Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

Last Changed: 5th of November 2020

Blog: prepare the Installation Host for the SLC Bridge
Blog: Maintenance Planer and the SLC Bridge for Data Hub
Blog: SAP DataHub 2.7 Installation with SLC Bridge
Blog: Secure the Ingress for DH 2.7 or DI 3.0
Blog: Data Intelligence Hub - connecting the Dots …
new Blog: SAP Data Intelligence 3.0 – implement with slcb tool

Secure the Ingress for DH 2.7 or DI 3.0


In case (mostly possibly) you want to secure the Ingress access to the Data Hub/Data Intelligence Cluster with more than self-signed certificate, the usage of the cert-manager would be more than beneficial.

the cert-manager run's in it's own namespace and own pod and allows several additional possibilities. This chart is maintained at
### install cert-manager v0.15.0 - jetstack
server:/ # kubectl create namespace cert-manager
# Kubernetes 1.15+
server:/ # kubectl apply --validate=false -f
server:/ # helm repo add jetstack
server:/ # helm repo update
server:/ # helm install cert-manager jetstack/cert-manager --version v0.15.0 -n cert-manager [--dry-run]

server:/ # kubectl get pods --namespace cert-manager
server:/ # kubectl -n cert-manager get service ${service_name}
cert-manager-77f4c9d4b-894dq 1/1 Running 0 4d2h
cert-manager-cainjector-7cd4857fc7-z4b6c 1/1 Running 0 4d2h
cert-manager-webhook-586c9597db-5w8sf 1/1 Running 0 4d2h
server:/ #

the cert-manager kubectl plugin allows you additional commands together with kubectl.

Azure has already a prepared container Image provided by Bitnami

prepare the files and apply them to the AKS cluster. Beside the Install Documentation there is also a Tutorial which contains additional details and a Troubleshooting Section. I have used the Automated Certificate Management Environment (ACME) with let's encrypt.

make sure you create you resources in the AKS namespace to make the configuration active

you can use the Let's Encrypt Staging Environment to test all the needed functions beforehand, e.g. adding the staging environment intermediate certificate (“Fake LE Intermediate X1”) to your Web Browser.

If you get errors with the format of the yaml files like below, then you have to replace the existing coding with a clean one from the original source, even it looks correct. See an example here.

server:/ # kubectl apply -f HTTP01-issuer.yaml -n $NAMESPACE
server:/ # kubectl apply -f Certificate.yaml -n $NAMESPACE

server:/ # kubectl get Certificate -n $NAMESPACE
letsencrypt-staging False vsystem-tls-letsencrypt-staging 9m24s
vsystem-tls-certs-prod True vsystem-tls-certs-prod 16h
server:/ #

Example with the Certificate "letsencrypt-staging":
=> describe Certificate letsencrypt-staging
=> describe CertificateRequest letsencrypt-staging-<9-digits>
=> describe Order letsencrypt-staging-<9-digits>-<9-digits>
=> describe Challenge letsencrypt-staging-<9-digits>-<9-digits>-<9-digits>
=> describe Secret vsystem-tls-letsencrypt-staging

server:/ # kubectl describe certificate letsencrypt-staging -n $NAMESPACE
Last Transition Time: 2020-05-26T09:24:56Z
Message: Waiting for CertificateRequest "letsencrypt-staging-2680584605" to complete
Reason: InProgress
Status: False
Type: Ready
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Requested 10m cert-manager Created new CertificateRequest resource "letsencrypt-staging-2680584605"
server:/ # kubectl describe CertificateRequest letsencrypt-staging-2680584605 -n $NAMESPACE
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 12m cert-manager Created Order resource cert-manager/letsencrypt-staging-2680584605-3621476536
Normal OrderPending 12m cert-manager Waiting on certificate issuance from order cert-manager/letsencrypt-staging-2680584605-3621476536
server:/ # kubectl describe order letsencrypt-staging-2680584605-3621476536 -n $NAMESPACE
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 14m cert-manager Created Challenge resource "letsencrypt-staging-2680584605-3621476536-2139230782" for domain "<aks-cluster>.<region>"
Normal Created 14m cert-manager Created Challenge resource "letsencrypt-staging-2680584605-3621476536-3545865779" for domain "<aks-slcb>.<region>"
server:/ # kubectl get challenges -n $NAMESPACE
letsencrypt-staging-2680584605-3621476536-2139230782 valid
letsencrypt-staging-2680584605-3621476536-3545865779 pending
server:/ # kubectl describe challenge letsencrypt-staging-2680584605-3621476536-2139230782 -n $NAMESPACE
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 18m cert-manager Challenge scheduled for processing
Normal Presented 18m cert-manager Presented challenge using http-01 challenge mechanism
Normal DomainVerified 17m cert-manager Domain "<aks-cluster>.<region>" verified with "http-01" validation
server:/ # kubectl get secret vsystem-tls-letsencrypt-staging -n $NAMESPACE -o yaml
server:/ # kubectl describe secret vsystem-tls-certs-staging -n $NAMESPACE
Name: vsystem-tls-certs-staging
Namespace: $NAMESPACE
ca.crt: 0 bytes
tls.crt: 3610 bytes
tls.key: 1675 bytes
server:/ #

