
Foreword

This page gives any customer an end-to-end procedure for setting up a valid SSL certificate to be used with SAP Analytics Cloud in the Chrome browser.

Table of Contents

5 rules for a valid SSL Certificate with SAP Analytics Cloud Live Connection
SSL Certificate thru Proxy
PassThrough Proxy 
Not PassThrough Proxy 
SSL Certificate settings in SAP HANA
SSL Certificate settings in SAP NetWeaver BW
Wildcard SSL or SAN based Certificate settings with sapgenpse command line

5 rules for a valid SSL Certificate with SAP Analytics Cloud Live Connection

Rule 1

A SAP Analytics Cloud Live Connection is a communication initiated by the business user's browser. The SSL certificate therefore has to be valid from the business user's browser perspective.

Rule 2

The SSL certificate has to be signed by a Certification Authority which is known by your laptop.

  • Mac and Windows come with pre-installed Trusted Root Authority certificates. These certificates are used across Mac, Windows and browsers to verify the identity of trusted websites.

  • You can add the Trusted CA Root certificate and intermediate certificates (if any) of your own Certification Authority to your computer's trust store.

Rule 3

Hash Algorithm must be SHA-256. SHA1 is now deprecated. 

Rule 4

A Subject Alternative Name (SAN) is mandatory. The Chrome browser requires it; otherwise, Chrome will not consider your certificate valid.

Rule 5 

An SSL certificate is only valid for a specific hostname which can be resolved through DNS or the hosts file (not recommended). No IP address!
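As an added example (not part of the original page and not SAP tooling), the shell function below checks a PEM certificate against rules 3, 4 and 5 with the openssl CLI, for instance when the CA returns the signed certificate. The function name check_cert and the hostname hana.example.com are assumptions; it expects OpenSSL 1.0.2 or later for -checkhost and does not cover rule 2 (trust chain).

```shell
# Added example (not SAP tooling): check a PEM certificate against rules 3-5.
# Usage: check_cert <cert.pem> <hostname used in the Live Connection URL>
check_cert() {
    cc_cert=$1; cc_host=$2; cc_rc=0
    cc_text=$(openssl x509 -in "$cc_cert" -noout -text 2>/dev/null) || {
        echo "cannot parse $cc_cert"; return 2; }

    # Rule 3: the signature hash must be SHA-256.
    cc_sig=$(printf '%s\n' "$cc_text" |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }')
    case $cc_sig in
        *[sS][hH][aA]256*) echo "rule 3 OK:   $cc_sig" ;;
        *) echo "rule 3 FAIL: $cc_sig is not SHA-256"; cc_rc=1 ;;
    esac

    # Rule 4: a SAN extension with at least one DNS entry must be present.
    cc_san=$(printf '%s\n' "$cc_text" | awk '
        /Subject Alternative Name/ { getline; sub(/^ +/, ""); if (/DNS:/) print }')
    if [ -n "$cc_san" ]; then
        echo "rule 4 OK:   $cc_san"
    else
        echo "rule 4 FAIL: no Subject Alternative Name DNS entry"; cc_rc=1
    fi

    # Rule 5: the URL host must be a DNS name (no IPv4/IPv6 literal) that the
    # certificate covers. openssl -checkhost falls back to the CN when there
    # is no SAN, which Chrome does not, hence the separate rule 4 check.
    case $cc_host in
        *:* | "")  cc_ip=1 ;;   # IPv6 literal or empty
        *[!0-9.]*) cc_ip=0 ;;   # contains something other than digits and dots
        *)         cc_ip=1 ;;   # digits and dots only: IPv4 literal
    esac
    if [ "$cc_ip" -eq 1 ]; then
        echo "rule 5 FAIL: '$cc_host' is not a DNS hostname"; cc_rc=1
    elif openssl x509 -in "$cc_cert" -noout -checkhost "$cc_host" |
            grep -q 'does match'; then
        echo "rule 5 OK:   certificate covers $cc_host"
    else
        echo "rule 5 FAIL: certificate does not cover $cc_host"; cc_rc=1
    fi
    return "$cc_rc"
}

# Run directly:  sh check_cert.sh server.pem hana.example.com
if [ "$#" -eq 2 ]; then check_cert "$1" "$2"; fi
```

The function returns 0 only when all three rules pass, so it can gate an import step in a script.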

SSL Certificate thru Proxy

If your SAP Analytics Cloud Live Connection goes through a proxy, you have to take it into account.

Let's consider two types of proxy:

  • PassThrough Proxy (Proxy does not decrypt and encrypt)
  • Not PassThrough Proxy (Proxy decrypts and encrypts)

PassThrough Proxy (Flow is encrypted by Datasources and decrypted by Browser)

Not PassThrough Proxy (Intermediate re-encryption of Proxy)

SSL Certificate settings in SAP HANA

Go to HANA PSE Management  (/sap/hana/xs/wdisp/admin) 

  • Recreate the PSE and set the proper CN for your HANA XS endpoints. Do not forget to specify DNS=<FQDN> in front of the Distinguished Name to generate the Subject Alternative Name (see chapter about Chrome). Choose RSA with SHA-256 as algorithm.
  • Enter the Instance-Specific PSE with the correct CN and add DNS=<dns server hostname>. In this example, the DNS server is equal to the HANA server.
  • DNS is mandatory to generate the Subject Alternative Name (SAN) item in your certificate. SAN is mandatory for some browsers, especially the Chrome browser.
  • You can also add the Subject Alternative Name when you sign the Certificate Signing Request in your Certification Authority, if possible.

  • Select Create. You should get the below green message: Created Key Pair for PSE SAPSSLS.pse.

  • Select Create CA request, then copy the CA request of the PSE.

  • Copy and paste CA request into a new file. Send it to the Certification Authority Administrator for signing. 

  • The CA administrator should have sent back the signed certificate with the CA Root and intermediate certificates, if any.
  • Paste the server, root and intermediate certificates in the same response window, as in the screenshot below:
  • Copy and paste the signed certificate followed by the CA Root certificate and intermediate in the Import CA Response into PSE SAPSSLS.pse field.

  • Press Import. You should get the following response:


You can now access your HANA XS endpoint with a valid certificate. 

SSL Certificate settings in SAP NetWeaver BW

Go to the STRUST transaction with administration privileges:

  • Select SSL Server Standard
  • First step: delete the existing PSE and create a new one.

 

  • Right click on SSL server Standard and select Delete option

  • Now SSL server Standard should show a red cross icon

  • Right click on SSL server Standard and select Create option

  • Enter the FQDN (Full Qualified Distinguished Name) of your server 
  • Check that you selected the appropriate algorithm (SHA256 is more than recommended. SHA1 is now deprecated and no longer supported by most browsers)

  • Enter the Instance-Specific PSE with the correct CN and add DNS=<dns server hostname>. In this example, the DNS server is equal to the NetWeaver BW server.
  • DNS is mandatory to generate the Subject Alternative Name (SAN) item in your certificate. SAN is mandatory for some browsers, especially the Chrome browser.
  • You can also add the Subject Alternative Name when you sign the Certificate Signing Request in your Certification Authority, if possible.

 

  • Copy and paste the content of the certificate request into a file. Send it to the Certification Authority Administrator for signing.

  • Open Import Response as above.
  • CA administrator should have sent back Signed Certificate with CA Root and Intermediates Certificates if any. 
  • Paste server, root and intermediate certificates in the same response window as below: 

  • Submit response 

  • Now test your certificate by requesting /sap/public/ping (no authentication required) or /sap/bw/ina/GetServerInfo service for example. 

Your certificate is valid and the certificate chain is available on your laptop, as below:

Subject Alternative Name is available for Chrome Browser support. 

Wildcard or SAN based SSL Certificate settings with sapgenpse command line

Customers can buy a wildcard certificate or a multi-server certificate based on a Subject Alternative Name DNS name list, to be used across all their organisations. In such a context, the standard signing process does not fit customer requirements.

The provided certificate and key have to be uploaded into the SAP PSE trust store. This cannot be done with the SAP PSE GUI or the SAP STRUST transaction. You have to do it through the sapgenpse command line.

Let's assume you receive from your SSL provider a file with:

    • Client wildcard certificate and Client Certificate Key (p12 format such as certificate.pfx or certificate.p12)
    • Certificate chain from your SSL Provider composed by CA Root and intermediate certificates. (CA Root 
  1. Go to the location of SAPSSLS.pse file :  /usr/sap/<Tenant>/<Instance>/<hostname>/sec
  2. Backup existing SAPSSLS.pse
  3. Copy files from your provider at this location
  4. Type the following command:

    sapgenpse import_p12 -r CAroot.crt -r Intermediate1.crt -r intermediate2.crt ...  -p SAPSSLS.pse certificate.pfx

    Please enter PKCS#8 password : (I will give you the password in a separate mail)
    Delete it ? answer yes
    Please enter a new Pin/Passphrase for the new SAPSSLS.pse file. 
    If successful you get the message : PSE “/usr/sap/…../sec/SAPSSLS.pse” was written.
  5. Restart Webdispatcher
  6. Open PSE Management and type the Pin/Passphrase you have set
  7. You should see your Certificate installed as below: 

Thanks for Reading.