In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced with SAP HANA 2.0 Support Package Stack (SPS) 01.
The topic of this blog is database backup and recovery.
For the previous version of this blog, see SAP HANA 2.0 SPS 00 What’s New: Database Backup and Recovery – by the SAP HANA Academy.
For the full SAP HANA 2.0 SPS 01 blog list, see: What’s New with SAP HANA 2.0 SPS 01 – by the SAP HANA Academy.
Backup Encryption (New)
Backup encryption by third-party tools has been available since the release of the BACKINT API for SAP HANA, way back in December 2012 with SAP HANA 1.0 SPS 05. New in HANA 2.0 SPS 01 is native backup encryption. In other words, HANA can do it for you. No other tools are needed.
How does this work? Just like with data volume encryption (SAP HANA 1.0 SPS 09) and redo log encryption (SAP HANA 2.0 SPS 00), encryption is enabled using SQL. There is no button or Fiori tile to activate or configure encryption yet in SAP HANA cockpit but, just like for data volume encryption, I would expect this to come in a future release.
The sequence of steps is as follows:
- Create a new backup root key but do not activate it yet
- Make a backup of the encryption root keys (all instance SSFS root keys)
- Enable the new backup root key
- Switch backup encryption on
```sql
-- 1. create the backup root key
ALTER SYSTEM BACKUP ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE;

-- 2. make a backup of all SSFS root keys
ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD "0penSes@me";
-- ALTER SYSTEM VALIDATE ENCRYPTION ROOT KEYS BACKUP PASSWORD "0penSes@me"

-- 3. activate the backup root key
ALTER SYSTEM BACKUP ENCRYPTION ACTIVATE NEW ROOT KEY;

-- 4. turn backup encryption on
ALTER SYSTEM BACKUP ENCRYPTION ON;
```
The backup encryption root key (the key in the hot pink bubblegum colour in the illustration below) is stored in the instance SSFS: a store and key file on the file system that you need to back up and restore independently of the SAP HANA database. To recover the database from an encrypted backup, you first need to recover (import) the backup root keys into the instance SSFS.
Only one backup encryption root key can be active (per tenant database) and the encryption is enabled for both the data (full and delta) and log backups. You either encrypt or you don’t. You cannot encrypt a single backup for a specific purpose in the current implementation.
See the links below in the section SAP Help Portal, for the limitations and points to note for backup encryption.
The M_ENCRYPTION_OVERVIEW view has been added and the M_BACKUP_CATALOG view has been modified to support this feature.
The encryption key hash is also displayed in the SAP HANA cockpit as an indicator that the backup has been encrypted.
An information alert informs you that backup encryption has been activated.
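Because the root keys must be imported into the instance SSFS before an encrypted backup can be recovered, it helps to know which keys a given recovery depends on. The following is an added example, not code from this blog or from SAP: it works on constructed rows that stand in for an export of M_BACKUP_CATALOG, and the column names other than ENTRY_TYPE_NAME, as well as the hash values, are assumptions.

```python
from datetime import datetime

# Constructed sample rows standing in for an export of M_BACKUP_CATALOG.
# Assumed columns: ENTRY_ID, ENTRY_TYPE_NAME, SYS_START_TIME, STATE_NAME,
# ENCRYPTION_ROOT_KEY_HASH. Hash values are placeholders.
ROWS = [
    (101, "complete data backup",     "2017-05-19 01:00", "successful", None),
    (102, "log backup",               "2017-05-19 06:00", "successful", None),
    (103, "complete data backup",     "2017-05-20 01:00", "successful", "HASH_A"),
    (104, "log backup",               "2017-05-20 06:00", "successful", "HASH_A"),
    # Anomaly: no key hash although encryption was already switched on.
    (105, "log backup",               "2017-05-20 12:00", "successful", None),
    # Root key was changed, so later backups carry a different hash.
    (106, "differential data backup", "2017-05-21 01:00", "successful", "HASH_B"),
    (107, "log backup",               "2017-05-21 06:00", "failed",     "HASH_B"),
    (108, "log backup",               "2017-05-21 07:00", "successful", "HASH_B"),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def unencrypted_after(rows, activated):
    """Entry IDs of successful backups started at or after the activation
    time that carry no root key hash."""
    return [r[0] for r in rows
            if r[3] == "successful" and ts(r[2]) >= ts(activated) and not r[4]]

def keys_needed(rows, target):
    """Root key hashes that must be present in the instance SSFS to recover
    to `target`. Simplification: backups are selected by start time only."""
    usable = [r for r in rows
              if r[3] == "successful" and ts(r[2]) <= ts(target)]
    fulls = [r for r in usable if r[1] == "complete data backup"]
    if not fulls:
        raise ValueError("no complete data backup before the target time")
    base = max(fulls, key=lambda r: ts(r[2]))
    # Everything from the latest full backup up to the target is in the chain.
    chain = [r for r in usable if ts(r[2]) >= ts(base[2])]
    return {r[4] for r in chain if r[4]}

if __name__ == "__main__":
    print("unencrypted after activation:",
          unencrypted_after(ROWS, "2017-05-20 00:00"))
    print("keys for recovery to 2017-05-21 08:00:",
          sorted(keys_needed(ROWS, "2017-05-21 08:00")))
```

A recovery that spans a root key change needs every key in the chain, which is why the root key backup in step 2 has to be repeated and kept whenever a new key is created.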
Support for Third-Party Backup Tools (New)
As mentioned, the BACKINT API to support third-party backup tools has been around for almost 5 years now, with support added in SPS 10 to back up and restore multi-container systems.
New in SAP HANA 2.0 SPS 01 is the option to use backups created with third-party backup tools to copy a tenant database to a different system. This also works if the source system is single container, say HANA 1.0 SPS 12, and the target system is running the latest HANA 2.0 SPS 01 version in multi-container database mode.
For the full list of supported backup tools, see SAP Certified Solution Directory for “HANA-brint”.
Recovery From Storage Snapshots (New)
You have been able to use storage snapshots to complement your SAP HANA backup strategy for about as long as the BACKINT API has been around. Unlike regular backups, storage snapshots occur not at the database layer but at the storage layer, and this has some implications (the fine print).
On the positive side, using storage snapshots will be faster for both backup and restore of the SAP HANA database.
On the less positive side, you cannot use the new backup encryption feature for storage snapshots (tip: use data volume encryption) and storage snapshots are not yet fully compatible with the new default multi-tenant database container operation mode.
Fortunately, the first step in this direction has been made. It is now possible to create a storage snapshot for a multi-tenant database container system on the condition that there is only a single tenant database (a ‘single-tenant system’ in the documentation).
Just like with backup encryption, the interface for this feature is SQL. The ‘FOR FULL SYSTEM’ clause of the BACKUP DATA SNAPSHOT statement triggers the creation of a snapshot of the system database. Without this clause, a snapshot of the tenant database is made.
```sql
-- 1. create snapshot
BACKUP DATA FOR FULL SYSTEM CREATE SNAPSHOT COMMENT 'Storage snapshot';

-- look up the ID of the snapshot that was just prepared
-- SELECT * FROM M_BACKUP_CATALOG WHERE ENTRY_TYPE_NAME = 'data snapshot'
SELECT ENTRY_ID FROM M_BACKUP_CATALOG
 WHERE ENTRY_TYPE_NAME = 'data snapshot' AND COMMENT = 'Storage snapshot';

-- 2. close snapshot successful
BACKUP DATA FOR FULL SYSTEM CLOSE SNAPSHOT BACKUP_ID 1495207394627 SUCCESSFUL 'SNAP_01';

-- 2b. or discard it
BACKUP DATA FOR FULL SYSTEM CLOSE SNAPSHOT BACKUP_ID 1495207307659 UNSUCCESSFUL 'Do not use - was manually terminated';
```
Enhancement for Tenant Databases (Changed)
Finally, a small but important enhancement has been made to tenant database backup. As of SPS 01, when you add or remove a service from a database – for example, the script server required for the predictive analysis library (PAL) – you no longer break the backup history, nor do you have to make a full backup after the configuration change. This means that you can now use backups created before a topology change to recover an SAP HANA database to a point in time after the topology was changed.
On the SAP HANA Academy, there is a full playlist covering all aspects of database backup and recovery: bit.ly/SAPHANADBR
For more information see:
SAP Help Portal
- What’s New in the SAP HANA Platform 2.0 (Release Notes) – SAP HANA Database Backup and Recovery (New and Changed) – SAP HANA Release Notes
- SAP HANA Database Backup and Recovery – SAP HANA Administration Guide
- Backup Encryption – SAP HANA Security Guide
- Encryption Key Management – SAP HANA Security Guide
- ALTER SYSTEM BACKUP ENCRYPTION Statement (System Management) – SAP HANA SQL and System Views Reference
- ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD Statement (System Management) – SAP HANA SQL and System Views Reference
- Storage Snapshots – SAP HANA Administration Guide
- 2404375 – SAP HANA Platform 2.0 SPS 01 Release Note
- 2422689 – SAP HANA 2.0 SPS 01 Database Revision 010
- 1642148 – FAQ: SAP HANA Database Backup & Recovery
- 2444090 – FAQ: SAP HANA Backup Encryption
- 2039883 – FAQ: SAP HANA database and storage snapshots
- 1730932 – Using backup tools with Backint for HANA
- SAP Certified Solution Directory for “HANA-brint”
Thank you for watching
The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.
Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.
For the full list of blogs, see Blog Posts – by the SAP HANA Academy.