近期客户为满足安全要求,提了让业务应用使用 SSL 方式连接 SAP HANA 数据库的需求。本人查询 SAP官方文档 发现数据库支持 SSL 连接,有参数直接加到 JDBC 的 URL 后边就行了,为了便于验证写了个 JDBC 的 demo,在此处记录一二。

准备工作

JdbcTest.java

import java.io.FileNotFoundException;

import java.io.IOException;

import java.io.InputStream;

import java.sql.Connection;

import java.sql.DriverManager;

import java.sql.SQLException;

import java.util.Properties;

public class JdbcTest {

    public static Connection getConnection() throws FileNotFoundException, IOException {

        Connection conn = null;

        Properties prop = new Properties();

        try {

            InputStream in = JdbcTest.class.getResourceAsStream("jdbc.properties");

            prop.load(in);

            Class.forName(prop.getProperty("jdbcDriver"));

            //@formatter:off

            conn = (Connection) DriverManager.getConnection(

                    prop.getProperty("jdbcUrl"),

                    prop.getProperty("username"),

                    prop.getProperty("password"));

            //@formatter:on

        } catch (ClassNotFoundException | SQLException e) {

            e.printStackTrace();

        }

        return conn;

    }

    public static void releaseConnection(Connection conn) {

        try {

            if (conn != null) {

                conn.close();

                System.out.println("Connection has closed");

            }

        } catch (SQLException e) {

            e.printStackTrace();

        }

    }

    public static void main(String[] args) throws FileNotFoundException, IOException {

        Connection conn = getConnection();

        if (conn != null)

            System.out.println("Connection has establish");

        releaseConnection(conn);

    }

}

jdbc.properties

jdbcDriver=com.sap.db.jdbc.Driver

jdbcUrl=jdbc:sap://10.2.42.15:30015/?databaseName=Q15&encrypt=true&trustStore=/deployments/SSL/jssecacerts&trustStorePassword=changeit

username=test

password=ABCabc123

InstallCert.java

/*

 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 *

 *   - Redistributions of source code must retain the above copyright

 *     notice, this list of conditions and the following disclaimer.

 *

 *   - Redistributions in binary form must reproduce the above copyright

 *     notice, this list of conditions and the following disclaimer in the

 *     documentation and/or other materials provided with the distribution.

 *

 *   - Neither the name of Sun Microsystems nor the names of its

 *     contributors may be used to endorse or promote products derived

 *     from this software without specific prior written permission.

 *

 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS

 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,

 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR

 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING

 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 */

/**

 * Originally from:

 * http://blogs.sun.com/andreas/resource/InstallCert.java

 * Use:

 * java InstallCert hostname

 * Example:

 *% java InstallCert ecc.fedora.redhat.com

 */

import javax.net.ssl.*;

import java.io.*;

import java.security.KeyStore;

import java.security.MessageDigest;

import java.security.cert.CertificateException;

import java.security.cert.X509Certificate;

/**

 * Class used to add the server's certificate to the KeyStore

 * with your trusted certificates.

 */

public class InstallCert {

    public static void main(String[] args) throws Exception {

        String host;

        int port;

        char[] passphrase;

        if ((args.length == 1) || (args.length == 2)) {

            String[] c = args[0].split(":");

            host = c[0];

            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);

            String p = (args.length == 1) ? "changeit" : args[1];

            passphrase = p.toCharArray();

        } else {

            System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");

            return;

        }

        File file = new File("jssecacerts");

        if (file.isFile() == false) {

            char SEP = File.separatorChar;

            File dir = new File(System.getProperty("java.home") + SEP

                    + "lib" + SEP + "security");

            file = new File(dir, "jssecacerts");

            if (file.isFile() == false) {

                file = new File(dir, "cacerts");

            }

        }

        System.out.println("Loading KeyStore " + file + "...");

        InputStream in = new FileInputStream(file);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

        ks.load(in, passphrase);

        in.close();

        SSLContext context = SSLContext.getInstance("TLS");

        TrustManagerFactory tmf =

                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

        tmf.init(ks);

        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];

        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);

        context.init(null, new TrustManager[]{tm}, null);

        SSLSocketFactory factory = context.getSocketFactory();

        System.out.println("Opening connection to " + host + ":" + port + "...");

        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        socket.setSoTimeout(10000);

        try {

            System.out.println("Starting SSL handshake...");

            socket.startHandshake();

            socket.close();

            System.out.println();

            System.out.println("No errors, certificate is already trusted");

        } catch (SSLException e) {

            System.out.println();

            e.printStackTrace(System.out);

        }

        X509Certificate[] chain = tm.chain;

        if (chain == null) {

            System.out.println("Could not obtain server certificate chain");

            return;

        }

        BufferedReader reader =

                new BufferedReader(new InputStreamReader(System.in));

