ICF 1.5.20.31

SAP HANA Database connector

Before you start

These connector instructions require a SAP HANA Database account with elevated privileges to add roles, system, and application privileges. The following information is required to configure the connector:

Username

Your SAP HANA Database username.

Password

Your SAP HANA Database password.

JDBC Connection URL

The URL to establish the connection between the connector and the SAP HANA Database.

Driver class name

The class name driver path.

For more information, refer to the Connect to SAP HANA via JDBC documentation.

Install the SAP HANA Database connector

To check for an Advanced Identity Cloud application for this connector, refer to:

You can download any connector from Backstage, but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration.

Connector included in default deployment
Connector IDM RCS

SAP HANA Database

No

Yes

Download the connector .jar file from Backstage.

  • If you are running the connector locally, place it in the /path/to/openidm/connectors directory, for example:

    mv ~/Downloads/saphanadb-connector-1.5.20.31.jar /path/to/openidm/connectors/

  • If you are using a remote connector server (RCS), place it in the /path/to/openicf/connectors directory on the RCS.

Download the Sap Hana JDBC driver.

The minimum required JDBC version is 2.16.14.

  • If you are running the connector locally, place the library in the /path/to/openidm/lib/ directory:

    mv ~/Downloads/ngdbc-version.jar /path/to/openidm/lib/

  • If you are using a remote connector server (RCS), place it in the /path/to/openicf/connectors directory on the RCS.

Configure the SAP HANA Database connector

Create a connector configuration using the IDM admin UI:

  1. From the navigation bar, click Configure > Connectors.

  2. On the Connectors page, click New Connector.

  3. On the New Connector page, type a Connector Name.

  4. From the Connector Type drop-down list, select SAP HANA Database Connector - 1.5.20.31.

  5. Complete the Base Connector Details.

    For a list of all configuration properties, refer to SAP HANA Database Connector Configuration

  6. Click Save.

When your connector is configured correctly, the connector displays as Active in the admin UI.

Refer to this procedure to create a connector configuration over REST.

Base connector details

username

The username for logging in to the database.
password

The user password for logging in to the database.
url

The database connection string in the form of jdbc:sap://<server>:<port>[/?<options>].
driverClassName

The file directory location of DBC driver files.
pageSize

Defines the page size to be displayed to users.
ignoreUsers

Database users to ignore. Typically, these are internal database users to avoid for security reasons. SYS and SYSTEM internal users are ignored by default.

Object types

You can add or edit the object type to obtain any of the following objects and their properties:

__ACCOUNT__
PROPERTY NAME TYPE NATIVE TYPE REQUIRED

USER_ID

String

String

NO

USER_NAME

String

String

NO

PASSWORD

GuardedString

String

NO

USER_MODE

String

String

NO

EMAIL_ADDRESS

String

String

NO

CLIENT

String

String

NO

TIME_ZONE

String

String

NO

CREATOR

String

String

NO

VALID_FROM

String

String

NO

VALID_UNTIL

String

String

NO

IS_RESTRICTED

Boolean

Boolean

NO

IS_CLIENT_CONNECT_ENABLED

Boolean

Boolean

NO

HAS_REMOTE_USERS

Boolean

Boolean

NO

PASSWORD_CHANGE_NEEDED

Boolean

Boolean

NO

IS_KERBEROS_ENABLED

Boolean

Boolean

NO

IS_SAML_ENABLED

Boolean

Boolean

NO

IS_PASSWORD_ENABLED

Boolean

Boolean

NO

SAML_PROVIDERS

Array

Object

NO

SYSTEM_PRIVILEGES

Array

String

NO

APPLICATION_PRIVILEGES

Array

String

NO

ROLES

Array

String

NO

EXTERNAL_IDENTITY

Array

String

NO
ROLES
PROPERTY NAME TYPE NATIVE TYPE REQUIRED

ROLE_ID

String

String

NO

ROLE_NAME

String

String

NO

GLOBAL_IDENTITY

String

String

NO

ROLE_SCHEMA_NAME

String

String

NO

ROLE_MODE

String

String

NO
APPLICATION_PRIVILEGES

PROPERTY NAME

TYPE

NATIVE TYPE

REQUIRED

__NAME__

String

String

NO
SYSTEM_PRIVILEGES

PROPERTY NAME

TYPE

NATIVE TYPE

REQUIRED

__NAME__

String

String

NO

To configure the connector over REST or using the filesystem, specify the connection details to the SAP HANA Database resource provider in the configurationProperties for the connector. The minimum required properties are username, password, url and driverClassName.

