近期客户为满足安全要求,提出了让业务应用通过 SSL 方式连接 SAP HANA 数据库的需求。本人查阅 SAP 官方文档后发现数据库支持 SSL 连接,只需把相关参数直接加到 JDBC 的 URL 后面即可。为了便于验证,写了个 JDBC 的 demo,在此记录一二。

准备工作

JdbcTest.java

import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
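import java.util.Properties;

/**
 * Minimal JDBC connectivity check: reads the driver class, URL and credentials from
 * {@code jdbc.properties} (looked up next to this class on the classpath), opens one
 * connection and closes it again.
 *
 * <p>Transport security is not configured in this class; it depends entirely on the
 * parameters carried in the {@code jdbcUrl} property.
 */
public class JdbcTest {

    /**
     * Opens a connection using the settings in {@code jdbc.properties}.
     *
     * @return the open connection, or {@code null} when the driver class cannot be loaded or
     *         the driver reports an {@link SQLException} (the stack trace is printed)
     * @throws FileNotFoundException if {@code jdbc.properties} is not on the classpath
     * @throws IOException if the properties file cannot be read
     */
    public static Connection getConnection() throws FileNotFoundException, IOException {
        Properties prop = new Properties();
        // try-with-resources closes the stream even when load() fails; a null resource is allowed.
        try (InputStream in = JdbcTest.class.getResourceAsStream("jdbc.properties")) {
            if (in == null) {
                // Fail with the declared exception instead of a NullPointerException from load(null).
                throw new FileNotFoundException("jdbc.properties not found on the classpath next to JdbcTest");
            }
            prop.load(in);
        }

        try {
            Class.forName(prop.getProperty("jdbcDriver"));
            // NOTE(review): the URL may carry secrets such as a trust store password; treat any
            // driver output that echoes connection settings as sensitive - confirm for the driver in use.
            return DriverManager.getConnection(
                    prop.getProperty("jdbcUrl"),
                    prop.getProperty("username"),
                    prop.getProperty("password"));
        } catch (ClassNotFoundException | SQLException e) {
            // The full trace is kept on purpose: TLS trust failures surface as nested causes.
            e.printStackTrace();
            return null;
        }
    }

    /**
     * Closes the given connection if there is one and reports that it was closed.
     *
     * @param conn connection to close; {@code null} is ignored
     */
    public static void releaseConnection(Connection conn) {
        if (conn == null) {
            return;
        }
        try {
            conn.close();
            System.out.println("Connection has closed");
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }

    /**
     * Runs the connectivity check once: connect, report success, disconnect.
     *
     * @param args unused
     */
    public static void main(String[] args) throws FileNotFoundException, IOException {
        Connection conn = getConnection();
        if (conn != null) {
            System.out.println("Connection has establish");
        }
        releaseConnection(conn);
    }
}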

jdbc.properties

# JDBC driver class; JdbcTest loads it by name with Class.forName.
jdbcDriver=com.sap.db.jdbc.Driver
# encrypt=true asks the driver for a TLS connection; trustStore / trustStorePassword point it at the
# keystore file produced by InstallCert ("changeit" is the passphrase InstallCert uses when none is given).
# NOTE(review): confirm that server certificate validation (validateCertificate) is left enabled for the
# driver version in use, and consider hostNameInCertificate if the certificate name differs from the host in the URL.
jdbcUrl=jdbc:sap://10.2.42.15:30015/?databaseName=Q15&encrypt=true&trustStore=/deployments/SSL/jssecacerts&trustStorePassword=changeit
# Demo credentials as published with the article, stored in plaintext: keep this file readable only by the
# account that runs the test and do not reuse these values for a real database user.
username=test
password=ABCabc123

InstallCert.java

/*
* Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Sun Microsystems nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* Originally from:
* http://blogs.sun.com/andreas/resource/InstallCert.java
* Use:
* java InstallCert hostname
* Example:
*% java InstallCert ecc.fedora.redhat.com
*/ import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate; /**
* Class used to add the server's certificate to the KeyStore
* with your trusted certificates.
*/
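public class InstallCert {

    /** Lower-case hexadecimal digits used when printing certificate fingerprints. */
    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    /**
     * Connects to {@code <host>[:port]} over TLS, prints the certificate chain the server
     * presented and, on request, adds one of those certificates to a keystore written to
     * {@code jssecacerts} in the current directory.
     *
     * <p>The port defaults to 443 and the keystore passphrase to {@code changeit} when they
     * are not given. The certificate offered for import is simply the one received on this
     * connection, so the printed fingerprint should be compared with a value obtained from the
     * server's administrator through a separate channel before it is added.
     *
     * @param args {@code <host>[:port] [passphrase]}
     * @throws Exception on keystore, I/O or TLS setup failures other than the handshake itself
     */
    public static void main(String[] args) throws Exception {
        String host;
        int port;
        char[] passphrase;
        if ((args.length == 1) || (args.length == 2)) {
            String[] c = args[0].split(":");
            host = c[0];
            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
            String p = (args.length == 1) ? "changeit" : args[1];
            passphrase = p.toCharArray();
        } else {
            System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
            return;
        }

        File file = locateKeyStore();
        System.out.println("Loading KeyStore " + file + "...");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        // try-with-resources: the stream is closed even when the passphrase is wrong.
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, passphrase);
        }

        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
        // The wrapper records the presented chain and then delegates, so validation is unchanged.
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        context.init(null, new TrustManager[] {tm}, null);
        SSLSocketFactory factory = context.getSocketFactory();

        System.out.println("Opening connection to " + host + ":" + port + "...");
        // The socket is closed on every path, including a failed handshake.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(10000);
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            System.out.println();
            System.out.println("No errors, certificate is already trusted");
        } catch (SSLException e) {
            // Expected when the server certificate is not trusted yet; the chain was still captured.
            System.out.println();
            e.printStackTrace(System.out);
        }

        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }

        // System.in is deliberately not closed.
        BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
        printChain(chain);

        System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
        String line = reader.readLine();
        if (line == null) {
            // End of input (for example a closed or redirected stdin): nothing was chosen.
            System.out.println("KeyStore not changed");
            return;
        }
        line = line.trim();
        int k;
        try {
            k = line.isEmpty() ? 0 : Integer.parseInt(line) - 1;
        } catch (NumberFormatException e) {
            System.out.println("KeyStore not changed");
            return;
        }
        if (k < 0 || k >= chain.length) {
            // A number outside the printed list would otherwise fail with an array index error.
            System.out.println("KeyStore not changed");
            return;
        }

        X509Certificate cert = chain[k];
        String alias = host + "-" + (k + 1);
        ks.setCertificateEntry(alias, cert);
        try (OutputStream out = new FileOutputStream("jssecacerts")) {
            ks.store(out, passphrase);
        }

        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out.println("Added certificate to keystore 'jssecacerts' using alias '" + alias + "'");
    }

    /**
     * Picks the keystore to start from: {@code jssecacerts} in the current directory, else
     * {@code jssecacerts} under {@code ${java.home}/lib/security}, else {@code cacerts} there.
     */
    private static File locateKeyStore() {
        File local = new File("jssecacerts");
        if (local.isFile()) {
            return local;
        }
        char sep = File.separatorChar;
        File dir = new File(System.getProperty("java.home") + sep + "lib" + sep + "security");
        File candidate = new File(dir, "jssecacerts");
        return candidate.isFile() ? candidate : new File(dir, "cacerts");
    }

    /**
     * Prints subject, issuer and fingerprints of every certificate in the chain. SHA-256 is
     * printed in addition to SHA-1 and MD5 so the value can be checked against a fingerprint
     * supplied by the server's administrator.
     */
    private static void printChain(X509Certificate[] chain)
            throws java.security.GeneralSecurityException {
        System.out.println();
        System.out.println("Server sent " + chain.length + " certificate(s):");
        System.out.println();
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            byte[] encoded = cert.getEncoded();
            System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectDN());
            System.out.println(" Issuer " + cert.getIssuerDN());
            System.out.println(" sha256 " + toHexString(sha256.digest(encoded)));
            System.out.println(" sha1 " + toHexString(sha1.digest(encoded)));
            System.out.println(" md5 " + toHexString(md5.digest(encoded)));
            System.out.println();
        }
    }

    /** Formats bytes as two lower-case hex digits each, every byte followed by a space. */
    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    /**
     * Trust manager that remembers the chain passed to {@link #checkServerTrusted} and then
     * delegates the actual decision to the wrapped trust manager.
     */
    private static class SavingTrustManager implements X509TrustManager {

        private final X509TrustManager tm;
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // Returns an empty array instead of throwing UnsupportedOperationException, following
            // the resolution advised for Java 1.7+:
            // http://infposs.blogspot.kr/2013/06/installcert-and-java-7.html
            return new X509Certificate[0];
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // Record first, so the chain is available even when validation fails below.
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }
}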

将这三个文件和 ngdbc-2.4.70.jar 上传到服务器目录 /deployments/SSL,执行编译命令:

# Compile both helper classes in the upload directory.
cd /deployments/SSL
# No -cp is needed here: JdbcTest imports only java.* types and loads the driver class by name at run time.
javac JdbcTest.java
javac InstallCert.java

此时目录中会有三个class文件(有个内部类):

$ ls
InstallCert.class InstallCert$SavingTrustManager.class JdbcTest.class ngdbc-2.4.70.jar
InstallCert.java jdbc.properties JdbcTest.java

导入证书

执行 java InstallCert <域名 或 IP>[:端口号],根据提示输入 1 导入证书。公钥证书是从数据库端返回的,会被工具类转换成 Java 程序能识别的证书格式(JKS),并输出到当前目录下的 jssecacerts。注意:这张证书是工具在握手时直接从所连接的服务器取得的,输入 1 之前应先把工具打印出的证书指纹与数据库管理员通过其他渠道提供的指纹核对一致,再将其加入信任库。后边要做的就是在 JDBC 连接地址上添加这个证书文件的绝对路径,使用证书加密连接数据库。

SAP 技术支持人员提供的证书有问题,证书里签发的 hostname 与实际连接使用的 hostname 不一致,导致他们给的 cer 证书导入系统后报错如下:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

引起这个报错的原因不大好定位,使用 InstallCert.java 导入证书时会很清晰地提示证书有问题,而且也不需要额外上传 cer 证书 再执行 keytool 导入证书命令。

验证连接

修改 jdbc.properties,执行 java -cp ".:ngdbc-2.4.70.jar" JdbcTest ,当出现如下输出而不是报错即连接测试通过。

$ java JdbcTest
Connection has closed
Connection has establish

参考资料:
