This blog describes how to use the SAP Cryptographic Library to enable SAML SSO from SAP BI4 to SAP HANA DB. If you want to use OpenSSL instead, please check the other SCN blog for details.
SAP Crypto Library can be downloaded from Service Marketplace. Browse to http://service.sap.com/swdc, expand Support Packages and Patches -> Browse our Download Catalog -> SAP Cryptographic Software -> SAPCRYPTOLIB -> SAPCRYPTOLIB 5.5.5 -> Linux on x86_64 64bit.
Use SAPCAR to extract sapgenpse and libsapcrypto.so to /usr/sap/<SID>/SYS/global/security/lib/
Add the directory containing the SAP Crypto libraries to your library path:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/sap/<SAPSID>/SYS/global/security/lib
The new CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 (or higher) is fully compatible with previous versions of SAPCRYPTOLIB, but adds features of SAP Single Sign-On 2.0 Secure Login Library. It can be downloaded in this location:
Expand Support Packages and Patches -> Browse our Download Catalog -> Additional Components -> SAPCRYPTOLIB -> COMMONCRYPTOLIB 8
Please refer to the following SAP note for details about using CommonCryptoLib:
2084313 - Install and Verify CommonCrypto to SAP HANA
CommonCryptoLib has been supported by HANA since Rev 74. Starting from HANA SPS9, CommonCryptoLib is delivered with HANA, and the sapsrv.pse file is also generated automatically by default.
2. Create the SSL key pair and certificate request files
Copy sapgenpse and libsapcrypto.so to the $SECUDIR directory. Then run sapgenpse to generate the sapsrv.pse file and the SAPSSL.req file:
./sapgenpse gen_pse -p sapsrv.pse -r SAPSSL.req "CN=<FQDN of the host>"
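A preflight check for the setup described above, as an added example that is not part of the original blog: it verifies that sapgenpse and libsapcrypto.so are in $SECUDIR, that the library directory is on LD_LIBRARY_PATH, and that sapsrv.pse, which holds the server's private key, is not accessible to group or others. The function name check_pse_setup and the owner-only permission rule are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for the SAP crypto library setup.
# Usage: check_pse_setup "$SECUDIR" /usr/sap/<SAPSID>/SYS/global/security/lib
# Prints one line per finding and returns 0 only if nothing is wrong.
check_pse_setup() {
    secudir=$1
    libdir=$2
    rc=0

    # sapgenpse and libsapcrypto.so must both have been copied to $SECUDIR.
    for f in sapgenpse libsapcrypto.so; do
        if [ ! -f "$secudir/$f" ]; then
            echo "MISSING $secudir/$f"
            rc=1
        fi
    done
    if [ -f "$secudir/sapgenpse" ] && [ ! -x "$secudir/sapgenpse" ]; then
        echo "NOT EXECUTABLE $secudir/sapgenpse"
        rc=1
    fi

    # The loader finds libsapcrypto.so only if its directory is on the path.
    case ":${LD_LIBRARY_PATH:-}:" in
        *":$libdir:"*) ;;
        *) echo "LD_LIBRARY_PATH lacks $libdir"; rc=1 ;;
    esac

    # sapsrv.pse contains the private key: group and other bits must be empty.
    pse="$secudir/sapsrv.pse"
    if [ -f "$pse" ]; then
        perms=$(ls -ld "$pse" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "LOOSE PERMISSIONS (group/other: $perms) on $pse"
            rc=1
        fi
    else
        # Not an error before gen_pse has been run.
        echo "NOT YET CREATED $pse"
    fi
    return $rc
}
```

Run it once before `sapgenpse gen_pse` and again afterwards; a missing sapsrv.pse is reported but not treated as a failure.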
Click on the "Connect using SSL" option in the properties of the connection. Once done, a lock will appear on the connection in HANA Studio.
./sapgenpse maintain_pk -p sapsrv.pse -a sapid.cer
You can import the SAML identity provider from the certificate file (sapid.cer) created in the last step under Security -> Open Security Console -> SAML Identity Providers. Make sure you have chosen the SAP Cryptographic Library.
Check the SAML option, click the Configure link, then add the identity provider created in the last step, 'HANA_BI_PROVIDER', for the external user 'Administrator'.
Go to BO CMC -> Application -> HANA Authentication, edit the entry created in the previous step, and click the "Test Connection" button.
If the connection test is not successful, please change the trace level of the following to DEBUG:
indexserver.ini - authentication, xssamlproviderconfig
The index server trace will provide more information on why the authentication failed.
You may find more information about tracing in this SAP note:
2083682 - How to Enhance Tracing for SAP HANA SSO Login Issues
Reference
How to Configure SSL for SAP HANA XSEngine using SAPCrypto
Configuring SAML with SAP HANA and SAP BusinessObjects 4.1 - Part 1