3695667 - SAP HANA Database Upgrade Failed due to Local Secure Store (LSS) Denies Connection

• The upgrade failed with error message from hdblcm:
  

   "unhandled ltt exception: exception 301154: lss exception: LSS refused connection (reason: Validation failed)"

• From hdblcm.log file, below messages can be found:
  
  HH:MM:SS - INFO: -----------------------------------------------------------
  HH:MM:SS - INFO: Registering SAP HANA Database binaries in Local Secure Store...
  HH:MM:SS - INFO: -----------------------------------------------------------
  HH:MM:SS - INFO:   Switching to user id 1234 and group id 1234.
  HH:MM:SS - INFO:   Starting external program /lss/shared/<SID>/exe/lsscfg
  HH:MM:SS - INFO:     Command line is: /lss/shared/<SID>/exe/lsscfg importComponentHashes -f HDB <HDB Build version> /hana/shared/<SID>/xxxxxxx
  HH:MM:SS - INFO:     Output line 1: Reading plain-text configuration: /usr/sap/<SID>/lss/local/private/lss.ini
  HH:MM:SS - INFO:     Output line 2: Use existing configuration DB:    /lss/shared/<SID>/data/config/lsscfg.db
  HH:MM:SS - INFO:     Output line 3:   Successfully opened ConfigDB with filesystem PSE '/usr/sap/<SID>/lss/local/private/config/lsscfg.pse'
  HH:MM:SS - INFO:     Output line 4: Use existing common DB:           /lss/shared/<SID>/data/common/lsscommon.db
  HH:MM:SS - INFO:     Output line 5:   Successfully opened CommonDB with filesystem PSE '/usr/sap/<SID>/lss/local/private/common/lsscommon.pse'
  HH:MM:SS - INFO:     Output line 6: 
  HH:MM:SS - INFO:     Output line 7: Product trust level set to 'UNTRUSTED'
  HH:MM:SS - INFO:     Output line 8: 797 files added to version '<HDB Build version>' of product 'HDB'
  HH:MM:SS - INFO:     Program terminated with exit code 0
  HH:MM:SS - INFO:   Switching back to root user.
  HH:MM:SS - INFO: -----------------------------------------------------------
  HH:MM:SS - INFO: END: Registering SAP HANA Database binaries in Local Secure Store (start: HH:MM:SS.223 duration: 00:00:00)
  HH:MM:SS - INFO: -----------------------------------------------------------
  

• The database fails to start, and similar error messages are observed in the nameserver trace logs.
  

  e LssClient        LssClientTracer.cpp(00032) : isAvailable [database SYSTEMDB]: lss exception: LSS refused connection (reason: Validation failed)
  e Logger           LoggerImpl.cpp(04185) : Error while loading libhdbbasement: exception  1: no.301154  (Crypto/LocalSecureStoreClient/ExceptionTranslator.hpp:145)
  f PersistenceLayer PersistenceController.cpp(00801) : startup failed exception  1: no.301154  (Crypto/LocalSecureStoreClient/ExceptionTranslator.hpp:145)

• And from lss_<hostname>.xxx.trc, we can find the reason of the LSS Validation failure is caused by untrusted library.
  

  i Validation       ValidationFrontend.cpp(00331) : [FAIL] Library is untrusted
  e Validation       ValidationFrontend.cpp(00155) : Peer process 1234556 failed validation check:
    'Library '/hana/shared/<SID>/exe/linuxx86_64/<library path>/hdbesatrconfig.so' is untrusted' at (lss/validation/ValidationFrontend.cpp:335)
  
  

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

• SAP HANA Platform Edition 2.0
• SAP HANA Local Secure Store

HANA upgrade, lss exception, validation failed, untrusted library, signature file, manifest file, SIGNATURE.SMF, hdblcm, local secure store, trust level, Library is untrusted, LSS refused connection, failed validation check, hdbesatrconfig.so, untrusted, lsscfg, listValidationProfiles , KBA , HAN-DB-SEC , SAP HANA Security & User Management , HAN-LM-UPG-DB , Upgrade of HANA Database , Problem