How to enable SSL/TSL support for SAP HANA agent

Document ID : KB000115863
Last Modified Date : 26/09/2018
Show Technical Document Details
Having a *.PSE file certificate from SAP for SSL configuration how should you proceed to configure a SAP HANA agent. As is the certificate cannot be imported to java keystore, nor is it  x.509 standard.

Without having SSL/TSL enabled, SAP HANA jobs will fail with error :
SAP DBTech JDBC:  [4321] :  only secure connections are allowed
How should a secure connection from the SQL agent to SAP HANA be set up?
Follow the following steps:
1) Import the certificate in format *.cer to the JDK keystore and restarted DB Service Agent and SQL HANA Agent
- A certificate in *cer can be created by SAP authorized team.
- Certificates can also be converted from *.PSE format  to *.CER format using ' sapgenpse ' command on your Hana server:
sapgenpse get_pse -p <pse filename>.pse -a sha256WithRsaEncryption -s 2048 -noreq -x <password> "<xxx>"

2) Created an SQL Connection Object with type SQL HANA and connection parameters with parameter as ' encrypt ' and value as ' true'.
Secured connectivity can be verified after certificate import manually using the following command from the server :

/opt/uc4/java/jre1.8.0_131/bin/java -jar ngdbc.jar -u <user>,<password> -n <hostname:port> -c "SELECT DATABASE_NAME FROM SYS.M_DATABASES" -o encrypt=true

See also:

3) Execute SQL jobs using the created CONN object instead of login object.

Additional information about connection objects user Generic JDBC:

SAP documentation regarding SSL activation inside the jdbc string (jdbc:sap://::[options] can be found here: And notably here where the Connection Properties are discussed: