SAP HANA applications can use single sign-on (SSO) authentication with X.509 certificates to confirm the logon credentials of a user calling an application service.
To configure SAP HANA to use trusted X.509 certificates for user authentication with SSO, note the following prerequisites:
You need root/administrator access to the SAP HANA system hosting the SAP Web Dispatcher service.
Note
To maintain security and authentication settings for SAP HANA XS applications, the user also needs the privileges granted by the SAP HANA XS role RuntimeConfAdministrator.
The SAP encryption library libsapcrypto.so is installed and available.
The trust store utility sapgenpse is available.
The SAP Web Dispatcher trust store (SAPSSL.pse) is available.
Note
The SAP Web Dispatcher referred to here is internal to SAP HANA XS and not the SAP Web Dispatcher included in the SAP Fiori / SAP Smart Business system landscape.
The SAP HANA trust store (sapsrv.pse) is available.
To enable SAP HANA applications to use single sign-on (SSO) authentication with X.509 certificates to confirm the logon credentials of a user, you need to add the root CA of the trusted X.509 certificates to both the SAP HANA trust store (sapsrv.pse) and the SAP Web Dispatcher trust store (SAPSSL.pse).
Add the root CA of the trusted X.509 certificates to the SAP HANA trust store (sapsrv.pse).
Syntax
./sapgenpse maintain_pk -p /usr/sap/<SAPHANAInstance>/HDB<InstNo>/<Hostname>/sec/sapsrv.pse -a SSO_CA.der
Add the root CA of the trusted X.509 certificates to the SAP Web Dispatcher trust store (SAPSSL.pse).
Syntax
./sapgenpse maintain_pk -p /usr/sap/<SAPHANAInstance>/HDB<InstNo>/<Hostname>/sec/SAPSSL.pse -a SSO_CA.der
Reload the new trust store configuration.
Whenever you import a new certificate into a trust store, you must restart the processes that read that trust store, because they only load it at startup. For example:
SAP HANA trust store (sapsrv.pse): hdbxsengine and hdbindexserver
SAP Web Dispatcher trust store (SAPSSL.pse): sapwebdisp_hdb
Maintain the authentication settings in the runtime configuration for your SAP HANA XS application.
You can use the Web-based SAP HANA XS Administration Tool to complete this step. The tool is available on the SAP HANA XS Web server at the following URL: http://<WebServerHost>:80<SAPHANAInstance>/sap/hana/xs/admin/.
Create a database user whose identity is defined in an X.509 certificate.
Create a new user in the SAP HANA database based on the details specified in an existing X.509 certificate.
The following example shows how to use the SQL statement CREATE USER WITH IDENTITY to create the database user "MyUserName" and bind it to the subject and issuer of the corresponding X.509 certificate:
Syntax
CREATE USER MyUserName WITH IDENTITY 'CN=MyUserName, O=SAP-AG, C=DE' ISSUER 'CN=SSO_CA, O=SAP-AG, C=DE' FOR X509
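The IDENTITY and ISSUER strings in CREATE USER have to match what is actually in the user's certificate, and the file handed to sapgenpse has to be the CA that signed that certificate; a mismatch in either leaves the user unable to log on, with nothing in the SQL statement itself to show why. The following script is an added example and is not part of the SAP documentation or of SAP's tooling: it builds a throwaway CA and user certificate with openssl (constructed test material standing in for SSO_CA.der and the user's certificate), checks that the CA file really carries CA:TRUE, checks that the user certificate chains to it, and derives the CREATE USER statement from the certificate's subject and issuer instead of typing the DNs by hand. It assumes openssl 1.1.1 or later on PATH and that SAP HANA expects the DN in the order and ", " notation shown in the example above; the function names (dn_of, is_ca, chains_to_ca, create_user_sql) are the example's own.

```shell
#!/bin/sh
# Added example (not SAP documentation code): check the certificates used
# for X.509 SSO before importing the CA into sapsrv.pse / SAPSSL.pse and
# before running CREATE USER ... WITH IDENTITY.
# Assumptions: openssl 1.1.1+ is on PATH; HANA compares IDENTITY/ISSUER
# against the certificate subject/issuer written in RFC 2253 order with
# ", " separators, as in the page's CREATE USER example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- Constructed test material: a throwaway CA and one user certificate. ---
# In a real landscape SSO_CA.der is the root CA you are given; these files
# exist only so that the example runs offline.
CA_PEM="$WORK/ca.pem"
CA_DER="$WORK/SSO_CA.der"
USER_PEM="$WORK/user.pem"

cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = DE
O = SAP-AG
CN = SSO_CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$CA_PEM" >/dev/null 2>&1
openssl x509 -in "$CA_PEM" -outform DER -out "$CA_DER"

cat > "$WORK/user.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = DE
O = SAP-AG
CN = MyUserName
EOF
openssl req -new -config "$WORK/user.cnf" -newkey rsa:2048 -nodes \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/user.csr" -CA "$CA_PEM" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$USER_PEM" >/dev/null 2>&1

# dn_of FILE FORM FIELD: print the subject or issuer DN of a certificate
# (FORM is PEM or DER, FIELD is subject or issuer) as "CN=..., O=..., C=...",
# the notation used in CREATE USER ... WITH IDENTITY ... ISSUER.
dn_of() {
  openssl x509 -in "$1" -inform "$2" -noout "-$3" \
    -nameopt RFC2253,sep_comma_plus_space | sed 's/^[a-z]*= *//'
}

# is_ca FILE FORM: succeed only if the certificate carries CA:TRUE, so that a
# leaf certificate is not imported into the trust stores by mistake.
is_ca() {
  openssl x509 -in "$1" -inform "$2" -noout -text | grep -q 'CA:TRUE'
}

# chains_to_ca CA_PEM USER_PEM: succeed if the user certificate was signed by
# the CA that is about to be trusted; otherwise the logon fails even though
# the IDENTITY string looks right.
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# create_user_sql USERNAME USER_PEM: derive the CREATE USER statement from the
# user's own certificate rather than typing the DNs by hand.
create_user_sql() {
  printf "CREATE USER %s WITH IDENTITY '%s' ISSUER '%s' FOR X509;\n" \
    "$1" "$(dn_of "$2" PEM subject)" "$(dn_of "$2" PEM issuer)"
}

# Demo run over the constructed material.
is_ca "$CA_DER" DER && echo "SSO_CA.der is a CA certificate"
chains_to_ca "$CA_PEM" "$USER_PEM" && echo "user certificate chains to SSO_CA"
create_user_sql MyUserName "$USER_PEM"
```

Run it with sh; against real material, replace the constructed files with the SSO_CA.der you intend to import and the user's exported certificate, and only pass SSO_CA.der to sapgenpse once is_ca and chains_to_ca both succeed.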
Import into the Web browser the X.509 certificate that is to be used to authenticate the new database user.
Use a Web browser to test the logon authentication settings for the SAP HANA application.
When you enter the URL for your application in the Web browser, the Web browser prompts you to select a certificate, which enables you to log on without supplying logon credentials manually.