On-demand Encryption in SAP Adaptive Server Enterprise
Data Encryption in SAP ASE
SAP ASE comes with several encryption options that help you comply with your security requirements, for example database encryption, column encryption, and on-demand encryption. This blog covers on-demand encryption for the SAP ASE server and various supported clients: Open Client, jConnect, ADO.NET, and ODBC.
What is On-demand Encryption?
On-demand encryption allows you to encrypt commands and system procedures that contain sensitive data. You can perform encryption as needed: for an entire isql session, or on an ad hoc basis when you want to encrypt individual commands.
When you use on-demand encryption, the client encrypts the command before sending it to the server. The server decrypts the command before processing it.
On-demand encryption requires both the client and server to run SAP ASE version 16.0 SP03 or later; otherwise, the system returns an error.
Why use On-demand Encryption?
In previous releases of SAP ASE, SSL and Kerberos (with confidentiality mode) were used for data encryption. However, encrypting a full session with these services can cause latency issues.
With on-demand encryption, you can now encrypt a specific command on the fly.
For example, you have a large installation base with over 1000 SAP ASE servers, and a single system executes the alter login command to change the passwords for all other SAP ASE servers. In this scenario, using full encryption/SSL to encrypt this single alter login command (executed from the central host to all SAP ASE servers) is probably not the best option considering the performance impact and the cost involved. For such a use case, you may consider on-demand encryption to encrypt the required command.
You don’t need to purchase a separate license or perform additional installation or configuration steps to enable on-demand encryption; it comes fully enabled with SAP ASE 16.0 SP03.
On-demand Encryption for SAP ASE Clients
The client applications use the SAP Common Crypto Library for cryptographic services, such as encryption and decryption. For each client, you can set command encryption at either the command level or the connection level.
Configuring encryption on a connection lets you encrypt all client commands on that connection.
To enable on-demand encryption, client-specific properties (at connection-level and command-level) are added as described in the following table:
For more information, refer to the SAP Open Server and SDK for SAP Adaptive Server Enterprise 16.0 SP03 New Features Guide.