Early Access: The content on this website is provided for informational purposes only in connection with pre-General Availability Qlik Products.
All content is subject to change and is provided without warranty.
Skip to main content Skip to complementary content
Qlik Resources
Search
Loading SearchUnify's search If you need assistance with your product, please contact Qlik Support.
Qlik Customer Portal

Setting general connection properties

You can add a SAP HANA endpoint to Qlik Replicate to use as a source. For more information on how to add endpoints, see Defining and managing endpoints.

You can connect to the SAP HANA database directly or via SAP Application Server.

To add a SAP HANA source endpoint to Qlik Replicate:

  1. In the Qlik Replicate console, click Manage Endpoint Connections to open the Manage Endpoints Connections dialog box.
  2. In the Name field, type a name for your database. This can be any name that will help to identify the database being used.
  3. In the Description field, optionally enter a description that helps to identify the SAP HANA database.

  4. Select Source as the database role.

    You can do this step before any of the other steps if you want, however before you can continue with the next step in this process, you must select the database role.

  5. Select SAP HANA as the database Type.

    Information note

    When this endpoint is used as a duplicated source in a Log Stream Staging setup, select the Read changes from log stream staging folder check box and then select the relevant Log Stream Staging task from the drop-down list.

    For information on setting up and managing Log Stream Staging tasks, see Using the Log Stream.

  6. Continue from Settings when connecting to SAP HANA directly or Settings when connecting to SAP HANA via SAP Application Server, according to your connection method.

Settings when connecting to SAP HANA directly

  1. In the Server field, specify the IP address or host name of the SAP HANA database server.

    To connect to a High Availability Cluster, specify all of the cluster nodes and port numbers in the Server field. The nodes should be separated by a comma.

    Example:

    12.12.1.123:3033,12.12.1.124:3034

  2. In the Instance number field, enter the instance number of the SAP HANA database with the source tables.

  3. Select either Single tenant or Multi tenant according to your Database architecture. If you selected Multi tenant, enter the source Database name.

  4. Enter the Username and Password required to access the SAP HANA database. If you do not know this information, see your SAP HANA database Administrator (DBA).

    Information note

      This information is case sensitive.

  5. To connect to SAP HANA using SSL, in the Security section, do the following:

    1. Select the Enable SSL check box.

    2. In the Crypto provider field, select your cryptographic library provider from the drop-down list.

    3. In the Keystore file field, enter the file path to the SSL Keystore file that contains the client identity.

    4. In the Truststore file field, enter the file path to your SSL Truststore file that contains the server’s public certificates.

    5. In the Server host name in certificate field, enter the name of the server host specified in the server certificate. This verifies the identity of the server, rather than the host name with which the connection was established. If you specify * as the host name, the server host name is not validated.

    6. In the Server name indication field, enter the name of the SSL server.

    7. To validate your SSL certificate, select the Validate certificate check box. This step is optional, but strongly recommended for security reasons.

    Information note

    To connect to SAP HANA using SSL, the client must be configured to authenticate the SSL server certificate. For more information, see Prerequisites when accessing SAP HANA directly.

  6. Click Test Connection to verify that the specified settings are correct.

Settings when connecting to SAP HANA via SAP Application Server

This section describes how to set up connection parameters for a specific SAP Application server or for a SAP Application system using load balancing.

Connecting to a specific SAP Application Server

To connect to a specific SAP Application Server:

  1. From the Connection mode drop-down list, select Connect to a specific SAP server.
  2. In the Server name field, enter the IP address of the Application Server on which the SAP Application source is located.
  3. In the Instance number field, enter the instance number of the SAP Application source you want to replicate.
  4. In the Client field, enter the System ID of the SAP Application source you want to replicate.

  5. Enter your credentials (User Name, Password) for accessing the SAP Application source.

    Information noteThese are the credentials for the communication user created earlier in SAP.
  6. Click Test Connection to verify that the specified settings are correct.

Connecting to a SAP system using load balancing

To connect to a SAP Application Server using load balancing:

  1. From the Connection mode drop-down list, select Connect to a load balancing SAP server.
  2. In the Message server field, enter the host name or IP address of the message server host.
  3. In the Application servers group name field, enter the name of the SAP server group. This is an optional group of application servers in a load balancing connection.
  4. In the SAP system name field, enter the SAP R/3 name.

  5. In the Message server service field, enter the name of the SAP message server service as specified in the following file:

    <system drive>:\WINDOWS\system32\drivers\etc\services

    If you do not specify a value, the Data Provider for SAP uses the following default name:

    sapms<R/3 system name>

  6. In the Client field, enter the System ID of the SAP Application source you want to replicate.

  7. Enter your credentials (Username, Password) for accessing the SAP Application source.

    These are the credentials for the communication user created earlier in SAP.

  8. Click Test Connection to verify that the specified settings are correct.

Security

In the Security settings, you can configure Secure Network Communication (SNC).

Prerequisites for working with SNC

Follow the steps below to install the Secure Network Communication (SNC) client on the Replicate machine.

