Enhance security with a signed SSL certificate (SAP HANA)
Updated over 6 months ago

Enterprise Workloads Editions: ✅ Business ✅ Enterprise ✅ Elite

Overview

The Hybrid Workloads agent ships with a self-signed SSL certificate. Communication between the Backint executable and the Hybrid Workloads agent is secured with TLS. However, the Backint executable cannot verify the self-signed certificate.

For enhanced security, you can use your own signed SSL certificates. The benefit of using a signed certificate is that the Backint executable can verify the SSL certificate, which cannot be done for the self-signed certificate.

Prerequisites


You must have the SSL certificate and the key file for your domain name.

The SSL certificate file typically has a file extension of .crt, and the key file typically has a file extension of .key.

Contact your network administrator for these files.

Additionally, the root-CA certificate of the certificate authority (CA) must be added to the trust pool of the SAP HANA server.

Before you continue, take note of the path where you saved the certificate, the key file, and the rootCA file.

Procedure


Log in to the SAP HANA server, open a terminal, and follow these steps:

  1. Open the following file in any editor:

/etc/Druva/EnterpriseWorkloads/sap-hana/SaphanaPlugin.yml

  2. Locate the following flags and set their values as follows:

insecureSkipVerify: false
useCustomCerts: true


See the following table for these flags' possible values and impact.

| Value of Flag | Impact |
|---|---|
| insecureSkipVerify: true (Default value) | Even though the communication between the Backint executable and the Hybrid Workloads agent is over SSL, the Hybrid Workloads agent certificate is not verified. |
| insecureSkipVerify: false | The most secure setting, where the communication between the Backint executable and the Hybrid Workloads agent uses SSL and the SAP HANA agent certificate is verified. |
| useCustomCACerts: false (Default value) | You can use the default self-signed certificates shipped with the Hybrid Workloads agent to enable TLS. |
| useCustomCACerts: true | This option enables custom certificates instead of the default self-signed certificate used by the Hybrid Workloads agent. |

  3. Locate the keys customServerCert, customServerKey, and customCAPemFile. Enter the full paths to the certificate, the key file, and the rootCA file, respectively, as follows:

customServerCert: /full/path/to/certificate.crt
customServerKey: /full/path/to/private.key
customCAPemFile: /full/path/to/rootCA.pem

  4. Finally, save the configuration file and restart the Hybrid Workloads agent service as follows:

    systemctl restart Druva-EnterpriseWorkloads.service
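
With insecureSkipVerify set to false, a certificate that does not chain to the rootCA file or does not match the key file causes verification to fail, so it is worth checking the three files before the restart. The following script is an added example, not part of the original article or the vendor's tooling; the function name check_cert_bundle and the 30-day expiry window are assumptions, and it requires the openssl command-line tool and an unencrypted key file.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight checks for the files referenced
# by customServerCert, customServerKey and customCAPemFile.
# check_cert_bundle is a hypothetical helper name; requires the openssl CLI.
# Return codes: 0 ok, 2 unreadable file, 3 chain, 4 key mismatch, 5 expiry.

EXPIRY_WINDOW=2592000   # assumption: reject certs expiring within 30 days (seconds)

# SHA-256 over the DER-encoded public key read (as PEM) from stdin
pubkey_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256
}

check_cert_bundle() {
    ccb_cert=$1; ccb_key=$2; ccb_ca=$3
    for ccb_f in "$ccb_cert" "$ccb_key" "$ccb_ca"; do
        [ -r "$ccb_f" ] || { echo "FAIL: cannot read $ccb_f" >&2; return 2; }
    done
    # 1. The server certificate must chain to the root CA that was added
    #    to the trust pool of the SAP HANA server.
    if ! openssl verify -CAfile "$ccb_ca" "$ccb_cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against $ccb_ca" >&2; return 3
    fi
    # 2. The private key must belong to the certificate: compare public keys.
    #    Assumes the key file is not passphrase-protected.
    ccb_cert_pub=$(openssl x509 -in "$ccb_cert" -noout -pubkey | pubkey_digest)
    ccb_key_pub=$(openssl pkey -in "$ccb_key" -pubout 2>/dev/null | pubkey_digest)
    if [ "$ccb_cert_pub" != "$ccb_key_pub" ]; then
        echo "FAIL: key file does not match the certificate" >&2; return 4
    fi
    # 3. The certificate must stay valid beyond the expiry window.
    if ! openssl x509 -in "$ccb_cert" -noout -checkend "$EXPIRY_WINDOW" >/dev/null; then
        echo "FAIL: certificate expires within $EXPIRY_WINDOW seconds" >&2; return 5
    fi
    echo "OK: certificate, key and root CA are consistent"
    return 0
}

# Run directly with: <script> /full/path/to/certificate.crt /full/path/to/private.key /full/path/to/rootCA.pem
if [ "$#" -eq 3 ]; then
    check_cert_bundle "$@"
fi
```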