hana sps07 new sec

What´s New? SAP HANA SPS 07 Security (Delta from SPS 06 to SPS 07)

SAP HANA Product Management November, 2013

© 2013 SAP AG. All rights reserved. 2 Public

Agenda

Authentication

User/role management

Authorization

Encryption

Audit logging

Documentation

Authentication


SPNEGO (Kerberos with Simple and Protected GSSAPI Negotiation Mechanism) is now

available as an authentication option for SAP HANA XS

Configuration

1. In Microsoft Active Directory, for each host and alias register new service principal names and map them to the

(potentially already existing) SAP HANA service user

2. On the SAP HANA server, add the keys for the new service principal names to the keytab

3. In SAP HANA, configure the Kerberos user mapping for the user

Note: If the user mapping has already been set up for Kerberos authentication for SQL access, you do not

have to change anything here

4. Using the SAP HANA XS Administration Tool (http://<host>:80<sysno>/sap/hana/xs/admin/), select SPNEGO

as authentication method for the user

What’s New in SAP HANA SPS 07: Security SPNEGO support for SAP HANA XS


SAP Logon Tickets and SAP Assertion Tickets are now supported for both SQL and XS access

Prerequisites

A separate trust store for SAP Logon and Assertion tickets

has been configured

System privilege USER ADMIN

Configuration

1. In the Systems view in SAP HANA studio, choose Security

2. Create a new user by right-clicking on Users and choosing

New User

3. Select the authentication method(s) and choose the (Deploy) button

Notes

Prior to SPS 07, SAP HANA implicitly selected both user name/password and SAP Logon Tickets as

authentication methods for new users. Now you have to explicitly set authentication options for new users

To re-enable the old behavior for SAP Logon Tickets, a new configuration parameter has been introduced

(Indexserver.ini -> authentication -> SapLogonTicketEnabledForNewUsers). See also SAP Note 1927949

What’s New in SAP HANA SPS 07: Security SAP Logon Ticket and SAP Assertion Ticket support

https://service.sap.com/sap/support/notes/1927949


The mandatory periodic password change can now be re-enabled using SQL

In some situations it may be required to exclude specific users from the mandatory periodic password change,

for example the technical user that is used by an application server to connect to the database

Prerequisites: System privilege USER ADMIN

Syntax:

ALTER USER <user_name> DISABLE PASSWORD LIFETIME

ALTER USER <user_name> ENABLE PASSWORD LIFETIME

Changed default for maximum_unused_initial_password_lifetime

This parameter specifies the number of days for which initial user passwords are valid. If a user has not logged

on within this period of time, the password becomes invalid; the user administrator can reset it if still needed.

New default: 7 days (formerly 28 days)

Prerequisites: System privilege USER ADMIN

To change this parameter, in the Systems view of SAP HANA studio choose Security -> Password Policy ->

Lifetime of Initial Password

What’s New in SAP HANA SPS 07: Security Password policy changes/additions (I)

https://sapjira.wdf.sap.corp/browse/TIPHANA15IT03-603


Option to set configuration parameter password_lock_time to infinity

Time for which a user is locked after having exhausted the maximum number of failed logon attempts

Prerequisites:


Configuration

– In the Systems view in SAP HANA studio, choose Security -> Password Policy and in the User Lock Settings

select Lock indefinitely

– When setting the parameter using SQL, use the value -1

What’s New in SAP HANA SPS 07: Security Password policy changes/additions (II)

User/role management


What’s New in SAP HANA SPS 07: Security Set validity period for user in SAP HANA studio

You can now set the validity period for a user in SAP HANA studio

Prerequisites


Configuration

1. In the Systems view in SAP HANA studio, choose Security

2. Expand Users and double-click on the user for which you want to set the validity period,

or create a new user by right-clicking on Users and choosing New User

3. Enter the validity period and choose the (Deploy) button


You can now create a new user by copying an

existing user. The roles granted to the existing

user are automatically granted to the new user

Prerequisites

System privilege USER ADMIN, SQL privilege

EXECUTE on procedure GRANT_ACTIVATED_ROLE

Restrictions

Only roles created as design-time roles are copied

Only available in SAP HANA studio

Procedure

1. In the Systems view in SAP HANA studio, choose

Security -> Users, right-click the user to be copied

and choose Copy User

2. Enter the details for the new user

3. Choose the (Deploy) button to create the user

What’s New in SAP HANA SPS 07: Security Copy user

Authorization


New system privileges for repository change management are available

Repository change management provides the infrastructure for tracked development. If enabled, the

