While enabling HTTPS after login to the SAP Start Service for secure communication in SAP HANA, I experienced the issues listed below:
1) The HANA system shows a yellow status in the System View of the SAP HANA Studio, along with the error 'sapstartsrv' service not started. This means that sapstartsrv cannot be reached.
2) The sapstartsrv service is missing from the Services section of the Landscape tab.
3) In the SAP HANA Studio, functions such as Stop System, Start System, and Restart System are no longer available.
4) In the Error Log View of the SAP HANA Studio, the SAPControl request fails with the error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
5) The OS console shows that sapstartsrv is using a PKI certificate. This can be confirmed by executing the command openssl s_client -connect <host>:50014
subject=/C=DE/O=SAP System PKI/CN= _AB2_00
issuer=/C=DE/O=SAP System PKI/OU=sapstartsrv/CN=root_AB2
6) In addition, an error like the following confirms that this type of certificate is not valid for SSL secure communication:
Verify error:num=27:certificate not trusted
All of the above issues occur because the certificate used by sapstartsrv is either invalid or not trusted by the SAP HANA Studio. The certificate .
Therefore we must make sure that the certificate used for the HTTPS connection is valid.
In order to point the sapstartsrv to the default SAPSSLS.pse keystore, please follow the steps given below:
1) First, check whether the directory <DIR_INSTANCE>/sec exists.
2) Also create a symbolic link in <DIR_INSTANCE> that points to <DIR_INSTANCE>/<host>/sec. This can be done by running this command:
ln -s /usr/sap/<SID>/HDB<instance number>/<host>/sec
3) Restart the service with sapcontrol -nr 00 -function RestartService
4) Run the command openssl s_client -connect <host>:50014
You will notice that the certificate has changed. Subject and Issuer now indicate that this is a self-signed certificate, not a PKI certificate. This is further confirmed by this entry:
Verify return code: 18 (self signed certificate)
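The before and after states described above can be told apart mechanically from the openssl s_client output. The following script is an added example, not part of the original post; the function name, the host name "hanahost" and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the certificate that sapstartsrv presents, based on
# the text printed by `openssl s_client -connect <host>:50014`.

# Reads s_client output on stdin and prints one word:
#   system-pki   issuer is the internal "SAP System PKI" (items 5 and 6 above)
#   self-signed  verify return code 18 (state after the symlink and restart)
#   trusted      verify return code 0 against the local OpenSSL trust store;
#                this does not prove that the SAP HANA Studio trusts it
#   untrusted    any other verify return code
#   unknown      no issuer or verify information in the input
classify_sapstartsrv_cert() {
    awk '
        # Matches "issuer=/C=DE/O=..." and the newer "issuer=C = DE, O = ..."
        /^ *issuer=/ { issuer = $0 }
        /Verify return code:/ {
            code = $0
            sub(/.*Verify return code: */, "", code)   # drop the label
            sub(/[^0-9].*/, "", code)                  # keep only the number
        }
        END {
            if (issuer ~ /SAP System PKI/) print "system-pki"
            else if (code == "")           print "unknown"
            else if (code == "18")         print "self-signed"
            else if (code == "0")          print "trusted"
            else                           print "untrusted"
        }'
}

# Constructed sample: sapstartsrv still serving the system PKI certificate.
sample_before() {
    cat <<'EOF'
verify error:num=27:certificate not trusted
subject=/C=DE/O=SAP System PKI/CN=hanahost_AB2_00
issuer=/C=DE/O=SAP System PKI/OU=sapstartsrv/CN=root_AB2
Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: after pointing sapstartsrv at SAPSSLS.pse and restarting.
sample_after() {
    cat <<'EOF'
subject=/CN=hanahost.example.com
issuer=/CN=hanahost.example.com
Verify return code: 18 (self signed certificate)
EOF
}

echo "before: $(sample_before | classify_sapstartsrv_cert)"
echo "after:  $(sample_after | classify_sapstartsrv_cert)"
```

For a live check, pipe `openssl s_client -connect <host>:50014 </dev/null 2>/dev/null` into classify_sapstartsrv_cert.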
You can now either sign this certificate with a company PKI or trust this self-signed certificate.
For signing the certificate, please refer to the sapgenpse command ("gen_pse -onlyreq" and "import_own_cert").
In order to trust the self-signed certificate in your Windows certificate store, please follow the steps given below:
Finally, you need to establish the Windows certificate store as the trust store for the SAP HANA Studio:
1) Please add the following system property to the hdbstudio.ini file:
-Djavax.net.ssl.trustStoreType=Windows-ROOT
This instructs the Java engine in the SAP HANA Studio to use the Trusted Root Certification Authorities of the Windows certificate store to establish the trust.
The hdbstudio.ini file is located in the same folder as the executable that is used to start the SAP HANA Studio. For Linux, the default location is hana/shared/<SID>/hdbstudio.
2) Finally, restart the SAP HANA Studio. The system will now show a green status, and sapstartsrv should be listed again under Landscape/Services. Starting, restarting, and stopping the database from the SAP HANA Studio will also be possible again.