Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP HANA Service Secure Client Connections with SAP CommonCryptoLib – by the SAP HANA Academy

dvankempen
Product and Topic Expert
Product and Topic Expert
‎01-24-2019 3:38 PM








LATEST UPDATE: September 1, 2020 =========================================

The SAP Cloud Platform, SAP HANA Service will be retired in 2021. For more information, see

For the latest information about SAP HANA database-as-a-service, visit our blog post series about SAP HANA Cloud:

Introduction


The SAP HANA Service on the SAP Cloud Platform only accepts secure (encrypted) connections from client tools. To make this happen, you have two options:

  1. Use the default (built-in) TLS/SSL security provider of your platform

  2. Use the SAP CommonCrypto Library (SCL)


This blog is about the second option. For the default provider, see

For the tutorial video about the secure user store (hdbuserstore), see

Sample Code on GitHub


For the full code samples, see the repository on the SAP HANA Academy GitHub site


Tutorial Videos


In the video tutorial, we show how to configure secure client connections with SAP CommonCryptoLib on macOS, Linux, and Microsoft Windows.

The following clients are used:

  • hdbsql (SAP HANA interactive terminal)

  • hdbuserstore (connect with key instead of password)

  • ODBC

  • JDBC (command line connection test)

  • Eclipse (Java class connection test)

  • Python (Jupyter Notebook connection test)




 

Hands-On Video


For those already familiar with the topic, here is a short(er) video with focus on just the Microsoft Windows platform.



Cloud Foundry, Neo, and On-Premise


In the tutorial video we are using the SAP HANA Service from the Cloud Foundry environment. However, as this concerns client-side configuration, it works exactly the same in the Neo environment (SAP datacenter). For those interested in how to configure secure SAP HANA client connections for on-premise SAP HANA, just ignore the "Service" word. Again, on the client-side it works the same.

The SAP CommonCrypto Library was created by SAP to guarantee a secure compute environment regardless of the underlying platform. The SAP HANA Service is configured for using the SAP CommonCrypto Library for all internal cryptography purposes. For on-premise server-side SAP HANA, openSSL has been deprecated.


SAP CommonCryptoLib Required for Client-side Encryption


The SAP CommonCryptoLib is required for SAP HANA Client Side Encryption.

For the blog about CSE, see

DigiCert Global Root CA


For the SAP HANA client to be able to verify the validity of the SAP HANA service certificate, a certificate root authority certificate is required. For this, the DigiCert Global Root CA is used, which you can download from DigiCert.

For openSSL, you need to convert the CRT in PEM format. This is not required for adding the certificate to the SAP client PSE. See the video and the code examples.

SAP HANA CLIENT FOR HAAS


The SAP HANA client for HAAS includes the SAP CommonCryptoLib and can be downloaded from Software Downloads on the SAP ONE Support launchpad.

If you prefer DIY, you can also download the latest SAP HANA client and download the latest SAP CommonCryptoLib and install them together in the same directory. Works as well.


SECUDIR and PSE


You need to create a PSE and add the CA root certificate with the sapgenpse utility. See the video and sample code for how this can be done.

To verify the contents of the PSE and list the public keys (pk), user can use the commands:
sapgenpse get_my_name -p sapcli.pse

sapgenpse maintain_pk -l -p sapcli.pse

Jupyter and Python


Once the PSE has been set up, it is easy to use the SAP CommonCryptoLib in ODBC, JDBC, Python, and any of the other support SAP HANA clients.

Below, an example for connecting to the SAP HANA Service using Python in a Jupyter Notebook using sslCryptoProvider=commoncrypto. We also use a hdbuserstore key in this connection, so we do not have to provide hardcoded usernames and passwords.



 

YouTube Playlist(s)


The tutorials has been posted to the following playlists:


References


For the full code samples, see

For the documentation, see

Thank you for watching


The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.

Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.

For the full library, see SAP HANA Academy Library - by the SAP HANA Academy.

For the full list of blogs, see Blog Posts - by the SAP HANA Academy.
Labels in this area
Popular Blog Posts