
How to Configure a Secure Connection Between Informatica Clients and an SAP HANA Server

© 1993-2016 Informatica LLC. No part of this document may be reproduced or transmitted in any form, by any
means (electronic, photocopying, recording or otherwise) without prior consent of Informatica LLC. All other
company and product names may be trade names or trademarks of their respective owners and/or copyrighted
materials of such owners.
Abstract
You can use the SSL protocol to configure a secure connection between Informatica clients and an SAP HANA server.
This article describes how to configure Informatica clients for SSL communication with a HANA server.

Supported Versions
• Data Explorer 9.6.1 HotFix 1 and later
• Data Quality 9.6.1 HotFix 1 and later
• Data Services 9.6.1 HotFix 1 and later
• PowerCenter 9.6.1 HotFix 1 and later

Table of Contents
Overview
Prerequisites
SSL Configuration for Informatica Clients
    SSL Configuration for Informatica Clients on Windows
    SSL Configuration for Informatica Clients on UNIX
Additional Resources

Overview
Effective in version 9.6.1 HotFix 1, you can use the SSL protocol to configure a secure connection between Informatica
clients and an SAP HANA server.

SAP HANA supports OpenSSL and the SAP Cryptographic Library to enable a secure connection through SSL.
Informatica uses the OpenSSL standard to enable a secure connection through SSL.

Prerequisites
Before you configure the Informatica clients for SSL communication, perform the following tasks:

1. Install the OpenSSL libraries on the HANA server.
2. Configure the HANA server for SSL communication and restart the HANA server for the configuration
changes to take effect.
For information about configuring and restarting the HANA server, see the following URL:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/70d2b2b7-3574-3010-dcac-be68463c66e2?QuickLink=index&overridelayout=true&58110907731645
3. On the HANA server machine, generate the key.pem and trust.pem certificate files.
4. On the Informatica client machine where you want to configure a secure connection, create an ODBC data
source to connect to the HANA server.
For information about creating an ODBC data source, see the Informatica How-To Library article "Configure
an ODBC Connection to SAP HANA":
https://kb.informatica.com/h2l/HowTo%20Library/1/0563-ConfigODBCConnToSAPHANA-H2L.pdf

SSL Configuration for Informatica Clients
After you configure the SAP HANA server for SSL communication, you can configure the Informatica clients for SSL
communication with the HANA server.

The SSL configuration steps differ based on whether you use Windows or UNIX.

SSL Configuration for Informatica Clients on Windows


Before you configure the Informatica clients for SSL communication, you must configure the client machine to trust the
HANA server certificate. For information about managing the trusted root certificates for the client machine, see the
following document:
https://technet.microsoft.com/en-in/library/cc754841.aspx

On Windows, perform the following steps to configure the Informatica clients for SSL communication:

1. Import the trust.pem certificate file to the Informatica client machine where you want to configure a secure
connection.
2. Define the SSL configuration properties for the ODBC data source that you created to connect to the HANA
server.

Step 1. Import the SAP HANA Server Certificate File


After you create an ODBC data source to connect to the SAP HANA server and configure the client machine to trust
the HANA server certificate, import the HANA server certificate file named trust.pem.

1. Click Start, type mmc in the Search box, and press Enter.
The Console window appears.
2. Click File > Add/Remove Snap-in.
The Add/Remove Snap-ins window appears.

3. From the Available snap-ins list, select Certificates, and then click Add.

4. Click Computer account and then click Next.

5. Click Local computer and then click Finish.

6. Click OK.
The Certificates snap-in is added to the console tree.

7. In the console tree, double-click Certificates.

8. Right-click the Trusted Root Certification Authorities store, and then click All Tasks > Import.

The Certificate Import Wizard appears.

9. Click Next.

The File to Import dialog box appears.

10. Click Browse to import the trust.pem certificate file.

Note: By default, the wizard does not display the trust.pem certificate file. To view the file, click the file type
list and select All Files.
11. Select the trust.pem certificate file and click Open to import the file.

Step 2. Define SSL Configuration Properties for the ODBC Data Source
After you import the trust.pem certificate file, define the SSL configuration properties for the ODBC data source that
you created to connect to the SAP HANA server.

1. Start the ODBC Data Administrator.


2. Select the HANA data source and click Settings.
The SAP HDB ODBC Advanced Setup dialog box appears.

3. Select the Connect using SSL and Validate the SSL certificate options.

4. Click OK to save the changes.

SSL Configuration for Informatica Clients on UNIX


On UNIX, you must define the SSL configuration properties in the odbc.ini file to establish a secure connection
between Informatica clients and the HANA server. The odbc.ini file contains details of the ODBC data source that you
created to connect to the SAP HANA server. It also contains the locations where the key.pem and trust.pem certificate
files are stored.

On UNIX, perform the following steps to configure the Informatica clients for SSL communication:

1. Install the OpenSSL libraries on the client machine.


2. Copy the SAP HANA server certificate files to the client machine.
3. Configure the SSL properties on the client machine.

Step 1. Install the OpenSSL Libraries


On the client machine where you want to configure a secure connection to the HANA server, install the OpenSSL
libraries. If you want to connect to the HANA server from different nodes of an Informatica domain, you must install the
OpenSSL libraries on all the nodes.

1. Install the OpenSSL libraries and the soft link for the libssl.so file.
2. Define the library path environment variable based on the operating system that you use.

The following table lists the library path variable that you must define for each operating system:

Operating System    Library Path Environment Variable
HP-UX               SHLIB_PATH
Linux               LD_LIBRARY_PATH
Solaris             LD_LIBRARY_PATH

3. Set the library path environment variable to the directory where the OpenSSL libraries are installed.
4. Restart the Informatica services for the environment variable to take effect.

Step 2. Copy the SAP HANA Server Certificate Files to the Client Machine
Access the SAP HANA server and download the trust.pem and key.pem certificate files. Copy the certificate files to
the Informatica client machine where you want to configure a secure connection. If you want to connect to the HANA
server from different nodes of an Informatica domain, you must copy the certificate files to all the nodes.

Step 3. Configure the SSL Properties on the Client Machine


On the client machine where you want to configure a secure connection to the HANA server, configure the SSL
properties in the odbc.ini file. If you want to connect to the HANA server from different nodes of an Informatica
domain, you must configure the odbc.ini file on all the nodes.

1. Find and open the odbc.ini file in the following directory:


<Informatica Installation Directory>/ODBC7.1
2. In the odbc.ini file, define the following SSL configuration properties:

Property             Description
Encrypt              Enables or disables SSL encryption. Set this property to 1 to enable SSL encryption.
sslCryptoProvider    Provider of the cryptographic library that will be used for SSL communication. Set this property to openssl because Informatica uses the OpenSSL libraries to establish a secure connection with the HANA server.
sslKeyStore          Path and file name of the key store file that contains the private key of the HANA server. Set this property to the path and file name of the key.pem file.
sslTrustStore        Path and file name of the trust store file that contains the public certificate of the HANA server. Set this property to the path and file name of the trust.pem file.

The following example shows the SSL configuration entries in an odbc.ini file.
[hanasource]
Driver=/usr/sap/hdbclient/libodbcHDB.so
DriverUnicodeType=1
ServerNode=<hana server name>:<Port No>
encrypt=1
User=<Username>
Password=<Password>
sslCryptoProvider=openssl
sslKeyStore=/export/home/adputf_9/key.pem
sslTrustStore=/export/home/adputf_9/trust.pem
sslValidateCertificate=false
ConnectionRetryCount=3
ConnectionRetryDelay=30

3. Save the odbc.ini file.
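
The example entry above sets sslValidateCertificate=false, which keeps the connection encrypted but does not verify the server certificate against trust.pem. The following script is an added example, not Informatica or SAP code, that audits one data source section of odbc.ini for the properties in this step. Treating any sslValidateCertificate value other than true and a key.pem readable by group or others as failures is this example's own policy, and the demo input is constructed.

```shell
#!/bin/sh
# Added example, not Informatica or SAP code; pass/fail policy is an assumption.

# get_prop FILE DSN KEY: print KEY's value inside [DSN]. Keys are matched
# case-insensitively because the page writes both "Encrypt" and "encrypt".
get_prop() {
    awk -v dsn="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s); insec = (s == dsn); next }
        insec && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# audit_dsn FILE DSN: print one FAIL line per finding; return 1 if any.
audit_dsn() {
    rc=0
    trust=$(get_prop "$1" "$2" sslTrustStore)
    key=$(get_prop "$1" "$2" sslKeyStore)
    val=$(get_prop "$1" "$2" sslValidateCertificate | tr 'A-Z' 'a-z')
    [ "$(get_prop "$1" "$2" encrypt)" = 1 ] ||
        { echo "FAIL encrypt: not 1, traffic is not encrypted"; rc=1; }
    [ "$(get_prop "$1" "$2" sslCryptoProvider)" = openssl ] ||
        { echo "FAIL sslCryptoProvider: not openssl"; rc=1; }
    { [ -n "$trust" ] && [ -r "$trust" ]; } ||
        { echo "FAIL sslTrustStore: missing or unreadable"; rc=1; }
    [ "$val" = true ] ||
        { echo "FAIL sslValidateCertificate: not true, server certificate is not verified"; rc=1; }
    # key.pem holds a private key: flag copies readable by group or others.
    if [ -f "$key" ] && [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL sslKeyStore: readable by group or others"; rc=1
    fi
    return $rc
}

# demo: the page's entry rebuilt as constructed sample input (temp files).
demo() {
    d=$(mktemp -d) && : > "$d/trust.pem" && : > "$d/key.pem" && chmod 600 "$d/key.pem"
    printf '%s\n' '[hanasource]' 'encrypt=1' 'sslCryptoProvider=openssl' \
        "sslKeyStore=$d/key.pem" "sslTrustStore=$d/trust.pem" \
        'sslValidateCertificate=false' > "$d/odbc.ini"
    st=0; audit_dsn "$d/odbc.ini" hanasource || st=1
    rm -rf "$d"; return $st
}

if [ $# -eq 2 ]; then audit_dsn "$1" "$2"; else demo || true; fi
```

Called with an odbc.ini path and a data source name as its two arguments, the script audits that file instead of the constructed sample.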

Additional Resources
For more information about SAP HANA security configuration, see the following document:

http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf

Author
Anu Chandrasekharan
Senior Technical Writer

Acknowledgements
The author would like to acknowledge Rajesh Thalluru, Software QA Engineer, for his technical assistance.
