Ling Zhu

Setup SAML SSO from BI to HANA using CommonCryptoLib or SapCryptoLib

Overview

This blog describes how to use the SAP Cryptographic Library to enable SAML SSO from SAP BI4 to the SAP HANA database. If you want to use OpenSSL instead, please check the other SCN blog for details.

Turn on SSL using SAP Crypto Library

1. Install the SAP Crypto Library

The SAP Crypto Library can be downloaded from the Service Marketplace. Browse to http://service.sap.com/swdc, then expand Support Packages and Patches > Browse our Download Catalog > SAP Cryptographic Software > SAPCRYPTOLIB > SAPCRYPTOLIB 5.5.5 > Linux on x86_64 64bit.

Use SAPCAR to extract sapgenpse and libsapcrypto.so to /usr/sap/<SID>/SYS/global/security/lib/

Add the directory containing the SAP Crypto libraries to your library path:

  export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/sap/<SID>/SYS/global/security/lib

The new CommonCryptoLib (SAPCRYPTOLIB) version 8.4.30 (or higher) is fully compatible with previous versions of SAPCRYPTOLIB, but adds features of the SAP Single Sign-On 2.0 Secure Login Library. It can be downloaded from this location:

expand Support Packages and Patches > Browse our Download Catalog > Additional Components > SAPCRYPTOLIB > COMMONCRYPTOLIB 8

Please refer to the following SAP note for details about using CommonCryptoLib:

2084313 – Install and Verify CommonCrypto to SAP HANA

CommonCryptoLib is supported by HANA since revision 74. Starting with HANA SPS9, CommonCryptoLib is delivered with HANA, and the sapsrv.pse file is also generated automatically by default.

2. Create the SSL key pair and certificate request files

  • Copy sapgenpse and libsapcrypto.so to the $SECUDIR directory, then run sapgenpse to generate the sapsrv.pse file and the SAPSSL.req certificate request:

  ./sapgenpse gen_pse -p sapsrv.pse -r SAPSSL.req "CN=<FQDN of the host>"

  • Send the certificate request to a Certificate Authority to be signed. Browse to http://service.sap.com/trust, expand SAP Trust Center Services in Detail, click SSL Test Server Certificates, and then click the "Test it Now!" button. Paste the content of the SAPSSL.req file into the text box and click Continue.
    SAP returns the signed certificate as text; copy this text and paste it into a file on the HANA server:
    /usr/sap/<sid>/HDB<instance_nr>/<hostname>/sec/SAPSSL.cer
  • Download the SAP SSL Test Server CA certificate from the http://service.sap.com/trust site.

  • Import the signed certificate using sapgenpse (SAPServerCA.der is the downloaded CA certificate):
    ./sapgenpse import_own_cert -c SAPSSL.cer -p sapsrv.pse -r SAPServerCA.der

3. Check the HANA settings

global.ini -> [Communication] -> sslcryptoprovider = sapcrypto (change it to commoncrypto if you use CommonCryptoLib)

4. Restart HANA and test whether SSL works from HANA Studio

Click the "Connect using SSL" option in the properties of the connection. Once done, a lock icon will appear on the connection in HANA Studio.

Create the certificate file for the BO instance

  1. Create the HANA Authentication connection
    Log on to the BO CMC, go to Application > HANA Authentication, and click New. After providing the HANA hostname and port and the IdP name, click the Generate button, then click OK; an entry for HANA authentication is added.
  2. Copy the content of the generated certificate and paste it into a file on your HANA server:

    /usr/sap/<sid>/HDB<instance_nr>/<hostname>/sec/sapid.cer

  3. Add the certificate to the PSE file:

./sapgenpse maintain_pk -p sapsrv.pse -a sapid.cer

4. You may need to restart HANA for the new PSE file to take effect.
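Both certificate files in this procedure (SAPSSL.cer in the SSL section and sapid.cer here) are pasted from a browser into a file, and sapgenpse gives little feedback when the paste is incomplete or carries HTML. The following Python script is an added example, not code from the blog or from SAP: it validates only the PEM/DER shape of such a file before you run import_own_cert or maintain_pk, and assumes nothing about sapgenpse itself. The sample inputs at the bottom are constructed, not real certificates.

```python
# Added example (not part of the original blog): sanity-check a certificate
# file that was pasted from a browser into SAPSSL.cer or sapid.cer before
# handing it to sapgenpse (import_own_cert / maintain_pk). It catches the
# usual copy-paste defects: missing BEGIN/END markers, HTML or smart quotes in
# the body, a truncated base64 block, or several certificates in one file.
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def extract_pem_bodies(text):
    """Return the base64 bodies of all complete CERTIFICATE blocks in text."""
    return PEM_BLOCK.findall(text)


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset after it) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                     # short form: one byte
        return first, pos + 1
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_looks_like_certificate(der):
    """Minimal structural check: an X.509 certificate is an outer SEQUENCE
    (tag 0x30) spanning the whole buffer whose first element is itself a
    SEQUENCE (the TBSCertificate). Truncated pastes fail the length check."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    parsed = der_length(der, 1)
    if parsed is None:
        return False
    length, content_start = parsed
    if length < 1 or content_start + length != len(der):
        return False
    return der[content_start] == 0x30


def check_cert_file_text(text):
    """Validate pasted certificate text. Returns (ok, message)."""
    bodies = extract_pem_bodies(text)
    if not bodies:
        return False, "no complete BEGIN/END CERTIFICATE block (copy the whole block)"
    if len(bodies) > 1:
        return False, "file holds %d certificates, expected exactly one" % len(bodies)
    body = re.sub(r"\s+", "", bodies[0])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False, "body has non-base64 characters (HTML or smart quotes pasted?)"
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return False, "base64 decoding failed: %s" % exc
    if not der_looks_like_certificate(der):
        return False, "decoded bytes are not a complete DER certificate (truncated paste?)"
    return True, "single PEM certificate, %d DER bytes" % len(der)


# Constructed sample inputs: the base64 body is a hand-built DER SEQUENCE
# containing a SEQUENCE, i.e. the outer shape of a certificate, not a real
# CA-signed certificate.
SAMPLE_GOOD = "-----BEGIN CERTIFICATE-----\nMAQwAgUA\n-----END CERTIFICATE-----\n"
SAMPLE_TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAQwAgU\n-----END CERTIFICATE-----\n"
SAMPLE_NO_END = "-----BEGIN CERTIFICATE-----\nMAQwAgUA\n"
SAMPLE_HTML = "-----BEGIN CERTIFICATE-----\n<br>MAQwAgUA\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py /usr/sap/<sid>/HDB<nr>/<host>/sec/sapid.cer
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GOOD
    ok, msg = check_cert_file_text(text)
    print(("OK: " if ok else "PROBLEM: ") + msg)
    sys.exit(0 if ok else 1)
```

The script deliberately does not verify the signature or the CA chain; that remains the job of sapgenpse and the PSE. It only answers the question a practitioner asks first when import_own_cert or maintain_pk rejects the file: did the whole certificate block arrive in the file as plain base64?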

SAML configuration in HANA

  1. Create the SAML provider in HANA

You can import the SAML identity provider from the certificate file (sapid.cer) created in the last step under Security > Open Security Console > SAML Identity Providers. Make sure you have chosen the SAP Cryptographic Library.

2. Create a HANA user TESTUSER with SAML authentication.

Check the SAML option, click the Configure link, then add the identity provider created in the last step, 'HANA_BI_PROVIDER', for the external user 'Administrator'.

Test SAML authentication

Go to BO CMC > Application > HANA Authentication, edit the entry created in the previous step, and click the "Test Connection" button.

Troubleshooting

If the connection test is not successful, change the trace level of the following components to DEBUG:

indexserver.ini – authentication, xssamlproviderconfig

The index server trace will provide more information on why the authentication failed.

You may find more information about tracing in this SAP note:

2083682 – How to Enhance Tracing for SAP HANA SSO Login Issues

Reference

How to Configure SSL for SAP HANA XSEngine using SAPCrypto

Configuring SAML with SAP HANA and SAP BusinessObjects 4.1 – Part 1

Use SAML to Enable SSO for your SAP HANA XS App

9 Comments

      Rahul Chandra Kini

      HI Ling,

      Thanks for this useful post.

      1. Will the above steps remain the same for new CommonCryptoLib as well?

      2. Are there separate commands for generating the trust store and key store?

      3. And does the indexserver.ini file have to be updated with this information for key store and trust store or any other global.ini file?

      Thanks,

      Rahul

      Ling Zhu (Blog Post Author)

      Hi Rahul,

      Sorry for getting back to you late.

      Not much difference when using CommonCryptoLib. You can follow the same steps. HANA uses the PSE file to authenticate the request from the BI server; there is no need to configure a trust store and key store.

      Martin Kittel

      Hi,

      One important difference to sapcrypto is of course that with CommonCryptoLib you have to set the parameter sslCryptoProvider to 'commoncrypto' (see Server-Side SSL Configuration Properties for External Communication - SAP HANA Security Guide - SAP Library).

      Best wishes,

      Martin.

      Ling Zhu (Blog Post Author)

      Hi Martin,

      Thank you for pointing this out. I will add this information in the blog. Thanks!

      Juan Carlos Lazaro

      Hi Ling,

      SSL Test Server Certificates is not working anymore.

      What is the new way to get the signed certificate?

      Thank you

      Mel Waldner

      Hi Ling,

      Can you confirm what is the minimum HANA version that is required for this process?

      This document indicates SPS010, https://wiki.scn.sap.com/wiki/display/SAPHANA/SAML+SSO+for+BI+Platform+to+HANA.

      What is not clear is that your document was written Oct 2014 and according to the PAM SPS010 was not released until July 2015, which would indicate that the process you have documented would work with a HANA version prior to SPS010, is this correct?

      We are currently on HANA 1.00.097 and before we invest time in this configuration we would like to know if it is possible with our current HANA version.

      Thanks!

      Mel

       

      Shiva Krishna Jupalli

      Hi Experts,

      Currently the link http://service.sap.com/trust has been migrated.
      For any internal SAP system, how can I order an SSL test certificate?

      Even for an internal SAP system we also need to pay for a license in order to get a test SSL certificate.

      Thanks & Regards,
      Shiva

      Arijit Kumar

      Does the SAP Crypto library need to be installed on BI servers in a cluster?

      Axel Utz

      Dear all,

      find the latest How To Set up SSO using SAML between SAP HANA DB and SAP BI / SAP Analysis for Office attached to the below KBA.

      Use of in-database certificate store (recommended)

      2593701 - HOW-TO In-Memory Trust Store and HANA DB SSO SAML and BI Platform 4.2 / Analysis for Office 4.2

      Beginning with HANA 1 SPS12 it is possible to use a certificate store within the HANA DB, instead of the file-based one.

      The advantage of the in-database certificate store is that
      – a change in a certificate takes effect immediately without restarting the DB
      – the certificates will be part of the backup
      – the certificates will be available on a system replication secondary DB without copying the files

      SAP HANA Security Guide for SAP HANA Platform > Certificate Management in SAP HANA

      SAP Note 2175664 – Migration of file system based X.509 certificate stores to in-database certificate stores

      Use of file-based certificate store (outdated)

      We recommend using the above-described in-database certificate store, since the file-based one will no longer be evaluated when you use the in-database one. That will be the case as soon as you activate SAML SSO to HANA Cockpit 2.

      For details refer to SAP Note 2656666 – Migrate PSE to in-database store before enabling SSO

      2284620 – HOW-TO HANA DB SSO SAML and BI Platform 4.2 SP4 and higher / AO 2.2

      Best regards

      Axel Utz