SAP HANA 2.0 SPS 00 What’s New: Security – by the SAP HANA Academy

Encryption

Data volume encryption was introduced with SAP HANA 1.0 SPS 09. With 2.0, log volume encryption is now also supported. You enable log volume encryption using SQL. Data volume encryption can also be enabled using the new SAP HANA cockpit.

-- enable data volume encryption

ALTER SYSTEM PERSISTENCE ENCRYPTION ON 

-- ALTER SYSTEM PERSISTENCE ENCRYPTION OFF

-- enable redo log encryption 

ALTER SYSTEM LOG ENCRYPTION ON

-- ALTER SYSTEM LOG ENCRYPTION OFF

-- Query status

SELECT * FROM M_ENCRYPTION_OVERVIEW

The management of the encryption root keys used for data volume encryption, redo log encryption, and the internal application encryption service has been enhanced:

• You can now update all three root keys by SQL statement
• You can now backup all three root keys to a dedicated password-protected file

For this, a new system privilege has been added: ENCRYPTION ROOT KEY ADMIN.

You may recall that to change encryption root keys in HANA 1.0, you could SQL for the data volume encryption root key but to change the application encryption service root key, only the command line tool hdbnsutil was available.

This illustration shows the three root keys stored in the Instance SSFS (Secure Store in the File System); think of it as a safe.

• application encryption service (orange)
• data volume (persistence) encryption (green)
• log volume encryption (blue)

The contents of the Instance SSFS can be exported in a password protected file.

This illustration shows the hand-over flow for changing master and root keys. You would follow this flow when you receive SAP HANA as an appliance from a hardware vendor, or SAP HANA express edition on a virtual machine (for production use).

To backup the root keys, you can use the follow SQL statement:

ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD <passphrase>

Next, create the root key backup file with RKB extension, using either SQL:

SELECT ENCRYPTION_ROOT_KEYS_EXTRACT_KEYS 

 ('PERSISTENCE, APPLICATION, LOG') FROM DUMMY

-- copy the CLOB result and save it to a file 

-- at a secure external location (with extension *.rkb)

Or the hdbnsutil tool with -backupRootKeys flag:

# alternatively use command line

hdbnsutil -backupRootKeys <filename>.rkb --type='ALL' [--dbid=dbid ]

hdbnsutil -validateRootKeysBackup <filename> [--password=<passphrase>]

hdbnsutil -recoverRootKeys <filename>.rkb --type='ALL' [--dbid=<dbid>]

   [--password=<passphrase>]

You can backup each key separately or you can backup all keys together.

The DBID parameter is used for tenant databases, as in multitenant database containers systems each tenant has its own root keys.

Once you have a backup, you can then change the root keys by SQL statement:

-- change encryption root keys

ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE 

ALTER SYSTEM LOG ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE

ALTER SYSTEM APPLICATION ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE

The WITHOUT ACTIVATE clause is optional but may be a prudent step, in particular when changing the application encryption service key. When ready, you can then activate the new root key:

-- activate the key

ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW ROOT KEY

ALTER SYSTEM LOG ENCRYPTION ACTIVATE NEW ROOT KEY

ALTER SYSTEM APPLICATION ENCRYPTION ACTIVATE NEW ROOT KEY

Authorization – LDAP Groups

You can now take advantage of LDAP group membership to authorize SAP HANA users, for those environments that use an LDAP-compliant identity management server to manage users and their access to resources. There are many different LDAP-compliant IdM implementations, SAP provides one, but also Microsoft with Active Directory, others are open source.

The new system privilege LDAP ADMIN is required to configure LDAP group authorization.

The following figures illustrates how a user is authorized on the basis of their LDAP group membership:

You can create an LDAP provider by SQL statement:

-- create LDAP provider

CREATE LDAP PROVIDER my_ldap_provider 

CREDENTIAL TYPE ‘PASSWORD’ 

USING ‘user=cn=LookupAccount,o=sap.com;password=hUWe8ZTiQyG’ 

USER LOOKUP URL

'ldap://idp.sap.com:389/ou=Users,dc=sap,dc=com??sub?(&(objectClass=user)(sAMAccountName=*))'

ATTRIBUTE DN 'distinguishedName'

ATTRIBUTE MEMBER_OF 'memberOf'

SSL ON 

DEFAULT ON 

ENABLE PROVIDER

User authorization is then delegated to the LDAP provider:

-- validate the LDAP provider

VALIDATE LDAP PROVIDER my_ldap_provider CHECK USER user1

-- create user with LDAP authorization

CREATE USER user1 PASSWORD <password> AUTHORIZATION LDAP

Authorization – GRANT | REVOKE PUBLIC role

Restricted users can now be converted into a standard user (or vice versa) by SQL statement:

-- granting (or revoking) the PUBLIC role 

ALTER USER <username> GRANT  ROLE PUBLIC;

ALTER USER <username> REVOKE ROLE PUBLIC;

-- granting (or revoking) authorization to create objects in the user's own schema 

ALTER USER <username> GRANT  CREATE ANY ON OWN SCHEMA;

ALTER USER <username> REVOKE CREATE ANY ON OWN SCHEMA;

-- enabling (or disabling) full SQL 

ALTER USER <user_name> ENABLE CLIENT CONNECT ;

Security Administration with SAP HANA Cockpit

The SAP HANA cockpit for SAP HANA 2.0 has been completely redesigned both from an architecture perspective as in the way the cockpit looks (within the Fiori framework).

The three tiles, Data Storage Security, Auditing, and Authentication, clearly show important security information, for example when SSFS master keys or the SYSTEM user password were last changed.

Selecting the tile will open the respective app, to configure data volume encryption, auditing or password policies.

New is that in cockpit 2.0, you can also create and configure database users, both standard and restricted.

Source: go.sap.com