eason_chen
Product and Topic Expert

Overview

This guide shows you how to connect from an ABAP instance to HANA using SSL. The demo covers the steps for both the primary DB connection (hdbuserstore) and a secondary DB connection (T-code DBCO).
To avoid unnecessary ABAP downtime, it is recommended to first set up a secondary DB connection with SSL and only then switch the primary DB connection to SSL.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Host Details

  • HANA
    SID: HA2
    Instance number: 01
    Host: apj-1.openstack.ap-cn-1.cloud.sap
    Databases: SYSTEMDB@HA2, HA2@HA2
  • ABAP
    SID: HAR
    Instance number: 01
    Host: apj-b.openstack.ap-cn-1.cloud.sap

Reference documents

2475246 - How to configure HANA DB connections using SSL from ABAP instance
3168368 - After setting sslenforce as true in HANA database, the R3trans, transport in ABAP are failing
2846931 - HANA Basic How-To Series - HANA and SSL - establishing a secured ODBC/JDBC connection using HANA Studio fails with a reply of the IP Address instead of DNS
510007 - Additional considerations about setting up SSL on Application Server ABAP 
HANA secure network communication – part II | SAP Blogs

Prerequisite

SAPSSLC.pse (the Standard SSL Client PSE) has been created on the application server (T-code STRUST). The following guide can be consulted:
Creating the Standard SSL Client PSE

Steps to Follow

Set up the secondary DB connection

1. Log on to the HANA server
    1. Log on to apj-1.openstack.ap-cn-1.cloud.sap as the <sid>adm user.
    2. Export the HANA server certificate.
      1. For a file-based certificate:
        1. Export the own certificate of sapsrv.pse (the default PSE file used for ODBC connections).
        2. Command: cd $SECDIR
        3. Command: sapgenpse export_own_cert -o sapsrvown.crt -p sapsrv.pse
        4. Copy sapsrvown.crt from HANA to your local PC with WinSCP.
      2. For an in-database certificate:
        1. Open HANA Cockpit 2.0 and connect to your HANA system.
        2. Open "Certificate Collections".
        3. Click on the certificate collection with purpose "SSL" (if there is no certificate collection with purpose "SSL", follow the steps for a file-based certificate instead).
        4. Click on the certificate with function "Personal".
        5. Click on "Show PEM Representation".
        6. Save the content as sapsrvown.crt on your local PC.
2. Log on to the ABAP system with SAP GUI as a user who is authorized to run T-code STRUST, and import the HANA sapsrv certificate into the trust list of the ABAP SAPSSLC.pse. Note that SAPSSLC.pse must be modified with T-code STRUST, not with sapgenpse; otherwise it is rolled back to the last version saved in STRUST when ABAP is restarted.
    1. Switch to edit mode by clicking the Display/Change button.
    2. Double-click on the entry "SSL client SSL Client (Standard)". It shows that the Certificate List is empty.
    3. Click on "Import Certificate" and select sapsrvown.crt from your local PC.
    4. Click on "Add to Certificate List", so that the certificate is shown in the list.
    5. Click on the save button.
3. Create the DBCO connection to HANA:
    1. Launch T-code DBCO.
    2. Switch to edit mode and create a new connection with the following values:

       DB Connection: HA2SYSTEMDBSSL
       DBMS: HDB
       User Name: SYSTEM
       DB password: <PASSWORD>
       Conn.info: HOST=apj-1.openstack.ap-cn-1.cloud.sap:30113;CON_PARAM=ENCRYPT=TRUE,sslCryptoProvider=commoncrypto,sslKeyStore=SAPSSLC.pse,sslTrustStore=SAPSSLC.pse

4. Verify the connection
    1. Launch T-code SE38.
    2. Execute program ADBC_TEST_CONNECTION.
    3. Run the test for connection HA2SYSTEMDBSSL.
    4. Launch T-code ST11.
    5. Open the most recently updated dev_w** trace and check that the connection was established with SSL.
Steps to Follow (Primary DB connection)

First set up a secondary DB connection to the HANA tenant DB (using the indexserver port and the application user, e.g. SAP<SID>) with SSL enabled as described above, and make sure it works before touching the primary connection.

  1. Maintain the connection property in the ABAP system's DEFAULT.PFL with T-code RZ10:
    dbs/hdb/connect_property = CONNECTTIMEOUT=0, ENCRYPT=TRUE,sslCryptoProvider=commoncrypto,sslKeyStore=SAPSSLC.pse,sslTrustStore=SAPSSLC.pse
  2. The ABAP system must be restarted for the configuration to take effect.
  3. You can verify it by checking dev_w0 after starting ABAP.
Troubleshooting

Issue 1
  1. Symptom:
    Could not open connection HA2SYSTEMDBERR
    sql error 709- occured:

Connection failed (RTE:[300010] Cannot create SSL context: Error in api.SSL_CTX_set_default_pse_by_name /usr/sap/HAR/D01/sec/sapcli.pse - SSL error [4129]: Unknown error, General error: 0x00001021   SAPCRYPTOLIB   SSL_CTX_set_default_pse_by_name#SAPCRYPTO

  2. Analysis:
    Check the dev_w** trace; it shows the same SSL context error with the path of the PSE the client tried to open.
  3. Root Cause:
    sapcli.pse does not exist on the application server under /usr/sap/HAR/D01/sec/.
  4. Resolution:
    Use SAPSSLC.pse, which already exists in the system. It can be edited directly with STRUST and is the client PSE of the ABAP system.
    Set Conn.info:

HOST=apj-1.openstack.ap-cn-1.cloud.sap:30113;CON_PARAM=ENCRYPT=TRUE,sslCryptoProvider=commoncrypto,sslKeyStore=SAPSSLC.pse,sslTrustStore=SAPSSLC.pse

Alternatively, you could generate a new sapcli.pse in /usr/sap/HAR/D01/sec/ with sapgenpse.

Issue 2
  1. Symptom:

SSL certificate validation failed: host name '10.180.XXX.XXX' does not match names in certificate 'apj-b, apj-b.openstack.ap-cn-1.cloud.sap' (10.180.XXX.XXX:30015)

  2. Root Cause:
    The HANA server is addressed by IP address instead of by FQDN, so the host name check fails against the names in the server certificate.
  3. Resolution:
    1. Solution 1 (not safe):
      Set sslValidateCertificate=false in the connection property. This disables server certificate validation entirely: the connection is still encrypted, but the ABAP client no longer verifies which server it is talking to.

dbs/hdb/connect_property = CONNECTTIMEOUT=0, ENCRYPT=TRUE, sslValidateCertificate=false,sslCryptoProvider=commoncrypto,sslKeyStore=SAPSSLC.pse,sslTrustStore=SAPSSLC.pse

    2. Solution 2 (applicable if the IP address is static and will not change):
      Recreate sapsrv.pse on the HANA server with GN-iPAddress:10.180.XXX.XXX as a SAN.
      1. Create sapsrv.pse with GN-iPAddress:10.180.XXX.XXX for HANA.
        Note: when the PSE is created as a self-signed certificate, the SAN remains empty.
      2. Ask the CA to sign your request sapsrv.req and import the CA response together with the root and intermediate certificates. Then 10.180.XXX.XXX is shown in the SAN.
      3. Restart HANA for the new sapsrv.pse to take effect.
      4. Import the CA root certificate into the certificate list of SAPSSLC.pse.
    3. Solution 3:
      Set sslHostNameInCertificate=apj-b.openstack.ap-cn-1.cloud.sap in the connection property, so that the host name check is done against the FQDN in the certificate rather than the IP address used to connect.

dbs/hdb/connect_property = CONNECTTIMEOUT=0, ENCRYPT=TRUE,sslHostNameInCertificate=apj-b.openstack.ap-cn-1.cloud.sap,sslCryptoProvider=commoncrypto,sslKeyStore=SAPSSLC.pse,sslTrustStore=SAPSSLC.pse

    4. Solution 4:
      Change the following HANA parameter from "ip" to "fqdn":

global.ini -> public_hostname_resolution -> use_default_route
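To check a connect-property string for the weak settings discussed in this troubleshooting section (the "not safe" sslValidateCertificate=false from Issue 2, a missing client PSE as in Issue 1, and an IP address given as sslHostNameInCertificate), here is an added Python example; it is not part of the original post or of any SAP tool, and the sample strings are constructed from the post's own dbs/hdb/connect_property and DBCO Conn.info values. It also handles the DBCO CON_PARAM form used for the secondary connection.

```python
import re

# Constructed samples taken from the post's own connect-property strings:
# the hardened profile value, the "not safe" Solution 1 value, and the
# DBCO Conn.info line of the secondary connection.
HARDENED = ("CONNECTTIMEOUT=0, ENCRYPT=TRUE,sslCryptoProvider=commoncrypto,"
            "sslKeyStore=SAPSSLC.pse,sslTrustStore=SAPSSLC.pse")
UNSAFE = ("CONNECTTIMEOUT=0, ENCRYPT=TRUE, sslValidateCertificate=false,"
          "sslCryptoProvider=commoncrypto,sslKeyStore=SAPSSLC.pse,"
          "sslTrustStore=SAPSSLC.pse")
DBCO_CONN_INFO = ("HOST=apj-1.openstack.ap-cn-1.cloud.sap:30113;"
                  "CON_PARAM=ENCRYPT=TRUE,sslCryptoProvider=commoncrypto,"
                  "sslKeyStore=SAPSSLC.pse,sslTrustStore=SAPSSLC.pse")


def parse_props(text):
    """Split 'k=v, k2=v2' into a dict with lower-cased keys.
    A DBCO Conn.info line is reduced to the part after CON_PARAM=."""
    if "CON_PARAM=" in text:
        text = text.split("CON_PARAM=", 1)[1]
    props = {}
    for item in text.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            props[key.strip().lower()] = value.strip()
    return props


def audit(text):
    """Return a list of findings; an empty list means the string uses the
    post's hardened settings (encrypted, validated, PSE explicitly given)."""
    p = parse_props(text)
    findings = []
    if p.get("encrypt", "").upper() != "TRUE":
        findings.append("ENCRYPT is not TRUE: the HANA connection is not encrypted")
    if p.get("sslvalidatecertificate", "true").lower() == "false":
        findings.append("sslValidateCertificate=false: the server certificate is "
                        "not validated, so the client cannot tell which server "
                        "it is talking to (Issue 2, Solution 1)")
    for store in ("sslkeystore", "ssltruststore"):
        if store not in p:   # without a PSE the client looked for sapcli.pse (Issue 1)
            findings.append(f"{store} not set: client falls back to a default PSE "
                            "that may not exist (Issue 1)")
    host = p.get("sslhostnameincertificate")
    if host and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("sslHostNameInCertificate is an IP address; use the FQDN "
                        "from the server certificate (Issue 2, Solution 3)")
    return findings
```

Run audit() on the value you plan to put into RZ10 or DBCO before restarting ABAP; an empty result corresponds to the hardened strings in this post.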