SlideShare a Scribd company logo

HANA SPS07 Security

Download as PPTX, PDF
SAP Technology, profile picture
SAP Technology

The document discusses new security features in SAP HANA SPS 07, including: - Support for SPNEGO authentication for SAP HANA XS and SAP Logon/Assertion Tickets for SQL and XS access. - Enhancements to password policies such as disabling periodic password changes for specific users and reducing the default validity of initial passwords. - Improved user and role management capabilities like setting validity periods for users and copying users along with their roles. - New system privileges for repository change management and attaching a debugger to SQLScript code during execution. - Configuration of data volume encryption and changing the SSFS master key directly from SAP HANA studio.

TechnologyTravel
1 of 42
Downloaded 136 times
1
2
3
4
Most read
5
6
7
8
9
Most read
10
11
12
Most read
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
What´s New? SAP HANA SPS 07 Security (Delta from SPS 06 to SPS 07) SAP HANA Product Management November, 2013
Agenda Authentication User/role management Authorization Encryption Audit logging Documentation © 2013 SAP AG. All rights reserved. Public 2
Authentication
What’s New in SAP HANA SPS 07: Security SPNEGO support for SAP HANA XS SPNEGO (Kerberos with Simple and Protected GSSAPI Negotiation Mechanism) is now available as an authentication option for SAP HANA XS Configuration 1. In Microsoft Active Directory, for each host and alias register new service principal names and map them to the (potentially already existing) SAP HANA service user 2. On the SAP HANA server, add the keys for the new service principal names to the keytab 3. In SAP HANA, configure the Kerberos user mapping for the user Note: If the user mapping has already been set up for Kerberos authentication for SQL access, you do not have to change anything here 4. Using the SAP HANA XS Administration Tool (http://<host>:80<sysno>/sap/hana/xs/admin/), select SPNEGO as authentication method for the user © 2013 SAP AG. All rights reserved. Public 4
What’s New in SAP HANA SPS 07: Security SAP Logon Ticket and SAP Assertion Ticket support SAP Logon Tickets and SAP Assertion Tickets are now supported for both SQL and XS access Prerequisites  A separate trust store for SAP Logon and Assertion tickets has been configured  System privilege USER ADMIN Configuration 1. In the Systems view in SAP HANA studio, choose Security 2. Create a new user by right-clicking on Users and choosing New User 3. Select the authentication method(s) and choose the (Deploy) button Notes  Prior to SPS 07, SAP HANA implicitly selected both user name/password and SAP Logon Tickets as authentication methods for new users. Now you have to explicitly set authentication options for new users  To re-enable the old behavior for SAP Logon Tickets, a new configuration parameter has been introduced (Indexserver.ini -> authentication -> SapLogonTicketEnabledForNewUsers). See also SAP Note 1927949 © 2013 SAP AG. All rights reserved. Public 5
What’s New in SAP HANA SPS 07: Security Password policy changes/additions (I) The mandatory periodic password change can now be re-enabled using SQL  In some situations it may be required to exclude specific users from the mandatory periodic password change, for example the technical user that is used by an application server to connect to the database  Prerequisites: System privilege USER ADMIN  Syntax: ALTER USER <user_name> DISABLE PASSWORD LIFETIME ALTER USER <user_name> ENABLE PASSWORD LIFETIME Changed default for maximum_unused_initial_password_lifetime  This parameter specifies the number of days for which initial user passwords are valid. If a user has not logged on within this period of time, the password becomes invalid; the user administrator can reset it if still needed.  New default: 7 days (formerly 28 days)  Prerequisites: System privilege USER ADMIN  To change this parameter, in the Systems view of SAP HANA studio choose Security -> Password Policy -> Lifetime of Initial Password © 2013 SAP AG. All rights reserved. Public 6
What’s New in SAP HANA SPS 07: Security Password policy changes/additions (II) Option to set configuration parameter password_lock_time to infinity Time for which a user is locked after having exhausted the maximum number of failed logon attempts Prerequisites:  System privilege USER ADMIN Configuration – In the Systems view in SAP HANA studio, choose Security -> Password Policy and in the User Lock Settings select Lock indefinitely – When setting the parameter using SQL, use the value -1 © 2013 SAP AG. All rights reserved. Public 7
User/role management
What’s New in SAP HANA SPS 07: Security Set validity period for user in SAP HANA studio You can now set the validity period for a user in SAP HANA studio Prerequisites  System privilege USER ADMIN Configuration 1. In the Systems view in SAP HANA studio, choose Security 2. Expand Users and double-click on the user for which you want to set the validity period, or create a new user by right-clicking on Users and choosing New User 3. Enter the validity period and choose the (Deploy) button © 2013 SAP AG. All rights reserved. Public 9
What’s New in SAP HANA SPS 07: Security Copy user You can now create a new user by copying an existing user. The roles granted to the existing user are automatically granted to the new user Prerequisites  System privilege USER ADMIN, SQL privilege EXECUTE on procedure GRANT_ACTIVATED_ROLE Restrictions  Only roles created as design-time roles are copied  Only available in SAP HANA studio Procedure 1. In the Systems view in SAP HANA studio, choose Security -> Users, right-click the user to be copied and choose Copy User 2. Enter the details for the new user 3. Choose the (Deploy) button to create the user © 2013 SAP AG. All rights reserved. Public 10
Authorization
What’s New in SAP HANA SPS 07: Security New system privileges for repository change management New system privileges for repository change management are available Repository change management provides the infrastructure for tracked development. If enabled, the activation of a repository object prompts the developer to assign it to a container or “Change”. A developer must then approve and release his changes in order for the objects in his change to be marked as released. This enables the creation of a delivery unit (DU) that is composed of only released objects. Releasing a change does not trigger any automatic semantic checks but is a manual assurance by the developer that the objects are consistent and ready for transport. Prerequisites  System privilege USER ADMIN Granting system privileges 1. In the Systems view in SAP HANA studio, double-click on the user 2. On the System Privileges tab, add the required system privileges: o REPO.CONFIGURE, REPO.MODIFY_CHANGE, REPO.MODIFY_FOREIGN_CONTRIBUTION, REPO.MODIFY_OWN_C ONTRIBUTION, 3. Choose the (Deploy) button © 2013 SAP AG. All rights reserved. Public 12
What’s New in SAP HANA SPS 07: Security New privilege for debugging SQLScript code You can now allow other users to debug SQLScript code (e.g. a procedure) that is being executed in your session 1. In the Systems view in SAP HANA studio, expand Security -> Users and double-click the user to whom you want to grant debugging privileges o On the Object Privileges tab, add your procedure and select DEBUG o On the Privileges on Users tab, choose the (Add) button and select ATTACH DEBUGGER (see screenshot) 2. Choose the (Deploy) button Example  BOB grants ALICE debugging privileges Note  It is not possible to grant the ATTACH DEBUGGER privilege on behalf of other users © 2013 SAP AG. All rights reserved. Public 13
What’s New in SAP HANA SPS 07: Security SAP HANA studio: Support for smart data access privilege assignment SQL privileges for Smart Data Access scenarios can now be granted using SAP HANA studio Smart data access is SAP HANA’s capability to connect to remote sources and present data in those remote sources as though they were local SAP HANA tables. In SAP HANA, virtual tables are created that represent the tables in the remote source. Via these virtual tables, joins can be executed between tables in SAP HANA and tables in the remote source. The following SQL privileges can now be granted using SAP HANA studio:  CREATE VIRTUAL TABLE (in selected remote source)  DROP (selected remote source) Prerequisites  Remote source has been created Example  User SYSTEM grants a user the privileges to – Create virtual tables for remote source ASE2 – Drop remote source ASE2 © 2013 SAP AG. All rights reserved. Public 14
