You are on page 1of 42

Whats New?

SAP HANA SPS 07


Security
(Delta from SPS 06 to SPS 07)

SAP HANA Product Management November, 2013
2013 SAP AG. All rights reserved. 2 Public
Agenda
Authentication
User/role management
Authorization
Encryption
Audit logging
Documentation
Authentication
2013 SAP AG. All rights reserved. 4 Public
SPNEGO (Kerberos with Simple and Protected GSSAPI Negotiation Mechanism) is now
available as an authentication option for SAP HANA XS
Configuration
1. In Microsoft Active Directory, for each host and alias register new service principal names and map them to the
(potentially already existing) SAP HANA service user
2. On the SAP HANA server, add the keys for the new service principal names to the keytab
3. In SAP HANA, configure the Kerberos user mapping for the user
Note: If the user mapping has already been set up for Kerberos authentication for SQL access, you do not
have to change anything here
4. Using the SAP HANA XS Administration Tool (http://<host>:80<sysno>/sap/hana/xs/admin/), select SPNEGO
as authentication method for the user
Whats New in SAP HANA SPS 07: Security
SPNEGO support for SAP HANA XS
2013 SAP AG. All rights reserved. 5 Public
SAP Logon Tickets and SAP Assertion Tickets are now supported for both SQL and XS access
Prerequisites
A separate trust store for SAP Logon and Assertion tickets
has been configured
System privilege USER ADMIN
Configuration
1. In the Systems view in SAP HANA studio, choose Security
2. Create a new user by right-clicking on Users and choosing
New User
3. Select the authentication method(s) and choose the (Deploy) button
Notes
Prior to SPS 07, SAP HANA implicitly selected both user name/password and SAP Logon Tickets as
authentication methods for new users. Now you have to explicitly set authentication options for new users
To re-enable the old behavior for SAP Logon Tickets, a new configuration parameter has been introduced
(Indexserver.ini -> authentication -> SapLogonTicketEnabledForNewUsers). See also SAP Note 1927949
Whats New in SAP HANA SPS 07: Security
SAP Logon Ticket and SAP Assertion Ticket support
2013 SAP AG. All rights reserved. 6 Public
The mandatory periodic password change can now be re-enabled using SQL
In some situations it may be required to exclude specific users from the mandatory periodic password change,
for example the technical user that is used by an application server to connect to the database
Prerequisites: System privilege USER ADMIN
Syntax:
ALTER USER <user_name> DISABLE PASSWORD LIFETIME
ALTER USER <user_name> ENABLE PASSWORD LIFETIME
Changed default for maximum_unused_initial_password_lifetime
This parameter specifies the number of days for which initial user passwords are valid. If a user has not logged
on within this period of time, the password becomes invalid; the user administrator can reset it if still needed.
New default: 7 days (formerly 28 days)
Prerequisites: System privilege USER ADMIN
To change this parameter, in the Systems view of SAP HANA studio choose Security -> Password Policy ->
Lifetime of Initial Password
Whats New in SAP HANA SPS 07: Security
Password policy changes/additions (I)
2013 SAP AG. All rights reserved. 7 Public
Option to set configuration parameter password_lock_time to infinity
Time for which a user is locked after having exhausted the maximum number of failed logon attempts
Prerequisites:
System privilege USER ADMIN
Configuration
In the Systems view in SAP HANA studio, choose Security -> Password Policy and in the User Lock Settings
select Lock indefinitely






When setting the parameter using SQL, use the value -1

Whats New in SAP HANA SPS 07: Security
Password policy changes/additions (II)
User/role management
2013 SAP AG. All rights reserved. 9 Public
Whats New in SAP HANA SPS 07: Security
Set validity period for user in SAP HANA studio
You can now set the validity period for a user in SAP HANA studio
Prerequisites
System privilege USER ADMIN
Configuration
1. In the Systems view in SAP HANA studio, choose Security
2. Expand Users and double-click on the user for which you want to set the validity period,
or create a new user by right-clicking on Users and choosing New User
3. Enter the validity period and choose the (Deploy) button
2013 SAP AG. All rights reserved. 10 Public
You can now create a new user by copying an
existing user. The roles granted to the existing
user are automatically granted to the new user
Prerequisites
System privilege USER ADMIN, SQL privilege
EXECUTE on procedure GRANT_ACTIVATED_ROLE
Restrictions
Only roles created as design-time roles are copied
Only available in SAP HANA studio
Procedure
1. In the Systems view in SAP HANA studio, choose
Security -> Users, right-click the user to be copied
and choose Copy User
2. Enter the details for the new user
3. Choose the (Deploy) button to create the user



