Secure connection from DBeaver to SAP HANA Cloud
In my previous post Secure connection from HDBSQL to SAP HANA Cloud I worked with HDBSQL. Now let’s move to DBeaver CE — a free database manager that I have used in some previous posts already. Today it got the latest update 7.0.3, which I already installed on my machines.
SAP HANA Cloud…
… is the new cloud-native SAP HANA product, used in my previous post or in the recent live coding episode by Thomas Jung.
Two quick notes before we start:
- As of today, it is available only as a paid service in SAP Cloud Platform, but (usual disclaimer about forward-looking statement applies) the trial version should be available later this year.
- As a reminder, the IP address of the machine from which a DB client tries to connect to an SAP HANA Cloud instance should be whitelisted by your administrator.
Luckily, in my case, I am one of the admins of this SAP HANA Cloud instance. So, it is accessible from my IP addresses.
I need to grab the endpoint of my instance, which is: 2246ed61-81df-48e8-9711-323311f7613f.hana.prod-eu20.hanacloud.ondemand.com:443.
Back to DBeaver…
…where you can notice two great things:
- SAP HANA is already included in the list of available drivers and
- HANA JDBC driver ngdbc is downloaded automatically when required or updated. If needed, you can still point to a driver you might have pre-installed on your machine already.
Let’s create a new connection.
So, I need to put Host and Port according to the endpoint copied from my HANA Cloud instance cockpit. This will automatically populate the JDBC URL. Then fill in the Username and Password fields. Ok, let’s Test Connection….
“Receive of connect failed.”? Why? Of course, you know, if you read the previous post 😉
Clients can establish only secure connections to SAP HANA Cloud!
Let’s add this encrypt parameter to the connection. Unfortunately, this is where I found the DBeaver UI somewhat unintuitive.
Switch to Driver properties and right-click on User Properties to add a new property.
Unfortunately, DBeaver did not allow me to put encrypt=true just right here. Instead, I added the encrypt property, and then (it took me half an hour to figure out) double-clicked next to my property in the Value column to edit it. Type true there.
Ok, let’s Test Connection now…
Here’s another obvious disclaimer.
Never use an admin user, like DBAdmin, to do your work!
Create separate users for admin or for development.
We are on MacOS… Have we missed anything?
Again, if you read the previous post, then you might remember that the “DigiCert Global Root CA” root certificate was required to authenticate the SAP HANA host to establish secure communication. And you might remember that on MacOS or Linux we had to explicitly use that certificate with HDBSQL.
What is different with DBeaver? It is a Java app and it is using the JDBC driver. The complete JRE is included in the DBeaver installation.
And by default the JRE comes with the cacerts store of root certificates. Let’s check.
cd /Applications/DBeaver.app/Contents/Eclipse/jre/Contents/Home
bin/keytool -exportcert -cacerts -v -alias "digicertglobalrootca [jdk]" -rfc -storepass changeit
Don’t you trust yet?
Personally, I certainly would like to double-check, if these assumptions are correct.
I have another Java installation on my Mac:
/usr/local/Cellar/openjdk/13.0.2+8_2/libexec/openjdk.jdk/Contents/Home
so let’s check if it can be used to provide the trustStore property for our JDBC connection instead.
And what about Windows?
Well, not much different. You use the default JRE installed with DBeaver…
…or you can use cacerts delivered in some other %JAVA_HOME%, like with SAP JVM in my case.
Looking for more information about JDBC?
There is a tutorial from https://people.sap.com/daniel.vanleeuwen available: Connect Using the SAP HANA JDBC Driver as a part of the tutorials mission Use Clients to Query an SAP HANA Database.
Trust me, I am an engineer.
-Vitaliy (aka @Sygyzmundovych)
nice description!
It seems that in the current release you don’t have to manually add the encrypt parameter. It is already predefined amongst others. However, you still need to set the value.
With the current release of DBeaver, SAP HANA (Cloud/SP05), or SAP HANA Client?
Current release of DBeaver. I have 7.1.1 installed.
Very useful article! Thanks! Adding to that: If you want to access a service instance (e.g. you are not the owner of the HDB), you can do so by viewing the content of the service key (which you can create for that purpose):
Press "View" ...
Then copy the host and port as indicated. As for user and password use those indicated as well. Enjoy!
Gunter
P.S.: Indeed the value setting in DBeaver isn't intuitive!
Gunter Albrecht these details saved me a headache. PERFECTLY WORKING. THANK YOU !!!
It works for me. Thank you so much
Since I was connecting to an instance with a self-signed certificate, I also had to set the property 'validateCertificate' to false.
As we were facing another issue recently while connecting using SQL Workbench/J including the newest HANA JDBC drivers: we also had to set the property 'disablecloudredirect' to true.
I wanted to mention that the property 'disableCloudRedirect' is an internal undocumented connection parameter. This should not be used in production. If using this switch enables connectivity, the underlying issue may be corrected by a restart of the SAP HANA Cloud database or by opening a support ticket. The use of this parameter can affect performance.
Regards,
Dan van Leeuwen
Hi Dan
thanks, sounds even better. I have submitted it to our support ticket (683232 / 2021). Looking forward that the support colleagues are aware of this and can solve the issue with the HANA cloud instance (below DWC - so managed by SAP).
Paul
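The connection options discussed in the post and in the comments above (encrypt, validateCertificate, disableCloudRedirect) can be checked mechanically before a connection profile is shared. The following is an added example, not code from the post, its commenters, SAP or DBeaver. It assumes the connection is written as a jdbc:sap:// URL with options in the query string and that option names are matched case-insensitively; the function names and the sample host in the usage are hypothetical.

```shell
# Added example. Function names are hypothetical, not part of any SAP tool.

# Build a JDBC URL that requests TLS and server-certificate validation.
hana_jdbc_url() {
  printf 'jdbc:sap://%s/?encrypt=true&validateCertificate=true\n' "$1"
}

# Print one finding per line; return 0 only if nothing is flagged.
# Assumption: option names and values are compared case-insensitively.
audit_hana_jdbc_url() {
  url=$1 rc=0 encrypt=""
  case $url in
    jdbc:sap://*) ;;
    *) echo "ERROR not a jdbc:sap:// URL"; return 2 ;;
  esac
  # Everything after the first '?' is the option list (key=value&key=value).
  case $url in
    *"?"*) query=${url#*"?"} ;;
    *)     query="" ;;
  esac
  while [ -n "$query" ]; do
    pair=${query%%"&"*}
    case $query in
      *"&"*) query=${query#*"&"} ;;
      *)     query="" ;;
    esac
    lc=$(printf '%s' "$pair" | tr '[:upper:]' '[:lower:]')
    case $lc in
      encrypt=*) encrypt=${lc#encrypt=} ;;
      validatecertificate=false)
        echo "FAIL validateCertificate=false: server certificate is not verified"
        rc=1 ;;
      disablecloudredirect=true)
        echo "WARN disableCloudRedirect=true: internal, undocumented parameter"
        rc=1 ;;
    esac
  done
  if [ "$encrypt" != "true" ]; then
    echo "FAIL encrypt is not true: SAP HANA Cloud accepts only secure connections"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK"
  return "$rc"
}
```

Usage: `audit_hana_jdbc_url "$(hana_jdbc_url example-instance.hana.example.invalid:443)"` prints OK; a URL carrying validateCertificate=false or no encrypt option returns a non-zero status with one finding per line.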