In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced with SAP HANA 2.0 Support Package Stack (SPS) 01.
The topic of this blog is security.
For the previous version of this blog, see SAP HANA 2.0 SPS 00 What’s New: Security – by the SAP HANA Academy
For the full SAP HANA 2.0 SPS 01 blog list, see: What’s New with SAP HANA 2.0 SPS 01 – by the SAP HANA Academy
For an overview on the topic from Andrea Kristen, Product Management, see
Native Encryption of Persistence
SAP HANA 2.0 SPS 01 completes the encryption sequence started back in June 2014 with SAP HANA 1.0 SPS 08 when data volume encryption (data area) was introduced. Log area encryption was added in SAP HANA 2.0 SPS 01 (see SAP HANA 2.0 SPS 00 What’s New: Security – by the SAP HANA Academy) and now, with SPS 02, SAP HANA also supports native encryption of both data and log backups (in hot pink below).
Third-party backup encryption, of course, has been available since the BACKINT API interface was introduced back in 2012 (see Andrea’s Backint for SAP HANA Certification Available Now).
Here we have the sequence of steps:
- First, you need to create a new root key, that’s the hot pink encryption root key in the instance SSFS – the Secure Store key store safe on the File System.
- Next – better be safe than sorry – make a password-protected backup of this still inactive root key (together with all the other active ones)
- Activate the new backup encryption root key
- Activate backup encryption
- Make the backup
There are two new views to support backup encryption operations.
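The sequence above written out as SQL, as an added example that is not part of the original post. The passphrase, the backup prefix and the root key backup file name are placeholders, and the system views queried at the end are named here as an assumption, since the post does not name its two views.

```sql
-- Added example: backup encryption set-up in the order listed above.
-- Values in angle brackets are placeholders to replace.

-- Step 1: create a new backup encryption root key in the instance SSFS.
-- WITHOUT ACTIVATE keeps the key inactive so it can be backed up first.
ALTER SYSTEM BACKUP ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE;

-- Step 2: set the password that protects the root key backup file ...
ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD "<root-key-backup-passphrase>";
-- ... then export all root keys (the inactive new one and the active ones)
-- at operating system level as <sid>adm. This is not SQL; the command is:
--   hdbnsutil -backupRootKeys <file-name>.rkb --dbid=<dbid> --type=ALL
-- Store the .rkb file and its passphrase away from the backups themselves;
-- without them an encrypted backup cannot be recovered.

-- Step 3: activate the new backup encryption root key.
ALTER SYSTEM BACKUP ENCRYPTION ACTIVATE NEW ROOT KEY;

-- Step 4: switch backup encryption on for data and log backups.
ALTER SYSTEM BACKUP ENCRYPTION ON;

-- Step 5: take the backup.
BACKUP DATA USING FILE ('<backup-prefix>');

-- Check: encryption status per scope, and the root keys known to the database.
SELECT * FROM M_ENCRYPTION_OVERVIEW;
SELECT * FROM ENCRYPTION_ROOT_KEYS;
```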
Keeping data unencrypted but hidden from view all the same can be achieved with the new data masking feature for SQL and Calculation Views. Data masking shields sensitive data from being seen by default, unless the viewer has specifically been granted the UNMASKED object privilege.
For an overview from Aleks Aleksic, Product Management, see
Below is a simple example of how to set this up (you can find others in the Security Guide, for Example: Masking Data Using a Built-In Procedure)
Anyone who queries the data without the UNMASKED object privilege only sees the mask:
The nugget here is in the new WITH MASK clause:
There is another full example of how you can implement this in the CREATE VIEW Statement from the SAP HANA SQL and System Views Reference.
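A data masking set-up with the WITH MASK clause and the UNMASKED object privilege, as an added example that is not the code from the original post. The schema MASK_DEMO, its table and view, the sample rows and the users CLERK and AUDITOR are hypothetical, and both users are assumed to exist already.

```sql
-- Added example: constructed schema and sample data (hypothetical names).
CREATE SCHEMA MASK_DEMO;

CREATE COLUMN TABLE MASK_DEMO.CUSTOMERS (
    ID          INTEGER PRIMARY KEY,
    NAME        NVARCHAR(50),
    CREDIT_CARD NVARCHAR(19)
);

INSERT INTO MASK_DEMO.CUSTOMERS VALUES (1, 'Alice Example', '1111-2222-3333-4444');
INSERT INTO MASK_DEMO.CUSTOMERS VALUES (2, 'Bob Example',   '5555-6666-7777-8888');

-- The view exposes the table; WITH MASK replaces CREDIT_CARD with an
-- expression that keeps only the last four characters readable.
CREATE VIEW MASK_DEMO.CUSTOMERS_V AS
    SELECT ID, NAME, CREDIT_CARD
      FROM MASK_DEMO.CUSTOMERS
    WITH MASK (CREDIT_CARD USING 'XXXX-XXXX-XXXX-' || RIGHT(CREDIT_CARD, 4));

-- Both users may query the view; neither gets access to the base table.
GRANT SELECT ON MASK_DEMO.CUSTOMERS_V TO CLERK;
GRANT SELECT ON MASK_DEMO.CUSTOMERS_V TO AUDITOR;

-- Only AUDITOR receives the UNMASKED object privilege on the view.
GRANT UNMASKED ON MASK_DEMO.CUSTOMERS_V TO AUDITOR;

-- Run once as CLERK and once as AUDITOR: CLERK gets the mask expression
-- in CREDIT_CARD, AUDITOR gets the stored value.
SELECT ID, NAME, CREDIT_CARD FROM MASK_DEMO.CUSTOMERS_V;

-- Review: list every grantee that can read this view unmasked.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM GRANTED_PRIVILEGES
 WHERE PRIVILEGE   = 'UNMASKED'
   AND SCHEMA_NAME = 'MASK_DEMO'
   AND OBJECT_NAME = 'CUSTOMERS_V';
```

Masking applies at the view, so the protection only holds if users are kept off the base table.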
Reset SYSTEM User of Tenant Database
As discussed in SAP HANA 2.0 SPS 01 What’s New: Installation and Update – by the SAP HANA Academy, as of SPS 01, all HANA 2.0 systems are multi-tenant.
To ease administration of such a multi-tenant environment, resetting the SYSTEM user password has been simplified.
Forgetting a superuser password is never a good idea, and SAP HANA is no exception. For those not familiar, here is a video about how you can reset the SYSTEM user password for the SystemDB from the SAP HANA Express playlist:
For MDC systems before SPS 01, resetting the system user password for a tenant database involves the same sequence of steps:
- Stop the database
- Start the hdbindexserver with resetSystemUser flag
- Start the database
As of SPS 01, this has been made much easier with the SYSTEM USER PASSWORD clause in the ALTER DATABASE statement:
As discussed in SAP HANA 2.0 SPS 00 What’s New: Security – by the SAP HANA Academy, HANA 2.0 now supports LDAP group authorisations.
With SPS 01, there have been some enhancements in the technical implementation to secure communication between SAP HANA and the LDAP server:
- SAP CommonCryptoLib is now used and open source OpenSSL is no longer supported.
- The trust store for secure communication must now be an in-database certificate collection; the ldap.conf configuration file is no longer supported.
- New system properties sslMinProtocolVersion, sslMaxProtocolVersion, sslCipherSuites, and timeout, set in the ldap section of the global.ini file, are available to manage secure communication.
For more information, see 2438641 – TLS Connections to LDAP Server After Upgrade from SAP HANA 2.0 SPS 00 to SAP HANA 2.0 SPS 01
SAP HANA cockpit 2.0 SP 02
As discussed in SAP HANA 2.0 SPS 00 What’s New: Administration – by the SAP HANA Academy, as of HANA 2.0, the SAP HANA cockpit no longer comes embedded in HANA but is now a separate system. As a consequence, SAP HANA cockpit has its own release cycle. Updates are called Support Packs (SP) – so without the stack – similar to other optional components like Dynamic Tiering.
Fortunately, SAP HANA cockpit 2.0 SP 02 is released at the same time as SAP HANA 2.0 SPS 01 – so we can cover new features here together. SAP HANA cockpit 2.0 SP 01 was released in February without much ado. For the full feature list, see What’s New in the SAP HANA Platform 2.0 (Release Notes) – SAP HANA Cockpit (New and Changed).
You can download cockpit from the SAP HANA platform edition page in the Software Download Center. It is a big download, because it is a full SAP HANA (express) system, similar to HANA revisions.
Password Policy Editor
SAP HANA cockpit 2.0 SP 02 introduces an enhancement to the Password Policy editor. As security administrator, you can now enforce the number of lowercase, uppercase, numeric or special characters required in a password: so 2 uppercase, 3 digits, etc.
All that’s missing is that you can specify the order of the characters, as in: start with 2 uppercases, then 3 numbers, a special character, one lowercase, another number, and end with a special character: the perfect password recipe cookbook!
For all the password policy options, see SAP HANA Administration Guide – Password Policy Configuration Options.
Note that this is a HANA cockpit feature, not a HANA studio feature. There is no more feature development for the Eclipse plug-in.
As the HANA cockpit is replacing HANA studio as the standard administration tool for HANA 2.0, there was some feature catch-up to do.
The initial release introduced Manage users (User Editor) and now with SP02 Manage roles (Role Editor) has been added.
As you would expect from a Fiori UI, it is all very straightforward. Select a role to edit it, or click the + in the toolbar to add a new role, and then click add to add roles, system privileges, etc. to it.
JSON Web Token authentication
Another enhancement in the domain of authentication is the addition of JSON Web Tokens (JWT).
It is similar to SAML and, like SAML, Kerberos, X.509 and the SAP Logon/Assertion tickets, is used for single sign-on.
For a good introduction into the topic, see Introduction to JSON Web Tokens and SAP HANA Administration Guide – Single Sign-On Using JSON Web Tokens.
On the SAP HANA Academy, there is a full playlist covering all aspects of security: bit.ly/SAPHANASecurity
For more information see:
SAP HANA Blogs
- SAP HANA Security
- Enhanced Data Protection in SAP HANA 2.0 SPS 01
- Protect your sensitive data using SAP HANA’s new dynamic data masking
SAP Help Portal
- What’s New in the SAP HANA Platform 2.0 (Release Notes) – SAP HANA Database Security (New and Changed)
- SAP HANA Security Guide – Backup Encryption
- SAP HANA Administration Guide – Enable and Disable Encryption of Data and Log Backups
- SAP HANA Security Guide – Data Masking
- SAP HANA SQL and System Views Reference – CREATE VIEW Statement
- SAP HANA Security Guide – LDAP Group Authorization
- SAP HANA Administration Guide – Configure LDAP Group Authorization
- SAP HANA SQL and System Views Reference – ALTER DATABASE Statement (Tenant Database Management)
- SAP HANA Administration Guide – Password Policy Configuration Options
- SAP HANA Administration Guide – User Authentication Mechanisms
- SAP HANA Administration Guide – Single Sign-On Using JSON Web Tokens
- 2438641 – TLS Connections to LDAP Server After Upgrade from SAP HANA 2.0 SPS 00 to SAP HANA 2.0 SPS 01
- 2404375 – SAP HANA Platform 2.0 SPS 01 Release Note
- 2422689 – SAP HANA 2.0 SPS 01 Database Revision 010
- 2433764 – SAP HANA cockpit 2.0 SP 02
- 2159014 – FAQ: SAP HANA Security