This blog post is a part of a larger series. You can navigate the series here:

Deployment Options

In this post we'll perform some additional tasks to ensure the environment is accessible and secure. The system will not be usable until after the following key tasks are performed:

Hostname & URL: We want our installation to be accessible on the internet with our domain name, so we need to change the system configuration to reflect our new name.
Upgrade SAPCRYPTOLIB: The SAPCRYPTOLIB is used to manage secure stores, certificates, etc. The version that ships with the HANA Express install has a bug that is resolved with version 8.5.26+. We need to update to the latest version so we can import our SSL certificates correctly.
SSL Certificates: In order to communicate with the server we need to establish secure communication with SSL certificates. We will need to create a Certificate Signing Request and have it signed by a CA such as GoDaddy. The certificate will then need to be imported into the SAP Secure Store as well as XSA.


Rename the Host & URL

The default installation is not designed to be accessible from the internet. It has a local hostname & API url that we can modify by editing a file and restarting the system.
sudo vi /hana/shared/HXE/global/hdb/custom/config/xscontroller.ini

Change the default_domain and api_url variables to reflect your domain name.  The variables should look something like this
default_domain =
api_url =

Save the file by pressing ESC, then :wq, then ENTER.

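Next we need to create a password file that the rename system process reads so that it knows the appropriate passwords for the various accounts. The file holds those passwords in clear text, so keep it readable only by your own user and delete it once the rename has finished.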
cd /tmp
vi pwd.xml

Include the following contents in the file and be sure to change the text in the brackets to specify your passwords for these accounts.
<?xml version="1.0" encoding="UTF-8"?>

Save the file by pressing ESC, then :wq, then ENTER.

Now we need to stop the SAP HANA database, trigger the rename process, and bring the database back up. Make sure the -certificates_hostmap parameter is equal to your current hostname. Your current hostname was accepted as a default in the installation process and is your AWS public DNS name. This can be found by clicking on your instance in the EC2 Dashboard.

Be sure to replace your source and target domain name in the command below for the -certificates_hostmap parameter and fix the domain name in the -xs_domain_name parameter.
su -l hxeadm

HDB stop

sudo cat ./pwd.xml | sudo /hana/shared/HXE/hdblcm/hdblcm --action=rename_system --nostart --skip_hostagent_calls --read_password_from_stdin=xml -b

Become hxeadm again and restart the database.
su -l hxeadm
HDB start

When the system comes up you still won't be able to access much because we haven't loaded the SSL certificates yet. We need to complete a few more tasks before accessing the system.



Upgrade SAPCRYPTOLIB

If we don't update SAPCRYPTOLIB we will bang our heads against the wall trying to get the SSL certificates to work.

Exit to the local machine and update SAPCRYPTOLIB using the file downloaded from SAP Software Downloads.

scp SAPCRYPTOLIBP_8530-20011697.SAR ec2-user@your-domain-or-ip:/tmp/SAPCRYPTOLIBP_8530-20011697.SAR

Now we need to log back in to the server, uncompress the image and copy the files to the correct location.

su -l hxeadm
cd /tmp
/usr/sap/HXE/HDB90/exe/SAPCAR -xvf /tmp/SAPCRYPTOLIBP_8530-20011697.SAR

sudo cp sapgenpse /usr/sap/HXE/HDB90/exe/sapgenpse
sudo cp sapcrypto.lst /usr/sap/HXE/HDB90/exe/sapcrypto.lst
sudo cp /usr/sap/HXE/HDB90/exe/
sudo cp /usr/sap/HXE/HDB90/exe/
sudo cp /usr/sap/HXE/HDB90/exe/
sudo cp /usr/sap/HXE/HDB90/exe/
sudo cp sapcrypto.lst /usr/sap/HXE/HDB90/exe/sapcrypto.lst


Install SSL Certificates

Of the full end-to-end installation and configuration process, the SSL certificates portion is the most variable component of the tutorial and most likely where your situation will differ from mine. If you have any issues, this is where they will probably happen. I'll be using GoDaddy and hopefully your experience is similar.

We will start by making a backup of the secure store where SAP stores the security keys and other encrypted info.


Next, we need to create a few files that will be used in command line parameters in upcoming steps.

The first file we will call test.conf:
vi test.conf

Paste the following text into the file and be sure to change the domain name to match your domain with the SSL certificate.
subjectAltName = @alt_names

Save the file by pressing ESC, then :wq, then ENTER.

Now we generate a certificate signing request that we will give to our certificate authority for signing. Be sure to replace the domain names with your domain. Go ahead and change the Organizational Unit, Organization, and Country as well.
sapgenpse get_pse -p SAPSSLS.pse -r hanaradeio.csr -k ", OU=HANA, O=RADE, C=US"

Let's verify that we have a valid request:
openssl req -text -noout -in hanaradeio.csr

Open the .csr file and carefully copy all characters. Your certificate authority will have a section for you to paste a signing request and get a certificate in return. In my case, GoDaddy looks like this:

It may take a few minutes to process but eventually your certificate authority will have a file for you to download that will contain your certificate and possibly additional intermediate and/or root certificates.


Next, SAP will require the intermediate and root certificates of the certificate authority. Your CA makes these available publicly. In my case, GoDaddy has a repository of certificates available when I login to my account.

vi godaddy_chain.pem

We need to create a single file with both the intermediate and root certificates together.  Be sure to include the intermediate first, then the root. Save the file by pressing ESC, then :wq, then ENTER.

vi hanaradeio.crt

Create the file and carefully copy the contents of the certificate (.pem or .crt) received from the CA and paste it into the file. Save the file by pressing ESC, then :wq, then ENTER.


Import the certificate into the PSE.
sapgenpse import_own_cert -p SAPSSLS.pse -c hanaradeio.crt -r godaddy_chain.pem

Finally we need to import the certificate to the XSA server. To do that we need the key which can be exported from the PSE.
sapgenpse export_p12 -p SAPSSLS.pse -C 0 SAPSSLS.p12

sudo openssl pkcs12 -in SAPSSLS.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > hanaradeio.key

Due to a bug, we need to import the certificates to XSA in reverse order, starting with root, then intermediate, and finally the server certificate.  Create a file with the certificates in this order.
vi combinedcerts_rev.pem

Save the file by pressing ESC, then :wq, then ENTER.
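
Before handing these files to XSA, it is worth confirming three things: the exported key file is not readable by other users, the key actually belongs to the server certificate, and the combined file really is in root, intermediate, server order. The script below is an added example, not part of the original post; it uses only the openssl command line, the function names are illustrative, and the file names in the usage line are the ones used in this post.

```shell
#!/bin/sh
# Added example: checks to run before `xs set-certificate` (function names are illustrative).

# Split a PEM bundle into one file per certificate: $2/1.pem, $2/2.pem, ...
split_bundle() {
  awk -v d="$2" '/-BEGIN CERTIFICATE-/{n++} n{print > (d "/" n ".pem")}' "$1"
}

# True if the bundle runs root -> intermediate(s) -> server: the first entry is
# self-issued and each later entry names the previous one as issuer.
# Compares name hashes only; signatures are not verified here.
chain_is_root_first() {
  dir=$(mktemp -d) || return 2
  split_bundle "$1" "$dir"
  i=1; prev=""; rc=0
  while [ -f "$dir/$i.pem" ]; do
    subj=$(openssl x509 -in "$dir/$i.pem" -noout -subject_hash 2>/dev/null)
    issr=$(openssl x509 -in "$dir/$i.pem" -noout -issuer_hash 2>/dev/null)
    [ -n "$subj" ] || rc=1                 # unparsable entry
    if [ "$i" -eq 1 ]; then
      [ "$subj" = "$issr" ] || rc=1        # first entry must be the root
    else
      [ "$issr" = "$prev" ] || rc=1        # issued by the entry before it
    fi
    prev=$subj; i=$((i + 1))
  done
  [ "$i" -gt 1 ] || rc=1                   # no certificates found
  rm -rf "$dir"
  return "$rc"
}

# True if the private key ($1) belongs to the certificate ($2).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if the key file grants nothing to group or others.
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: sh precheck.sh hanaradeio.key hanaradeio.crt combinedcerts_rev.pem
if [ "$#" -eq 3 ]; then
  key_is_private "$1" || echo "WARN: $1 is readable by group or others"
  key_matches_cert "$1" "$2" || { echo "FAIL: key does not match $2"; exit 1; }
  chain_is_root_first "$3" || { echo "FAIL: $3 is not in root-first order"; exit 1; }
  echo "OK: key matches certificate, chain is root-first"
fi
```

The key written by the `openssl pkcs12 ... -nodes` step is unencrypted, so a warning from the first check is worth acting on before continuing.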

Now set the certificate for XSA:
xs set-certificate -k hanaradeio.key -c combinedcerts_rev.pem

At this point, you can bounce the XSA server with the following command:
xs restart

However, I prefer to do a full system restart. Be patient and let the system come up with the new certificates in place. Once the server is up you can SSH into the server, become hxeadm, then use the command below to list the URLs for WebIDE, the Cockpit, and other services and applications to be accessed.

In our next post, we'll deploy a Fiori Launchpad to house a collection of apps to be built in future blog posts.