SAP HANA 2.0 SPS 01 What's New: Security - by the ...
In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 01.
SAP HANA 2.0 SPS 01 completes the encryption sequence started back in June 2014 with SAP HANA 1.0 SPS 08 when data volume encryption (data area) was introduced. Log area encryption was added in SAP HANA 2.0 SPS 01 (see SAP HANA 2.0 SPS 00 What’s New: Security – by the SAP HANA Academy) and now, with SPS 02, SAP HANA also supports native encryption of both data and log backups (in hot pink below).
First, you need to create a new root key: that's the hot pink encryption root key in the instance SSFS (the secure store in the file system).
Next - better safe than sorry - make a password-protected backup of this still-inactive root key (together with all the other active ones).
Activate the new backup encryption root key.
Activate backup encryption.
Make the backup.
There are two new views to support backup encryption operations.
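The five steps above as SQL statements, as an added example that is not part of the original post. The passphrase, the root key backup file name, the database ID and the backup prefix are placeholders, and the two views queried at the end are an assumption, since the post does not name the views it means.

```sql
-- Added example. Run as a user holding the ENCRYPTION ROOT KEY ADMIN
-- system privilege (plus BACKUP ADMIN for the backup in step 5).

-- 1. Create the new backup encryption root key in the instance SSFS.
--    WITHOUT ACTIVATE keeps it inactive, so nothing is encrypted with it yet.
ALTER SYSTEM BACKUP ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE;

-- 2. Set the password that protects root key backups, then back up all
--    root keys while the new one is still unused.
--    <root_key_backup_passphrase> is a placeholder.
ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD <root_key_backup_passphrase>;
--    The root key backup itself is taken at OS level as <sid>adm
--    (file name and database ID are placeholders):
--      hdbnsutil -backupRootKeys <file>.rkb --dbid=<dbid> --type=ALL
--    Keep the .rkb file and its password apart from the data backups:
--    an encrypted backup cannot be recovered without the matching root key.

-- 3. Activate the new backup encryption root key.
ALTER SYSTEM BACKUP ENCRYPTION ACTIVATE NEW ROOT KEY;

-- 4. Switch backup encryption on. Data and log backups written from now
--    on are encrypted; existing backups are left as they are.
ALTER SYSTEM BACKUP ENCRYPTION ON;

-- 5. Make the backup ('FULL_ENCRYPTED' is a constructed file prefix).
BACKUP DATA USING FILE ('FULL_ENCRYPTED');

-- Verification (assumed to be the views the post refers to):
-- encryption status per scope, and the root keys with their state.
SELECT * FROM SYS.M_ENCRYPTION_OVERVIEW;
SELECT * FROM SYS.ENCRYPTION_ROOT_KEYS;
```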
Data Masking
Data that is not encrypted but hidden from view all the same: that is what the new data masking feature for SQL views and calculation views provides. Data masking shields sensitive data from being seen by default, unless the viewer has specifically been granted the UNMASKED object privilege.
For an overview from aleks.aleksic, Product Management, see
To ease the administration of a multi-tenant environment, resetting the SYSTEM user password has been simplified.
Forgetting a superuser password is never a good idea, and SAP HANA is no exception. For those not familiar, here is a video from the SAP HANA Express playlist about how you can reset the SYSTEM user password for the SystemDB:
For MDC systems before SPS 01, resetting the system user password for a tenant database involves the same sequence of steps:
Stop the database
Start the hdbindexserver with resetSystemUser flag
Start the database
As of SPS 01, this has been made much easier with the SYSTEM USER PASSWORD clause in the ALTER DATABASE statement:
With SPS 01, there have been some enhancements in the technical implementation to secure communication between SAP HANA and the LDAP server:
SAP CommonCryptoLib is now used and open source OpenSSL is no longer supported.
The trust store for secure communication must now be an in-database certificate collection; the ldap.conf configuration file is no longer supported.
New system properties sslMinProtocolVersion, sslMaxProtocolVersion, sslCipherSuites, and timeout, set in the ldap section of the global.ini file, are available to manage secure communication.
As discussed in SAP HANA 2.0 SPS 00 What’s New: Administration – by the SAP HANA Academy, as of HANA 2.0, the SAP HANA cockpit no longer comes embedded in HANA but is now a separate system. As a consequence, SAP HANA cockpit has its own release cycle. Updates are called Support Packs (SP) - so without the stack - similar to other optional components like Dynamic Tiering.
SAP HANA cockpit 2.0 SP 02 introduces an enhancement to the Password Policy editor. As a security administrator, you can now enforce the number of lowercase, uppercase, numeric or special characters required in a password: so 2 uppercase, 3 digits, etc.
All that's missing is that you can specify the order of the characters, as in: start with 2 uppercases, then 3 numbers, a special character, one lowercase, another number, and end with a special character: the perfect password recipe cookbook!
Note that this is a HANA cockpit feature, not a HANA studio feature. There is no more feature development for the Eclipse plug-in.
Role Editor
As the HANA cockpit is replacing HANA studio as the standard administration tool for HANA 2.0, there was some feature catch-up to do.
The initial release introduced Manage users (User Editor) and now with SP02 Manage roles (Role Editor) has been added.
As you would expect from a Fiori UI, it is all very straightforward. Select a role to edit it, or click the + in the toolbar to add a new role, and then click Add to add a role, system privileges, etc.
JSON Web Token authentication
Another enhancement in the domain of authentication is the addition of JSON Web Tokens (JWT).
It is similar to SAML and, like SAML, Kerberos, X.509 and the SAP logon/assertion tickets, is used for single sign-on.
The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with 1000’s of free tutorial videos.