In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced with SAP HANA Support Package Stack (SPS) 7, released December 3, 2013.
For the highlights on the new release from SAP HANA product management, see Ingo Brenckmann’s blog on the SAP HANA community site or read the Release Notes on help.sap.com. For those already familiar with SAP HANA Security, see Andrea Kirsten’s presentation on Security What’s New, delta SPS6 – SPS7 on saphana.com.
Other blogs on the What’s New topic
- What’s new in SAP HANA SPS 7: Monitoring – by the SAP HANA Academy
- What’s new in SAP HANA SPS 7 – Installation and Update
- What’s new in SAP HANA SPS 7: SHINE – by the SAP HANA Academy
The topic of this post is internal authentication, with a focus on password policy. It complements the tutorial video posted on the SAP HANA Academy site and on YouTube: HANA Academy: SAP HANA Security – Authentication – Password Policy – YouTube
SAP HANA Authentication
Although SAP HANA supports several external authentication mechanisms, including industry standard authentication providers like Kerberos, the SAML framework to exchange security information, and – of course – SAP Logon Tickets, it is important to understand the configuration options available to secure the internal (built-in, native) mechanism for authentication based on user name and password. Keep in mind as well that external authentication mechanisms still require an internal database user, to which HANA maps the external identity.
Database users can be created using the New User dialog in SAP HANA Studio or by using the CREATE USER SQL statement. The password entered for the new user is subject to certain rules, i.e. the password needs to comply with the password policy and must not appear on the password blacklist.
The print screen below shows the New User dialog in SAP HANA Studio and the password rule that is displayed when hovering over the password field.
New with SPS 7 are the Valid From and Valid Until calendar fields, which allow you to specify the period (date and time) during which the user account is valid.
Using SQL, you can achieve the same result with:
CREATE USER DUMMY PASSWORD "Welcome1" VALID FROM '2013-12-05 11:38:35' UNTIL '2013-12-08 11:38:35';
CREATE USER DUMMY PASSWORD "Welcome1" VALID FROM NOW UNTIL FOREVER;
ALTER USER DUMMY VALID FROM NOW;
VALID FROM NOW and VALID UNTIL FOREVER are implied when you do not select a Valid From or Valid Until date.
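As an added example (not taken from the post or from SAP's own documentation), the statements below create a user with a fixed validity window, verify what was stored, and then extend the window with ALTER USER. The user name AUDIT_TEMP and the dates are constructed for this example; the column names VALID_FROM and VALID_UNTIL in the USERS system view are assumed from the SAP HANA system views reference.

```sql
-- Added example, not code from the original post.
-- Assumptions: user AUDIT_TEMP and the dates are made up; the columns
-- VALID_FROM / VALID_UNTIL of SYS.USERS follow the system views reference.

-- Account usable only during a planned review window (dates constructed here)
CREATE USER AUDIT_TEMP PASSWORD "Welcome1"
    VALID FROM '2013-12-05 00:00:00' UNTIL '2013-12-08 00:00:00';

-- Verify what the database actually stored for the account
SELECT USER_NAME, VALID_FROM, VALID_UNTIL
  FROM SYS.USERS
 WHERE USER_NAME = 'AUDIT_TEMP';

-- Extend the window later without re-creating the user
ALTER USER AUDIT_TEMP VALID UNTIL '2013-12-31 00:00:00';

-- Audit check: accounts whose validity has already ended but that still exist
SELECT USER_NAME, VALID_UNTIL
  FROM SYS.USERS
 WHERE VALID_UNTIL < CURRENT_TIMESTAMP
 ORDER BY VALID_UNTIL;

-- Clean up the example user
DROP USER AUDIT_TEMP;
```

The last SELECT is the kind of periodic check worth scheduling: an expired account cannot log on, but it still carries its privileges and should be reviewed or dropped rather than left behind.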
As documented in the SAP HANA Security Guide and the SAP HANA Administration Guide you can change the default password policy in line with your organisation’s security requirements but you cannot deactivate the password policy.
The recommended approach to configure the password policy is by using the Security editor in SAP HANA Studio.
New for SPS 7 are the Lock indefinitely radio button and a changed default value for Lifetime of Initial Password (now 7 days, previously 28 days).
The editor provides contextual help when you hover the mouse over a parameter.
When you enter a wrong value, an error message is displayed.
Full context-sensitive documentation on the different password policy parameters of the Security editor is available by using the F1 key. The documentation will display in a side-bar.
Configuration editor (advanced)
An alternative approach to using the Security editor is to use the Configuration editor in the Administration Console, or to use the ALTER SYSTEM ALTER CONFIGURATION SQL statement in the SQL editor. In this case you should keep a copy of the Administration Guide or the SAP HANA SQL Reference, respectively, open to know the exact valid syntax for each parameter, as no help is provided.
More importantly, similar to editing the Windows registry, you should really know what you are doing. For example, you can set the minimal password length to 0 using either the Configuration editor or SQL. A green dot will be displayed in the Configuration editor, suggesting all is well.
alter system alter configuration ('indexserver.ini','SYSTEM')
set ('password policy','minimal_password_length') = '0' with reconfigure
However, when you actually try to create a zero-length (or shorter than 6 characters) password, you will receive an error. Clearly, your custom setting is being ignored in this case.
Could not execute 'create user dummy2 password ""' in 2 ms 625 µs .
SAP DBTech JDBC:  (at 29): sql syntax error: zero-length delimited identifier
Could not execute 'create user dummy2 password "1"' in 5 ms 539 µs .
SAP DBTech JDBC: : invalid password layout: minimal password length is 
The Security editor will display a value of 6 for the Minimal Password Length field, which conforms to the hard-coded limit.
A value of 6 for parameter minimal_password_length will also be displayed by the monitoring view M_PASSWORD_POLICY.
However, when you query the contents of the indexserver.ini parameter file, you will get the value that you submitted. Note that there are two versions of this configuration file, one with host default values and one with the custom values for the global instance.
The same information is provided when viewing the contents of the file from the file system.
All in all, unexpected behaviour may result. Hence the recommendation: use the Security editor!
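The mismatch described above (the ini file holds the submitted value, the server enforces its hard-coded limit) can be detected with a query rather than by comparing screens by hand. The script below is an added example, not code from the post or from SAP: it lists the password policy section of indexserver.ini, lists the policy the server actually enforces, flags every SYSTEM-layer value that differs from the effective one, and finally removes the ineffective override. The column names of M_INIFILE_CONTENTS (FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE) and M_PASSWORD_POLICY (PROPERTY, VALUE) are assumed from the SAP HANA system views reference.

```sql
-- Added example, not code from the original post.
-- Assumptions: column names of SYS.M_INIFILE_CONTENTS and SYS.M_PASSWORD_POLICY
-- follow the system views reference; custom values live in the SYSTEM layer.

-- 1. What was written to the ini file (all layers, so DEFAULT vs. SYSTEM is visible)
SELECT FILE_NAME, LAYER_NAME, KEY, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'indexserver.ini'
   AND SECTION   = 'password policy'
 ORDER BY KEY, LAYER_NAME;

-- 2. What the server actually enforces
SELECT PROPERTY, VALUE
  FROM SYS.M_PASSWORD_POLICY
 ORDER BY PROPERTY;

-- 3. Drift check: custom (SYSTEM-layer) values that the server does not honour
SELECT i.KEY   AS PARAMETER,
       i.VALUE AS INI_VALUE,
       p.VALUE AS EFFECTIVE_VALUE
  FROM SYS.M_INIFILE_CONTENTS i
  JOIN SYS.M_PASSWORD_POLICY  p ON p.PROPERTY = i.KEY
 WHERE i.FILE_NAME  = 'indexserver.ini'
   AND i.SECTION    = 'password policy'
   AND i.LAYER_NAME = 'SYSTEM'
   AND i.VALUE     <> p.VALUE;

-- 4. Remove the ineffective override so file and enforced policy agree again
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
    UNSET ('password policy', 'minimal_password_length') WITH RECONFIGURE;
```

On the system shown in the text, step 3 would return one row for minimal_password_length with an ini value of 0 and an effective value of 6. Running the drift check as part of a regular configuration review catches exactly the situation the post warns about: an administrator believes a stricter or looser policy is in place because the ini file says so, while the database enforces something else.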
The eleven different password policy system parameters are clearly documented in the SAP HANA Security Guide and the SAP HANA Administration Guide (with identical text) and are discussed in the SAP HANA Academy tutorial video, so I will not repeat them here, with one exception: password lifetime.
New for SPS 7 is that you can (re-)enable the password lifetime. As of SPS 5, the SAP HANA password policy includes the option to disable the password lifetime. A typical use case is a technical user, i.e. an application schema owner, who would not be likely to react to messages that the password is about to expire. However, once set, this could not be undone. If you accidentally used DISABLE PASSWORD CHANGE on the wrong user, you were out of luck. One could also imagine stricter company password policy regulations requiring a password lifetime for all users. As of SPS 7, you can now both disable and (re-)enable the password lifetime.
ALTER USER <user_name> ENABLE PASSWORD LIFETIME
Note that there is no corresponding check box in the policy editor. The system parameter maximum_password_lifetime defaults to a value of 182 (days) and must be at least 1, with a maximum of 65536 days (~ 184 years). One might argue, of course, that a requirement to change the password every 184 years in practice amounts to a disabled password lifetime.
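The following added example (not code from the post or from SAP) shows the full round trip for a technical user: disable the lifetime check for an application schema owner, list which accounts are currently exempt, and put the user back under the normal policy with the SPS 7 ENABLE statement quoted above. DISABLE PASSWORD LIFETIME is the counterpart of that ENABLE statement. The user name APP_SCHEMA_OWNER is made up, and the USERS columns IS_PASSWORD_LIFETIME_CHECK_ENABLED and LAST_PASSWORD_CHANGE_TIME are assumed from the SAP HANA system views reference.

```sql
-- Added example, not code from the original post.
-- Assumptions: user APP_SCHEMA_OWNER is made up; the SYS.USERS columns
-- IS_PASSWORD_LIFETIME_CHECK_ENABLED and LAST_PASSWORD_CHANGE_TIME follow the
-- system views reference.

CREATE USER APP_SCHEMA_OWNER PASSWORD "Welcome1";

-- Technical user: nobody reads expiry warnings on its behalf, so exempt it
ALTER USER APP_SCHEMA_OWNER DISABLE PASSWORD LIFETIME;

-- Audit check: which accounts are exempt from the lifetime check, and how old
-- is their current password? Review this list regularly.
SELECT USER_NAME, LAST_PASSWORD_CHANGE_TIME, IS_PASSWORD_LIFETIME_CHECK_ENABLED
  FROM SYS.USERS
 WHERE IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'
 ORDER BY LAST_PASSWORD_CHANGE_TIME;

-- Policy tightened, or the exemption was granted to the wrong user:
-- put the account back under maximum_password_lifetime (possible as of SPS 7)
ALTER USER APP_SCHEMA_OWNER ENABLE PASSWORD LIFETIME;

-- The lifetime that now applies to the user again (default 182 days)
SELECT PROPERTY, VALUE
  FROM SYS.M_PASSWORD_POLICY
 WHERE PROPERTY = 'maximum_password_lifetime';

-- Clean up the example user
DROP USER APP_SCHEMA_OWNER;
```

Because the policy editor has no check box for this per-user setting, the audit SELECT is the only convenient way to see the complete set of exempt accounts; pairing it with the password age makes it easy to spot an exemption that has quietly outlived the reason it was granted.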
Thank you for watching
The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.
Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.
For the full list of blogs, see Blog Posts – by the SAP HANA Academy.