SSL in SAP HANA 2.0

This document provides a comprehensive guide on configuring TLS/SSL for secure communication in SAP HANA 2.0, specifically for a single-host system. It details prerequisites, configuration steps for both server and client, and emphasizes the importance of encrypted communication for various connections. The guide also includes instructions for managing certificates and trust stores to ensure secure client-server interactions.

How to Configure TLS/SSL in SAP HANA 2.0

PUBLIC

Document Version : 1.0 – November 2018


DOCUMENT HISTORY

Document version   Description
1.0                First official release of this guide

TABLE OF CONTENTS

DOCUMENT HISTORY
BEFORE YOU START
SCENARIO 1: SINGLE-HOST SAP HANA SYSTEM
  Prerequisites
  Assumptions
  Configuration on the server
  Configuration on the client

SAP HANA supports encrypted communication for all client-server (external) communication and
internal communication. SAP recommends using encrypted communication channels where possible.

The aim of this document is to describe one way of configuring secure communication (TLS/SSL) in typical
installation scenarios. The initial scenario described is an SAP HANA system installed on a single host with
incoming connections from SQLDBC and HTTP clients for database and administrative access.

BEFORE YOU START

We recommend that you read the following chapters in SAP HANA Security Guide:

• SAP HANA Network and Communication Security

• Certificate Management in SAP HANA

SCENARIO 1: SINGLE-HOST SAP HANA SYSTEM

TLS/SSL is to be configured for incoming connections to SAP HANA from:


• Database clients via the SQL interface (port 3xx13/3xx15), e.g. SAP HANA studio, SAP HANA cockpit
• SAP HANA cockpit/studio via SAP start service ("sapstartsrv") (port 5xx13/5xx14)
• SAP HANA database lifecycle manager via SAP Host Agent (port 1128/1129)
• Web applications via XS advanced application server (ports used depend on XSA routing mode)
• XS advanced server via the SQL interface (port 3xx13/3xx15)
• Web applications via the XS classic server (port 43xx)
Note: SAP HANA XS classic and the SAP HANA repository have been deprecated since SAP HANA 2.0
SPS 02. See SAP Note 2465027.

Prerequisites
• Tools: sapgenpse and OpenSSL.
Both are available on the server host (sapgenpse is shipped with the database, e.g. in /usr/sap/<sid>/HDB<instance>/exe)
• <sid>adm and "root" access to server host
• XSA_ADMIN access to the XSA server
• For cockpit client-side configuration: COCKPIT_ADMIN access to the XSA server of the cockpit system

Assumptions
• You are using file-based trust stores (PSEs).
Note: An in-memory trust store (or "certification collection") can alternatively be used for external SQL
communication (port 3xx13/3xx15).
See: Certificate Management in SAP HANA in the SAP HANA Security Guide.
• All databases in the system can share the same keys and certificate. Tenant database isolation is not
required.

• You want to use the same certificate on all interfaces listed above.

Configuration on the server

I. Create the server's public and private key pair, and public-key certificate
Logged on to the SAP HANA host as <sid>adm:
1. Use sapgenpse to generate a PSE file (e.g., cert.pse) containing a new key pair, together with a certificate signing request whose common name (CN) and subject alternative name (SAN) are the server's fully qualified host name:
sapgenpse gen_pse -p cert.pse -r csr.txt -k GN-dNSName:<HOSTNAME with FQDN> "CN=<HOSTNAME with FQDN>, O=<organization>, C=<country>"
Note: Repeat the -k option for every FQDN under which clients reach the host; clients that validate the server certificate compare the host name they connect to with these SAN entries.
Note: Do not password protect the PSE file (leave the PIN empty when prompted).
2. Have the certificate signing request (csr.txt) signed by a trusted Certificate Authority (CA).
If possible, select "pkcs7" as the output format, as this includes the CA certificates together with the server certificate.
3. Copy the content returned by the CA to a new file on the server, e.g. cert.p7b.
4. Import the signed certificate into the server PSE:
sapgenpse import_own_cert -p cert.pse -c cert.p7b
Note: If the CA response does not contain all CA certificates of the chain (root and intermediates), pass each missing CA certificate with the -r option.
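Two checks around steps 1 and 4, added here as an example and not part of the SAP guide: a small shell script that builds the gen_pse command with one -k option per FQDN, and that verifies from the output of openssl pkcs7 -print_certs that the CA response carries the whole chain before it is imported with import_own_cert. The host names, organization and the sample CA output are constructed; -x "" (empty PIN) is the sapgenpse option that corresponds to leaving the PSE unprotected.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: build the gen_pse command for
# several FQDNs and check a CA response (.p7b) for a complete chain before
# running `sapgenpse import_own_cert`. openssl is needed for real .p7b
# files only; the parsing itself needs nothing but awk.

# gen_pse_cmd PSE CSR ORG COUNTRY FQDN...
# Prints the sapgenpse gen_pse command: the first FQDN becomes the CN and
# every FQDN gets its own -k GN-dNSName: option. -x "" sets an empty PIN,
# which is what "do not password protect the PSE" amounts to.
gen_pse_cmd() {
    pse=$1 csr=$2 org=$3 country=$4
    shift 4
    cn=$1
    cmd="sapgenpse gen_pse -p $pse -r $csr -x \"\""
    for h in "$@"; do
        cmd="$cmd -k GN-dNSName:$h"
    done
    printf '%s "CN=%s, O=%s, C=%s"\n' "$cmd" "$cn" "$org" "$country"
}

# chain_gaps: read the subject=/issuer= lines printed by
# `openssl pkcs7 -print_certs -noout` from stdin and print every issuer DN
# for which the bundle has no certificate with that subject. No output means
# the chain is complete up to a self-signed root (whose issuer is itself).
chain_gaps() {
    awk '
        /^subject=/ { s = substr($0, 9); sub(/^ +/, "", s); subj[s] = 1; next }
        /^issuer=/  { i = substr($0, 8); sub(/^ +/, "", i); iss[i] = 1; next }
        END { for (i in iss) if (!(i in subj)) print i }
    '
}

# check_p7b FILE: returns 0 if FILE (PEM or DER PKCS#7) carries a complete
# chain, 1 otherwise; missing issuers are listed on stderr.
check_p7b() {
    certs=$(openssl pkcs7 -in "$1" -print_certs -noout 2>/dev/null) ||
        certs=$(openssl pkcs7 -inform DER -in "$1" -print_certs -noout) || return 1
    gaps=$(printf '%s\n' "$certs" | chain_gaps)
    [ -z "$gaps" ] && return 0
    printf 'missing CA certificate(s) in %s:\n%s\n' "$1" "$gaps" >&2
    return 1
}

# Constructed sample of what a two-level PKI response looks like once it has
# been printed by openssl (server certificate, intermediate, root).
SAMPLE_COMPLETE='subject=CN = hana01.example.com, O = Example, C = DE
issuer=CN = Example Issuing CA, O = Example, C = DE
subject=CN = Example Issuing CA, O = Example, C = DE
issuer=CN = Example Root CA, O = Example, C = DE
subject=CN = Example Root CA, O = Example, C = DE
issuer=CN = Example Root CA, O = Example, C = DE'

# The same response with the intermediate left out, as some CAs deliver it.
SAMPLE_LEAF_ONLY='subject=CN = hana01.example.com, O = Example, C = DE
issuer=CN = Example Issuing CA, O = Example, C = DE'

gen_pse_cmd cert.pse csr.txt Example DE hana01.example.com hana01
echo "gaps in complete bundle: [$(printf '%s\n' "$SAMPLE_COMPLETE" | chain_gaps)]"
echo "gaps in leaf-only bundle: [$(printf '%s\n' "$SAMPLE_LEAF_ONLY" | chain_gaps)]"
# On the server, against the real CA response: check_p7b cert.p7b
```

When check_p7b reports a gap, fetch the named CA certificate from the CA and pass it with -r to import_own_cert; importing a chain with a missing intermediate produces a PSE that clients with sslValidateCertificate=true will reject.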

II. Set newly created PSE as the server trust store for the various connections

i. For connections from JDBC/ODBC database clients on port 3xx13/3xx15 (SQLDBC)

These connections use the sapsrv.pse trust store of the SAP HANA system.

1. Shut down the SAP HANA system.

2. Logged on to the SAP HANA host as <sid>adm, copy the PSE created in step I (cert.pse) to /usr/sap/<SID>/HDB<instance-no>/<host>/sec ($SECUDIR) as sapsrv.pse, replacing the existing sapsrv.pse.
Note: Do not password protect the PSE file.

3. Restart the system.

Tip: For added security, you can configure single sign-on access to sapsrv.pse for the operating system user <sid>adm. To do so, before you restart the system:
1. Grant <sid>adm access to sapsrv.pse:
sapgenpse seclogin -p /usr/sap/<SID>/HDB<instance-no>/<host>/sec/sapsrv.pse -O <sid>adm
A credentials file (cred_v2) is created for the user.
2. Allow file access:
chmod 644 /usr/sap/<SID>/HDB<instance-no>/<host>/sec/sapsrv.pse
Note: The PSE holds the server's private key without a PIN, so mode 644 lets every local operating system user read it. All SAP HANA database processes run as <sid>adm, so restricting the file to its owner (chmod 600) is sufficient for the database itself; check that no other process on the host needs to read the file before you tighten it.

ii. For connections to the XS classic server from Web applications on port 43xx (HTTPS)

These connections use the SAPSSLS.pse trust store of the SAP HANA system.

Logged on to the SAP HANA host as <sid>adm, copy the PSE created in step I (cert.pse) to /usr/sap/<SID>/HDB<instance-no>/<host>/sec ($SECUDIR) as SAPSSLS.pse, replacing the existing SAPSSLS.pse.

Note: Do not password protect the PSE file.

Tip: For added security, you can configure single sign-on access to SAPSSLS.pse for the operating system user <sid>adm. To do so:
1. Grant <sid>adm access to SAPSSLS.pse:
sapgenpse seclogin -p /usr/sap/<SID>/HDB<instance-no>/<host>/sec/SAPSSLS.pse -O <sid>adm
Credentials are added to the existing credentials file (cred_v2) of the user.
2. Allow file access:
chmod 644 /usr/sap/<SID>/HDB<instance-no>/<host>/sec/SAPSSLS.pse

iii. For connections to SAP start service from SAP HANA cockpit/studio on port 5xx13/5xx14 (HTTPS)

These connections can be configured to use the SAPSSLS.pse trust store of the SAP HANA system.

Logged on to the SAP HANA host as <sid>adm:

1. Add the following line to the instance profile "/hana/shared/<SID>/profile/<SID>_HDB<instance-no>_<host>" after the line starting with SECUDIR:
ssl/server_pse=$(SAP_RETRIEVAL_PATH)/sec/SAPSSLS.pse
This is required because by default sapstartsrv looks for SAPSSLS.pse in /usr/sap/<SID>/<Instance>/sec rather than in the host-specific $SECUDIR.
2. Restart the sapstartsrv service:
sapcontrol -nr <instance-no> -function RestartService

iv. For connections to SAP Host Agent from the SAP HANA database lifecycle manager on port 1128/1129 (HTTPS)

These connections use the SAPSSLS.pse trust store of the SAP Host Agent.

Logged on to the SAP HANA host as a user with root credentials:

1. Copy the PSE created in step I (cert.pse) to /usr/sap/hostctrl/exe/sec/ as SAPSSLS.pse, replacing the default SAPSSLS.pse.
Note: Do not password protect the PSE file.
2. Delete the existing cred_v2 file in /usr/sap/hostctrl/exe/sec/.
3. Restart the SAP Host Agent:
/usr/sap/hostctrl/exe/hostexecstart -restart

Tip: For added security, you can configure single sign-on access to SAPSSLS.pse for the operating system user that runs the Host Agent (sapadm). To do so, before you restart the Host Agent:
1. Ensure that the Host Agent environment variable SECUDIR is set to /usr/sap/hostctrl/exe/sec.
2. Grant sapadm access to SAPSSLS.pse:
sapgenpse seclogin -p /usr/sap/hostctrl/exe/sec/SAPSSLS.pse -O sapadm
A credentials file (cred_v2) is created for the user.
3. Allow file access:
chmod 644 /usr/sap/hostctrl/exe/sec/SAPSSLS.pse

v. For connections to XSA applications and services from Web applications (HTTPS)

These connections use the certificates deployed to the default domain (default entry point to all
applications and services via the Platform Router).

Note: Ports used depend on XSA routing mode. See: Maintaining Application Routes in XS Advanced in
the SAP HANA Administration Guide and SAP Note 2245631.

Logged on to the SAP HANA host as <sid>adm:


1. Convert the server PSE (cert.pse from step I, installed as sapsrv.pse in $SECUDIR in step II.i) to PEM format:
a) Export the key pair and certificates in PKCS#12 transfer format:
sapgenpse export_p12 -p sapsrv.pse sapsrv.p12
b) Create a key file:
openssl pkcs12 -nodes -nocerts -in sapsrv.p12 -out sapsrv.key
c) Create a certificate file:
openssl pkcs12 -nodes -nokeys -in sapsrv.p12 -out sapsrv.pem
Note: Because of -nodes, sapsrv.key contains the private key unencrypted. Restrict it to its owner (chmod 600 sapsrv.key) and delete sapsrv.p12, which is not needed once the two files exist.
2. Install the PEM file in XSA:
XSA online:
1. As <sid>adm, log on to the server host and connect to the XS command line interface as the XSA_ADMIN user:
xs-admin-login
2. Check the domain:
xs domains
3. Set the certificate and private key:
xs set-certificate <domain> -c /usr/sap/<SID>/HDB<instance-no>/<host>/sec/sapsrv.pem -k /usr/sap/<SID>/HDB<instance-no>/<host>/sec/sapsrv.key
4. Restage or restart the applications, or restart XSA.
XSA offline:
Set the certificate and private key:
XSA set-certificate --cert /usr/sap/<SID>/HDB<instance-no>/<host>/sec/sapsrv.pem --key /usr/sap/<SID>/HDB<instance-no>/<host>/sec/sapsrv.key
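Before handing sapsrv.key and sapsrv.pem to xs set-certificate, it is worth checking what the export produced. The following script is an added example, not from the SAP guide: it verifies that the key file is readable only by its owner, that the PEM bundle still carries the CA chain, and that key and certificate belong together. File names are placeholders; the demonstration at the end uses constructed files, and key_matches_cert needs openssl.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: sanity checks on the files that
# `sapgenpse export_p12` and `openssl pkcs12 -nodes` leave in $SECUDIR
# before they are handed to `xs set-certificate`. Paths are placeholders.

# owner_only FILE: 0 if group and others have no permission bits at all
# (mode 600 or stricter), 1 otherwise. Parses ls -l so it works with both
# GNU and BSD userland.
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# cert_count FILE: number of certificates in a PEM bundle. sapsrv.pem should
# hold the server certificate plus the CA certificates from the PKCS#12
# export (count > 1); a count of 1 means the chain was lost on the way.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# key_matches_cert KEY CERT: 0 if the private key belongs to the first
# certificate in CERT (public keys are compared in PEM form), 1 otherwise.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# check_export KEY CERT: run all three checks, print one line each and
# return the number of failed checks.
check_export() {
    fails=0
    if owner_only "$1"; then echo "ok   $1 is readable by its owner only"
    else echo "FAIL $1 is readable by group/others; run: chmod 600 $1"; fails=$((fails+1)); fi
    n=$(cert_count "$2")
    if [ "$n" -gt 1 ]; then echo "ok   $2 contains $n certificates (server + CA chain)"
    else echo "FAIL $2 contains $n certificate(s); the CA chain is missing"; fails=$((fails+1)); fi
    if key_matches_cert "$1" "$2"; then echo "ok   private key matches $2"
    else echo "FAIL private key in $1 does not match $2"; fails=$((fails+1)); fi
    return $fails
}

# Demonstration on constructed files (no real key material involved).
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' \
               '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' > "$tmp/chain.pem"
: > "$tmp/key"
chmod 644 "$tmp/key"
owner_only "$tmp/key" && echo "key is private" || echo "key is readable by others (mode 644)"
echo "certificates in chain.pem: $(cert_count "$tmp/chain.pem")"
rm -rf "$tmp"
# On the server: check_export "$SECUDIR/sapsrv.key" "$SECUDIR/sapsrv.pem"
```

The owner check matters because openssl writes sapsrv.key with the caller's umask, which on most hosts yields 644, i.e. the XSA platform router's private key readable by every local account.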

vi. For connections from XSA to the database on port 3xx13/3xx15 (SQL)

1. As <sid>adm, log on to the server host and connect to the XS command line interface as the XSA_ADMIN user:
xs-admin-login
2. Import the server's certificate file (sapsrv.pem, created in step v) as a trusted certificate into XSA for the SAP HANA service broker:
xs trust-certificate -c /usr/sap/<SID>/HDB<instance-no>/<host>/sec/sapsrv.pem --hana-broker
3. In an SQL console, log on to the system database and configure SAP HANA XS advanced to open TLS-encrypted database connections by changing the following parameter:
alter system alter configuration ('xscontroller.ini','SYSTEM') set ('communication','jdbc_ssl') = 'true' with reconfigure;

Note: You need the system privilege INIFILE ADMIN.
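Once all PSEs are in place, each listener should be checked from the outside. The script below is an added example, not part of the SAP guide: it derives the TLS endpoints of a single-host system from the instance number and, for each one, fetches the presented certificate with openssl s_client, compares its SHA-256 fingerprint with that of sapsrv.pem and checks that the host name clients use is covered by the certificate's subject alternative names. Instance number 00, hana01.example.com and the sample openssl output are constructed; the live check needs openssl and network access to the host.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: after the PSEs are in place,
# confirm that every listener of the scenario presents the new certificate
# and that the certificate covers the host name clients connect to.
# Host name, instance number and fingerprint are placeholders.

# hana_tls_endpoints INSTANCE HOST: one "HOST:PORT description" line per
# TLS listener of a single-host system, ports derived as in the guide.
hana_tls_endpoints() {
    inst=$1 host=$2
    printf '%s:3%s13 SQL, system database\n'  "$host" "$inst"
    printf '%s:3%s15 SQL, tenant database\n'  "$host" "$inst"
    printf '%s:5%s14 sapstartsrv (HTTPS)\n'    "$host" "$inst"
    printf '%s:1129 SAP Host Agent (HTTPS)\n'  "$host"
    printf '%s:43%s XS classic (HTTPS)\n'      "$host" "$inst"
}

# san_names: print the DNS names found in `openssl x509 -text` output read
# from stdin, one per line (the CN alone is not enough for modern clients).
san_names() {
    grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# covers HOST: 0 if HOST is among the DNS names read from stdin.
covers() {
    san_names | grep -qx -- "$1"
}

# fingerprint FILE: SHA-256 fingerprint of the certificate in FILE.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_endpoint HOST:PORT EXPECTED_FP: fetch the certificate presented at
# HOST:PORT (SNI set to HOST), compare its fingerprint and SAN coverage.
check_endpoint() {
    ep=$1 want=$2 host=${1%%:*}
    pem=$(openssl s_client -connect "$ep" -servername "$host" </dev/null 2>/dev/null |
          openssl x509 2>/dev/null) ||
        { echo "FAIL $ep: no certificate (TLS not enabled or port closed)"; return 1; }
    got=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
    [ "$got" = "$want" ] || { echo "FAIL $ep: fingerprint $got, expected $want"; return 1; }
    printf '%s\n' "$pem" | openssl x509 -noout -text | covers "$host" ||
        { echo "FAIL $ep: certificate SAN does not cover $host"; return 1; }
    echo "ok   $ep"
}

# Constructed excerpt of `openssl x509 -text` output for the SAN check.
SAMPLE_TEXT='            X509v3 Subject Alternative Name:
                DNS:hana01.example.com, DNS:hana01, IP Address:10.0.0.5'

hana_tls_endpoints 00 hana01.example.com
printf '%s\n' "$SAMPLE_TEXT" | covers hana01.example.com && echo "SAN covers hana01.example.com"
printf '%s\n' "$SAMPLE_TEXT" | covers hana01.corp.example.com || echo "SAN does not cover hana01.corp.example.com"

# Live run on the server once the PSEs are installed (not executed here):
#   want=$(fingerprint "$SECUDIR/sapsrv.pem")
#   hana_tls_endpoints 00 hana01.example.com | while read -r ep _; do check_endpoint "$ep" "$want"; done
```

A fingerprint mismatch on the sapstartsrv port usually means the ssl/server_pse profile parameter from step iii is missing and the service still serves its default PSE; a mismatch on 1129 means the Host Agent was not restarted after the copy.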

Configuration on the client

ODBC clients
1. Add the public-key certificate of the server or the root certificate of its CA to the trust store used by the client.
2. Set the relevant connection properties for secure communication to the server (encrypt, sslTrustStore, sslValidateCertificate). Note that sslValidateCertificate is what ties the connection to the trust store; with it off, the client accepts any server certificate and only the transport is encrypted.
See: Client-Side TLS/SSL Connection Properties (ODBC) in the SAP HANA Security Guide.
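As an added example (not from the SAP guide), the following script lints the TLS properties of an SAP HANA data source in odbc.ini. The two DSNs are constructed: [HDB_WEAK] encrypts but accepts any server certificate, [HDB] validates against an explicit trust store; driver path and trust store path are placeholders.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: a lint for the TLS-related
# properties of an SAP HANA ODBC data source in odbc.ini. DSN names, driver
# and trust store paths are placeholders.

# lint_hana_dsn DSN: read an odbc.ini from stdin, look at section [DSN] and
# print one finding per weakness; no output means the DSN is acceptable.
# Keys and values are matched case-insensitively.
lint_hana_dsn() {
    awk -v dsn="$1" '
        /^[[:space:]]*\[/ {
            sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
            in_dsn = (tolower(sec) == tolower(dsn)); next
        }
        in_dsn && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            prop[tolower(key)] = tolower(val)
        }
        END {
            if (prop["encrypt"] != "true")
                print "encrypt is not true: the connection is sent in clear text"
            if (prop["sslvalidatecertificate"] != "true")
                print "sslValidateCertificate is not true: any server certificate is accepted, so the trust store is never consulted"
            else if (prop["ssltruststore"] == "")
                print "sslTrustStore is not set: make the trusted CA file explicit"
        }
    '
}

# Constructed odbc.ini: [HDB_WEAK] is what a quick test setup tends to look
# like, [HDB] is the hardened version of the same data source.
ODBC_INI='[HDB_WEAK]
Driver=/usr/sap/hdbclient/libodbcHDB.so
ServerNode=hana01.example.com:30015
encrypt=true
sslValidateCertificate=false

[HDB]
Driver=/usr/sap/hdbclient/libodbcHDB.so
ServerNode=hana01.example.com:30015
encrypt=true
sslCryptoProvider=openssl
sslTrustStore=/usr/sap/hdbclient/trust/example-root-ca.pem
sslValidateCertificate=true'

echo "[HDB_WEAK]:"; printf '%s\n' "$ODBC_INI" | lint_hana_dsn HDB_WEAK
echo "[HDB]:";      printf '%s\n' "$ODBC_INI" | lint_hana_dsn HDB
# Against a real file: lint_hana_dsn HDB < /etc/odbc.ini
```

The weak variant is the one most often left behind after troubleshooting: traffic is encrypted, so it passes a packet-capture check, but an attacker on the path can present any certificate and read the session.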

SAP HANA studio, including connections via SAP start service


1. Import the public-key certificate of the server or the root certificate into the relevant Java keystore.
2. Configure the relevant connection properties for the system in the studio.
See: Configure TLS/SSL for SAP HANA Studio Connections in the SAP HANA Administration Guide.

SAP HANA cockpit, including connections via SAP start service


1. Import the public-key certificate of the server or the root certificate into the XSA trust store of the cockpit
system using the xs CLI command xs trust-certificate.
See: Import a Certificate for Encrypted Communication in the SAP HANA Administration Guide.
2. Configure the relevant configuration properties for the resource in the cockpit manager.
See: Register a Resource in the SAP HANA Administration Guide.

SAP HANA database lifecycle manager (connection via SAP host agent)
Import the public-key certificate of the server or the root certificate into your browser.

XSA applications
• For XSA applications running on the local SAP HANA system: Import the public-key certificate of the server or the root certificate into the browser.
• For XSA applications running on a remote system (e.g. SAP HANA cockpit): Upload the public-key certificate of the server or the root certificate into the XSA runtime environment of the remote system using the xs CLI command xs trust-certificate.
See:
• Maintaining Trust Certificates in XS Advanced in the SAP HANA Administration Guide.
• SAP Note 2300943

XSC applications
Import the public-key certificate of the server or the root certificate into the browser.


© 2018 SAP SE or an SAP affiliate company. All rights reserved.