Sample configuration

{
    "configurationProperties" : {
        "connectionProperties" : null,
        "propagateInterruptState" : false,
        "useDisposableConnectionFacade" : true,
        "defaultCatalog" : null,
        "validationInterval" : 3000,
        "ignoreExceptionOnPreLoad" : false,
        "jmxEnabled" : true,
        "commitOnReturn" : false,
        "logAbandoned" : false,
        "maxIdle" : 100,
        "testWhileIdle" : false,
        "removeAbandoned" : false,
        "abandonWhenPercentageFull" : 0,
        "minIdle" : 10,
        "defaultReadOnly" : null,
        "maxWait" : 30000,
        "logValidationErrors" : false,
        "name" : "Tomcat Connection Pool[1-20280544]",
        "useStatementFacade" : true,
        "initSQL" : null,
        "validationQueryTimeout" : -1,
        "validationQuery" : null,
        "rollbackOnReturn" : false,
        "alternateUsernameAllowed" : false,
        "dataSourceJNDI" : null,
        "validatorClassName" : null,
        "suspectTimeout" : 0,
        "useEquals" : true,
        "removeAbandonedTimeout" : 60,
        "defaultAutoCommit" : null,
        "testOnConnect" : false,
        "jdbcInterceptors" : null,
        "initialSize" : 10,
        "defaultTransactionIsolation" : -1,
        "numTestsPerEvictionRun" : 0,
        "url" : "jdbc:sap://HOST:PORT",
        "testOnBorrow" : false,
        "fairQueue" : true,
        "accessToUnderlyingConnectionAllowed" : true,
        "maxAge" : 0,
        "minEvictableIdleTimeMillis" : 60000,
        "timeBetweenEvictionRunsMillis" : 5000,
        "testOnReturn" : false,
        "useLock" : false,
        "maxActive" : 100,
        "username" : "USERNAME",
        "password" : "PASSWORD",
        "pageSize" : "50",
        "driverClassName" : "com.sap.db.jdbc.Driver",
        "ignoreUsers" : [
            "SYS",
            "SYSTEM"
        ]
    }
}

Configure connection pooling

The SAP HANA Database connector embeds the Apache Tomcat 9 JDBC Connection Pool. Learn more about the different pooling mechanisms in Connectors by pooling mechanism.

Mapping

From SAP HANA Database users to IDM or Advanced Identity Cloud users
Attributes
SOURCE TARGET TRANSFORMATION SCRIPT

USER_ID

_id

N/A

USER_NAME

userName

N/A

PASSWORD

password

N/A

EMAIL_ADDRESS

mail

N/A

TIME_ZOME

timeZone

N/A

CLIENT

sessionClient

N/A

VALID_FROM

validFrom

N/A

VALID_UNTIL

validUntil

N/A

IS_RESTRICTED

isRestricted

N/A

ROLES

grantedRoles

N/A

APPLICATION_PRIVILEGES

applicationPrivileges

N/A

SYSTEM_PRIVILEGES

systemPrivileges

N/A

SAML_PROVIDERS

samlProviders

N/A

IS_SAML_ENABLED

isSamlEnabled

N/A

IS_KERBEROS_ENABLED

isKerberosEnabled

N/A

PASSWORD_CHANGE_NEEDED

passwordChangeNeeded

N/A

EXTERNAL_IDENTITY

externalIdentity

N/A

Association>Association Rules>Correlation Queries

  • Link Qualifier: default

  • Any of the following fields: USER_NAME

From IDM or Advanced Identity Cloud users to SAP HANA Database users
Attributes
SOURCE TARGET TRANSFORMATION SCRIPT