activation of a repository object prompts the developer to assign it to a container or “Change”. A

developer must then approve and release his changes in order for the objects in his change to be

marked as released. This enables the creation of a delivery unit (DU) that is composed of only

released objects. Releasing a change does not trigger any automatic semantic checks but is a manual

assurance by the developer that the objects are consistent and ready for transport.

Prerequisites


Granting system privileges

1. In the Systems view in SAP HANA studio, double-click on the user

2. On the System Privileges tab, add the required system privileges:

o REPO.CONFIGURE, REPO.MODIFY_CHANGE, REPO.MODIFY_FOREIGN_CONTRIBUTION,

REPO.MODIFY_OWN_CONTRIBUTION,

3. Choose the (Deploy) button

What’s New in SAP HANA SPS 07: Security New system privileges for repository change management


You can now allow other users to debug

SQLScript code (e.g. a procedure) that is being

executed in your session

1. In the Systems view in SAP HANA studio, expand

Security -> Users and double-click the user to whom

you want to grant debugging privileges

o On the Object Privileges tab, add your procedure and

select DEBUG

o On the Privileges on Users tab, choose the (Add)

button and select ATTACH DEBUGGER (see screenshot)


Example

BOB grants ALICE debugging privileges

Note

It is not possible to grant the ATTACH DEBUGGER

privilege on behalf of other users

What’s New in SAP HANA SPS 07: Security New privilege for debugging SQLScript code


SQL privileges for Smart Data Access scenarios can now be granted using SAP HANA studio

Smart data access is SAP HANA’s capability to connect to remote sources and present data in those

remote sources as though they were local SAP HANA tables. In SAP HANA, virtual tables are created

that represent the tables in the remote source. Via these virtual tables, joins can be executed between

tables in SAP HANA and tables in the remote source.

The following SQL privileges can now be granted using SAP HANA studio:

CREATE VIRTUAL TABLE (in selected remote source)

DROP (selected remote source)

Prerequisites

Remote source has been created

Example

User SYSTEM grants a user the privileges to

– Create virtual tables for remote source ASE2

– Drop remote source ASE2

What’s New in SAP HANA SPS 07: Security SAP HANA studio: Support for smart data access privilege assignment

Encryption


SAP HANA now supports SAP’s new cryptographic library CommonCryptoLib for operations

that require cryptography, for example data volume encryption and SSL communication

encryption

CommonCryptoLib is the successor of SAPCRYPTOLIB

Notes:

CommonCryptoLib will be made available via SAP Service Marketplace

Because the library includes encryption routines, CommonCryptoLib distribution is subject to and controlled by

German export regulations and may not be available to all customers. The library may also be subject to local

regulations of your own country that may further restrict the import, use, and (re-)export of cryptographic

software.

What’s New in SAP HANA SPS 07: Security Support for SAP’s new cryptographic library CommonCryptoLib


Data volume encryption on disk can now be configured using SAP HANA studio

After activating encryption, new data that is saved to disk will be encrypted starting with the next

savepoint. Existing data starts being encrypted in the background. Depending on the size of the SAP

HANA system, this process can take some time. Only after this process has completed is all your data

encrypted. You can monitor the encryption progress in SAP HANA studio.

