Managing Encryption Keys for SAP HANA Express – by the SAP HANA Academy
Recently, we have published a number of new tutorial videos to the SAP HANA Express edition playlist on our SAP HANA Academy YouTube Channel.
In this playlist you will find video tutorials about miscellaneous topics; some included in the Getting Started with SAP HANA express edition guide (PDF) that comes with the download, others not (yet). Some examples:
- Using International Keyboards (VM), in which Philip Mugglestone explains how to enter the password on an AZERTY keyboard
- Start and Stop SAP HANA on the VM – **Spoiler Alert!** – it is not the Reset button on the VM player
- Connecting with Terminal, or how to enable Copy and Paste
... and there is more to come.
In this blog, I will provide some background about an important security topic: managing encryption keys.
SAP HANA uses the same technology as ABAP systems to protect encryption root keys, namely, the secure store in the file system (SSFS).
This technology is used for two different purposes:
- Secure internal communication channels (PKI SSFS)
- Server-side data encryption (instance SSFS)
All internal SAP HANA communication can be secured using TLS/SSL and for this a public-key infrastructure (PKI) is set up during installation. These keys are stored in the PKI SSFS.
The figure below shows some examples where this is used. For SAP HANA, express edition, this applies to localhost, multitenant database container system (MDC), and smart data access communication. Multiple hosts, dynamic tiering and system replication are not in the feature scope but, as stated in the Feature Scope Description document, they ‘are subject to change without prior notice’.
For server-side data encryption, another SSFS is used. This store protects the root keys for data volume encryption and for the internal data encryption service, currently used for:
- Database-internal secure credential store for outbound connections (for example, smart data access)
- SAP HANA XS security store API
- Private key store for secure client-server connections (for example, SAP HANA studio connections using SSL)
The figure below shows where the master and root keys are stored.
SSFS master keys and the different root keys are generated at installation time.
If you have downloaded SAP HANA express edition as a VM, this means that your keys are not unique: they are exactly the same as on every other copy of the VM.
This is a similar situation to those customers who received SAP HANA as an appliance from a hardware vendor or hosting partner.
As mentioned in the SAP HANA Administration Guide, the Security Guide (see below under Help Portal) and also, for example, in the Checklist for Secure Handover, or SAP Note 2183624 – Potential information leakage using default SSFS master key in HANA, you need to change the encryption keys to ensure they are not known outside your organization.
So how can you do this? It is simple.
1. Watch the video
2. Run the script: https://github.com/saphanaacademy/HXE/tree/master/SSFS
WARNING!!
On the server-plus-apps VM, a PSE certificate with name SAPXSUAASAML is stored in the database encrypted by the DPAPI root key. Generating a new DPAPI root key will delete the old key. As a result, you will no longer be able to access the XS Advanced applications.
Thank you for watching. Your comments are welcome.
Blog Series
This blog is part of a series:
- https://blogs.sap.com/2016/11/03/running-sap-hana-express-in-cal-by-the-sap-hana-academy/
- https://blogs.sap.com/2016/10/31/backup-databases-sap-hana-express-sap-hana-academy/
- https://blogs.sap.com/2016/10/27/create-tenant-database-sap-hana-express-sap-hana-academy/
- https://blogs.sap.com/2016/10/21/managing-encryption-keys-sap-hana-express-sap-hana-academy/
Help Portal
Change the SSFS Master Keys
Change the Root Key of the Internal Data Encryption Service
Secure Storage in the File System (AS ABAP)
SAP Notes
2183624 – Potential information leakage using default SSFS master key in HANA
2228829 – How to Change the DPAPI Root Key
Thank you for watching
The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.
Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.
For the full list of blogs, see Blog Posts – by the SAP HANA Academy.
- Subscribe to our YouTube channel for updates
- Join us on LinkedIn: linkedin.com/in/saphanaacademy
- Follow us on Twitter: @saphanaacademy
- Google+: plus.google.com/+saphanaacademy
- Facebook: facebook.com/saphanaacademy
Hi Denys,
Thanks for providing these tutorials.
In the video on managing encryption keys you check to see that the PSE_CERTIFICATES table does not contain 'OWN' certificate_usage.
In your videos you've been using the Server Only version of HANA Express. I've downloaded the Server + application one and see that it contains the SAPXSUAASAML PSE with CERTIFICATE_USAGE = OWN. I already performed the steps to change the master keys and now I'm unable to access the XSA engine. I've already posted a question on this at the beginning of the month: https://answers.sap.com/questions/27365/uaa-security-is-not-up-on-hana-express.html. Do you know what steps to take to reset the certificate?
Hi Niels,
Thanks for watching and thanks for pointing this out.
As discussed in the video and as documented in the SAP HANA administration/security guide and related SAP notes, if you update the DPAPI root key, you can no longer access the objects that have been encrypted with the previous key. This is the reason that you can no longer access XSA.
See my comments: http://answers.sap.com/answers/46981/view.html
SAP Note 2229831 - HANA Internal Data Encryption Service and DPAPI Root Key describes how to reset the certificate:
If necessary, you can reset all own certificates by resupplying them in PEM format (own certificate, private key, certificate chain). To this end, for each affected own certificate run the SQL statement
ALTER PSE <PSE name> SET OWN CERTIFICATE '<certificate PEM>'
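The pre-flight check behind the warning in the blog and the certificate reset from SAP Note 2229831, written out as an added SQL example (not from the blog, the video or the HXE SSFS script). The PSE_CERTIFICATES view and its PSE_NAME and CERTIFICATE_USAGE columns are the ones named in the thread; <PSE name> and the PEM body are placeholders to replace with your own values.

```sql
-- Step 1 (added example): run this BEFORE changing the DPAPI root key.
-- Every PSE that holds an OWN certificate is encrypted with the current
-- root key and becomes unusable once the key is regenerated. On the
-- Server Only VM this returns no rows; on the server-plus-apps VM it
-- returns SAPXSUAASAML, the PSE the XS Advanced UAA depends on.
SELECT PSE_NAME, CERTIFICATE_USAGE
  FROM PSE_CERTIFICATES
 WHERE CERTIFICATE_USAGE = 'OWN'
 ORDER BY PSE_NAME;

-- Step 2: if rows came back, keep the own certificate, its private key and
-- the certificate chain available in PEM format before running the key
-- change. After the change, resupply them per SAP Note 2229831, once per
-- affected PSE. The PEM sections below are placeholders, not real material.
ALTER PSE <PSE name> SET OWN CERTIFICATE
'-----BEGIN CERTIFICATE-----
<own certificate, base64>
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
<private key, base64>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<certificate chain, base64>
-----END CERTIFICATE-----';

-- Step 3: confirm the PSE again carries an OWN certificate under the
-- new root key (replace <PSE name>, e.g. SAPXSUAASAML on the apps VM).
SELECT PSE_NAME, CERTIFICATE_USAGE
  FROM PSE_CERTIFICATES
 WHERE PSE_NAME = '<PSE name>'
   AND CERTIFICATE_USAGE = 'OWN';
```

Run step 1 in the SYSTEMDB and in each tenant, since PSEs are per database and the check in the video only covers the database you are connected to.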