Enabling that back door in SAP HANA Security: Resetting the SYSTEM Password in SPS 09
I know two Jordans with the same surname! Both are friends of mine. One is a six foot five Rastafarian male, the other is a five foot three blonde female. I mention them today because I am going to be looking at the video provided by the SAP HANA Academy on Resetting the System Password in SAP HANA in SPS09. Yes, really, the two Jordans are relevant. The first Jordan and I did the MCSE together. The second Jordan helped me with my first installation of NT Server over the phone while at the supermarket. Passwords are part of most systems and as we know systems should be made to fit around people.
My first two jobs after completing my MCSE involved passwords. My first job was for a company who kept getting their information stolen. I never spoke to users about this problem, only management after hours. There were six types of terminal, and depending on their job role users would need different accounts to access them. Policies were changed to make users have more complicated passwords that had to be changed more often. Generic accounts were discovered and removed virtually overnight. One day I got to work early and saw users passing around post-it notes. I spoke to management about this and asked to come in early the next day without any formalities to speak to users. I found that the new rules were unpopular. There was a lot of hot desking so users would leave computers logged on for the next user. This was back in the days of proper blue screens of death. Computers often needed rebooting so users would leave the account logins and passwords on the computers ready for the next user. I asked the Jordans to go in and collect these post-it notes and whatever else they could find so that I could illustrate to the management that the issue was staff training, not security. This office was virtually all male and white. However, even without ID, they were not challenged and managed to collect enough account details to “hack” the system. I showed this evidence to the management who reluctantly agreed that staff should be consulted about the changes and, as this was needed due to the range of systems, each user was given one username based on their name and was given the opportunity to set the same password on all systems which would not require changing as frequently.
SAP HANA Security: Reset SYSTEM Password [SPS 09]
The video I am going to cover today is on how to reset the SYSTEM user password. When a SAP HANA system is created, several database users are created by default, including the SYSTEM database user. This user is the database superuser, with irrevocable system privileges such as the ability to create other users, access tables etc. According to the SAP HANA Administration Guide this user is not intended for use in production systems. THIS IS EXACTLY THE GENERIC ACCOUNT YOU SHOULD BE CAREFUL OF USING. The only time you would use this account is as follows. If you have just restored a database from backup, but do not know how to connect to it or have any accounts set up, the only way you can gain access is by resetting the SYSTEM user password. The roles this type of user performs should be divided into logical functions and assigned to staff with a username based on their name. The SYSTEM user should then be deactivated.
The tutorial describes how to access the SAP HANA database via a terminal in Windows. The tutorial is extremely prescriptive, with the code being entered explained in depth as it is typed. Any outputs from the terminal are comprehensively explained. There are a few things that need flagging at the start. The only difference between this version and SPS08 is highlighted in bold.
- Remember you have to log on to the server which has the master index server running.
- Stop the HANA Server from running using HDB stop.
- Start these three services: the name server, the compile server and the index server with a special flag.
- Remember Process IDs 6382 and 6494 for when you need to stop these services. These can change when you restart the HANA instance.
- **Start the index server over the database with a special flag “reset user system”. This is new to SPS09.**
- Note that the database password rules may still apply when setting your new password.
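
Once you are back in after a reset, the advice above is to divide SYSTEM's duties among named accounts and then deactivate SYSTEM. The SQL below is an added sketch of that follow-up, not taken from the video or from SAP; the user names, the initial passwords and the particular split of privileges are constructed for illustration.

```sql
-- Added example: user names, passwords and the division of duties are constructed.
-- Steps 1 runs while still connected as SYSTEM, right after the password reset.

-- 1. One named account per administrative function.
--    By default HANA forces each user to change the initial password at first logon.
CREATE USER JSMITH_USERADMIN PASSWORD "Placeholder-Init1al";
GRANT USER ADMIN, ROLE ADMIN TO JSMITH_USERADMIN;

CREATE USER ABROWN_BACKUP PASSWORD "Placeholder-Init1al";
GRANT BACKUP ADMIN, CATALOG READ TO ABROWN_BACKUP;

CREATE USER CLEE_AUDIT PASSWORD "Placeholder-Init1al";
GRANT AUDIT ADMIN TO CLEE_AUDIT;

-- 2. Reconnect as JSMITH_USERADMIN (holds USER ADMIN) and deactivate SYSTEM.
ALTER USER SYSTEM DEACTIVATE USER NOW;

-- 3. Verify the result. USER_DEACTIVATED should read TRUE.
--    PASSWORD_CHANGE_TIME and LAST_SUCCESSFUL_CONNECT should match the
--    reset you just performed; any other timestamp deserves a closer look.
SELECT USER_NAME,
       USER_DEACTIVATED,
       DEACTIVATION_TIME,
       PASSWORD_CHANGE_TIME,
       LAST_SUCCESSFUL_CONNECT
FROM SYS.USERS
WHERE USER_NAME = 'SYSTEM';

-- 4. If a task later needs SYSTEM, reactivate it for that task only,
--    then deactivate it again:
-- ALTER USER SYSTEM ACTIVATE USER NOW;
```

Running the query in step 3 on a schedule gives an early signal that the SYSTEM password was reset or the account was used when nobody planned it.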
Passwords! You would think in this day and age that we should not need to bother with them. There should be mice with biometric information in them and users already configured and set up. We should be able to just plug and play. However, for people working with back end systems you are stuck with them. Remember how lucky you are to have the knowledge from this tutorial to get back into a system if you need to. There are also a myriad of other resources which help you set up security in SAP HANA available from the SAP HANA Academy.
My second network job was at a chain of florists. They had an NT Server that was playing up. They had installed Service Pack 6 on it but IIS would only go up to Service Pack 4 so it keeled over. I arrived confident that I could sort this problem out, buy the wife some flowers and be out of there before you could say I am being paid to sit in the sun. I arrived at the back of the main florist and was shown into the room where the server sat by the owner. I managed to restore the server and was finishing off. By sheer instinct I pressed ALT-CTRL-DEL and Enter.
“What are you doing?” screamed the owner.
“Locking the server,” I replied.
My face fell when he slowly said “How do you unlock it?”
I demonstrated ALT-CTRL-DEL then said “What’s the password?”
“I don’t know” he replied.
A sweat broke out on my forehead. In a few seconds I had tried them all. I was panicking.
My wife was in the neighbourhood and popped her head in.
“Why don’t you try no password?” she said.
I was about to say something disparaging when the owner said “That’s it, I remember, no password!”
I tried it. The owner thanked me for my efforts and asked if we could leave.
So be grateful for this video by the SAP HANA Academy, it might spare your blushes one day.