Encryption
What’s New in SAP HANA SPS 07: Security Support for SAP’s new cryptographic library CommonCryptoLib SAP HANA now supports SAP’s new cryptographic library CommonCryptoLib for operations that require cryptography, for example data volume encryption and SSL communication encryption CommonCryptoLib is the successor of SAPCRYPTOLIB Notes:  CommonCryptoLib will be made available via SAP Service Marketplace  Because the library includes encryption routines, CommonCryptoLib distribution is subject to and controlled by German export regulations and may not be available to all customers. The library may also be subject to local regulations of your own country that may further restrict the import, use, and (re-)export of cryptographic software. © 2013 SAP AG. All rights reserved. Public 16
What’s New in SAP HANA SPS 07: Security SAP HANA studio: Configure data volume encryption (I) Data volume encryption on disk can now be configured using SAP HANA studio After activating encryption, new data that is saved to disk will be encrypted starting with the next savepoint. Existing data starts being encrypted in the background. Depending on the size of the SAP HANA system, this process can take some time. Only after this process has completed is all your data encrypted. You can monitor the encryption progress in SAP HANA studio. Notes  If you want to use data volume encryption, it is recommended to activate it directly after installing the system  The root key for data volume encryption is automatically created during installation. If you have received SAP HANA as an appliance, we recommend to change this key after handover from the hardware vendor © 2013 SAP AG. All rights reserved. Public 17
What’s New in SAP HANA SPS 07: Security SAP HANA studio: Configure data volume encryption (II) Prerequisites  System privilege RESOURCE ADMIN Activating/deactivating data volume encryption 1. In the Systems view in SAP HANA studio, choose Security 2. Open the Data Volume Encryption tab – To activate encryption, select Activate encryption of data volumes – To deactivate encryption, de-select this option 3. Choose the (Deploy) button © 2013 SAP AG. All rights reserved. Public 18
What’s New in SAP HANA SPS 07: Security SSFS: Change master key (I) SSFS master key SAP HANA now provides the ability to change the SSFS master key SSFS (SAP NetWeaver secure storage in the file system) is used by SAP HANA to store  The root key for the data volume encryption  The root key for the internal data protection API (DPAPI). Note: DPAPI is used by the secure internal credential store, which is needed in some scenarios such as smart data access to securely store additional user credentials (e.g. for access to remote systems) SSFS Data volume encryption (root key) Internal data protection API (root key) The keys stored in SSFS are themselves encrypted using the SSFS master key. It is recommended to periodically change the SSFS master key, re-encrypt the SSFS with the new key, SAP HANA file system and save the new key to a secure location. © 2013 SAP AG. All rights reserved. Data volume encryption (savepoint-specific key) Secure credential store (key) SAP HANA database Public 19
What’s New in SAP HANA SPS 07: Security SSFS: Change master key (II) Prerequisites  Credentials of the operating system user (<sid>adm user) that was created when the system was installed  Database user with system privilege INIFILE ADMIN  In a distributed SAP HANA system, every host must be able to access the key file location Changing the SSFS master key 1. Stop the SAP HANA system 2. Log on to the SAP HANA system host as the operating system user <sid>adm 3. Generate a new master key by entering the following command: rsecssfx generatekey 4. Re-encrypt the SSFS with the new master key and save the key file to a secure location as follows: RSEC_SSFS_DATAPATH=/usr/sap/<SID>/global/hdb/security/ssfs RSEC_SSFS_KEYPATH<PATH TO KEYFILE> rsecssfx changekey <NEWKEY> 5. Configure the specified key file location in the cryptography section of the global.ini configuration file with the parameter ssfs_key_file_path © 2013 SAP AG. All rights reserved. Public 20
What’s New in SAP HANA SPS 07: Security SSFS: Data volume encryption root key included in backup If storage snapshots are used for data backup, the root key for the data volume encryption is now included in the automatic backup of the SSFS The SSFS is always part of the data backup, but for file system or BACKINT backups it does not include the data volume encryption root key. The root key is only needed in recovery scenarios where a storage snapshot is used as the basis for the recovery. © 2013 SAP AG. All rights reserved. Public 21
What’s New in SAP HANA SPS 07: Security SSFS: Alert if SSFS is missing An alert is triggered if the SSFS is missing SSFS is used by SAP HANA to store  The root key for the data volume encryption  The root key for the internal data protection API New check  Determines whether the secure storage in the file system (SSFS) is accessible to the database  Alert priority: HIGH  Recommended user action: Check and make sure that the secure storage in the file system (SSFS) is accessible to the database © 2013 SAP AG. All rights reserved. Public 22
What’s New in SAP HANA SPS 07: Security Communication encryption: Force SSL for client SQL connections There is a new configuration parameter which enforces SSL encryption for all client SQL connections to the SAP HANA database Prerequisites  SSL has been configured for the SAP HANA database  System privilege INIFILE ADMIN  You have migrated to the new statistics server implementation (see SAP Note 1917938). Do not enforce SSL for client connections otherwise. Configuration 1. 2. 3. 4. In the Administration editor in SAP HANA studio, open the Configuration tab Navigate to the global.ini file and expand the communication section Set the sslEnforce parameter to true (default: false) New SQL connection attempts by clients without SSL will now be rejected by the SAP HANA database. Note though that existing connections will not be terminated, so if you want to enforce SSL for all connections, it is recommended to restart the database. © 2013 SAP AG. All rights reserved. Public 23
What’s New in SAP HANA SPS 07: Security Communication encryption: SSL support for system replication scenarios The Secure Sockets Layer (SSL) protocol can be used to secure network communication between the primary site and secondary site in system replication scenarios Prerequisites  SSL has been configured for both SAP HANA systems (key creation and CA).  System privilege INIFILE ADMIN Configuration 1. For a scenario involving two systems, carry out the following steps in both systems 1. In the Administration editor in SAP HANA studio, open the Configuration tab 2. In the configuration file global.ini -> section system_replication_communication: Set the parameter enable_ssl to on 2. SSL will be used from the next reconnect between primary and secondary. The easiest way to achieve a reconnect is to restart the secondary system. © 2013 SAP AG. All rights reserved. Public 24
Audit Logging
What’s New in SAP HANA SPS 07: Security Mandatory audit actions If auditing is active, certain actions are always audited and are therefore not available for inclusion in user-defined audit policies In the audit trail, these action are labeled with the internal audit policy MandatoryAuditPolicy. Action CREATE AUDIT POLICY Description Creation, modification, or deletion of audit policies ALTER AUDIT POLICY DROP AUDIT POLICY ALTER SYSTEM CLEAR AUDIT LOG UNITL <timestamp> Deletion of audit entries from the audit trail. This only applies if audit entries are written to column store database tables. ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing configuration','global_auditing_state' ) = <value> with reconfigure; Changes to auditing configuration, that is: ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing configuration','default_audit_trail_type' ) = '<audit_trail_type>' with reconfigure; ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing configuration','default_audit_trail_path' ) = '<path>' with reconfigure; © 2013 SAP AG. All rights reserved. Enabling or disabling auditing Changing the audit trail target Changing the location of the audit trail target if it is a CSV text file Public 26
