
Maintaining SSO with X.509 Authentication for SAP HANA XS Applications


SAP HANA applications can use single sign-on (SSO) authentication with X.509 certificates to confirm the logon credentials of a user calling an application service.

Prerequisites

To configure SAP HANA to use trusted X.509 certificates for user authentication with SSO, note the following prerequisites:

  • You need root/administrator access to the SAP HANA system hosting the SAP Web Dispatcher service.

    Note: To maintain security and authentication settings for SAP HANA XS applications, the user also needs the privileges granted by the SAP HANA XS role RuntimeConfAdministrator.

  • The SAP encryption library libsapcrypto.so is installed and available.

  • The trust store utility sapgenpse is available.

  • The SAP Web Dispatcher trust store (SAPSSL.pse) is available.

    Note: The SAP Web Dispatcher referred to here is internal to SAP HANA XS and not the SAP Web Dispatcher included in the SAP Fiori / SAP Smart Business system landscape.

  • The SAP HANA trust store (sapsrv.pse) is available.

Procedure

To enable SAP HANA applications to use single sign-on (SSO) authentication with X.509 certificates to confirm the logon credentials of a user, you need to add the root CA of the trusted X.509 certificates to both the SAP HANA trust store (sapsrv.pse) and the SAP Web Dispatcher trust store (SAPSSL.pse).

  1. Add the root CA of the trusted X.509 certificates to the SAP HANA trust store (sapsrv.pse).

    Syntax:

    ./sapgenpse maintain_pk -p /usr/sap/<SAPHANAInstance>/HDB<InstNo>/<Hostname>/sec/sapsrv.pse -a SSO_CA.der

  2. Add the root CA of the trusted X.509 certificates to the SAP Web Dispatcher SAPSSL.pse.

    Syntax:

    ./sapgenpse maintain_pk -p /usr/sap/<SAPHANAInstance>/HDB<InstNo>/<Hostname>/sec/SAPSSL.pse -a SSO_CA.der

  3. Reload the new trust store configuration.

    Whenever you import a new certificate into a trust store, you must restart the processes that use that trust store, for example:

    • SAP HANA trust store (sapsrv.pse)

      hdbxsengine and hdbindexserver

    • SAP Web Dispatcher trust store (SAPSSL.pse)

      sapwebdisp_hdb

  4. Maintain the authentication settings in the runtime configuration for your SAP HANA XS application.

    You can use the Web-based SAP HANA XS Administration Tool to complete this step. The tool is available on the SAP HANA XS Web server at the following URL, where the port is 80 followed by the instance number used in the paths above: http://<WebServerHost>:80<InstNo>/sap/hana/xs/admin/.

  5. Create a database user whose identity is defined in an X.509 certificate.

    1. Create a new user in the SAP HANA database based on the details specified in an existing X.509 certificate.

      The following example shows how to use the SQL statement CREATE USER WITH IDENTITY to create the database user “MyUserName” and map it to the subject and issuer of the corresponding X.509 certificate:

      Syntax:

      CREATE USER MyUserName WITH IDENTITY 'CN=MyUserName, O=SAP-AG, C=DE' ISSUER 'CN=SSO_CA, O=SAP-AG, C=DE' FOR X509

    2. Import the X.509 certificate that is to be used to authenticate the new database user into the Web browser.

  6. Use a Web browser to test the logon authentication settings for the SAP HANA application.

    When you enter the URL for your application in the Web browser, the Web browser prompts you to select a certificate, which enables you to log on without supplying logon credentials manually.
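Added example, not from the SAP documentation: a small pure-Python DER reader that pulls the subject and issuer DNs out of a user's X.509 certificate and emits the CREATE USER ... FOR X509 statement from step 5, so that the identity and issuer strings are copied from the certificate instead of being typed by hand (SAP HANA maps the certificate to the user by matching both strings). The parser, the tiny DER encoder and the sample certificate are constructed here for illustration; function names such as `cert_subject_issuer` are my own and not part of SAP HANA or sapgenpse.

```python
OID_SHORT = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}
def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out
def name_to_dn(name):
    """X.501 Name -> 'CN=..., O=..., C=...' (RFC 2253 order, as in the CREATE USER example)."""
    rdns = []
    for _, rdn in der_children(name):  # each RDN is a SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            rdns.append(f"{OID_SHORT.get(oid, 'OID')}={val.decode()}")
    return ", ".join(reversed(rdns))
def cert_subject_issuer(cert_der):
    """Return (subject_dn, issuer_dn) of a DER-encoded certificate."""
    _, cert, _ = der_tlv(cert_der)
    _, tbs, _ = der_tlv(cert)  # tbsCertificate is the first element of Certificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # optional explicit [0] version precedes serialNumber
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_to_dn(fields[4][1]), name_to_dn(fields[2][1])
def create_user_sql(user_name, cert_der):
    """Build the SAP HANA statement that maps user_name to the certificate's identity."""
    subject, issuer = cert_subject_issuer(cert_der)
    return f"CREATE USER {user_name} WITH IDENTITY '{subject}' ISSUER '{issuer}' FOR X509"

# Constructed sample certificate (dummy signature, empty key) used only to exercise the parser.
def enc(tag, body):  # minimal DER encoder for the sample
    ln = len(body)
    return bytes([tag]) + (bytes([ln]) if ln < 128 else b"\x82" + ln.to_bytes(2, "big")) + body
def enc_name(*pairs):  # pairs in DER order, e.g. ("C", "DE"), ("O", "SAP-AG"), ("CN", ...)
    rev = {v: k for k, v in OID_SHORT.items()}
    return enc(0x30, b"".join(enc(0x31, enc(0x30, enc(0x06, rev[k]) + enc(0x0C, v.encode())))
                             for k, v in pairs))
SHA256_RSA = enc(0x30, enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
TBS = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + SHA256_RSA
          + enc_name(("C", "DE"), ("O", "SAP-AG"), ("CN", "SSO_CA"))          # issuer (the root CA)
          + enc(0x30, enc(0x17, b"240101000000Z") * 2)                         # validity
          + enc_name(("C", "DE"), ("O", "SAP-AG"), ("CN", "MyUserName"))      # subject (the user)
          + enc(0x30, b""))                                                    # empty subjectPublicKeyInfo
SAMPLE_CERT = enc(0x30, TBS + SHA256_RSA + enc(0x03, b"\x00" * 9))
```

Run `create_user_sql("MyUserName", open("user.der", "rb").read())` against the real DER file exported from the browser or CA to get the statement for step 5.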