What you need:

  • An exported certificate (.crt) of the SAP server. Export the certificate as follows:
    1. Log into the SAP system.
    2. Run STRUST transaction.
    3. Select SNC SAPCryptolib.
    4. Select the subject under Own Certificate.
    5. Click the Display > Change option, and select Export certificate.
    6. From the Certificate section, choose the type and save the file.
  • SAPCAR.EXE
  • SAP user (authorized customer)
  • The version of the crypto library which is installed on the corresponding SAP server

Installing the SNC client

  1. Create a workspace folder for the SAP SNC files and binaries (hereafter referred to as "your SNC folder"), for example: "C:\snc\"
  2. Copy the exported server certificate and SAPCAR.EXE to your SNC folder.
  3. Go to https://support.sap.com/en/my-support/software-downloads.html and search for SAPCRYPTOLIB under Installations & Upgrades. Download the 64-bit .SAR to your SNC folder.

  4. Open a command prompt and change the working directory to your SNC folder. Then run the following command to unpack the content of the .SAR to your SNC folder:

    sapcar -xvf LibName.sar

    Example:

    sapcar -xvf SAPCRYPTOLIBP_8541-20011731_32.SAR

  5. Add system environment variables as follows:
    1. Add a system environment called SECUDIR with the path to your SNC folder as its value.
    2. Add a system environment variable called QLIK_SNC_LIB with the path to the sapcrypto.dll file as its value.
    3. Add the newly added environment variables to the "PATH" environment variable.

  6. Determine the <PSE_File_Name> and choose a <PSE_PIN> to protect it. You will need to provide this information in the next steps.

    Example:

    pseName: "CN=USR,OU=SAP,O=Qlik,C=IS" password: password123

  7. Determine the <SNC_NAME>. It should look something like this: CN=USR, OU=SAP, O=Qlik, C=IS

    See also Determining the server SNC name below.

  8. Make sure you have the required permissions to access and execute the files in the SECUDIR folder, and then run the following command to generate the PSE file:

    sapgenpse get_pse -p <PSE_File_Name>.pse -x <PSE_PIN> <SNC_NAME>

    Example:

    sapgenpse get_pse -p usr.pse -x password123 "CN=USR,OU=SAP,O=Qlik,C=IS"

  9. Bind the PSE file with the OS user and create the CRED_V2 file in SECUDIR folder as follows:
    1. Make a note of the OS user under which Replicate is running:
      • Windows: Open the Services console and double-click the QlikReplicate Server service to open the properties dialog. Look in the Log On tab.
      • Linux: Run the ps aux command.

    2. Run the following command:

      sapgenpse seclogin -p <PSE_File_Name>.pse -x <PSE_PIN> -O <OS_USER>

      Example:

      sapgenpse seclogin -p usr.pse -x password123 -O SYSTEM

  10. Generate the CRT file by executing the following command:

    sapgenpse export_own_cert -o <PSE_File_Name>.crt -p <PSE_File_Name>.pse -x <PSE_PIN>

    Example:

    sapgenpse export_own_cert -o usr.crt -p usr.pse -x password123

  11. Import the SAP Application Server Certificate (<SERVER_CRT>) to the PSE by executing the following command:

    sapgenpse maintain_pk -a <SERVER_CRT>.crt -p <PSE_File_Name>.pse -x <PSE_PIN>

    Example:

    sapgenpse maintain_pk -a sapsys.crt -p usr.pse -x password123

  12. To verify that the DN of the SAP Server’s PSE was imported into the client, run the following command and then check the "subject" value:

    sapgenpse maintain_pk -v -l -p <PSE_File_Name>.pse

    Example:

    sapgenpse maintain_pk -v -l -p usr.pse

Importing the client certificate

  1. Connect to the SAP Application Server and navigate to the "STRUST" transaction using an authorized user.
  2. Double-click the SNC (SAPCryptolib) folder.
  3. Click Display-chang button to switch to Change view.
  4. Click Certificate import button to import the certificate.
  5. In the new dialog, enter the path to the .crt file that was created earlier, then click continue.
  6. Verify the details of the certificate in the Certificate section.
  7. Click Add to Certificate List to add the certificate to the list.
  8. Save the changes.

Determining the server SNC name

There are two ways you can determine the server name:

  • Method 1: Decrypt the server CRT file using the OpenSSL command. The server name will be part of the subject.
  • Method 2: This method requires appropriate permissions. While connected to the system:
    1. Run the RZ10 transaction.
    2. Select the system profile.

    3. Select the Extended Maintenance option and then click Display.

    4. The value of the snc/identity/as parameter should be the SNC name.

Connection settings

Configure the SNC settings in the SAP HANA endpoint as follows:

  • Activate Secure Network Communication: Select to turn on SNC.

  • SNC name: The SNC partner name.

    Example:

    p:CN=SYS, OU=SAP, O=Qlik, C=IS

  • SNC quality of protection - Select one of the following:
    • Authentication only: Select to verify the identity of the SAP Application machine. This is the minimum protection level offered by SNC.
    • Integrity protection: Select to detect any changes or manipulation of the data, which might have occurred between the Replicate machine and the SAP Application machine.
    • Privacy protection: Select to encrypt the messages being transferred to prevent eavesdropping. Privacy protection also includes integrity protection. This is the maximum level of protection provided by SNC.
    • Maximum security available: The maximum level of data protection supported by the SAP Application machine.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!

Leave your feedback here