What’s New in SAP HANA SPS 07: Security Database table as audit trail target (I) As an alternative to syslog, SAP HANA can now write the audit trail to tables within the database itself When an audit policy is triggered, an audit entry is created in the audit trail Audit trail types for production systems:  syslog (logging system of the Linux operating system) o syslog is a secure storage location for the audit trail because not even the database administrator can access or change it. There are also numerous storage possibilities for the syslog, including storing it on other systems. In addition, syslog is the default log daemon in UNIX systems. syslog therefore provides a high degree of flexibility and security, as well as integration into a larger system landscape.  Database table o Using an SAP HANA database table as the target for the audit trail makes it possible to query and analyze auditing information quickly. It also provides a secure and tamper-proof storage location. o Internal column store table in the _SYS_AUDIT schema of the SAP HANA database o Audit entries are only accessible through the public system view AUDIT_LOG. Only SELECT operations can be performed on this view by users with system privilege AUDIT ADMIN or AUDIT OPERATOR o To avoid the audit table growing too large, it is possible to delete old audit entries © 2013 SAP AG. All rights reserved. Public 27
What’s New in SAP HANA SPS 07: Security Database table as audit trail target (II) Prerequisites  System privilege AUDIT ADMIN or INIFILE ADMIN Configuring the audit trail 1. In the Systems view, double-click on Security and open the Auditing tab 2. In the System Settings for Auditing area, set the auditing status to Enabled 3. Configure the target of the audit trail by choosing Database Table 4. Choose the (Deploy) button © 2013 SAP AG. All rights reserved. Public 28
What’s New in SAP HANA SPS 07: Security Database table as audit trail target (III) Prerequisites  System privilege AUDIT ADMIN or AUDIT OPERATOR Viewing the audit trail  In the Systems view of SAP HANA studio, expand the catalog and display the system view AUDIT_LOG  Alternatively, display the system view using SQL commands: SELECT * FROM "PUBLIC"."AUDIT_LOG" © 2013 SAP AG. All rights reserved. Public 29
What’s New in SAP HANA SPS 07: Security Database table as audit trail target (IV) Prerequisites  System privilege AUDIT ADMIN or AUDIT OPERATOR Truncating the audit trail 1. In the Systems view, double-click on Security and open the Auditing tab 2. Choose the (Truncate) button 3. Specify a date/time and click OK Caution: All information in the audit trail that is older will be immediately deleted © 2013 SAP AG. All rights reserved. Public 30
What’s New in SAP HANA SPS 07: Security New audit actions Two additional data definition (DDL) actions can now be audited: CREATE TABLE and ALTER TABLE Prerequisites  System privilege AUDIT ADMIN Creating an audit policy 1. In the Systems view, double-click on Security and open the Auditing tab 2. In the Audit Policies area, choose Create New Policy 3. Enter the policy name 4. Specify the audit actions and further options if required 5. Choose the (Deploy) button © 2013 SAP AG. All rights reserved. Public 31
What’s New in SAP HANA SPS 07: Security Firefighter logging You can log all actions performed by a specific user This covers not only all actions that can be audited individually, but also actions that cannot otherwise be audited. Such a policy is useful if you want to audit the actions of a particularly privileged user. Note  Some actions cannot be audited using database auditing even with a policy that includes all actions, in particular, system restart and system recovery Caution  Firefighter logging may generate a lot of audit entries, so only enable it if required © 2013 SAP AG. All rights reserved. Public 32
What’s New in SAP HANA SPS 07: Security Exempt user from audit policy You can now exempt individual users from an audit policy This can be useful, for example, if you want to exclude the technical user account used by an application server for connections to the SAP HANA database Prerequisites  System privilege AUDIT ADMIN Exempting a user from an audit policy  When creating the audit policy, choose in the Users column  Select the users to be excluded from the audit policy © 2013 SAP AG. All rights reserved. Public 33
What’s New in SAP HANA SPS 07: Security SAP HANA studio: Improved audit action configuration The dialog for selecting audit actions for an audit policy has been improved Not all actions can be combined together in the same policy, therefore compatible audit actions have been grouped together When you select an action, those actions that are not compatible with the selected action become unavailable for selection If you need to two audit incompatible audit actions, you need to create two separate audit policies © 2013 SAP AG. All rights reserved. Public 34
Documentation
What’s New in SAP HANA SPS 07: Security Context-sensitive help in SAP HANA studio SAP HANA studio now provides contextsensitive help for many topic areas, including security To open the context-sensitive help, press F1, or choose Help -> Dynamic Help © 2013 SAP AG. All rights reserved. Public 36
More Information
What’s New in SAP HANA SPS 07: Security More Information SAP HANA documentation Available on the SAP Help Portal  SAP HANA Security Guide, Master Guide (network topics), Developer Guide, SQL Reference Guide (privilege details) Important SAP notes       1598623: SAP HANA appliance: Security (Central Security Note) 1514967: SAP HANA appliance (Central Appliance Note) 1730928: Using external software in a HANA appliance 1730929: Using external tools in an SAP HANA appliance 1730930: Using antivirus software in an SAP HANA appliance 1730999: Configuration changes in HANA appliance Security whitepaper  http://www.saphana.com/docs/DOC-3751 © 2013 SAP AG. All rights reserved. Public 38
Disclaimer This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP’s strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent. © 2013 SAP AG. All rights reserved. Public 39
Thank you Contact information Andrea Kristen SAP HANA Product Management AskSAPHANA@sap.com To get the best overview of what’s new in SAP HANA SPS 07, read this blog.
© 2013 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices. © 2013 SAP AG. All rights reserved. Public 41
© 2013 SAP AG. Alle Rechte vorbehalten. Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden. Einige der von der SAP AG und ihren Distributoren vermarkteten Softwareprodukte enthalten proprietäre Softwarekomponenten anderer Softwareanbieter. Produkte können länderspezifische Unterschiede aufweisen. Die vorliegenden Unterlagen werden von der SAP AG und ihren Konzernunternehmen („SAP-Konzern“) bereitgestellt und dienen ausschließlich zu Informationszwecken. Der SAP-Konzern übernimmt keinerlei Haftung oder Gewährleistung für Fehler oder Unvollständigkeiten in dieser Publikation. Der SAP-Konzern steht lediglich für Produkte und Dienstleistungen nach der Maßgabe ein, die in der Vereinbarung über die jeweiligen Produkte und Dienstleistungen ausdrücklich geregelt ist. Keine der hierin enthaltenen Informationen ist als zusätzliche Garantie zu interpretieren. SAP und andere in diesem Dokument erwähnte Produkte und Dienstleistungen von SAP sowie die dazugehörigen Logos sind Marken oder eingetragene Marken der SAP AG in Deutschland und verschiedenen anderen Ländern weltweit. Weitere Hinweise und Informationen zum Markenrecht finden Sie unter http://www.sap.com/corporateen/legal/copyright/index.epx#trademark. © 2013 SAP AG. All rights reserved. Public 42

