Technology Blogs by SAP
Vitaliy-R
Developer Advocate
With the introduction of the Catalina version a year ago, I started experiencing some new issues on my MacBook laptop when working with my existing instances of SAP HANA, express edition. These issues were consequences of the OS changes in the security area to protect casual users.

I see other users running into similar issues, so I would like to share the fixes I am using. If you have other tips, then please let me know in the comments!

NET::ERR_CERT_INVALID in Chromium-based web browsers


In Chromium-based web browsers (like Vivaldi, Brave, Chrome...) NET::ERR_CERT_INVALID is displayed when opening any SAP HANA web application, like https://hxehost:39030.


SAP HANA, express edition, uses a self-signed certificate, but up to macOS 10.14 the error shown would be NET::ERR_CERT_AUTHORITY_INVALID. On Windows these web browsers still show NET::ERR_CERT_AUTHORITY_INVALID, and you can see the link that allows you to accept the risk and proceed to the page.

The reason for this behavior on macOS is the new security requirements for TLS server certificates in macOS 10.15: https://support.apple.com/en-us/HT210176

The solution might be to move to another browser, like Firefox, where you can still get a link to accept the risk and move on.

But if you do not want to switch browsers and feel geeky (plus know what you are doing!), then there is a BYPASS_SEQUENCE built into Chromium. This allows certificate errors "to be skipped by typing a secret phrase into the page.": https://chromium.googlesource.com/chromium/src/+/refs/heads/master/components/security_interstitials...

The current sequence is dGhpc2lzdW5zYWZl, which is Base64 encoded. After decoding it reads thisisunsafe. And this is what you need to type on the keyboard to get past the certificate error message in the browser.

Please note that:

  • this bypass sequence is changing between different versions of Chromium, and

  • with great power comes great responsibility!
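
To see which of the macOS 10.15 requirements from the Apple article linked above a server certificate misses, its `openssl x509 -noout -text` dump can be checked for key size, signature hash, Subject Alternative Name and Extended Key Usage. The shell function below is an added example, not part of the original post. The function names and the abridged sample dump are constructed for illustration.

```shell
# Added example (not from the original post): check `openssl x509 -noout -text`
# output against the macOS 10.15 TLS server certificate requirements (HT210176).
# Not covered: the 825-day validity limit; RSA-PSS and Ed25519 signatures.
check_macos_tls_reqs() {   # reads the dump on stdin, prints FAIL lines, returns 1 on any
    dump=$(cat); rc=0
    if printf '%s\n' "$dump" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        # RSA keys must be at least 2048 bits.
        bits=$(printf '%s\n' "$dump" |
            sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
        if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
            echo "FAIL: RSA key is ${bits:-unknown} bits, need at least 2048"; rc=1
        fi
    fi
    # The signature must use a SHA-2 family hash (SHA-1 is no longer trusted).
    sig=$(printf '%s\n' "$dump" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
    case $(printf '%s' "$sig" | tr 'A-Z' 'a-z') in
        *sha224*|*sha256*|*sha384*|*sha512*) ;;
        *) echo "FAIL: signature algorithm '$sig' is not SHA-2 based"; rc=1 ;;
    esac
    # The DNS name must be in Subject Alternative Name; CommonName is ignored.
    if ! printf '%s\n' "$dump" | grep -A1 'X509v3 Subject Alternative Name' |
            grep -q 'DNS:'; then
        echo "FAIL: no DNS name in Subject Alternative Name"; rc=1
    fi
    # Certificates issued after July 1, 2019 need serverAuth in Extended Key Usage.
    if ! printf '%s\n' "$dump" | grep -A1 'X509v3 Extended Key Usage' |
            grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: Extended Key Usage lacks serverAuth"; rc=1
    fi
    return $rc
}

# Constructed sample: abridged dump of a self-signed certificate with no extensions.
sample_dump() {
    cat <<'EOF'
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = hxehost
        Subject: CN = hxehost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
EOF
}

# Live use (hxehost:39030 is the example host from the post):
#   openssl s_client -connect hxehost:39030 </dev/null 2>/dev/null |
#       openssl x509 -noout -text | check_macos_tls_reqs
sample_dump | check_macos_tls_reqs || echo "does not meet the macOS 10.15 requirements"
```

A certificate that passes these checks but is still self-signed is expected to produce NET::ERR_CERT_AUTHORITY_INVALID until it is explicitly trusted.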


“file” cannot be opened because the developer cannot be verified


If you download an executable file from the Internet using a web browser, then you may run into this message when trying to run it: "... cannot be opened because the developer cannot be verified. macOS cannot verify that this app is free from malware."

It happens e.g. when downloading SAP HANA Client install from https://tools.hana.ondemand.com/#hanatools.


This happens because macOS adds the extended attribute com.apple.quarantine to the files.

You can spot files with extended attributes by the @ character that follows the permission flags when using ls -l. You can see these extended attributes using ls -l@.


If you trust the files you downloaded, then the quarantine tag can be removed using the xattr -d command, like:
xattr -d com.apple.quarantine hanaclient-latest-macosx-x64.tar.gz


These extra attributes are not assigned when downloading files using e.g. curl, like:
curl "https://tools.hana.ondemand.com/additional/hanaclient-latest-macosx-x64.tar.gz" \
--output "hanaclient-latest-macosx-x64.tar.gz" \
--header "Cookie: eula_3_1_agreed=tools.hana.ondemand.com/developer-license-3_1.txt"


Please note that:

"Abort trap: 6", or "Invalid dylib load"


Since Catalina was released, different Python programs have been crashing with "Abort trap: 6" if these programs use encrypted communication.


The detailed stack would mention: Invalid dylib load. Clients should not load the unversioned libcrypto dylib as it does not have a stable ABI.

I did not find a single comprehensive explanation. I relied on this one: https://bugs.python.org/issue38814#msg356779.

There were many different solutions proposed involving manual re-links. The one I found working for me was:
brew install openssl
export DYLD_FALLBACK_LIBRARY_PATH=/usr/local/opt/openssl/lib

Obviously you can skip the OpenSSL installation if it is already available in your OS.

I hope you find these fixes helpful...


...if you ran into any of these issues.

And if you have any further details or different solutions, then please share them in the comments.




Stay healthy ❤️
-Vitaliy (aka @Sygyzmundovych)