使用hdbsql连接HANA Cloud中的HANA数据库
前言
HANA数据库的命令行客户端工具,叫hdbsql。hdb前缀表示的就是HANA DB。也正如它的jdbc驱动:com.sap.db.jdbc.Driver, 文件名:ngdbc-
当HANA数据库只是本地安装时,它的连接也比较直观。
hdbsql -n <host>[:<port>]
-d <database name>
-u <user_name>
-p <password>
可是在Cloud 环境当中,就不一样了。涉及到证书与SSL加密。
补充HANA的JDBC驱动误区
HANA的JDBC分两种,一种是面向Cloud的,另一种是面向非Cloud的。其库的mvn定义如下:
OnPremise System
<dependency>
<groupId>com.sap.db.jdbcgroupId>
<artifactId>ngdbcartifactId>
<version>[2.5.49,)version>
dependency>
Cloud system
<dependency>
<groupId>com.sap.cloud.db.jdbcgroupId>
<artifactId>ngdbcartifactId>
<version>[2.7.7,)version>
dependency>
这两个驱动文件名形式相同,但是里边java包的名字是不一样的。
OnPremise系统中的JDBC:https://int.repositories.cloud.sap/ui/native/build-releases/com/sap/db/jdbc/ngdbc/2.14.7/ (on premise)
Cloud系统中的JDBC: https://int.repositories.cloud.sap/ui/native/build-releases/com/sap/cloud/db/jdbc/ngdbc/2.14.7/ (Cloud)
至于版本,要跟具体的HANA数据库服务器版本相匹配即可。
如果把Cloud的JDBC误用于OnPremise或反过来,在少数情况下,可能出现不可预料的错误。很多开发人员都没有意识到这一点。最常见的错误是将OnPremise的JDBC用于所有的环境。
hdbsql连接Cloud中的HANA
我们再来看看hdbsql连接Cloud时要注意什么?
给定一个连接信息:
"url": "jdbc:sap://#########hhhhhhhhhhhh:443?encrypt=true&validateCertificate=true¤tschema=6D436A932BAE4307BD99C794B584604F",
"certificate": "-----BEGIN CERTIFICATE-----***\n-----END CERTIFICATE-----",
"database_id": "ccccc-75fc-40eb-9dd7-*********",
"driver": "com.sap.db.jdbc.Driver",
"hdi_password": "Qd0DB1FXVE4StL2n9AAAAAAAAAAAAAAAaaa",
"hdi_user": "BBBBBBBBBBBBBBBBB************",
"host": "cccc-75fc-CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC",
"password": "Xg24dRgS58*****************************",
"port": "443",
"schema": "SSSSSSSSSSSSSSsss**************",
"tenantId": "tenantId",
"user": "UUUUUUUUUUUUUUU**************"
出于安全的目的,这里隐去了相关值的信息。
一般情况下,使用下述命令行进行连接:
hdbsql -n <host>[:<port>]
-d <database name>
-u <user_name>
-p <password>
不做任何配置直接连接Cloud HANA DB会出如下错误:
hdbsql -n -u myuser -p password
* -10709: Connection failed (RTE:[300010] Cannot create SSL context: Error in api.SSL_CTX_set_default_pse_by_name D:\tools\sap\hdbclient\\sapcli.pse - SSL error [4129]: Unknown error, General error: 0x00001021 | SAPCRYPTOLIB | SSL_CTX_set_default_pse_by_name
SAPCRYPTO API error
The PSE file does not exist.
0xa1d50108 | TOKEN_TOKPSE | SSL_CTX_set_default_pse_by_name
Token application not existing
Cannot open PSE (PSE=D:\tools\sap\hdbclient\\sapcli.pse, SECUDIR=D:\tools\sap\hdbclient\, user=Administrator Administrator Administrator)
0xa1d50108 | TOKEN_TOKPSE | sec_SSL_CTX_set_asc
Token application not existing
(ErrCode: 4129) (3afc2648-75fc-40eb-9dd7-b444e5dd7a60.hna0.canary-eu10.hanacloud.ondemand.com:443))
我们需要进行如下配置:
1、设置:sapgenpse gen_pse
PSE owner指定为: "CN=Client 001"即可. PIN码直接置为空串。
D:\tools\sap\hdbclient>sapgenpse gen_pse -p "D:\tools\sap\hdbclient\sapcli.pse"
Please enter PSE PIN/Passphrase:
Please reenter PSE PIN/Passphrase:
!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.
get_pse: Distinguished name of PSE owner: CN=Client 001
Certificate Request:
Signed Part:
Subject: CN=Client 001
Key: rsaEncryption (2048 bits)
Attributes: None
Signature:
Signature algorithm: sha256WithRsaEncryption (1.2.840.113549.1.1.11)
Signature: <Not displayed>
PKCS#10 certificate request for "D:\tools\sap\hdbclient\sapcli.pse":
-----BEGIN CERTIFICATE REQUEST-----
MIICWjCCAUICAQAwFTETMBEGA1UEAxMKQ2xpZW50IDAwMTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALJQ+LitFwpi0xYhDhszNtLREdDVFYaNjYfLugQ9
tvsW78SvoA8c7l7lr5q8vRT2iH2V7wkhggAe7+ELR5rPkuyWuMfdXeXqWFvfkQjx
lARjX***************************************************JkiJpxwI
N1y/NwAl1VvtsO49i26NNdTYM42FDKkK0FwIf+5INcdKk3hHtA0NpjQ9z/CPo1kj
W9QgfGK4l99fXP8dvteUiwZZY82nTq0z1Xqml2DNG5HDdXJuiXPR5XfqWcHfnTEv
gT04eViGHBSWWpKPxmiPsMa04KhT56n3ivUz/900
-----END CERTIFICATE REQUEST-----
2、下载根证书
从网站:https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt
3、导入根证书
sapgenpse maintain_pk -p "D:\tools\sap\hdbclient\sapcli.pse" -a d:\logs\DigiCertGlobalRootCA.crt
D:\tools\sap\hdbclient>sapgenpse maintain_pk -p "D:\tools\sap\hdbclient\sapcli.pse" -a d:\logs\DigiCertGlobalRootCA.crt
maintain_pk for PSE "D:\tools\sap\hdbclient\sapcli.pse"
----------------------------------------------------------------------------
Subject : CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
PKList updated (1 entries total, 1 newly added)
这样添加完之后,就可以顺利的连接HANA数据库了。
4、连接HANA
D:\tools\sap\hdbclient>hdbsql -n mydb.region.hanacloud.ondemand.com:443 -u -p password
Welcome to the SAP HANA Database interactive terminal.
Type: \h for help with commands
\q to quit
hdbsql=> \h
hdbsql=> \dt
List of tables
Schema,Name
SEAN940SK2PNO59YS77FRI6MPSFMP_123,TEST
SYS,DUMMY
SYS,INDEX_TYPE_ADVISOR_RESULT_TYPE
SYS,INSUFFICIENT_PRIVILEGE_ERROR_DETAILS_TYPE
SYS,PARAMETER_PROPERTIES_PROCEDURE_TYPE
SYS,REMOTE_SOURCE_PROPERTIES_TYPE
SYS,RESTART_PREDICTION_RESULT_TYPE
SYS,RESTART_PROGRESS_RESULT_TYPE
SYS,SQLSCRIPT_LOGGING_TABLE_TYPE
_SYS_BI,AMS_STATUS
_SYS_TASK,DQ_REFERENCEDATA_EXPIRY_RESULT
_SYS_TASK,GENERATE_PARTITION_FILTERS_OPTIONS
_SYS_TASK,GENERATE_PARTITION_FILTERS_RESULT
_SYS_TASK,PROFILE_FREQUENCY_DISTRIBUTION_COLUMNS
_SYS_TASK,PROFILE_FREQUENCY_DISTRIBUTION_RESULT
_SYS_TASK,PROFILE_METADATA_COLUMNS
_SYS_TASK,PROFILE_METADATA_RESULT
_SYS_TASK,PROFILE_SEMANTIC_COLUMNS
_SYS_TASK,PROFILE_SEMANTIC_RESULT
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
19 rows selected (overall time 112.513 msec; server time 3089 usec)
hdbsql=> create table t123(id int, col2 varchar(32))
0 rows affected (overall time 23.342 msec; server time 4584 usec)
hdbsql=> insert into t123 values(1, 'wang'), (2, 'zhou');
* 257: sql syntax error: incorrect syntax near ",": line 1 col 35 (at pos 35) SQLSTATE: HY000
hdbsql=> insert into t123 values(1, 'wang');
1 row affected (overall time 24.532 msec; server time 2736 usec)
hdbsql=> insert into t123 SELECT n.ELEMENT_NUMBER as t, 'test' from SERIES_GENERATE_DECIMAL(1,0,1000) n;
1000 rows affected (overall time 27.541 msec; server time 2176 usec)
hdbsql=> select count(*) from t123;
COUNT(*)
1001
1 row selected (overall time 40.331 msec; server time 331 usec)
