HANA Alert id 130 Check Own Certificate Expiration Date alert appearing in HANA Production System
Overview
During system installation, a specific dedicated PKI for external communication is automatically built and enabled. This PKI is integrated with each host on which a database server is running, as well as with each tenant database in the system.
The tenant-specific certificate authorities (CAs), host-specific X.509 certificates signed by these CAs, private keys, and other components that make up the client PKI are all kept in database collections called certificate collections.
All certificates use strong encryption and signature algorithms: SHA-256 with RSA and a 4096-bit key length.
In HANA Studio, click the Alerts tab. As shown below, the alert message "1 own or chain certificate will expire soon." appeared.
Investigation and Finding:
Log in to the tenant database in HANA Studio as the HANA DB user SYSTEM or an equivalent HANA DB user with sufficient privileges.
Execute an SQL statement to check which certificate is affected and its expiration date, as shown below.
As shown above, the certificate name is _SYS_CLIENTPKI_HOST_CERT and the expiration date is 25th Aug 2023.
Host Certificates
Host certificates are used to validate the server's authenticity. The host certificates include all known host names of the SAP HANA servers in the subject alternative names (SAN) field.
A database's host certificates (_SYS_CLIENTPKI_HOST_CERT) are kept in the database certificate store and assigned to the _SYS_CLIENTPKI certificate collection for SSL purposes.
Host certificates only last 180 days. They are automatically renewed 32 days before expiry, after a restart, and after a host has been added or removed.
New host certificates can also be generated with the SQL statement
ALTER SYSTEM CLIENTPKI UPDATE CERTIFICATES
Check that the HANA parameter [communication] sslclientpki in the global.ini configuration file is set to ON before the update as well as after it, to ensure that client PKI is enabled after an update or to trigger the creation of the associated certificates, private keys and certificate collections.
Procedure
Execute the update certificates SQL statement as follows.
Execute the SQL command to check the expiration date, as shown below.
Check that the HANA parameter [communication] sslclientpki in the global.ini configuration file is set to ON after the update, to ensure that client PKI is enabled after an update or to trigger the creation of the associated certificates, private keys and certificate collections.
Repeat the procedure for SYSTEMDB, as shown below.
Before updating the certificates, execute these SQL statements:
select * from CERTIFICATES;
select * from PSE_CERTIFICATES;
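The before/after comparison in the procedure above can be scripted against exported query results. This is an added example, not part of the original post or of SAP's tooling; the row layout (name, valid_until), the timestamp format, the check date and the renewed expiry are constructed assumptions, and only the 25 Aug 2023 expiry and the 32-day rule come from the post.

```python
from datetime import datetime, timedelta

# From the post: host certificates are auto-renewed 32 days before expiry.
AUTO_RENEW_BEFORE = timedelta(days=32)

def parse_ts(value):
    """Parse an exported timestamp (the format is an assumption)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def assess(row, now):
    """Classify one certificate row against the auto-renewal window."""
    valid_until = parse_ts(row["valid_until"])
    remaining = valid_until - now
    if remaining <= timedelta(0):
        state = "EXPIRED"
    elif remaining <= AUTO_RENEW_BEFORE:
        # Inside the 32-day window: auto-renewal should already have run.
        state = "RENEWAL_OVERDUE"
    else:
        state = "OK"
    return {"name": row["name"], "state": state,
            "days_left": remaining.days,
            "auto_renew_due": valid_until - AUTO_RENEW_BEFORE}

def verify_update(before, after, now):
    """Return names of certificates the update did not actually renew."""
    old = {r["name"]: parse_ts(r["valid_until"]) for r in before}
    failed = []
    for row in after:
        renewed = parse_ts(row["valid_until"]) > old.get(row["name"], datetime.min)
        if not renewed or assess(row, now)["state"] != "OK":
            failed.append(row["name"])
    return failed

# Constructed snapshots: one row per certificate, taken before and after
# running the update statement on the tenant database.
NOW = datetime(2023, 8, 10)
BEFORE = [{"name": "_SYS_CLIENTPKI_HOST_CERT", "valid_until": "2023-08-25 00:00:00"}]
AFTER = [{"name": "_SYS_CLIENTPKI_HOST_CERT", "valid_until": "2024-02-06 00:00:00"}]

if __name__ == "__main__":
    print(assess(BEFORE[0], NOW))
    print("not renewed:", verify_update(BEFORE, AFTER, NOW))
```

Run the same comparison for SYSTEMDB and for each tenant, since every database holds its own host certificate.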
Conclusion:
Host certificates are automatically renewed 32 days before expiry, after a restart, and after a host has been added or removed.
However, in order to restart HANA instances on the HANA production host, we must wait for the customer's clearance.
Therefore, if the customer does not consent to restarting the instance, it would be preferable to run the update certificates SQL statement.
Reference:
3287000 - How to handle HANA Alert 130: 'Check own certificate expiration date' - SAP for Me
Thanks for reading!
aprao