Notes

If you want to use data volume encryption, it is recommended to activate it directly after installing the system

The root key for data volume encryption is automatically created during installation. If you have received SAP

HANA as an appliance, we recommend to change this key after handover from the hardware vendor

What’s New in SAP HANA SPS 07: Security SAP HANA studio: Configure data volume encryption (I)


What’s New in SAP HANA SPS 07: Security SAP HANA studio: Configure data volume encryption (II)

Prerequisites

System privilege RESOURCE ADMIN

Activating/deactivating data volume encryption

1. In the Systems view in SAP HANA studio, choose

Security

2. Open the Data Volume Encryption tab

– To activate encryption, select Activate encryption of

data volumes

– To deactivate encryption, de-select this option



SAP HANA now provides the ability to change

the SSFS master key

SSFS (SAP NetWeaver secure storage in the file

system) is used by SAP HANA to store

The root key for the data volume encryption

The root key for the internal data protection API

(DPAPI). Note: DPAPI is used by the secure internal

credential store, which is needed in some scenarios

such as smart data access to securely store additional

user credentials (e.g. for access to remote systems)

The keys stored in SSFS are themselves encrypted

using the SSFS master key.

It is recommended to periodically change the SSFS

master key, re-encrypt the SSFS with the new key,

and save the new key to a secure location.

What’s New in SAP HANA SPS 07: Security SSFS: Change master key (I)

SAP HANA

file system

SSFS master key

SSFS

Data volume encryption

(root key)

Internal data protection API

(root key)

SAP HANA database

Secure credential store

(key)

Data volume encryption

(savepoint-specific key)


Prerequisites

Credentials of the operating system user (<sid>adm user) that was created when the system was installed

Database user with system privilege INIFILE ADMIN

In a distributed SAP HANA system, every host must be able to access the key file location

Changing the SSFS master key

1. Stop the SAP HANA system

2. Log on to the SAP HANA system host as the operating system user <sid>adm

3. Generate a new master key by entering the following command:

rsecssfx generatekey

4. Re-encrypt the SSFS with the new master key and save the key file to a secure location as follows:

RSEC_SSFS_DATAPATH=/usr/sap/<SID>/global/hdb/security/ssfs

RSEC_SSFS_KEYPATH<PATH TO KEYFILE> rsecssfx changekey <NEWKEY>

5. Configure the specified key file location in the cryptography section of the global.ini configuration file with the

parameter ssfs_key_file_path

What’s New in SAP HANA SPS 07: Security SSFS: Change master key (II)


If storage snapshots are used for data backup, the root key for the data volume encryption is

now included in the automatic backup of the SSFS

The SSFS is always part of the data backup, but for file system or BACKINT backups it does not

include the data volume encryption root key.

The root key is only needed in recovery scenarios where a storage snapshot is used as the basis for

the recovery.

What’s New in SAP HANA SPS 07: Security SSFS: Data volume encryption root key included in backup


An alert is triggered if the SSFS is missing

SSFS is used by SAP HANA to store

The root key for the data volume encryption

The root key for the internal data protection API

New check

Determines whether the secure storage in the file system (SSFS) is accessible to the database

Alert priority: HIGH

Recommended user action: Check and make sure that the secure storage in the file system (SSFS) is

accessible to the database

What’s New in SAP HANA SPS 07: Security SSFS: Alert if SSFS is missing


There is a new configuration parameter which enforces SSL encryption for all client SQL

connections to the SAP HANA database

Prerequisites

SSL has been configured for the SAP HANA database

System privilege INIFILE ADMIN

You have migrated to the new statistics server implementation (see SAP Note 1917938). Do not enforce SSL for

client connections otherwise.

Configuration

1. In the Administration editor in SAP HANA studio, open the Configuration tab

2. Navigate to the global.ini file and expand the communication section

3. Set the sslEnforce parameter to true (default: false)

4. New SQL connection attempts by clients without SSL will now be rejected by the SAP HANA database. Note

though that existing connections will not be terminated, so if you want to enforce SSL for all connections, it is

recommended to restart the database.

What’s New in SAP HANA SPS 07: Security Communication encryption: Force SSL for client SQL connections



The Secure Sockets Layer (SSL) protocol can be used to secure network communication

between the primary site and secondary site in system replication scenarios

Prerequisites

SSL has been configured for both SAP HANA systems (key creation and CA).

System privilege INIFILE ADMIN

Configuration

1. For a scenario involving two systems, carry out the following steps in both systems

1. In the Administration editor in SAP HANA studio, open the Configuration tab

2. In the configuration file global.ini -> section system_replication_communication: Set the parameter enable_ssl to on

2. SSL will be used from the next reconnect between primary and secondary. The easiest way to achieve a

reconnect is to restart the secondary system.

