Introduction

In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced with SAP HANA 2.0 Support Package Stack (SPS) 00.

The topic of this blog is security.

For the complete list of blogs by the SAP HANA Academy for SAP HANA 2.0, see: https://blogs.sap.com/2016/12/01/whats-new-with-sap-hana-2.0-sps-00-by-the-sap-hana-academy/

Tutorial Video

What’s New?

Encryption

Data volume encryption was introduced with SAP HANA 1.0 SPS 09. With 2.0, log volume encryption is now also supported. You enable log volume encryption using SQL. Data volume encryption can also be enabled using the new SAP HANA cockpit.

-- enable data volume encryption 
ALTER SYSTEM PERSISTENCE ENCRYPTION ON 
-- ALTER SYSTEM PERSISTENCE ENCRYPTION OFF

-- enable redo log encryption 
ALTER SYSTEM LOG ENCRYPTION ON
-- ALTER SYSTEM LOG ENCRYPTION OFF

-- Query status
SELECT * FROM M_ENCRYPTION_OVERVIEW

The management of the encryption root keys used for data volume encryption, redo log encryption, and the internal application encryption service has been enhanced:

  • You can now update all three root keys by SQL statement
  • You can now backup all three root keys to a dedicated password-protected file

For this, a new system privilege has been added: ENCRYPTION ROOT KEY ADMIN.

You may recall that to change encryption root keys in HANA 1.0, you could SQL for the data volume encryption root key but to change the application encryption service root key, only the command line tool hdbnsutil was available.

This illustration shows the three root keys stored in the Instance SSFS (Secure Store in the File System); think of it as a safe.

  • application encryption service (orange)
  • data volume (persistence) encryption (green)
  • log volume encryption (blue)

The contents of the Instance SSFS can be exported in a password protected file.

This illustration shows the hand-over flow for changing master and root keys. You would follow this flow when you receive SAP HANA as an appliance from a hardware vendor, or SAP HANA express edition on a virtual machine (for production use).

To avoid any data loss in a disaster scenario, the best approach is to first create a new key in the safe (SSFS) but not activate it:

-- change encryption root keys
ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE 
ALTER SYSTEM LOG ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE
ALTER SYSTEM APPLICATION ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE

Next, perform the backup of the root key(s). This will ensure that you have a backup of the new key before it is actually being used by HANA. Should you need to recover the encryption root key store, you can be confident that your backup contains all the root keys that are potentially needed.

To backup the root keys, you can use the follow SQL statement:

ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD <passphrase>

Next, create the root key backup file with RKB extension, using either SQL:

SELECT ENCRYPTION_ROOT_KEYS_EXTRACT_KEYS 
 ('PERSISTENCE, APPLICATION, LOG') FROM DUMMY
-- copy the CLOB result and save it to a file 
-- at a secure external location (with extension *.rkb)

… or the hdbnsutil tool with -backupRootKeys flag:

# alternatively use command line
hdbnsutil -backupRootKeys <filename>.rkb --type='ALL' [--dbid=dbid ]
hdbnsutil -validateRootKeysBackup <filename> [--password=<passphrase>]

You can backup each key separately or you can backup all keys together.

The DBID parameter is used for tenant databases, as in multitenant database containers systems each tenant has its own root keys.

Then, when you are confident that the root key backup is good, that is the validation is successful (and maybe have tested recovering the key on a test system), you can now activate the new root key(s):

-- activate the key
ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW ROOT KEY
ALTER SYSTEM LOG ENCRYPTION ACTIVATE NEW ROOT KEY
ALTER SYSTEM APPLICATION ENCRYPTION ACTIVATE NEW ROOT KEY

Should you need to recover the keys, here is the command:

hdbnsutil -recoverRootKeys <filename>.rkb --type='ALL' [--dbid=<dbid>]
   [--password=<passphrase>]

Authorization – LDAP Groups

You can now take advantage of LDAP group membership to authorize SAP HANA users, for those environments that use an LDAP-compliant identity management server to manage users and their access to resources. There are many different LDAP-compliant IdM implementations, SAP provides one, but also Microsoft with Active Directory, others are open source.

The new system privilege LDAP ADMIN is required to configure LDAP group authorization.

The following figures illustrates how a user is authorized on the basis of their LDAP group membership:

You can create an LDAP provider by SQL statement:

-- create LDAP provider
CREATE LDAP PROVIDER my_ldap_provider 
CREDENTIAL TYPE ‘PASSWORD’ 
USING ‘user=cn=LookupAccount,o=sap.com;password=hUWe8ZTiQyG’ 
USER LOOKUP URL
'ldap://idp.sap.com:389/ou=Users,dc=sap,dc=com??sub?(&(objectClass=user)(sAMAccountName=*))'
ATTRIBUTE DN 'distinguishedName'
ATTRIBUTE MEMBER_OF 'memberOf'
SSL ON 
DEFAULT ON 
ENABLE PROVIDER

User authorization is then delegated to the LDAP provider:

-- validate the LDAP provider
VALIDATE LDAP PROVIDER my_ldap_provider CHECK USER user1

-- create user with LDAP authorization
CREATE USER user1 PASSWORD <password> AUTHORIZATION LDAP

For more information, see https://blogs.sap.com/2016/12/06/ldap-group-authorization/

Authorization – GRANT | REVOKE PUBLIC role

Restricted users can now be converted into a standard user (or vice versa) by SQL statement:

-- granting (or revoking) the PUBLIC role 
ALTER USER <username> GRANT  ROLE PUBLIC;
ALTER USER <username> REVOKE ROLE PUBLIC;

-- granting (or revoking) authorization to create objects in the user's own schema 
ALTER USER <username> GRANT  CREATE ANY ON OWN SCHEMA;
ALTER USER <username> REVOKE CREATE ANY ON OWN SCHEMA;

-- enabling (or disabling) full SQL 
ALTER USER <user_name> ENABLE CLIENT CONNECT ;

Security Administration with SAP HANA Cockpit

The SAP HANA cockpit for SAP HANA 2.0 has been completely redesigned both from an architecture perspective as in the way the cockpit looks (within the Fiori framework).

The three tiles, Data Storage Security, Auditing, and Authentication, clearly show important security information, for example when SSFS master keys or the SYSTEM user password were last changed.

Selecting the tile will open the respective app, to configure data volume encryption, auditing or password policies.

New is that in cockpit 2.0, you can also create and configure database users, both standard and restricted.

Playlist

On the SAP HANA Academy, there is a full playlist covering all aspects of security: bit.ly/SAPHANASecurity

Documentation

For more information see:

SAP HANA

SAP Help Portal

SAP Notes

 

Thank you for watching

The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.

Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.

For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.

For the full list of blogs, see Blog Posts – by the SAP HANA Academy.

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply