the engine:
CREATE USER <YOUR_USERNAME> WITH IDENTITY 'CN=<YOUR_USERNAME>, O=SAP-AG, C=DE' ISSUER 'CN=SSO_CA, O=SAP-AG, C=DE' FOR X509;
-- in my case
CREATE USER D042399 WITH IDENTITY 'CN=D042399, O=SAP-AG, C=DE' ISSUER 'CN=SSO_CA, O=SAP-AG, C=DE' FOR X509;
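The IDENTITY and ISSUER strings have to match the subject and issuer of the client certificate, so it is safer to derive them from the certificate than to type them. The bash functions below are an added example, not part of the original post: they take the two DNs in RFC 2253 form, as printed by `openssl x509 -in client.pem -noout -subject -issuer -nameopt RFC2253` (an assumption about your tooling), and emit the CREATE USER statement in the format used above, taking the user name from the CN. The DNs in the demonstration are constructed; values containing escaped commas are not handled.

```shell
#!/bin/bash
# Added example (not from the original post): build the
# CREATE USER ... FOR X509 statement from the DNs of a client certificate.
# Assumption: DNs are in RFC 2253 form ("CN=a,O=b,C=c"), optionally with the
# "subject=" / "issuer=" prefix that openssl prints. Escaped commas inside a
# value are not handled.

# Convert an RFC 2253 DN to the "CN=a, O=b, C=c" form used in the statements above.
hana_dn() {
  printf '%s' "$1" | sed -E 's/^(subject|issuer)=//; s/,[[:space:]]*/, /g'
}

# Extract the CN attribute of a DN; fails (exit 1) if there is none.
dn_cn() {
  local cn
  cn=$(hana_dn "$1" | tr ',' '\n' | sed -nE 's/^[[:space:]]*CN=(.*)$/\1/p' | head -n 1)
  [ -n "$cn" ] || return 1
  printf '%s' "$cn"
}

# Emit the CREATE USER statement. Arguments: subject DN, issuer DN and an
# optional user name (defaults to the subject CN).
x509_user_statement() {
  local subject="$1" issuer="$2" user="${3:-}"
  [ -n "$user" ] || user=$(dn_cn "$subject") || return 1
  printf "CREATE USER %s WITH IDENTITY '%s' ISSUER '%s' FOR X509;\n" \
    "$user" "$(hana_dn "$subject")" "$(hana_dn "$issuer")"
}

# Demonstration with constructed DNs (same values as the example in the post).
x509_user_statement 'subject=CN=D042399,O=SAP-AG,C=DE' 'issuer=CN=SSO_CA,O=SAP-AG,C=DE'
```

Because the whole DN string is compared, a certificate that is re-issued with a different attribute order or an extra attribute will no longer map to the user; regenerating the statement from the new certificate makes that visible before the logon fails.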
Using the Studio it can be done via:
In my case the certificate is installed in Windows, so Internet Explorer already has this certificate available. As I prefer Firefox, I am going to export it from IE and import it into Firefox.
In Windows there is a certificate export wizard, which you can start in two ways:
Internet Explorer
OR
Start->Run command (Windows button + 'R'): certmgr.msc
Once you have opened the 'Certificate Export wizard', you generally follow the default screens with following modifications:
So the next thing we want to do is: Import the certificate into Firefox.
If you see a success message, you will be able to present a valid client certificate to the server.
The chosen method of authentication depends on the system configuration and has to be configured in the runtime environment. To do so, we are going to leverage the XS Administrator.
In order to change the authentication of your XS application open the HANA XS administrator at
https://<FQHost>:43<InstNumber>/sap/hana/xs/admin/
Activate X.509 authentication via:
After changing the authentication method you can verify that it is used by opening your application. If you see the 'Certificate selection wizard', everything is working as expected:
If you do not see the wizard, there may be an open session somewhere. These things will help you to get rid of it:
This XSJS code may come handy as well:
// returns the name of the user the XS engine authenticated for this request
$.response.setBody(JSON.stringify({
    "username" : $.session.getUsername()
}));
Watch out, there is the so-called 'December bug' in SAP HANA XS SPS06 (revisions 64 up to 69.01): static resources activated in December are not returned via http(s). This particularly holds true for packages using SSO authentication (such as X.509).
Please refer to SAP Note 1950647 for details.
I hope this post was useful and enjoyable to you.
Enjoy your X.509 authentication and stay tuned for more.