userName

USER_NAME

N/A

password

PASSWORD

N/A

mail

EMAIL_ADDRESS

N/A

timeZone

TIME_ZONE

N/A

sessionClient

CLIENT

N/A

validFrom

VALID_FROM

N/A

validUntil

VALID_UNTIL

N/A

isRestricted

IS_RESTRICTED

N/A

grantedRoles

ROLES

N/A

applicationPrivileges

APPLICATION_PRIVILEGES

N/A

systemPrivileges

SYSTEM_PRIVILEGES

N/A

samlProviders

SAML_PROVIDERS

N/A

isSamlEnabled

IS_SAML_ENABLED

N/A

isKerberosEnabled

IS_KERBEROS_ENABLED

N/A

passwordChangeNeeded

PASSWORD_CHANGE_NEEDED

N/A

externalIdentity

EXTERNAL_IDENTITY

N/A

Association>Association Rules>Correlation Queries

  • Link Qualifier: default

  • Any of the following fields: USER_NAME

Test the SAP HANA Database connector

Test the connector configuration:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request POST \
'http://localhost:8080/openidm/system/saphanadb?_action=test'
{
    "name": "saphanadb",
    "enabled": true,
    "config": "config/provisioner.openicf/saphanadb",
    "connectorRef": {
        "bundleVersion": [1.5.0.0,1.6.0.0),
        "bundleName": "org.forgerock.openicf.connectors.saphanadb-connector",
        "connectorName": "org.forgerock.openicf.connectors.saphanadb.SapHanaDBConnector"
    },
    "displayName": "SAP HANA Database Connector",
    "objectTypes": [
        "APPLICATION_PRIVILEGES",
        "__ACCOUNT__",
        "SYSTEM_PRIVILEGES",
        "ROLES",
        "__ALL__"
    ],
    "ok": true
}

Use the SAP HANA Database connector

Database user

Create a user

To create a new user, you must include at least the USER_NAME and PASSWORD fields. The default configuration requires passwords to have:

  • a minimum of 8 characters.

  • at least one number.

  • at least one uppercase letter.

  • at least one lowercase letter.

Special characters are optional, but the default password setting (Aa1) only accepts underscores (_). For more information, refer to Password Policy Configuration Options.

If the IS_RESTRICTED field is true, a restricted user is created. A restricted user has no default roles and an unrestricted user has the default PUBLIC role.

The possible date format for the fields VALID_FROM and VALID_UNTIL is: yyyy-MM-dd HH:mm AM/PM.

When assigning SAML Providers to a User, only those providers that already exist within the database can be assigned during a create operation.

To grant and revoke roles, application or system privileges, some requirements are necessary, as detailed here.

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--header 'Content-Type: application/json' \
--request POST \
--data '{
    "USER_NAME" : "SAPHANADB_NEWUSER",
    "PASSWORD" : "Password123",
    "EMAIL_ADDRESS" : "SAPHANADB_NEWUSER@example.com",
    "CLIENT" : "001",
    "TIME_ZONE" : "GMT",
    "VALID_FROM" : "2024-12-12 12:30",
    "VALID_UNTIL" : "2025-12-12 15:00",
    "IS_SAML_ENABLED" : true,
    "IS_KERBEROS_ENABLED" : true,
    "IS_PASSWORD_ENABLED" : true,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "ROLES" : [
      "MODELING"
    ],
    "APPLICATION_PRIVILEGES" : [
        "sap.hana.backup::Admin"
    ],
    "SYSTEM_PRIVILEGES" : [
        "REPO.EXPORT",
        "REPO.IMPORT",
        "REPO.MAINTAIN_DELIVERY_UNITS"
    ]
}' \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__'
{
    "USER_NAME" : "SAPHANADB_NEWUSER",
    "EMAIL_ADDRESS" : "SAPHANADB_NEWUSER@example.com",
    "IS_RESTRICTED" : false,
    "CLIENT" : "001",
    "TIME_ZONE" : "GMT",
    "USER_MODE" : "LOCAL"
    "VALID_FROM": "2024-12-12 12:30",
    "VALID_UNTIL": "2025-12-12 15:00",
    "IS_SAML_ENABLED" : true,
    "IS_KERBEROS_ENABLED" : true,
    "IS_PASSWORD_ENABLED" : true,
    "PASSWORD_CHANGE_NEEDED" : false,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "HAS_REMOTE_USERS" : false,
    "EXTERNAL_IDENTITY" : false,
    "CREATOR" : "USER_CREATOR",
    "ROLES" : [
        "PUBLIC",
        "MODELING"
    ],
    "APPLICATION_PRIVILEGES" : [
        "sap.hana.backup::Admin"
    ],
    "SYSTEM_PRIVILEGES" : [
        "REPO.EXPORT",
        "REPO.IMPORT",
        "REPO.MAINTAIN_DELIVERY_UNITS"
    ]
}

