XS Advanced and FQDN
I have a HANA DB with Rev 110 and XS Advanced installed.
The hostname of the machine is hdb.
The fully qualified hostname is hdb.domain.tld (just replaced it for privacy). This is also what "hostname -f" on OS level is returning.
In XS Advanced I already created the domain hdb.domain.tld in addition to the default domain hdb and also set a (signed) certificate for this new domain.
This way I can access one of my XS Advanced apps by calling https://hdb.domain.tld:51011 in my browser. However, when I want to use the uaa service there are many problems. The first obvious problem is that the browser redirects me to https://hdb:30032/uaa-security/login, which is not available from the client since the domain name is missing.
While it is possible to specify the domain for apps, service brokers seem to have fixed URLs? I tried the xs update-service-broker, but it just gives me a "Not implemented" message. Also I need to specify a username and password for this command - but which? I tried with SYS_XS_UAA, but it doesn't matter at all since it's not implemented as mentioned before.
Another problem is that I can't just manually visit https://hdb.domain.tld:30032/uaa-security/login because it then gives me a 404 error. It seems that the uaa server is using SNI and is only serving the url which is specified during startup.
Although the startup script xs-uaa-server in /usr/sap/hana/shared/HDB/xs/bin clearly states the usage [port] [full qualified hostname] [ssl-enable OR ssl-disable] [start OR run] [router-port], the argument is retrieved by the hdbxsuaaserver script in the same directory by
if [ "$USE_DEFAULT_DOMAIN" != "" ]; then
HOSTNAME_TO_USE=`cat $SAP_RETRIEVAL_PATH/sapprofile.ini | sed -n 's/SAPLOCALHOST *= *//p'`
So basically it just reads parameter SAPLOCALHOST of the sapprofile.ini which is NOT the fully qualified hostname. The sapprofile.ini also doesn't even contain the parameter SAPLOCALHOSTFULL like it is for ABAP systems.
You can easily see where this leads by looking at the xsuaaserver.out in the trace directory:
JAVA_OPTS -Dcom.sap.xs.scenario=hana -Duaaserver.port=30031 -Duaaserver.logdir=/usr/sap/hana/shared/HDB/xs/bin/../uaaserver/tomcat/logs -Duaaserver.host=hdb -Duaaserver.ssl.enable=true -Duaaserver.ssl.keystore=/usr/sap/hana/shared/HDB/xs/bin/../uaaserver/tomcat/ssl_key_store.jks -Duaaserver.ssl.keystore.pass=iBoi8mKKJfzL6wx-HI7WokKUvjCJs9hqGRX -Duaaserver.port=30031 -Dcom.sap.sapjvm.vmtag=xsuaaserver
INTERNAL UAA URL https://hdb:30031/uaa-security
EXTERNAL UAA URL https://hdb:30032/uaa-security
Since the startup script is looking for an xsa_startup_properties file which is sourced before the start, I also tried creating this file with content
which is then used as fully qualified hostname. You can see the effect in the xsuaaserver.out and also the 404 is gone then, but typing xs service-brokers still gives the internal url only. Also redirection is still to the local hostname. When you restart the hana instance then (probably xs controller service needs to pick up the changes) the xs controller service startup fails (because it can't find the uaa server).
So my question is, are there any workarounds and will there ever be an official solution for using fqdn?
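The post traces the short-hostname problem to three places that all have to agree before the UAA login redirect can work from outside the box: SAPLOCALHOST in sapprofile.ini, -Duaaserver.host in the JVM options, and the INTERNAL/EXTERNAL UAA URL lines in xsuaaserver.out. The script below is an added example (not code from the original post or from SAP's own startup scripts) that pulls those three values out and compares them against the FQDN you expect, so you can see the mismatch before touching anything. Function names (profile_localhost, uaa_jvm_host, uaa_url_hosts, check_uaa_hostname) are my own, and the sample sapprofile.ini and xsuaaserver.out it writes to a temp directory are constructed to mirror the lines quoted above, not copied from a real system.

```shell
#!/bin/sh
# Added example: pre-flight check that the hostname XSA's UAA layer was started
# with matches the FQDN clients will actually use. Function names are my own.

# Same extraction hdbxsuaaserver does, anchored so SAPLOCALHOSTFULL (if ever
# present) is not mistaken for SAPLOCALHOST.
profile_localhost() {
    sed -n 's/^SAPLOCALHOST[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Value of -Duaaserver.host=... from the JAVA_OPTS line in xsuaaserver.out.
uaa_jvm_host() {
    grep -o 'uaaserver\.host=[^ ]*' "$1" | head -n 1 | cut -d= -f2
}

# Hostname part of every "... UAA URL https://host:port/..." line, one per line.
uaa_url_hosts() {
    sed -n 's#.*UAA URL https://\([^:/]*\).*#\1#p' "$1"
}

# check_uaa_hostname EXPECTED_FQDN SAPPROFILE_INI XSUAASERVER_OUT
# Prints each hostname found; returns 0 only if all of them equal EXPECTED_FQDN.
check_uaa_hostname() {
    expected=$1; profile=$2; out=$3; rc=0

    local_host=$(profile_localhost "$profile")
    printf 'SAPLOCALHOST (sapprofile.ini) : %s\n' "$local_host"
    [ "$local_host" = "$expected" ] || rc=1

    jvm_host=$(uaa_jvm_host "$out")
    printf 'uaaserver.host (JAVA_OPTS)     : %s\n' "${jvm_host:-<not found>}"
    # Absent JAVA_OPTS line is tolerated; a present but different value is not.
    [ -z "$jvm_host" ] || [ "$jvm_host" = "$expected" ] || rc=1

    for h in $(uaa_url_hosts "$out"); do
        printf 'UAA URL host                   : %s\n' "$h"
        [ "$h" = "$expected" ] || rc=1
    done
    return $rc
}

# --- constructed sample input, modelled on the lines quoted in the post ---
tmp=$(mktemp -d)
cat > "$tmp/sapprofile.ini" <<'EOF'
SAPSYSTEMNAME = HDB
SAPLOCALHOST = hdb
EOF
cat > "$tmp/xsuaaserver.out" <<'EOF'
JAVA_OPTS -Dcom.sap.xs.scenario=hana -Duaaserver.port=30031 -Duaaserver.host=hdb -Duaaserver.ssl.enable=true
INTERNAL UAA URL https://hdb:30031/uaa-security
EXTERNAL UAA URL https://hdb:30032/uaa-security
EOF

if check_uaa_hostname hdb.domain.tld "$tmp/sapprofile.ini" "$tmp/xsuaaserver.out"; then
    echo "OK: UAA is bound to the expected FQDN"
else
    echo "MISMATCH: UAA is bound to the short host; /uaa-security/login redirects will not resolve from outside"
fi
rm -rf "$tmp"
```

On a real system point it at $SAP_RETRIEVAL_PATH/sapprofile.ini and the xsuaaserver.out in the trace directory, with the value of hostname -f as the expected name; a non-zero exit is exactly the situation described above, where every UAA URL carries the short SAPLOCALHOST value.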
Currently the XSA controller & UAA server use the HANA local hostname as the hostname to set up the whole system. Basically you were right that you need to change the "hdb" hostname to the FQDN.
Currently the only true solution is to reinstall the system and when HDBLCM asks "Enter Local Hostname" enter the FQDN. Then all XSA services will use this correct hostname.
In the future you will have the opportunity to specify different hostnames for the HANA Local Hostname and the XSA Default Domain. Also system rename will be available for XSA in one of the upcoming releases, which could also solve such an issue.