Thursday, November 27, 2014

Use SAML to enable SSO For SAP HANA

This blog post shows how to configure SAML-based login for your HANA XS applications in SAP HANA.

1A). Pre-requisites:

  • WinSCP or any other software to copy files from your local desktop to the HANA server.
  • PuTTY to run commands in the Linux environment.
  • <sid>adm credentials on the HANA host for creating the trust store files.
  • The IdP metadata URL of your company. For example, the SAP company metadata URL is https://accounts.sap.com/saml2/metadata/accounts.sap.com
   Note: Take the proper metadata URL of your company for the system you are configuring, whether it is a QA system or a Production system.

1B). Files that need to be downloaded from the Service Marketplace:


SAP Cryptographic libraries (libsapcrypto.so and sapgenpse):

The SAP Crypto library package includes both sapgenpse and libsapcrypto.so.
Browse to http://service.sap.com/swdc, expand 'Support Packages and Patches', select 'Browse our Download Catalog', and choose 'SAP Cryptographic Software' for Linux on x86_64 64bit.

Once the download is complete on your local system, de-archive the SAP Crypto libraries into a local folder using the SAPCAR archiving tool. Alternatively, you can do all of this directly in the server location.

The de-archiving process yields the files libsapcrypto.so and sapgenpse. Copy these files into the HANA server directory /usr/sap/<SID>/SYS/global/security/lib/ using WinSCP.

With the prerequisites in place, follow the steps below to complete the integration.

Step 1: Create Trust Store

Type the following commands at a Linux command prompt, logged in as <sid>adm (e.g. hdbadm where your instance name is HDB):

  • cd /usr/sap/<INSTANCE>/SYS/global/security/lib
  • mkdir /usr/sap/<INSTANCE>/HDB<InstNo>/<host>/sec
  • ./sapgenpse gen_pse -p /usr/sap/<INSTANCE>/HDB<InstNo>/<host>/sec/sapsrv.pse
Leave the PIN empty (press Enter twice), and for "Distinguished name of PSE owner:" enter CN=<yourhostname>.

Step 2: Set up the trust relation with the IdP

1). Open your company metadata URL (as mentioned in the prerequisites), view the page source and copy the certificate string (the base64-encoded DER certificate) from the ds:X509Certificate tag.

A sample URL of the SAP metadata service is given in the prerequisites above.

2). Open the above metadata URL and copy the string between the X509Certificate tags; this string is used to create the sapid.cer file.

Follow these steps to create the sapid.cer file.

Open your favorite editor, enter text as follows and save the file as sapid.cer:

-----BEGIN CERTIFICATE-----
Paste the string you copied in the step above.
-----END CERTIFICATE-----

Note:

Surround the certificate string with the markers shown above (there are 5 hyphens before and after the BEGIN CERTIFICATE and END CERTIFICATE markers).

3). Move the newly created file (sapid.cer) into the server directory
/usr/sap/<INSTANCE>/SYS/global/security/lib

Step 3: Import this certificate into sapsrv.pse

From /usr/sap/<INSTANCE>/SYS/global/security/lib (where sapgenpse and sapid.cer now reside), run:

./sapgenpse maintain_pk -p /usr/sap/<INSTANCE>/HDB<InstNo>/<host>/sec/sapsrv.pse -a sapid.cer
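Steps 2 and 3 above (copy the string out of the ds:X509Certificate element, wrap it in the certificate markers, import it with sapgenpse) as one POSIX shell script. This is an added example, not code from the original post: the metadata fragment is a constructed sample whose payload is a placeholder rather than a real certificate, the function names and temporary output directory are assumptions, and the sapgenpse call only runs when the binary is present in the current directory (on the HANA host, the /usr/sap/<INSTANCE>/SYS/global/security/lib directory from Step 1).

```shell
#!/bin/sh
# Added example (not from the original post): build sapid.cer from the
# X509Certificate value of an IdP metadata document (Step 2) and import it
# into sapsrv.pse with sapgenpse (Step 3). Function names, the temporary
# output directory and the sample metadata below are assumptions.

# Constructed stand-in for the relevant part of an IdP metadata document.
# The base64 payload has the right shape but is a placeholder, NOT a real cert.
SAMPLE_METADATA='<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
      <ds:X509Certificate>
MIIPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>'

# Print the first X509Certificate value in the metadata read from stdin as one
# line of base64 with all whitespace stripped (metadata usually wraps it).
# Works for both "ds:"-prefixed and unprefixed element names; exit 1 if absent.
extract_idp_cert() {
  tr -d '\n\r\t ' | awk '
    {
      open = "X509Certificate>"
      s = index($0, open)
      if (s == 0) exit 1
      rest = substr($0, s + length(open))
      e = index(rest, "<")
      if (e <= 1) exit 1
      found = 1
      print substr(rest, 1, e - 1)
      exit 0
    }
    END { if (!found) exit 1 }'
}

# Wrap the base64 string $1 in the BEGIN/END CERTIFICATE markers (five hyphens
# on each side), re-flow it to 64-character lines and write the result to $2.
write_pem_cert() {
  b64=$1; out=$2
  {
    echo "-----BEGIN CERTIFICATE-----"
    printf '%s\n' "$b64" | fold -w 64
    echo "-----END CERTIFICATE-----"
  } > "$out"
}

# Check a PEM file before importing it: correct first and last line, every body
# line at most 64 characters and made only of base64 characters.
check_pem_cert() {
  f=$1
  [ "$(head -n 1 "$f")" = "-----BEGIN CERTIFICATE-----" ] || return 1
  [ "$(tail -n 1 "$f")" = "-----END CERTIFICATE-----" ] || return 1
  sed '1d;$d' "$f" | awk 'BEGIN { bad = 0 }
    length($0) > 64 || $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }
    END { exit bad }'
}

# $1: metadata file, $2: output path. Returns 1 when no certificate is found.
build_sapid_cer() {
  meta=$1; out=$2
  cert=$(extract_idp_cert < "$meta") || return 1
  [ -n "$cert" ] || return 1
  write_pem_cert "$cert" "$out"
  check_pem_cert "$out"
}

# SHA-256 fingerprint for out-of-band comparison with what the IdP operators
# publish; silently skipped when openssl is not installed.
cert_fingerprint() {
  command -v openssl >/dev/null 2>&1 || return 0
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Step 3 of the post. Run from /usr/sap/<INSTANCE>/SYS/global/security/lib as
# <sid>adm; anywhere else the command is only printed.
import_into_pse() {
  pse=$1; cer=$2
  if [ -x ./sapgenpse ]; then
    ./sapgenpse maintain_pk -p "$pse" -a "$cer"
  else
    echo "sapgenpse not in $(pwd); on the HANA host run: ./sapgenpse maintain_pk -p $pse -a $cer" >&2
    return 2
  fi
}

# Stand-alone run: METADATA_FILE (a saved copy of the IdP metadata) if set,
# otherwise the constructed sample; sapid.cer goes to a temporary directory.
workdir=$(mktemp -d)
if [ -n "$METADATA_FILE" ]; then
  meta=$METADATA_FILE
else
  meta=$workdir/idp-metadata.xml
  printf '%s\n' "$SAMPLE_METADATA" > "$meta"
fi
if build_sapid_cer "$meta" "$workdir/sapid.cer"; then
  echo "wrote $workdir/sapid.cer"
  [ -n "$METADATA_FILE" ] && cert_fingerprint "$workdir/sapid.cer"
  import_into_pse "/usr/sap/<INSTANCE>/HDB<InstNo>/<host>/sec/sapsrv.pse" "$workdir/sapid.cer" || true
else
  echo "no X509Certificate element found in $meta" >&2
fi
```

Run it with METADATA_FILE pointing at a saved copy of your IdP metadata to build sapid.cer from the real document; the fingerprint it prints in that case is meant to be compared with what the IdP's operators publish before the certificate is imported, since whatever ends up in sapsrv.pse is what the XS engine will trust to sign SAML assertions.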



Step 4: Restart the XS Engine

From HANA Studio, double-click the system you are configuring in the Systems view.
On the Landscape tab, right-click the xsengine row and select "Kill".
Alternatively, type HDB stop and then HDB start at a Linux prompt to restart the whole HANA server.