What’s New in SAP HANA SPS 07: Security Communication encryption: SSL support for system replication scenarios

Audit Logging


If auditing is active, certain actions are always audited and are therefore not available for

inclusion in user-defined audit policies

In the audit trail, these action are labeled with the internal audit policy MandatoryAuditPolicy.

What’s New in SAP HANA SPS 07: Security Mandatory audit actions

Action Description

CREATE AUDIT POLICY

ALTER AUDIT POLICY

DROP AUDIT POLICY

Creation, modification, or deletion of audit policies

ALTER SYSTEM CLEAR AUDIT LOG UNITL <timestamp> Deletion of audit entries from the audit trail. This only applies if

audit entries are written to column store database tables.

ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing

configuration','global_auditing_state' ) = <value> with reconfigure;


configuration','default_audit_trail_type' ) = '<audit_trail_type>' with

reconfigure;


configuration','default_audit_trail_path' ) = '<path>' with reconfigure;

Changes to auditing configuration, that is:

Enabling or disabling auditing

Changing the audit trail target

Changing the location of the audit trail target if it is a CSV text

file


What’s New in SAP HANA SPS 07: Security Database table as audit trail target (I)

As an alternative to syslog, SAP HANA can now write the audit trail to tables within the

database itself

When an audit policy is triggered, an audit entry is created in the audit trail

Audit trail types for production systems:

syslog (logging system of the Linux operating system)

o syslog is a secure storage location for the audit trail because not even the database administrator can access or change it.

There are also numerous storage possibilities for the syslog, including storing it on other systems. In addition, syslog is the

default log daemon in UNIX systems. syslog therefore provides a high degree of flexibility and security, as well as

integration into a larger system landscape.

Database table

o Using an SAP HANA database table as the target for the audit trail makes it possible to query and analyze auditing

information quickly. It also provides a secure and tamper-proof storage location.

o Internal column store table in the _SYS_AUDIT schema of the SAP HANA database

o Audit entries are only accessible through the public system view AUDIT_LOG. Only SELECT operations can be performed

on this view by users with system privilege AUDIT ADMIN or AUDIT OPERATOR

o To avoid the audit table growing too large, it is possible to delete old audit entries


Prerequisites

System privilege AUDIT ADMIN or INIFILE ADMIN

Configuring the audit trail

1. In the Systems view, double-click on Security and

open the Auditing tab

2. In the System Settings for Auditing area, set the

auditing status to Enabled

3. Configure the target of the audit trail by choosing

Database Table


What’s New in SAP HANA SPS 07: Security Database table as audit trail target (II)


Prerequisites

System privilege AUDIT ADMIN or AUDIT OPERATOR

Viewing the audit trail

In the Systems view of SAP HANA studio, expand the

catalog and display the system view AUDIT_LOG

Alternatively, display the system view using SQL

commands:

SELECT * FROM "PUBLIC"."AUDIT_LOG"

What’s New in SAP HANA SPS 07: Security Database table as audit trail target (III)


Prerequisites

System privilege AUDIT ADMIN or AUDIT OPERATOR

Truncating the audit trail



2. Choose the (Truncate) button

3. Specify a date/time and click OK

Caution: All information in the audit trail that is older will

be immediately deleted

What’s New in SAP HANA SPS 07: Security Database table as audit trail target (IV)


Two additional data definition (DDL) actions

can now be audited: CREATE TABLE and

ALTER TABLE

Prerequisites

System privilege AUDIT ADMIN

Creating an audit policy



2. In the Audit Policies area, choose Create New Policy

3. Enter the policy name

4. Specify the audit actions and further options if

required


What’s New in SAP HANA SPS 07: Security New audit actions


You can log all actions performed by a specific

user

This covers not only all actions that can be audited

individually, but also actions that cannot otherwise

be audited. Such a policy is useful if you want to

audit the actions of a particularly privileged user.

