SAP HANA Multitenancy Multi-tenant Database encryption with change of encryption root key for SYSTEMDB
Why This Blog:
In the course of my work, I am currently, amongst other things, setting up an SAP HANA system running multiple database tenants with a high level of security.
In this case, the high-level security measure is to enable Data Volume Encryption on the HANA system.
This is the first time I have enabled Data Volume Encryption with a HANA Multitenant Database.
After we executed the steps described in the SAP HANA Administration Guide for enabling Data Volume Encryption, alert '57' was raised in our SYSTEMDB, reporting "Inconsistent SSFS". At this point our tenant DB was working without issues, including backup. For the system DB we were experiencing all the symptoms reported by SAP Note 2097613.
9 Data Storage Security in SAP HANA
18.104.22.168 Enable Data Volume Encryption Without System Reinstallation
4.4.2 Data Volume Encryption in Multitenant Database Containers
As part of the procedure you have the option to change the encryption key. You have decided to change the encryption key of your SYSTEMDB.
You have just converted your single-node SAP HANA system to MDC. There is a SYSTEMDB and a single tenant running in the system.
You have fully encrypted both the SYSTEMDB and the tenant DB.
You have changed the root encryption of your tenant DB, therefore you are not able to do the restore of the SSFS described in the SAP Note above, which would render the DB unusable.
Resetting persistency information of SYSTEMDB in SSFS
Log in to your SAP HANA system as the <sid>adm user and execute the following commands:
\e hdbnameserver <instance no.> <SAP HANA System name> – This will connect to the nameserver of the "SYSTEMDB"
crypto ssfs resetConsistency – This command will reset the consistency information in the SSFS, activating the new key