Overview 

Hybrid Workloads agent ships with a self-signed SSL certificate.  The communication between the Backint executable and Hybrid Workloads agent   takes place using a secured TLS. However, the Backint executable cannot verify the self-signed certificate.

For enhanced security, you can use your own signed SSL certificates. The benefit of using a signed certificate is that the Backint executable can verify the SSL certificate, which cannot be done for the self-signed certificate.

Prerequisites

You must have the SSL certificate and the key file for your domain name.

The SSL certificate file typically has a file extension of .crt, and the key file typically has a file extension of .key.

Contact your network administrator for these files.

Additionally, the root-CA certificate of the certificate authority (CA) must be added to the trust pool of the SAP HANA  server.

Before you continue, take note of the path where you saved the certificate, the key file, and the rootCA file.

Procedure

Log in to the SAP HANA  server, open a terminal, and follow these steps: 

1. Open the following file in any editor:

/etc/Druva/EnterpriseWorkloads/sap-hana/SaphanaPlugin.yml

2. Locate the following flags and set the value as follows:

insecureSkipVerify: false

useCustomCerts: true

See the following table for these flags' possible values and impact.

3. Locate the keys customServerCert, customServerKey, and customCAPemFile.  Enter the complete path of the path where you saved the certificate, the key file, and the rootCA file, respectively, as follows: 

customServerCert: /full/path/to/certificate.crt
customServerKey: /full/path/to/private.key

customCAPemFile: /full/path/to/rootCA.pem

4. Finally, save the configuration file and restart the Hybrid Workloads agent service as follows:
   systemctl restart Druva-EnterpriseWorkloads.service