While enabling HTTPS after login to the SAP Start Service for secure communication in SAP HANA, I experienced the issues listed below:
1) The HANA system shows a yellow status in the System View of the SAP HANA Studio, along with the error 'sapstartsrv' service not started. This means that sapstartsrv cannot be reached.
2) The sapstartsrv service is missing from the Services section of the Landscape tab.
3) In the SAP HANA Studio, functions such as Stop System, Start System, and Restart System are no longer available.
4) In the Error Log View of the SAP HANA Studio, the SAPControl request fails with the error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
5) The OS console shows that sapstartsrv is using a PKI certificate. This can be confirmed by executing the command openssl s_client -connect <host>:50014
subject=/C=DE/O=SAP System PKI/CN= _AB2_00
issuer=/C=DE/O=SAP System PKI/OU=sapstartsrv/CN=root_AB2
6) An error like the following confirms that this type of certificate is not valid for SSL secure communication:
verify error:num=27:certificate not trusted
All of the above issues occur because the certificate used by sapstartsrv is either invalid or not trusted by the SAP HANA Studio.
Therefore we must check whether the certificate used for the HTTPS connection is valid.
- Run the command openssl s_client -connect <host>:50014
- Check the output for the hostname that was addressed by the SAP HANA Studio. The hostname must appear either in the subject as the Common Name (CN), or in the respective section of the output as an alternative hostname. Please also check if the certificate is signed by a PKI.
- If the hostname is not in the output, or the certificate is issued by the System PKI, sapstartsrv does not find the correct certificate.
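The checks above can be scripted against saved openssl s_client output, as in the following added example, which is not part of the original post or any SAP tooling. The function names, result strings and sample hostnames are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: triage saved output of  openssl s_client -connect <host>:50014
# usage: classify_sapstartsrv_cert <hostname used by SAP HANA Studio> < output.txt
# Hostname comparison is exact and case-insensitive; wildcards are not handled.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

classify_sapstartsrv_cert() {
    want=$(lower "$1")
    out=$(cat)
    subject=$(printf '%s\n' "$out" | sed -n 's|^ *subject= *||p' | head -n 1)
    issuer=$(printf '%s\n' "$out" | sed -n 's|^ *issuer= *||p' | head -n 1)
    code=$(printf '%s\n' "$out" |
        sed -n 's|^ *Verify return code: *\([0-9]*\).*|\1|p' | head -n 1)
    # CN in old ("/CN=name") or new ("CN = name") OpenSSL subject notation.
    cn=$(printf '%s\n' "$subject" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    # Alternative hostnames: only present if x509 -text output was appended.
    sans=$(printf '%s\n' "$out" | grep -o 'DNS:[^, ]*' | sed 's|^DNS:||')

    # System PKI issuer: sapstartsrv did not pick up SAPSSLS.pse.
    case $issuer in
        *"SAP System PKI"*) echo "wrong-cert: issued by SAP System PKI"; return 0 ;;
    esac
    match=no
    for name in "$cn" $sans; do
        if [ "$(lower "$name")" = "$want" ]; then match=yes; fi
    done
    if [ "$match" = no ]; then
        echo "wrong-cert: hostname not in CN or SAN"; return 0
    fi
    if [ "$subject" = "$issuer" ] || [ "$code" = 18 ]; then
        echo "self-signed"; return 0
    fi
    if [ "$code" = 0 ]; then echo "trusted"; else echo "untrusted: verify code $code"; fi
}

# Constructed sample in the layout s_client prints (not captured from a system).
sample() {
    printf 'subject=%s\nissuer=%s\n    Verify return code: %s\n' "$1" "$2" "$3"
}

sample '/C=DE/O=SAP System PKI/CN=hanahost01_AB2_00' \
       '/C=DE/O=SAP System PKI/OU=sapstartsrv/CN=root_AB2' \
       '27 (certificate not trusted)' | classify_sapstartsrv_cert hanahost01
sample '/CN=hanahost01' '/CN=hanahost01' '18 (self signed certificate)' |
    classify_sapstartsrv_cert hanahost01
```

A "wrong-cert" result corresponds to the case where sapstartsrv must be pointed to SAPSSLS.pse; "self-signed" corresponds to the state where the certificate still has to be signed or trusted.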
In order to point the sapstartsrv to the default SAPSSLS.pse keystore, please follow the steps given below:
1) First, check whether the directory <DIR_INSTANCE>/sec exists.
- If <DIR_INSTANCE>/sec does not exist, continue from step 2.
- If <DIR_INSTANCE>/sec exists, continue from step 4.
2) Create a symbolic link in <DIR_INSTANCE> that points to <DIR_INSTANCE>/<host>/sec. This can be done by running this command:
ln -s /usr/sap/<SID>/HD<instance number>/<host>/sec
3) Restart the service with sapcontrol -nr 00 -function RestartService
4) Run the command openssl s_client -connect <host>:50014
Now you will notice that the certificate has changed. The Subject and Issuer now indicate that this is a self-signed certificate, not a PKI certificate. This can be further confirmed by this entry:
Verify return code: 18 (self signed certificate)
You can now either sign this certificate with a company PKI or trust this self-signed certificate.
For signing the certificate please refer to the sapgenpse command ("gen_pse -onlyreq" and "import_own_cert").
In order to trust the self-signed certificate in your Windows certificate store, please follow the steps given below:
- Copy the certificate, including the -----BEGIN CERTIFICATE----- and the -----END CERTIFICATE----- tags.
- Paste the certificate into a text editor and save the file with the .cer extension.
- Double-click the file, click Install Certificate, and then click Next.
- Select Place all certificates in the following store and then click Browse.
- Now complete the process by selecting Trusted Root Certification Authorities.
Finally, you need to establish the Windows certificate store as the trust store for the SAP HANA Studio:
1) Please add the following system property to the hdbstudio.ini file:
This instructs the Java engine in the SAP HANA Studio to use the Trusted Root Certification Authorities of the Windows certificate store to establish trust.
The hdbstudio.ini file is located in the same folder as the executable that is used to start the SAP HANA Studio. For Linux, the default location is hana/shared/<SID>/hdbstudio.
2) Finally, restart the SAP HANA Studio. The system will now show a green status and sapstartsrv should be listed again under Landscape/Services. Starting, restarting, and stopping the database from the SAP HANA Studio will also be possible again.