SAP HCI – Security FAQ and Checklist!
In this blog I want to talk about SAP HCI related security questions that customers frequently ask.
SAP HANA Cloud Integration, or SAP HCI as most call it, enables you to connect your cloud applications quickly and seamlessly to other SAP and non-SAP applications (on-cloud or on-premise).
As more and more customers started using SAP HANA Cloud Integration for process integration, many questions were asked about security and connections. Setting up a secure connection between a customer system and the integration platform (which is based on SAP HANA Cloud Platform) also requires the cooperation of experts at SAP and on the customer's side.
We as a team (Piyush Gakhar, Patrick Kelleher and myself) have come up with an SAP HCI Security FAQ and Checklist.
Hope this helps you as you work on your customer project!
(Note: for terminology, refer to the SAP HCI Operations Guide.)
So here we go…
1. How do I add new users and authorizations when a customer gets the SAP HCI tenant? Who is authorized to add new users?
When SAP provisions a tenant, admin rights are given to the customer's S-user ID mentioned in the order form during contract signing. This admin user can go to the HANA Cloud Platform cockpit, add further admins and users, and assign them roles and authorizations. By default, SAP HCI uses the SAP Cloud identity provider, hence all users must have valid S-user IDs or P-user IDs, which can be requested/generated from Service Market Place or SAP Community Network.
2. Where are all the roles and authorizations listed that can be assigned to users?
Please look at https://cloudintegration.hana.ondemand.com/PI/help > Operating SAP HCI > User Management for SAP HCI > Managing Users and Roles Assignments > Defining Authorizations
3. How do I contact SAP HCI Cloud Operations support for tenant provisioning and security-related issues or information?
An incident can be raised on component LOD-HCI-PI-OPS.
4. Are CA-signed certificates mandatory for transport-level authentication, and for which scenarios are CA-signed certificates needed?
Please refer to the table matrix available in Section-2 "Checklist for Security" of this document.
5. Where can I find the list of CAs approved by SAP?
Please look at https://cloudintegration.hana.ondemand.com/PI/help > Operating SAP HCI
6. While getting certificates signed by a CA, we have multiple systems and want to use the same signed certificate for different systems. Can we put * in the Common Name field (e.g. *.xxxxx.com) when getting our certificates signed? Is this allowed by SAP?
Technically, SAP supports a wildcard in the CN field only for certificate-based client authentication, but the recommendation is to use the full host name in the CN field for both inbound and outbound scenarios. For HTTPS outbound, SAP manages the CA-signed key pairs and uses the full host name in the CN field.
7. Can I use self-signed certificates for HTTPS certificate-based client authentication (also referred to as dual authentication)?
No, self-signed certificates are not supported for transport-level security.
8. For which scenarios are self-signed certificates supported? Can I use them for message-level encryption and signing?
Yes, you can use self-signed certificates for message-level encryption and signing; however, SAP recommends using CA-signed certificates.
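As an added example (not part of the original post and not SAP's code), the Go program below applies the certificate rules from questions 4 to 8 to a parsed X.509 client certificate: a self-signed certificate is rejected for transport-level (HTTPS client) authentication, a wildcard CN is flagged, and the chain is verified against a pool of approved CAs. The test CA, the host names and the Finding type are constructed placeholders; in practice the pool would hold the CAs from SAP's approved list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

type Finding struct { // checklist verdict for one client certificate (hypothetical type, not SAP's)
	SelfSigned bool // certificate verifies under its own key: not accepted for transport-level auth
	WildcardCN bool // CN like *.example.com: technically accepted for client auth, full host name recommended
	ChainValid bool // chains to a CA on the approved list for the clientAuth purpose
}
// CheckClientCert applies the FAQ rules to a parsed leaf certificate and the approved-CA pool.
func CheckClientCert(leaf *x509.Certificate, approved *x509.CertPool) Finding {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: approved, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return Finding{
		SelfSigned: leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil,
		WildcardCN: strings.HasPrefix(leaf.Subject.CommonName, "*."),
		ChainValid: err == nil, // false for self-signed certs and for issuers outside the approved list
	}
}
func TransportLevelOK(f Finding) bool { return !f.SelfSigned && f.ChainValid } // HTTPS client auth needs a CA-signed cert
// mintCert issues a constructed test certificate for cn; parent == nil yields a self-signed one.
func mintCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign is only honoured when isCA
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the template signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func main() {
	ca, caKey := mintCert("Constructed Test CA", true, nil, nil) // stands in for an SAP-approved CA
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	leaf, _ := mintCert("erp.example.com", false, ca, caKey)
	println(TransportLevelOK(CheckClientCert(leaf, pool))) // true
}
```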
9. Who maintains and manages the keystore? Can control be given to the end customer?
As of today, the SAP Cloud Operations team manages the keystore for customers. Customers cannot manage the keystore or the known hosts file (the known hosts file is required for SFTP connectivity). As of today, the only exception is the HCI developer P4EAD edition, where partners can manage the keystore and known hosts file themselves for test tenants.
10. What is the procedure for using certificates for message-level encryption and signing?
Customers can use the certificates present in the keystore provided by the SAP Cloud Ops team, as the keystore is managed by SAP. If a customer wants to use its own key pair for some reason, the customer needs to raise a ticket with the SAP Cloud Ops team (component LOD-HCI-PI-OPS) and SAP will qualify the request. There are different ways in which a customer can sign and encrypt HCI message content (for example PGP, X.509, etc.), covered in the online documentation here.
11. Does a customer need to request HTTP(S) port opening separately for outbound connectivity?
By default, port 443 and all HTTP ports above 1024 are open. For new port requests, or if a customer faces any difficulty, the customer can raise a request at LOD-HCI-PI-OPS.
12. What are the IP address ranges for the HCI landscape that a customer needs to configure in their own firewall for inbound connections (IP whitelisting)?
Please refer to the documentation: https://cloudintegration.hana.ondemand.com/PI/help > Virtual System Landscapes
13. Where can customers find details on SAP data centers and security?
Details are available on the SAP website under SAP Data Centres Information (refer to section 2 for Security).
14. What is the SAP Cloud Connector (or HANA Cloud Connector) and is it mandatory?
The Cloud Connector is a complementary offering to SAP HCI. The SAP Cloud Connector needs to be installed on premise and is an integral component of HCP. It acts as a reverse proxy and creates a secure tunnel to the customer's own HCP/HCI account. SAP HCI can route calls via the SAP Cloud Connector for HTTP-based protocols (e.g. SOAP, OData, IDoc XML, etc.). SCC is the preferred mode of communication for HCP customers. However, it is not mandatory, as a customer may use other reverse proxy software, e.g. Web Dispatcher.
Section-2 Checklist for Transport Level Security
(Note: the checklist is provided as three images in the original post; click each picture to see the entire list.)
Hope this helped!
This is great info, well organized, and very relevant to any HCI developer.
Thanks for the post.
Thank You Jim!
This is really helpful.
Thank you so much for the informative blog.
Very well articulated. Thanks for producing the detailed blog.
I know there are two options - basic auth with S-user and certificate auth (with or without user mapping). Also SAP says certificate auth with user mapping is the preferred way. But how should that work in production environments?
Let's say we have twenty sender (business) systems. I create/order twenty certificates. To which user shall I map them? S-users are personal accounts. What if the user (whose S-user is defined in the certificate-to-user mapping) leaves the company or deletes his account? This is a huge business impact!
Why isn't it possible to create "technical users" which aren't related to persons but to the technical business systems? Yes, we could use cert auth without user mapping. But SAP itself proclaims that using user mappings is the way to go. So could you please clarify how the situation described above can be handled?
After a long time, just to share.
For each business system we require the creation of a new S-user with SAP; to this user we assign only SCP permissions and no launchpad authorization.
This is for the NEO environment; for CloudFoundry look at: