In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced with SAP HANA 2.0 Support Package Stack (SPS) 00.
The topic of this blog is security.
For the complete list of blogs by the SAP HANA Academy for SAP HANA 2.0, see: https://blogs.sap.com/2016/12/01/whats-new-with-sap-hana-2.0-sps-00-by-the-sap-hana-academy/
Data volume encryption was introduced with SAP HANA 1.0 SPS 09. With 2.0, log volume encryption is now also supported. You enable log volume encryption using SQL. Data volume encryption can also be enabled using the new SAP HANA cockpit.
-- enable data volume encryption ALTER SYSTEM PERSISTENCE ENCRYPTION ON -- ALTER SYSTEM PERSISTENCE ENCRYPTION OFF -- enable redo log encryption ALTER SYSTEM LOG ENCRYPTION ON -- ALTER SYSTEM LOG ENCRYPTION OFF -- Query status SELECT * FROM M_ENCRYPTION_OVERVIEW
The management of the encryption root keys used for data volume encryption, redo log encryption, and the internal application encryption service has been enhanced:
- You can now update all three root keys by SQL statement
- You can now backup all three root keys to a dedicated password-protected file
For this, a new system privilege has been added: ENCRYPTION ROOT KEY ADMIN.
You may recall that to change encryption root keys in HANA 1.0, you could SQL for the data volume encryption root key but to change the application encryption service root key, only the command line tool hdbnsutil was available.
This illustration shows the three root keys stored in the Instance SSFS (Secure Store in the File System); think of it as a safe.
- application encryption service (orange)
- data volume (persistence) encryption (green)
- log volume encryption (blue)
The contents of the Instance SSFS can be exported in a password protected file.
This illustration shows the hand-over flow for changing master and root keys. You would follow this flow when you receive SAP HANA as an appliance from a hardware vendor, or SAP HANA express edition on a virtual machine (for production use).
To avoid any data loss in a disaster scenario, the best approach is to first create a new key in the safe (SSFS) but not activate it:
-- change encryption root keys ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE ALTER SYSTEM LOG ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE ALTER SYSTEM APPLICATION ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE
Next, perform the backup of the root key(s). This will ensure that you have a backup of the new key before it is actually being used by HANA. Should you need to recover the encryption root key store, you can be confident that your backup contains all the root keys that are potentially needed.
To backup the root keys, you can use the follow SQL statement:
ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD <passphrase>
Next, create the root key backup file with RKB extension, using either SQL:
SELECT ENCRYPTION_ROOT_KEYS_EXTRACT_KEYS ('PERSISTENCE, APPLICATION, LOG') FROM DUMMY -- copy the CLOB result and save it to a file -- at a secure external location (with extension *.rkb)
… or the hdbnsutil tool with -backupRootKeys flag:
# alternatively use command line hdbnsutil -backupRootKeys <filename>.rkb --type='ALL' [--dbid=dbid ] hdbnsutil -validateRootKeysBackup <filename> [--password=<passphrase>]
You can backup each key separately or you can backup all keys together.
The DBID parameter is used for tenant databases, as in multitenant database containers systems each tenant has its own root keys.
Then, when you are confident that the root key backup is good, that is the validation is successful (and maybe have tested recovering the key on a test system), you can now activate the new root key(s):
-- activate the key ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW ROOT KEY ALTER SYSTEM LOG ENCRYPTION ACTIVATE NEW ROOT KEY ALTER SYSTEM APPLICATION ENCRYPTION ACTIVATE NEW ROOT KEY
Should you need to recover the keys, here is the command:
hdbnsutil -recoverRootKeys <filename>.rkb --type='ALL' [--dbid=<dbid>] [--password=<passphrase>]
Authorization – LDAP Groups
You can now take advantage of LDAP group membership to authorize SAP HANA users, for those environments that use an LDAP-compliant identity management server to manage users and their access to resources. There are many different LDAP-compliant IdM implementations, SAP provides one, but also Microsoft with Active Directory, others are open source.
The new system privilege LDAP ADMIN is required to configure LDAP group authorization.
The following figures illustrates how a user is authorized on the basis of their LDAP group membership:
You can create an LDAP provider by SQL statement:
-- create LDAP provider CREATE LDAP PROVIDER my_ldap_provider CREDENTIAL TYPE ‘PASSWORD’ USING ‘user=cn=LookupAccount,o=sap.com;password=hUWe8ZTiQyG’ USER LOOKUP URL 'ldap://idp.sap.com:389/ou=Users,dc=sap,dc=com??sub?(&(objectClass=user)(sAMAccountName=*))' ATTRIBUTE DN 'distinguishedName' ATTRIBUTE MEMBER_OF 'memberOf' SSL ON DEFAULT ON ENABLE PROVIDER
User authorization is then delegated to the LDAP provider:
-- validate the LDAP provider VALIDATE LDAP PROVIDER my_ldap_provider CHECK USER user1 -- create user with LDAP authorization CREATE USER user1 PASSWORD <password> AUTHORIZATION LDAP
For more information, see https://blogs.sap.com/2016/12/06/ldap-group-authorization/
Authorization – GRANT | REVOKE PUBLIC role
Restricted users can now be converted into a standard user (or vice versa) by SQL statement:
-- granting (or revoking) the PUBLIC role ALTER USER <username> GRANT ROLE PUBLIC; ALTER USER <username> REVOKE ROLE PUBLIC; -- granting (or revoking) authorization to create objects in the user's own schema ALTER USER <username> GRANT CREATE ANY ON OWN SCHEMA; ALTER USER <username> REVOKE CREATE ANY ON OWN SCHEMA; -- enabling (or disabling) full SQL ALTER USER <user_name> ENABLE CLIENT CONNECT ;
Security Administration with SAP HANA Cockpit
The SAP HANA cockpit for SAP HANA 2.0 has been completely redesigned both from an architecture perspective as in the way the cockpit looks (within the Fiori framework).
The three tiles, Data Storage Security, Auditing, and Authentication, clearly show important security information, for example when SSFS master keys or the SYSTEM user password were last changed.
Selecting the tile will open the respective app, to configure data volume encryption, auditing or password policies.
New is that in cockpit 2.0, you can also create and configure database users, both standard and restricted.
On the SAP HANA Academy, there is a full playlist covering all aspects of security: bit.ly/SAPHANASecurity
For more information see:
- SAP HANA Security on sap.com
- SAP HANA Security Whitepaper
SAP Help Portal
- How and when to change encryption keys (SAP HANA Security Guide)
- Root Key Backup
- Internal Application Encryption Service
- Configure LDAP Group Authorization
- SAP HANA Cockpit
- 2380257 – SAP HANA Platform 2.0 SPS 00 Release Note
- 2159014 – FAQ: SAP HANA Security
- 2380291 – SAP HANA 2.0 Cockpit Central Release Note
Thank you for watching
You can view more online videos and hands-on use cases to help you answer the What, How and Why questions about SAP HANA and the SAP HANA Cloud Platform on the SAP HANA Academy at youtube.com/saphanaacademy.