Securing SAP HANA 2.0 Cockpit running on XSA via SSL / HTTPS

In this article, I’ll briefly describe the steps you need to follow to enable SSL / HTTPS in SAP HANA Cockpit.

Useful Notes:

2832060 – Verification error when setting Domain Certificate for SAP HANA Cockpit
2666262 – XSA set-certificate fails
2243019 – Providing SSL certificates for domains defined in SAP HANA extended application services, advanced mode

Create server’s public and private key pair, and public-key certificate

  1. Check your SECUDIR environment variable and change to that folder.
  2. Use sapgenpse to generate a PSE file containing a certificate with common name (CN):
sapgenpse gen_pse -p cert.pse -r req_server.req "CN=hostname, OU=XXXX, O=YYYY, C=ZZ"
  3. Sign the certificate signing request with a trusted Certificate Authority (CA).
    I usually use p12 output format (all CA certificates included).
  4. Copy the content to a new file on the server, e.g. cert.p12
  5. Import the signed certificate into the server PSE:
sapgenpse import_p12 -z password_to_p12 -r subca.cer -r rootca.cer -p cert.pse hostname.p12
server:sidadm> sapgenpse import_p12 -z password_to_p12 -r subca.cer -r rootca.cer -p cert.pse hostname.p12
Found key 'INDEX=0,SIG=YES,ENC=YES,MD5-FINGERPRINT=25F0 E960 1742 5CBB E703 7390 393B 4D09,KEYID=E6E8D4F9283C440E0750009995C7C0FDA38EBFAA'
WARNING: There already is a PSE "/usr/sap/SID/HDB96/hostname/sec/cert.pse" -- Delete it? (y/n) ?y
Choose a PIN/Passphrase for your new PSE "/usr/sap/SID/HDB96/hostname/sec/cert.pse"
Please enter PSE PIN/Passphrase:
Please reenter PSE PIN/Passphrase:
!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.
PSE "/usr/sap/SID/HDB96/hostname/sec/cert.pse" was written

Install certificate in XSA:

1. As <sid>adm, log on to the server host and connect to the XS command line interface as the XSA_ADMIN user:

xs-admin-login

2. View the routes and check the ports:

xs routes

3. Check your domain:

xs domains

4. Set the certificate and private key:

xs set-certificate <domain> --pse cert.pse
server:sidadm> xs set-certificate domain_name --pse cert.pse
Exporting PKCS8 from PSE…
PIN>
Setting SSL certificate for domain domain_name as COCKPIT_ADMIN…
OK
TIP: Restart the SAP XS Controller to ensure your changes take effect for all applications.
Alternatively use 'xs restage' and 'xs restart' for all applications.

5. Restart apps or restart XSA:

server:sidadm> XSA restart

Now open your HANA Cockpit via HTTPS in a web browser – your certificate should be installed properly (green colour).
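
The same check can be made from the command line once the restart has finished. The script below is an added example, not part of the original article: it fetches the certificate the Cockpit endpoint actually serves and confirms the hostname match, the chain and the remaining validity. The function names are hypothetical, the host and port are whatever `xs routes` reports, and the CA files (rootca.cer, subca.cer above) are assumed to be PEM-encoded.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Function names are hypothetical.
# Assumes the openssl CLI is installed and the CA files are PEM-encoded.

# check_cert_file LEAF_PEM HOSTNAME MIN_DAYS CA_PEM [INTERMEDIATE_PEM]
# Returns 0 only if the leaf covers HOSTNAME, chains to CA_PEM and stays
# valid for at least MIN_DAYS more days.
check_cert_file() {
    local leaf="$1" host="$2" min_days="$3" ca="$4" inter="${5:-}" rc=0

    # -checkhost reports its verdict on stdout, so test the text it prints.
    if ! openssl x509 -in "$leaf" -noout -checkhost "$host" \
            | grep -q 'does match certificate'; then
        echo "FAIL: certificate does not cover hostname $host" >&2; rc=1
    fi

    # The chain must validate against the CA that signed the request.
    if ! openssl verify -CAfile "$ca" ${inter:+-untrusted "$inter"} \
            "$leaf" >/dev/null 2>&1; then
        echo "FAIL: chain does not validate against $ca" >&2; rc=1
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$leaf" -noout -checkend $((min_days * 86400)) \
            >/dev/null; then
        echo "FAIL: certificate expires within $min_days days" >&2; rc=1
    fi
    return "$rc"
}

# check_served_cert HOST PORT MIN_DAYS CA_PEM [INTERMEDIATE_PEM]
# Fetches the leaf certificate the endpoint serves, then runs the checks.
check_served_cert() {
    local host="$1" port="$2" tmp rc=0
    shift 2
    tmp=$(mktemp) || return 2
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM >"$tmp" 2>/dev/null
    if [ -s "$tmp" ]; then
        check_cert_file "$tmp" "$host" "$@" || rc=1
    else
        echo "FAIL: no certificate received from $host:$port" >&2; rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Live check only when called as: script HOST PORT MIN_DAYS CA_PEM [INTERMEDIATE_PEM]
if [ "$#" -ge 4 ]; then check_served_cert "$@"; fi
```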