Prepare SAP HANA Server for SSL

CommonCryptoLib and OpenSSL (the latter only if you are using a self-signed certificate) are required on the HANA server. Both are normally installed along with your HANA installation.

CommonCryptoLib (libsapcrypto.so) is installed by default as part of the SAP HANA server installation, under $DIR_EXECUTABLE.

Check that OpenSSL is available.

Certificates stored in the file system are kept in database-specific personal security environments, or PSEs (default: $SECUDIR/sapsrv.pse).

Navigate to $SECUDIR.

Checking these locations confirms that all prerequisites are met and that the environment variables are set correctly.

  1. Create the PSE and the server certificate request using SAPGENPSE.

     Important notes:

     • Do not enter a password when prompted for the PSE PIN/passphrase; a PIN-protected PSE is not supported here.
     • To secure internal communication, the canonical name must be host-specific, e.g. CN="<hostname_with_domain>". When you create a private CA on each host, the CN parameter is therefore unique per host.

     This creates two files: the PSE and the certificate request.

  2. Create the root certificate for this host. Here you can use any passphrase you want.

     You now have two more files in the directory, for the root CA.

  3. Sign the certificate request. You can have the request signed by a CA, but since this is just a demo we sign it with openssl using the root certificate from step 2.

     A new file named sapsrv.pem is created in the same directory, $SECUDIR.

     With this step you have a certificate that can be used on client machines.
     In the next blog we will see how to use this certificate to log in to the HANA database via HANA Studio using SSL.

  4. Import the server certificate into the PSE. Note that the PSE file gets a new timestamp once the certificate has been added.
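The four steps above were shown as screenshots in the original post. The script below is an added example, not the blog author's commands: it reproduces the flow with the file names used above (CA_Key.pem, CA_Cert.pem, sapsrv.req, sapsrv.pem) and adds the check a practitioner wants before importing, namely that sapsrv.pem chains to the private CA and carries the host's own FQDN as CN. The sapgenpse invocations and their options (get_pse, import_own_cert, -x "" for the empty PIN, -r for the issuing CA certificate) are assumptions taken from SAP's documented usage and only run when sapgenpse is on the PATH; elsewhere the request is produced with openssl so the signing and verification part can be exercised on any machine.

```shell
#!/bin/sh
# Added example: private CA, request signing and pre-import verification for
# a HANA server certificate. Not the blog's own code; sapgenpse options are
# assumptions from SAP documentation and are used only if sapgenpse exists.

# Step 2: create a private root CA for this host. $1 = working directory
# (normally $SECUDIR), $2 = CN of the CA. The CA key may carry a passphrase;
# it is left unencrypted here so the example runs unattended.
make_ca() {
    openssl genrsa -out "$1/CA_Key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/CA_Key.pem" -subj "/CN=$2" \
        -days 3650 -out "$1/CA_Cert.pem"
}

# Step 1: PSE plus certificate request. $2 must be the host's own FQDN and
# the PIN is empty (-x "") because a PIN-protected PSE is not supported.
make_request() {
    if command -v sapgenpse >/dev/null 2>&1; then
        sapgenpse get_pse -p "$1/sapsrv.pse" -x "" -r "$1/sapsrv.req" "CN=$2"
    else
        # Fallback for machines without CommonCryptoLib: same request, no PSE.
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1/sapsrv.key" \
            -subj "/CN=$2" -out "$1/sapsrv.req" 2>/dev/null
    fi
}

# Step 3: sign the request with the private CA; produces sapsrv.pem.
sign_request() {
    openssl x509 -req -in "$1/sapsrv.req" -CA "$1/CA_Cert.pem" \
        -CAkey "$1/CA_Key.pem" -CAcreateserial -days 365 \
        -out "$1/sapsrv.pem" 2>/dev/null
}

# Check before importing: sapsrv.pem must chain to CA_Cert.pem and its CN
# must be exactly the FQDN that clients will connect to ($2).
verify_server_cert() {
    openssl verify -CAfile "$1/CA_Cert.pem" "$1/sapsrv.pem" >/dev/null 2>&1 || return 1
    cert_cn=$(openssl x509 -in "$1/sapsrv.pem" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p')
    [ "$cert_cn" = "$2" ]
}

# Step 4: import the signed certificate together with the CA certificate that
# issued it. Only meaningful on the HANA host (assumed sapgenpse syntax).
import_to_pse() {
    sapgenpse import_own_cert -p "$1/sapsrv.pse" -x "" \
        -c "$1/sapsrv.pem" -r "$1/CA_Cert.pem"
}

# Stand-alone run in a scratch directory: HANA_SSL_DEMO=1 sh prepare_ssl.sh
if [ "${HANA_SSL_DEMO:-0}" = "1" ]; then
    work=$(mktemp -d)
    host_fqdn=$(hostname -f 2>/dev/null || hostname)
    make_ca "$work" "private-ca.$host_fqdn"
    make_request "$work" "$host_fqdn"
    sign_request "$work"
    if verify_server_cert "$work" "$host_fqdn"; then
        echo "sapsrv.pem is valid for $host_fqdn"
    else
        echo "certificate check failed" >&2
    fi
    ls -l "$work"
fi
```

On the HANA host you would run the functions against $SECUDIR with the real FQDN and only call import_to_pse after verify_server_cert succeeds; a CN that differs from the hostname the clients use is exactly what breaks the host-specific internal communication the note above warns about.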


Important SAP Notes:

2487639 – HANA Basic How-To Series – HANA and SSL – MASTER KBA

2183363 – Configuration of SAP HANA internal network

2009483 – PSE Management in Web Administration Interface of SAP Web Dispatcher

2487698 – HANA Basic How-To Series – HANA and SSL – establishing a secured ODBC/JDBC connection using HANA Studio

2416525 – Single SSL Certificate with FQDN configuration for HANA Scaled out / MDC in HANA Studio


Install SSL certificates – STRUSTSSO2

Problem:

You receive the following error while applying an SSL certificate to your SAP Web Application Server:

CA certificate missing in database (or is not unique) Message no. TRUST057.

Cannot import certificate response.

Steps to Troubleshoot:

  • Verify your certificate request.

You can do this with any CA's CSR checker, for example Symantec's:

https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp

Generate the request in SAP (STRUSTSSO2):

[Screenshot: Generate CSR]

Paste the CSR into the checker:

[Screenshot: CSR check]

The main thing to check here is the Common Name. It must correspond exactly to the portal URL used by the end users.

In this example the certificate will only work with the portal name example.com. It will not work for http://www.example.com or media.example.com.

If the checker shows a Common Name other than the required one, delete the server PSE and create a new one with the correct CN.

Make sure that the SSL server's own certificate contains the portal name you connect to as CN, as well as the hostname (unless both are the same).

Use the following guidelines:

  • Country Name (C): the two-letter country code without punctuation, for example US or CA.
  • State or Province (S): spell out the state or province completely; do not abbreviate it, for example California.
  • Locality or City (L): the city or town name.
  • Organization (O): if your company or department has an &, @, or any other symbol typed with the shift key in its name, you must spell out the symbol or omit it to enrol.
  • Organizational Unit (OU): the name of the department or organizational unit making the request.
  • Common Name (CN): the host plus domain name, for example "www.example.com" or "example.com".

  • Get the right certificate chain.

Most of the time the signed certificate sent by the CA does not include the complete chain, i.e. the root and intermediate certificates.

These are generic certificates and are not specific to your application.

You can check this by opening the certificate in a text editor such as Notepad.

If you do not have the root and intermediate certificates, you can download them directly from the CA's website.

For example, Symantec certificates can be downloaded with below url:

https://knowledge.digicert.com/generalinformation/INFO4033.html#links

  • Import the certificate into SAP.

Now combine all three certificates into one file, in any order, and save it as a .CER file.

[Screenshot: combined certificate file]

Import the certificate into SAP. You can either use the file you created or paste its contents into the window.

[Screenshot: import certificate]

  • Restart the ICM.

For these changes to take effect, you must restart your ICM.

[Screenshot: restart ICM]

  • Verify the certificate.

The HTTPS connection can now be verified using the vendor portal or a third-party checker. Symantec's is used below:

https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp

[Screenshot: verify certificate]
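The two checks this section does by hand, comparing the CSR's Common Name with the portal URL and making sure the combined .CER file really contains the whole chain, can be scripted with openssl on the PEM text before anything is imported into STRUSTSSO2. The script below is an added example, not the blog author's code; the portal URL, program names and the constructed certificates in its usage note are assumptions. chain_complete works for a bundle in any order, as the section says, and names the issuer whose certificate is missing, which is the situation that produces TRUST057 on import.

```shell
#!/bin/sh
# Added example, not from the blog: pre-import checks for a STRUSTSSO2
# certificate request and for the combined .CER file (certificate + chain).

# Host part of a portal URL: https://portal.example.com:50001/irj -> portal.example.com
url_host() {
    printf '%s\n' "$1" | sed 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[/:].*$##'
}

# Common Name of a certificate signing request (PEM file in $1).
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# Returns 0 when the CSR's CN is exactly the host that users type into the
# browser ($2 = portal URL); otherwise reports the mismatch and returns 1.
check_csr_cn() {
    req_cn=$(csr_common_name "$1")
    want=$(url_host "$2")
    if [ "$req_cn" = "$want" ]; then
        echo "CN ok: $req_cn"
    else
        echo "CN mismatch: request has '$req_cn', portal URL needs '$want'" >&2
        return 1
    fi
}

# Returns 0 when every certificate in the combined .CER ($1) has its issuer
# in the same file (a root issues itself). A missing intermediate or root is
# reported by its name; the order of certificates in the file does not matter.
chain_complete() {
    cdir=$(mktemp -d)
    # Split the bundle into one file per certificate; text before the first
    # BEGIN line (some CAs add a readable header) is ignored.
    awk -v out="$cdir/c" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (out n ".pem")}' "$1"
    if [ ! -e "$cdir/c1.pem" ]; then
        echo "no certificates found in $1" >&2
        rm -rf "$cdir"
        return 1
    fi
    : > "$cdir/subjects"
    for f in "$cdir"/c*.pem; do
        openssl x509 -in "$f" -noout -subject -nameopt RFC2253 \
            | sed 's/^subject= *//' >> "$cdir/subjects"
    done
    chain_status=0
    for f in "$cdir"/c*.pem; do
        issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        if ! grep -qFx -- "$issuer" "$cdir/subjects"; then
            echo "issuer not in bundle: $issuer" >&2
            chain_status=1
        fi
    done
    rm -rf "$cdir"
    return $chain_status
}
```

Typical use: `check_csr_cn request.pem https://portal.example.com/irj` on the CSR exported from STRUSTSSO2, then `chain_complete combined.cer` on the file assembled from the CA response plus the downloaded intermediate and root; if the second check names an issuer, that is the certificate still to be appended before the import.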

What exactly does "Program Not Registered" mean?

Many times we come across RFC connections of type TCP/IP that do not work, or suddenly stop working, with the infamous error "Program not registered":

Logon Connection Error
Error Details Error when opening an RFC connection
Error Details ERROR: program <program id> not registered
Error Details LOCATION: SAP-Gateway on host xxxxx / sapgwxx
Error Details DETAIL: TP xxxxx not registered
Error Details COMPONENT: SAP-Gateway

An external program must always register on the gateway of the SAP application server before connectivity can be established, just as the SLD registers itself using the RFC destinations SLD_UC or SLD_NUC.

For example, an ESB program such as WSO2 registers on the gateway using connectors (normally .jar files). When registering, it uses details of the application server such as gateway host, gateway service, Program ID, user name, password, etc.

Once the program is registered you should be able to see it under the logged-on clients in transaction SMGW.

You should see the program you registered under TP Name. Once this is done, you are ready to create the required TCP/IP RFC destination using the same Program ID as the TP name.

[Screenshot: SMGW logged-on clients]

If you cannot see this TP name registered, check the connectivity from your third-party server to the SAP gateway host by doing a telnet to the gateway port.

If that works, your gateway ACL parameters may be blocking the registration.

Check your profile parameters gw/acl_mode, gw/sec_info and gw/reg_info and adjust them accordingly.
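The registration ACL the last sentence refers to is the file named by gw/reg_info. The fragment below is an added example of what such an entry looks like, not content from the blog; WSO2_ESB and esb01.example.com are constructed placeholders for the Program ID and the ESB host. With gw/acl_mode = 1 a gateway without a reg_info file accepts registrations only from the system's own hosts, which is why a working telnet to the gateway port can still end in "program not registered".

```text
#VERSION=2
# Allow the ESB host to register the program ID WSO2_ESB. Only the system's
# own servers (internal) and the ESB host may use the registered program;
# only the system's own servers may cancel the registration.
P TP=WSO2_ESB HOST=esb01.example.com ACCESS=internal,esb01.example.com CANCEL=internal
# Deny every registration not explicitly permitted above.
D TP=*
```

After changing the file, re-read it from SMGW (Goto > Expert Functions > External Security > Reread) instead of restarting the instance, then check the logged-on clients list again for the TP name.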


Mass lock of SAP users

During any maintenance there is always a discussion about how to keep track of the users that were already locked beforehand.

The easiest way is SU10, but with it it is difficult to keep track of already-locked users.

For ECC systems (and also for S/4HANA), you can do this using transaction EWZ5.

Note that this is not available for other SAP applications.

The advantage of this method is that the application sets a flag for users that are already locked.

[Screenshot: EWZ5 user list]

You can now select the users who should not be locked (Euro Administrator) and save.

Click Lock user and all the users are now locked.

[Screenshot: EWZ5 after locking]

Notice that the Locked flag is still set for the users that were already locked.

[Screenshot: EWZ5 Locked flag]

If you do not select a Euro Administrator before locking the users, you get the warning message below.

[Screenshot: EWZ5 warning]

GDPR for SAP – Are you ready?

Everyone keeping track of the GDPR clock should already be gearing up for compliance, because the consequences of non-compliance could be damaging.

Under the new law, personal data of your customers can only be gathered legally under strict conditions, and processing, handling, archiving and deleting this data is also subject to strict rules.

We are part of Brexit! We do not have offices in EU countries! I do not know if this applies to us! By when should we be compliant?

You can find the answers to these questions in the FAQs and Timelines.

It applies to everyone who processes or uses any data of customers from the EU.

So even if you do not have an office in the EU but do business with EU customers, you are within the purview of GDPR.

When it comes to SAP, you should be thinking of, but not limited to, the following aspects of data:

  1. Any personal data of your customers must be secured. This ranges from their official title (CEO/CFO/Director etc.) to their postal code. Make informed decisions.
  2. Be prepared to secure the data already in your systems and prevent unauthorized access to it. Many think this applies only to production systems, which is incorrect: personal data in your pre-production, test, development and other systems is all considered sensitive.
  3. Data should be archived or deleted unless it is absolutely required, and archived data must be safeguarded from unauthorized access.

This is of course a complicated and time-consuming process. The good news is that there are already multiple tools on the market which can completely automate it.

Since we are talking about SAP, I would like to bring some of these tools to your notice, which can help you make your SAP systems compliant.

  1. Let's start with the basics and the most crucial aspect: check your authorization matrix. Ensure that only people who need access to personal data have it. Use tools like SAP GRC to control authorizations and to manage, mitigate and document risks.
  2. Protect the data in your non-production systems with strict authorization controls, and use tools that scramble test data there. Examples include SAP TDMS and Data Secure by EPI-USE; another interesting tool is the SAP Field Masking solution.
  3. Handle the data in your production system wisely: archive or delete data that is not necessary. Use tools like SAP ILM to manage the life cycle of your data.

The above are just some actions towards compliance. There is much more to it than using the tools, such as appointing a Data Protection Officer (DPO), obtaining legal advice, etc.

Please share your experience regarding GDPR in the comments.