Get users

Retrieve a list of database user ids from SAP HANA Database:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__?_queryId=query-all-ids'
{
    "result": [
        {
            "_id" : "001"
        },
        {
            "_id" : "002"
        },
        {
            "_id" : "003"
        },
        ...
    ]
}

Get a user

Retrieve a user from SAP HANA Database. You must specify the id in the URI path:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__/USER_ID'
{
    "USER_NAME" : "NEW_USER",
    "EMAIL_ADDRESS" : "NEW_USER@example.com",
    "IS_RESTRICTED" : false,
    "CLIENT" : "000",
    "TIME_ZONE" : "GMT",
    "USER_MODE" : "LOCAL",
    "VALID_FROM": "2023-09-06",
    "VALID_UNTIL": "2023-12-31",
    "IS_SAML_ENABLED" : fale,
    "IS_KERBEROS_ENABLED" : false,
    "IS_PASSWORD_ENABLED" : true,
    "PASSWORD_CHANGE_NEEDED" : false,
    "HAS_REMOTE_USERS" : false,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "EXTERNAL_IDENTITY" : "999",
    "CREATOR" : "USER_CREATOR",
    "ROLES": [
        "PUBLIC",
        "MODELING"
    ],
    "APPLICATION_PRIVILEGES" : [
        "sap.hana.backup::Admin"
    ],
    "SYSTEM_PRIVILEGES" : [
        "REPO.EXPORT",
    ],
    "SAML_PROVIDERS" : [
        {
            "SAML_PROVIDER_NAME" : "PROVIDER_NAME",
            "EXTERNAL_IDENTITY" : null
        }
    ]
}

Update a user

Update a user from the database. You must specify the id in the URI path.

The roles field combines the catalog and repository roles. To grant and revoke roles, application or system privileges, some requirements are necessary, as detailed here.

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request PUT \
--data '{
    "EMAIL_ADDRESS": "NEW_MAIL@EMAIL.COM",
    "CLIENT" : "002",
    "TIME_ZONE" : "PST",
    "VALID_FROM" : "2023-09-06",
    "VALID_UNTIL" : "2023-12-31",
    "IS_KERBEROS_ENABLED" : true,
    "IS_SAML_ENABLED" : true,
    "IS_PASSWORD_ENABLED" : true,
    "PASSWORD_CHANGE_NEEDED": true,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "EXTERNAL_IDENTITY": "999",
    "ROLES": [
        "PUBLIC",
        "RESTRICTED_USER_JDBC_ACCESS"
    ]
}' \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__/USER_ID'
{
    "USER_NAME": "USERNAME",
    "EMAIL_ADDRESS": "NEW_MAIL@EMAIL.COM",
    "IS_RESTRICTED": false,
    "CLIENT": "002",
    "TIME_ZONE": "PST",
    "USER_MODE": "LOCAL",
    "VALID_FROM": "2023-09-06",
    "VALID_UNTIL": "2023-12-31",
    "IS_KERBEROS_ENABLED": true,
    "IS_SAML_ENABLED": true,
    "IS_PASSWORD_ENABLED": true,
    "PASSWORD_CHANGE_NEEDED": true,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "EXTERNAL_IDENTITY": "999",
    "HAS_REMOTE_USERS": false,
    "CREATOR": "USER_CREATOR",
    "ROLES": [
        "PUBLIC",
        "RESTRICTED_USER_JDBC_ACCESS",
    ],
    "APPLICATION_PRIVILEGES": [],
    "SYSTEM_PRIVILEGES": [],
    "SAML_PROVIDERS" : []
}

Delete a user

Delete a user from a database. You must specify the id in the URI path:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request DELETE \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__/USER_ID'
{
    "USER_NAME" : "NEW_USER",
    "EMAIL_ADDRESS" : "NEW_USER@EMAIL.COM",
    "IS_RESTRICTED" : false,
    "CLIENT" : "001",
    "TIME_ZONE" : "GMT",
    "USER_MODE" : "LOCAL"
    "VALID_FROM": "2024-12-12",
    "VALID_UNTIL": "2025-12-12",
    "IS_SAML_ENABLED" : false,
    "IS_KERBEROS_ENABLED" : false,
    "IS_PASSWORD_ENABLED" : true,
    "PASSWORD_CHANGE_NEEDED" : false,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "HAS_REMOTE_USERS" : false,
    "EXTERNAL_IDENTITY" : "999",
    "CREATOR" : "USER_CREATOR",
    "ROLES": [
        "PUBLIC"
    ],
    "APPLICATION_PRIVILEGES" : [],
    "SYSTEM_PRIVILEGES" : [],
    "SAML_PROVIDERS" : []
}

