Hi everyone,


My name is Jennifer Gray and I’m a Product Support Engineer. I work in SAP’s Vancouver office and I support the growing database technology known as HANA.


The goal of this blog is to provide an overview of various SSL configurations in HANA. There are already a number of guides that detail how to configure SSL on HANA; I hope these posts will help you understand why each step is necessary. This is a series I will be adding to in the future; I’m currently planning on covering single and multi-node HANA systems with and without certificate authorities, and internal communication in multi-node systems.



As these posts focus on SSL in HANA, I won’t give an in-depth explanation of the mechanics behind SSL. If you are new to SSL, the following resource helped me greatly when I started learning it:



SSL protocols provide methods for establishing encrypted connections and verifying the identity of an entity (client, server, etc.). Verifying the identity of a communication partner, however, isn’t mandatory: many clients will still establish an encrypted connection with a server whose certificate they cannot verify. For the following posts I will assume that our clients will reject untrusted servers.


Configuring clients to reject untrusted connections depends on the client itself. For HANA Studio, this option is found in Systems view -> right click the system connection <SID> (<DBUSER>) -> Properties -> Database User Logon -> Additional Properties tab -> Validate the SSL certificate checkbox.


Additionally, in the following examples I’ll assume that clients already trust certificates signed by common CAs such as Verisign and DigiCert (i.e. the client’s trust store already contains those CAs’ root certificates).


Should you encounter a term you’re not familiar with, please refer to the glossary at the bottom of this page.



  • Certificate Authority (CA): An entity, such as DigiCert, that verifies the identity of another entity, such as Facebook.
  • Public key: The key used to encrypt messages and verify signatures in asymmetric cryptography.
  • Public key certificate: A digital certificate that contains a public key and identifies its owner; this is distributed publicly.
  • Private key: The key used to decrypt messages and create signatures in asymmetric cryptography; this is kept private.
  • Root certificate: A public key certificate that identifies the root CA. Root certificates from common CAs are generally distributed with clients (e.g. web browsers).
  • Certificate Signing Request (CSR): Contains the information required to generate a signed certificate.
  • Common Name (CN): Contained in public key certificates and identifies the host the certificate belongs to. The CN of a certificate must match the FQDN the client is connecting to.
  • Fully Qualified Domain Name (FQDN): A name that uniquely identifies a host on the internet.
  • Key store: A file that contains the information necessary for an entity to authenticate itself to others. Contains the server’s private key, signed server certificate, and intermediate certificates if necessary.
  • Trust store: A file that contains the information of trusted entities. Generally contains root certificates of CAs.

      Guillaume Bruyneel

      Hello Daniel,

      I am currently searching for information on how to enable SSL with HANA SPS09 in Multitenant.

      Your blog is very interesting, so I would like to get in contact with you, if you like.

      Best regards

      Guillaume Bruyneel

      Jennifer Gray
      Blog Post Author

      Hi Guillaume,

      Configuring SSL for a multitenant database is the same process as for a single-container database; place the necessary crypto binary in LIB_SECURITY_DIR and create the necessary key and trust stores in ~/.ssl .

      If you'd like different settings for different tenants you can specify this with the various settings in global.ini -> [communication]. This includes System level, (Tenant) Database level, and host-level configuration.

      Hope this helps,

      Daniel Gray

      Former Member

      Hi Daniel,

      I have already asked the first question elsewhere on SCN, but got no response so far:

      1. If I'm NOT working on an SAP internal system, where can I get the SAPNetCA_G2.cer file?
      2. Is it possible that I don't need that file after all for SSL to work?

      thank you,


      Jennifer Gray
      Blog Post Author

      Hi Gregory,


      Marcin Kowalczyk is using SAP as a Certificate Authority (CA). After obtaining his signed certificate he obtains the root certificate (SAPNetCA_G2.cer) which is required to later import the signed certificate into his key store(s) (SAPSSLS.pse & sapsrv.pse).

      That said, since you don't wish to use SAP as a CA you will have to have your server's cert request...

      A) signed by a well-known CA. You will have to obtain the root certificate and any intermediate certificates in order to add your signed server certificate to the key store with sapgenpse


      B) signed by your own root certificate and imported into the server's key store using sapgenpse. Then you will need to distribute that root certificate to clients' trust stores in order for connections to be trusted.


      At the very least you will need a signed certificate of some kind to establish an encrypted connection (whether it's self-signed, signed by a CA, etc. doesn't matter). If you choose not to have your server cert signed by a CA, you will have to distribute the certificate of whatever key did sign your server cert, or be vulnerable to man-in-the-middle attacks.

      Best regards,


      Martino Rivaplata

      Hello Daniel

      I have generated these two files in my Hana Server

      • Key: Server_Key.key
      • CSR: Server_Req.csr

      The CSR needs to be sent to the CA, which in turn will give me a signed certificate (Server_Cert.pem) and their Root CA Certificate (CA_Cert.pem). But I am stuck here I do not know how to generate these two files.

      From the Linux terminal I issued these commands:

      hdbadm@hdb11:/usr/sap/HDB/HDB00>openssl x509 -inform der -in CA_Cert.cer -out CA_Cert.pem

      Error opening Certificate CA_Cert.cer
      139661050246800:error:02001002:system library:fopen:No such file or directory:bss_file.
      139661050246800:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:409:unable to load certificate

      I cannot generate Server_Cert.pem or CA_Cert.pem

      Please can You share any ideas as to how to generate these two files...


      Thank You Very Much!!

      Jennifer Gray
      Blog Post Author

      Hi Martino,

      Are you looking to use a third party CA (DigiCert, Verisign, etc) to sign your csr?

      If you are, then when your server csr is signed and the Server_Cert.pem/cer file is returned to you, the CA should also provide links to where you can find the necessary intermediate & root certificates (e.g. CA_cert.pem/cer).

      If you're not, you will need to create your own CA. This consists of generating a private key and a root certificate (CA_cert.pem/cer) which is self-signed with said private key. You then need to sign your server's csr with the private key of your new CA's root certificate using an "openssl ca" command to obtain the server certificate (Server_Cert.pem/cer). Here is an informative blog on how to create & manage your own CA; there are a few more steps than absolutely necessary, as the author also creates an intermediate certificate.


      Once you have the CA's certificate(s) and your signed server certificate (Server_Cert.pem/cer), you can use "openssl x509" commands with -inform and -outform arguments to convert between the different formats, PEM, DER, NET, and into a format the server can use. Here is an article which contains the more common format conversion commands.


      Kind regards,
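The procedure from the reply above (create your own CA, sign the server CSR with it, convert between PEM and DER) carried through end to end, as an added example that is not part of the blog or its comments. The host name hdb11.example.test, the scratch directory and the file names are assumptions; the last step performs the two checks the glossary says a strict client needs: a chain to a root in the trust store and a CN that matches the FQDN being connected to.

```shell
#!/bin/sh
# Added example, not code from the blog or its comments: a throw-away private
# CA, a server CSR signed by it, the PEM<->DER conversion from the reply, and
# the check a strict client performs. Host name, directory and file names are
# constructed for this demo; nothing here touches ~/.ssl or a real HANA system.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory
HOST="hdb11.example.test"      # constructed FQDN; the server CN must equal it

# 1. Private CA: a key and a self-signed root certificate (CA_Cert.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/CA_Key.key" -out "$WORK/CA_Cert.pem" >/dev/null 2>&1
}

# 2. Server key and CSR (Server_Key.key, Server_Req.csr) with CN = the FQDN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/Server_Key.key" -out "$WORK/Server_Req.csr" >/dev/null 2>&1
}

# 3. Sign the CSR with the CA key -> Server_Cert.pem. "openssl x509 -req" needs
#    no CA config directory, unlike the "openssl ca" command the reply mentions.
sign_csr() {
  openssl x509 -req -days 365 -sha256 -in "$WORK/Server_Req.csr" \
    -CA "$WORK/CA_Cert.pem" -CAkey "$WORK/CA_Key.key" -CAcreateserial \
    -out "$WORK/Server_Cert.pem" >/dev/null 2>&1
}

# 4. PEM -> DER (.cer) and back, i.e. the conversion Martino's command attempts;
#    the round trip must reproduce the original certificate exactly.
convert_formats() {
  openssl x509 -inform pem -in "$WORK/CA_Cert.pem" -outform der -out "$WORK/CA_Cert.cer"
  openssl x509 -inform der -in "$WORK/CA_Cert.cer" -outform pem -out "$WORK/CA_Cert2.pem"
  [ "$(cat "$WORK/CA_Cert.pem")" = "$(cat "$WORK/CA_Cert2.pem")" ]
}

# 5. What a client that validates certificates checks: the server certificate
#    chains to a root in the trust store AND its CN matches the FQDN in use.
verify_server_cert() {
  openssl verify -CAfile "$WORK/CA_Cert.pem" "$WORK/Server_Cert.pem" >/dev/null 2>&1 &&
    openssl x509 -noout -subject -in "$WORK/Server_Cert.pem" | grep -q "CN *= *$HOST"
}

make_ca && make_csr && sign_csr && convert_formats && verify_server_cert
```

Martino's "No such file or directory" error comes from step 4 being run before any CA_Cert.cer exists; the CA (third-party or your own) has to produce that file first.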