Tutorial: Securing NGINX-ingress

finally the AKS cluster should have a valid HTTPS URL to call.

It looks like the way @db8ac33b71d34a778adf273b064c4883 exposed the SAP Data Hub Launchpad is more efficient then the sap online help - Your SAP on Azure – Part 20 – Expose SAP Data Hub Launchpad

and the Your SAP on Azure – Part 16 – Easy TLS/SSL with SAP Data Hub and Let’s Encrypt works as well! actually with the current SAP Data Hub Installation only a few steps are necessary.

Applying necessary Certificates for Backend Connections

X509 File Extensions

The first thing we have to understand is what each type of file extension is. There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable.  While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly.  Correctly labeled certificates will be much easier to manipulate. CER is an X. 509 certificate in binary form, DER encoded. CRT is a binary X. 509 certificate, encapsulated in text (base-64) encoding

Encodings (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.   Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.

  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

Common Extensions

  • .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous.  Most common among *nix systems

  • CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer)  The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.

  • .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

The only time CRT and CER can safely be interchanged is when the encoding type can be identical.  (ie  PEM encoded CRT = PEM encoded CER)


Please note that only plain types of pem/crt Certificates are accepted.
Sometimes the Certificates are only available as binary files. These type of files are not accepted by the Certificate Store of the SAP Datahub.

Note 2631190 - Download location of SSL certificates required for Support Hub Connectivity configura...
Note 2148457 - How to convert the keypair of a PKCS#12 / PFX container into a PSE file

DigiCert Trusted Root Authority Certificates

openssl allows you to convert the files from binary format to plain format and vice versa.

SAP Data Intelligence accepts files with extension .pem or .crt
openssl x509 -in DigiCertGlobalRootCA.crt -inform der -outform pem -out DigiCertGlobalRootCA.pem
openssl x509 -in DigiCertGlobalRootG2.crt -inform der -outform pem -out DigiCertGlobalRootG2.pem
openssl x509 -in DigiCertHighAssuranceEVRootCA.crt -inform der -outform pem -out DigiCertHighAssuranceEVRootCA.pem

SAP Cloud Connector accepts files with extension .der or .cer
openssl x509 -inform DER -in DigiCertGlobalRootG2.crt -out DigiCertGlobalRootG2.cer
openssl x509 -inform DER -in DigiCertHighAssuranceEVRootCA.crt -out DigiCertHighAssuranceEVRootCA.cer
openssl x509 -inform DER -in SAPSSO_CA_G2.crt -out SAPSSO_CA_G2.cer
openssl x509 -inform DER -in SAPGlobalRootCA.crt -out SAPGlobalRootCA.cer
openssl x509 -inform DER -in SAPNetCA_G2.crt -out SAPNetCA_G2.cer
openssl x509 -inform DER -in SAPPassportG2.crt -out SAPPassportG2.cer

openssl x509 -inform PEM -in certificate.cer -out certificate.crt

SAP Cloud Connector Administration - Trust Store


Roland Kramer, SAP Platform Architect for Intelligent Data & Analytics


“I have no special talent, I am only passionately curious.” 

1 Comment