Whats New in SAP HANA SPS 07: Security
Copy user
Authorization
2013 SAP AG. All rights reserved. 12 Public
New system privileges for repository change management are available
Repository change management provides the infrastructure for tracked development. If enabled, the
activation of a repository object prompts the developer to assign it to a container or Change. A
developer must then approve and release his changes in order for the objects in his change to be
marked as released. This enables the creation of a delivery unit (DU) that is composed of only
released objects. Releasing a change does not trigger any automatic semantic checks but is a manual
assurance by the developer that the objects are consistent and ready for transport.
Prerequisites
System privilege USER ADMIN
Granting system privileges
1. In the Systems view in SAP HANA studio, double-click on the user
2. On the System Privileges tab, add the required system privileges:
o REPO.CONFIGURE, REPO.MODIFY_CHANGE, REPO.MODIFY_FOREIGN_CONTRIBUTION,
REPO.MODIFY_OWN_CONTRIBUTION,
3. Choose the (Deploy) button
Whats New in SAP HANA SPS 07: Security
New system privileges for repository change management
2013 SAP AG. All rights reserved. 13 Public
You can now allow other users to debug
SQLScript code (e.g. a procedure) that is being
executed in your session
1. In the Systems view in SAP HANA studio, expand
Security -> Users and double-click the user to whom
you want to grant debugging privileges
o On the Object Privileges tab, add your procedure and
select DEBUG
o On the Privileges on Users tab, choose the (Add)
button and select ATTACH DEBUGGER (see screenshot)
2. Choose the (Deploy) button
Example
BOB grants ALICE debugging privileges
Note
It is not possible to grant the ATTACH DEBUGGER
privilege on behalf of other users



Whats New in SAP HANA SPS 07: Security
New privilege for debugging SQLScript code
2013 SAP AG. All rights reserved. 14 Public
SQL privileges for Smart Data Access scenarios can now be granted using SAP HANA studio
Smart data access is SAP HANAs capability to connect to remote sources and present data in those
remote sources as though they were local SAP HANA tables. In SAP HANA, virtual tables are created
that represent the tables in the remote source. Via these virtual tables, joins can be executed between
tables in SAP HANA and tables in the remote source.
The following SQL privileges can now be granted using SAP HANA studio:
CREATE VIRTUAL TABLE (in selected remote source)
DROP (selected remote source)
Prerequisites
Remote source has been created
Example
User SYSTEM grants a user the privileges to
Create virtual tables for remote source ASE2
Drop remote source ASE2


Whats New in SAP HANA SPS 07: Security
SAP HANA studio: Support for smart data access privilege assignment
Encryption
2013 SAP AG. All rights reserved. 16 Public
SAP HANA now supports SAPs new cryptographic library CommonCryptoLib for operations
that require cryptography, for example data volume encryption and SSL communication
encryption
CommonCryptoLib is the successor of SAPCRYPTOLIB
Notes:
CommonCryptoLib will be made available via SAP Service Marketplace
Because the library includes encryption routines, CommonCryptoLib distribution is subject to and controlled by
German export regulations and may not be available to all customers. The library may also be subject to local
regulations of your own country that may further restrict the import, use, and (re-)export of cryptographic
software.