        System.out.println();

        System.out.println("Server sent " + chain.length + " certificate(s):");

        System.out.println();

        MessageDigest sha1 = MessageDigest.getInstance("SHA1");

        MessageDigest md5 = MessageDigest.getInstance("MD5");

        for (int i = 0; i < chain.length; i++) {

            X509Certificate cert = chain[i];

            System.out.println

                    (" " + (i + 1) + " Subject " + cert.getSubjectDN());

            System.out.println("   Issuer  " + cert.getIssuerDN());

            sha1.update(cert.getEncoded());

            System.out.println("   sha1    " + toHexString(sha1.digest()));

            md5.update(cert.getEncoded());

            System.out.println("   md5     " + toHexString(md5.digest()));

            System.out.println();

        }

        System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");

        String line = reader.readLine().trim();

        int k;

        try {

            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;

        } catch (NumberFormatException e) {

            System.out.println("KeyStore not changed");

            return;

        }

        X509Certificate cert = chain[k];

        String alias = host + "-" + (k + 1);

        ks.setCertificateEntry(alias, cert);

        OutputStream out = new FileOutputStream("jssecacerts");

        ks.store(out, passphrase);

        out.close();

        System.out.println();

        System.out.println(cert);

        System.out.println();

        System.out.println

                ("Added certificate to keystore 'jssecacerts' using alias '"

                        + alias + "'");

    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {

        StringBuilder sb = new StringBuilder(bytes.length * 3);

        for (int b : bytes) {

            b &= 0xff;

            sb.append(HEXDIGITS[b >> 4]);

            sb.append(HEXDIGITS[b & 15]);

            sb.append(' ');

        }

        return sb.toString();

    }

    private static class SavingTrustManager implements X509TrustManager {

        private final X509TrustManager tm;

        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {

            this.tm = tm;

        }

        public X509Certificate[] getAcceptedIssuers() {

	    /**

	     * This change has been done due to the following resolution advised for Java 1.7+

		http://infposs.blogspot.kr/2013/06/installcert-and-java-7.html

       	     **/ 

	    return new X509Certificate[0];

            //throw new UnsupportedOperationException();

        }

        public void checkClientTrusted(X509Certificate[] chain, String authType)

                throws CertificateException {

            throw new UnsupportedOperationException();

        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)

                throws CertificateException {

            this.chain = chain;

            tm.checkServerTrusted(chain, authType);

        }

    }

}

将这三个文件和 ngdbc-2.4.70.jar 上传到服务器目录 /deployments/SSL,执行编译命令:

cd /deployments/SSL

javac JdbcTest.java

javac InstallCert.java

此时目录中会有三个class文件(有个内部类):

$ ls

InstallCert.class  InstallCert$SavingTrustManager.class  JdbcTest.class  ngdbc-2.4.70.jar

InstallCert.java   jdbc.properties                       JdbcTest.java

导入证书

执行 java InstallCert <域名 或 IP>[:端口号],根据提示输入 1 导入证书,公钥证书文件是从数据库端返回的,会被工具类转换成 Java 程序能识别的证书格式(JKS),输出证书到当前目录下的 jssecacerts,后边要做的就是在 JDBC 连接地址上添加这个证书的绝对位置,使用证书加密连接数据库。

SAP 技术支持人员提供的证书有问题,hostname 与 证书里签得不一样,导致他们给的 cer 证书导入系统后报错如下:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

引起这个报错的原因不大好定位,使用 InstallCert.java 导入证书时会很清晰地提示证书有问题,而且也不需要额外上传 cer 证书 再执行 keytool 导入证书命令。

验证连接

修改 jdbc.properties,执行 java -cp ".:ngdbc-2.4.70.jar" JdbcTest ,当出现如下输出而不是报错即连接测试通过。

$ java JdbcTest

Connection has closed

Connection has establish

参考资料:

使用 SSL 加密的 JDBC 连接 SAP HANA 数据库的更多相关文章

  1. 使用ABAP(ADBC)和Java(JDBC)连接SAP HANA数据库

    在表DBCON里维护一条记录,指向HANA数据库.con_ENV里填入HANA数据库的主机名和端口号.如vmXXXX:30015 DATA: ls_new TYPE DBCON. ls_new-con ...

  2. 【HANA系列】SAP 【第一篇】EXCEL连接SAP HANA的方法(ODBC)

    公众号:SAP Technical 本文作者:matinal 原文出处:http://www.cnblogs.com/SAPmatinal/ 原文链接:[HANA系列]SAP [第一篇]EXCEL连接 ...

  3. 【HANA系列】SAP 【第二篇】EXCEL连接SAP HANA的方法(ODBC)

    公众号:SAP Technical 本文作者:matinal 原文出处:http://www.cnblogs.com/SAPmatinal/ 原文链接:[HANA系列]SAP [第二篇]EXCEL连接 ...

