MaxDB SSL Client Connection Configuration

nelis
Active Contributor
0 Kudos

Good day,

I am trying to configure MaxDB client connections to use SSL as per the following documentation.

I have two requirements:

1) Encrypt the connection from MaxDB DB Studio to MaxDB DB

2) Encrypt the connection from SAP Application Server to MaxDB DB

I have configured MaxDB for SSL with a CA trusted certificate contained with full chain in /sapdb/data/sec/SDBSSLS.pse:

2021-11-26 09:53:28 24522 93184 INF 12945 NISSLSRV U64/LIX86 7.9.09 Build 005-123-259-005

2021-11-26 09:53:28 24522 93184 INF 12943 NISSLSRV NISSL support started.

I want to first try to connect using SSL from MaxDB DB Studio. I have created the file SDBSSLA.pse for the anonymous client, which contains the server certificate, and I placed it in the following installation path of the studio software: C:\sapdb\data\sec - is this location correct?

The issue I'm having is there doesn't seem to be any way to determine SSL connections on MaxDB Database. If I select the "Use SSL Communication" checkbox in MaxDB Studio login it still connects even if I disable SSL on MaxDB and there is no error. How do you troubleshoot?

Can anyone provide some help on how to accomplish this please, because I can't find any clear instructions?

Thanks.

Accepted Solutions (0)

Answers (4)

henrimuller
Explorer
0 Kudos

Hi to both of you,

I am eager to read about the solution. I have exactly the same two requirements as Nelis.

Best Regards,

Henri

holger_becker
Employee
0 Kudos

Hi Nelis,

I noticed that you have opened a Service Now ticket and suggest communicating via this ticket.
As soon as we have solved your problem we will update this thread with the solution so others can find it easily.

Kind regards
Holger

nelis
Active Contributor
0 Kudos

Hi Holger,

Thanks for the information.

I was trying a connection test via DB59 on my sandbox using DBCON '@DBM_SSL:hostname-MB1' and was getting the below result:

hostname_MB1_00 (hostname)
SAP Kernel Release : 753_REL
SAP Kernel Patch : 900
DBMRFC Release :
DBMCLI Release :
DBSL Release : 753.02
DBSL Patch : 900
SQLDBC Version : 7.9.08.31
SQLDBC Runtime : 7.9.10.00
1.DBSL Library Availability -Connection test successful
2.Client Software Availability -Connection test successful
3.Execute an external operating system command (DBMCLI) -Error in connection test
3.dbmcli_neg: dbmcli_command_execute_error
3.72 Error! Connection failed to node @DBM_SSL:hostname for database MB1:
3.39 unknown service 'hostname' (see /et
3.44 External program terminated with exit code 2
4.Determine status using TCP/IP connection SAPDB_DBM (DBMRFC command mode) -Error in connection test
4.dbmrfc_c_neg: dbm_system_error
4.Name and Server : MB1 - @DBM_SSL:hostname
4.Function : DBM_EXECUTE
4.Command : db_state
4.Error : DBM Error
4.Return Code : -4
4.Error Message : unknown service 'hostname' (see /et 
5.Determine status using TCP/IP connection SAPDB_DBM_DAEMON (DBMRFC session mode) -Error in connection test 
5.dbmrfc_s_neg: dbm_system_error 
5.Name and Server : MB1 - @DBM_SSL:hostname
5.Function : DBM_CONNECT 
5.Error : DBM Error
5.Return Code : -4
5.Error Message : unknown service 'hostname' (see /et
6.Test the SQL connection (Native SQL at CON_NAME) -Error in connection test
6.sql_neg: no_connection
6.sql code: 4008
6.POS(1) Unknown username/password combination SBAC |medusavm|RSSDBLST |
6.Please check with SM50 the following work process: 9

I did follow your instructions to basically enforce SSL communication.

The "unknown service hostname" seems odd and I'm not sure where it is getting this from. The username/password is definitely correct so I'm assuming this is just as a result of a communication issue somewhere. Here I'm using the hostname, not localhost; not sure if that makes a difference.

One thing I'm not so sure of is the location of the anonymous client PSE on application servers. I placed it in /sapdb/clients/MB1/data/sec/SDBSSLA.pse but also kept a copy in /sapdb/data/sec/ where the server certificate is kept.

I think it is good that we have answers to this somewhere because while we may all be moving to HANA many customers like ourselves would still use MaxDB for content servers. I guess once we move to S/4 then the above issue with connecting to application instances using SSL would be no more of an issue 😉

Anyway, this all came about because our auditors are asking for it.

Thanks,

Nelis

holger_becker
Employee
0 Kudos

Hi,

the issue with the "Use SSL Communication" checkbox is a known problem and has to be fixed in the future.
But do not expect it in the near future, sorry.

The best way to ensure that only SSL-enabled network connections are possible
is to stop the remote communication server (x_server/sdbgloballistener) on the database host.
Unfortunately we noticed another problem with the start/stop options of this server.
So you have to follow these steps to stop the server but keep nisslserver alive:

sdbgloballistener stop
sdbgloballistener -w
ps -afe | grep vserver
kill -9 <pids of the running vserver>

After that you should only see nisslserver running on the host.

You can see in the system table SESSIONS if SSL is used for a connection.
In this case the column ENCRYPTION shows the value SSL.
Please be aware that SSL is only used for network connections.
If the client is located on the same host as the database we usually use a special communication channel via shared memory.
For such connections the column IPADDRESSFAMILY in system table SESSIONS is empty.
For most clients you can enforce network communication by using the "-n localhost" option.
All tools using JDBC, like Database Studio, are always using network connections.

Hope that helps a little bit.

Kind regards
Holger
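
A way to check both points from the answer above (only nisslserver left after the stop procedure, and no network session without SSL), as an added example that is not part of the thread or of SAP's tooling. The `ps` lines, the pipe-delimited export of the two SESSIONS columns and the `IPV4` value are constructed assumptions.

```shell
#!/bin/sh
# Added example, not SAP code. vserver, nisslserver, SESSIONS, ENCRYPTION and
# IPADDRESSFAMILY come from the answer above; all sample data is constructed.

# Reads `ps -afe` output on stdin. Succeeds only when nisslserver is running
# and no vserver (unencrypted listener) process is left.
check_listeners() {
    awk '
        /grep/        { next }               # skip the grep from the ps pipeline
        /nisslserver/ { ssl++; next }
        /vserver/     { plain++; print "still running: " $0 }
        END {
            if (ssl == 0) print "nisslserver is not running"
            exit (plain > 0 || ssl == 0)
        }'
}

# Reads one "ENCRYPTION|IPADDRESSFAMILY" row per session on stdin (assumed
# export format of those two SESSIONS columns) and prints how many network
# sessions are not SSL. An empty IPADDRESSFAMILY marks a local shared-memory
# session, where SSL is not used, so such rows are skipped.
count_unencrypted_network_sessions() {
    awk -F'|' '
        $2 == ""    { next }
        $1 != "SSL" { n++ }
        END         { print n + 0 }'
}

# Constructed ps output before and after the stop procedure.
SAMPLE_PS_BEFORE='sdb 2101 1 0 09:53 ? 00:00:00 vserver
sdb 2140 1 0 09:53 ? 00:00:00 nisslserver'
SAMPLE_PS_AFTER='sdb 2140 1 0 09:53 ? 00:00:00 nisslserver
sdb 3001 2990 0 10:02 pts/0 00:00:00 grep vserver'

# Constructed session rows; "IPV4" is a placeholder for a non-empty value.
SAMPLE_SESSIONS='SSL|IPV4
|
|IPV4'

printf '%s\n' "$SAMPLE_PS_AFTER" | check_listeners && echo "listeners OK"
echo "unencrypted network sessions: $(printf '%s\n' "$SAMPLE_SESSIONS" |
    count_unencrypted_network_sessions)"
```

On a real host, feed `ps -afe` into `check_listeners` and an export of the two SESSIONS columns into `count_unencrypted_network_sessions`; a non-zero count means a network session is connected without SSL.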