SAP HANA SPS 11 What's New: Security - by the SAP ...
In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show the new security features and functionality introduced in SAP HANA Support Package Stack (SPS) 11.
Three new parameters have been added to the password policy:
force_first_password_change
password_lock_for_system_user
detailed_error_on_connect
Parameter force_first_password_change governs whether a user must change the initial password at first logon. For a technical user (a batch job or application server that never logs on interactively) this is usually not wanted. The flag can also be set for an individual user when creating or altering the user with SQL:
CREATE USER <user_name> PASSWORD <password> [NO FORCE_FIRST_PASSWORD_CHANGE]
Parameter password_lock_for_system_user specifies whether the user SYSTEM is locked after the maximum number of failed logon attempts, like any other user. The default value is true. Setting it to false avoids an accidental lockout of the administrator account, but it also removes the brake on password guessing against the most powerful user in the system, so keep the default unless you have a very good reason. The Security editor of the SAP HANA studio supports this setting; the Web-based Development Workbench does not yet, so use SQL there.
Parameter detailed_error_on_connect configures how much detail is returned to the client when a logon attempt fails. The default value is false, which means that the client only learns that authentication failed. If this parameter is set to true, the exact reason for the failure is returned:
Invalid user password
User is locked
Connect try is outside validity period
User is deactivated
For internal applications and for troubleshooting the detailed message is helpful. For internet-facing applications, however, it hands an attacker exactly what a password-guessing campaign needs: which user names exist, which accounts are currently locked, and which are deactivated. Leave the parameter at false on any system reachable from untrusted networks.
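The following statements are an added example, not part of the original post, showing how the three parameters are set system-wide and how a technical user is created so that the first-logon rule does not apply to it. The user name BATCH_LOADER, the password, and the choice of indexserver.ini for the SYSTEM layer are assumptions for the example; on a multiple-container system the password policy of the system database lives in nameserver.ini instead.

```sql
-- Added example (not from the original post). User name and password are placeholders.

-- 1. System-wide policy: keep the forced first password change for people,
--    keep SYSTEM lockable, and do not leak the logon failure reason to clients.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('password policy', 'force_first_password_change')    = 'true',
      ('password policy', 'password_lock_for_system_user')  = 'true',
      ('password policy', 'detailed_error_on_connect')      = 'false'
  WITH RECONFIGURE;

-- 2. Technical user: nobody logs on interactively to change the initial
--    password, so skip the forced change and exempt it from password expiry.
--    The password must still satisfy the configured complexity rules.
CREATE USER BATCH_LOADER PASSWORD "Initial1Pass" NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER BATCH_LOADER DISABLE PASSWORD LIFETIME;

-- 3. Verify the effective policy as the database sees it.
SELECT PROPERTY, VALUE
  FROM M_PASSWORD_POLICY
 WHERE PROPERTY IN ('force_first_password_change',
                    'password_lock_for_system_user',
                    'detailed_error_on_connect');
```

The check in step 3 reads the effective values, which is what matters if the parameters are also set on a HOST layer that overrides the SYSTEM layer.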
To make encryption both more secure and easier to use, the following changes have been implemented:
The initial master keys of the instance Secure Storage in the File System (SSFS) and the system PKI SSFS are now changed automatically after installation or upgrade. The instance SSFS protects the root keys used for data volume encryption, and the system PKI SSFS protects the root key of the system's internal certificate infrastructure used for network encryption between hosts. Until now every installation started out with the same well-known initial keys, and changing them was a manual post-installation step that was easy to forget.
The initial default encryption key of the secure user store (hdbuserstore) is now changed automatically when the first entry is created. hdbuserstore is the client-side store for logon credentials used to connect to an SAP HANA system without typing a password, for example by application servers, backup scripts and other ODBC/JDBC clients.
Encryption of communication between SAP HANA internal processes (database engine, name server, XS application server, etc.) is now enabled automatically when internal communication in a multiple-host SAP HANA system is configured.
For data management purposes, you can now delete all entries from the database table used as audit trail target with a single SQL statement:
ALTER SYSTEM CLEAR AUDIT LOG ALL
This is intended for the exceptional case in which the table has grown so large that there is not enough memory left to delete only the old entries. Keep in mind that the statement also discards the audit evidence you may need later, so treat it as a last resort. Monitoring the audit table regularly and trimming it in smaller steps is of course better.
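The following statements are an added example, not part of the original post, showing the regular housekeeping that should keep CLEAR AUDIT LOG ALL from ever being necessary: check how large the audit trail table has become, check the age of the oldest entries, and remove entries older than a retention cut-off. The retention date is an assumption for the example; choose it according to your own retention requirements and only after the entries have been archived if you need to keep them.

```sql
-- Added example (not from the original post). The cut-off date is a placeholder.

-- 1. Size of the column-store table behind the public AUDIT_LOG view.
SELECT SCHEMA_NAME, TABLE_NAME, RECORD_COUNT,
       ROUND(MEMORY_SIZE_IN_TOTAL / 1024 / 1024) AS MEMORY_MB
  FROM M_CS_TABLES
 WHERE SCHEMA_NAME = '_SYS_AUDIT'
   AND TABLE_NAME  = 'CS_AUDIT_LOG_';

-- 2. Age range of the entries currently held.
SELECT MIN(TIMESTAMP) AS OLDEST_ENTRY,
       MAX(TIMESTAMP) AS NEWEST_ENTRY,
       COUNT(*)       AS ENTRIES
  FROM AUDIT_LOG;

-- 3. Regular housekeeping: remove only entries older than the retention cut-off.
--    This is the operation that fails for lack of memory once the table has
--    been left to grow for too long.
ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2015-09-01 00:00:00';

-- 4. Last resort only, when step 3 no longer fits in memory: drop everything.
-- ALTER SYSTEM CLEAR AUDIT LOG ALL;
```

Running steps 1 and 2 on a schedule and alerting on the result gives you the warning the post asks for; step 3 is then a routine operation instead of an emergency.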
The following user actions in SAP HANA can now be audited:
Integration of SAP HANA into the SAP Security Baseline, EarlyWatch Alert and Configuration Validation has been improved. The checks were first delivered with the SAP Solution Manager Plug-In ST-SER 620_2005_1 and have been revised several times since. See SAP Note 863362 - Security checks in SAP EarlyWatch Alert, EarlyWatch and GoingLive sessions.
The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with thousands of free tutorial videos.