Skip to Content
avatar image
Former Member

Running SAP HANA dbapi client from non sidadm user

I have my python program which will connect using python dbapi and fetch the results :

import dbapi conn = dbapi.connect('linux',31515,'SYSTEM','*****')

cur=conn.cursor()

query="select GRANTEE,GRANTEE_TYPE,PRIVILEGE from GRANTED_PRIVILEGES "

ret = cur.execute(query)

ret = cur.fetchall()

I am validating the possibility of running it from non sidadm user.

Is it valid to run it from non sidadm user. Should that user have HANA env set up ?

What is the general process that should be followed ?

I have faced troubles in connecting with ssl enabled.

conn = dbapi.connect('linux.site',30015,'SYSTEM','*****',encrypt='True')

It works if I load the environment variables using -

". /usr/sap/<SID>/home/.sapenv.sh".

Is this the norm ?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • avatar image
    Former Member
    Jul 21, 2017 at 12:15 PM

    These are the steps that I followed.

    I have put the steps in a script which is run from sidadm -

    #/bin/bash
    # Do all activities in a client directory, so that we donot accidently delete any certificate - Run this from sidadm.
    set -x
    rm -rf ./client
    mkdir client
    cd client
    #copy server certificate and extract public/private keys
    cp $SECUDIR/sapsrv.pse ./
    sapgenpse export_own_cert -p sapsrv.pse > serv.cer
    sapgenpse export_p12 -p sapsrv.pse SID_priv.p12 <<EOF
    
    
    
    
    EOF
    openssl pkcs12 -nodes -nocerts -in SID_priv.p12 -out serv.key
    # create a client certificate and certificate request
    mv $SECUDIR/sapcli.pse ./sapcli.pse_bkp
    sapgenpse gen_pse -p sapcli.pse -r sapcli.req <<EOF
    
    
    
    
    cn=client
    EOF
    cp $SECUDIR/sapcli.pse ./
    # now sign the client certificate
    openssl x509 -req -days 365 -in sapcli.req -sha1 -extensions usr_cert -CA serv.cer -CAkey serv.key -CAcreateserial -out sapcli.crt
    cat serv.cer>>sapcli.crt
    # import this certificate to SAP HANA
    sapgenpse import_own_cert -p sapcli.pse -c sapcli.crt
    

    Different scenario's :

    1. While using sidadm to connect post this :

    Works perfectly fine.

    2. Using root to connect :

    Followed below steps post above script.

    a. Copied the file sapcli.pse to /root/pse/

    b. Set $SECUDIR to point to /root/pse/

    c. Added /usr/sap/SID/HDB00/exe: to LD_LIBRARY_PATH.

    It works fine after the steps b and c are added.

    3. While using a normal user - mashood :

    a. Copied the file sapcli.pse to /home/mashood/pse/

    b. Set $SECUDIR to point to /home/mashood/pse/

    c. Added /usr/sap/SID/HDB00/exe: to LD_LIBRARY_PATH.

    When running the program i get the error :

    python dbapi_test.py
    		Traceback (most recent call last):
    		  File "dbapi_test.py", line 9, in <module>
    			conn = dbapi.connect('linux.site',30015,'SYSTEM','*******',encrypt='True')        #,encrypt='True')
    		  File "/usr/sap/hdbclient/hdbcli/dbapi.py", line 82, in __init__
    			self.__connection = pyhdbcli.connect("%s:%d" % (address, port), 'HDB', user, password, self.__properties)
    		dbapi.Error: (-10709, 'Connection failed (RTE:[300010] Cannot create SSL context: SSL key store cannot be found: /home/mashood/.ssl/key.pem (linux.site:30015))')
     

    I thought it is directory permission stuff and added the user to "sapsys" group - It works fine after this.

    1. Are the steps correct ?

    2. What is the recommended way to get dbapi connect through ssl from user mashood.

    Regards,

    Mashood

    Add comment
    10|10000 characters needed characters exceeded