This blog post describes a possibility to automate certificate renewal for HANA Databases.
We assume, that you are familiar with the certificate lifecycle management process in general and as well with the implementation (https://blogs.sap.com/2020/07/09/configuring-certificate-lifecycle-management/).
In general, there are two possibilities to manage certificates in HANA:
- As PSE files on OS level
- As InDatabase certificates in stores within the HANA Databse (this is always tenant specific)
The solution described below will concern primarily the PSE files on OS level, but there will be some hints on how to handle InDatabase certificates as well.
Prerequisites
- Working Certificate Lifecycle Management Setup in Secure Login Server
- Commandlinebinary sapslscli (can be downloaded as Secure Login Library 3.0 in the SAP Single Sign-On 3.0 product)
- [for PSE file reload] HANA 2.0 SPS07
We assume that the Secure Login Server is reachable via HTTPS from the HANA Database.
We assume that the sapgenpse binary as well as the sapslscli binary are in directories that are part of the PATH variable and that they work (i.e. there is no error when they are called without any parameters).
We assume that the SECUDIR environment variable is set to the standard Secudir of the HDB (usually /usr/sap/<SID>/HDB<INST-NR>/<HOSTNAME>/sec)
We assume that you have the URL to the Application Server Profile Group Metadata (can be found in the SLAC. This is the URL that you paste into the ABAP Report and the Java Application). We’ll call this URL MetadataURL.
Also, we assume the CLM scenario to be configured in the SLS. If this is not the case, please refer to this blog for information about the implementation: https://blogs.sap.com/2020/07/09/configuring-certificate-lifecycle-management/
We will assume, that the SECUDIR environment variable is set to /usr/sap/<SID>/HDB<Inst-Nr.>/<host>/sec.
General Scenario
As in the AS ABAP and AS Java scenarios, there are two certificates:
- A so called Registration Agent certificate, which is used to authenticate the client at the Secure Login Server. We will call this file SLSRA.pse in this document, even though the name doesn’t matter.
- The TLS Server certificate, which is used by the HANA Database to authenticate to clients. We will call it sapsrv.pse, even though this name doesn’t matter either.
First, the two PSE files will be created. Then the SLSRA.pse will be enrolled with the Secure Login Server.
Afterwards, the sapsrv.pse will be signed.
As a last step, the HANA database will be informed about the certificate having been changed.
Implementation and Usage
To communicate with the SLS, we need the specific enrollment URLs. These are contained in the Metadata. Download the metadata and get the URLs for the RA as well as the TLS server certificate profiles:
In the SECUDIR create the two PSE files:
sapgenpse gen_pse -p SLSRA.pse -s 4096 -x '' "CN=<HDB-SID>, OU=SAP, O=<Company>, C=<Country Code>"
sapgenpse gen_pse -p sapsrv.pse -s 4096 -x '' "DNS=<host>, CN=<host>, OU=SAP, O=<Company>, C=<Country Code>"Replace the HDB-SID with the SID of your Hana Database and maintain it in the Secure Login Server as a valid SID for the application server profile group. Replace <host> with the hostname that the HANA Database is reachable by. You can add additional hosts by expanding the DNS entry with the hosts, separated by colons.
Then sign the SLSRA.pse with the SLS by using
sapslscli enroll -r SLSRA.pse -i -e '<RA Enrollment URL>'Then use this newly signed RA PSE to sign the sapsrv.pse
sapslscli renew -p sapsrv.pse -r SLSRA.pse -e '<TLS Server Enroll URL>'With this, you should have a signed sapsrv.pse, that can be used by the HANA Database.
Now, you can regularly renew both PSE files by scheduling the commands
sapslscli renew -p SLSRA.pse -r SLSRA.pse -e '<TLS Client Enroll URL>'
sapslscli renew -p sapsrv.pse -r SLSRA.pse -e '<TLS Server Enroll URL>'This will renew your PSE files. You can also add the “-g <N>” parameter to renew a certificate if the validity is less than <N> days.
After a renewal, you can reload the PSE file by issuing the SQL statement
ALTER SYSTEM RELOAD FILE PSE(documented here https://help.sap.com/docs/SAP_HANA_PLATFORM/4fe29514fd584807ac9f2a04f6754767/04b171b3450143feb08b63912f768125.html?locale=en-US), which is available since HANA 2.0 SP7.
For older HANA releases, you can think about converting the PSE file into a PKCS8 and importing that into a database store.
In any case, you will need the hdbsql client and credentials.
Conclusion
Obviously, this blog just provides a rough outline of the scenario and an idea of the relevant commands needed. There are still some things to be done:
Everything should be put into a script that can be scheduled regularly. Such a script can be a few hundred lines long without any problem. You have to consider your specific environment (what are the names of the PSE files, where are the binaries located, which environment variables are present, which SIDs should be renewed, which user is executing the script, what is the preffered language in your company).
In addition, such a script (from a coneceptual point of view) can also be used to renew for example the TLS Server certificates for a Hostagent. Now, the question is, if that should be a different script or if everything should be handled by the same script (depends for example on the user running the script, since the hostctrl usually relies on the sapadm and root, while the HDB file system usually belongs to <sid>adm).
Due to all these different options, there is no one script, that can cover all the needs and hence, there is also no script attached to this blog.
All these things together give you a hint at the commands that need to be executed. You still need to put this into a script, but when you grasp the general concept, this can basically be used to renew any certificate that can be imported/activated in an application via OS commands (for example Web Dispatchers, Hostagents, SNC certificates for AS Java, Wily Introscope Manager, XSA, HANA Cockpit 2.0, TREX SNC certificates, …).
