Oct 10 at 05:00 PM

HANA & SAML authentication - missing intermediate certificate

201 Views Last edit Nov 18 at 01:57 PM 5 rev

I'm trying to set up SAML authentication from an on-premise Tableau server (Windows) to SAP BW4/HANA (Linux) as part of a BW4/HANA Proof of Concept we are running (neither of these systems is in live use).

Thanks to a helpful response to an earlier question on this, I can now at least see why this is failing.

I've loaded the relevant certificate authority signed Tableau certificate into HANA (2.0 SPS 06), plus the root cert and intermediate one that signed it. The logs are showing that when a connection attempt is made though, the certificate itself is verified, but it's failing with the system not recognising the intermediate certificate. In the logs I'm seeing:

  Verification errors
   The chain of certificates is incomplete or untrusted, missing certificate of
    CN=<redacted> Issuing CA02, O=<redacted>

As mentioned, the individual certs are all loaded into the HANA DB. I haven't been able to load the certificate in question as a chain though. We don't have HANA Cockpit in our PoC, so admin tasks have been handled with HANA Studio. I've been using the SQL console from that to add the certificates. I've been using sapgenpse to create PSE files and then load the cert files, then the extract_certificates.py Python script (from note 2935957) to generate the SQL I then entered in the HANA Studio SQL console. Based on that note, I was expecting I could extract the certificates in the PSE file as a chain, but the extract script just outputs the private key and Tableau certificate, ignoring the root and intermediate ones in the PSE file.

I suspect there's a much better way to do this, and I'm failing to create a proper chain! I'd be most grateful for any pointers on getting a chain into the HANA DB. Not sure if HANA Cockpit would make this easier...