It’s fun to stay at the C-M-I-S

Introduction to SAP HANA Cloud Platform, week 3

This week left me a bit confused. The first 2 sessions were about connectivity, while the rest was about CMIS. I had the impression that the JDBC sessions were misplaced and belonged to week 2, but for time reasons were lifted over to week 3. Nevertheless, the actual topic of week 3 was CMIS.

Anyone still remember the 2008 CMIS announcments (like this one)? Well, CMIS survived the last years (no surprise) and Hana Cloud supports CMIS. While the service is normally only accessible from inside HCP, Rui demonstrated a CMIS proxy servlet that lets you access the content repository from outside. He used the Apache Cemistry workbench to show that you can create folders, file and interact with them directly from your computer.

I am now wondering if this means that I can use the SAP HANA Cloud Document Service as a CMIS repository for my Alfresco or Liferay installations. The only application I need to have running is the CMIS proxy on HCP, right? I guess later I will try this out.

Talking about trying it out: the video for week 3 unit 3 comes with an interesting line:

“It is also very secure, so all the data transport is encrypted via HTTPS, and also the data storage is encrypted with the standard AES, so very safe and secure encryption.”

Very secure? Challenge accepted.

[Disclaimer: I am not a security expert. I also have no detailed information about the internals of HCP. I ran my test against hana.ondemand.com as this is an public available server that serves as the entry point to HCP. To me, this server should be 100% secure, as you send and receive sensitive information (like credentials). I executed the test on Wednesday (20/Nov/2013)]

Let’s take a look back at our beloved NSA and the statement that RC4 is hacked.

For now, assume that RC4 is hacked and that SAP wants to be aligned to German and European security guidelines.

How to check if a web server is using a secure certificate? Fortunately, there are free tools available to see if a web server uses RC4 or not, like:

https://www.ssllabs.com/ssltest/analyze.html?d=hana.ondemand.com Running the scan shows a very good result:

Looking at the details reveals:

That’s not so good, as RC4 is allowed and no Forward Secrecy.

RC4 is not anymore recommended (or here) and should therefore not used. Considering its weakness, a web server should not offer RC4. Forward Secrecy is something you want to have. It ensures that when an intruder gets the key to decrypt your current session, he can only read / encrypt the current session, but not any other session. Even when your earlier streams were saved by the intruder, the captured session key won’t help in decrypting the data. To take a closer look at the result I got by SSLlabs I used sslscan. SSL scan can give a list of what the server accepts.

sslscan hana.ondemand.com:443

AES and DES are also supported, not only RC4, that’s good. But the preferred cipher is RC4-SHA.

Connecting to the server shows which cipher is used, and it is RC4-SHA:

openssl s_client –connect hana.ondemand.com:443

To see if Forward Secrecy is supported, as I understand it, Diffie-Hellman needs to be used and not RSA. Let’s check this:

openssl s_client –ciper ‘ECDH:DH’ –connect hana.ondemand.com:443

Looks like Forward Secrecy is not supported.

In case you do not have the tools available, a simple tool to see what the server gives you is Google Chrome:

A site that uses Forward Secrecy is Gmail

For the web server running hana.ondemand.com I think the phrase very secure is a little bit exaggerated. Maybe a real security expert can jump in.

Other example: login.live.com