Symptom
The following errors occur when creating an import data connection to HANA using the TLS option in SAC:
- In SAC UI:
Error 1:
We couldn't connect to the TLS-configured HANA database because the TLS certificate couldn't be validated. For security reasons, we recommend that the certificate be signed by a trusted CA. If that's not possible, select the option to skip validation. For more information, see the help topic "Import Data Connection to SAP HANA".
Error 2:
We couldn't connect to the TLS-configured HANA database because we can't verify the host name provided in the certificate. Please check the connection details and try again. For more information, see the help topic "Import Data Connection to SAP HANA".
- In HAR trace:
SAP DBTech JDBC: Certificate validation failed : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.\",\"params\":[\"SAP DBTech JDBC: Cannot connect to jdbc:sap://<HANA Host>:<HANA Port> [Cannot connect to host <HANA Host>:<HANA Port> [sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- In Tomcat Catalina log:
SAP DBTech JDBC: Cannot connect to jdbc:sap://<HANA Host>:<HANA Port> [Cannot connect to host <HANA Host>:<HANA Port> [sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Environment
- SAP Analytics Cloud (Enterprise)
- SAP HANA
Reproducing the Issue
- Log in to SAC.
- Go to Connections.
- Create a new import data connection to HANA.
- In "TLS Option", select "Signed by a certificate authority".
- In the text box "Host Name In Certificate", enter the CN name in the certificate.
- Make sure all other information is entered.
- Click the Create button. An error occurs with one of the following messages:
Error 1:
"We couldn't connect to the TLS-configured HANA database because the TLS certificate couldn't be validated. For security reasons, we recommend that the certificate be signed by a trusted CA. If that's not possible, select the option to skip validation. For more information, see the help topic "Import Data Connection to SAP HANA". "
Error 2:
"We couldn't connect to the TLS-configured HANA database because we can't verify the host name provided in the certificate. Please check the connection details and try again. For more information, see the help topic "Import Data Connection to SAP HANA"."
Cause
Possible causes:
- Error 1: The root certificate of the HANA database is not imported into the keystore used by the Tomcat instance where SAP Analytics Cloud Agent is deployed.
- Error 2: The CN name in the certificate does not match the name entered in the connection configuration dialogue.
Resolution
For error 1:
Import the HANA server certificate into the keystore used by the Tomcat instance where SAP Analytics Cloud Agent is deployed. Follow the steps in the HANA help guide: Server Certificate Authentication.
For example, if SAP Analytics Cloud Agent is deployed with the SAP Analytics Cloud Agent Simple Deployment Kit:
Note: The keystore into which the certificate must be imported is the Java JVM keystore used by Tomcat. E.g. for the Deployment Kit, it is "<install path>\SAP\SACAgentKit\sapjvm_8\jre\lib\security\cacerts"
- Acquire the public certificate of the trusted root certificate authority. Execute the command below on the HANA command line:
sapgenpse export_own_cert -r -p sapsrv.pse -o server_root.crt
- Copy the certificate file server_root.crt to the folder "C:\Program Files\SAP\SACAgentKit\sapjvm_8\jre\bin" on the Tomcat machine.
- Open the command line and navigate to the path "C:\Program Files\SAP\SACAgentKit\sapjvm_8\jre\bin".
- Execute the command below to import the certificate into the keystore "cacerts" (by default, the keystore password is "changeit"):
Note: The alias HANA is just an example; any unique alias name can be used to identify this certificate.
keytool.exe -importcert -alias HANA -file server_root.crt -keystore "C:\Program Files\SAP\SACAgentKit\sapjvm_8\jre\lib\security\cacerts"
For error 2:
Please make sure you have imported the certificate by following the above steps first.
- To verify the imported certificate and note down the correct CN name to enter in the text box "Host Name In Certificate", execute the command below on the Tomcat machine:
Note: Use the same alias name that was used when importing the certificate (HANA in this example) to easily find the certificate.
keytool.exe -list -v -keystore "C:\Program Files\SAP\SACAgentKit\sapjvm_8\jre\lib\security\cacerts" -alias HANA
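The two checks above (Error 1: is the certificate in the keystore; Error 2: does its CN match the entered host name) can be run together from PowerShell on the Tomcat machine. This is an added example, not part of the original article; it uses the article's paths, alias and default password, and $expectedHost is a constructed placeholder for the value typed into "Host Name In Certificate".

```powershell
# Added example. Paths, alias and password are the ones used in this article.
$jreBin       = 'C:\Program Files\SAP\SACAgentKit\sapjvm_8\jre\bin'
$keystore     = 'C:\Program Files\SAP\SACAgentKit\sapjvm_8\jre\lib\security\cacerts'
$certFile     = Join-Path $jreBin 'server_root.crt'
$alias        = 'HANA'
$storePass    = 'changeit'
$expectedHost = 'hana.example.com'  # placeholder for "Host Name In Certificate"

# 1. Inspect the exported file. X509Certificate2 reads the first certificate in it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ':'
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn = $cert.GetNameInfo($nameType, $false)   # subject's simple name, normally the CN

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"SHA-256 : $fingerprint"

if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'Certificate has expired.' }
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning 'Subject and issuer differ: this is not a self-signed root certificate.'
}
if ($cn -ine $expectedHost) {
    Write-Warning "CN '$cn' differs from '$expectedHost' (cause of Error 2)."
}

# 2. After the import, confirm the keystore entry is this exact certificate.
$keytool = Join-Path $jreBin 'keytool.exe'
$listing = & $keytool -list -v -keystore $keystore -storepass $storePass -alias $alias 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Alias '$alias' is not in $keystore (cause of Error 1)."
} elseif (($listing -join "`n") -match 'SHA256:\s*([0-9A-Fa-f:]+)') {
    if ($Matches[1] -ieq $fingerprint) {
        "Keystore entry '$alias' matches server_root.crt."
    } else {
        Write-Warning "Keystore entry '$alias' holds a different certificate."
    }
}
```

Compare the printed SHA-256 fingerprint with the one read on the HANA host before running the import, since every certificate in cacerts is trusted for all TLS connections made from that JVM.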
Keywords
KBA , LOD-ANA-AQU , Import Data Connections (Acquiring Data) , Problem