SSL Configuration within SAP HANA


Upload: debajit-banerjee

Post on 05-Jul-2015


DESCRIPTION

To secure communication, SAP HANA supports the use of either the SAPCrypto libraries or OpenSSL. Hardware vendors do not configure Secure Sockets Layer (SSL) communication for SAP HANA. The attached guide provides the steps required to configure and enable OpenSSL communication between SAP HANA Studio and SAP HANA Server.

TRANSCRIPT


How to Secure Communication within SAP HANA Prepared by Debajit Banerjee

http://debajitb.wix.com/debajitbanerjee | http://debajitb.wix.com/debajitbanerjee/apps/blog

How to secure communication between SAP HANA Server and HANA Studio?

Communication between SAP HANA Server and HANA Studio can be secured by configuring OpenSSL between them. Before moving to the SSL configuration, let’s have a look at the SAP HANA security architecture.

SAP HANA – Secure communication and encryption

Communication encryption – SSL
Encryption at rest – On the roadmap

SAP HANA – Authorization Framework

System privileges – for administrative actions
SQL privileges – access to data and operations on database objects
Analytical privileges – for runtime access; row-level access based on dimensions of the respective view (analytical, calculation, attribute)
Repository privileges – access to the repository (modeling) at design time

The Authorization Framework also takes care of User & Role Management: Roles are used to bundle and structure privileges, Privileges or Roles can be assigned to Users, and Privileges control what Users can do.

SAP HANA – Authentication and Single Sign-on

User name and Password – Password policy
Kerberos Authentication – including delegation
SAML Authentication – Bearer Token

The Logging Framework is mainly used for audit logging, and HANA Studio is used for general security administration purposes.


So, from the above, it is clear that SSL configuration for SAP HANA is a basic necessity before moving on to other HANA security topics, e.g., SSO configuration.

How to configure SSL for SAP HANA?

Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of a message transmission on the Internet. SAP HANA Server runs on SLES 11 SP1 or SP2, and people generally access the server from desktops or laptops running Linux or Windows. Administrators, modelers/developers and the security team access SAP HANA Server through SAP HANA Studio. SAP HANA supports the use of either the SAPCrypto libraries or OpenSSL to secure communication. Here I will discuss OpenSSL.

First, check whether SSL has already been configured for your SAP HANA Server.

When you connect to SAP HANA Server, tick the “Connect Using SSL” option. If SSL is not configured, it will throw the below error:


Now here are the steps to configure SSL for SAP HANA –

A.) Activities at SAP HANA Server end

Step 1. As user ‘root’, check for the existence of libssl.so; if the file does not exist, create a symbolic link to libssl.so.0.9.8

Step 2. Create “root Certificate” using <sid>adm user


Step 3. Create the “Server Certificate” using <sid>adm user


Step 4. Signature of the Server Certificate

This activity will generate CA_Cert.srl and Server_Cert.pem files.

Step 5. Chain the Server Certificate

The structure of the chained Server Certificate looks like:

-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----


Step 6. Copy the Server Certificate to trust.pem

Step 7. Restart SAP HANA Server
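Server-side steps 2 to 6 can be reproduced and checked in a scratch directory with the sketch below. It is an added example, not the author's original commands: only CA_Cert.srl, Server_Cert.pem and trust.pem are names from this guide, while CA_Key.pem, CA_Cert.pem, Server_Key.pem, Server_Req.pem, key.pem, the certificate subjects and the RSA 2048 / SHA-256 choices are assumptions.

```shell
#!/bin/sh
# Added example. File names other than CA_Cert.srl, Server_Cert.pem and
# trust.pem are assumptions; subjects and the host name are constructed.

# build_hana_pki DIR HOST: run steps 2-6 inside DIR (body runs in a subshell).
build_hana_pki() (
    umask 077    # keep the generated private keys readable by the owner only
    mkdir -p "$1" && cd "$1" || exit 1
    # Step 2: self-signed root certificate
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example HANA Root CA" \
        -keyout CA_Key.pem -out CA_Cert.pem 2>/dev/null || exit 1
    # Step 3: server key and certificate request; CN is the host clients connect to
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout Server_Key.pem -out Server_Req.pem 2>/dev/null || exit 1
    # Step 4: sign the request with the root; writes Server_Cert.pem and CA_Cert.srl
    openssl x509 -req -sha256 -days 365 -in Server_Req.pem \
        -CA CA_Cert.pem -CAkey CA_Key.pem -CAcreateserial \
        -out Server_Cert.pem 2>/dev/null || exit 1
    # Step 5: chain in the order shown in this guide: certificate, key, root
    cat Server_Cert.pem Server_Key.pem CA_Cert.pem > key.pem || exit 1
    # Step 6: copy the server certificate to trust.pem, as the guide states
    cp Server_Cert.pem trust.pem
)

# chain_layout FILE: print the PEM block types in file order, comma-separated.
chain_layout() {
    sed -n 's/^-----BEGIN \(RSA \)\{0,1\}\(.*\)-----$/\2/p' "$1" | paste -sd, -
}

# check_hana_pki DIR: succeed only if the server certificate verifies against
# the root, the chained file has the expected layout, and key matches certificate.
check_hana_pki() (
    cd "$1" || exit 1
    openssl verify -CAfile CA_Cert.pem Server_Cert.pem >/dev/null 2>&1 || exit 1
    [ "$(chain_layout key.pem)" = "CERTIFICATE,PRIVATE KEY,CERTIFICATE" ] || exit 1
    cert_pub=$(openssl x509 -in Server_Cert.pem -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in Server_Key.pem -pubout 2>/dev/null) || exit 1
    [ "$cert_pub" = "$key_pub" ]
)
```

Run `build_hana_pki` with a scratch directory and the server's host name, then `check_hana_pki` on the same directory before restarting the server; a non-zero exit status means the chain, the file layout or the key pairing is wrong.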


B-I) Activities at SAP HANA Client end (if Client is on Linux)

Step 1. Check JAVA Version and JAVA_HOME

Step 2. Import ‘trust.pem’ into the JAVA Keystore on the client

B-II) Activities at SAP HANA Client end (if Client is on Windows)

On a Windows box, please use Administrator to perform the activities below.

From HANA Studio, one can figure out JAVA_HOME


Before executing the keytool command, it is better to check that the cacerts file exists.


C) SSL Enablement within SAP HANA Studio

Connect using SSL option.

Now SAP HANA Studio will communicate using SSL; the hover tooltip should now show SSL, and the system node icon should show a small lock.

Now I am trying with another user


So, it is working perfectly. The above steps are what is required to configure and enable OpenSSL communication between SAP HANA Server and SAP HANA Studio.

===== End of Document ======