Thursday 1 June 2017

Providing OpenSSL certificates for domains defined in HANA XSA

To start with, I create a server certificate for my HANA XSA system as usual.

This provides me with two crucial files:

1. hxehost.dyndns.org.p12 (private key – Download to Firefox)
2. hxehost.dyndns.org.pem (host certificate – Download PEM file)

However, per SAP Note 2243019 (Providing SSL certificates for domains defined in SAP HANA extended application services, advanced model), I need the complete chain of X.509 PEM-encoded certificates. Therefore, I download the CA certificate as PEM.

Unfortunately, these certificates are not yet in the required format.

Convert the key file into an unencrypted RSA private key in PKCS8 format encoded as PEM:

C:\openssl-1.0.2k-x64_86-win64>openssl pkcs12 -in hxehost.dyndns.org.p12 -nocerts -nodes -out hxehost.dyndns.org-key.pem
Enter Import Password:
MAC verified OK

C:\openssl-1.0.2k-x64_86-win64>openssl pkcs8 -in hxehost.dyndns.org-key.pem -topk8 -nocrypt -out hxehost.dyndns.org-key.pk8

Combine the host certificate and the CA certificate so that the certificate-chain file includes the complete chain of X.509 PEM-encoded certificates. The order of the certificates must ensure that a signed certificate is always followed by its signing certificate. In other words, put the root certificate last:

C:\openssl-1.0.2k-x64_86-win64>copy hxehost.dyndns.org.pem + compriseitcom.pem hxehost.dyndns.org-cert.pem
hxehost.dyndns.org.pem
compriseitcom.pem
        1 file(s) copied.

Finally, I use the SAP HANA XS advanced command-line client to upload my custom certificates for my domain:

C:\XS_CLIENT00P_46-70001792\bin>xs set-certificate hxehost.dyndns.org -k \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-key.pk8 -c \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-cert.pem

Setting SSL certificate for domain hxehost.dyndns.org as xsa_admin...
OK
TIP: Restart the SAP XS Controller to ensure your changes take effect for all applications.
Alternatively use 'xs restage' and 'xs restart' for all applications.

After a restart, I got a secure connection to all my HANA XSA services for this domain.

This might have looked a bit tedious to start with, but now you've got it. Well done.
