ABAP to HANA SSL connection

Configure ABAP to HANA SSL connection

I worked on a CRM on HANA project where one of the requirements was to encrypt all traffic on any system that contained customer information, even the traffic between the ASCS and HANA. This is sort of documented starting on 5.3.1.2 of the HANA SP9 Security Guide, but it still took me some time to figure out. I thought I’d share some details that may help others.

The instructions below are based on sapcrypto. In SP7 and above, there is an option to use commoncrypto. OpenSSL is also an option if sapcrypto is not installed.

  • Install sapcrypto on both the HANA and ASCS systems
    • Copy the sapcrypto files to the correct kernel directories
    • This is well documented, so I won't provide details here
  • On the HANA appliance
    • cp libsapcrypto.so /usr/sap/<sid>/SYS/global/security/lib
  • Create PSE files for both systems
    • See SAP Note 1718944 – SAP HANA DB: Securing External SQL Communication (SAPCrypto)
      • If a Certificate Authority (CA) is not available, you can get a test certificate from SAP that is valid for 8 weeks at https://websmp110.sap-ag.de/tcs
      • This option can be used to sign the sapcli.req discussed in Note 1718944
    • In my case, the customer created a PFX using their own CA, but this requires conversion to PSE
    • Convert the *.PFX files provided by the CA to PSE
      • sapgenpse import_p12 -p <newname>.pse <existing_cert>.pfx
        • e.g.: sapgenpse import_p12 -p sapcli.pse <existing_cert>.pfx
      • Copy the newly created sapcli.pse to sapsrv.pse
        • cp sapcli.pse sapsrv.pse
      • sapsrv.pse is required for server authentication (HANA DB)
      • sapcli.pse is required for client authentication (ABAP system)
        • Only the respective file is required on each system for our scenario, but it is easy to create both PSE files on both systems for future requirements.
      • Copy both PSE files to $SECUDIR
        • cp sapcli.pse sapsrv.pse $SECUDIR
      • Restart the HANA DB to enable SSL
      • On the ASCS, copy sapcli.pse to /usr/sap/<SID>/DVEBMGS00/sec
      • If the sec directory above doesn't exist, create it while logged on as <sid>adm
      • On the ASCS, add the following parameter to the DEFAULT.PFL
        • dbs/hdb/connect_property = ENCRYPT=TRUE
          • This parameter enables SSL encryption for the connection to the DB
        • Stop and start the CI.
        • Check dev_w0 and verify the connection to the DB. It should look similar to the log dump below.

Loading SQLDBC client runtime ...
C  SQLDBC Module  : /usr/sap/<SID>/hdbclient/libSQLDBCHDB.so
C  SQLDBC Runtime : libSQLDBCHDB 1.00.70.00 Build 0386119-1510
C  SQLDBC client runtime is 1.00.70.00.0386119
C  connect property [ENCRYPT = TRUE]
C
C  Try to connect via secure store (DEFAULT) on connection 0 ...
C
C Sun Jan 12 19:41:31 2014
C  Attach to HDB : 1.00.70.00.386119 (NewDB100_REL)
C  Database release is HDB 1.00.70.00.386119
C  INFO : Database '<SID>/00' instance is running on '<HANA_Host>'
C  INFO : Connect to DB as 'SAP<SID>', connection_id=300100
C  DB max. input host variables  : 32767

I ran into several issues during this process that caused the work processes to crash. I've outlined the errors I saw in the dev_w* traces, their causes, and the steps to resolve them.

Troubleshooting

  • Error message: Unable to create SSL context
    • This error message is very generic and does not give any additional details
    • Possible causes
      • The sapcrypto library is not accessible
      • The PSE key/trust store is not available or not properly filled
  • Error message: The PSE does not exist (dev_w* trace)

C  SQLERRTEXT : Connection failed (RTE:[300010] Cannot create SSL context: ERROR in SSL_CTX_set_default_pse_by_name:\
C                (4129/0x1021) The PSE does not exist : "/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse",ERROR in ssl_set_pse\
C               : (4129/0x1021) The PSE does not exist : "/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse",ERROR in af_open: (\
C               4129/0x1021) The PSE does not exist : "/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse",ERROR in secsw_open: (\
C               4129/0x1021) The PSE does not exist : "/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse",ERROR in secsw_open_ps\

    • Solution
      • Verify that sapcli.pse is present in the sec directory and that <sid>adm has permission to read it.
  • Error message: SSL certificate validation failed, host name does not match the name in the certificate (dev_w* trace)

C  SQLERRTEXT : Connection failed (RTE:[300015] SSL certificate validation failed: host name 'coe-he-005' does not m\
C               atch name in certificate 'coe-he-005.sapcoe.sap.com')
B  ***LOG BV3=> severe db error -10709    ; work process is stopped [dbsh         1244]
B  ***LOG BY2=> sql error -10709 performing CON [dblink       550]
B  ***LOG BY0=> Connection failed (RTE:[300015] SSL certificate validation failed: host name 'coe-he-005' does not match name in certificate 'coe-he-005.sapcoe.sap.com') [dblink       550]
M  ***LOG R19=> ThDbConnect, db_connect ( DB-Connect 000256) [thDatabase.c 75]
M  in_ThErrHandle: 1
M  *** ERROR => ThInit: db_connect (step TH_INIT, thRc ERROR-DB-CONNECT_ERROR, action STOP_WP, level 1) [thxxhead.c   2151]

    • Cause/Solution
      • The client validates the certificate against the host name it connected with, so ensure that the ASCS uses the host name that is in the certificate to establish the connection
      • Alternatively, add sslHostNameInCertificate to dbs/hdb/connect_property in DEFAULT.PFL to specify the host name in the certificate
        • Example: dbs/hdb/connect_property = ENCRYPT=TRUE, sslHostNameInCertificate=hanadev.internal.com
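The following script is an added example, not code from the original post, covering both the setup steps above (profile parameter, sapcli.pse location) and the troubleshooting section (RTE:[300010] and RTE:[300015] in dev_w*). It assumes the file locations the post uses; the DEFAULT.PFL and dev_w0 contents it creates are constructed samples, not real system files.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# ABAP -> HANA SSL setup, meant to run as <sid>adm on the ABAP host. Paths
# and the sample DEFAULT.PFL / dev_w0 contents below are constructed.

# Print one key (e.g. ENCRYPT, sslHostNameInCertificate) from the
# dbs/hdb/connect_property line of a profile; prints nothing if unset.
connect_property() {  # $1 = profile file, $2 = key
    sed -n 's#^[[:space:]]*dbs/hdb/connect_property[[:space:]]*=[[:space:]]*##p' "$1" \
      | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | awk -F'=' -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# The work processes must be able to read sapcli.pse (post: in DVEBMGS00/sec).
pse_ok() {  # $1 = path to sapcli.pse
    [ -f "$1" ] && [ -r "$1" ]
}

# Map the RTE error codes from the troubleshooting section to a cause:
# 300010 = SSL context / PSE problem, 300015 = host name vs. certificate.
classify_trace() {  # $1 = dev_w* trace file
    if grep -q 'RTE:\[300010\]' "$1"; then echo pse-missing
    elif grep -q 'RTE:\[300015\]' "$1"; then echo hostname-mismatch
    else echo no-ssl-error
    fi
}

# Pull the name the certificate actually carries out of a 300015 error,
# i.e. the value that belongs in sslHostNameInCertificate.
cert_name_from_trace() {  # $1 = dev_w* trace file
    sed -n "s/.*name in certificate '\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# --- constructed sample inputs (not real system files) ---
DEMO=$(mktemp -d)
cat > "$DEMO/DEFAULT.PFL" <<'EOF'
SAPSYSTEMNAME = ABC
dbs/hdb/connect_property = ENCRYPT=TRUE, sslHostNameInCertificate=hanadev.internal.com
EOF
cat > "$DEMO/dev_w0" <<'EOF'
C  connect property [ENCRYPT = TRUE]
B  ***LOG BY0=> Connection failed (RTE:[300015] SSL certificate validation failed: host name 'coe-he-005' does not match name in certificate 'coe-he-005.sapcoe.sap.com') [dblink       550]
EOF
# Stand-alone run: report what the checks find for the sample files.
echo "ENCRYPT            : $(connect_property "$DEMO/DEFAULT.PFL" ENCRYPT)"
echo "cert host in PFL   : $(connect_property "$DEMO/DEFAULT.PFL" sslHostNameInCertificate)"
echo "trace diagnosis    : $(classify_trace "$DEMO/dev_w0")"
echo "name in certificate: $(cert_name_from_trace "$DEMO/dev_w0")"
pse_ok "$DEMO/sapcli.pse" || echo "sapcli.pse missing or unreadable under $DEMO"
```

On a real system, point the functions at /usr/sap/<SID>/SYS/profile/DEFAULT.PFL, /usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse and the work directory's dev_w0 instead of the sample files.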
