
uaa-security is not up on HANA Express

Oct 09, 2016 at 05:10 PM


Hello,

I've set up HANA Express and followed all the steps in the Getting Started guide.
After changing the SSFS Master Keys and the Root key, I'm unable to log in to XSA.

In the console, I get the message:
Authentication failed. UAA at https://hxehost:30032/uaa-security is not up

Checking that location in the browser, I see an `HTTP Status 500 - Servlet.init()` exception.

Root causes:

org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'localSamlKeyManager' defined in ServletContext resource [/WEB-INF/spring/oauth-endpoints.xml]: Could not resolve placeholder 'login.serviceProviderKey' in string value "${login.serviceProviderKey}"; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'login.serviceProviderKey' in string value "${login.serviceProviderKey}"


and

java.lang.IllegalArgumentException: Could not resolve placeholder 'login.serviceProviderKey' in string value "${login.serviceProviderKey}"


Is there an additional configuration step needed to get the UAA working again?
I was able to log in to XSA before changing the keys.


I am getting the same issue.

0

I had the same issue :(

0

Anyone able to get past this? No docs on this anywhere, which is annoying.

0

The same here.

0

2 Answers

Best Answer
Denys van Kempen
Oct 31, 2016 at 01:19 PM
0

Thank you for your comments. Same issue as https://answers.sap.com/questions/37661/index.html

See my blog and the comment: https://blogs.sap.com/2016/10/21/managing-encryption-keys-sap-hana-express-sap-hana-academy/

When you change the root key you can no longer access objects (in this case a PSE) encrypted by an older key. This is documented behaviour (see references below).

It is a security best practice to change the SSFS master (and the DSAPI root keys) when you receive SAP HANA as an appliance. The SAP HANA express edition is similar to an appliance in this context, hence the documented steps in the SAP HANA express edition VM Getting Started PDF and tutorials: http://go.sap.com/developer/tutorials/hxe-ua-configure-security.html.

Changing the SSFS master keys and the DSAPI root key can be performed safely on the server-only VM.

Changing the SSFS master keys on the server-plus-apps VM is fine as well.

However, you should NOT generate a new root key for the DPAPI service as there is a PEM certificate [SAPXSUAASAML] in the database encrypted with the current key. This concerns the section 'Change the Root Key' in the Getting Started with SAP HANA express edition (Virtual Machine Method).

In a future release of SAP HANA, the tool used to generate a new key, hdbnsutil, will include the feature to export and restore root keys.

References:

SAP HANA Security Guide: Encryption Key Management

Caution: (...) changing the root key after data has been encrypted will result in key information in the SSFS and the database becoming inconsistent and encrypted data becoming inaccessible. Rectifying the problem could result in data loss. We recommend that you contact SAP Support if errors related to inconsistent SSFS or encryption failure occur.


SAP HANA Administration Guide: Change the Root Key of the Internal Data Encryption Service

Procedure:

1. Verify that no data has already been encrypted using the internal data encryption service by querying the following system views:

   CREDENTIALS (PUBLIC)
   P_DPAPI_KEY_ (SYS)
   (...)

Caution: Do not proceed with the root key change if there is encrypted data.


SAP Note 2228829 - How to Change the DPAPI Root Key

Please note that if you change the root key of the Internal Encryption Service all data that was encrypted using this service will become inaccessible and considered lost. If you determine through the following checks that you would lose data when performing the root key change and you are not 100% sure about the impact of this action, please contact SAP support!

(...)

Important Notes:

Please make once again sure that you have verified that there is no data already encrypted with the current root key of the Internal Data Encryption Service (see step 1). If you are not 100% sure about the impact of this action, please contact SAP support
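
The pre-check quoted from the Administration Guide above, written as a fail-closed gate (an added example, not part of the original answer and not SAP's own script): a root key change is allowed only when both views are readable and empty. It assumes `hdbsql` is on the PATH and a hypothetical hdbuserstore key named `PREFLIGHT` whose user can read both views; the function names are also this example's own.

```shell
#!/bin/sh
# Added example: gate a root key change on the views named in the guide excerpt.
# Only the two views visible in the excerpt are checked; the guide's list is elided.
VIEWS="PUBLIC.CREDENTIALS SYS.P_DPAPI_KEY_"

# run_query SQL: prints the raw result. Kept separate so it can be swapped out.
# Assumption: PREFLIGHT is a hypothetical hdbuserstore key, overridable via env.
run_query() {
    hdbsql -U "${HXE_USERSTORE_KEY:-PREFLIGHT}" -a -x -j "$1"
}

# count_rows VIEW: prints the row count; fails if the view cannot be read
# or the output is not a plain non-negative integer.
count_rows() {
    local out
    out=$(run_query "SELECT COUNT(*) FROM $1") || return 1
    out=$(printf '%s' "$out" | tr -d '[:space:]"')
    case "$out" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$out"
}

# root_key_change_allowed: exit status 0 only when every view is readable and empty.
#   1 = a view has rows, 2 = a view could not be checked (treated as unsafe).
root_key_change_allowed() {
    local view n
    for view in $VIEWS; do
        if ! n=$(count_rows "$view"); then
            echo "BLOCK: cannot verify $view; do not change the root key" >&2
            return 2
        fi
        if [ "$n" -ne 0 ]; then
            echo "BLOCK: $view has $n row(s); encrypted data exists" >&2
            return 1
        fi
    done
    echo "OK: $VIEWS are empty"
}
```

On the server-plus-apps VM described in the answer, this gate would be expected to block, since the SAPXSUAASAML certificate is already stored encrypted with the current key.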

Niels Jelsma Nov 06, 2016 at 09:03 PM
0

Hi Denys,

Thanks for the extra explanation. Some of the information I was able to piece together from the SAP documentation. The how-to guide for HANA Express did not clearly warn about the existing SAPXSUAASAML certificate.

I've happily used the VM without changing the keys in the meantime.
