Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
dvankempen
Product and Topic Expert
Product and Topic Expert

Introduction


In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 00.

The topic of this blog is security.

For the previous versions of this blog, see

For the full SAP HANA 2.0 SPS 00 blog list, see

 

Tutorial Video



What's New?


Encryption


Data volume encryption was introduced with SAP HANA 1.0 SPS 09. With 2.0, log volume encryption is now also supported. You enable log volume encryption using SQL. Data volume encryption can also be enabled using the new SAP HANA cockpit.
-- enable data volume encryption 
ALTER SYSTEM PERSISTENCE ENCRYPTION ON
-- ALTER SYSTEM PERSISTENCE ENCRYPTION OFF

-- enable redo log encryption
ALTER SYSTEM LOG ENCRYPTION ON
-- ALTER SYSTEM LOG ENCRYPTION OFF

-- Query status
SELECT * FROM M_ENCRYPTION_OVERVIEW

The management of the encryption root keys used for data volume encryption, redo log encryption, and the internal application encryption service has been enhanced:

  • You can now update all three root keys by SQL statement

  • You can now backup all three root keys to a dedicated password-protected file


For this, a new system privilege has been added: ENCRYPTION ROOT KEY ADMIN.

You may recall that to change encryption root keys in HANA 1.0, you could SQL for the data volume encryption root key but to change the application encryption service root key, only the command line tool hdbnsutil was available.



This illustration shows the three root keys stored in the Instance SSFS (Secure Store in the File System); think of it as a safe.

  • application encryption service (orange)

  • data volume (persistence) encryption (green)

  • log volume encryption (blue)


The contents of the Instance SSFS can be exported in a password protected file.



This illustration shows the hand-over flow for changing master and root keys. You would follow this flow when you receive SAP HANA as an appliance from a hardware vendor, or SAP HANA express edition on a virtual machine (for production use).

To avoid any data loss in a disaster scenario, the best approach is to first create a new key in the safe (SSFS) but not activate it:
-- change encryption root keys
ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE
ALTER SYSTEM LOG ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE
ALTER SYSTEM APPLICATION ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE

Next, perform the backup of the root key(s). This will ensure that you have a backup of the new key before it is actually being used by HANA. Should you need to recover the encryption root key store, you can be confident that your backup contains all the root keys that are potentially needed.

To backup the root keys, you can use the follow SQL statement:
ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD <passphrase>

Next, create the root key backup file with RKB extension, using either SQL:
SELECT ENCRYPTION_ROOT_KEYS_EXTRACT_KEYS 
('PERSISTENCE, APPLICATION, LOG') FROM DUMMY
-- copy the CLOB result and save it to a file
-- at a secure external location (with extension *.rkb)

... or the hdbnsutil tool with -backupRootKeys flag:
# alternatively use command line
hdbnsutil -backupRootKeys <filename>.rkb --type='ALL' [--dbid=dbid ]
hdbnsutil -validateRootKeysBackup <filename> [--password=<passphrase>]

You can backup each key separately or you can backup all keys together.

The DBID parameter is used for tenant databases, as in multitenant database containers systems each tenant has its own root keys.

Then, when you are confident that the root key backup is good, that is the validation is successful (and maybe have tested recovering the key on a test system), you can now activate the new root key(s):
-- activate the key
ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW ROOT KEY
ALTER SYSTEM LOG ENCRYPTION ACTIVATE NEW ROOT KEY
ALTER SYSTEM APPLICATION ENCRYPTION ACTIVATE NEW ROOT KEY

Should you need to recover the keys, here is the command:
hdbnsutil -recoverRootKeys <filename>.rkb --type='ALL' [--dbid=<dbid>]
[--password=<passphrase>]

Authorization - LDAP Groups


You can now take advantage of LDAP group membership to authorize SAP HANA users, for those environments that use an LDAP-compliant identity management server to manage users and their access to resources. There are many different LDAP-compliant IdM implementations, SAP provides one, but also Microsoft with Active Directory, others are open source.

The new system privilege LDAP ADMIN is required to configure LDAP group authorization.

The following figures illustrates how a user is authorized on the basis of their LDAP group membership:



You can create an LDAP provider by SQL statement:
-- create LDAP provider
CREATE LDAP PROVIDER my_ldap_provider
CREDENTIAL TYPE ‘PASSWORD’
USING ‘user=cn=LookupAccount,o=sap.com;password=hUWe8ZTiQyG’
USER LOOKUP URL
'ldap://idp.sap.com:389/ou=Users,dc=sap,dc=com??sub?(&(objectClass=user)(sAMAccountName=*))'
ATTRIBUTE DN 'distinguishedName'
ATTRIBUTE MEMBER_OF 'memberOf'
SSL ON
DEFAULT ON
ENABLE PROVIDER


User authorization is then delegated to the LDAP provider:
-- validate the LDAP provider
VALIDATE LDAP PROVIDER my_ldap_provider CHECK USER user1

-- create user with LDAP authorization
CREATE USER user1 PASSWORD <password> AUTHORIZATION LDAP


For more information, see

 

Authorization - GRANT | REVOKE PUBLIC role


Restricted users can now be converted into a standard user (or vice versa) by SQL statement:
-- granting (or revoking) the PUBLIC role 
ALTER USER <username> GRANT ROLE PUBLIC;
ALTER USER <username> REVOKE ROLE PUBLIC;

-- granting (or revoking) authorization to create objects in the user's own schema
ALTER USER <username> GRANT CREATE ANY ON OWN SCHEMA;
ALTER USER <username> REVOKE CREATE ANY ON OWN SCHEMA;

-- enabling (or disabling) full SQL
ALTER USER <user_name> ENABLE CLIENT CONNECT ;

Security Administration with SAP HANA Cockpit


The SAP HANA cockpit for SAP HANA 2.0 has been completely redesigned both from an architecture perspective as in the way the cockpit looks (within the Fiori framework).

The three tiles, Data Storage Security, Auditing, and Authentication, clearly show important security information, for example when SSFS master keys or the SYSTEM user password were last changed.

Selecting the tile will open the respective app, to configure data volume encryption, auditing or password policies.



New is that in cockpit 2.0, you can also create and configure database users, both standard and restricted.


Playlist


On the SAP HANA Academy, there is a full playlist covering all aspects of security: bit.ly/SAPHANASecurity


Documentation


For more information see:

SAP HANA



SAP Help Portal



SAP Notes



 

Thank you for watching


The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with 1000’s of free tutorial videos.

For the full library, see SAP HANA Academy Library - by the SAP HANA Academy

For the full list of blogs, see Blog Posts – by the SAP HANA Academy