More Related Content

PDF
Komatsu PC27R-8 Hydraulic Excavator Service Repair Manual SN: 10001 and up
udfjjsjejkksemm
 
PPT
Simple interest
walter9chambliss
 
PDF
C.g. jung y r. wilhelm el secreto de la flor de oro
charlietrainor76
 
PDF
SAP HANA SPS10- Security
SAP Technology
 
PDF
SAP HANA SPS09 - Security
SAP Technology
 
PDF
Five Reasons To Skip SAP Suite on HANA and Go Directly to SAP S/4HANA
SAP Technology
 
PPTX
SAP HANA SPS08 Security
SAP Technology
 
PDF
SAP HANA SPS09 - Backup and Recovery
SAP Technology
 
Komatsu PC27R-8 Hydraulic Excavator Service Repair Manual SN: 10001 and up
udfjjsjejkksemm
 
Simple interest
walter9chambliss
 
C.g. jung y r. wilhelm el secreto de la flor de oro
charlietrainor76
 
SAP HANA SPS10- Security
SAP Technology
 
SAP HANA SPS09 - Security
SAP Technology
 
Five Reasons To Skip SAP Suite on HANA and Go Directly to SAP S/4HANA
SAP Technology
 
SAP HANA SPS08 Security
SAP Technology
 
SAP HANA SPS09 - Backup and Recovery
SAP Technology
 

Similar to HANA SPS07 Security (20)

PPTX
What's New in SAP HANA SPS 11 Platform Lifecycle Management (Operations)
SAP Technology
 
PPTX
What's new in SAP HANA SPS 11 Security
SAP Technology
 
PPTX
SAP HANA SPS08 Administration & Monitoring
SAP Technology
 
PDF
SAP HANA SPS09- Administration Monitoring
SAP Technology
 
DOCX
SAP_HANA_SECURITY_overview_online_Resear.docx
juancusa
 
PDF
Hana e2 e_adminmonitoring_sps08
RAJAT123523
 
PPTX
HANA SPS07 Administration & Monitoring
SAP Technology
 
PPTX
What's New in SAP HANA SPS 11 Backup and Recovery (Operations)
SAP Technology
 
PPTX
HANA SPS07 Backup & Recovery
SAP Technology
 
PDF
SAP HANA SPS10- Backup/Recovery
SAP Technology
 
PPTX
What's New in SAP HANA SPS 11 Mission Critical Data Center Operations
SAP Technology
 
PDF
SAP HANA SPS10- Multitenant Database Containers
SAP Technology
 
PDF
SAP HANA SPS09 - SAP HANA Workload Management
SAP Technology
 
PDF
SAP HANA SPS10- Scale-Out, High Availability and Disaster Recovery
SAP Technology
 
PDF
SAP HANA SPS10- SAP HANA Platform Lifecycle Management
SAP Technology
 
PDF
SAP HANA SPS10- SAP HANA Dynamic Tiering
SAP Technology
 
PPTX
Itm110 how does sap solution manager support sap hana
Olivier Bilger
 
PPTX
HANA SPS07 Smart Data Access
SAP Technology
 
PPTX
SAP HANA SPS08 Scale-Out, High Availability and Disaster Recovery
SAP Technology
 
PDF
System recommendations-in-sap-solution-manager-7.2
Juan Carlos Flores Lizárraga
 
What's New in SAP HANA SPS 11 Platform Lifecycle Management (Operations)
SAP Technology
 
What's new in SAP HANA SPS 11 Security
SAP Technology
 
SAP HANA SPS08 Administration & Monitoring
SAP Technology
 
SAP HANA SPS09- Administration Monitoring
SAP Technology
 
SAP_HANA_SECURITY_overview_online_Resear.docx
juancusa
 
Hana e2 e_adminmonitoring_sps08
RAJAT123523
 
HANA SPS07 Administration & Monitoring
SAP Technology
 
What's New in SAP HANA SPS 11 Backup and Recovery (Operations)
SAP Technology
 
HANA SPS07 Backup & Recovery
SAP Technology
 
SAP HANA SPS10- Backup/Recovery
SAP Technology
 
What's New in SAP HANA SPS 11 Mission Critical Data Center Operations
SAP Technology
 
SAP HANA SPS10- Multitenant Database Containers
SAP Technology
 
SAP HANA SPS09 - SAP HANA Workload Management
SAP Technology
 
SAP HANA SPS10- Scale-Out, High Availability and Disaster Recovery
SAP Technology
 
SAP HANA SPS10- SAP HANA Platform Lifecycle Management
SAP Technology
 
SAP HANA SPS10- SAP HANA Dynamic Tiering
SAP Technology
 
Itm110 how does sap solution manager support sap hana
Olivier Bilger
 
HANA SPS07 Smart Data Access
SAP Technology
 
SAP HANA SPS08 Scale-Out, High Availability and Disaster Recovery
SAP Technology
 
System recommendations-in-sap-solution-manager-7.2
Juan Carlos Flores Lizárraga
 
Ad

More from SAP Technology (20)

PPTX
SAP Integration Suite L1
SAP Technology
 
PDF
Future-Proof Your Business Processes by Automating SAP S/4HANA processes with...
SAP Technology
 
PDF
7 Top Reasons to Automate Processes with SAP Intelligent Robotic Processes Au...
SAP Technology
 
