Skip to Content
Product Information

How to Configure TLS/SSL in SAP HANA 2.0?

Communication encryption is a key feature to secure data in transit. Usage of encrypted communication channels can prevent attackers to intercept traffic on network level. SAP HANA supports encrypted communication for all client-server (external) communication and HANA internal communication.

SAP HANA recommends using encrypted communication channels where possible.

The aim of this document is to describe one way of configuring secure communication (TLS/SSL) in typical installation scenarios. The initial scenario described is an SAP HANA system installed on a single host with incoming connections from SQLDBC and HTTP clients for database and administrative access. TLS/SSL configuration is explained for following incoming connections to HANA:

  • Database clients via the SQL interface (port 3xx13/3xx15), e.g. SAP HANA studio, SAP HANA cockpit
  • SAP HANA cockpit/studio via SAP start service (sapstartsrv) (port 5xx13/5xx14)
  • SAP HANA database lifecycle manager via SAP Host Agent (port 1128/1129)
  • Web applications via XS advanced application server (ports used depend on XSA routing mode)
  • XS advanced server via the SQL interface (port 3xx13/3xx15)
  • Web applications via the XS classic server (port 43xx)

Detailed instructions can be found in the document “How to Configure TLS/SSL in SAP HANA 2.0

You must be Logged on to comment or reply to a post.
  • Nice document, thank you! It seems to cover everything I looked for.

    I assume I can skip a few steps if I already got a ready-signed certificate from my company’s CA. To install it into an ABAP host, I use on OS level

    sapgenpse import_p12 -p SAPSSLS_${sid}_$(date +%Y%m%d).pse -x "" -r cert_chain.txt -z $P12PASSWORD cert_and_privatekey.p12

    So I get a PSE without password (-x “”) complete with the certificates from Root CA down to Server CA, ready to import into the system. I guess that this may work like Configuration I in Scenario 1. Am I right here?

    As in II V, I already have the data in two separate files, so I don’t need to extract it from the PSE, right?

    By the way, Scenario 1 is the only one I see, are there others? Not that I need them, I think all I need has been covered here 🙂

    Regards, Werner