Get roles

Retrieve roles from a SAP HANA Database:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request GET \
'http://localhost:8080/openidm/system/saphanadb/ROLES?_queryFilter=true'
{
    "result": [
        {
            "_id": "2361418",
            "ROLE_NAME": "ABAP_READ",
            "ROLE_ID": "2361418",
            "ROLE_MODE": "LOCAL",
            "__NAME__": "ABAP_READ",
            "ROLE_SCHEMA_NAME": null,
            "GLOBAL_IDENTITY": null
        },
        ...
}

Get system privileges

Retrieve system privileges from a SAP HANA Database:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request GET \
'http://localhost:8080/openidm/system/saphanadb/SYSTEM_PRIVILEGES?_queryFilter=true'
{
    "result": [
        {
            "_id": "ADAPTER ADMIN",
            "__NAME__": "ADAPTER ADMIN",
        },
        ...
}

Get application privileges

Retrieve application privileges from a SAP HANA Database:

curl
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request GET 'http://localhost:8080/openidm/system/saphanadb/APPLICATION_PRIVILEGES/_queryFilter=true'
{
    "result": [
        {
            "_id": "sap.hana.ide::Catalog",
            "__NAME__": "sap.hana.ide::Catalog"
        },
        ...
}

OpenICF Interfaces Implemented by the SAP HANA Database Connector

The SAP HANA Database Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:

Create

Creates an object and its uid.

Delete

Deletes an object, referenced by its uid.

Schema

Describes the object types, operations, and options that the connector supports.

Script on Connector

Enables an application to run a script in the context of the connector.

Any script that runs on the connector has the following characteristics:

  • The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.

  • The script has access to a connector variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.

  • The script has access to any script arguments passed in by the application.

Search

Searches the target resource for all objects that match the specified object class and filter.

Test

Tests the connector configuration.

Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.

This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).

You can invoke the test operation before a connector configuration has been validated.

Update

Updates (modifies or replaces) objects on a target resource.

SAP HANA Database Connector Configuration

The SAP HANA Database Connector has the following configurable properties:

Configuration properties

Property Type Default Encrypted(1) Required(2)

connectionProperties

String

null

No

The connection properties that will be sent to our JDBC driver when establishing new connections. Format of the string must be [propertyName=property;]* NOTE - The "user" and "password" properties will be passed explicitly, so they do not need to be included here.

propagateInterruptState

boolean

false

No

Set this to true to propagate the interrupt state for a thread that has been interrupted (not clearing the interrupt state). Set the value as false for backwards compatibility.

useDisposableConnectionFacade

boolean

true

No

Set this to true if you wish to put a facade on your connection so that it cannot be reused after it has been closed. This prevents a thread holding on to a reference of a connection it has already called closed on, to execute queries on it.

defaultCatalog

String

null

No

The default catalog of connections created by this pool.

validationInterval

long

3000

No

avoid excess validation, only run validation at most at this frequency - time in milliseconds. If a connection is due for validation, but has been validated previously within this interval, it will not be validated again.

ignoreExceptionOnPreLoad

boolean

false

No

Flag whether ignore error of connection creation while initializing the pool. Set to true if you want to ignore error of connection creation while initializing the pool. Set to false if you want to fail the initialization of the pool by throwing exception.

jmxEnabled

boolean

true

No

Register the pool with JMX or not.

commitOnReturn

boolean

false

No

If autoCommit==false then the pool can complete the transaction by calling commit on the connection as it is returned to the pool If rollbackOnReturn==true then this attribute is ignored.

logAbandoned

boolean

false

No

Flag to log stack traces for application code which abandoned a Connection. Logging of abandoned Connections adds overhead for every Connection borrow because a stack trace has to be generated.

maxIdle

int

100

No

The maximum number of connections that should be kept in the pool at all times. Idle connections are checked periodically (if enabled) and connections that been idle for longer than minEvictableIdleTimeMillis will be released. (also see testWhileIdle).

