SAP HANA 2.0 SPS 00 What’s New: Security – by the SAP HANA Academy
Introduction
In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 00.
The topic of this blog is security.
For the previous versions of this blog, see
- SAP HANA 1.0 SPS 12 What’s New: Security – by the SAP HANA Academy
- SAP HANA 1.0 SPS 11 What’s New: Security – by the SAP HANA Academy
- SAP HANA 1.0 SPS 10 What’s New: Security – by the SAP HANA Academy
For the full SAP HANA 2.0 SPS 00 blog list, see
- What’s New with SAP HANA 2.0 SPS 00 – by the SAP HANA Academy
Tutorial Video
What’s New?
Encryption
Data volume encryption was introduced with SAP HANA 1.0 SPS 09. With 2.0, log volume encryption is now also supported. You enable log volume encryption using SQL. Data volume encryption can also be enabled using the new SAP HANA cockpit.
-- enable data volume encryption
ALTER SYSTEM PERSISTENCE ENCRYPTION ON
-- ALTER SYSTEM PERSISTENCE ENCRYPTION OFF
-- enable redo log encryption
ALTER SYSTEM LOG ENCRYPTION ON
-- ALTER SYSTEM LOG ENCRYPTION OFF
-- Query status
SELECT * FROM M_ENCRYPTION_OVERVIEW
The management of the encryption root keys used for data volume encryption, redo log encryption, and the internal application encryption service has been enhanced:
- You can now update all three root keys by SQL statement
- You can now backup all three root keys to a dedicated password-protected file
For this, a new system privilege has been added: ENCRYPTION ROOT KEY ADMIN.
You may recall that in HANA 1.0 you could change the data volume encryption root key by SQL, but to change the application encryption service root key only the command line tool hdbnsutil was available.
This illustration shows the three root keys stored in the Instance SSFS (Secure Store in the File System); think of it as a safe.
- application encryption service (orange)
- data volume (persistence) encryption (green)
- log volume encryption (blue)
The contents of the Instance SSFS can be exported in a password protected file.
This illustration shows the hand-over flow for changing master and root keys. You would follow this flow when you receive SAP HANA as an appliance from a hardware vendor, or SAP HANA express edition on a virtual machine (for production use).
To avoid any data loss in a disaster scenario, the best approach is to first create a new key in the safe (SSFS) but not activate it:
-- change encryption root keys
ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE
ALTER SYSTEM LOG ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE
ALTER SYSTEM APPLICATION ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE
Next, back up the root key(s). This ensures that you have a backup of the new key before HANA actually uses it. Should you need to recover the encryption root key store, you can then be confident that your backup contains all the root keys that could be needed.
To back up the root keys, first set the backup password with the following SQL statement:
ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD <passphrase>
Next, create the root key backup file (with the .rkb extension), using either SQL:
SELECT ENCRYPTION_ROOT_KEYS_EXTRACT_KEYS
('PERSISTENCE, APPLICATION, LOG') FROM DUMMY
-- copy the CLOB result and save it to a file
-- at a secure external location (with extension *.rkb)
… or the hdbnsutil tool with -backupRootKeys flag:
# alternatively use command line
hdbnsutil -backupRootKeys <filename>.rkb --type='ALL' [--dbid=<dbid>]
hdbnsutil -validateRootKeysBackup <filename> [--password=<passphrase>]
You can back up each key separately or all keys together.
The DBID parameter is used for tenant databases: in a multitenant database containers system, each tenant has its own root keys.
Then, once you are confident that the root key backup is good, that is, the validation is successful (and ideally you have tested recovering the key on a test system), you can activate the new root key(s):
-- activate the key
ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW ROOT KEY
ALTER SYSTEM LOG ENCRYPTION ACTIVATE NEW ROOT KEY
ALTER SYSTEM APPLICATION ENCRYPTION ACTIVATE NEW ROOT KEY
Should you need to recover the keys, here is the command:
hdbnsutil -recoverRootKeys <filename>.rkb --type='ALL' [--dbid=<dbid>] [--password=<passphrase>]
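The create, back up, validate, activate sequence above as a small orchestration script. This is an added example, not code from the SAP HANA Academy post: the SQL statements and hdbnsutil flags are the ones shown above, while run_sql (for instance a thin wrapper over an hdbcli cursor), run_shell and save are assumed callables so the flow can be exercised offline. It refuses to activate the new keys unless the backup validated.

```python
import os
from typing import Callable, List

KEY_TYPES = ("PERSISTENCE", "LOG", "APPLICATION")  # the three SSFS root keys

def write_restricted(path: str, content: str) -> None:
    """Save the *.rkb export with owner-only permissions (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)

def rotate_root_keys(run_sql: Callable[[str], str],
                     run_shell: Callable[[List[str]], int],
                     backup_file: str, passphrase: str,
                     save: Callable[[str, str], None] = write_restricted) -> List[str]:
    """Create -> back up -> validate -> activate, in that order.

    run_sql executes one statement and returns the first column of the first
    row (an empty string for DDL); run_shell runs an hdbnsutil command line and
    returns its exit code (both are assumed callables, not a HANA API).
    Returns the SQL statements issued so the caller can audit the sequence.
    """
    issued: List[str] = []

    def sql(stmt: str) -> str:
        issued.append(stmt)
        return run_sql(stmt)

    # 1. put new keys into the safe (SSFS) without switching to them yet
    for key in KEY_TYPES:
        sql(f"ALTER SYSTEM {key} ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE")
    # 2. set the backup passphrase and extract all three keys (CLOB result)
    sql(f"ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD {passphrase}")
    blob = sql("SELECT ENCRYPTION_ROOT_KEYS_EXTRACT_KEYS('PERSISTENCE, APPLICATION, LOG') FROM DUMMY")
    save(backup_file, blob)
    # 3. validate the backup; --password is optional, hdbnsutil prompts without it
    rc = run_shell(["hdbnsutil", "-validateRootKeysBackup", backup_file,
                    f"--password={passphrase}"])
    if rc != 0:
        raise RuntimeError("root key backup did not validate; new keys left inactive")
    # 4. only now switch persistence, log and application encryption to the new keys
    for key in KEY_TYPES:
        sql(f"ALTER SYSTEM {key} ENCRYPTION ACTIVATE NEW ROOT KEY")
    return issued
```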
Authorization – LDAP Groups
You can now use LDAP group membership to authorize SAP HANA users, in environments that manage users and their access to resources with an LDAP-compliant identity management server. There are many LDAP-compliant IdM implementations: SAP provides one, Microsoft provides Active Directory, and others are open source.
The new system privilege LDAP ADMIN is required to configure LDAP group authorization.
The following figure illustrates how a user is authorized on the basis of their LDAP group membership:
You can create an LDAP provider by SQL statement:
-- create LDAP provider
CREATE LDAP PROVIDER my_ldap_provider
CREDENTIAL TYPE 'PASSWORD'
USING 'user=cn=LookupAccount,o=sap.com;password=hUWe8ZTiQyG'
USER LOOKUP URL
'ldap://idp.sap.com:389/ou=Users,dc=sap,dc=com??sub?(&(objectClass=user)(sAMAccountName=*))'
ATTRIBUTE DN 'distinguishedName'
ATTRIBUTE MEMBER_OF 'memberOf'
SSL ON
DEFAULT ON
ENABLE PROVIDER
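To make the USER LOOKUP URL above less opaque, here is an added example (not code from the post or from SAP) that parses that RFC 4516 style URL into host, base DN, scope and filter, and builds the per-user search filter. It assumes, as the HANA documentation describes, that the '*' in the filter is replaced by the database user name at lookup time; the RFC 4515 escaping of that name is this example's own, so that a user name containing filter metacharacters cannot alter the search.

```python
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit, unquote

# RFC 4515 filter-value escaping; the backslash must be handled first
_FILTER_ESCAPES = (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00"))

def escape_filter_value(value: str) -> str:
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value

@dataclass
class LdapLookup:
    host: str
    port: int
    base_dn: str
    attributes: List[str] = field(default_factory=list)  # empty = all user attributes
    scope: str = "base"                                  # RFC 4516 default
    filter: str = "(objectClass=*)"                      # RFC 4516 default

def parse_lookup_url(url: str) -> LdapLookup:
    """Parse ldap://host:port/base_dn?attrs?scope?filter (RFC 4516)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    lookup = LdapLookup(host=parts.hostname, port=port,
                        base_dn=unquote(parts.path.lstrip("/")))
    # the query part holds "attrs?scope?filter"; absent fields keep the defaults
    fields = parts.query.split("?", 2) if parts.query else []
    if len(fields) > 0 and fields[0]:
        lookup.attributes = fields[0].split(",")
    if len(fields) > 1 and fields[1]:
        lookup.scope = fields[1]
    if len(fields) > 2 and fields[2]:
        lookup.filter = unquote(fields[2])
    return lookup

def build_user_filter(lookup: LdapLookup, db_user: str) -> str:
    """Substitute the HANA user name for the '*' placeholder (assumed HANA
    behaviour), escaped so it can only ever match as a literal value."""
    return lookup.filter.replace("*", escape_filter_value(db_user))
```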
User authorization is then delegated to the LDAP provider:
-- validate the LDAP provider
VALIDATE LDAP PROVIDER my_ldap_provider CHECK USER user1
-- create user with LDAP authorization
CREATE USER user1 PASSWORD <password> AUTHORIZATION LDAP
For more information, see
Authorization – GRANT | REVOKE PUBLIC role
Restricted users can now be converted into a standard user (or vice versa) by SQL statement:
-- granting (or revoking) the PUBLIC role
ALTER USER <username> GRANT ROLE PUBLIC;
ALTER USER <username> REVOKE ROLE PUBLIC;
-- granting (or revoking) authorization to create objects in the user's own schema
ALTER USER <username> GRANT CREATE ANY ON OWN SCHEMA;
ALTER USER <username> REVOKE CREATE ANY ON OWN SCHEMA;
-- enabling (or disabling) full SQL
ALTER USER <username> ENABLE CLIENT CONNECT;
ALTER USER <username> DISABLE CLIENT CONNECT;
Security Administration with SAP HANA Cockpit
The SAP HANA cockpit for SAP HANA 2.0 has been completely redesigned, both in its architecture and in the way the cockpit looks (it is now built on the Fiori framework).
The three tiles, Data Storage Security, Auditing, and Authentication, clearly show important security information, for example when SSFS master keys or the SYSTEM user password were last changed.
Selecting the tile will open the respective app, to configure data volume encryption, auditing or password policies.
New in cockpit 2.0 is that you can also create and configure database users, both standard and restricted.
Playlist
On the SAP HANA Academy, there is a full playlist covering all aspects of security: bit.ly/SAPHANASecurity
Documentation
For more information see:
SAP HANA
- SAP HANA Security on sap.com
- SAP HANA Security Whitepaper
- LDAP group authorization – by Aleks Aleksic
SAP Help Portal
- How and when to change encryption keys (SAP HANA Security Guide)
- Root Key Backup
- Internal Application Encryption Service
- Configure LDAP Group Authorization
- SAP HANA Cockpit
SAP Notes
- 2380257 – SAP HANA Platform 2.0 SPS 00 Release Note
- 2159014 – FAQ: SAP HANA Security
- 2380291 – SAP HANA 2.0 Cockpit Central Release Note
Thank you for watching
The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with thousands of free tutorial videos.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy
For the full list of blogs, see Blog Posts – by the SAP HANA Academy
- Subscribe to our YouTube channel for updates
- Join us on LinkedIn: linkedin.com/in/saphanaacademy
- Follow us on Twitter: @saphanaacademy
- Google+: plus.google.com/+saphanaacademy
- Facebook: facebook.com/saphanaacademy