  4. 如何使用命令行备份SAP HANA数据库

    SAP HANA是一个在in-memory内存中的数据平台,部署为内部部署应用. 这是一个革命性的平台,它最适合进行实时分析,并开发和部署实时应用程序. 请点击这里了解更多有关SAP HANA. 通过 ...

  5. 利用Veeam保护SAP HANA数据库

    利用Veeam保护SAP HANA数据库 前言 针对越来越多的SAP HANA备份需求,我们Team翻译.整理.借鉴了Veeam 的SAP HANA 大神 Clemens Zerbe 和 Ali Sa ...

  6. JDBC连接sql server数据库及其它

    JDBC连接sql server数据库的步骤如下: 1.加载JDBC驱动程序: 在连接数据库之前,首先要加载想要连接的数据库的驱动到JVM(Java虚拟机), 这通过java.lang.Class类的 ...

  7. JDBC连接sql server数据库的详细步骤和代码

    JDBC连接sql server数据库的详细步骤和代码 JDBC连接sql server数据库的步骤如下: 1.加载JDBC驱动程序: 在连接数据库之前,首先要加载想要连接的数据库的驱动到JVM(Ja ...

  8. 用JDBC连接SQL Server2017数据库

    用JDBC连接SQL Server2017数据库 2018年03月26日 17:40:47 yasinzhang 阅读数:8346 安装完SQL server2017之后,选择SQL 身份验证登录,可 ...

  9. Java使用JDBC连接SQL Server数据库|实现学生成绩信息系统

    Java实验四 JDBC 使用SQL Server数据库或者MySQL数据库各自的客户端工具,完成如下任务: (1)创建数据库students: (2)在数据students中创建表scores,包括 ...

随机推荐

  1. Fillder抓包配置

    Faillder设置,完成以下设置后重启Fillder Fillder工具配置 设置端口 端口设置 (根据公司限制使用范围内的端口) 设置是否远程连接 勾选Decrypt HTTPS traffic ...

  2. [转载]CentOS 7 创建本地YUM源

    本文中的"本地YUM源"包括三种类型:一是直接使用CentOS光盘作为本地yum源,优点是简单便捷,缺点是光盘软件包可能不完整(centos 7 Everything 总共才6.5 ...

  3. ARC106E-Medals【hall定理,高维前缀和】

    正题 题目链接:https://atcoder.jp/contests/arc106/tasks/arc106_e 题目大意 \(n\)个员工,第\(i\)个在\([1,A_i]\)工作,\([A_i ...

  4. NOIP 模拟五 考试总结

    T1string T1开的不错,看到这个题很激动,类似与HEOI2016排序,好像还要更简单一些,于是迅速冲了个桶排.因为洛谷上排序那道题是用桶排水的,所以我觉得没必要打线段树了,极端大数据20秒冲过 ...

  5. NOIP 模拟二 考试总结

    SDOI2015 排序 今天看到这道题,没有一点思路,暴力都没的打...还是理解错题意了,操作不同位置不是说改不同的区间,而是不同操作的顺序...考场上如果知道这个的话最少暴力拿一半啊,因为正解本来就 ...

  6. 从0到1使用Kubernetes系列——Kubernetes入门

    基本概念 Docker 是什么 Docker 起初是 dotCloud 公司创始人 Solomon Hykes 在法国的时候发起的一项公司内部项目,Docker 是基于 dotCloud 公司多年云服 ...

  7. 使用CEF(三)— 从CEF官方Demo源码入手解析CEF架构与CefApp、CefClient对象

    在上文<使用CEF(2)- 基于VS2019编写一个简单CEF样例>中,我们介绍了如何编写一个CEF的样例,在文章中提供了一些代码清单,在这些代码清单中提到了一些CEF的定义的类,例如Ce ...

  8. 题解 「THUPC 2017」小 L 的计算题 / Sum

    题目传送门 题目大意 给出 \(a_{1,2,...,n}\),对于 \(\forall k\in [1,n]\) ,求出: \[\sum_{i=1}^{n}a_i^k \] \(n\le 2\tim ...

  9. hdu3507 斜率优化学习笔记(斜率优化+dp)

    QWQ菜的真实. 首先来看这个题. 很显然能得到一个朴素的\(dp\)柿子 \[dp[i]=max(dp[i],dp[j]+(sum[i]-sum[j])^2) \] 但是因为\(n\le 50000 ...

  10. cf1082D Maximum Diameter Graph(构造+模拟+细节)

    QWQ不得不说 \(cf\)的\(edu\ round\)出这种东西 有点太恶心了 题目大意:给你\(n\)个点,告诉你每个点的最大度数值(也就是说你的度数要小于等于这个),让你构造一个无向图,使其满 ...