
Running SAP HANA dbapi client from non sidadm user

Jul 18, 2017 at 12:13 PM

Former Member

I have a Python program which connects using the Python dbapi and fetches the results:

import dbapi

# connect as SYSTEM (password masked in the post)
conn = dbapi.connect('linux', 31515, 'SYSTEM', '*****')
cur = conn.cursor()
query = "select GRANTEE,GRANTEE_TYPE,PRIVILEGE from GRANTED_PRIVILEGES"
ret = cur.execute(query)
# fetch all rows of the privilege listing
ret = cur.fetchall()

I am validating the possibility of running it from a non-sidadm user.

Is it valid to run it from a non-sidadm user? Should that user have the HANA env set up?

What is the general process that should be followed?

I have faced troubles in connecting with SSL enabled.

conn = dbapi.connect('linux.site',30015,'SYSTEM','*****',encrypt='True')

It works if I load the environment variables using -

". /usr/sap/<SID>/home/.sapenv.sh".

Is this the norm?


What "troubles" did you have? It's a good idea to include the error messages in the question.


1 Answer

Former Member Jul 21, 2017 at 12:15 PM

These are the steps that I followed.

I have put the steps in a script which is run from sidadm -

#!/bin/bash
# Do all activities in a client directory, so that we do not accidentally delete any certificate - Run this from sidadm.
set -x
rm -rf ./client
mkdir client
cd client
# copy server certificate and extract public/private keys
cp "$SECUDIR/sapsrv.pse" ./
sapgenpse export_own_cert -p sapsrv.pse > serv.cer
sapgenpse export_p12 -p sapsrv.pse SID_priv.p12 <<EOF




EOF
# -nodes writes the server private key to serv.key unencrypted
openssl pkcs12 -nodes -nocerts -in SID_priv.p12 -out serv.key
# create a client certificate and certificate request
mv "$SECUDIR/sapcli.pse" ./sapcli.pse_bkp
sapgenpse gen_pse -p sapcli.pse -r sapcli.req <<EOF




cn=client
EOF
cp "$SECUDIR/sapcli.pse" ./
# now sign the client certificate request, with the server certificate and key acting as the CA (SHA-1 digest, valid 365 days)
openssl x509 -req -days 365 -in sapcli.req -sha1 -extensions usr_cert -CA serv.cer -CAkey serv.key -CAcreateserial -out sapcli.crt
# append the server certificate to form the chain
cat serv.cer >> sapcli.crt
# import this certificate to SAP HANA
sapgenpse import_own_cert -p sapcli.pse -c sapcli.crt

Different scenarios:

1. While using sidadm to connect post this:

Works perfectly fine.

2. Using root to connect:

Followed the below steps post the above script.

a. Copied the file sapcli.pse to /root/pse/

b. Set $SECUDIR to point to /root/pse/

c. Added /usr/sap/SID/HDB00/exe: to LD_LIBRARY_PATH.

It works fine after the steps b and c are added.

3. While using a normal user - mashood:

a. Copied the file sapcli.pse to /home/mashood/pse/

b. Set $SECUDIR to point to /home/mashood/pse/

c. Added /usr/sap/SID/HDB00/exe: to LD_LIBRARY_PATH.

When running the program I get the error:

python dbapi_test.py
Traceback (most recent call last):
  File "dbapi_test.py", line 9, in <module>
    conn = dbapi.connect('linux.site',30015,'SYSTEM','*******',encrypt='True')        #,encrypt='True')
  File "/usr/sap/hdbclient/hdbcli/dbapi.py", line 82, in __init__
    self.__connection = pyhdbcli.connect("%s:%d" % (address, port), 'HDB', user, password, self.__properties)
dbapi.Error: (-10709, 'Connection failed (RTE:[300010] Cannot create SSL context: SSL key store cannot be found: /home/mashood/.ssl/key.pem (linux.site:30015))')

I thought it is directory permission stuff and added the user to "sapsys" group - It works fine after this.

1. Are the steps correct?

2. What is the recommended way to get dbapi to connect through SSL from user mashood?

Regards,

Mashood


Hi,

I'm getting the same error. Have you found any solution to this? How to connect to HANA instance using SSL?

Kind Regards,

Sarthak
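An added example, not part of the original posts: a preflight check a non-sidadm user can run before `dbapi.connect(..., encrypt='True')`, covering the three things the steps above set up (SECUDIR, the copied sapcli.pse, the exe directory on LD_LIBRARY_PATH) and flagging a PSE that other accounts can access, since it holds the client's private key. The function name `preflight` and the library file name `libsapcrypto.so` are assumptions, not taken from the thread.

```python
import os
import stat

PSE_NAME = "sapcli.pse"         # client PSE file name used in the thread
CRYPTO_LIB = "libsapcrypto.so"  # assumption: crypto library file in the exe dir


def preflight(env=None):
    """Return a list of problems found in the client TLS environment."""
    env = os.environ if env is None else env
    problems = []

    secudir = env.get("SECUDIR")
    if not secudir:
        problems.append("SECUDIR is not set")
    else:
        pse = os.path.join(secudir, PSE_NAME)
        if not os.path.isfile(pse):
            problems.append(f"{pse} does not exist")
        else:
            if not os.access(pse, os.R_OK):
                problems.append(f"{pse} is not readable by this user")
            # The PSE holds a private key: only its owner should have access.
            mode = stat.S_IMODE(os.stat(pse).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(
                    f"{pse} is accessible to group/other (mode {mode:o})")
            dmode = stat.S_IMODE(os.stat(secudir).st_mode)
            if dmode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append(
                    f"{secudir} is writable by group/other (mode {dmode:o})")

    # Some LD_LIBRARY_PATH entry must hold a crypto library this user can read.
    dirs = [d for d in env.get("LD_LIBRARY_PATH", "").split(":") if d]
    if not any(os.access(os.path.join(d, CRYPTO_LIB), os.R_OK) for d in dirs):
        problems.append(f"no readable {CRYPTO_LIB} on LD_LIBRARY_PATH")
    return problems


if __name__ == "__main__":
    found = preflight()
    for problem in found:
        print("PROBLEM:", problem)
    if not found:
        print("client TLS environment looks complete")
```
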