testWhileIdle

boolean

false

No

The indication of whether objects will be validated by the idle object evictor (if any). If an object fails to validate, it will be dropped from the pool. NOTE - for a true value to have any effect, the validationQuery parameter must be set to a non-null string. This property has to be set in order for the pool cleaner/test thread is to run (also see timeBetweenEvictionRunsMillis).

removeAbandoned

boolean

false

No

Flag to remove abandoned connections if they exceed the removeAbandonedTimeout. If set to true a connection is considered abandoned and eligible for removal if it has been in use longer than the removeAbandonedTimeout Setting this to true can recover db connections from applications that fail to close a connection. See also logAbandoned.

abandonWhenPercentageFull

int

0

No

Connections that have been abandoned (timed out) wont get closed and reported up unless the number of connections in use are above the percentage defined by abandonWhenPercentageFull. The value should be between 0-100. The value 0 implies that connections are eligible for closure as soon as removeAbandonedTimeout has been reached.

minIdle

int

10

No

The minimum number of established connections that should be kept in the pool at all times. The connection pool can shrink below this number if validation queries fail (also see testWhileIdle).

defaultReadOnly

Boolean

null

No

The default read-only state of connections created by this pool. If not set then the setReadOnly method will not be called (Some drivers dont support read only mode, ex: Informix).

maxWait

int

30000

No

The maximum number of milliseconds that the pool will wait (when there are no available connections) for a connection to be returned before throwing an exception.

logValidationErrors

boolean

false

No

Set this to true to log errors during the validation phase to the log file. If set to true, errors will be logged as SEVERE. Set the value as false for backwards compatibility.

driverClassName

String

null

No

The fully qualified Java class name of the JDBC driver to be used. The driver has to be accessible from the same classloader as tomcat-jdbc.jar.

name

String

Tomcat Connection Pool[5-1678009017]

No

Returns the name of the connection pool. By default a JVM unique random name is assigned.

useStatementFacade

boolean

true

No

If a statement proxy is set, wrap statements so that equals() and hashCode() methods can be called on closed statements.

initSQL

String

null

No

A custom query to be run when a connection is first created.

validationQueryTimeout

int

-1

No

The timeout in seconds before a connection validation queries fail. This works by calling java.test_sample.Statement.setQueryTimeout(seconds) on the statement that executes the validationQuery. The pool itself doesnt timeout the query, it is still up to the JDBC driver to enforce query timeouts. A value less than or equal to zero will disable this feature.

validationQuery

String

null

No

The SQL query that will be used to validate connections from this pool before returning them to the caller. If specified, this query does not have to return any data, it just cant throw a SQLException. Example values are SELECT 1(mysql), select 1 from dual(oracle), SELECT 1(MS Sql Server).

rollbackOnReturn

boolean

false

No

If autoCommit==false then the pool can terminate the transaction by calling rollback on the connection as it is returned to the pool.

alternateUsernameAllowed

boolean

false

No

By default, the jdbc-pool will ignore the DataSource.getConnection(username,password) call, and simply return a previously pooled connection under the globally configured properties username and password, for performance reasons. The pool can however be configured to allow use of different credentials each time a connection is requested. To enable the functionality described in the DataSource.getConnection(username,password) call, simply set the property alternateUsernameAllowed to true. Should you request a connection with the credentials user1/password1 and the connection was previously connected using different user2/password2, the connection will be closed, and reopened with the requested credentials. This way, the pool size is still managed on a global level, and not on a per schema level.

dataSourceJNDI

String

null

No

The JNDI name for a data source to be looked up in JNDI and then used to establish connections to the database. See the dataSource attribute.

validatorClassName

String

null

No

The name of a class which implements the org.apache.tomcat.jdbc.pool.Validator interface and provides a no-arg constructor (may be implicit). If specified, the class will be used to create a Validator instance which is then used instead of any validation query to validate connections. An example value is com.mycompany.project.SimpleValidator.

suspectTimeout

int

0

No

Timeout value in seconds. Similar to to the removeAbandonedTimeout value but instead of treating the connection as abandoned, and potentially closing the connection, this simply logs the warning if logAbandoned is set to true. If this value is equal or less than 0, no suspect checking will be performed. Suspect checking only takes place if the timeout value is larger than 0 and the connection was not abandoned or if abandon check is disabled. If a connection is suspect a WARN message gets logged and a JMX notification gets sent once.

