Skip to Content

Running SAP HANA dbapi client from non sidadm user

Jul 18, 2017 at 12:13 PM


avatar image

I have my python program which will connect using python dbapi and fetch the results :

import dbapi conn = dbapi.connect('linux',31515,'SYSTEM','*****')



ret = cur.execute(query)

ret = cur.fetchall()

I am validating the possibility of running it from non sidadm user.

Is it valid to run it from non sidadm user. Should that user have HANA env set up ?

What is the general process that should be followed ?

I have faced troubles in connecting with ssl enabled.

conn = dbapi.connect('',30015,'SYSTEM','*****',encrypt='True')

It works if I load the environment variables using -

". /usr/sap/<SID>/home/".

Is this the norm ?

10 |10000 characters needed characters left characters exceeded

What "troubles" did you have? It's a good idea to include the error messages in the question.

* Please Login or Register to Answer, Follow or Comment.

1 Answer

Mashood K Jul 21, 2017 at 12:15 PM

These are the steps that I followed.

I have put the steps in a script which is run from sidadm -

# Do all activities in a client directory, so that we donot accidently delete any certificate - Run this from sidadm.
set -x
rm -rf ./client
mkdir client
cd client
#copy server certificate and extract public/private keys
cp $SECUDIR/sapsrv.pse ./
sapgenpse export_own_cert -p sapsrv.pse > serv.cer
sapgenpse export_p12 -p sapsrv.pse SID_priv.p12 <<EOF

openssl pkcs12 -nodes -nocerts -in SID_priv.p12 -out serv.key
# create a client certificate and certificate request
mv $SECUDIR/sapcli.pse ./sapcli.pse_bkp
sapgenpse gen_pse -p sapcli.pse -r sapcli.req <<EOF

cp $SECUDIR/sapcli.pse ./
# now sign the client certificate
openssl x509 -req -days 365 -in sapcli.req -sha1 -extensions usr_cert -CA serv.cer -CAkey serv.key -CAcreateserial -out sapcli.crt
cat serv.cer>>sapcli.crt
# import this certificate to SAP HANA
sapgenpse import_own_cert -p sapcli.pse -c sapcli.crt

Different scenario's :

1. While using sidadm to connect post this :

Works perfectly fine.

2. Using root to connect :

Followed below steps post above script.

a. Copied the file sapcli.pse to /root/pse/

b. Set $SECUDIR to point to /root/pse/

c. Added /usr/sap/SID/HDB00/exe: to LD_LIBRARY_PATH.

It works fine after the steps b and c are added.

3. While using a normal user - mashood :

a. Copied the file sapcli.pse to /home/mashood/pse/

b. Set $SECUDIR to point to /home/mashood/pse/

c. Added /usr/sap/SID/HDB00/exe: to LD_LIBRARY_PATH.

When running the program i get the error :

		Traceback (most recent call last):
		  File "", line 9, in <module>
			conn = dbapi.connect('',30015,'SYSTEM','*******',encrypt='True')        #,encrypt='True')
		  File "/usr/sap/hdbclient/hdbcli/", line 82, in __init__
			self.__connection = pyhdbcli.connect("%s:%d" % (address, port), 'HDB', user, password, self.__properties)
		dbapi.Error: (-10709, 'Connection failed (RTE:[300010] Cannot create SSL context: SSL key store cannot be found: /home/mashood/.ssl/key.pem (')

I thought it is directory permission stuff and added the user to "sapsys" group - It works fine after this.

1. Are the steps correct ?

2. What is the recommended way to get dbapi connect through ssl from user mashood.



10 |10000 characters needed characters left characters exceeded