gh-secondsky-sap-skills-ski…/references/connection-security.md
2025-11-30 08:55:22 +08:00

SAP HANA CLI - Connection & Security Guide

Source: https://github.com/SAP-samples/hana-developer-cli-tool-example


Connection Credential Hierarchy

The hana-cli searches for connection credentials in this priority order:

1. default-env-admin.json (Highest Priority)

Used when the --admin flag is specified.

{
  "VCAP_SERVICES": {
    "hana": [{
      "name": "hana-admin",
      "credentials": {
        "host": "hostname.hanacloud.ondemand.com",
        "port": "443",
        "user": "DBADMIN",
        "password": "AdminPassword123",
        "schema": "MYSCHEMA",
        "encrypt": true,
        "sslValidateCertificate": true
      }
    }]
  }
}

2. .cdsrc-private.json (cds bind)

Most secure option for cloud credentials. Uses CAP binding.

{
  "requires": {
    "db": {
      "kind": "hana",
      "binding": {
        "type": "cf",
        "apiEndpoint": "https://api.cf.eu10.hana.ondemand.com",
        "org": "my-org",
        "space": "dev",
        "instance": "my-hana-hdi"
      }
    }
  }
}

3. .env File

Environment variables with VCAP_SERVICES.

VCAP_SERVICES={"hana":[{"credentials":{"host":"...","port":"443",...}}]}

4. --conn Parameter

Specify a custom connection file.

hana-cli tables --conn ./my-connection.json

5. ${homedir}/.hana-cli/

User-level configuration directory.

6. default-env.json

Project-level default connection.

{
  "VCAP_SERVICES": {
    "hana": [{
      "name": "hana-db",
      "credentials": {
        "host": "hostname",
        "port": "30015",
        "user": "SYSTEM",
        "password": "Password123"
      }
    }]
  }
}

7. ${homedir}/.hana-cli/default.json (Lowest Priority)

Global fallback configuration.


Connection Methods

Interactive Connection

# Prompts for all parameters
hana-cli connect

# Partial parameters (prompts for missing)
hana-cli connect -n "myhost:443" -u MYUSER

Direct Connection

# Full specification
hana-cli connect -n "hostname:443" -u USER -p PASSWORD --encrypt --save

# Using user store key
hana-cli connect -U MYKEY

Service Key Connection (HANA Cloud)

# Interactive service key setup
hana-cli connectViaServiceKey

SSL/TLS Configuration

Enable Encryption

hana-cli connect --encrypt true
# or
hana-cli connect -e
# or
hana-cli connect --ssl

Custom Trust Store

# Specify certificate file
hana-cli connect --trustStore /path/to/DigiCertGlobalRootCA.crt

# Alternative aliases
hana-cli connect --Trust /path/to/cert.pem
hana-cli connect -t /path/to/cert.pem

HANA Cloud SSL

For SAP HANA Cloud, SSL is required. The connection automatically uses:

  • Port 443
  • SSL encryption enabled
  • DigiCert Global Root CA (usually pre-installed)

Credential Storage

Save Credentials

# Save after connection (default behavior)
hana-cli connect -n "host:port" -u USER -p PASS --save

# Don't save
hana-cli connect --save false

Credential Files Created

| File | Purpose |
|------|---------|
| default-env.json | Standard connection |
| default-env-admin.json | Admin connection |
| .cdsrc-private.json | CDS binding (gitignored) |

Security Best Practices

DO:

  • Use cds bind for cloud credentials (no local storage)
  • Add default-env*.json to .gitignore
  • Add .cdsrc-private.json to .gitignore
  • Use service keys for HANA Cloud
  • Enable SSL/TLS for all connections
  • Use user store keys when available

DON'T:

  • Commit credentials to version control
  • Use plaintext passwords in scripts
  • Disable SSL certificate validation in production
  • Share admin credentials
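
The checks above can be run mechanically against a project. The following is an added example, not part of hana-cli or the original guide: it lints a default-env style JSON document for the TLS and password settings this page recommends, and reports which of the credential files named here are not covered by a .gitignore. The function names, the sample host and the simplified glob matching are assumptions of this example.

```python
import fnmatch
import json

# Constructed samples, shaped like this page's on-premise and HANA Cloud templates.
SAMPLE_ONPREM = """{"VCAP_SERVICES": {"hana": [{"name": "hana-onprem",
  "credentials": {"host": "hana.company.internal", "port": "30015",
                  "user": "DEVELOPER", "password": "Password123"}}]}}"""
SAMPLE_CLOUD = """{"VCAP_SERVICES": {"hana": [{"name": "hana-cloud",
  "credentials": {"host": "example.hanacloud.ondemand.com", "port": "443",
                  "user": "DBADMIN", "password": "SecurePassword123!",
                  "encrypt": true, "sslValidateCertificate": true}}]}}"""

# Credential files named on this page.
CREDENTIAL_FILES = ["default-env.json", "default-env-admin.json", ".cdsrc-private.json"]


def audit_connection(text):
    """Return (service name, finding) pairs for one default-env style JSON document."""
    findings = []
    doc = json.loads(text)
    for svc in doc.get("VCAP_SERVICES", {}).get("hana", []):
        name = svc.get("name", "<unnamed>")
        cred = svc.get("credentials", {})
        # Flag anything that is not an explicit boolean true, including a missing key.
        for key in ("encrypt", "sslValidateCertificate"):
            if cred.get(key) is not True:
                findings.append((name, f"{key} is not set to true"))
        # Any non-empty password value means a secret is stored on disk.
        for key in ("password", "hdi_password"):
            if cred.get(key):
                findings.append((name, f"plaintext {key} stored in file"))
    return findings


def unignored_files(gitignore_text, candidates=CREDENTIAL_FILES):
    """Return credential file names that no .gitignore pattern covers.

    Simplified matching: plain glob patterns only, negation (!) lines are skipped.
    """
    patterns = [line.strip() for line in gitignore_text.splitlines()
                if line.strip() and not line.strip().startswith(("#", "!"))]
    return [name for name in candidates
            if not any(fnmatch.fnmatch(name, p.lstrip("/")) for p in patterns)]


if __name__ == "__main__":
    for finding in audit_connection(SAMPLE_ONPREM):
        print(finding)
    print(unignored_files("node_modules/\ndefault-env*.json\n"))
```

A missing encrypt or sslValidateCertificate key is reported the same way as an explicit false, so the on-premise template on this page produces findings while the HANA Cloud template only reports the stored password.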

Connection File Templates

HANA Cloud Connection

{
  "VCAP_SERVICES": {
    "hana": [{
      "name": "hana-cloud",
      "label": "hana",
      "credentials": {
        "host": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.hana.trial-eu10.hanacloud.ondemand.com",
        "port": "443",
        "user": "DBADMIN",
        "password": "SecurePassword123!",
        "schema": "DBADMIN",
        "encrypt": true,
        "sslValidateCertificate": true
      }
    }]
  }
}

On-Premise HANA Connection

{
  "VCAP_SERVICES": {
    "hana": [{
      "name": "hana-onprem",
      "label": "hana",
      "credentials": {
        "host": "hana.company.internal",
        "port": "30015",
        "user": "DEVELOPER",
        "password": "Password123",
        "schema": "MYSCHEMA"
      }
    }]
  }
}

HDI Container Connection

{
  "VCAP_SERVICES": {
    "hana": [{
      "name": "hdi-container",
      "label": "hana",
      "credentials": {
        "host": "hostname",
        "port": "443",
        "user": "CONTAINER_USER",
        "password": "ContainerPass",
        "schema": "CONTAINER_SCHEMA",
        "hdi_user": "CONTAINER_USER",
        "hdi_password": "ContainerPass"
      }
    }]
  }
}

Troubleshooting Connections

Check Status

hana-cli status

Test Connection

# Simple query test
hana-cli querySimple -q "SELECT CURRENT_USER FROM DUMMY"

Common Issues

| Error | Cause | Solution |
|-------|-------|----------|
| Connection refused | Wrong host/port | Verify hostname and port |
| SSL handshake failed | Certificate issue | Add --trustStore |
| Authentication failed | Wrong credentials | Check user/password |
| Insufficient privilege | Missing permissions | Check user roles |

Diagnose Privileges

hana-cli privilegeError
hana-cli inspectUser

Connection Profiles

Use profiles for multiple environments:

# Use specific profile
hana-cli tables --profile dev
hana-cli tables --profile prod

# Profile stored in connection file

Reference: https://github.com/SAP-samples/hana-developer-cli-tool-example