
SAP HANA Service Secure Client Connections with SAP CommonCryptoLib – by the SAP HANA Academy

Introduction

The SAP HANA Service on the SAP Cloud Platform only accepts secure (encrypted) connections from client tools. To make this happen, you have two options:

  1. Use the default (built-in) TLS/SSL security provider of your platform
  2. Use the SAP CommonCrypto Library (SCL)

This blog is about the second option. For the default provider, see

For the tutorial video about the secure user store (hdbuserstore), see

Sample Code on GitHub

For the full code samples, see the repository on the SAP HANA Academy GitHub site

Tutorial Videos

In the video tutorial, we show how to configure secure client connections with SAP CommonCryptoLib on macOS, Linux, and Microsoft Windows.

The following clients are used:

  • hdbsql (SAP HANA interactive terminal)
  • hdbuserstore (connect with key instead of password)
  • ODBC
  • JDBC (command line connection test)
  • Eclipse (Java class connection test)
  • Python (Jupyter Notebook connection test)

Hands-On Video

For those already familiar with the topic, here is a short(er) video with focus on just the Microsoft Windows platform.

Cloud Foundry, Neo, and On-Premise

In the tutorial video we are using the SAP HANA Service from the Cloud Foundry environment. However, as this concerns client-side configuration, it works exactly the same in the Neo environment (SAP datacenter). For those interested in how to configure secure SAP HANA client connections for on-premise SAP HANA, just ignore the “Service” word. Again, on the client-side it works the same.

The SAP CommonCrypto Library was created by SAP to guarantee a secure compute environment regardless of the underlying platform. The SAP HANA Service is configured to use the SAP CommonCrypto Library for all internal cryptography purposes. For on-premise server-side SAP HANA, OpenSSL has been deprecated.

SAP CommonCryptoLib Required for Client-side Encryption

The SAP CommonCryptoLib is required for SAP HANA Client Side Encryption.

For the blog about CSE, see

DigiCert Global Root CA

For the SAP HANA client to be able to verify the validity of the SAP HANA service certificate, a certificate root authority certificate is required. For this, the DigiCert Global Root CA is used, which you can download from DigiCert.

For OpenSSL, you need to convert the CRT to PEM format. This conversion is not required for adding the certificate to the SAP client PSE. See the video and the code examples.

SAP HANA CLIENT FOR HAAS

The SAP HANA client for HAAS includes the SAP CommonCryptoLib and can be downloaded from Software Downloads on the SAP ONE Support launchpad.

If you prefer DIY, you can also download the latest SAP HANA client and download the latest SAP CommonCryptoLib and install them together in the same directory. Works as well.

SECUDIR and PSE

You need to create a PSE and add the CA root certificate with the sapgenpse utility. See the video and sample code for how this can be done.

To verify the contents of the PSE and list the public keys (pk), you can use the following commands:

sapgenpse get_my_name -p sapcli.pse
sapgenpse maintain_pk -l -p sapcli.pse

Jupyter and Python

Once the PSE has been set up, it is easy to use the SAP CommonCryptoLib in ODBC, JDBC, Python, and any of the other supported SAP HANA clients.

The example below connects to the SAP HANA Service from Python in a Jupyter Notebook with sslCryptoProvider=commoncrypto. It also uses an hdbuserstore key in this connection, so we do not have to provide hardcoded usernames and passwords.
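A sketch of such a connection, added here as an example and not taken from the SAP HANA Academy samples: it checks that SECUDIR and the PSE exist before connecting, and always requests certificate validation. The key name HAASKEY is hypothetical, and every connection property name other than sslCryptoProvider is an assumption to verify against your SAP HANA client documentation.

```python
import os
from pathlib import Path


def commoncrypto_connect_args(userkey, pse_name="sapcli.pse", environ=None):
    """Return connect() keyword arguments for a validated TLS connection
    through SAP CommonCryptoLib, or raise if the client side is not ready."""
    env = os.environ if environ is None else environ

    # CommonCryptoLib looks for the PSE in the directory named by SECUDIR.
    secudir = env.get("SECUDIR")
    if not secudir:
        raise RuntimeError("SECUDIR is not set, so the PSE cannot be located")

    # The PSE must already contain the CA root certificate (see sapgenpse above).
    pse = Path(secudir) / pse_name
    if not pse.is_file():
        raise FileNotFoundError(f"PSE not found: {pse}")

    return {
        "key": userkey,                   # hdbuserstore key (assumed property name)
        "encrypt": True,                  # TLS is mandatory for the service
        "sslValidateCertificate": True,   # never connect without validation
        "sslCryptoProvider": "commoncrypto",
        "sslKeyStore": str(pse),          # assumed property names for the PSE
        "sslTrustStore": str(pse),
    }


def connect(userkey):
    """Open the connection; hdbcli is imported here so the pre-flight
    check above also works where the SAP HANA client is not installed."""
    from hdbcli import dbapi
    return dbapi.connect(**commoncrypto_connect_args(userkey))


if __name__ == "__main__":
    # HAASKEY is a hypothetical key created beforehand with hdbuserstore.
    conn = connect("HAASKEY")
    cursor = conn.cursor()
    cursor.execute("SELECT CURRENT_USER FROM DUMMY")
    print(cursor.fetchone())
    conn.close()
```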

YouTube Playlist(s)

The tutorials have been posted to the following playlists:

References

For the full code samples, see

For the documentation, see

Thank you for watching

The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.

Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.

For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.

For the full list of blogs, see Blog Posts – by the SAP HANA Academy.