PDF
Extend SAP S/4HANA to deliver real-time intelligent processes
SAP Technology
 
PDF
Process optimization and automation for SAP S/4HANA with SAP’s Business Techn...
SAP Technology
 
PDF
Accelerate your journey to SAP S/4HANA with SAP’s Business Technology Platform
SAP Technology
 
PDF
Accelerate Your Move to an Intelligent Enterprise with SAP Cloud Platform and...
SAP Technology
 
PDF
Transform your business with intelligent insights and SAP S/4HANA
SAP Technology
 
PDF
SAP Cloud Platform for SAP S/4HANA: Accelerate your move to an Intelligent En...
SAP Technology
 
PPTX
Innovate collaborative applications with SAP Jam Collaboration & SAP Cloud Pl...
SAP Technology
 
PDF
The IoT Imperative for Consumer Products
SAP Technology
 
PDF
The IoT Imperative for Discrete Manufacturers - Automotive, Aerospace & Defen...
SAP Technology
 
PDF
IoT is Enabling a New Era of Shareholder Value in Energy and Natural Resource...
SAP Technology
 
PDF
The IoT Imperative in Government and Healthcare
SAP Technology
 
PDF
SAP S/4HANA Finance and the Digital Core
SAP Technology
 
PPTX
SAP Helps Reduce Silos Between Business and Spatial Data
SAP Technology
 
PDF
Why SAP HANA?
SAP Technology
 
PPTX
Spotlight on Financial Services with Calypso and SAP ASE
SAP Technology
 
PPTX
SAP ASE 16 SP02 Performance Features
SAP Technology
 
PDF
Spark Usage in Enterprise Business Operations
SAP Technology
 
SAP Integration Suite L1
SAP Technology
 
Future-Proof Your Business Processes by Automating SAP S/4HANA processes with...
SAP Technology
 
7 Top Reasons to Automate Processes with SAP Intelligent Robotic Processes Au...
SAP Technology
 
Extend SAP S/4HANA to deliver real-time intelligent processes
SAP Technology
 
Process optimization and automation for SAP S/4HANA with SAP’s Business Techn...
SAP Technology
 
Accelerate your journey to SAP S/4HANA with SAP’s Business Technology Platform
SAP Technology
 
Accelerate Your Move to an Intelligent Enterprise with SAP Cloud Platform and...
SAP Technology
 
Transform your business with intelligent insights and SAP S/4HANA
SAP Technology
 
SAP Cloud Platform for SAP S/4HANA: Accelerate your move to an Intelligent En...
SAP Technology
 
Innovate collaborative applications with SAP Jam Collaboration & SAP Cloud Pl...
SAP Technology
 
The IoT Imperative for Consumer Products
SAP Technology
 
The IoT Imperative for Discrete Manufacturers - Automotive, Aerospace & Defen...
SAP Technology
 
IoT is Enabling a New Era of Shareholder Value in Energy and Natural Resource...
SAP Technology
 
The IoT Imperative in Government and Healthcare
SAP Technology
 
SAP S/4HANA Finance and the Digital Core
SAP Technology
 
SAP Helps Reduce Silos Between Business and Spatial Data
SAP Technology
 
Why SAP HANA?
SAP Technology
 
Spotlight on Financial Services with Calypso and SAP ASE
SAP Technology
 
SAP ASE 16 SP02 Performance Features
SAP Technology
 
Spark Usage in Enterprise Business Operations
SAP Technology
 
Ad

Recently uploaded (20)

PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
A Presentation on Artificial Intelligence
memembruh336
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 

