dvankempen
Product and Topic Expert
Recently, we have published a number of new tutorial videos to the SAP HANA Express edition playlist on our SAP HANA Academy YouTube Channel.

In this playlist you will find video tutorials about miscellaneous topics; some included in the Getting Started with SAP HANA express edition guide (PDF) that comes with the download, others not (yet). Some examples:

... and there is more to come.



In this blog, I will provide some background about an important security topic: managing encryption keys.

SAP HANA uses the same technology as ABAP systems to protect encryption root keys, namely, the secure store in the file system (SSFS).

This technology is used for two different purposes:

  • Secure internal communication channels (PKI SSFS)

  • Server-side data encryption (instance SSFS)


All internal SAP HANA communication can be secured using TLS/SSL and for this a public-key infrastructure (PKI) is set up during installation. These keys are stored in the PKI SSFS.

The figure below shows some examples where this is used. For SAP HANA, express edition, this applies to localhost, multitenant database container system (MDC), and smart data access communication. Multiple hosts, dynamic tiering and system replication are not in the feature scope but, as stated in the Feature Scope Description document, they 'are subject to change without prior notice'.



For server-side data encryption, another SSFS is used. This store protects the root keys for data volume encryption and for the internal data encryption service, currently used for:

  • Database-internal secure credential store for outbound connections (for example, smart data access)

  • SAP HANA XS security store API 

  • Private key store for secure client-server connections (for example, SAP HANA studio connections using SSL)


The figure below shows where the master and root keys are stored.



SSFS master keys and the different root keys are generated at installation time.

If you downloaded SAP HANA express edition as a VM, this means that your keys are not unique: they are exactly the same as on every other copy of that VM.

This is a similar situation to those customers who received SAP HANA as an appliance from a hardware vendor or hosting partner.

As mentioned in the SAP HANA Administration Guide, the Security Guide (see below under Help Portal) and also, for example, in the Checklist for Secure Handover, or SAP Note 2183624 - Potential information leakage using default SSFS master key in HANA, you need to change the encryption keys to ensure they are not known outside your organization.

So how can you do this? It is simple.

1. Watch the video


2. Run the script: https://github.com/saphanaacademy/HXE/tree/master/SSFS

WARNING!!

On the server-plus-apps VM, a PSE certificate with name SAPXSUAASAML is stored in the database encrypted by the DPAPI root key.

Generating a new DPAPI root key will delete the old key. As a result, you will no longer be able to access the XS Advanced applications.
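To make the two effects described above concrete, here is an added example (it is not code from this blog, from the SSFS script, or from SAP): a small stand-alone model of the key hierarchy the post describes, master key (SSFS) protecting root keys (PERSISTENCE, DPAPI), which in turn protect data. It shows why a master key shared by every VM image lets any holder of the image unwrap the root keys, that changing the master key only re-wraps the root keys (the way SAP's `rsecssfx changekey` re-encrypts the store) and leaves encrypted data readable, and why generating a new DPAPI root key without re-encrypting makes the existing SAPXSUAASAML entry unreadable. The cipher is an HMAC-SHA256 based toy using only the standard library; every key value and the PSE contents are constructed for the demo, and `InstanceSSFS`, `DataStore` and `rotation_demo` are names chosen here, not HANA APIs.

```python
# Added example, not from the blog or from SAP. Models the hierarchy
#   SSFS master key  ->  root keys (PERSISTENCE, DPAPI)  ->  data
# with a stdlib-only toy cipher; all key material below is constructed.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC with subkeys derived from `key`: nonce|ct|tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered entry")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class InstanceSSFS:
    """Model of the instance SSFS: root keys kept encrypted under the master key."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.entries: dict[str, bytes] = {}

    def generate_root_key(self, name: str) -> None:
        # A newly generated root key replaces the previous key of that name.
        self.entries[name] = seal(self.master_key, secrets.token_bytes(32))

    def root_key(self, name: str) -> bytes:
        return unseal(self.master_key, self.entries[name])

    def change_master_key(self, new_master: bytes) -> None:
        # Re-wrap every root key under the new master key. The root keys
        # themselves, and all data encrypted under them, are untouched.
        self.entries = {n: seal(new_master, self.root_key(n)) for n in self.entries}
        self.master_key = new_master


class DataStore:
    """Stand-in for database entries protected by the DPAPI root key."""

    def __init__(self, ssfs: InstanceSSFS):
        self.ssfs = ssfs
        self.rows: dict[str, bytes] = {}

    def write(self, name: str, value: bytes) -> None:
        self.rows[name] = seal(self.ssfs.root_key("DPAPI"), value)

    def read(self, name: str) -> bytes:
        return unseal(self.ssfs.root_key("DPAPI"), self.rows[name])


# Constructed stand-in for the one master key every VM image copy shares.
DEFAULT_MASTER_KEY = hashlib.sha256(b"constructed-default-key-shared-by-all-VMs").digest()


def cloned_vm_can_read_store(store: InstanceSSFS) -> bool:
    """Whoever holds the same image holds the default master key; can they
    unwrap this instance's DPAPI root key with it?"""
    try:
        unseal(DEFAULT_MASTER_KEY, store.entries["DPAPI"])
        return True
    except ValueError:
        return False


def rotation_demo() -> dict:
    ssfs = InstanceSSFS(DEFAULT_MASTER_KEY)
    ssfs.generate_root_key("PERSISTENCE")
    ssfs.generate_root_key("DPAPI")
    db = DataStore(ssfs)
    db.write("SAPXSUAASAML", b"constructed PSE contents")
    out = {"before_change_readable_by_clone": cloned_vm_can_read_store(ssfs)}

    ssfs.change_master_key(secrets.token_bytes(32))  # new, instance-unique master key
    out["after_change_readable_by_clone"] = cloned_vm_can_read_store(ssfs)
    out["data_still_readable"] = db.read("SAPXSUAASAML") == b"constructed PSE contents"

    ssfs.generate_root_key("DPAPI")  # the step the warning is about: old key is gone
    try:
        db.read("SAPXSUAASAML")
        out["pse_readable_after_new_dpapi_key"] = True
    except ValueError:
        out["pse_readable_after_new_dpapi_key"] = False
    return out


if __name__ == "__main__":
    for k, v in rotation_demo().items():
        print(f"{k}: {v}")
```

Running the script prints four flags: the clone can read the store before the master-key change and cannot afterwards, the PSE entry is still readable after the change, and it is unreadable once a fresh DPAPI root key has replaced the one it was encrypted with. That last flag is exactly the situation the warning describes for the server-plus-apps VM.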


Thank you for watching. Your comments are welcome.


Blog Series


This blog is part of a series:





Help Portal


Change the SSFS Master Keys
Change the Root Key of the Internal Data Encryption Service
Secure Storage in the File System (AS ABAP)

SAP Notes

2183624 - Potential information leakage using default SSFS master key in HANA
2228829 - How to Change the DPAPI Root Key


Thank you for watching


The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.

Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.

For the full library, see SAP HANA Academy Library - by the SAP HANA Academy.

For the full list of blogs, see Blog Posts - by the SAP HANA Academy.