Secure Client Connections for the SAP HANA Service – by the SAP HANA Academy
LATEST UPDATE: September 1, 2020
The SAP Cloud Platform, SAP HANA Service will be retired in 2021. For more information, see
For the latest information about SAP HANA database-as-a-service, visit our blog post series about SAP HANA Cloud:
Introduction
The SAP HANA Service on the SAP Cloud Platform only accepts secure (encrypted) connections from client tools. To make this happen, you have two options:
- Use the default (built-in) TLS/SSL security provider of your platform
- Use the SAP CommonCrypto Library (SCL)
This blog is about the first option. It is the easiest to use and requires almost no configuration on the Microsoft Windows or Java platforms and minimal setup on macOS and Linux.
For the blog about the CommonCryptoLib, see
Cloud Foundry, Neo, and On-Premise
In the tutorial video we are using the SAP HANA Service from the Cloud Foundry environment. However, as this concerns client-side configuration, it works exactly the same in the Neo environment (SAP datacenter).
For those interested in how to configure secure SAP HANA client connections for on-premise SAP HANA, just ignore the “Service” word. Again, on the client-side it works the same.
For more information about client connections to the SAP HANA Service, see
- Getting started with the SAP HANA service by Philip Mugglestone
- Connecting to an SAP HANA Service database by Tom Slee
- LT122 – Connect to SAP Cloud Platform, SAP HANA Service Using SQL from Anywhere, 2018 Las Vegas by Jeff Wootton
Restrictions
The built-in security providers do have some restrictions. For example, they cannot be used for SAP HANA Client-Side Encryption (CSE), which requires SCL.
The SAP CommonCrypto Library was created by SAP to guarantee a secure compute environment regardless of the underlying platform. For on-premise SAP HANA, OpenSSL has been deprecated.
For the blog about CSE, see
Code Sample
For the full code samples, see the repository on the SAP HANA Academy GitHub site
Tutorial Video
In the video tutorial below, we show how to configure secure client connections on Microsoft Windows, macOS and SUSE Linux for ODBC and JDBC, for the SAP HANA interactive terminal hdbsql, for Java in Eclipse, and for Python in a Jupyter Notebook.
Hands-On Video
For those already familiar with the topic, here is a short(er) video with focus on just the Microsoft Windows platform.
Working with Built-In TLS/SSL Providers
When you are running Microsoft Windows or connecting to HaaS from a Java VM, the default provider is called automatically when you set encrypt=true (either as a parameter or in a GUI). The built-in providers include a certificate authority (CA) root certificate.
When you are using the open source OpenSSL encryption provider on macOS or Linux, you need to select this provider explicitly, and you need to point to the CA root certificate that OpenSSL uses to validate the certificate received from the SAP HANA Service.
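The platform difference described above, as an added Python example that is not taken from the SAP HANA Academy repository. It builds the TLS properties per platform and audits a connection string for weak settings. The property names `sslCryptoProvider`, `sslTrustStore` and `sslValidateCertificate` are SAP HANA client connection properties not named on this page; the helper names, host, user and paths are hypothetical.

```python
# Added example, not taken from the SAP HANA Academy repository.
import sys

def tls_properties(platform=sys.platform, ca_file=None):
    """Properties for an encrypted, certificate-validated client connection."""
    props = {"encrypt": "true", "sslValidateCertificate": "true"}
    if platform.startswith(("linux", "darwin")):
        # macOS/Linux: name the OpenSSL provider and the CA root certificate.
        if not ca_file:
            raise ValueError("OpenSSL needs the path to a CA root certificate (PEM)")
        props.update(sslCryptoProvider="openssl", sslTrustStore=ca_file)
    return props  # other platforms (e.g. win32): built-in provider, nothing more to set

def parse(conn_str):
    """Split an ODBC-style 'key=value;key=value' string into a dict."""
    pairs = (item.split("=", 1) for item in conn_str.split(";") if "=" in item)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(conn_str):
    """Return findings for the TLS-related properties of a connection string."""
    p = parse(conn_str)
    findings = []
    if p.get("encrypt", "").lower() != "true":
        findings.append("encrypt is not true")
    if p.get("sslvalidatecertificate", "").lower() == "false":
        findings.append("sslValidateCertificate=false disables the server certificate check")
    if p.get("sslcryptoprovider", "").lower() == "openssl" and not p.get("ssltruststore"):
        findings.append("openssl provider without sslTrustStore (CA root certificate)")
    return findings

# Constructed sample strings; host, user and paths are placeholders.
WEAK = ("serverNode=db.example.invalid:443;uid=DEMO;"
        "sslCryptoProvider=openssl;sslValidateCertificate=false")
GOOD = ("serverNode=db.example.invalid:443;uid=DEMO;encrypt=true;"
        "sslValidateCertificate=true;sslCryptoProvider=openssl;"
        "sslTrustStore=/path/to/ca-root.pem")

if __name__ == "__main__":
    for name, s in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, audit(s) or "ok")
    # With the SAP Python driver installed (assumption: hdbcli), the same
    # properties are passed as keyword arguments:
    #   dbapi.connect(address=..., port=..., user=..., password=...,
    #                 **tls_properties(ca_file="/path/to/ca-root.pem"))
```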
Connecting to the SAP HANA Service using JDBC in Eclipse
Connecting to the SAP HANA Service using Python in a Jupyter Notebook
Connecting to the SAP HANA Service using ODBC on macOS
YouTube Playlist(s)
The tutorials have been posted to the following playlists:
References
For the full code samples, see
For the documentation, see
- Connecting to an SAP HANA Service Instance Directly from SAP HANA Clients – SAP HANA Client Interface Programming Reference for SAP HANA Service
- 2393013 – FAQ: SAP HANA Clients
- 2159014 – FAQ: SAP HANA Security
Thank you for watching
The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.
Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.
For the full list of blogs, see Blog Posts – by the SAP HANA Academy.
Hi Denys,
Thank you for the interesting article. I have one comment though: I'm using HANA service on NEO, and I think that direct connection is not possible for this version. I couldn't find any word in the documentation about it. There is not even a HANA Service Dashboard available.
It seems that the only option to connect to HANA Service on NEO is through a tunnel or via Cloud Connector.
Best regards
Maciej
Hi Maciej,
If not mistaken, new feature development stopped for the VM-based SAP HANA Service when the decision was made to invest into a more cloud-native, container-based, architecture back in 2019, with SAP HANA Cloud. What's in the box for both services is quite different and this impacts what's supported for the service. Best to contact SAP Support for information about the best approach for your scenario,