
HANA secure network communication – part II

  1. Scenarios [part I]
    1. Client & HANA Cockpit communication
    2. SolMan Communication
    3. AS ABAP
  2. JDBC/ODBC/SQLDBC [part I]
  3. Term clarification [part I]
  4. Create and sign certificate [part II]
  5. Import certificate to HANA Cockpit (for client communication) [part II]
  6. Import certificate to HANA resource(s) [part II]
  7. Configure clients (AS ABAP, ODBC, etc.) to use SSL [part II]
  8. Configure HDB parameters for high security [part II]
  9. Import certificate to host agent [part II]
  10. Pros and Cons certification collections

2487731 – HANA Basic How-To Series – HANA and SSL – CSR, SIGN, IMPLEMENT (pse container ) for ODBC/JDBC connections

Command:

sapgenpse get_pse -p <PSE_Name> -r <cert_req_file_name> -k <more options for SAN>
sapgenpse gen_pse -p cert.pse -r csr.txt -k GN-dNSName:<HOSTNAME incl. FQDN> "CN=<HOSTNAME incl. FQDN>, O=<organization>, C=<country>"

Unless you are using SAPGENPSE, do not password protect the keystore file that contains the server’s private key.

Sign the certificate signing request with a trusted Certificate Authority (CA) as pkcs7 which will include all CA certificates.

cp cert.pkcs7 cert.p7b
sapgenpse import_own_cert -p cert.pse -c cert.p7b

SAP recommendation:

“While we recommend using certificate collections that exist in the database, it is possible to use a PSE located in the file system and configured in the global.ini file.”

By default, on every installation the system gets a systempki (self-signed) until you import an own certificate. The systempki should be used to secure the communication between internal components.

global.ini: Set ssl from ‘off’ to ‘systemPKI’ inside the section [communication]:

[communication]
ssl = systemPKI

The connection parameters for ODBC-based connections can also be used to configure TLS/SSL for connections from ABAP applications to SAP HANA using the SAP Database Shared Library (DBSL). To pass the connection parameters to the DBSL, use the following profile parameter:

dbs/hdb/connect_property = param1, param2, …., paramN

Details:

https://help.sap.com/viewer/b3ee5778bc2e4a089d3299b82ec762a7/2.0.04/en-US/0ae2b75266df44499d8fed8035e024ad.html


a) Export the keys in PKCS#12 transfer format:

sapgenpse export_p12 -p sapsrv.pse sapsrv.p12

b) Create a key file:

openssl pkcs12 -nodes -nocerts -in sapsrv.p12 -out sapsrv.key

c) Create a certificate file:

openssl pkcs12 -nodes -nokeys -in sapsrv.p12 -out sapsrv.pem

The HANA DB has to be online. The XSA can be offline, but it will be restarted. I recommend this method, but you can also use the “online one” (xs set-certificate); there you have to follow more steps and at the end you have to restart the XSA. So, the easiest way is to use the xs set-certificate command:

xs set-certificate --cert /usr/sap/<SID>/HDB<instance-no>/<host>/sec/sapsrv.pem --key /usr/sap/<SID>/HDB<instance-no>/<host>/sec/sapsrv.key

Check it via:

xs login
xs trusted-certificates
  • won’t list the imported certificate
xs domains
  • will show your certificate for your whole domain

global.ini: Set ssl from ‘off’ to ‘systemPKI’ inside the section [communication] (default for XSA systems):

[communication]
ssl = systemPKI

Setting jdbc_ssl to true encrypts all JDBC communications (e.g. HANA database explorer) with all connected HANA resources! Only set this to true if you have configured all resources with SSL. Once set, it enables this security feature and forces all resources to use SSL.

alter system alter configuration ('xscontroller.ini','SYSTEM') set ('communication','jdbc_ssl') = 'true' with reconfigure;

Result: You have activated the SSL certificate for the HANA Cockpit. The clients can now connect via HTTPS to the HANA Cockpit.

  1. Shut down the system
  2. Check the certificate: sapgenpse get_my_name -p cert.pse
  3. Replace the sapsrv.pse, SAPSSLS.pse and SAPSSLC.pse with the created cert.pse
  4. Restart the system

SECUDIR=/usr/sap/<SID>/HDBxx/<hostname>/sec

If you want to force all connections to use SSL/TLS, you have to set the sslenforce parameter to true (global.ini):

[communication]
sslenforce = true

This means:

  • the application server connection via SQLDBC has to be set up to be secure
  • HANA Cockpit connections have to be set up to be secure
  • local hdbsql connections have to be set up for encryption

It is also possible to create one certificate per tenant.

Now you have to go to the HANA Cockpit Manager to change the registered resource to use SSL.

Result: The database will trust all other certificates in the same domain, which includes the HANA Cockpit. All communications can now be established via SSL. At this point, encryption of the communication is optional, not obligatory. All incoming communications can still be unencrypted! (more: Configure HDB for high security)

AS ABAP

There is already a blog about this configuration:

https://blogs.sap.com/2014/01/17/configure-abap-to-hana-ssl-connection/
1761693 – Additional CONNECT options for SAP HANA
2475246 – How to configure HANA DB connections using SSL from ABAP instance

You can copy the certificate of the HANA database to the application server, but you don’t need to. You can also create your own certificate based on the server name of the application server.

You just have to set the dbs/hdb/connect_property parameter to the correct value:

dbs/hdb/connect_property=ENCRYPT=TRUE,sslCryptoProvider=commoncrypto,sslKeyStore=/usr/sap/<SID>/HDBxx/<hostname>/sec/SAPSSLC.pse,sslTrustStore=/usr/sap/<SID>/HDBxx/<hostname>/sec/SAPSSLC.pse

In some cases, you may receive an error if you force the use of TLS/SSL:

SQLERRTEXT : Connection failed (RTE: [300015] SSL certificate validation failed: host name ’10.xxx.xxx.xxx’ does not match names in certificate severe db error -10709; work process is stopped sql error -10709 performing CON

You have to set a somewhat tricky parameter because of the default gateway of the Linux server.

There are 3 different solutions:

  1. sslValidateCertificate = false => the certificate will not be validated
  2. sslHostNameInCertificate = <vhostname> => overrides the hostname used for validation
  3. configure the hostname mapping inside HANA

Solution 1

dbs/hdb/connect_property=ENCRYPT=TRUE,sslValidateCertificate=false,sslCryptoProvider=commoncrypto,sslKeyStore=/usr/sap/<SID>/HDBxx/<hostname>/sec/SAPSSLC.pse,sslTrustStore=/usr/sap/<SID>/HDBxx/<hostname>/sec/SAPSSLC.pse

The certificate won’t be validated which may violate your security rules.

Solution 2

dbs/hdb/connect_property=ENCRYPT=TRUE,sslHostNameInCertificate=<vhostname>,sslCryptoProvider=commoncrypto,sslKeyStore=/usr/sap/<SID>/HDBxx/<hostname>/sec/SAPSSLC.pse,sslTrustStore=/usr/sap/<SID>/HDBxx/<hostname>/sec/SAPSSLC.pse

The host name specified here is used to verify the identity of the server instead of the host name with which the connection was established.

Solution 3

global.ini:

[public_hostname_resolution]
use_default_route = fqdn
map_<host_short_name> = <host_long_name>
map_<host_physical_short_name> = <host_long_name>

If you change the HANA hostname resolution, you map the physical hostname, which represents your default gateway, to the originally installed vhostname. For details on how this works, read this blog.

The cleanest way is the golden middle, option 2. Please keep in mind to configure the correct default gateway with ’is/addr’ for stateful firewall connections (details see part I).

Result: Your ABAP application server now connects via TLS/SSL.
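As an added example (not code from the original post), the following models the client-side hostname check behind the -10709 / RTE 300015 error above and what the three DBSL options change. The certificate name, the gateway IP and the connect_property strings are constructed sample values; the assumption that the client validates unless sslValidateCertificate=false is passed matches the error shown above.

```python
# Added example (not from the original post): a small model of the client-side
# hostname check behind the -10709 / RTE 300015 error and of what the three
# DBSL connect_property options change. All values below are constructed.

# Names the server certificate carries (CN and SAN dNSName from the gen_pse call):
SAMPLE_CERT_NAMES = ["hana01.example.corp"]  # constructed sample value


def parse_connect_property(value: str) -> dict:
    """Parse a dbs/hdb/connect_property value: comma-separated key=value pairs."""
    props = {}
    for item in value.split(","):
        key, _, val = item.strip().partition("=")
        if key:
            props[key] = val.strip()
    return props


def validate_server_identity(cert_names, connect_host, connect_property):
    """Return the outcome: 'plaintext', 'unvalidated', 'validated' or 'mismatch'.
    Assumption: the client validates the certificate unless
    sslValidateCertificate=false is passed (matches the error in the post)."""
    props = parse_connect_property(connect_property)
    if props.get("ENCRYPT", "").upper() != "TRUE":
        return "plaintext"  # no TLS at all
    # Solution 1: the certificate is not checked at all.
    if props.get("sslValidateCertificate", "true").lower() == "false":
        return "unvalidated"
    # Solution 2: compare against the configured name, not the connect host.
    expected = props.get("sslHostNameInCertificate") or connect_host
    if expected.lower() in (name.lower() for name in cert_names):
        return "validated"
    return "mismatch"  # "host name ... does not match names in certificate"


def demo():
    """Run the three variants of the connect_property discussed in the post."""
    base = "ENCRYPT=TRUE,sslCryptoProvider=commoncrypto"
    return {
        # Connecting via the gateway IP: that name is not in the certificate.
        "by_ip": validate_server_identity(SAMPLE_CERT_NAMES, "10.0.0.5", base),
        # Solution 1: encrypted, but the server is never verified.
        "solution1": validate_server_identity(
            SAMPLE_CERT_NAMES, "10.0.0.5", base + ",sslValidateCertificate=false"),
        # Solution 2: sslHostNameInCertificate supplies the vhostname to compare.
        "solution2": validate_server_identity(
            SAMPLE_CERT_NAMES, "10.0.0.5",
            base + ",sslHostNameInCertificate=hana01.example.corp"),
    }
```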

hdbsql

hdbsql is the command-line client shipped with the HANA client. Most use it when no GUI (HANA Studio / Cockpit) is available, or paired with hdbuserstore for scripted automation (housekeeping).

Here it is pretty simple. One option is to set some command-line options manually, the other is to copy the sapsrv.pse to the sapcli.pse:

  • hdbsql -e (forces the use of encryption)
  • copy the sapsrv.pse to the sapcli.pse:

cp /usr/sap/SID/HDB00/hostname/sec/sapsrv.pse /usr/sap/SID/HDB00/hostname/sec/sapcli.pse

Connect string to skip hostname validation:

hdbsql -U <hdbuserstore key> -e -ssltrustcert

As always, you can create your own certificate for the client and copy it to sapcli.pse instead of using the server’s sapsrv.pse.

But still some more options, e.g. -ssltrustcert, have to be added to the call.

Result: Your hdbsql connection is now encrypted via SSL.

2300943 – Enabling SSL encryption for database connections for SAP HANA extended application services, advanced model

2487639 – HANA Basic How-To Series – HANA and SSL – MASTER KBA

# SSL for internal communication
ssl = on/systempki
# Enforce clients to connect only with a valid certificate.
sslEnforce = true
# This property tells SAP HANA XS advanced services and applications to open an SSL encrypted connection to the SAP HANA database.
# The default value is "false".
jdbc_ssl = true
# This property can be used to enable or disable validation of the certificate for the SSL encrypted connection to the SAP HANA database.
# This property only takes effect for SAP HANA XS advanced services and Java applications.
# It has no effect for Node.js or XSJS applications. The default value is "false".
jdbc_ssl_validate_certificate = true
# This property can be used to override the hostname which is used during hostname validation of the SSL encrypted connection to the SAP HANA database.
# This property only takes effect for SAP HANA XS advanced services and Java applications.
# It has no effect for Node.js or XSJS applications.
jdbc_ssl_certificate_hostname =
# minimum available SSL protocol version: SSL30, TLS10, TLS11, TLS12
sslMinProtocolVersion = TLS10/TLS11/TLS12
# maximum available SSL protocol version: TLS10, TLS11, TLS12, MAX
sslMaxProtocolVersion = MAX
# values: commoncrypto (default), openssl, mscrypto
sslCryptoProvider = commoncrypto
# key store file used for external communication
sslKeyStore = sapsrv.pse
# trust store file used for external communication
sslTrustStore = sapsrv.pse
# validate the certificate of the communication partner during external communication (default: false) => set to true if possible
sslValidateCertificate = true
# For each purpose in this list, the in-memory PSE store is omitted and the file-based PSE store is used
# Possible values are: JWT, SAML, SAP LOGON, SSL, X509
skip_in_memory_pse_store_for_purpose =
# SSL for internal communication over localhost
ssl_local = on

Be careful with setting these parameters! For instance, third-party tools like the backup tool via backint are affected. Check if your vendor supports SSL. Check all connecting interfaces for it.

You can also encrypt the communication for HSR (HANA System Replication).

Tip: Create a security configuration template (HANA Cockpit) for all your databases to apply changes pretty fast.

Result: You have forced all communication channels to use SSL. All incoming connections have to use it or they get dropped.
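As an added example (not from the original post), a small audit of the [communication] section of global.ini against the hardening parameters listed above. Both ini snippets are constructed samples; the comparison of parameter names is case-insensitive, which is an assumption matching how the post writes them (sslenforce / sslEnforce).

```python
# Added example (not from the original post): checks a global.ini [communication]
# section against the hardened parameter values listed in the post.
# Both ini snippets are constructed samples, not a real system's configuration.
import configparser

WEAK_GLOBAL_INI = """
[communication]
ssl = off
sslEnforce = false
sslMinProtocolVersion = TLS10
sslValidateCertificate = false
"""

HARDENED_GLOBAL_INI = """
[communication]
ssl = systemPKI
sslEnforce = true
sslMinProtocolVersion = TLS12
sslMaxProtocolVersion = MAX
sslValidateCertificate = true
ssl_local = on
"""

PROTOCOL_ORDER = ["SSL30", "TLS10", "TLS11", "TLS12"]


def audit_communication(ini_text: str) -> list:
    """Return findings for [communication]; an empty list means the section
    matches the post's hardened settings. configparser lowercases option
    names, so the comparison is case-insensitive (assumption, see lead-in)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("communication"):
        return ["[communication] section missing: all TLS settings at defaults"]
    comm = cp["communication"]
    findings = []
    if comm.get("ssl", "off").lower() not in ("on", "systempki"):
        findings.append("ssl is not on/systemPKI: internal communication unencrypted")
    if comm.get("sslenforce", "false").lower() != "true":
        findings.append("sslEnforce is not true: unencrypted client connections still accepted")
    minver = comm.get("sslminprotocolversion", "").upper() or "unset"
    if minver not in PROTOCOL_ORDER[PROTOCOL_ORDER.index("TLS12"):]:
        findings.append(f"sslMinProtocolVersion={minver}: TLS 1.2 not required as minimum")
    if comm.get("sslvalidatecertificate", "false").lower() != "true":
        findings.append("sslValidateCertificate is not true: partner certificate not validated")
    if comm.get("ssl_local", "off").lower() != "on":
        findings.append("ssl_local is not on: localhost communication unencrypted")
    return findings
```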

There is already a blog post in place covering this topic. An overview of the processes themselves can be found in this blog.

Check also the official documentation.

  1. Create the certificate based on the vhostname of the server
  2. Copy the *.pse as SAPSSLS.pse to /usr/sap/hostctrl/exe/sec/
  3. Set ssl/server_pse = <Path to Server PSE> inside the host_profile
  4. Restart the host agent

Tip: use the integrated port reservation of the Host agent for all of your services

/usr/sap/hostctrl/exe/host_profile

reserved_port/product_list = HANA,XSA

Possible values are: HANA,HANAREP,XSA,ABAP,J2EE,SUITE,ETD,MDM,SYBASE,MAXDB,ORACLE,DB2,TREX,CONTENTSRV,BO,B1

Check SAP Note 401162 for details:

401162 – Linux: Avoiding TCP/IP port conflicts and start problems

Check also the saphostctrl functionality for the monitoring:

/usr/sap/hostctrl/exe/saphostctrl -function GetDatabaseSystemStatus -dbname SYSTEMDB@InstanceName -dbtype hdb

There are two possibilities to store the certificates:

  • file based => PSE
  • inside the database => certificate collection

Due to its flexibility there are some advantages (copying/moving databases) in the newer solution (certificate collection), but if you have to update 100 HANA instances with a new certificate every 2 years, it can be easier to use the file-based solution. Here you can reuse your current automation for updating them.

Source: SAP

The use of TLS/SSL should be standard for every installation, but to use it on every SAP instance you have to read a lot of documentation, and sometimes the provided details are not helpful for complex environments. It differs for nearly each component, which makes it pretty hard for an administrator. Another thing is the maintainability of the certificates. Here you should consider a standard automation. Setting it up is one task, maintaining and operating it another.

I hope this little summary is helping you to understand the relations and avoid some errors and long researches.