Whats New in SAP HANA SPS 07: Security
Support for SAPs new cryptographic library CommonCryptoLib
2013 SAP AG. All rights reserved. 17 Public
Data volume encryption on disk can now be configured using SAP HANA studio
After activating encryption, new data that is saved to disk will be encrypted starting with the next
savepoint. Existing data starts being encrypted in the background. Depending on the size of the SAP
HANA system, this process can take some time. Only after this process has completed is all your data
encrypted. You can monitor the encryption progress in SAP HANA studio.
Notes
If you want to use data volume encryption, it is recommended to activate it directly after installing the system
The root key for data volume encryption is automatically created during installation. If you have received SAP
HANA as an appliance, we recommend to change this key after handover from the hardware vendor
Whats New in SAP HANA SPS 07: Security
SAP HANA studio: Configure data volume encryption (I)
2013 SAP AG. All rights reserved. 18 Public
Whats New in SAP HANA SPS 07: Security
SAP HANA studio: Configure data volume encryption (II)
Prerequisites
System privilege RESOURCE ADMIN
Activating/deactivating data volume encryption
1. In the Systems view in SAP HANA studio, choose
Security
2. Open the Data Volume Encryption tab
To activate encryption, select Activate encryption of
data volumes
To deactivate encryption, de-select this option
3. Choose the (Deploy) button
2013 SAP AG. All rights reserved. 19 Public
SAP HANA now provides the ability to change
the SSFS master key
SSFS (SAP NetWeaver secure storage in the file
system) is used by SAP HANA to store
The root key for the data volume encryption
The root key for the internal data protection API
(DPAPI). Note: DPAPI is used by the secure internal
credential store, which is needed in some scenarios
such as smart data access to securely store additional
user credentials (e.g. for access to remote systems)
The keys stored in SSFS are themselves encrypted
using the SSFS master key.
It is recommended to periodically change the SSFS
master key, re-encrypt the SSFS with the new key,
and save the new key to a secure location.
Whats New in SAP HANA SPS 07: Security
SSFS: Change master key (I)
SAP HANA
file system
SSFS master key
SSFS
Data volume encryption
(root key)
Internal data protection API
(root key)
SAP HANA database
Secure credential store
(key)
Data volume encryption
(savepoint-specific key)
2013 SAP AG. All rights reserved. 20 Public
Prerequisites
Credentials of the operating system user (<sid>adm user) that was created when the system was installed
Database user with system privilege INIFILE ADMIN
In a distributed SAP HANA system, every host must be able to access the key file location
Changing the SSFS master key
1. Stop the SAP HANA system
2. Log on to the SAP HANA system host as the operating system user <sid>adm
3. Generate a new master key by entering the following command:
rsecssfx generatekey
4. Re-encrypt the SSFS with the new master key and save the key file to a secure location as follows:
RSEC_SSFS_DATAPATH=/usr/sap/<SID>/global/hdb/security/ssfs
RSEC_SSFS_KEYPATH<PATH TO KEYFILE> rsecssfx changekey <NEWKEY>
5. Configure the specified key file location in the cryptography section of the global.ini configuration file with the
parameter ssfs_key_file_path
Whats New in SAP HANA SPS 07: Security
SSFS: Change master key (II)
2013 SAP AG. All rights reserved. 21 Public
If storage snapshots are used for data backup, the root key for the data volume encryption is
now included in the automatic backup of the SSFS
The SSFS is always part of the data backup, but for file system or BACKINT backups it does not
include the data volume encryption root key.
The root key is only needed in recovery scenarios where a storage snapshot is used as the basis for
the recovery.
Whats New in SAP HANA SPS 07: Security
SSFS: Data volume encryption root key included in backup
2013 SAP AG. All rights reserved. 22 Public
An alert is triggered if the SSFS is missing
SSFS is used by SAP HANA to store
The root key for the data volume encryption
The root key for the internal data protection API
New check
Determines whether the secure storage in the file system (SSFS) is accessible to the database
Alert priority: HIGH
Recommended user action: Check and make sure that the secure storage in the file system (SSFS) is
accessible to the database




Whats New in SAP HANA SPS 07: Security
SSFS: Alert if SSFS is missing
2013 SAP AG. All rights reserved. 23 Public
There is a new configuration parameter which enforces SSL encryption for all client SQL
connections to the SAP HANA database
Prerequisites
SSL has been configured for the SAP HANA database
System privilege INIFILE ADMIN
You have migrated to the new statistics server implementation (see SAP Note 1917938). Do not enforce SSL for
client connections otherwise.
Configuration
1. In the Administration editor in SAP HANA studio, open the Configuration tab
2. Navigate to the global.ini file and expand the communication section
3. Set the sslEnforce parameter to true (default: false)
4. New SQL connection attempts by clients without SSL will now be rejected by the SAP HANA database. Note
though that existing connections will not be terminated, so if you want to enforce SSL for all connections, it is
recommended to restart the database.
Whats New in SAP HANA SPS 07: Security
Communication encryption: Force SSL for client SQL connections
2013 SAP AG. All rights reserved. 24 Public
The Secure Sockets Layer (SSL) protocol can be used to secure network communication
between the primary site and secondary site in system replication scenarios
Prerequisites
SSL has been configured for both SAP HANA systems (key creation and CA).
System privilege INIFILE ADMIN
Configuration
1. For a scenario involving two systems, carry out the following steps in both systems
1. In the Administration editor in SAP HANA studio, open the Configuration tab
2. In the configuration file global.ini -> section system_replication_communication: Set the parameter enable_ssl to on
2. SSL will be used from the next reconnect between primary and secondary. The easiest way to achieve a
reconnect is to restart the secondary system.
Whats New in SAP HANA SPS 07: Security
Communication encryption: SSL support for system replication scenarios
Audit Logging
2013 SAP AG. All rights reserved. 26 Public
If auditing is active, certain actions are always audited and are therefore not available for
inclusion in user-defined audit policies
In the audit trail, these action are labeled with the internal audit policy MandatoryAuditPolicy.

Whats New in SAP HANA SPS 07: Security
Mandatory audit actions
Action Description
CREATE AUDIT POLICY
ALTER AUDIT POLICY
DROP AUDIT POLICY
Creation, modification, or deletion of audit policies
ALTER SYSTEM CLEAR AUDIT LOG UNITL <timestamp>
Deletion of audit entries from the audit trail. This only applies if
audit entries are written to column store database tables.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing
configuration','global_auditing_state' ) = <value> with reconfigure;
ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing
configuration','default_audit_trail_type' ) = '<audit_trail_type>' with
reconfigure;
ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing
configuration','default_audit_trail_path' ) = '<path>' with reconfigure;
Changes to auditing configuration, that is:
Enabling or disabling auditing
Changing the audit trail target
Changing the location of the audit trail target if it is a CSV text
file

2013 SAP AG. All rights reserved. 27 Public
Whats New in SAP HANA SPS 07: Security
Database table as audit trail target (I)
As an alternative to syslog, SAP HANA can now write the audit trail to tables within the
database itself
When an audit policy is triggered, an audit entry is created in the audit trail
Audit trail types for production systems:
syslog (logging system of the Linux operating system)
o syslog is a secure storage location for the audit trail because not even the database administrator can access or change it.
There are also numerous storage possibilities for the syslog, including storing it on other systems. In addition, syslog is the
default log daemon in UNIX systems. syslog therefore provides a high degree of flexibility and security, as well as
integration into a larger system landscape.
Database table
o Using an SAP HANA database table as the target for the audit trail makes it possible to query and analyze auditing
information quickly. It also provides a secure and tamper-proof storage location.
o Internal column store table in the _SYS_AUDIT schema of the SAP HANA database
o Audit entries are only accessible through the public system view AUDIT_LOG. Only SELECT operations can be performed
on this view by users with system privilege AUDIT ADMIN or AUDIT OPERATOR
o To avoid the audit table growing too large, it is possible to delete old audit entries
2013 SAP AG. All rights reserved. 28 Public
Prerequisites
System privilege AUDIT ADMIN or INIFILE ADMIN
Configuring the audit trail
1. In the Systems view, double-click on Security and
open the Auditing tab
2. In the System Settings for Auditing area, set the
auditing status to Enabled
3. Configure the target of the audit trail by choosing
Database Table
4. Choose the (Deploy) button
Whats New in SAP HANA SPS 07: Security
Database table as audit trail target (II)
2013 SAP AG. All rights reserved. 29 Public
Prerequisites
System privilege AUDIT ADMIN or AUDIT OPERATOR
Viewing the audit trail
In the Systems view of SAP HANA studio, expand the
catalog and display the system view AUDIT_LOG
Alternatively, display the system view using SQL
commands:
SELECT * FROM "PUBLIC"."AUDIT_LOG"
Whats New in SAP HANA SPS 07: Security
Database table as audit trail target (III)
2013 SAP AG. All rights reserved. 30 Public
Prerequisites
System privilege AUDIT ADMIN or AUDIT OPERATOR
Truncating the audit trail
1. In the Systems view, double-click on Security and
open the Auditing tab
2. Choose the (Truncate) button
3. Specify a date/time and click OK
Caution: All information in the audit trail that is older will
be immediately deleted

Whats New in SAP HANA SPS 07: Security
Database table as audit trail target (IV)
2013 SAP AG. All rights reserved. 31 Public
Two additional data definition (DDL) actions
can now be audited: CREATE TABLE and
ALTER TABLE
Prerequisites
System privilege AUDIT ADMIN
Creating an audit policy
1. In the Systems view, double-click on Security and
open the Auditing tab
2. In the Audit Policies area, choose Create New Policy
3. Enter the policy name
4. Specify the audit actions and further options if
required
5. Choose the (Deploy) button
Whats New in SAP HANA SPS 07: Security
New audit actions
2013 SAP AG. All rights reserved. 32 Public
You can log all actions performed by a specific
user
This covers not only all actions that can be audited
individually, but also actions that cannot otherwise
be audited. Such a policy is useful if you want to
audit the actions of a particularly privileged user.
Note
Some actions cannot be audited using database
auditing even with a policy that includes all actions, in
particular, system restart and system recovery
Caution
Firefighter logging may generate a lot of audit entries,
so only enable it if required
Whats New in SAP HANA SPS 07: Security
Firefighter logging
2013 SAP AG. All rights reserved. 33 Public
You can now exempt individual users from an
audit policy
This can be useful, for example, if you want to
exclude the technical user account used by an
application server for connections to the SAP
HANA database
Prerequisites
System privilege AUDIT ADMIN
Exempting a user from an audit policy
When creating the audit policy, choose in the Users
column
Select the users to be excluded from the audit policy
Whats New in SAP HANA SPS 07: Security
Exempt user from audit policy
2013 SAP AG. All rights reserved. 34 Public
The dialog for selecting audit actions for an
audit policy has been improved
Not all actions can be combined together in the
same policy, therefore compatible audit actions
have been grouped together
When you select an action, those actions that are
not compatible with the selected action become
unavailable for selection
If you need to two audit incompatible audit actions,
you need to create two separate audit policies
Whats New in SAP HANA SPS 07: Security
SAP HANA studio: Improved audit action configuration
Documentation
2013 SAP AG. All rights reserved. 36 Public
Whats New in SAP HANA SPS 07: Security
Context-sensitive help in SAP HANA studio
SAP HANA studio now provides context-
sensitive help for many topic areas, including
security
To open the context-sensitive help, press F1, or
choose Help -> Dynamic Help
More Information
2013 SAP AG. All rights reserved. 38 Public
SAP HANA documentation
Available on the SAP Help Portal
SAP HANA Security Guide, Master Guide (network topics),
Developer Guide, SQL Reference Guide (privilege details)
Important SAP notes
1598623: SAP HANA appliance: Security (Central Security Note)
1514967: SAP HANA appliance (Central Appliance Note)
1730928: Using external software in a HANA appliance
1730929: Using external tools in an SAP HANA appliance
1730930: Using antivirus software in an SAP HANA appliance
1730999: Configuration changes in HANA appliance
Security whitepaper
http://www.saphana.com/docs/DOC-3751
Whats New in SAP HANA SPS 07: Security
More Information
2013 SAP AG. All rights reserved. 39 Public
Disclaimer
This presentation outlines our general product direction and should not be relied on in making
a purchase decision. This presentation is not subject to your license agreement or any other
agreement with SAP.
SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and
SAPs strategy and possible future developments are subject to change and may be changed
by SAP at any time for any reason without notice.
This document is provided without a warranty of any kind, either express or implied, including
but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or
non-infringement. SAP assumes no responsibility for errors or omissions in this document,
except if such damages were caused by SAP intentionally or grossly negligent.

Thank you
Contact information

Andrea Kristen
SAP HANA Product Management
AskSAPHANA@sap.com

To get the best overview of whats new in SAP HANA SPS 07, read this blog.
2013 SAP AG. All rights reserved. 41 Public
2013 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and
SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in
the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other
countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
2013 SAP AG. All rights reserved. 42 Public
2013 SAP AG. Alle Rechte vorbehalten.
Weitergabe und Vervielfltigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrckliche schriftliche
Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen knnen ohne vorherige Ankndigung gendert werden.
Einige der von der SAP AG und ihren Distributoren vermarkteten Softwareprodukte enthalten proprietre Softwarekomponenten anderer Softwareanbieter.
Produkte knnen lnderspezifische Unterschiede aufweisen.
Die vorliegenden Unterlagen werden von der SAP AG und ihren Konzernunternehmen (SAP-Konzern) bereitgestellt und dienen ausschlielich zu Informationszwecken.
Der SAP-Konzern bernimmt keinerlei Haftung oder Gewhrleistung fr Fehler oder Unvollstndigkeiten in dieser Publikation. Der SAP-Konzern steht lediglich fr Produkte
und Dienstleistungen nach der Magabe ein, die in der Vereinbarung ber die jeweiligen Produkte und Dienstleistungen ausdrcklich geregelt ist. Keine der hierin
enthaltenen Informationen ist als zustzliche Garantie zu interpretieren.
SAP und andere in diesem Dokument erwhnte Produkte und Dienstleistungen von SAP sowie die dazugehrigen Logos sind Marken oder eingetragene Marken der SAP
AG in Deutschland und verschiedenen anderen Lndern weltweit. Weitere Hinweise und Informationen zum Markenrecht finden Sie unter http://www.sap.com/corporate-
en/legal/copyright/index.epx#trademark.