Prepare SAP HANA Server for SSL

The CommonCryptoLib and OpenSSL (if you are using a self-signed certificate) are required on the HANA server. These are normally installed along with your HANA installation.

CommonCryptoLib (libsapcrypto.so) is installed by default as part of SAP HANA server installation at $DIR_EXECUTABLE.

[screenshot: $DIR_EXECUTABLE listing]

Check OpenSSL.

[screenshot: openssl version check]

Certificates stored in the file system are contained in database-specific personal security environments or PSEs (default $SECUDIR/sapsrv.pse).

Navigate to $SECUDIR.

[screenshot: $SECUDIR listing]

This ensures all the prerequisites are met and all environment variables are properly set.

  1. Create the PSE and the server certificate request using SAPGENPSE.

     [screenshot: SAPGENPSE output]

     Important note:
     • Do not enter a password when prompted for the PSE PIN/passphrase, as it is not supported!
     • Also, to secure internal communication, the canonical name should be host specific, e.g. CN="<hostname_with_domain>". So when creating the private CA on each host, the CN parameter will be unique.

     This creates two files:

     [screenshot: the two new files in $SECUDIR]

  2. Create the root certificate for this host.

     [screenshot: openssl root certificate creation]

     Here you can use the pass phrase that you want. You now have two more files in the directory:

     [screenshot: CA key and certificate files in $SECUDIR]

  3. Sign the certificate request. You can get the certificate signed by a CA, but since this is just for a demo, we will sign the certificate using openssl.

     [screenshot: openssl signing output]

     A new file with the name sapsrv.pem will be created in the same directory, $SECUDIR.

     [screenshot: sapsrv.pem in $SECUDIR]

     With this step you have the certificate ready that can be used on client machines. In the next blog we will see how to use this certificate to log in to the HANA database via HANA Studio using SSL.

  4. Import the server certificate into the PSE.

     [screenshot: SAPGENPSE import output]

     Note that the PSE file has a new timestamp after the certificate is added.

     [screenshot: updated timestamp of sapsrv.pse]
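As an added example (not code from the original post), the four steps above as one bash script. It assumes sapgenpse and openssl are on the PATH and $SECUDIR is exported, as they are for the <sid>adm user on a HANA host, and that the PSE is the default sapsrv.pse; the request, CA key and CA certificate file names (sapsrv.req, CA_Key.pem, CA_Cert.pem) are my own choices. Nothing is executed until you call hana_ssl_prepare with the host's FQDN.

```shell
#!/bin/bash
# Added example, not from the original post. Scripted version of the
# sapgenpse/openssl steps described above. Assumes: sapgenpse and openssl on
# PATH, SECUDIR exported, PSE name sapsrv.pse (HANA default). File names
# sapsrv.req, CA_Key.pem and CA_Cert.pem are assumptions of this script.

# Subject for the server PSE. The CN must be the host's FQDN so that every
# host in the landscape gets its own, unique certificate.
pse_subject() {
    # $1: fully qualified host name (defaults to `hostname -f`)
    local fqdn="${1:-$(hostname -f)}"
    printf 'CN=%s\n' "$fqdn"
}

# Prerequisite check: SECUDIR set to a directory, sapgenpse and openssl found.
# Returns 0 when everything is present, 1 otherwise (listing what is missing).
check_prereqs() {
    local ok=0
    [ -d "${SECUDIR:-}" ]               || { echo "SECUDIR not set or not a directory" >&2; ok=1; }
    command -v sapgenpse >/dev/null 2>&1 || { echo "sapgenpse not on PATH" >&2; ok=1; }
    command -v openssl   >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; ok=1; }
    return "$ok"
}

# $1: host FQDN, $2: certificate validity in days (default 365)
hana_ssl_prepare() {
    local fqdn="$1" days="${2:-365}"
    check_prereqs || return 1
    cd "$SECUDIR" || return 1

    # Step 1: PSE plus certificate request. -x "" sets an empty PIN, because
    # a PSE PIN is not supported for the HANA server PSE.
    sapgenpse gen_pse -p sapsrv.pse -x "" -r sapsrv.req "$(pse_subject "$fqdn")"

    # Step 2: private root CA for this host. openssl prompts for the CA key
    # pass phrase; choose any pass phrase you want (it protects CA_Key.pem only).
    openssl req -new -x509 -newkey rsa:2048 -days "$days" \
        -keyout CA_Key.pem -out CA_Cert.pem -subj "/CN=${fqdn}-CA"

    # Step 3: sign the request with the demo CA -> sapsrv.pem in $SECUDIR
    openssl x509 -req -days "$days" -in sapsrv.req \
        -CA CA_Cert.pem -CAkey CA_Key.pem -CAcreateserial -out sapsrv.pem

    # Step 4: import the signed certificate and the CA certificate into the PSE
    sapgenpse import_own_cert -p sapsrv.pse -x "" -c sapsrv.pem -r CA_Cert.pem

    # Verify the PSE now carries the expected owner (CN=<fqdn>)
    sapgenpse get_my_name -p sapsrv.pse -x ""
}

# Stand-alone use: ./hana_ssl_prepare.sh --run [fqdn]
if [ "${1:-}" = "--run" ]; then
    hana_ssl_prepare "${2:-$(hostname -f)}"
fi
```

Run it as <sid>adm so that $SECUDIR points at the instance's own security directory; the CA key produced in step 2 is only a demo CA, so the client-side trust set up in the next blog should be replaced by your organisation's CA certificate in production.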

 

Important SAP Notes:

2487639 – HANA Basic How-To Series – HANA and SSL – MASTER KBA

2183363 – Configuration of SAP HANA internal network

2009483 – PSE Management in Web Administration Interface of SAP Web Dispatcher

2487698 – HANA Basic How-To Series – HANA and SSL – establishing a secured ODBC/JDBC connection using HANA Studio

2416525 – Single SSL Certificate with FQDN configuration for HANA Scaled out / MDC in HANA Studio


AWS Certified Solution Architect – Points to remember (VPC)

Virtual private cloud.

VPC Limitations

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.

NAT gateways are ideal for instances which need an outgoing internet connection, for example for patching, but no incoming connection from the internet.

Bastion hosts (which are in a public subnet) should be used to connect to the instances in your private subnet.

Another way to connect to a server in a private subnet is to have a direct VPN connection.

You don't have to

 

What exactly does “Program Not Registered” mean?

Many times we come across RFC connections of type TCP/IP which are not working or suddenly stop working with the infamous error “Program not registered”:

Logon Connection Error
Error Details Error when opening an RFC connection
Error Details ERROR: program <program id> not registered
Error Details LOCATION: SAP-Gateway on host xxxxx / sapgwxx
Error Details DETAIL: TP xxxxx not registered
Error Details COMPONENT: SAP-Gateway

An external program should always register on the gateway of the SAP application to be able to establish connectivity, in the same way that the SLD registers itself using the RFCs SLD_UC or SLD_NUC.

For example, an ESB program like WSO2 should register on the gateway using connectors (normally .jar files). While registering, it will use details of the application/server such as gateway host, gateway service, Program ID, user name, password, etc.

Once this program is registered you should be able to see it under the logged-on clients in transaction SMGW. You should see the program you registered under TP Name. Once this is done, you are ready to create the required TCP/IP RFC using the same Program ID under TP Name.

[screenshot: SMGW logged-on clients]

[screenshot: SMGW entry showing the registered TP Name]

If you are not able to see this TP Name registered, check the connectivity from your third-party server to the SAP gateway host by doing a telnet to the gateway port.

If this works, it could be that your gateway ACL parameters are blocking the connection.

Check your profile parameters gw/acl_mode, gw/sec_info and gw/reg_info, etc., and adjust them accordingly.
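An added example (not from the original post) that scripts the two checks just described: whether the gateway port is reachable from the registering host, and which ACL parameters the instance profile sets. It assumes the usual mapping of sapgwNN to TCP port 33NN, uses bash's /dev/tcp instead of telnet, and reads a plain instance profile file; the profile excerpt in demo_profile is constructed for the example and its paths are placeholders.

```shell
#!/bin/bash
# Added example, not part of the original post. Helpers for diagnosing
# "program not registered": (1) is the gateway port reachable from the host
# that should register, (2) which gateway ACL parameters are set in the
# instance profile. Assumes sapgwNN listens on TCP port 33NN (SAP default).

# Gateway port for "sapgwNN": 3300 + instance number (sapgw00 -> 3300).
gw_port() {
    local inst="${1#sapgw}"
    printf '%d\n' $((3300 + 10#$inst))
}

# TCP reachability check without telnet, via bash's /dev/tcp. Returns 0 if the
# port accepts a connection within $3 seconds (default 5), non-zero otherwise.
gw_reachable() {
    local host="$1" port="$2" timeout_s="${3:-5}"
    timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Print the value of one profile parameter (e.g. gw/acl_mode) from a profile
# file; prints nothing if the parameter is not set. Last occurrence wins, as
# in the SAP profile semantics.
profile_param() {
    local param="$1" profile="$2"
    sed -n "s|^[[:space:]]*${param}[[:space:]]*=[[:space:]]*||p" "$profile" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Summarise the three ACL-relevant parameters for a profile.
gw_acl_summary() {
    local profile="$1" p v
    for p in gw/acl_mode gw/sec_info gw/reg_info; do
        v=$(profile_param "$p" "$profile")
        printf '%s=%s\n' "$p" "${v:-<not set>}"
    done
}

# Decision logic from the post: port unreachable -> network/firewall problem;
# port reachable but still not registered -> look at the ACL parameters.
# Usage: gw_check <gateway host> <sapgwNN> <instance profile>
gw_check() {
    local host="$1" gw="$2" profile="$3" port
    port=$(gw_port "$gw")
    if gw_reachable "$host" "$port"; then
        echo "gateway $host:$port reachable; if registration still fails, check the ACL parameters:"
    else
        echo "gateway $host:$port NOT reachable: fix network/firewall before looking at ACLs"
    fi
    gw_acl_summary "$profile"
}

# Constructed instance-profile excerpt for trying the helpers offline
# (placeholder SID and paths, not from a real system). Prints the temp file name.
demo_profile() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed profile excerpt (example only)
SAPSYSTEMNAME = XXX
INSTANCE_NAME = D00
gw/acl_mode = 1
gw/reg_info = /usr/sap/XXX/SYS/global/reg_info
EOF
    printf '%s\n' "$f"
}

# Stand-alone use: ./gw_check.sh <gateway host> <sapgwNN> [profile]
if [ $# -ge 2 ]; then
    gw_check "$1" "$2" "${3:-$(demo_profile)}"
fi
```

With gw/acl_mode = 1 and no gw/reg_info set, the gateway applies its restrictive default and only local registrations are allowed, which is exactly the situation where the port answers but the program still shows as not registered; in that case add a reg_info entry for the program ID and registering host (version 2 syntax, `P TP=<program id> HOST=<registering host> ACCESS=<allowed hosts> CANCEL=<registering host>` under a `#VERSION=2` header) rather than switching the ACL mode off.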

2104408 – Checklist for “program <program ID> not registered” errors

 

Could not open app – SAP Fiori

In continuation of my previous blog, cannot load tile – SAP Fiori, I continue discussing the other error we faced after the upgrade of the S/4HANA system from 1511 to 1610.

“Could not open app. Please try again later”.


Troubleshooting steps:

Ensure that the following steps are taken care of after the upgrade:

  1. Review OSS note 2346431 – SAP S/4HANA 1610: Release Information Note (https://launchpad.support.sap.com/#/notes/0002346431) and apply all the recommended notes mentioned for the target FPS/SPS level you just upgraded to. As a suggestion, apply all SAP_ABA, SAP_BW and SAP_BASIS notes to both frontend and backend, while S4CORE notes are only for the backend.
  2. Ensure that the report /UI5/APP_INDEX_CALCULATE is scheduled and running; if not, schedule and run the job.
  3. Ensure that the report /UI2/GET_APP_DESCR_REMOTE is scheduled and running; if not, schedule and run the job.
  4. Ensure the following reports are also run on the frontend server:
    a. /UI2/CHIP_SYNCHRONIZE_CACHE
    b. /UI2/DELETE_CACHE_AFTER_IMP

If this does not solve your issue, jump to next steps:

Create RFC destinations as per SAP Note 2269272 and replicate the app descriptors from the back-end system.

Check again if your app works. If not continue with next steps:

Compare the app details from the app launcher with the details in the SAP Fiori Apps Reference Library.

The app launcher URL looks like:

<http/https>://mys4hanasystem:<HTTP/HTTPS port>/sap/bc/ui5_ui5/sap/arsrvc_upb_admn/main.html

In the app launcher, you should find the OData service (/n/iwfnd/maint_service) and ICF service (SICF) details for the app; both should be active on the frontend server:

[screenshot: app launcher showing the app's OData and ICF services]

Ensure that the SICF services are active and you are able to test them successfully, and also that the OData service is active and mapped to the right system alias.

OData:

[screenshot: OData service in /n/iwfnd/maint_service]

Note: The service here points to the local system alias, as my frontend and backend are configured on the same application server. Please check the correctness of the alias to be used in your landscape.

SICF:

[screenshot: ICF service in SICF]

If you are not able to find the services for the app, it's time for an incident towards SAP.

Please let me know if this solves your issues or if you have any questions in the comments below.