dvankempen
Product and Topic Expert

Introduction


In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 01.

The topic of this blog is security.

For the previous versions of this blog, see

For the full SAP HANA 2.0 SPS 02 blog list, see

For an overview on the topic from Product Management, see

 

Tutorial Video




 

What's New?


Native Encryption of Persistence


SAP HANA 2.0 SPS 01 completes the encryption sequence started back in June 2014 with SAP HANA 1.0 SPS 08 when data volume encryption (data area) was introduced. Log area encryption was added in SAP HANA 2.0 SPS 01 (see SAP HANA 2.0 SPS 00 What’s New: Security – by the SAP HANA Academy) and now, with SPS 02, SAP HANA also supports native encryption of both data and log backups (in hot pink below).

Third-party backup encryption has, of course, been available since the BACKINT API was introduced back in 2012 (see Andrea's Backint for SAP HANA Certification Available Now).



 

Here we have the sequence of steps:

  1. First, you need to create a new root key: the hot pink backup encryption root key in the instance SSFS, the secure store in the file system.

  2. Next, better safe than sorry, make a password-protected backup of this still inactive root key (together with all the other, active ones).

  3. Activate the new backup encryption root key

  4. Activate backup encryption

  5. Make the backup




 

There are two new views to support backup encryption operations.
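The five steps above as SQL, added here as an example; it is not code from the post or its video. The statement forms are the ones I recall from the SAP HANA 2.0 SPS 01 SQL reference (ALTER SYSTEM BACKUP ENCRYPTION ..., ALTER SYSTEM ENCRYPTION ROOT KEYS BACKUP PASSWORD) and the hdbnsutil -backupRootKeys call; the root-key file path, the password, the backup name and the M_ENCRYPTION_OVERVIEW column names are assumptions or constructed placeholders, so check them against the reference for your revision.

```sql
-- Added example (not from the original post). Run in the database whose backups are to be
-- encrypted, as a user holding ENCRYPTION ROOT KEY ADMIN and BACKUP ADMIN (assumed privileges).

-- 1. Create the new, still inactive backup encryption root key in the instance SSFS.
ALTER SYSTEM BACKUP ENCRYPTION CREATE NEW ROOT KEY;

-- 2. Back up all root keys (the new inactive one and the active ones) BEFORE activating.
--    The password protects the exported file; the export itself is done from the OS.
ALTER SYSTEM ENCRYPTION ROOT KEYS BACKUP PASSWORD 'Placeholder-RootKey-Passw0rd';
--    As <sid>adm on the host (assumed command form; --dbid is the database id, 0 = SYSTEMDB):
--    hdbnsutil -backupRootKeys /usr/sap/<SID>/HDB<nr>/rootkeys_backup.rkb --dbid=<dbid>
--    Store the .rkb file and its password separately from the database backups: a backup
--    you cannot decrypt is a backup you do not have.

-- 3. Activate the new backup encryption root key.
ALTER SYSTEM BACKUP ENCRYPTION ACTIVATE NEW ROOT KEY;

-- 4. Switch backup encryption on.
ALTER SYSTEM BACKUP ENCRYPTION ON;

-- 5. Make the backup; from now on data and log backups are written encrypted.
BACKUP DATA USING FILE ('placeholder_encrypted_full');

-- Check: the BACKUP scope should now report encryption as active
-- (column names SCOPE / IS_ENCRYPTION_ACTIVE are assumed; SELECT * otherwise).
SELECT SCOPE, IS_ENCRYPTION_ACTIVE FROM M_ENCRYPTION_OVERVIEW;
```

Step 2 is the one people skip; the ordering matters because once the new key is active, any backup taken with it is unreadable without that key, and the root-key backup password is set separately from the file export.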



Data Masking


Data that is not encrypted can still be hidden from view with the new data masking feature for SQL and calculation views. Data masking shields sensitive data from being seen by default: only users who have specifically been granted the UNMASKED object privilege see the actual values.

For an overview from aleks.aleksic, Product Management, see

https://blogs.sap.com/2017/04/12/protect-your-sensitive-data-using-sap-hanas-new-dynamic-data-maskin...

Below is a simple example of how to set this up (you can find others in the Security Guide, for example: Masking Data Using a Built-In Procedure).



Anyone who queries the data without the UNMASKED object privilege sees only the mask:



 

The nugget here is the new WITH MASK clause:



There is another full example of how you can implement this in the CREATE VIEW Statement from the SAP HANA SQL and System Views Reference.
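A complete masking setup, added as an example that is not the post's own screenshot: a table with a WITH MASK column, a second mask added afterwards with ALTER TABLE (that ADD MASK form is an assumption on my part), two users and the UNMASKED grant. Schema, table, user names, passwords and the rows are constructed placeholders.

```sql
-- Added example, not from the original post. Names and sample rows are constructed.
CREATE SCHEMA demo;

-- The mask expression is evaluated for every reader lacking the UNMASKED privilege.
-- It may reference the column itself, so the last four digits can stay visible.
CREATE TABLE demo.customers (
  id          INTEGER PRIMARY KEY,
  name        NVARCHAR(80),
  credit_card NVARCHAR(19)
) WITH MASK (credit_card USING '****-****-****-' || RIGHT(credit_card, 4));

-- Masks can also be added to an existing column later (assumed ALTER TABLE ... ADD MASK form).
ALTER TABLE demo.customers ADD MASK (name USING LEFT(name, 1) || '***');

INSERT INTO demo.customers VALUES (1, 'Alice', '4111-1111-1111-1111');  -- constructed sample data
INSERT INTO demo.customers VALUES (2, 'Bob',   '5500-0000-0000-0004');

-- Support staff may read the table but get only the mask:
-- SELECT * FROM demo.customers  ->  'A***', '****-****-****-1111'
CREATE USER support_agent PASSWORD 'Placeholder-Pw1' NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT SELECT ON demo.customers TO support_agent;

-- UNMASKED is an object privilege, granted per table or view, so the set of people who can
-- see clear-text values is explicit and reviewable like any other grant.
CREATE USER fraud_analyst PASSWORD 'Placeholder-Pw2' NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT SELECT, UNMASKED ON demo.customers TO fraud_analyst;

-- Review who holds the clear-text privilege on this object.
SELECT GRANTEE, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE SCHEMA_NAME = 'DEMO' AND OBJECT_NAME = 'CUSTOMERS' AND PRIVILEGE = 'UNMASKED';
```

Two caveats worth remembering: the mask is a display control, not encryption (the owner and anyone with UNMASKED see the real data, and the value still sits in clear in the column store and in backups), and a mask expression that reveals part of the value, like the last four digits above, is a deliberate trade-off that should be written down in the data classification.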

 

Reset SYSTEM User of Tenant Database


As discussed in SAP HANA 2.0 SPS 01 What’s New: Installation and Update – by the SAP HANA Academy, as of SPS 01, all HANA 2.0 systems are multi-tenant.

To make administration of such a multi-tenant environment easier, resetting the SYSTEM user password has been simplified.

Forgetting a superuser password is never a good idea, and SAP HANA is no exception. For those not familiar, here is a video on how you can reset the SYSTEM user password for the SystemDB, from the SAP HANA Express playlist:



For MDC systems before SPS 01, resetting the SYSTEM user password for a tenant database involves the same sequence of steps as for the system database:

  • Stop the database

  • Start the hdbindexserver with the resetSystemUser flag

  • Start the database


As of SPS 01, this has been made much easier with the SYSTEM USER PASSWORD clause in the ALTER DATABASE statement:
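The SPS 01 statement, plus what I would do right after it, as an added example rather than the post's own screenshot. The tenant name and passwords are placeholders; the SYS.USERS columns used in the check are the ones I remember and should be verified.

```sql
-- Added example, not from the original post.
-- Run in the system database by a user with the DATABASE ADMIN system privilege
-- (assumed privilege); no tenant restart needed.
ALTER DATABASE DB1 SYSTEM USER PASSWORD 'New-Placeholder-Passw0rd';

-- Then, connected to tenant DB1 as SYSTEM: do not leave the shared superuser in daily use.
ALTER USER SYSTEM FORCE PASSWORD CHANGE;   -- whoever logs on next must set a fresh password
ALTER USER SYSTEM DEACTIVATE USER NOW;     -- reactivate only for the next emergency

-- Audit trail: when was the password last changed, and is the user now deactivated?
SELECT USER_NAME, LAST_PASSWORD_CHANGE_TIME, USER_DEACTIVATED
  FROM USERS
 WHERE USER_NAME = 'SYSTEM';
```

Because the reset is now an ordinary SQL statement from the system database, it is also an ordinary audit event there; an audit policy on ALTER DATABASE in the SystemDB is the place to watch for it.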



 

LDAP


As discussed in SAP HANA 2.0 SPS 00 What’s New: Security – by the SAP HANA Academy, HANA 2.0 now supports LDAP group authorisations.

With SPS 01, there have been some enhancements in the technical implementation to secure communications between HANA and the LDAP server:

  • SAP CommonCryptoLib is now used; open-source OpenSSL is no longer supported.

  • The trust store for secure communication must now be an in-database certificate collection; the ldap.conf configuration file is no longer supported.

  • New system properties sslMinProtocolVersion, sslMaxProtocolVersion, sslCipherSuites, and timeout, set in the ldap section of the global.ini file, are available to manage secure communication.


For more information, see 2438641 - TLS Connections to LDAP Server After Upgrade from SAP HANA 2.0 SPS 00 to SAP HANA 2.0 SPS ...
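What the three changes above look like in practice, as an added example that is not part of the post: the LDAP CA certificate goes into an in-database certificate collection (PSE) with purpose LDAP, the four new global.ini properties are set with ALTER SYSTEM ALTER CONFIGURATION, and the provider is created over ldaps://. Host, bind DN, password, certificate text and provider name are placeholders; the property values (TLS12, the CommonCryptoLib-style cipher string, a timeout of 10) and the exact CREATE LDAP PROVIDER and VALIDATE LDAP PROVIDER clauses are my assumptions, to be checked against SAP Note 2438641 and the SQL reference.

```sql
-- Added example, not from the original post. All names and values are constructed.

-- 1. Trust store: the CA that signed the LDAP server certificate, held in-database.
--    ldap.conf is no longer read, so a file-based trust store silently stops working.
CREATE CERTIFICATE FROM '-----BEGIN CERTIFICATE-----
<placeholder: PEM body of the corporate CA certificate>
-----END CERTIFICATE-----' COMMENT 'corp LDAP CA';

-- Look up the id just created, then add it to a PSE dedicated to LDAP.
SELECT CERTIFICATE_ID FROM CERTIFICATES WHERE COMMENT = 'corp LDAP CA';
CREATE PSE ldap_pse;
ALTER PSE ldap_pse ADD CERTIFICATE <certificate_id>;   -- id from the SELECT above
SET PSE ldap_pse PURPOSE LDAP;

-- 2. TLS parameters in the [ldap] section of global.ini (system layer).
--    Values are assumptions: pin the protocol to TLS 1.2 and use the CommonCryptoLib
--    cipher syntax (not an OpenSSL string, since OpenSSL is no longer used here).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('ldap', 'sslMinProtocolVersion') = 'TLS12',
      ('ldap', 'sslMaxProtocolVersion') = 'TLS12',
      ('ldap', 'sslCipherSuites')       = 'PFS:HIGH::EC_P256:EC_HIGH',
      ('ldap', 'timeout')               = '10'   -- unit per documentation, not verified here
  WITH RECONFIGURE;

-- 3. The provider itself, over LDAPS; '*' in the lookup filter stands for the HANA user name.
CREATE LDAP PROVIDER corp_ldap
  CREDENTIAL TYPE 'PASSWORD'
    USING 'user=cn=hana-bind,ou=svc,dc=example,dc=com;password=<placeholder>'
  USER LOOKUP URL 'ldaps://ldap.example.com:636/ou=people,dc=example,dc=com??sub?(&(objectClass=person)(uid=*))'
  ATTRIBUTE DN 'entryDN'
  ATTRIBUTE MEMBER_OF 'memberOf'
  SSL ON
  ENABLE PROVIDER;

-- Smoke test after the upgrade: does the lookup still work through the new trust store?
VALIDATE LDAP PROVIDER corp_ldap CHECK USER alice;
```

The practical point of the note the post links to is that an upgrade from SPS 00 changes the trust path underneath an existing LDAP provider; running the validation step in a test system before upgrading production turns a surprise logon outage into a planned change.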

 

SAP HANA cockpit 2.0 SP 02


As discussed in SAP HANA 2.0 SPS 00 What’s New: Administration – by the SAP HANA Academy, as of HANA 2.0, the SAP HANA cockpit no longer comes embedded in HANA but is now a separate system. As a consequence, SAP HANA cockpit has its own release cycle. Updates are called Support Packs (SP) - so without the stack - similar to other optional components like Dynamic Tiering.

Fortunately, SAP HANA cockpit 2.0 SP 02 is released at the same time as SAP HANA 2.0 SPS 01 - so we can cover new features here together. SAP HANA cockpit 2.0 SP 01 was released in February without much ado. For the full feature list, see What's New in the SAP HANA Platform 2.0 (Release Notes) - SAP HANA Cockpit (New and Changed).

You can download cockpit from the SAP HANA platform edition page in the Software Download Center. It is a big download, because it is a full SAP HANA (express) system, similar to HANA revisions.

 



 

Password Policy Editor


SAP HANA cockpit 2.0 SP 02 introduces an enhancement to the Password Policy editor. As security administrator, you can now enforce the number of lowercase, uppercase, numeric or special characters required in a password: for example, 2 uppercase letters, 3 digits, etc.

All that's missing is that you can specify the order of the characters, as in: start with 2 uppercases, then 3 numbers, a special character, one lowercase, another number, and end with a special character: the perfect password recipe cookbook!

For all the password policy options, see SAP HANA Administration Guide - Password Policy Configuration Options.

Note that this is a HANA cockpit feature, not a HANA studio feature. There is no more feature development for the Eclipse plug-in.



 

Role Editor


As the HANA cockpit is replacing HANA studio as the standard administration tool for HANA 2.0, there was some feature catch-up to do.

The initial release introduced Manage Users (User Editor), and now, with SP 02, Manage Roles (Role Editor) has been added.



As you would expect from a Fiori UI, it is all very straightforward. Select a role to edit it, or click the + in the toolbar to add a new role, then click Add to assign system privileges, object privileges, etc. to the role.



 

JSON Web Token authentication


Another enhancement in the domain of authentication is the addition of JSON Web Tokens (JWT).

It is similar to SAML and, like SAML, Kerberos, X.509 and the SAP Logon/Assertion tickets, is used for single sign-on.

For a good introduction into the topic, see Introduction to JSON Web Tokens and SAP HANA Administration Guide - Single Sign-On Using JSON Web Tokens.
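How the JWT pieces fit together in HANA, as an added example rather than code from the post: a PSE with purpose JWT holding the token issuer's signing certificate, a JWT provider that names the accepted issuer and the claim carrying the identity, and a user mapped to that identity. Issuer URL, claim name, user, certificate and provider name are placeholders, and the JWT_PROVIDERS view used in the final check is an assumed name.

```sql
-- Added example, not from the original post. All names and values are constructed.

-- Trust: only tokens signed by this certificate (the identity provider's) are accepted.
CREATE CERTIFICATE FROM '-----BEGIN CERTIFICATE-----
<placeholder: signing certificate of the identity provider>
-----END CERTIFICATE-----' COMMENT 'idp jwt signer';
SELECT CERTIFICATE_ID FROM CERTIFICATES WHERE COMMENT = 'idp jwt signer';
CREATE PSE jwt_pse;
ALTER PSE jwt_pse ADD CERTIFICATE <certificate_id>;   -- id from the SELECT above
SET PSE jwt_pse PURPOSE JWT;

-- Provider: the 'iss' value HANA will accept, and which claim names the external identity.
-- Anything signed by a trusted key but carrying another issuer is rejected.
CREATE JWT PROVIDER corp_idp
  WITH ISSUER 'https://idp.example.com'
  CLAIM 'user_name' AS EXTERNAL IDENTITY;

-- Mapping: a user with no HANA password at all; the claim value must match this identity.
CREATE USER alice WITH IDENTITY 'alice@example.com' FOR JWT PROVIDER corp_idp;
-- For an existing user:
-- ALTER USER alice ADD IDENTITY 'alice@example.com' FOR JWT PROVIDER corp_idp;

-- Review what issuers and claims are trusted (assumed view name, by analogy with SAML_PROVIDERS).
SELECT * FROM JWT_PROVIDERS;
```

The security-relevant part is the triple of signature, issuer and identity mapping: the PSE decides whose signatures count, the provider decides which issuer those signatures may speak for, and the mapping decides which single HANA user a given claim value resolves to. Weakening any one of the three (a catch-all PSE, an unchecked issuer, or an identity that several users share) undoes the other two.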

 



 

Playlist


On the SAP HANA Academy, there is a full playlist covering all aspects of security: bit.ly/SAPHANASecurity


Documentation


For more information see:

SAP HANA Blogs



 

SAP Help Portal



 

SAP Notes



 

Thank you for watching


The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with thousands of free tutorial videos.

For the full library, see SAP HANA Academy Library - by the SAP HANA Academy

For the full list of blogs, see Blog Posts – by the SAP HANA Academy