Hello guys,
I have a HANA DB with Rev 110 and XS Advanced installed.
The hostname of the machine is hdb.
The fully qualified hostname is hdb.domain.tld (just replaced it for privacy). This is also what "hostname -f" on OS level is returning.
In XS Advanced I already created the domain hdb.domain.tld in addition to the default domain hdb and also set a (signed) certificate for this new domain.
This way I can access one of my XS Advanced apps by calling https://hdb.domain.tld:51011 in my browser. However, when I want to use the uaa service there are many problems. The first obvious problem is that the browser redirects me to https://hdb:30032/uaa-security/login, which is not available from the client since the domain name is missing.
While it is possible to specify the domain for apps, service brokers seem to have fixed URLs? I tried the xs update-service-broker command, but it just gives me a "Not implemented" message. Also I need to specify a username and password for this command - but which? I tried with SYS_XS_UAA, but it doesn't matter at all since it's not implemented as mentioned before.
Another problem is that I can't just manually visit https://hdb.domain.tld:30032/uaa-security/login because it then gives me a 404 error. It seems that the uaa server is using SNI and is only serving the URL which is specified during startup.
Although the startup script xs-uaa-server in /usr/sap/hana/shared/HDB/xs/bin clearly states the usage [port] [full qualified hostname] [ssl-enable OR ssl-disable] [start OR run] [router-port], the argument is retrieved by the hdbxsuaaserver script in the same directory by

    if [ "$USE_DEFAULT_DOMAIN" != "" ]; then
        HOSTNAME_TO_USE=$USE_DEFAULT_DOMAIN
    else
        HOSTNAME_TO_USE=`cat $SAP_RETRIEVAL_PATH/sapprofile.ini | sed -n 's/SAPLOCALHOST *= *//p'`
    fi
So basically it just reads the parameter SAPLOCALHOST from the sapprofile.ini, which is NOT the fully qualified hostname. The sapprofile.ini also doesn't even contain the parameter SAPLOCALHOSTFULL like it does for ABAP systems.
You can easily see where this leads by looking at the xsuaaserver.out in the trace directory:
hdb -Dcom.sap.xs.scenario=hana -Duaaserver.port=30031 UAA_PORT 30031 FULL_QUALIFIED_HOSTNAME hdb SSL_ENABLE true STARTMODE run JAVA_OPTS -Dcom.sap.xs.scenario=hana -Duaaserver.port=30031 -Duaaserver.logdir=/usr/sap/hana/shared/HDB/xs/bin/../uaaserver/tomcat/logs -Duaaserver.host=hdb -Duaaserver.ssl.enable=true -Duaaserver.ssl.keystore=/usr/sap/hana/shared/HDB/xs/bin/../uaaserver/tomcat/ssl_key_store.jks -Duaaserver.ssl.keystore.pass=iBoi8mKKJfzL6wx-HI7WokKUvjCJs9hqGRX -Duaaserver.port=30031 -Dcom.sap.sapjvm.vmtag=xsuaaserver INTERNAL UAA URL https://hdb:30031/uaa-security EXTERNAL UAA URL https://hdb:30032/uaa-security
Since the startup script is looking for an xsa_startup_properties file which is sourced before the start, I also tried creating this file with the content

    #!/bin/bash
    USE_DEFAULT_DOMAIN=hdb.domain.tld
which is then used as the fully qualified hostname. You can see the effect in the xsuaaserver.out, and the 404 is gone then, but typing xs service-brokers still gives the internal URL only. Also the redirection still goes to the local hostname. When you then restart the HANA instance (probably the xs controller service needs to pick up the changes), the xs controller service startup fails (because it can't find the uaa server).
So my question is: are there any workarounds, and will there ever be an official solution for using the FQDN?
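As an added illustration (not code from the post or from SAP), the following script reproduces the hostname selection the post quotes from hdbxsuaaserver and adds a check that flags the mismatch before a restart: the sample sapprofile.ini and xsa_startup_properties contents are constructed here, and the file paths are placeholders, not the real locations under /usr/sap.

```bash
#!/bin/bash
# Added example, not part of the original post. Mirrors the hostname
# selection the post describes and checks it against the expected FQDN.

# Mirrors the post's logic: USE_DEFAULT_DOMAIN wins, otherwise the short
# SAPLOCALHOST value from sapprofile.ini (same sed pattern as the script).
uaa_hostname() {
  local profile="$1" override="$2"
  if [ -n "$override" ]; then
    printf '%s\n' "$override"
  else
    sed -n 's/SAPLOCALHOST *= *//p' "$profile"
  fi
}

# Mirrors the sourcing of xsa_startup_properties: if the file is readable
# it is sourced, and whatever USE_DEFAULT_DOMAIN it sets is returned.
load_startup_properties() {
  local props="$1"
  [ -r "$props" ] && . "$props"
  printf '%s\n' "${USE_DEFAULT_DOMAIN:-}"
}

# Returns 0 when the hostname the UAA will advertise equals the FQDN the
# certificate and clients use, 1 when it is the short name (the state that
# yields redirects to https://<shortname>:30032/uaa-security/login).
check_uaa_hostname() {
  local chosen="$1" fqdn="$2"
  [ "$chosen" = "$fqdn" ]
}

# Constructed sample profile resembling the post's sapprofile.ini
# (no SAPLOCALHOSTFULL entry, as the post observes).
make_sample_profile() {
  local f
  f=$(mktemp)
  printf 'SAPSYSTEMNAME = HDB\nSAPLOCALHOST = hdb\n' > "$f"
  printf '%s\n' "$f"
}

# Stand-alone run: compare the default choice with `hostname -f`.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  profile=$(make_sample_profile)
  chosen=$(uaa_hostname "$profile" "${USE_DEFAULT_DOMAIN:-}")
  if check_uaa_hostname "$chosen" "$(hostname -f)"; then
    echo "UAA hostname '$chosen' matches FQDN"
  else
    echo "WARNING: UAA would advertise '$chosen', FQDN is $(hostname -f)"
  fi
  rm -f "$profile"
fi
```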