parser: v2

auto_validation: true

time: 60

tags: [ tutorial>intermediate, products>sap-business-technology-platform, tutorial>license]

primary_tag: products>sap-hana-service-for-sap-btp

<!-- description --> Reconfigure a SAML trust relationship on your SAP HANA XS database system from the file system to the in-memory store.

- You have installed an **SAP HANA XS system in the SAP BTP, Neo environment** that you'd like to convert to an **SAP HANA MDC system**. For more information, see [SAP Note 2960608](https://launchpad.support.sap.com/#/notes/2960608).

- You have configured a trust relationship between your identity provider and your SAP HANA XS system using SAML on the file system.

- You have access to your identity provider and the required roles to configure SAML trust relationships.

- You have installed openSSL or another certification tool.

- How to register the service provider and the identity provider certificates in the SAP HANA in-memory store

- How to reconfigure the trust relationship between your identity provider and your SAP HANA database system

When you configured the SAML trust relationship, the setup consisted of the following steps:


1. The service provider certificates were automatically created during the installation of the SAP HANA database and stored in the **file system** (in the *sapsrv.pse* file).

>**TIP:** The public certificate stored in the file system can be viewed in the **Trust Manager** tab of the **XS Admin Tool**.

2. You configured a trust relationship to the SAP HANA system to an identity provider by exporting the service metadata and registering it in the identity provider.

3. You configured a trust relationship to the identity provider in the SAP HANA system, by exporting the identity provider SAML metadata and importing it into the SAP HANA system.

4. You configured the application for SAML authentication.

Converting your SAP HANA XS system to an SAP HANA MDC system now requires you to reconfigure the SAML trust relationship to store the certificates in the **in-memory store**. To do so, you will have to repeat some of the already completed steps:


1. You will regenerate the service provider certificates (step 2).

2. You store the service provider and the identity provider certificates in the in-memory store of the SAP HANA system (steps 3-6).

3. You will reconfigure the trust relationship in the identity provider based on the updated service provider certificates (step 7).

But before we start, we have to make sure that your database user has been assigned the required roles.

1. Open the **SAP HANA Web-based Development Workbench** on the SAP HANA XS system.

You can do so by appending `/sap/hana/ide` to the URL of the database system, or you can access it from the SAP BTP cockpit.


2. Go to **Security** and open your database user.

3. Check that the user has been assigned at least the following roles:

- `sap.hana.security.base.roles::HANACertificateAdmin`

- `sap.hana.security.cockpit.roles::DisplayCertificateStore`

- `sap.hana.security.cockpit.roles::EditCertificateStore`

- `sap.hana.security.cockpit.roles::MaintainCertificateCollections`

- `sap.hana.security.cockpit.roles::MaintainCertificates`

- `sap.hana.xs.admin.roles::SAMLAdministrator`

- `sap.hana.xs.admin.roles::TrustStoreAdministrator`

For more information on how to create database user and assign roles on SAP HANA XS database systems, see [Create a Database Administration User for SAP HANA XS Databases](https://help.sap.com/viewer/d4790b2de2f4429db6f3dff54e4d7b3a/Cloud/en-US/1658a0868ded48c49a04508f89a8cbfa.html).

When you initially established trust, the service provider certificates had been automatically created and stored in the file system. You now have to re-create these certificates to store them in the in-memory store. The SAP HANA database system uses the service provider certificates to sign SAML documents that are exchanged with the identity provider.

Additionally, we only use example parameters in the command below. **Do not use these parameters in productive scenarios**, and align them with your Security Office.

To create a self-signed certificate using openSSL, run the following command in a command line shell:

openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes -subj "//CN=example"

You have now generated your service provider certificate consisting of the following two files:

- *certificate.key* - the private key

- *certificate.crt* - the public key

Create the certificate collection in which you will store the service provider and the identity provider certificates.

1. Open the **SAP HANA cockpit** on your SAP HANA XS database system.

You can do so by appending `/sap/hana/admin/cockpit` to the URL of the database system, or you can access it from the SAP BTP cockpit.


2. Open the **Configure Certificate Collections** application.


3. Create a new collection. To do so, choose **+** and enter a **name** for the collection.


4. Edit the collection and set its purpose to **SAML**.


You have now created a PSE store that we'll use to store the "own" certificate and the identity provider certificate.

1. Prepare the upload of the service provider certificates by copying the values from the files you previously created into a new file:

- Copy the values between the *Begin/End Certificate* tags from the *certificate.crt* file.

- Copy the values between the *Begin/End Private RSA Key* tags from the *certificate.key* file.

```