Denys van Kempen

SAP HANA Cloud, JWT Provider, and Certificate Collections

With this blog series we provide an update with the latest information on getting started with SAP HANA Cloud on the SAP Cloud Platform.

  1. About SAP HANA Cloud
  2. SAP HANA Cloud Getting Started
  3. SAP HANA Cloud and SAP Business Application Studio
  4. HDI with SAP HANA Cloud
  5. SAP Analysis for Microsoft Office and SAP HANA Cloud
  6. Cloud Foundry Advanced
  7. SAP HANA Cloud and SAP BTP Trust <=
  8. Data masking and data anonymization
  9. Predictive Analysis Library (PAL) and Automated Predictive Library (APL)
  10. Remote data sources and virtual tables
  11. OData with SAP HANA Cloud
  12. SAP HANA Cloud Graph
  13. Role Attributes
  14. SAP HANA Cloud and Smart Data Integration

For more information about the free trial, see

For the new features overview posts, see




Hands-On Video Tutorial

Philip MUGGLESTONE just added another video tutorial to the SAP HANA Cloud series. In this blog, you will find the video embedded with some additional information and resources. Following along in the patented zero-to-hero format, you will be able to fix the dreaded HTTP 500 internal server error-type errors.

You can watch the video tutorial in a little over 5 minutes. What you learn is

  • How to cause and solve a 500 internal server error
  • How to create a JWT Provider and Certificate Collection using SQL

As we know your time is precious, you can find the code snippet on our GitHub repository

500 Internal Server Error

When you want to pass on the credentials of the business user (as defined with the identity provider, e.g. SAP ID Service or Microsoft Azure AD) from the business logic application to the database, you need to manually configure the trust between the authorization server (XSUAA) and the resource server (SAP HANA Cloud).

Configure JWT Trust (using SQL)

In this video tutorial, Philip Mugglestone shows how to configure JWT trust between SAP HANA Cloud and the SAP Cloud Platform subaccount where an application has been deployed.

Without this trust, the application returns the following error message:

the predefined session variable cannot be set via SET command: 


0:00 – Introduction and use case

1:20 – Paste code snippet into SQL Console of SAP HANA Database Explorer

1:55 – Query JWT provider(s), certificate(s), and certificate collection(s) a.k.a. PSE

2:30 – Get authentication URL

2:45 – Use API endpoint replacing ‘api’ with ‘subaccount’ and ‘cf’ with ‘authentication’, appending /sap/trust

3:20 – Copy certificate and issuer and create the certificate and JWT Provider 

3:50 – Create certificate collection and set purpose to JWT. 

Configure JWT Trust using SAP HANA Cockpit

Alternatively, we can also use the SAP HANA cockpit to configure the JWT trust, as shown in the next video. This video is part of the role attributes series.

  • Blog

0:00 – Introduction and use case

0:50 – Role collections with attributes (documentation)

2:00 – Prerequisite: SAP HANA Cloud 

2:30 – XSUAA service

2:45 – Prerequisite: Configure JWT Trust 

4:25 – Import certificate

4:35 – Create JWT Identity Provider

5:10 – Create certificate collection (PSE)

5:45 – Configure SAP Business Application Studio

6:20 – Git clone sample code from

6:40 – Showcase myapphana MTA (multi-target application)

7:10 – Recap



Ready-Made Authentication Strategy

With a few lines of code, you can plug a ready-made authentication strategy into your business logic application using xssec and xsenv; two Node.js packages provided by SAP.

The first section implements the ready-made strategy with a simple copy/paste of the code snippet. As documented:

// XS Advanced Container Security API for node.js
const express = require('express');
const passport = require('passport');
const xsenv = require('@sap/xsenv');
const xssec = require('@sap/xssec');
// Read the bound xsuaa and hana service instances from VCAP_SERVICES
const services = xsenv.getServices({ uaa: { tag: 'xsuaa' }, hana: { tag: 'hana' } });
const app = express();
app.use(passport.initialize());
// Validate the bearer token (JWT) of every request against the bound XSUAA instance
passport.use('JWT', new xssec.JWTStrategy(services.uaa));
app.use(passport.authenticate('JWT', { session: false }));

Using another convenience package, we can establish a connection to the SAP HANA Cloud instance without hardcoding any credentials, simply by reading the bound service from the environment variables (VCAP_SERVICES).

// HANA Client Utility
const hdbext = require('@sap/hdbext');
// Opens a connection per request from the bound hana service and exposes it as req.db
app.use(hdbext.middleware(services.hana));

This enables us to run a database query for authenticated and appropriately authorised users only, in this case those with the Admin scope.

app.get('/srv/db', function (req, res) {
  // Only callers whose JWT carries the Admin scope of this application may query
  if (req.authInfo.checkScope('$XSAPPNAME.Admin')) {
    req.db.exec('SELECT * FROM M_DATABASE', function (err, results) {
      if (err) { res.type('text/plain').status(500).send('ERROR: ' + err.toString()); return; }
      res.type('application/json').status(200).send(JSON.stringify(results));
    });
  } else {
    res.status(403).send('Forbidden'); // authenticated, but without the Admin scope
  }
});

For more information about how this works exactly, see

One More Thing

Unfortunately, as ready-made as it is, the implementation requires an additional configuration to avoid HTTP 500 internal server error-type errors.

In OAuth terminology, this concerns the trust between the authorization server (XSUAA) and the resource server (SAP HANA Cloud).


PSE With Purpose JWT

For this trust to be established we need to import the certificate of the authorisation server into a Personal Security Environment (PSE) also known as a Certificate Collection.

Get Certificate

To obtain the certificate, access the URL composed of tenant-id + uaadomain + endpoint:

  • 123abctrial +
  • authentication +
  • +
  • /sap/trust/jwt

For example

The URL returns the subject and issuer distinguished name (DN) of the certificate, its purpose, the public certificate itself, and the issuer.

The figure shows the JSON key:values returned in a Chrome browser with JSON Viewer extension.

When in doubt, the parameters “url” and “uaadomain” are accessible as environment variables (VCAP_SERVICES) when you bind an XSUAA service instance to an application.

Create JWT Provider

Add an identity provider using the JWT Identity Provider app of the SAP HANA Cockpit. Use the value of issuer with claim user_name. The name must start with a letter and contain only ASCII characters, digits, and underscores.

Alternatively, use SQL statement CREATE JWT PROVIDER with the certificate in single quotes.


Import Certificate

Import the certificate using the Certificate Store app of the SAP HANA Cockpit.

Alternatively, use SQL statement CREATE CERTIFICATE with the certificate in single quotes.

CREATE certificate FROM 
'-----BEGIN CERTIFICATE-----<string>-----END CERTIFICATE-----';

Create Certificate Collection

Create a certificate collection, add the certificate, and set the purpose to JWT.

Alternatively, use SQL statement CREATE PSE, add the certificate using ALTER PSE and set the purpose to JWT.

ALTER PSE XSUAA ADD certificate <certificate-id>;

As documented
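The complete SQL sequence for the trust configuration described above (import certificate, create JWT provider, create the PSE with purpose JWT, then verify), as an added example rather than the snippet from the author's GitHub repository. The provider name XSUAA_TRIAL, the issuer URL, the certificate string and the certificate ID are constructed placeholders; take the real values from the /sap/trust/jwt endpoint of your subaccount.

```sql
-- Added example, not the blog's own snippet. Placeholders: the certificate string,
-- the issuer URL (the "issuer" value returned by /sap/trust/jwt) and <certificate-id>.

-- 1. Import the public certificate of the authorization server (XSUAA).
CREATE CERTIFICATE FROM '-----BEGIN CERTIFICATE-----<string>-----END CERTIFICATE-----'
  COMMENT 'XSUAA trust for subaccount 123abctrial';

-- 2. Look up the ID assigned to the certificate just imported (also shows its expiry,
--    which is what needs renewing when the 500 error returns months later).
SELECT CERTIFICATE_ID, SUBJECT_DISTINGUISHED_NAME, ISSUER_DISTINGUISHED_NAME, VALID_UNTIL
  FROM CERTIFICATES
 WHERE "COMMENT" = 'XSUAA trust for subaccount 123abctrial';

-- 3. Create the JWT provider. ISSUER must match the token's "iss" claim exactly;
--    the claim user_name becomes the external identity mapped to a database user.
CREATE JWT PROVIDER XSUAA_TRIAL
  WITH ISSUER 'https://123abctrial.authentication.<region>.hana.ondemand.com/oauth/token'
  CLAIM 'user_name' AS EXTERNAL IDENTITY;

-- 4. Create the certificate collection (PSE), add the certificate and set the
--    purpose JWT for this provider. <certificate-id> comes from the query in step 2.
CREATE PSE XSUAA;
ALTER PSE XSUAA ADD CERTIFICATE <certificate-id>;
SET PSE XSUAA PURPOSE JWT FOR PROVIDER XSUAA_TRIAL;

-- 5. Verify: provider, PSE, its certificate and its purpose assignment should all exist.
SELECT * FROM JWT_PROVIDERS WHERE JWT_PROVIDER_NAME = 'XSUAA_TRIAL';
SELECT * FROM PSES WHERE PSE_NAME = 'XSUAA';
SELECT * FROM PSE_CERTIFICATES WHERE PSE_NAME = 'XSUAA';
SELECT * FROM PSE_PURPOSE_OBJECTS WHERE PSE_NAME = 'XSUAA';
```

If step 5 shows the PSE without a purpose or the provider with a different issuer than the token's "iss" claim, the application still fails with the session variable error from the video.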



varun bhargav

      Hi Denys van Kempen ,

      Thanks for the blog, very helpful.
I am facing the same issue and I have mentioned the details here. Could you please help me if I have missed something?

      The steps I followed to add the certificate are
      1. Adding the certificate

      CREATE certificate FROM 

and in the STRING I copy-pasted the value between <X509Certificate> and </X509Certificate> from my metadata.

      2. Creating SAML Identity Provider

by adding entity Id and choosing the certificate added in step 1

      3. Creating the Certificate Collection by choosing purpose as SAML



Denys van Kempen (Blog Post Author)

      Hi Varun,

      That looks about right; will proceed with your question

varun bhargav

      Hi Denys,

      It worked fine when I added xsApplicationUser and set it as false in server.js file.

var options = {
   //anonymous : true, // remove to authenticate calls
   auditLog : { logToConsole: true }, // change to auditlog service for productive scenarios
   redirectUrl : "/index.xsjs",
   xsApplicationUser: false
};

but am not sure if that means the session is not being carried to the DB layer.



Denys van Kempen (Blog Post Author)

As this concerns xsjs it might be challenging to get a response; most developers will have moved on to XS Advanced first and then to CAP.

Philip MUGGLESTONE recorded a tutorial about using the XSJS compatibility layer. Maybe the code samples can provide you with some insights.

Former Member

      Hi Denys,

Just for ha-ha's, since this space is changing very quickly and I'm not sure what will end up in the free tier, if I get it in the first place.

      1. my trial SAP Hana Cloud service key does not contain clientid/-secret values but
      2. my Authorization & Trust Management (xsuaa) service key does have both.

It probably doesn't make any sense, but is there a way to 'bind' both keys to each other without creating and deploying an application, so that the HANA Cloud server will have both in its collection and certificate store?

      Thank you,


      P.S. always good to validate JWT values on

Jaafar Farissi

      Hi Denys,


Any idea for connecting Dot Net Core to a Hana Cloud database with SSO JWT?

      Thanks for Your Help.



Denys van Kempen (Blog Post Author)

      Hi Jaafar,

      Not familiar that much with .NET Core. Could not find (1-2-3) much documented on the topic either.

      Would you mind asking this question to the Community? You might need to add a bit of context of what it is you are trying to achieve, what you tried, code snippets, error message, etc.

      Thanks for contributing!

Ananya Appan

      Hi Denys,


      We are trying to apply row level filters to our BTP CAP JAVA application based on the user and the same filters should be applied to our SAC reports also. We are trying to use analytic privileges to do this. We can see that the sample code is using nodejs. Do you have any reference for JAVA?




Denys van Kempen (Blog Post Author)

      Hi Ananya,

      No reference for Java. Suggest to post this comment as a question to the forum >>



Ananya Appan

      Hi Denys,


      Okay, will do. Thank you for your prompt response.