Overview
This blog is intended to use SAP crypto library to enable SAML SSO from SAP BI4 to SAP HANA DB. If you want to use OPENSSL instead, please check the other SCN blog for details.
Turn on SSL using SAP Crypto Library
1. Install SAP Crypto library
SAP Crypto Library can be downloaded from Service Market Place. Browse to http://service.sap.com/swdc, expand Support Packages and Patches "Browse our Download Catalog "SAP Cryptographic Software" SAPCRYPTOLIB" SAPCRYPTOLIB 5.5.5 "Linux on x86_64 64bit.
The new CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 (or higher) is fully compatible with previous versions of SAPCRYPTOLIB, but adds features of SAP Single Sign-On 2.0 Secure Login Library. It can be downloaded in this location:
expand Support Packages and Patches "Browse our Download Catalog "Additional Components " SAPCRYPTOLIB "COMMONCRYPTOLIB 8
Use SAPCAR to extract sapgenpse and libsapcrypto.so to /usr/sap/<SID>/SYS/global/security/lib/
Add the directory containing the SAP Crypto libraries to your library path:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/sap/<SAPSID>/SYS/global/security/lib
2. Create the SSL key pair and certificate request files
Copy the sapgenpse to $SECUDIRdirectory. Then run sapgenpse to generate sapsrv.pse file and SAPSSL.req file:
./sapgenpse get_pse -p sapsrv.pse -r SAPSSL.req "CN=<FQDN of the host>"
- Send the Certificate Request to a Certificate Authority to be signed. Browse to http://service.sap.com/trust, and expand SAP Trust Center Services in Detail, and click SSL Test Server Certificates, and then click the ‘Test it Now!’ button. Paste the content from the SAPSSL.req file to the text box, and click Continue.
![1.png]()
SAP returns the signed certificate as text, copy this text and paste it into a file on the HANA server:
/usr/sap/<sid>/HDB<instance_nr>/<hostname>/sec/SAPSSL.cer - Download the SAP SSL Test Server CA Certificate from the http://service.sap.com/trust site:
![6.png]()
- Import the Signed Certificate using sapgenpse
./sapgenpse import_own_cert -c SAPSSL.cer -p sapsrv.pse -r SAPServerCA.cer
3. Check HANA settings
Indexserver.ini->[Communication]->sslcryptoprovider = sapcrypto
4.Restart HANA, and test if SSL works from HANA studio
Click on the "Connect using SSL" option in the properties of the connection. Once done, a lock will appear in the connection in HANA Studio
Create Certificate file for BO instance.
- Create HANA Authentication connection
Log onto BO CMC" Application" HANA Authentication, click New. After provide HANA Hostname and port, and IDP name, click the Generate button, and click OK button so that you will see an entry added for HANA authentication![10-22-2014 10-07-46 AM.png]()
Copy the content of the generated certificate and paste it to a file on your HANA server:
/usr/sap/<sid>/HDB<instance_nr>/<hostname>/sec/sapid.cerAdd the certification to the pse file:
./sapgenpse maintain_pk -p sapsrv.pse -a sapid.cer
4. You may need to Restart HANA to make the new pse file take effect.
SAML configuration in HANA
Create SAML provider in HANA
You could import the SAML identity provider from the certificate file (sapid.cer) which you created from last step in Security->Open security Console -> SAML Identity Providers. Make sure you have chosen the SAP Cryptographic Library.
2. Create a HANA user TESTUSER with SAML authentication.
Check the SAML option, click the Configure link, then Add the Identity Provider created in last step 'HANA_BI_PROVIDER' for the external user 'Administrator'
Test SAML authentication
Go to BO CMC" Application" HANA Authentication, edit the entry created in previous step, click "Test Connection" button.
Troubleshooting
If the connection test is not successful, please change the trace level of the following to DEBUG:
indexserver.ini - authentication, xssamlproviderconfig
The index server trace will provide more information on why the authentication failed.
Reference
How to Configure SSL for SAP HANA XSEngine using SAPCrypto
Configuring SAML with SAP HANA and SAP BusinessObjects 4.1 - Part 1