Linux-UNIX: Using SAP-HANA with encrypted connections

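When SAP-HANA is configured with SSL/TLS encryption, S-TAP requires two NGINX proxies: the first terminates the client's SSL/TLS connection, and the second re-encrypts the traffic before passing it to the database. S-TAP monitors the unencrypted traffic on the port between the two proxies.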

Before you begin

Verify the following prerequisites:
  • S-TAP is installed and configured on the SAP-HANA server.
  • NGINX is installed and configured for reverse-proxy connections.
  • SAP-HANA is configured to use only SSL/TLS connections and the database global configuration enforces SSL/TLS. For example:
    [communication]
    ssl = on
    sslEnforce = true

Procedure

  1. Identify the ports clients use to connect to the database.
  2. Configure NGINX using the configuration file that is typically located at /etc/nginx/nginx.conf.
    For example, assuming that the original port for client connections to the database is 30015 and the SSL certificate is sap-hana.pem:
    worker_processes  1;
    
    load_module lib64/nginx/modules/ngx_stream_module.so;
    
    events {
        worker_connections  1024;
        use epoll;
    }
    stream {
            upstream saphana {
                    server localhost:30015;
            }
    
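            # First proxy: terminates client SSL/TLS on 31015 and forwards the
            # decrypted stream to the second proxy on 32015.
            server {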
                    listen 31015 ssl;
                    proxy_pass localhost:32015;
                    proxy_protocol on;
                    ssl_certificate /hana/shared/HXE/HDB00/su12u2ppc64le-hana/sec/sap-hana.pem;
                    ssl_certificate_key /hana/shared/HXE/HDB00/su12u2ppc64le-hana/sec/sap-hana.key;
            }
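            # Second proxy: accepts the decrypted stream on 32015 (the port S-TAP
            # monitors) and re-encrypts it toward SAP-HANA on 30015.
            server {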
                    listen 32015 proxy_protocol;
                    proxy_pass saphana;
                    proxy_ssl on;
                    proxy_ssl_certificate /hana/shared/HXE/HDB00/su12u2ppc64le-hana/sec/sap-hana.pem;
                    proxy_ssl_certificate_key /hana/shared/HXE/HDB00/su12u2ppc64le-hana/sec/sap-hana.key;
            }
    }
  3. Restart the NGINX service using the following command: systemctl restart nginx.
  4. Configure the S-TAP for SAP-HANA using the second proxy port.
    For example, in a typical inspection engine configuration:
    [DB_0]
    connect_to_ip=127.0.0.1,::1
    db2_fix_pack_adjustment=20
    db2_shmem_client_position=61440
    db2_shmem_size=131072
    db2bp_path=NULL
    db_exec_file=NULL
    db_install_dir=NULL
    db_user=NULL
    db_type=HANA
    encryption=0
    informix_inf_file=NULL
    db_version=
    instance_running=1
    intercept_types=NULL
    load_balanced=1
    port_range_end=32050
    port_range_start=32010
    priority_count=20
    real_db_port=32015
    tap_identifier=SAP-HANA
    tee_listen_port=0
    unix_domain_socket_marker=NULL
    networks=0.0.0.0/0.0.0.0,::/0
    exclude_networks=
    Note: If clients use multiple ports for database connections, the NGINX configuration file requires multiple reverse-proxy sections.
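
The following consistency check is an added example, not part of the original procedure or of any product tooling. It parses the stream server blocks and the inspection engine settings and reports when the unencrypted hop between the two proxies is not the port S-TAP monitors, or when the second proxy does not re-encrypt. The function names and the inline sample text are constructed for illustration, and the check assumes a single inspection engine section and a first proxy that forwards to host:port.

```python
import re

# Constructed samples that reuse the port numbers from the example above.
NGINX_CONF = """
stream {
    upstream saphana { server localhost:30015; }
    server { listen 31015 ssl; proxy_pass localhost:32015; proxy_protocol on; }
    server { listen 32015 proxy_protocol; proxy_pass saphana; proxy_ssl on; }
}
"""
STAP_CONF = """
[DB_0]
db_type=HANA
port_range_end=32050
port_range_start=32010
real_db_port=32015
"""

def parse_servers(conf):
    """One dict per stream server block: listen port, TLS in/out, proxy target."""
    servers = []
    for body in re.findall(r"server\s*\{([^{}]*)\}", conf):
        listen = re.search(r"listen\s+(?:\S+:)?(\d+)([^;]*);", body)
        target = re.search(r"proxy_pass\s+([^;\s]+)\s*;", body)
        servers.append({
            "port": int(listen.group(1)),
            "tls_in": "ssl" in listen.group(2).split(),
            "tls_out": re.search(r"proxy_ssl\s+on\s*;", body) is not None,
            "target": target.group(1),
        })
    return servers

def check(nginx_conf, stap_conf):
    """Return findings; an empty list means the proxy chain and S-TAP agree."""
    servers = parse_servers(nginx_conf)
    stap = dict(l.split("=", 1) for l in stap_conf.splitlines() if "=" in l)
    # Cleartext hop: a TLS-terminating proxy that forwards to host:port unencrypted.
    hops = [int(s["target"].rsplit(":", 1)[1]) for s in servers
            if s["tls_in"] and not s["tls_out"] and ":" in s["target"]]
    findings = [] if hops else ["no TLS-terminating proxy with a cleartext hop"]
    for hop in hops:
        if not any(s["port"] == hop and s["tls_out"] for s in servers):
            findings.append(f"port {hop}: no second proxy re-encrypting to the database")
        if not int(stap["port_range_start"]) <= hop <= int(stap["port_range_end"]):
            findings.append(f"port {hop}: outside the S-TAP port range")
    if hops and int(stap["real_db_port"]) not in hops:
        findings.append(f"real_db_port {stap['real_db_port']} is not a cleartext hop")
    return findings

if __name__ == "__main__":
    print(check(NGINX_CONF, STAP_CONF) or "consistent")
```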