CommonCryptoLib and OpenSSL (if you are using a self-signed certificate) are required on the HANA server. They are normally already installed along with your HANA installation.
CommonCryptoLib (libsapcrypto.so) is installed by default as part of SAP HANA server installation at $DIR_EXECUTABLE.
Certificates stored in the file system are contained in database-specific personal security environments or PSEs (default $SECUDIR/sapsrv.pse).
Navigate to $SECUDIR
This ensures all the prerequisites are met and all environment variables are properly set.
- Create the PSE and Server Certificate Requests Using SAPGENPSE
- Do not enter a password when prompted for the PSE PIN/passphrase, as it is not supported!
- Also, to secure internal communication, the canonical name should be host-specific, e.g. CN="<hostname_with_domain>". When creating a private CA on each host, the CN parameter will therefore be unique.
This creates two files:
- Create the root certificate for this host. Here you can use any passphrase you want.
You now have two more files in the directory:
- Sign the certificate request. You can get the certificate signed by a CA, but since this is just a demo, we will sign the certificate using OpenSSL.
A new file named sapsrv.pem will be created in the same directory, $SECUDIR.
With this step, you have a certificate ready to be used on client machines.
In the next blog we will see how to use this certificate to login to HANA Database via HANA Studio using SSL.
- Import the server certificate into the PSE. Note that the PSE file has a new timestamp once the certificate has been added.
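As an added example (not from the original post): the OpenSSL signing step followed by two checks worth running before the import, namely that the signed certificate chains to the private CA and that its CN is exactly the host's FQDN. The file names ca_key.pem, ca_cert.pem and srv_key.pem, the host name hana01.example.internal and the openssl-generated stand-in request are assumptions; on a HANA host the request is the one SAPGENPSE produced.

```shell
#!/bin/sh
# Added example. Constructed names: ca_key.pem, ca_cert.pem, srv_key.pem,
# hana01.example.internal. On a HANA host the request file comes from
# SAPGENPSE; a stand-in request is generated with openssl here so the
# script runs on any machine.

# Build a private root CA in directory $1 and sign a request whose CN is $2.
make_demo_chain() {
    ( cd "$1" || exit 1
      # Root CA key and self-signed certificate. -nodes leaves the key
      # unencrypted so the demo is non-interactive; use a passphrase for real.
      openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=Demo Private Root CA" \
          -keyout ca_key.pem -out ca_cert.pem 2>/dev/null || exit 1
      # Stand-in for the certificate request created together with the PSE.
      openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
          -keyout srv_key.pem -out sapsrv.req 2>/dev/null || exit 1
      # Sign the request with the private CA; the result is sapsrv.pem.
      openssl x509 -req -in sapsrv.req -CA ca_cert.pem -CAkey ca_key.pem \
          -CAcreateserial -sha256 -days 365 -out sapsrv.pem 2>/dev/null )
}

# Pre-import checks. Returns 0 if both pass, 2 if the certificate does not
# chain to the CA, 3 if its subject is not exactly CN=<expected FQDN>.
check_server_cert() {   # $1 = CA cert, $2 = server cert, $3 = expected FQDN
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 2
    openssl x509 -in "$2" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | grep -qxF "CN=$3" || return 3
}

# Run the whole flow once in a throwaway directory.
demo_dir=$(mktemp -d)
if make_demo_chain "$demo_dir" hana01.example.internal &&
   check_server_cert "$demo_dir/ca_cert.pem" "$demo_dir/sapsrv.pem" \
       hana01.example.internal
then
    echo "sapsrv.pem chains to the private CA and carries the host CN"
fi
rm -rf "$demo_dir"
```

On the HANA host, point check_server_cert at your own CA certificate and the sapsrv.pem in $SECUDIR before importing it into the PSE.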
Important SAP Notes:
2487639 – HANA Basic How-To Series – HANA and SSL – MASTER KBA
2183363 – Configuration of SAP HANA internal network
2009483 – PSE Management in Web Administration Interface of SAP Web Dispatcher
2487698 – HANA Basic How-To Series – HANA and SSL – establishing a secured ODBC/JDBC connection using HANA Studio
2416525 – Single SSL Certificate with FQDN configuration for HANA Scaled out / MDC in HANA Studio