HANA SPS07 Security

  • 1. What´s New? SAP HANA SPS 07 Security (Delta from SPS 06 to SPS 07) SAP HANA Product Management November, 2013
  • 4. What’s New in SAP HANA SPS 07: Security SPNEGO support for SAP HANA XS SPNEGO (Kerberos with Simple and Protected GSSAPI Negotiation Mechanism) is now available as an authentication option for SAP HANA XS Configuration 1. In Microsoft Active Directory, for each host and alias register new service principal names and map them to the (potentially already existing) SAP HANA service user 2. On the SAP HANA server, add the keys for the new service principal names to the keytab 3. In SAP HANA, configure the Kerberos user mapping for the user Note: If the user mapping has already been set up for Kerberos authentication for SQL access, you do not have to change anything here 4. Using the SAP HANA XS Administration Tool (http://<host>:80<sysno>/sap/hana/xs/admin/), select SPNEGO as authentication method for the user © 2013 SAP AG. All rights reserved. Public 4
  • 5. What’s New in SAP HANA SPS 07: Security SAP Logon Ticket and SAP Assertion Ticket support SAP Logon Tickets and SAP Assertion Tickets are now supported for both SQL and XS access Prerequisites  A separate trust store for SAP Logon and Assertion tickets has been configured  System privilege USER ADMIN Configuration 1. In the Systems view in SAP HANA studio, choose Security 2. Create a new user by right-clicking on Users and choosing New User 3. Select the authentication method(s) and choose the (Deploy) button Notes  Prior to SPS 07, SAP HANA implicitly selected both user name/password and SAP Logon Tickets as authentication methods for new users. Now you have to explicitly set authentication options for new users  To re-enable the old behavior for SAP Logon Tickets, a new configuration parameter has been introduced (Indexserver.ini -> authentication -> SapLogonTicketEnabledForNewUsers). See also SAP Note 1927949 © 2013 SAP AG. All rights reserved. Public 5
  • 6. What’s New in SAP HANA SPS 07: Security Password policy changes/additions (I) The mandatory periodic password change can now be re-enabled using SQL  In some situations it may be required to exclude specific users from the mandatory periodic password change, for example the technical user that is used by an application server to connect to the database  Prerequisites: System privilege USER ADMIN  Syntax: ALTER USER <user_name> DISABLE PASSWORD LIFETIME ALTER USER <user_name> ENABLE PASSWORD LIFETIME Changed default for maximum_unused_initial_password_lifetime  This parameter specifies the number of days for which initial user passwords are valid. If a user has not logged on within this period of time, the password becomes invalid; the user administrator can reset it if still needed.  New default: 7 days (formerly 28 days)  Prerequisites: System privilege USER ADMIN  To change this parameter, in the Systems view of SAP HANA studio choose Security -> Password Policy -> Lifetime of Initial Password © 2013 SAP AG. All rights reserved. Public 6
  • 7. What’s New in SAP HANA SPS 07: Security Password policy changes/additions (II) Option to set configuration parameter password_lock_time to infinity Time for which a user is locked after having exhausted the maximum number of failed logon attempts Prerequisites:  System privilege USER ADMIN Configuration – In the Systems view in SAP HANA studio, choose Security -> Password Policy and in the User Lock Settings select Lock indefinitely – When setting the parameter using SQL, use the value -1 © 2013 SAP AG. All rights reserved. Public 7
  • 9. What’s New in SAP HANA SPS 07: Security Set validity period for user in SAP HANA studio You can now set the validity period for a user in SAP HANA studio Prerequisites  System privilege USER ADMIN Configuration 1. In the Systems view in SAP HANA studio, choose Security 2. Expand Users and double-click on the user for which you want to set the validity period, or create a new user by right-clicking on Users and choosing New User 3. Enter the validity period and choose the (Deploy) button © 2013 SAP AG. All rights reserved. Public 9
  • 10. What’s New in SAP HANA SPS 07: Security Copy user You can now create a new user by copying an existing user. The roles granted to the existing user are automatically granted to the new user Prerequisites  System privilege USER ADMIN, SQL privilege EXECUTE on procedure GRANT_ACTIVATED_ROLE Restrictions  Only roles created as design-time roles are copied  Only available in SAP HANA studio Procedure 1. In the Systems view in SAP HANA studio, choose Security -> Users, right-click the user to be copied and choose Copy User 2. Enter the details for the new user 3. Choose the (Deploy) button to create the user © 2013 SAP AG. All rights reserved. Public 10
  • 12. What’s New in SAP HANA SPS 07: Security New system privileges for repository change management New system privileges for repository change management are available Repository change management provides the infrastructure for tracked development. If enabled, the activation of a repository object prompts the developer to assign it to a container or “Change”. A developer must then approve and release his changes in order for the objects in his change to be marked as released. This enables the creation of a delivery unit (DU) that is composed of only released objects. Releasing a change does not trigger any automatic semantic checks but is a manual assurance by the developer that the objects are consistent and ready for transport. Prerequisites  System privilege USER ADMIN Granting system privileges 1. In the Systems view in SAP HANA studio, double-click on the user 2. On the System Privileges tab, add the required system privileges: o REPO.CONFIGURE, REPO.MODIFY_CHANGE, REPO.MODIFY_FOREIGN_CONTRIBUTION, REPO.MODIFY_OWN_C ONTRIBUTION, 3. Choose the (Deploy) button © 2013 SAP AG. All rights reserved. Public 12
  • 13. What’s New in SAP HANA SPS 07: Security New privilege for debugging SQLScript code You can now allow other users to debug SQLScript code (e.g. a procedure) that is being executed in your session 1. In the Systems view in SAP HANA studio, expand Security -> Users and double-click the user to whom you want to grant debugging privileges o On the Object Privileges tab, add your procedure and select DEBUG o On the Privileges on Users tab, choose the (Add) button and select ATTACH DEBUGGER (see screenshot) 2. Choose the (Deploy) button Example  BOB grants ALICE debugging privileges Note  It is not possible to grant the ATTACH DEBUGGER privilege on behalf of other users © 2013 SAP AG. All rights reserved. Public 13
  • 14. What’s New in SAP HANA SPS 07: Security SAP HANA studio: Support for smart data access privilege assignment SQL privileges for Smart Data Access scenarios can now be granted using SAP HANA studio Smart data access is SAP HANA’s capability to connect to remote sources and present data in those remote sources as though they were local SAP HANA tables. In SAP HANA, virtual tables are created that represent the tables in the remote source. Via these virtual tables, joins can be executed between tables in SAP HANA and tables in the remote source. The following SQL privileges can now be granted using SAP HANA studio:  CREATE VIRTUAL TABLE (in selected remote source)  DROP (selected remote source) Prerequisites  Remote source has been created Example  User SYSTEM grants a user the privileges to – Create virtual tables for remote source ASE2 – Drop remote source ASE2 © 2013 SAP AG. All rights reserved. Public 14
  • 16. What’s New in SAP HANA SPS 07: Security Support for SAP’s new cryptographic library CommonCryptoLib SAP HANA now supports SAP’s new cryptographic library CommonCryptoLib for operations that require cryptography, for example data volume encryption and SSL communication encryption CommonCryptoLib is the successor of SAPCRYPTOLIB Notes:  CommonCryptoLib will be made available via SAP Service Marketplace  Because the library includes encryption routines, CommonCryptoLib distribution is subject to and controlled by German export regulations and may not be available to all customers. The library may also be subject to local regulations of your own country that may further restrict the import, use, and (re-)export of cryptographic software. © 2013 SAP AG. All rights reserved. Public 16
  • 17. What’s New in SAP HANA SPS 07: Security SAP HANA studio: Configure data volume encryption (I) Data volume encryption on disk can now be configured using SAP HANA studio After activating encryption, new data that is saved to disk will be encrypted starting with the next savepoint. Existing data starts being encrypted in the background. Depending on the size of the SAP HANA system, this process can take some time. Only after this process has completed is all your data encrypted. You can monitor the encryption progress in SAP HANA studio. Notes  If you want to use data volume encryption, it is recommended to activate it directly after installing the system  The root key for data volume encryption is automatically created during installation. If you have received SAP HANA as an appliance, we recommend to change this key after handover from the hardware vendor © 2013 SAP AG. All rights reserved. Public 17
  • 18. What’s New in SAP HANA SPS 07: Security SAP HANA studio: Configure data volume encryption (II) Prerequisites  System privilege RESOURCE ADMIN Activating/deactivating data volume encryption 1. In the Systems view in SAP HANA studio, choose Security 2. Open the Data Volume Encryption tab – To activate encryption, select Activate encryption of data volumes – To deactivate encryption, de-select this option 3. Choose the (Deploy) button © 2013 SAP AG. All rights reserved. Public 18
  • 19. What’s New in SAP HANA SPS 07: Security SSFS: Change master key (I) SSFS master key SAP HANA now provides the ability to change the SSFS master key SSFS (SAP NetWeaver secure storage in the file system) is used by SAP HANA to store  The root key for the data volume encryption  The root key for the internal data protection API (DPAPI). Note: DPAPI is used by the secure internal credential store, which is needed in some scenarios such as smart data access to securely store additional user credentials (e.g. for access to remote systems) SSFS Data volume encryption (root key) Internal data protection API (root key) The keys stored in SSFS are themselves encrypted using the SSFS master key. It is recommended to periodically change the SSFS master key, re-encrypt the SSFS with the new key, SAP HANA file system and save the new key to a secure location. © 2013 SAP AG. All rights reserved. Data volume encryption (savepoint-specific key) Secure credential store (key) SAP HANA database Public 19
  • 20. What’s New in SAP HANA SPS 07: Security SSFS: Change master key (II) Prerequisites  Credentials of the operating system user (<sid>adm user) that was created when the system was installed  Database user with system privilege INIFILE ADMIN  In a distributed SAP HANA system, every host must be able to access the key file location Changing the SSFS master key 1. Stop the SAP HANA system 2. Log on to the SAP HANA system host as the operating system user <sid>adm 3. Generate a new master key by entering the following command: rsecssfx generatekey 4. Re-encrypt the SSFS with the new master key and save the key file to a secure location as follows: RSEC_SSFS_DATAPATH=/usr/sap/<SID>/global/hdb/security/ssfs RSEC_SSFS_KEYPATH<PATH TO KEYFILE> rsecssfx changekey <NEWKEY> 5. Configure the specified key file location in the cryptography section of the global.ini configuration file with the parameter ssfs_key_file_path © 2013 SAP AG. All rights reserved. Public 20
  • 21. What’s New in SAP HANA SPS 07: Security SSFS: Data volume encryption root key included in backup If storage snapshots are used for data backup, the root key for the data volume encryption is now included in the automatic backup of the SSFS The SSFS is always part of the data backup, but for file system or BACKINT backups it does not include the data volume encryption root key. The root key is only needed in recovery scenarios where a storage snapshot is used as the basis for the recovery. © 2013 SAP AG. All rights reserved. Public 21
  • 22. What’s New in SAP HANA SPS 07: Security SSFS: Alert if SSFS is missing An alert is triggered if the SSFS is missing SSFS is used by SAP HANA to store  The root key for the data volume encryption  The root key for the internal data protection API New check  Determines whether the secure storage in the file system (SSFS) is accessible to the database  Alert priority: HIGH  Recommended user action: Check and make sure that the secure storage in the file system (SSFS) is accessible to the database © 2013 SAP AG. All rights reserved. Public 22
  • 23. What’s New in SAP HANA SPS 07: Security Communication encryption: Force SSL for client SQL connections There is a new configuration parameter which enforces SSL encryption for all client SQL connections to the SAP HANA database Prerequisites  SSL has been configured for the SAP HANA database  System privilege INIFILE ADMIN  You have migrated to the new statistics server implementation (see SAP Note 1917938). Do not enforce SSL for client connections otherwise. Configuration 1. 2. 3. 4. In the Administration editor in SAP HANA studio, open the Configuration tab Navigate to the global.ini file and expand the communication section Set the sslEnforce parameter to true (default: false) New SQL connection attempts by clients without SSL will now be rejected by the SAP HANA database. Note though that existing connections will not be terminated, so if you want to enforce SSL for all connections, it is recommended to restart the database. © 2013 SAP AG. All rights reserved. Public 23
  • 24. What’s New in SAP HANA SPS 07: Security Communication encryption: SSL support for system replication scenarios The Secure Sockets Layer (SSL) protocol can be used to secure network communication between the primary site and secondary site in system replication scenarios Prerequisites  SSL has been configured for both SAP HANA systems (key creation and CA).  System privilege INIFILE ADMIN Configuration 1. For a scenario involving two systems, carry out the following steps in both systems 1. In the Administration editor in SAP HANA studio, open the Configuration tab 2. In the configuration file global.ini -> section system_replication_communication: Set the parameter enable_ssl to on 2. SSL will be used from the next reconnect between primary and secondary. The easiest way to achieve a reconnect is to restart the secondary system. © 2013 SAP AG. All rights reserved. Public 24
  • 26. What’s New in SAP HANA SPS 07: Security Mandatory audit actions If auditing is active, certain actions are always audited and are therefore not available for inclusion in user-defined audit policies In the audit trail, these action are labeled with the internal audit policy MandatoryAuditPolicy. Action CREATE AUDIT POLICY Description Creation, modification, or deletion of audit policies ALTER AUDIT POLICY DROP AUDIT POLICY ALTER SYSTEM CLEAR AUDIT LOG UNITL <timestamp> Deletion of audit entries from the audit trail. This only applies if audit entries are written to column store database tables. ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing configuration','global_auditing_state' ) = <value> with reconfigure; Changes to auditing configuration, that is: ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing configuration','default_audit_trail_type' ) = '<audit_trail_type>' with reconfigure; ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing configuration','default_audit_trail_path' ) = '<path>' with reconfigure; © 2013 SAP AG. All rights reserved. Enabling or disabling auditing Changing the audit trail target Changing the location of the audit trail target if it is a CSV text file Public 26
  • 27. What’s New in SAP HANA SPS 07: Security Database table as audit trail target (I) As an alternative to syslog, SAP HANA can now write the audit trail to tables within the database itself When an audit policy is triggered, an audit entry is created in the audit trail Audit trail types for production systems:  syslog (logging system of the Linux operating system) o syslog is a secure storage location for the audit trail because not even the database administrator can access or change it. There are also numerous storage possibilities for the syslog, including storing it on other systems. In addition, syslog is the default log daemon in UNIX systems. syslog therefore provides a high degree of flexibility and security, as well as integration into a larger system landscape.  Database table o Using an SAP HANA database table as the target for the audit trail makes it possible to query and analyze auditing information quickly. It also provides a secure and tamper-proof storage location. o Internal column store table in the _SYS_AUDIT schema of the SAP HANA database o Audit entries are only accessible through the public system view AUDIT_LOG. Only SELECT operations can be performed on this view by users with system privilege AUDIT ADMIN or AUDIT OPERATOR o To avoid the audit table growing too large, it is possible to delete old audit entries © 2013 SAP AG. All rights reserved. Public 27
  • 28. What’s New in SAP HANA SPS 07: Security Database table as audit trail target (II) Prerequisites  System privilege AUDIT ADMIN or INIFILE ADMIN Configuring the audit trail 1. In the Systems view, double-click on Security and open the Auditing tab 2. In the System Settings for Auditing area, set the auditing status to Enabled 3. Configure the target of the audit trail by choosing Database Table 4. Choose the (Deploy) button © 2013 SAP AG. All rights reserved. Public 28
  • 29. What’s New in SAP HANA SPS 07: Security Database table as audit trail target (III) Prerequisites  System privilege AUDIT ADMIN or AUDIT OPERATOR Viewing the audit trail  In the Systems view of SAP HANA studio, expand the catalog and display the system view AUDIT_LOG  Alternatively, display the system view using SQL commands: SELECT * FROM "PUBLIC"."AUDIT_LOG" © 2013 SAP AG. All rights reserved. Public 29
  • 30. What’s New in SAP HANA SPS 07: Security Database table as audit trail target (IV) Prerequisites  System privilege AUDIT ADMIN or AUDIT OPERATOR Truncating the audit trail 1. In the Systems view, double-click on Security and open the Auditing tab 2. Choose the (Truncate) button 3. Specify a date/time and click OK Caution: All information in the audit trail that is older will be immediately deleted © 2013 SAP AG. All rights reserved. Public 30
  • 31. What’s New in SAP HANA SPS 07: Security New audit actions Two additional data definition (DDL) actions can now be audited: CREATE TABLE and ALTER TABLE Prerequisites  System privilege AUDIT ADMIN Creating an audit policy 1. In the Systems view, double-click on Security and open the Auditing tab 2. In the Audit Policies area, choose Create New Policy 3. Enter the policy name 4. Specify the audit actions and further options if required 5. Choose the (Deploy) button © 2013 SAP AG. All rights reserved. Public 31
  • 32. What’s New in SAP HANA SPS 07: Security Firefighter logging You can log all actions performed by a specific user This covers not only all actions that can be audited individually, but also actions that cannot otherwise be audited. Such a policy is useful if you want to audit the actions of a particularly privileged user. Note  Some actions cannot be audited using database auditing even with a policy that includes all actions, in particular, system restart and system recovery Caution  Firefighter logging may generate a lot of audit entries, so only enable it if required © 2013 SAP AG. All rights reserved. Public 32
  • 33. What’s New in SAP HANA SPS 07: Security Exempt user from audit policy You can now exempt individual users from an audit policy This can be useful, for example, if you want to exclude the technical user account used by an application server for connections to the SAP HANA database Prerequisites  System privilege AUDIT ADMIN Exempting a user from an audit policy  When creating the audit policy, choose in the Users column  Select the users to be excluded from the audit policy © 2013 SAP AG. All rights reserved. Public 33
  • 34. What’s New in SAP HANA SPS 07: Security SAP HANA studio: Improved audit action configuration The dialog for selecting audit actions for an audit policy has been improved Not all actions can be combined together in the same policy, therefore compatible audit actions have been grouped together When you select an action, those actions that are not compatible with the selected action become unavailable for selection If you need to two audit incompatible audit actions, you need to create two separate audit policies © 2013 SAP AG. All rights reserved. Public 34
  • 36. What’s New in SAP HANA SPS 07: Security Context-sensitive help in SAP HANA studio SAP HANA studio now provides contextsensitive help for many topic areas, including security To open the context-sensitive help, press F1, or choose Help -> Dynamic Help © 2013 SAP AG. All rights reserved. Public 36
  • 38. What’s New in SAP HANA SPS 07: Security More Information SAP HANA documentation Available on the SAP Help Portal  SAP HANA Security Guide, Master Guide (network topics), Developer Guide, SQL Reference Guide (privilege details) Important SAP notes       1598623: SAP HANA appliance: Security (Central Security Note) 1514967: SAP HANA appliance (Central Appliance Note) 1730928: Using external software in a HANA appliance 1730929: Using external tools in an SAP HANA appliance 1730930: Using antivirus software in an SAP HANA appliance 1730999: Configuration changes in HANA appliance Security whitepaper  http://www.saphana.com/docs/DOC-3751 © 2013 SAP AG. All rights reserved. Public 38
  • 39. Disclaimer This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP’s strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent. © 2013 SAP AG. All rights reserved. Public 39
  • 40. Thank you Contact information Andrea Kristen SAP HANA Product Management AskSAPHANA@sap.com To get the best overview of what’s new in SAP HANA SPS 07, read this blog.
  • 41. © 2013 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices. © 2013 SAP AG. All rights reserved. Public 41
  • 42. © 2013 SAP AG. Alle Rechte vorbehalten. Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden. Einige der von der SAP AG und ihren Distributoren vermarkteten Softwareprodukte enthalten proprietäre Softwarekomponenten anderer Softwareanbieter. Produkte können länderspezifische Unterschiede aufweisen. Die vorliegenden Unterlagen werden von der SAP AG und ihren Konzernunternehmen („SAP-Konzern“) bereitgestellt und dienen ausschließlich zu Informationszwecken. Der SAP-Konzern übernimmt keinerlei Haftung oder Gewährleistung für Fehler oder Unvollständigkeiten in dieser Publikation. Der SAP-Konzern steht lediglich für Produkte und Dienstleistungen nach der Maßgabe ein, die in der Vereinbarung über die jeweiligen Produkte und Dienstleistungen ausdrücklich geregelt ist. Keine der hierin enthaltenen Informationen ist als zusätzliche Garantie zu interpretieren. SAP und andere in diesem Dokument erwähnte Produkte und Dienstleistungen von SAP sowie die dazugehörigen Logos sind Marken oder eingetragene Marken der SAP AG in Deutschland und verschiedenen anderen Ländern weltweit. Weitere Hinweise und Informationen zum Markenrecht finden Sie unter http://www.sap.com/corporateen/legal/copyright/index.epx#trademark. © 2013 SAP AG. All rights reserved. Public 42

