Technology Blogs by SAP
yogananda
Product and Topic Expert

SSH tunneling, also known as SSH port forwarding, provides a secure method for client applications to communicate with remote servers. By encrypting traffic, SSH tunnels ensure data protection during transmission. This article explores the significance of SSH tunneling, its advantages, how it works, and its various use cases.

What is an SSH Tunnel?

An SSH tunnel (also known as SSH port forwarding) is a method by which client applications can securely communicate with remote servers. The SSH client and server provide the SSH tunnel and encrypt traffic, providing security during the transmission of data. When using an SSH tunnel to interact with remote services, if any of the data were intercepted in transit, it would be securely encrypted.

Why Do You Need SSH Tunneling?

SSH tunneling is a method used to connect a client application on a local machine to services on remote machines. However, there are other ways to accomplish the same goal. Many services that you might wish to connect to on remote servers, such as a database, can have ports opened externally to accept connections directly from the internet. You can also limit these kinds of connections to devices that exist on your private network, or on a virtual private network (VPN). This kind of perimeter-based security, which automatically rejected external connections and gave at least some implicit trust to on-premise connections, was a very common security practice before cloud computing became widespread.

For more information, see https://goteleport.com/blog/ssh-tunneling-explained/

How Do SSH Tunnels Work?

SSH tunneling is a fairly straightforward process. On the server in question, the remote service (for example, a database) listens on a local port, but does not open ports for that service to the internet.

Your SSH client connects to the SSH service on the remote server and establishes a secure tunnel. You will need to configure your SSH client to forward traffic from a local port to the remote port that you desire (for example, port 3306 for MySQL), or, if you are using the command line only, specify that in this format:


# Enable SSH access to the app and restage it so the change takes effect
cf enable-ssh <YOUR-HOST-APP>
cf restage <YOUR-HOST-APP>

# Create a service key for the database instance and display it; the key
# contains the hostname, port and credentials used in the next two commands
cf create-service-key MY-DB EXTERNAL-ACCESS-KEY
cf service-key MY-DB EXTERNAL-ACCESS-KEY

# Open the tunnel: local port 63306 is forwarded, through the app container,
# to the database's <hostname>:<port> taken from the service key
cf ssh -L 63306:<hostname>:<port> <YOUR-HOST-APP>

# Connect with psql through the local end of the tunnel
psql -d <dbname> -U <username> -p 63306 -h localhost

The generic form of an SSH local port forward is:

$ ssh -L <YOUR_LOCAL_PORT>:<YOUR_SERVER_IP>:<YOUR_REMOTE_PORT> <YOUR_USER>@<YOUR_SERVER>

For example:

At that point, when you use your local application (such as a database client, or the command line) to attempt to connect to the remote service, you start the connection using your chosen port for that application locally (for example, `localhost:8000`) and traffic that is sent to that port is forwarded over the SSH tunnel to the specified local port (`63306`) that is open on the server.

SSH reverse tunneling is a similar, but opposite, effect. To forward local traffic from a port on the remote machine to one of the client’s local ports over the SSH tunnel, you can replace the `-L` flag with a `-R` flag. In the example above, this would now forward traffic from the server’s local 8000 port to the client’s port 63306, via the SSH tunnel.
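As an added example (not code from the original post), the cf sequence and the `-L` forward described above as one script: it reads the database host and port out of the service key, builds the forward spec, refuses to open the tunnel if either field is missing, waits for the local port to come up before starting psql, and only runs the cf commands when RUN_TUNNEL=1. The app, instance and key names are placeholders, and the service-key field names are an assumption taken from the credentials quoted in the comments below.

```shell
# Added example, not code from the original post: scripts the cf workflow
# shown above. APP, DB_INSTANCE and KEY_NAME are placeholders; the service-key
# JSON is assumed to carry flat "hostname", "port", "username", "password"
# and "dbname" fields, as in the credentials quoted in the comments.
set -eu
APP="${APP:-YOUR-HOST-APP}"; DB_INSTANCE="${DB_INSTANCE:-MY-DB}"
KEY_NAME="${KEY_NAME:-EXTERNAL-ACCESS-KEY}"; LOCAL_PORT="${LOCAL_PORT:-63306}"
# Constructed sample of `cf service-key` output, used for the offline check.
SAMPLE_KEY='{
  "hostname": "postgres-example.internal",
  "port": "5432",
  "username": "dbuser", "password": "example-password", "dbname": "appdb"
}'

# Read one flat JSON field from stdin; accepts "port": "5432" and "port": 5432.
json_field() {
  sed -n "s/.*\"$1\": *\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p" | head -n 1
}

# Build the cf ssh -L argument <local-port>:<db-host>:<db-port>; fail when the
# key lacks either field so a broken tunnel is never opened silently.
build_forward_spec() {
  host=$(printf '%s\n' "$2" | json_field hostname)
  port=$(printf '%s\n' "$2" | json_field port)
  [ -n "$host" ] && [ -n "$port" ] || return 1
  printf '%s:%s:%s\n' "$1" "$host" "$port"
}

# Wait up to $2 seconds until something listens on localhost:$1.
wait_for_port() {
  i=0
  until nc -z localhost "$1" 2>/dev/null; do
    i=$((i + 1)); [ "$i" -lt "$2" ] || return 1; sleep 1
  done
}

# Enable SSH on the app, create and read the key, open the tunnel in the
# background (-N: port forwarding only) and connect psql through it.
open_tunnel() {
  cf enable-ssh "$APP" && cf restage "$APP"
  cf create-service-key "$DB_INSTANCE" "$KEY_NAME"
  key=$(cf service-key "$DB_INSTANCE" "$KEY_NAME")
  spec=$(build_forward_spec "$LOCAL_PORT" "$key")   # set -e aborts on a bad key
  cf ssh -N -L "$spec" "$APP" &
  wait_for_port "$LOCAL_PORT" 30
  PGPASSWORD=$(printf '%s\n' "$key" | json_field password) psql -h localhost \
    -p "$LOCAL_PORT" -U "$(printf '%s\n' "$key" | json_field username)" \
    -d "$(printf '%s\n' "$key" | json_field dbname)"
}
if [ "${RUN_TUNNEL:-0}" = 1 ]; then open_tunnel; fi   # cf only runs on request
```

Run it as `RUN_TUNNEL=1 APP=<your-app> DB_INSTANCE=<your-instance> sh tunnel.sh`; without RUN_TUNNEL the file only defines the functions, which is what makes the forward-spec parsing checkable offline.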

SAP BTP security groups show that the port is disabled

Conclusion

The use of SSH tunnels is extremely useful when interacting with services that require higher security for traffic that is external to a secure perimeter without requiring a VPN or exposing them directly to the internet. But they don’t solve every access problem facing an organization. Individual credentials must be managed, or shared credentials doled out insecurely. SSH tunnels provide secure access, but at the cost of decreased visibility and auditability.

3 Comments
mallesh_reddy3
Explorer
0 Kudos

Hi Yogananda,

Thanks for the detailed blog on the PostgreSQL SSL tunnel.

Our requirement is that we are developing a Spring Boot Java application through SAP BAS, with a PostgreSQL instance enabled as the hyperscaler option.


Somehow we are unable to connect to our PostgreSQL instance through our Java app.

We are unable to connect to our PostgreSQL Server instance through pgAdmin 4.

We are encountering connection timeout errors.

Can you help me with any documentation on how to connect to PostgreSQL through Java in BAS?


Also, let me know whether the disabled ports are causing the issue, and if so, how we can enable them.


Thanks & Regards,

Mallesh

mpyreddy@gemini-us.com

+917989981075


Issar
Newcomer
0 Kudos

Hi Yogananda!!

I intend to create a Spring Boot Java application in BTP as a CAP project, with a PostgreSQL hyperscaler instance as the backend.

I have successfully bound the Postgres instance to the CAP project using "cds bind db --to hat:hat_sk", where hat is the Postgres instance name and hat_sk is its service key.

But I am unable to establish a connection to PostgreSQL.

I would truly appreciate your guidance.

Regards,

Parikshit Issar

parikshitissar14@gmail.com


rgadirov
Participant
0 Kudos

Hi @yogananda ,

thank you for this informative blog. I have already bound a Business Application Studio CAP application to the hyperscaler PostgreSQL instance on SAP BTP successfully. The app is deployed, but as soon as I try to call my exposed service endpoint, I get "Resource Timeout Issue".

I also didn't manage to connect via the DBeaver tool; I pasted the hostname, URL and password and also specified the SSL certificate, but the connection fails. The SSH tunnel is something that I build via the BAS terminal, but I have difficulties combining the steps; it is still unclear to me.

During startup of the app via "cds watch --profile hybrid" in BAS, I noticed the following in the terminal: it connects not only to db > postgres, but also to db.sqlite, although I made sure via the command "cds bind -2 "postgreInstance:postgreKey"" that it is bound to the existing service and key. I also have my .cdsrc-private.json file with these settings, and I start my app in the hybrid runtime with BTP cloud bindings.

[cds] - connect using bindings from: { registry: '~/.cds-services.json' }
[cds] - connect to db > postgres {
url: 'db.sqlite',
vcap: { name: 'MyPostgreSQL-Instance }, //example only, not real for this blog post!
credentials: { ssl: true },
username: '61fdd1993a12', //modified
password: '...',
hostname: 'postgres-e907e4e7-0d55-407b-ae9f-1deee445fba8.postgres.database.azure.com', //modified
dbname: 'vCPkjVeirgrU',
port: '5432',
uri: 'postgres://41fdc1893a13:e0e4c5a97ac6dcc17a96e0a79f3d3a0b@postgres-e807e4e7-0d55-407b-ae9f-1deee445fba9.postgres.database.azure.com:5432/vCPkjVeirgrU',
urls: {
api_server: 'https://api-backing-services.eu20-001.data.services.cloud.sap'
},
sslcert: '...',
sslrootcert: '...'
}

The error when requesting the service endpoint of a PostgreSQL-based, deployed CDS entity:

"error": {"code": "500","message": "ResourceRequest timed out"}}

You can kindly contact me via my mail if you can support: Rufat.Gadirov@jfs-digital.com

Thank you in advance.

Best regards

Rufat