Note

Some actions cannot be audited using database

auditing even with a policy that includes all actions, in

particular, system restart and system recovery

Caution

Firefighter logging may generate a lot of audit entries,

so only enable it if required

What’s New in SAP HANA SPS 07: Security Firefighter logging


You can now exempt individual users from an

audit policy

This can be useful, for example, if you want to

exclude the technical user account used by an

application server for connections to the SAP

HANA database

Prerequisites

System privilege AUDIT ADMIN

Exempting a user from an audit policy

When creating the audit policy, choose in the Users

column

Select the users to be excluded from the audit policy

What’s New in SAP HANA SPS 07: Security Exempt user from audit policy


The dialog for selecting audit actions for an

audit policy has been improved

Not all actions can be combined together in the

same policy, therefore compatible audit actions

have been grouped together

When you select an action, those actions that are

not compatible with the selected action become

unavailable for selection

If you need to two audit incompatible audit actions,

you need to create two separate audit policies

What’s New in SAP HANA SPS 07: Security SAP HANA studio: Improved audit action configuration

Documentation


What’s New in SAP HANA SPS 07: Security Context-sensitive help in SAP HANA studio

SAP HANA studio now provides context-

sensitive help for many topic areas, including

security

To open the context-sensitive help, press F1, or

choose Help -> Dynamic Help

More Information


SAP HANA documentation

Available on the SAP Help Portal

SAP HANA Security Guide, Master Guide (network topics),

Developer Guide, SQL Reference Guide (privilege details)

Important SAP notes

1598623: SAP HANA appliance: Security (Central Security Note)

1514967: SAP HANA appliance (Central Appliance Note)

1730928: Using external software in a HANA appliance

1730929: Using external tools in an SAP HANA appliance

1730930: Using antivirus software in an SAP HANA appliance

1730999: Configuration changes in HANA appliance

Security whitepaper

http://www.saphana.com/docs/DOC-3751

What’s New in SAP HANA SPS 07: Security More Information

http://help.sap.com/hana_platform













Disclaimer

This presentation outlines our general product direction and should not be relied on in making

a purchase decision. This presentation is not subject to your license agreement or any other

agreement with SAP.

SAP has no obligation to pursue any course of business outlined in this presentation or to

develop or release any functionality mentioned in this presentation. This presentation and

SAP’s strategy and possible future developments are subject to change and may be changed

by SAP at any time for any reason without notice.

This document is provided without a warranty of any kind, either express or implied, including

but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or

non-infringement. SAP assumes no responsibility for errors or omissions in this document,

except if such damages were caused by SAP intentionally or grossly negligent.

Thank you

Contact information

Andrea Kristen

SAP HANA Product Management

[email protected]

To get the best overview of what’s new in SAP HANA SPS 07, read this blog.

mailto:[email protected]

http://www.saphana.com/community/blogs/blog/2013/11/20/whats-new-in-sap-hana-sps07


© 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.

The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and

SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in

the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other

countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

http://www.sap.com/corporate-en/legal/copyright/index.epx




© 2013 SAP AG. Alle Rechte vorbehalten.

Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche

Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden.

Einige der von der SAP AG und ihren Distributoren vermarkteten Softwareprodukte enthalten proprietäre Softwarekomponenten anderer Softwareanbieter.

Produkte können länderspezifische Unterschiede aufweisen.

Die vorliegenden Unterlagen werden von der SAP AG und ihren Konzernunternehmen („SAP-Konzern“) bereitgestellt und dienen ausschließlich zu Informationszwecken.

Der SAP-Konzern übernimmt keinerlei Haftung oder Gewährleistung für Fehler oder Unvollständigkeiten in dieser Publikation. Der SAP-Konzern steht lediglich für Produkte

und Dienstleistungen nach der Maßgabe ein, die in der Vereinbarung über die jeweiligen Produkte und Dienstleistungen ausdrücklich geregelt ist. Keine der hierin

enthaltenen Informationen ist als zusätzliche Garantie zu interpretieren.

SAP und andere in diesem Dokument erwähnte Produkte und Dienstleistungen von SAP sowie die dazugehörigen Logos sind Marken oder eingetragene Marken der SAP

AG in Deutschland und verschiedenen anderen Ländern weltweit. Weitere Hinweise und Informationen zum Markenrecht finden Sie unter http://www.sap.com/corporate-

en/legal/copyright/index.epx#trademark.




hana sps07 new sec

Documents