When SAP-HANA is configured with SSL/TLS encryption, S-TAP requires configuring two
proxies using NGINX.
Before you begin
Verify the following prerequisites:
Procedure
- Identify the ports clients use to connect to the database.
- Configure NGINX using the configuration file that is typically located at /etc/nginx/nginx.conf. For example, assuming that the original port for client connections to the database is 30015 and the SSL certificate is sap-hana.pem:
worker_processes 1;
load_module lib64/nginx/modules/ngx_stream_module.so;
events {
    worker_connections 1024;
    use epoll;
}
stream {
    # The database itself, on the original client port
    upstream saphana {
        server localhost:30015;
    }
    # First proxy: terminates client TLS on 31015 and forwards to the
    # second proxy, prepending a PROXY protocol header
    server {
        listen 31015 ssl;
        proxy_pass localhost:32015;
        proxy_protocol on;
        ssl_certificate /hana/shared/HXE/HDB00/su12u2ppc64le-hana/sec/sap-hana.pem;
        ssl_certificate_key /hana/shared/HXE/HDB00/su12u2ppc64le-hana/sec/sap-hana.key;
    }
    # Second proxy: accepts the PROXY protocol header on 32015 and
    # re-encrypts the connection to the database
    server {
        listen 32015 proxy_protocol;
        proxy_pass saphana;
        proxy_ssl on;
        proxy_ssl_certificate /hana/shared/HXE/HDB00/su12u2ppc64le-hana/sec/sap-hana.pem;
        proxy_ssl_certificate_key /hana/shared/HXE/HDB00/su12u2ppc64le-hana/sec/sap-hana.key;
    }
}
- Restart the NGINX service using the following command: systemctl restart nginx.
- Configure the S-TAP for SAP-HANA using the second proxy port. For example, in a typical inspection engine configuration:
[DB_0]
connect_to_ip=127.0.0.1,::1
db2_fix_pack_adjustment=20
db2_shmem_client_position=61440
db2_shmem_size=131072
db2bp_path=NULL
db_exec_file=NULL
db_install_dir=NULL
db_user=NULL
db_type=HANA
encryption=0
informix_inf_file=NULL
db_version=
instance_running=1
intercept_types=NULL
load_balanced=1
port_range_end=32050
port_range_start=32010
priority_count=20
real_db_port=32015
tap_identifier=SAP-HANA
tee_listen_port=0
unix_domain_socket_marker=NULL
networks=0.0.0.0/0.0.0.0,::/0
exclude_networks=
Note: If clients use multiple ports for database connections, the NGINX
configuration file requires multiple reverse-proxy sections.
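An added consistency check, not part of the original documentation: it parses a stream configuration and an inspection engine section like those above and reports when real_db_port does not point at the hop between the two proxies. The function names and the embedded sample text are constructed for illustration, and the parser assumes server blocks without nested braces.

```python
import configparser
import re

# Constructed samples mirroring the configuration above (certificate lines omitted).
NGINX_CONF = """
stream {
  upstream saphana { server localhost:30015; }
  server { listen 31015 ssl; proxy_pass localhost:32015; proxy_protocol on; }
  server { listen 32015 proxy_protocol; proxy_pass saphana; proxy_ssl on; }
}
"""
TAP_INI = "[DB_0]\nport_range_start=32010\nport_range_end=32050\nreal_db_port=32015\n"

def stream_servers(conf):
    """Parse each brace-free `server { ... }` block into a dict."""
    servers = []
    for body in re.findall(r"\bserver\s*\{([^{}]*)\}", conf):
        listen = re.search(r"\blisten\s+(?:\S*:)?(\d+)([^;]*);", body)
        target = re.search(r"\bproxy_pass\s+([^;\s]+)\s*;", body)
        if listen and target:
            servers.append({"port": int(listen.group(1)),
                            "flags": set(listen.group(2).split()), "target": target.group(1),
                            "proxy_ssl": bool(re.search(r"\bproxy_ssl\s+on\s*;", body))})
    return servers

def check(conf, ini, section="DB_0"):
    """Return a list of mismatches between the NGINX hops and the inspection engine."""
    tap = configparser.ConfigParser()
    tap.read_string(ini)
    eng = tap[section]
    real = eng.getint("real_db_port")
    servers = stream_servers(conf)
    hop = next((s for s in servers if s["port"] == real), None)
    problems = []
    if not eng.getint("port_range_start") <= real <= eng.getint("port_range_end"):
        problems.append(f"real_db_port {real} is outside port_range_start..port_range_end")
    if hop is None:
        problems.append(f"no NGINX listener on real_db_port {real}")
    elif "ssl" in hop["flags"] or "proxy_protocol" not in hop["flags"]:
        problems.append(f"listener {real} is not the proxy_protocol hop behind the TLS listener")
    elif not hop["proxy_ssl"]:
        problems.append(f"listener {real} does not re-encrypt towards the database")
    if not any("ssl" in s["flags"] and s["target"].endswith(f":{real}") for s in servers):
        problems.append(f"no TLS-terminating listener forwards to port {real}")
    return problems

if __name__ == "__main__":
    print(check(NGINX_CONF, TAP_INI) or "consistent")
```

When clients use multiple ports, run the check once per inspection engine section against the same NGINX file.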