Friday, 4 November 2016

Secure your HANA Cloud Connector with OpenSSL certificates – Part 2

In part 1 of this blog series, I showed how to secure your SCC with a trusted UI Certificate.

Therefore, in this blog, I will show how to further secure your SCC with a trusted System Certificate, put your CA certificate in the Trust Store, install an SCC CA Certificate and, with that, enable Principal Propagation.

Installing an SCC System Certificate is very similar to installing a UI Certificate. The steps are:
  1. Generate and export a Certificate Signing Request (CSR)
  2. Import and sign the CSR in your CA tool
  3. Export the resulting certificate and subsequently import it into the SCC


To import your CA certificate into your SCC, you have to export it in DER format.

Then you can import it into your SCC Trust Store.

Generating the CSR for your SCC CA Certificate is similar to the SCC System Certificate, with one important difference: it carries 2 additional X.509 extensions, i.e. Certificate Sign and CRL Sign. These are generated automatically by the SCC, but make sure they are present prior to signing the request.

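The two checks from this post that can be scripted, as an added example that is not part of the original post: confirming that a CSR requests Certificate Sign and CRL Sign before you sign it, and converting a PEM CA certificate to DER for the Trust Store import. It assumes the `openssl` command-line tool is available; the function names, file names and sample CSRs are constructed for illustration.

```shell
# Added example, not from the original post; function and file names are hypothetical.
# Return 0 only if the CSR requests both Key Usage values the SCC CA
# Certificate needs: Certificate Sign and CRL Sign.
csr_requests_ca_key_usage() {
    usage=$(openssl req -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Key Usage/ { getline; print; exit }')
    case "$usage" in *"Certificate Sign"*) ;; *) return 1 ;; esac
    case "$usage" in *"CRL Sign"*) ;; *) return 1 ;; esac
    return 0
}

# Convert a PEM CA certificate to DER for the SCC Trust Store import,
# then re-read the DER file to confirm it parses as a certificate.
ca_cert_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2" &&
        openssl x509 -inform DER -in "$2" -noout
}

# Constructed sample input: a throwaway CA certificate and two CSRs,
# one requesting the CA key usages and one that does not.
make_constructed_samples() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-example
[ca_ext]
keyUsage = critical, keyCertSign, cRLSign
[other_ext]
keyUsage = digitalSignature, keyEncipherment
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -reqexts ca_ext -keyout "$d/a.key" -out "$d/scc_ca.csr" 2>/dev/null &&
    openssl req -new -key "$d/a.key" -config "$d/req.cnf" \
        -reqexts other_ext -out "$d/other.csr" 2>/dev/null &&
    openssl req -x509 -new -key "$d/a.key" -config "$d/req.cnf" \
        -days 1 -out "$d/ca.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_constructed_samples "$demo_dir"
for csr in scc_ca.csr other.csr; do
    csr_requests_ca_key_usage "$demo_dir/$csr" &&
        echo "$csr: CA key usages present" || echo "$csr: CA key usages missing"
done
ca_cert_to_der "$demo_dir/ca.pem" "$demo_dir/ca.der" && echo "ca.der written"
rm -rf "$demo_dir"
```

Run `csr_requests_ca_key_usage` on the CSR exported from the SCC before signing it; a non-zero exit status means at least one of the two key usages is missing from the request.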

Subsequently, your SCC CA Certificate can be imported.

And with that, Principal Propagation can be activated.

As a result, we got 2 more green boxes in the SCC General Security Status.

In my next and final blog of this series, I will show how to configure local LDAP authentication of your Cloud Connector administrators.

Source: scn.sap.com
