
Configure ABAP to HANA SSL connection

I am working on a project where one of the requirements is to encrypt the traffic between the CI and the HANA back end DB. This is partially documented in section 4.3 of the HANA Security Guide, but it still took me some time to figure out. I understand the next version of the security guide will have more detailed instructions, but I thought I’d share some details that may help others in the meantime.

The instructions below are based on sapcrypto. In SP7, there is an option to use commoncrypto. OpenSSL is also an option if sapcrypto is not installed.

  • Install sapcrypto on both CI and HANA systems
    • This is well documented, so I won’t provide details here
    • Copy to the …/lib directory
      • cp /usr/sap/<sid>/SYS/global/security/lib
  • Create PSE files for both the CI and HANA systems
    • See Note 1718944 – SAP HANA DB: Securing External SQL Communication (SAPCrypto)
    • If a Certificate Authority (CA) is not available, SAP provides an option to create a test cert that is valid for 8 weeks:
      • This option can be used to sign the sapcli.req from Note 1718944
    • In my case, the customer created a PFX file using their own CA
      • This requires converting the *.PFX file provided by the customer to a PSE using the command below
        • sapgenpse import_p12 -p sapcli.pse <existing_cert>.pfx
    • Copy sapcli.pse to sapsrv.pse
      • cp sapcli.pse sapsrv.pse
    • sapsrv.pse is required for server authentication – HANA DB
    • sapcli.pse is required for client authentication – CI ABAP system
      • Even though only the respective file is required on each system for our scenario, it is easy to create both PSE files on both systems.
  • Enable SSL on HANA
    • su to <sid>adm
    • Create $SECUDIR
      • mkdir -p $SECUDIR
    • Copy both PSE files to $SECUDIR
      • cp sapcli.pse sapsrv.pse $SECUDIR
    • Restart the HANA DB to enable SSL
  • Configure CI to connect via SSL
    • Copy sapcli.pse to /usr/sap/<SID>/DVEBMGS00/sec
      • If the sec directory above doesn’t exist, create it while logged on as <sid>adm
    • Add the following parameter to DEFAULT.PFL to enable encryption on the DB connection
      • dbs/hdb/connect_property = ENCRYPT=TRUE
    • Stop and start the CI.
    • Check dev_w0 and verify the connection to the DB. It should look something like the output below.

Loading SQLDBC client runtime …
C  SQLDBC Module  : /usr/sap/<SID>/hdbclient/
C  SQLDBC Runtime : libSQLDBCHDB Build 0386119-1510
C  SQLDBC client runtime is
C  connect property [ENCRYPT = TRUE]
C  Try to connect via secure store (DEFAULT) on connection 0 …
C Sun Jan 12 19:41:31 2014
C  Attach to HDB : (NewDB100_REL)
C  Database release is HDB
C  INFO : Database ‘<SID>/00’ instance is running on ‘<HANA_Host>’
C  INFO : Connect to DB as ‘SAP<SID>’, connection_id=300100
C  DB max. input host variables  : 32767

I ran into a few errors on the CI that caused the work processes to crash. I’ve outlined the errors I saw in the dev_w* traces, the cause and the steps to resolve the errors.

  • Troubleshooting –
    • Error message
      • “Cannot create SSL context” – This message is very generic and does not provide the additional details that the error messages below do.
        • Possible Causes
          • sapcrypto library is not accessible
          • PSE key/trust store is not available or not properly filled
        • Solution
          • Ensure sapcrypto is installed correctly and the PSEs are created properly
    • Error message

C SQLERRTEXT : Connection failed (RTE:[300010] Cannot create SSL context: ERROR in SSL_CTX_set_default_pse_by_name:\
C                (4129/0x1021) The PSE does not exist : “/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse”,ERROR in ssl_set_pse\
C               : (4129/0x1021) The PSE does not exist : “/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse”,ERROR in af_open: (\
C               4129/0x1021) The PSE does not exist : “/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse”,ERROR in secsw_open: (\
C               4129/0x1021) The PSE does not exist : “/usr/sap/<SID>/DVEBMGS00/sec/sapcli.pse”,ERROR in secsw_open_ps\

        • Solution
          • Verify that sapcli.pse is present in the sec directory and that <sid>adm has permission to read it.
    • Error message

SQLERRTEXT : Connection failed (RTE:[300015] SSL certificate validation failed: host name ‘<hostname>’ does not m\
C               atch name in certificate ‘<’)
B  ***LOG BV3=> severe db error -10709    ; work process is stopped [dbsh         1244]
B  ***LOG BY2=> sql error -10709 performing CON [dblink       550]
B  ***LOG BY0=> Connection failed (RTE:[300015] SSL certificate validation failed: host name ‘<hostname> does not match name in certificate ‘<’) [dblink       550]
M  ***LOG R19=> ThDbConnect, db_connect ( DB-Connect 000256) [thDatabase.c 75]
M  in_ThErrHandle: 1
M  *** ERROR => ThInit: db_connect (step TH_INIT, thRc ERROR-DB-CONNECT_ERROR, action STOP_WP, level 1) [thxxhead.c   2151]

        • Cause/Solution
          • Ensure that the CI is using the hostname that exists in the certificate to establish the connection
          • Force the connection to use the hostname specified in the cert by updating the dbs/hdb/connect_property in DEFAULT.PFL
            • Example: dbs/hdb/connect_property = ENCRYPT=TRUE,

The configuration is really simple once you figure it out, but I did run into various issues trying to get it to work. Feel free to ask questions in the comments and I’ll do my best to answer right away.
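As an added example (not code from the post or from SAP), the small helper below checks a DEFAULT.PFL dbs/hdb/connect_property value for ENCRYPT=TRUE and triages the RTE:[300010] and RTE:[300015] errors from the troubleshooting section out of a dev_w* trace. The trace excerpt and the SID ABC are constructed, and sslHostNameInCertificate is assumed to be the connect property that names the expected certificate host.

```python
import re

# Constructed dev_w0 excerpt (not from a real system); the message shapes
# follow the RTE:[300010] and RTE:[300015] errors discussed in the post.
SAMPLE_TRACE = """\
C  connect property [ENCRYPT = TRUE]
C  Try to connect via secure store (DEFAULT) on connection 0 ...
C SQLERRTEXT : Connection failed (RTE:[300010] Cannot create SSL context: ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist : "/usr/sap/ABC/DVEBMGS00/sec/sapcli.pse"
C SQLERRTEXT : Connection failed (RTE:[300015] SSL certificate validation failed: host name 'hana01' does not match name in certificate 'CN=hana01.example.com')
B  ***LOG BV3=> severe db error -10709    ; work process is stopped [dbsh         1244]
"""

# Short diagnosis per RTE code, taken from the troubleshooting section.
RTE_DIAGNOSIS = {
    "300010": "SSL context not created: check sapcrypto is loadable and the PSE exists and is readable by <sid>adm",
    "300015": "host name mismatch: connect with the certificate's host name or set sslHostNameInCertificate (assumed key)",
}

RTE_RE = re.compile(r"RTE:\[(\d{6})\]")
PSE_RE = re.compile(r'The PSE does not exist : ["“]([^"”]+)')
# Accepts straight or curly quotes; the closing quote after the host may be missing, as in the post.
HOST_RE = re.compile(r"host name ['‘\"]?(?P<used>[^'’\"\s]+)['’\"]? does not match name in certificate ['‘\"]?(?P<cert>[^'’\")]*)")


def parse_connect_property(value):
    """Split a dbs/hdb/connect_property value such as 'ENCRYPT=TRUE,key=val' into a dict (keys lower-cased)."""
    props = {}
    for part in value.split(","):
        key, _, val = part.strip().partition("=")
        if key:
            props[key.lower()] = val.strip()
    return props


def encryption_enabled(value):
    """True only if the profile value asks the HANA client for an encrypted connection."""
    return parse_connect_property(value).get("encrypt", "").upper() == "TRUE"


def triage_trace(text):
    """Return (rte_code, diagnosis, detail) for each SSL-related RTE error line in a dev_w* trace."""
    findings = []
    for line in text.splitlines():
        m = RTE_RE.search(line)
        if not m:
            continue
        code, detail = m.group(1), ""
        if (p := PSE_RE.search(line)):
            detail = f"missing PSE: {p.group(1)}"
        elif (h := HOST_RE.search(line)):
            detail = f"connected as '{h.group('used')}', certificate says '{h.group('cert')}'"
        findings.append((code, RTE_DIAGNOSIS.get(code, "unrecognised RTE error"), detail))
    return findings


if __name__ == "__main__":
    print("ENCRYPT set:", encryption_enabled("ENCRYPT=TRUE"))
    for finding in triage_trace(SAMPLE_TRACE):
        print(*finding, sep=" | ")
```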

  • Hi Jake,

    Did you see any error in trans.log?

    LOG BY2=>sql error 4321   performing CON?

    Thanks and regards,


  • Hi Jake,

    Thank you for taking the time to create such a helpful blog. This has really helped us during the setup of SSL between ABAP and HANA.


  • One question about the below error, with sslenforce=true in file global.ini of HDB:

    hdbsql -U DEFAULT

    4321: only secure connections are allowed SQLSTATE: HY000

    Any idea?

      • Great catch. There are some considerations when you set "sslenforce=true". I never got around to blogging about this, but I'd suggest you test your transports. The TP connection isn't encrypted by default and this may fail. Test and let me know what you find.


  • Hi Jake,

    Nice post.

    We are configuring SSL and realized SAP no longer provides the test cert now.

    Are you aware of any other alternative for this step?

    If a Certificate Authority (CA) is not available, SAP provides an option to create a test cert that is valid for 8 weeks:

    Thanks for sharing


  • Hi Jake,

    Thank you for the article, it helped me a lot.

    I have some questions regarding this topic.

    1. I got the error mentioned by you, but a bit different: B  ***LOG BY0=> Connection failed (RTE:[300015] SSL certificate validation failed: host name ‘IP does not match name in certificate ‘<’) [dblink       550]. Do you have any idea why I do not receive a hostname in the connection data, but instead we get an IP address?
    2. What happens when you connect more than one HANA DB to a system (e.g. Solution Manager)? Is there a syntax to use multiple entries for sslHostNameInCertificate?

    Thank you,

    Best regards,


  • Hello Jake,

    This is a wonderful blog. Thank you for making it simple.

    However, a couple of questions from my end.

    1> Can we use the same PSE created for HANA as an SAP ABAP PSE/SSL as well?

    I mean, instead of creating a new CSR from STRUSTSSO2, can we use the HANA PSE and import the same signed certificate for SAP as well? (In our case we use the same CN.)

    2> Contrary to point 1 above, generate/create an SSL cert using STRUSTSSO2, and use the SAP PSE (SAPSSLS.PSE) to overwrite the sapcli.pse and use it for HANA as well? Will this work?

    I would appreciate it if you could take the time to reply.

    Thank you.