SAP HANA Service Secure Client Connections with SAP CommonCryptoLib – by the SAP HANA Academy
The SAP HANA Service on the SAP Cloud Platform only accepts secure (encrypted) connections from client tools. To make this happen, you have two options:
- Use the default (built-in) TLS/SSL security provider of your platform
- Use the SAP CommonCrypto Library (SCL)
This blog is about the second option. For the default provider, see
For the tutorial video about the secure user store (hdbuserstore), see
Sample Code on GitHub
For the full code samples, see the repository on the SAP HANA Academy GitHub site
In the video tutorial, we show how to configure secure client connections with SAP CommonCryptoLib on macOS, Linux, and Microsoft Windows.
The following clients are used:
- hdbsql (SAP HANA interactive terminal)
- hdbuserstore (connect with key instead of password)
- JDBC (command line connection test)
- Eclipse (Java class connection test)
- Python (Jupyter Notebook connection test)
For those already familiar with the topic, here is a short(er) video with a focus on just the Microsoft Windows platform.
Cloud Foundry, Neo, and On-Premise
In the tutorial video, we use the SAP HANA Service from the Cloud Foundry environment. However, as this concerns client-side configuration, it works exactly the same in the Neo environment (SAP datacenter). For those interested in how to configure secure SAP HANA client connections for on-premise SAP HANA, just ignore the word “Service”. Again, on the client side it works the same.
The SAP CommonCrypto Library was created by SAP to guarantee a secure compute environment regardless of the underlying platform. The SAP HANA Service is configured to use the SAP CommonCrypto Library for all internal cryptography purposes. For on-premise server-side SAP HANA, OpenSSL has been deprecated.
SAP CommonCryptoLib Required for Client-side Encryption
The SAP CommonCryptoLib is required for SAP HANA Client Side Encryption.
For the blog about CSE, see
DigiCert Global Root CA
For the SAP HANA client to be able to verify the validity of the SAP HANA service certificate, the root certificate of the issuing certificate authority (CA) is required. For this, the DigiCert Global Root CA is used, which you can download from DigiCert.
For OpenSSL, you need to convert the CRT to PEM format. This is not required for adding the certificate to the SAP client PSE. See the video and the code examples.
SAP HANA CLIENT FOR HAAS
The SAP HANA client for HAAS includes the SAP CommonCryptoLib and can be downloaded from Software Downloads on the SAP ONE Support launchpad.
If you prefer DIY, you can also download the latest SAP HANA client and the latest SAP CommonCryptoLib and install them together in the same directory. This works as well.
SECUDIR and PSE
You need to create a PSE and add the CA root certificate with the sapgenpse utility. See the video and sample code for how this can be done.
To verify the contents of the PSE and list the public keys (pk), you can use the commands:
sapgenpse get_my_name -p sapcli.pse
sapgenpse maintain_pk -l -p sapcli.pse
Jupyter and Python
Once the PSE has been set up, it is easy to use the SAP CommonCryptoLib in ODBC, JDBC, Python, and any of the other supported SAP HANA clients.
Below is an example of connecting to the SAP HANA Service using Python in a Jupyter Notebook with sslCryptoProvider=commoncrypto. We also use an hdbuserstore key in this connection, so we do not have to provide hardcoded usernames and passwords.
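The connection described above, as an added sketch that is not the code from the video or the GitHub repository: it builds the hdbcli connection properties for CommonCryptoLib, stops early if SECUDIR or the PSE is missing, and rejects any option that would weaken the TLS settings. The key name HAASKEY is hypothetical, and pointing sslTrustStore at sapcli.pse inside SECUDIR is an assumption about the client layout.

```python
import os
from pathlib import Path


def commoncrypto_connect_args(user_key, secudir=None, pse_name="sapcli.pse", **extra):
    """Build hdbcli keyword arguments for a TLS connection through CommonCryptoLib.

    Fails closed: raises when SECUDIR or the PSE is missing, and refuses any
    extra option that would weaken the TLS settings.
    """
    secudir = secudir or os.environ.get("SECUDIR")
    if not secudir:
        raise RuntimeError("SECUDIR is not set, so CommonCryptoLib cannot find the PSE")
    pse = Path(secudir) / pse_name
    if not pse.is_file():
        raise FileNotFoundError(f"client PSE not found: {pse}")
    args = {
        "key": user_key,                  # hdbuserstore key: no credentials in the notebook
        "encrypt": True,                  # the service only accepts encrypted connections
        "sslValidateCertificate": True,   # verify the server chain against the CA root in the PSE
        "sslCryptoProvider": "commoncrypto",
        "sslTrustStore": str(pse),        # assumption: trust store is the PSE in SECUDIR
    }
    for name, value in extra.items():
        if name in args and value != args[name]:
            raise ValueError(f"refusing to override {name}={args[name]!r}")
        args[name] = value
    return args


def connect(user_key, **extra):
    from hdbcli import dbapi  # imported lazily so the checks above run without the driver
    return dbapi.connect(**commoncrypto_connect_args(user_key, **extra))


if __name__ == "__main__":
    conn = connect("HAASKEY")  # hypothetical key name
    cursor = conn.cursor()
    cursor.execute("SELECT CURRENT_USER FROM DUMMY")
    print(cursor.fetchone())
    conn.close()
```

In a notebook cell, call connect() with the key you stored with hdbuserstore; a FileNotFoundError here means the PSE was not created in the directory that SECUDIR points to.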
The tutorials have been posted to the following playlists:
For the full code samples, see
For the documentation, see
- Connecting to an SAP HANA Service Instance Directly from SAP HANA Clients – SAP HANA Client Interface Programming Reference for SAP HANA Service
- 2393013 – FAQ: SAP HANA Clients
- 2159014 – FAQ: SAP HANA Security
Thank you for watching