Technical Articles

Denys van Kempen

February 4, 2019 3 minute read

Secure User Store for the SAP HANA Service – by the SAP HANA Academy

LATEST UPDATE: September 1, 2020 =========================================

The SAP Cloud Platform, SAP HANA Service will be retired in 2021. For more information, see

Time to LEVEL UP with SAP HANA Cloud on SAP Cloud Platform!

For the latest information about SAP HANA database-as-a-service, visit our blog post series about SAP HANA Cloud:

Getting Started with SAP HANA Cloud (Free Trial)

Introduction

The Secure User Store for the SAP HANA client, a.k.a. hdbuserstore, can be used to safely store the connection string (server, port, username, password) as a key for secure client connections.

This SSFS (secure-store-in-the-file-system) for the SAP HANA client has been part of SAP HANA since the initial release. Using it to connect to the SAP HANA Service requires no changes in parameters or options.

For the blog about encrypting your SAP HANA client connections with the SAP CommonCryptoLib, see

SAP HANA Service Secure Client Connections with SAP CommonCryptoLib

Tutorial Video

In the video tutorial below, we show how you can create a user store key for macOS (Linux) and Windows, and use it with hdbsql, the SAP HANA interactive terminal, with ODBC/JDBC, in Java and in Python.

URL: https://www.youtube.com/watch?v=27rwhnOGk7A

Code Samples

Create a user store key

hdbuserstore -i Set HAASKEY 
  zeus.hana.prod.eu-central-1.whitney.dbaas.ondemand.com:54321 system

Viewing the key store on Linux and Windows. Note that the key is the same for on-premise SAP HANA and for the SAP HANA Service. Also note that the key is the same on Linux and Windows (or macOS). Only the path to the key and data file differs a bit.

Use the key with the interactive terminal. Works on any platform.

hdbsql -U HAASKEY \
  -e -sslprovider commoncrypto -ssltruststore $SECUDIR/sapcli.pse \
  "SELECT VERSION FROM M_DATABASE"

ODBC configuration file on Windows:

Registry entry for the User DSN:

Equivalent on Linux (and macOS):

Code sample for Python:

conn = dbapi.connect(
    key='HAASKEY', 
    encrypt='true', 
    sslCryptoProvider='commoncrypto', 
    sslTrustStore='$SECUDIR/sapcli.pse'
)

Used in Jupyter notebook:

Code sample for Java

YouTube Playlist(s)

The tutorials has been posted to the following playlists:

References

For the documentation, see

Secure User Store (hdbuserstore) – SAP HANA Security Guide for SAP HANA Service
hdbuserstore Commands – SAP HANA Security Guide for SAP HANA Service
Use the User Store (hdbuserstore) – SAP HANA Client Interface Programming Reference for SAP HANA Service
2159014 – FAQ: SAP HANA Security
2393013 – FAQ: SAP HANA Clients

Thank you for watching

The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.

Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.