useEquals

boolean

true

No

Set to true if you wish the ProxyConnection class to use String.equals and set to false when you wish to use == when comparing method names. This property does not apply to added interceptors as those are configured individually.

removeAbandonedTimeout

int

60

No

Timeout in seconds before an abandoned(in use) connection can be removed. The value should be set to the longest running query your applications might have.

defaultAutoCommit

Boolean

null

No

The default auto-commit state of connections created by this pool. If not set, default is JDBC driver default (If not set then the setAutoCommit method will not be called).

testOnConnect

boolean

false

No

Validate the connection when connecting to the database for the first time. Set to true if you want to use the validationQuery as an init query.

jdbcInterceptors

String

null

No

A semicolon separated list of classnames extending org.apache.tomcat.jdbc.pool.JdbcInterceptor class. See Configuring JDBC interceptors below for more detailed description of syntax and examples. These interceptors will be inserted as an interceptor into the chain of operations on a java.sql.Connection object.

initialSize

int

10

No

The initial number of connections that are created when the pool is started.

defaultTransactionIsolation

int

-1

No

The default TransactionIsolation state of connections created by this pool. One of the following: NONE, READ_COMMITTED, READ_UNCOMMITTED, REPEATABLE_READ, SERIALIZABLE If not set, the method will not be called and it defaults to the JDBC driver.

numTestsPerEvictionRun

int

0

No

Property not used in tomcat-jdbc-pool.

url

String

null

No

The URL used to connect to the database.

testOnBorrow

boolean

false

No

The indication of whether objects will be validated before being borrowed from the pool. If the object fails to validate, it will be dropped from the pool, and we will attempt to borrow another. NOTE - for a true value to have any effect, the validationQuery parameter must be set to a non-null string. In order to have a more efficient validation, see validationInterval.

fairQueue

boolean

true

No

Set to true if you wish that calls to getConnection should be treated fairly in a true FIFO fashion. This uses the org.apache.tomcat.jdbc.pool.FairBlockingQueue implementation for the list of the idle connections. This flag is required when you want to use asynchronous connection retrieval. Setting this flag ensures that threads receive connections in the order they arrive. During performance tests, there is a very large difference in how locks and lock waiting is implemented. When fairQueue=true there is a decision making process based on what operating system the system is running. If the system is running on Linux (property os.name=Linux. To disable this Linux specific behavior and still use the fair queue, simply add the property org.apache.tomcat.jdbc.pool.FairBlockingQueue.ignoreOS=true to your system properties before the connection pool classes are loaded.

accessToUnderlyingConnectionAllowed

boolean

true

No

Property not used. Access can be achieved by calling unwrap on the pooled connection. See javax.sql.DataSource interface, or call getConnection through reflection or cast the object as javax.sql.PooledConnection.

maxAge

long

0

No

Time in milliseconds to keep this connection. When a connection is returned to the pool, the pool will check to see if the now - time-when-connected > maxAge has been reached, and if so, it closes the connection rather than returning it to the pool. The value 0 implies that connections will be left open and no age check will be done upon returning the connection to the pool.

minEvictableIdleTimeMillis

int

60000

No

The minimum amount of time an object may sit idle in the pool before it is eligible for eviction.

timeBetweenEvictionRunsMillis

int

5000

No

The number of milliseconds to sleep between runs of the idle connection validation/cleaner thread. This value should not be set under 1 second. It dictates how often we check for idle, abandoned connections, and how often we validate idle connections.

testOnReturn

boolean

false

No

The indication of whether objects will be validated before being returned to the pool. NOTE - for a true value to have any effect, the validationQuery parameter must be set to a non-null string.

useLock

boolean

false

No

Use a lock when performing operations on the connection object. Set to true if you will use a separate background thread for idle and abandon checking (e.g. JMX clients). If the pool sweeper is enabled, a lock is used, regardless of this setting.

maxActive

int

100

No

The maximum number of active connections that can be allocated from this pool at the same time.

username

String

null

No

The connection username to be passed to our JDBC driver to establish a connection

password

String

null

Yes

Yes

SAP HANA Database login password to authenticate the user

pageSize

Integer

50

No

Page size of search

ignoreUsers

String[]

['SYS', 'SYSTEM']

No

List of database users to be ignored by the connector

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.