SAP HANA Service Secure Client Connections with SA...
The SAP HANA Service on the SAP Cloud Platform only accepts secure (encrypted) connections from client tools. To make this happen, you have two options:
Use the default (built-in) TLS/SSL security provider of your platform
Use the SAP CommonCrypto Library (SCL)
This blog is about the second option. For the default provider, see
In the video tutorial, we show how to configure secure client connections with SAP CommonCryptoLib on macOS, Linux, and Microsoft Windows.
The following clients are used:
hdbsql (SAP HANA interactive terminal)
hdbuserstore (connect with key instead of password)
ODBC
JDBC (command line connection test)
Eclipse (Java class connection test)
Python (Jupyter Notebook connection test)
Hands-On Video
For those already familiar with the topic, here is a short(er) video with focus on just the Microsoft Windows platform.
Cloud Foundry, Neo, and On-Premise
In the tutorial video we are using the SAP HANA Service from the Cloud Foundry environment. However, as this concerns client-side configuration, it works exactly the same in the Neo environment (SAP datacenter). For those interested in how to configure secure SAP HANA client connections for on-premise SAP HANA, just ignore the "Service" word. Again, on the client-side it works the same.
The SAP CommonCrypto Library was created by SAP to guarantee a secure compute environment regardless of the underlying platform. The SAP HANA Service is configured to use the SAP CommonCrypto Library for all internal cryptography purposes. For on-premise server-side SAP HANA, OpenSSL has been deprecated.
SAP CommonCryptoLib Required for Client-side Encryption
The SAP CommonCryptoLib is required for SAP HANA Client Side Encryption.
For the SAP HANA client to be able to verify the validity of the SAP HANA service certificate, a root certificate authority (CA) certificate is required. For this, the DigiCert Global Root CA is used, which you can download from DigiCert.
For OpenSSL, you need to convert the CRT to PEM format. This is not required for adding the certificate to the SAP client PSE. See the video and the code examples.
SAP HANA CLIENT FOR HAAS
The SAP HANA client for HAAS includes the SAP CommonCryptoLib and can be downloaded from Software Downloads on the SAP ONE Support launchpad.
If you prefer DIY, you can also download the latest SAP HANA client and download the latest SAP CommonCryptoLib and install them together in the same directory. Works as well.
SECUDIR and PSE
You need to create a PSE and add the CA root certificate with the sapgenpse utility. See the video and sample code for how this can be done.
To verify the contents of the PSE and list the public keys (pk), you can use the commands:
Once the PSE has been set up, it is easy to use the SAP CommonCryptoLib in ODBC, JDBC, Python, and any of the other supported SAP HANA clients.
Below is an example of connecting to the SAP HANA Service using Python in a Jupyter Notebook using sslCryptoProvider=commoncrypto. We also use a hdbuserstore key in this connection, so we do not have to provide hardcoded usernames and passwords.
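A pre-flight check plus connection call for the setup described above, as an added example that is not the notebook code from the original post. It assumes the hdbcli driver from the SAP HANA client, that the PSE created with sapgenpse is named sapcli.pse inside SECUDIR, and a hypothetical hdbuserstore key MYKEY.

```python
import os
from pathlib import Path

# Assumption: the client PSE created with sapgenpse is $SECUDIR/sapcli.pse.
PSE_NAME = "sapcli.pse"


def commoncrypto_connect_args(userstore_key, env=None):
    """Build keyword arguments for hdbcli's dbapi.connect() that force a
    certificate-validated TLS connection through SAP CommonCryptoLib.

    Raises RuntimeError when SECUDIR or the PSE is missing, so a broken
    setup fails here instead of as an opaque TLS handshake error.
    """
    env = os.environ if env is None else env
    secudir = env.get("SECUDIR")
    if not secudir:
        raise RuntimeError("SECUDIR is not set; CommonCryptoLib cannot locate the PSE")
    pse = Path(secudir) / PSE_NAME
    if not pse.is_file():
        raise RuntimeError(f"{pse} not found; create it with sapgenpse and add the root CA")
    return {
        "key": userstore_key,              # hdbuserstore key, so no user/password in code
        "encrypt": True,                   # the service only accepts encrypted connections
        "sslValidateCertificate": True,    # verify the server certificate against the PSE
        "sslCryptoProvider": "commoncrypto",
        "sslTrustStore": str(pse),         # PSE holding the DigiCert Global Root CA
        "sslKeyStore": str(pse),           # assumption: same PSE used as key store
    }


def connect(userstore_key):
    # Imported lazily so the argument check can run without the driver installed.
    from hdbcli import dbapi
    return dbapi.connect(**commoncrypto_connect_args(userstore_key))


if __name__ == "__main__":
    conn = connect("MYKEY")  # hypothetical hdbuserstore key
    cursor = conn.cursor()
    cursor.execute("SELECT CURRENT_USER FROM DUMMY")
    print(cursor.fetchone())
    conn.close()
```

Keeping sslValidateCertificate set to True is what makes the root CA in the PSE matter: with it disabled the connection is still encrypted, but the server's identity is not checked.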
YouTube Playlist(s)
The tutorials have been posted to the following playlists: