Reconfigure Trust Relationships on SAP HANA XS Systems
- How to register the service provider and the identity provider certificates in the SAP HANA in-memory store
- How to reconfigure the trust relationship between your identity provider and your SAP HANA database system
Prerequisites
- You have installed an SAP HANA XS system in the SAP BTP, Neo environment that you’d like to convert to an SAP HANA MDC system. For more information, see SAP Note 2960608.
- You have configured a trust relationship between your identity provider and your SAP HANA XS system using SAML on the file system.
- You have access to your identity provider and the required roles to configure SAML trust relationships.
- You have installed openSSL or another certification tool.
This tutorial assumes that you want to convert your SAP HANA XS system to an MDC system and, therefore, want to reconfigure your SAML setup to prepare for the conversion. For more information, see SAP Note 2960608.
It also assumes that you have already configured a trust relationship between your SAP HANA database system and your identity provider. If you do not use SAML-based authentication, you can ignore this tutorial.
When you configured the SAML trust relationship, the setup consisted of the following steps:

-
The service provider certificates were automatically created during the installation of the SAP HANA database and stored in the file system (in the sapsrv.pse file).
TIP: The public certificate stored in the file system can be viewed in the Trust Manager tab of the XS Admin Tool.
-
You configured a trust relationship to the SAP HANA system to an identity provider by exporting the service metadata and registering it in the identity provider.
-
You configured a trust relationship to the identity provider in the SAP HANA system, by exporting the identity provider SAML metadata and importing it into the SAP HANA system.
-
You configured the application for SAML authentication.
Converting your SAP HANA XS system to an SAP HANA MDC system now requires you to reconfigure the SAML trust relationship to store the certificates in the in-memory store. To do so, you will have to repeat some of the already completed steps:

-
You will regenerate the service provider certificates (step 2).
-
You store the service provider and the identity provider certificates in the in-memory store of the SAP HANA system (steps 3-6).
-
You will reconfigure the trust relationship in the identity provider based on the updated service provider certificates (step 7).
But before we start, we have to make sure that your database user has been assigned the required roles.