Editor's Notes

  • #5: XS Administration Tool: Web-based tool that enables you to configure and maintain the basic administration-related elements of the application-development process and environment
  • #6: User mapping is not supported.
  • #10: In SPS 6, this functionality was only available as an SQL command.
  • #13: The design-time objects that are stored in the SAP HANA database repository can be transported to other SAP HANA database repository installations and delivered to customers. The transport granularity is the delivery unit (DU). Every repository object belongs to a package. A package can contain an arbitrary number of objects of different types. A package can be assigned to a DU.
  • #14: Use case: development of SAP HANA applications, e.g. if something works for everyone else, but not in your sessionExample: Developer Bob wants to authorize developer Alice to debug a procedure in Bob’s session
  • #15: SAP HANA smart data access can be used, for example, in SAP Business Warehouse installations running on SAP HANA to integrate data from remote sources. Note: There are also system privileges required for Smart Data access, but they have been available in SAP HANA studio in SAP HANA SPS 6 already and are therefore not listed here.
  • #18: Data volume encryption was introduced with SPS 5, but could only be configured using SQL until now. Data volume encryption uses the AEC-256-CBC algorithm. During database start-up, administrator interaction is not required. The data volume root key is stored using the SAP NetWeaver secure storage in the file system (SSFS) functionality and is automatically retrieved from there.
  • #24: For access to the SAP HANA database via XS, SSL encryption could already be enforced for client connections in SPS 6For internal communication between nodes in a scale-out instance, communication automatically uses SSL if this has been configured
  • #25: System replication is a mechanism for ensuring the high availability of SAP HANA systems. Through the continuous replication of data from a primary to a secondary system, including in-memory loading, system replication facilitates rapid failover in the event of a disaster. Productive operations can be resumed with minimal downtime.For more information (e.g. for scenarios involving more than two systems), see the SAP HANA Security Guide
  • #27: Auditing allows you to monitor and record selected actions performed in your system. In other words, it provides you with visibility on who did what (or tried to do what) and when. The following actions are typically audited:Changes to user authorizationCreation or deletion of database objectsAuthentication of usersChanges to system configurationAccess to or changing of sensitive information
  • #28: Note:For test purposes in non-production systems, you can also use a CSV text file as the audit trail. A separate CSV file is created for every service that executes SQL
  • #34: Note: Users must exist before they can be specified in an audit policy