cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Running SAP HANA dbapi client from non sidadm user

Former Member

on ‎07-18-2017 1:13 PM

0 Kudos

I have my python program which will connect using python dbapi and fetch the results :

import dbapi conn = dbapi.connect('linux',31515,'SYSTEM','*****')

cur=conn.cursor()

query="select GRANTEE,GRANTEE_TYPE,PRIVILEGE from GRANTED_PRIVILEGES "

ret = cur.execute(query)

ret = cur.fetchall()

I am validating the possibility of running it from non sidadm user.

Is it valid to run it from non sidadm user. Should that user have HANA env set up ?

What is the general process that should be followed ?

I have faced troubles in connecting with ssl enabled.

conn = dbapi.connect('linux.site',30015,'SYSTEM','*****',encrypt='True')

It works if I load the environment variables using -

". /usr/sap/<SID>/home/.sapenv.sh".

Is this the norm ?

Show replies
Show replies
lbreddemann
Active Contributor
‎07-19-2017 12:37 PM
0 Kudos

What "troubles" did you have? It's a good idea to include the error messages in the question.

Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎07-21-2017 1:15 PM
0 Kudos

These are the steps that I followed.

I have put the steps in a script which is run from sidadm - 

#/bin/bash
# Do all activities in a client directory, so that we donot accidently delete any certificate - Run this from sidadm.
set -x
rm -rf ./client
mkdir client
cd client
#copy server certificate and extract public/private keys
cp $SECUDIR/sapsrv.pse ./
sapgenpse export_own_cert -p sapsrv.pse > serv.cer
sapgenpse export_p12 -p sapsrv.pse SID_priv.p12 <<EOF




EOF
openssl pkcs12 -nodes -nocerts -in SID_priv.p12 -out serv.key
# create a client certificate and certificate request
mv $SECUDIR/sapcli.pse ./sapcli.pse_bkp
sapgenpse gen_pse -p sapcli.pse -r sapcli.req <<EOF




cn=client
EOF
cp $SECUDIR/sapcli.pse ./
# now sign the client certificate
openssl x509 -req -days 365 -in sapcli.req -sha1 -extensions usr_cert -CA serv.cer -CAkey serv.key -CAcreateserial -out sapcli.crt
cat serv.cer>>sapcli.crt
# import this certificate to SAP HANA
sapgenpse import_own_cert -p sapcli.pse -c sapcli.crt

Different scenario's :

1. While using sidadm to connect post this :

Works perfectly fine.

2. Using root to connect :

Followed below steps post above script.

a. Copied the file sapcli.pse to /root/pse/

b. Set $SECUDIR to point to /root/pse/

c. Added /usr/sap/SID/HDB00/exe: to LD_LIBRARY_PATH.

It works fine after the steps b and c are added.

3. While using a normal user - mashood :

a. Copied the file sapcli.pse to /home/mashood/pse/

b. Set $SECUDIR to point to /home/mashood/pse/

c. Added /usr/sap/SID/HDB00/exe: to LD_LIBRARY_PATH.

When running the program i get the error :

python dbapi_test.py
		Traceback (most recent call last):
		  File "dbapi_test.py", line 9, in <module>
			conn = dbapi.connect('linux.site',30015,'SYSTEM','*******',encrypt='True')        #,encrypt='True')
		  File "/usr/sap/hdbclient/hdbcli/dbapi.py", line 82, in __init__
			self.__connection = pyhdbcli.connect("%s:%d" % (address, port), 'HDB', user, password, self.__properties)
		dbapi.Error: (-10709, 'Connection failed (RTE:[300010] Cannot create SSL context: SSL key store cannot be found: /home/mashood/.ssl/key.pem (linux.site:30015))')

I thought it is directory permission stuff and added the user to "sapsys" group - It works fine after this.

1. Are the steps correct ?

2. What is the recommended way to get dbapi connect through ssl from user mashood.

Regards,

Mashood

Show replies
Show replies
sarthak0403
Advisor
Advisor
‎06-18-2018 11:43 AM
0 Kudos

Hi,

I'm getting the same error. Have you found any solution to this? How to connect to HANA instance using SSL?

Kind Regards,

Sarthak

Ask a Question