SAP HANA Authentication
The Qualytics SAP HANA connector authenticates with basic credentials: a HANA database username and password supplied directly to the connection. There is no IAM role, Kerberos, or SAML option in the connection form. The same flow is used for HANA Cloud and for on-premises HANA.
Basic Authentication
The connection user is a HANA database user created inside the tenant database you want to monitor. Qualytics passes the credentials to the SAP HANA JDBC driver, which opens a TLS-encrypted session against the HANA endpoint.
| Field | Description |
|---|---|
| Username | HANA database user (e.g., QUALYTICS_READER). Treat as case-insensitive; HANA stores unquoted names in upper case. |
| Password | The HANA user's password. Stored encrypted in Qualytics and never echoed back in the UI or API responses. |
Grant the user the minimum privileges listed in SAP HANA Permissions. Avoid sharing administrative HANA users (such as SYSTEM) with Qualytics; create a dedicated read-only user instead.
TLS and Certificate Validation
The HANA JDBC driver is invoked with encrypt=true and validateCertificate=true. The driver:
- Opens a TLS handshake against the HANA endpoint.
- Validates the server certificate.
- Aborts the connection if validation fails.
This is the same behavior SAP recommends for production deployments and the only mode supported by HANA Cloud.
Disabling encryption via API
The controlplane accepts an encrypt parameter on the connection payload (encrypt=false) for on-premises HANA deployments that require an unencrypted SQL channel. The UI form does not expose this toggle; it can be set only through the API, and should be used only when your security policy explicitly allows it.
Host, Port, and Tenant Database
The connector builds the JDBC URL from the Host, Port, and Database fields you provide:
jdbc:sap://<host>:<port>/?encrypt=true&validateCertificate=true[&databaseName=<tenant>]&currentschema=<schema>
| Field | HANA Cloud | On-Premises |
|---|---|---|
| Host | The Cloud endpoint URL provided by SAP (e.g., xxxxxxxx.hna1.prod-us10.hanacloud.ondemand.com). The tenant is encoded inside this hostname. | The hostname or IP of the HANA system (e.g., hana-prod.acme.internal). |
| Port | 443 (TLS-only). | The SQL port of the target tenant. For a single-container or system database, this is 3<instance>15 (e.g., 39015). For a tenant database in a multi-container deployment, use the tenant's SQL port (commonly 30041, 30043, etc.). |
| Database | Leave blank. The tenant is encoded in the hostname. | Optional. Set to the tenant database name when connecting to a multi-tenant container that does not encode the tenant in the port. |
Default port
The connection form defaults to 443 (suitable for HANA Cloud). For on-premises HANA, override the port to the value used by your tenant. Pointing at the wrong port returns "Cannot connect to jdbc:sap://...: connection refused", or a TLS error if the port belongs to a non-SQL service.
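A pre-flight check for connection settings, built from the field rules above. This is an added example, not Qualytics code: the dictionary keys, the function names, the hostname-suffix test for HANA Cloud, and the character allow-list are assumptions made for illustration.

```python
import re

CLOUD_SUFFIX = ".hanacloud.ondemand.com"  # assumption: taken from the page's example host
# Assumption: a conservative allow-list, so a field value cannot carry '&', '=',
# '?' or '/' and append its own driver options (it also rejects quoted names).
SAFE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def build_jdbc_url(host, port, schema, database=None):
    """Build the URL in the documented shape, refusing values that could alter it."""
    for name, value in (("host", host), ("schema", schema), ("database", database)):
        if value and not SAFE.match(value):
            raise ValueError(f"{name} contains characters not allowed in the JDBC URL")
    if not schema:
        raise ValueError("schema is required")
    url = f"jdbc:sap://{host}:{int(port)}/?encrypt=true&validateCertificate=true"
    if database:
        url += f"&databaseName={database}"
    return url + f"&currentschema={schema}"


def audit(conn):
    """Return findings for a connection dict (hypothetical keys, not the Qualytics schema)."""
    findings = []
    cloud = conn["host"].lower().endswith(CLOUD_SUFFIX)
    if conn.get("username", "").upper() == "SYSTEM":
        findings.append("administrative user SYSTEM; use a dedicated read-only user")
    if conn.get("encrypt", True) is False:
        findings.append("encrypt=false is not supported by HANA Cloud" if cloud
                        else "encrypt=false: unencrypted SQL channel, needs policy approval")
    if cloud and conn["port"] != 443:
        findings.append("HANA Cloud endpoints use port 443")
    if cloud and conn.get("database"):
        findings.append("leave Database blank for HANA Cloud; tenant is in the hostname")
    if not cloud and conn["port"] == 443:
        findings.append("port 443 is the form default; on-premises needs the tenant SQL port")
    return findings


# Constructed sample connections, for illustration only
ONPREM = {"host": "hana-prod.acme.internal", "port": 443, "username": "system",
          "encrypt": False, "database": "TENANT1", "schema": "SALES"}
CLOUD = {"host": "xxxxxxxx.hna1.prod-us10.hanacloud.ondemand.com", "port": 443,
         "username": "QUALYTICS_READER", "schema": "SALES"}

if __name__ == "__main__":
    for c in (ONPREM, CLOUD):
        print(c["host"], audit(c) or "ok")
```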
Schema Selection
The Schema field is required. HANA does not have a catalog-above-schema hierarchy, so the schema is the unit of discovery. The connection user must hold SELECT on the chosen schema (or on the underlying objects) for tables to appear in the Container dropdown after the datastore is created.
The Add New Connection flow supports picking more than one schema in a single operation. When you do, Qualytics creates a separate source datastore per schema, reusing the same connection.
Updating credentials
When the HANA password changes, update the connection via Settings → Connections or the API and click Test Connection to confirm the new credentials work before the next scheduled job runs. Qualytics does not refresh HANA credentials automatically; failed jobs after a password change indicate the connection still holds the old password.