SAP HANA SPS 09 - What's New? Security. Andrea Kristen, SAP HANA Product Management, November 2014 (Delta from SPS 08 to SPS 09). © 2014 SAP AG or an SAP affiliate company. All rights reserved.


  • SAP HANA SPS 09 - What's New? Security

    Andrea Kristen, SAP HANA Product Management November, 2014

    (Delta from SPS 08 to SPS 09)

  • Agenda

    Authentication

    User/role management

    Authorization

    Encryption

    Audit logging

    Antivirus software support

    Support for multitenant database containers

  • Authentication

  • What's New in SAP HANA SPS09: Security - Changed emergency reset mechanism for the SYSTEM user password

    The new mechanism for resetting the SYSTEM user password uses the index server in

    emergency mode

    This password reset mechanism should only be used if the SYSTEM user password was lost.

    Emergency reset of the SYSTEM user password

    Prerequisite: Credentials of the operating system administrator adm, access to the master index server

    1. As adm, log on to the server on which the master index server is running

    2. On the command line, shut down the SAP HANA system, then start the name, compile and index servers

    3. Use the following command to reset the password /usr/sap//HDB/exe/hdbindexserver resetUserSystem

    Afterwards, the index server is automatically stopped

    4. End the name and compile server processes

    5. On the command line, start the SAP HANA system

    Note: In a system with multitenant database containers, you can reset the passwords of the SYSTEM users in the

    same way by starting the name server (for the system database) or index server (for tenant databases) in

    emergency mode

  • What's New in SAP HANA SPS09: Security - System view showing authentication method for connected users

    The system view M_CONNECTIONS now

    contains additional information about the

    authentication method

    Per default, users can only query information about

    themselves

    Viewing information for all connected users

    Prerequisite: system privilege CATALOG READ

    1. In SAP HANA Studio, open the SQL editor

    2. Enter the following SQL statement:

    SELECT USER_NAME, AUTHENTICATION_METHOD

    FROM M_CONNECTIONS

  • User/role management

  • What's New in SAP HANA SPS09: Security - Repository role editor (I)

    A graphical editor for repository roles is now available as part of the SAP HANA Web-based

    Development Workbench (Web IDE)

    In earlier versions, only a text editor in SAP HANA studio was available.

    There are two types of roles in SAP HANA: catalog roles and repository roles. For most use cases it is

    recommended to use repository roles. Compared to catalog roles, they offer several advantages, e.g.

    Versioning

    Integration with standard transport mechanisms

    Decoupling of role creation from role granting/revoking

    Support for standard DEV QA PROD landscapes

    Separation of duties

    Role lifecycle

    1. A developer/role designer creates the role in the repository of the development system and tests it

    2. The role is transported to the production system, e.g. using HALM or CTS+

    3. In the production system, a user administrator grants the role to end users

  • What's New in SAP HANA SPS09: Security - Repository role editor (II)

    [Figure: role lifecycle across DEV and PROD. Design time: developers/role designers maintain .hdbroles objects in repository packages (package1, subpackage1) using Studio or the Web IDE (new). Export/import: Delivery Unit (DU). Transport: HANA Application Lifecycle Manager, CTS+, ... Runtime: activation via _SYS_REPO, role in the database, grant/revoke by user administrators using Studio.]

  • What's New in SAP HANA SPS09: Security - Repository role editor (III)

    Creating a new repository role

    Prerequisites o sap.hana.xs.ide.roles::EditorDeveloper role

    o Package privileges on the required packages

    1. Open the Editor of the Web IDE in your web browser: http://:80/sap/hana/xs/ide/editor

    2. In the Content tree, right-click on the folder where you

    want to create the new role and choose New Role

    3. Enter a role name and choose Create

    4. Select the roles and privileges that you want to

    include in the new role

    5. Save the role using (Save)

    Note: The role will be saved and activated in one step. If

    you want to only save the role, choose (Settings) and

    select Enable inactive save. An additional icon will be

    displayed in the toolbar: (Save without Activating)

  • What's New in SAP HANA SPS09: Security - Web-based administration and development tools

    As part of the general SAP UI strategy, administration and development functions are being made

    available in web-based tools such as SAP HANA Cockpit and SAP HANA Web-based Development

    Workbench (Web IDE).

    One of the prerequisites for using these functions is a web browser with SAPUI5 support.

    Information on web browsers with SAPUI5 support

    SAP Note 1716423 - SAPUI5 Browser Support

    PAM for SAPUI5: https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/support/pam/pam.html?smpsrv=https%3A%2F%2Fwebsmp105.sap-ag.de#pvnr=01200314690900004969&pt=t%7CWBRPFM&ainstnr=01200314694900015214&ts=0

  • What's New in SAP HANA SPS09: Security - Accessing the web-based user and catalog role editors in Web IDE

    The SAP HANA Web IDE contains a user editor

    and a catalog role editor for scenarios where

    only web-based tools are available

    Access from Web IDE

    Prerequisites: o USER ADMIN or ROLE ADMIN system privilege

    o sap.hana.xs.ide.roles::SecurityAdmin role

    1. Log on to Web IDE (http://:/sap/hana/xs/ide)

    2. Click on the Security tile

    Access from SAP HANA Cockpit

    Prerequisites (in addition to above): o sap.hana.admin.roles::Monitoring

    1. Log on to SAP HANA Cockpit

    (http://:/sap/hana/admin/cockpit)

    2. Click on the Manage Roles and Users tile

  • What's New in SAP HANA SPS09: Security - Maintaining user parameters in SAP HANA Studio

    You can now maintain user parameters in SAP HANA Studio

    Users can change their own parameters.

    Maintaining user parameters for other users

    Prerequisites: USER ADMIN system privilege

    1. In the Systems view, double-click the user under Security Users and open the User Parameters tab

    2. Choose the user parameter and enter a value

    3. Save by choosing the (Deploy) button

    User parameter | Description
    EMAIL ADDRESS | E-mail address
    LOCALE | Locale
    PRIORITY | The priority with which the thread scheduler handles statements executed by the user
    MEMORY STATEMENT LIMIT | The maximum memory (in GB) that can be used by a statement executed by the user (if feature enabled globally)
    TIME ZONE | Time zone

  • What's New in SAP HANA SPS09: Security - New alert: Support role granted to users

    Alert notifies administrators when a user is granted the SAP_HANA_INTERNAL_SUPPORT role

    The support role contains privileges that allow access to certain low-level internal system views

    needed by SAP HANA development support in support situations, which otherwise would only be

    accessible to the SYSTEM user. All access is read only, and the role does not allow access to any

    customer data. The low-level internal system views are not part of the stable end-user interface and

    might change from revision to revision. To avoid users accidentally accessing these internal system

    views in applications or scripts, this role is subject to usage restrictions.

    Configuring the alert thresholds

    Prerequisite: system privilege INIFILE ADMIN

    1. In the Administration editor in SAP HANA Studio, open the Alerts tab and choose the (Configure...) button.

    2. Open the Configure Check Thresholds tab and choose check 63.

    3. Specify the threshold values. Default: 1 user, alert priority low

    Switching off the alert

    See SAP Note 1991615

  • What's New in SAP HANA SPS09: Security - New built-in procedures to check compliance with password policy

    Application developers can use the new procedures to verify that a new user name and

    password are compliant before actually creating the user

    Some restrictions apply to the characters that may be used in user names. Passwords need to adhere

    to the password policy that has been configured for the system.

    Procedures:

    SYS.IS_VALID_USER_NAME

    SYS.IS_VALID_PASSWORD

    Syntax

    Prerequisite: EXECUTE privilege on the procedures

    IS_VALID_USER_NAME (IN user_name NVARCHAR(256), OUT error_code INT, OUT error_message NVARCHAR(5000))

    IS_VALID_PASSWORD (IN password NVARCHAR(256), OUT error_code INT, OUT error_message NVARCHAR(5000))
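
Added example (not part of the original slides): a SQLScript wrapper that runs both checks before an application issues CREATE USER. The schema and procedure name APP_SEC.CHECK_NEW_CREDENTIALS are hypothetical, and the code assumes that error_code 0 means the value was accepted, which the slide does not state.

```sql
-- Added example, not SAP's code. APP_SEC.CHECK_NEW_CREDENTIALS is a hypothetical name;
-- the schema APP_SEC is assumed to exist.
-- Assumption: error_code = 0 means "valid" (the slide gives only the signatures).
CREATE PROCEDURE APP_SEC.CHECK_NEW_CREDENTIALS (
    IN  p_user_name NVARCHAR(256),
    IN  p_password  NVARCHAR(256),
    OUT p_valid     INTEGER,            -- 1 = both checks passed, 0 = rejected
    OUT p_reason    NVARCHAR(5000))     -- message returned by the failing check
LANGUAGE SQLSCRIPT
SQL SECURITY INVOKER                    -- caller needs EXECUTE on both SYS procedures
AS
BEGIN
    DECLARE v_code INTEGER;
    DECLARE v_msg  NVARCHAR(5000);

    p_valid  := 0;
    p_reason := '';

    -- Check the user name first so a bad name is reported before the password is evaluated.
    CALL SYS.IS_VALID_USER_NAME(:p_user_name, v_code, v_msg);
    IF :v_code <> 0 THEN
        p_reason := 'user name rejected: ' || :v_msg;
    ELSE
        -- The password is checked against the password policy configured for the system.
        CALL SYS.IS_VALID_PASSWORD(:p_password, v_code, v_msg);
        IF :v_code <> 0 THEN
            p_reason := 'password rejected: ' || :v_msg;
        ELSE
            p_valid := 1;
        END IF;
    END IF;
    -- The password is never copied into p_reason, so it cannot leak through the result.
END;

-- Usage from a SQL console; the two ? are the OUT parameters.
CALL APP_SEC.CHECK_NEW_CREDENTIALS('NEW_APP_USER', 'candidate-password-here', ?, ?);
```

Grant EXECUTE on the wrapper only to the technical user of the application that creates accounts, and create the user only when p_valid is 1.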

  • What's New in SAP HANA SPS09: Security - Web-based user self-services (I)

    SAP HANA now provides web-based user self-

    services for resetting your own password and

    for requesting a new user account

    The user self-services are part of the

    HANA_XS_BASE delivery unit (autocontent).

    When enabled, they are available on the SAP

    HANA logon screen. They are disabled by default.

  • What's New in SAP HANA SPS09: Security - Web-based user self-services (II)

    Configuring user self-services

    Prerequisites: o See the SAP HANA Administration Guide

    1. Configure the XSSQLCC technical user which is used

    by the user self-services

    2. Configure the user self-service parameters in the xsengine.ini file

    3. Configure the SMTP server that SAP HANA XS

    applications can use to send mails

    4. Configure dedicated administrators for the user self-

    service administration tool. These administrators

    process user requests and manage blacklists and

    whitelists

    Parameter | Description | Default
    automatic_user_creation | Defines whether a user creation request needs approval | false
    forgot_password | Defines whether the password reset self-service is enabled | false
    request_new_user | Defines whether the new user account self-service is enabled | false
    reset_locked_user | Defines whether password reset for a locked user is enabled | false
    sender_email | Mail address for sending out the registration mails/tokens |
    token_expiry_time | Duration (in s) for which a generated token is valid | 3600
    user_creation_request_count | Number of times a user with the same mail address can request an account before being added to the blacklist | 3

  • What's New in SAP HANA SPS09: Security - Web-based user self-services (III)

    Resetting your password

    Prerequisite: o User self-service is enabled in the SAP

    HANA system

    1. On the SAP HANA logon page, choose

    Forgot your password?

    2. Enter your user name

    3. A mail is sent to your mail address with

    a link to reset the password

    4. Enter a new password and answer the

    security question that you specified

    when you initially set up your account

  • What's New in SAP HANA SPS09: Security - Web-based user self-services (IV)

    Requesting a new account

    Prerequisite: o User self-service is enabled in the SAP

    HANA system

    1. On the SAP HANA logon screen, choose

    Request account

    2. Choose a user name and enter your mail

    address

    3. A verification link is sent to your mail

    address

    4. After clicking the verification link, choose

    a password and a security question

    5. Your request is sent to the system

    administrator for approval

    6. After approval, your account is activated

    and you get notified by mail

  • What's New in SAP HANA SPS09: Security - Web-based user self-services (V)

    Approving new account requests

    Prerequisites: o User self-service is enabled in the SAP HANA system

    o sap.hana.xs.selfService.admin.roles::USSAdministrator

    role

    1. Log on to the user self-service administration tool: http://:/sap/hana/xs/selfService/admin

    2. Review the pending requests

    o Approve/reject request

    o Assign application roles if required

    Note: To assign roles, you can use the Web IDE user and

    role editor

    o Add domain/mail address/IP range to blacklist if required

    3. After you have approved a request, a notification mail is sent to the user.

    [Screenshot callouts: Open user and role editor in Web IDE; Account is requested for this XS application; User is activated and notified]

  • Authorization

  • What's New in SAP HANA SPS09: Security - Extension of SQL-based analytic privileges

    SQL-based analytic privileges can now also be used with SQL views

    In earlier versions, SQL-based analytic privileges could only be applied to analytic views.

    Analytic privileges allow row-based access control to views. They filter query results according to the

    attributes of the session user.

    Comparison between XML-based and SQL-based analytic privileges

    XML-based analytic privileges

    o More difficult to use due to complex XML format

    o Limited expressiveness with regard to filtering capabilities

    o Only analytic views are supported

    o Design time available

    SQL-based analytic privileges

    o Intuitive specification using SQL syntax

    o Flexible combination of filters

    o Sub-queries as filters

    o Analytic and SQL views are supported

    o No design time support yet

    CREATE STRUCTURED PRIVILEGE

    CREATE STRUCTURED PRIVILEGE FOR SELECT ON WHERE a=10
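
Added example (not from the original slides): the complete chain for a SQL-based analytic privilege on a SQL view, with a sub-query filter keyed on the session user. All object and user names (SALES, ORDERS, USER_REGION, V_ORDERS, AP_ORDERS_BY_REGION, ANALYST_1) are hypothetical, ANALYST_1 is assumed to exist, and the WITH STRUCTURED PRIVILEGE CHECK clause and GRANT STRUCTURED PRIVILEGE statement are SAP HANA SQL that the slide itself does not show.

```sql
-- Added example with constructed sample data; every name below is hypothetical.
CREATE SCHEMA SALES;

CREATE COLUMN TABLE SALES.ORDERS (
    ORDER_ID INTEGER PRIMARY KEY,
    REGION   NVARCHAR(10),
    AMOUNT   DECIMAL(15,2));

-- Mapping table: which database user may see which region.
CREATE COLUMN TABLE SALES.USER_REGION (
    USER_NAME NVARCHAR(256),
    REGION    NVARCHAR(10),
    PRIMARY KEY (USER_NAME, REGION));

INSERT INTO SALES.ORDERS VALUES (1, 'EMEA', 100.00);
INSERT INTO SALES.ORDERS VALUES (2, 'APJ',  250.00);
INSERT INTO SALES.ORDERS VALUES (3, 'EMEA',  75.50);
INSERT INTO SALES.USER_REGION VALUES ('ANALYST_1', 'EMEA');

-- 1. The view must opt in to analytic privilege checks; without this clause
--    a plain SELECT grant exposes every row.
CREATE VIEW SALES.V_ORDERS AS
    SELECT ORDER_ID, REGION, AMOUNT
    FROM SALES.ORDERS
    WITH STRUCTURED PRIVILEGE CHECK;

-- 2. Row filter: a sub-query on the session user instead of a constant such as a=10.
CREATE STRUCTURED PRIVILEGE AP_ORDERS_BY_REGION
    FOR SELECT ON SALES.V_ORDERS
    WHERE REGION IN (SELECT REGION
                     FROM SALES.USER_REGION
                     WHERE USER_NAME = SESSION_USER);

-- 3. The user needs both the object privilege on the view and the analytic privilege.
GRANT SELECT ON SALES.V_ORDERS TO ANALYST_1;
GRANT STRUCTURED PRIVILEGE AP_ORDERS_BY_REGION TO ANALYST_1;

-- 4. Connected as ANALYST_1, this query is filtered to the regions mapped to that user.
SELECT ORDER_ID, REGION, AMOUNT FROM SALES.V_ORDERS;
```

Write access to the mapping table decides who sees which rows, so restrict INSERT, UPDATE and DELETE on SALES.USER_REGION as tightly as the privilege itself.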

  • What's New in SAP HANA SPS09: Security - New system privilege: TABLE ADMIN

    A new system privilege for administrators has been introduced

    The new system privilege TABLE ADMIN authorizes the following administrative actions that are

    related to the management of tables:

    LOAD: Load specified column store tables from disk into memory (otherwise they will be loaded into memory on first access)

    UNLOAD: Unload specified column store tables from memory to disk (e.g. to free up memory; the tables will be loaded into memory again on next access)

    MERGE DELTA: Merge the column store table's delta storage to the table's main storage

  • Encryption

  • What's New in SAP HANA SPS09: Security - XS encryption service for applications

    XS applications can now store values in encrypted form

    Application developers can use the XS API $.security.Store to define a secure store for

    encrypted name-value pairs for their XS application.

    Options

    Application-wide data visibility

    All users of the XS application have access to one secure store

    All users share the same data and can decrypt or encrypt data

    Example: passwords for a remote system

    User-specific data visibility

    Each user of the XS application has a separate container to securely store encrypted data

    Only the owner of the secure store and the respective user can decrypt the data

    Examples: credit card numbers or personal-information-number (PIN) codes

    More information

    SAP HANA Developer Guide

  • What's New in SAP HANA SPS09: Security - CommonCryptoLib part of standard delivery

    CommonCryptoLib is now part of the SAP HANA standard delivery.

    Up to now, customers were required to download CommonCryptoLib from SAP Marketplace.

    SAP CommonCryptoLib is the successor of SAPCRYPTOLIB and is the default cryptographic library

    for SAP HANA. It is used for operations that require cryptography, for example data volume encryption

    and SSL communication encryption.

    CommonCryptoLib is installed as part of SAP HANA server installation at the default location for library lookup: /usr/sap//SYS/exe/hdb/libsapcrypto.so

    Note: The OpenSSL library is also installed as part of the operating system installation. For most use

    cases it is also possible to use OpenSSL instead of CommonCryptoLib. However, there are already

    some features in SAP HANA that are only supported by CommonCryptoLib, and future features might

    also only be supported by CommonCryptoLib.

    For information on the migration process from OpenSSL to CommonCryptoLib, see SAP Note

    2093286.

  • Audit logging

  • What's New in SAP HANA SPS09: Security - Specify schema when creating audit policy on database objects

    You can now specify a schema if you want to

    audit all database objects belonging to the

    schema

    Creating an audit policy for a schema

    Prerequisites: System privilege AUDIT ADMIN

    1. In the Systems view, double-click on Security and

    open the Auditing tab

    2. In the Audit Policies area, choose Create New Policy

    3. Enter the policy name

    4. In Audited Actions, select an audit action that applies

    to database objects, e.g. DELETE

    5. As Target Object, select the schema

    6. Choose the (Deploy) button

  • What's New in SAP HANA SPS09: Security - More granular audit trail target definition (I)

    You can now specify the audit trail target per audit policy

    Options for the audit trail target

    System-wide default: Audit entries are written to the audit trail target(s) configured for the system if no other trail target has been configured per audit level

    Audit level (optional): Audit entries from audit policies with the audit level EMERGENCY, CRITICAL, or ALERT are written to the specified audit trail target(s). If no audit trail target is configured, entries are written to the audit

    trail target configured for the system.

    Audit policy (optional): Audit entries from a particular policy are written to the specified audit trail target(s). If no audit trail target is configured for an audit policy, entries are written to the audit trail target for the

    audit level if configured, or the audit trail target configured for the system. Several audit trail targets are

    configurable for each individual policy.


  • What's New in SAP HANA SPS09: Security - More granular audit trail target definition (II)

    Specifying multiple audit trail targets

    Prerequisites: system privilege AUDIT ADMIN, auditing has been enabled

    1. In the Systems view, double-click on Security and

    open the Auditing tab

    2. In the Audit Trail Target section of the audit policy,

    select the audit trail targets

    3. Choose the (Deploy) button.

  • What's New in SAP HANA SPS09: Security - Audit entries of prepared statements show parameter values

    Parameter values in prepared statements are

    now recorded in the audit trail

    Up to now, only ? was displayed in the audit trail.

    Example

    1. Create and deploy a new audit policy for INSERT

    actions on your test table

    2. Insert a value into the test table using a prepared

    SQL statement

    3. Check the STATEMENT_STRING field in the audit

    trail

  • What's New in SAP HANA SPS09: Security - New audit actions for data volume encryption

    Changes to the data volume encryption can

    now be recorded in the audit trail

    When you include ALTER PERSISTENCE

    ENCRYPTION in an audit policy, the following

    actions will be recorded in the audit trail:

    Switching the data volume encryption on/off

    Creating a new encryption key

    Re-encrypting old encrypted data with the current key

  • Antivirus software support

  • What's New in SAP HANA SPS09: Security - XS antivirus interface

    XS applications can now integrate antivirus tools to check uploaded data

    Application developers can use the XS API $.security.Antivirus to integrate an antivirus engine

    with their XS applications.

    Note: For production systems, only certified antivirus engines should be used.

    More information:

    SAP HANA Developer Guide

    Supported antivirus engines/certification: SAP Note 786179

  • Support for multitenant database containers

  • What's New in SAP HANA SPS09: Security - Multitenant database containers: Overview

    Multitenant database containers are a new way

    to run multiple applications/scenarios on one

    SAP HANA system

    1 system database and multiple tenant databases

    Shared installation of database system software

    Strong isolation features, the system database and each of the tenant databases have their own:

    Database users, database catalog, repository, persistence, backups, traces and diagnosis files

    Distinction between tasks performed at system level and those performed at database level

    Integration with data center operation procedures

    *tenant database = database container

    [Figure: one SAP HANA system containing a system database, tenant database 1* and tenant database 2, serving Application 1 and Application 2]

  • What's New in SAP HANA SPS09: Security - Security aspects of multitenant database containers (I)

    Clients connect via dedicated ports to individual databases

    Security-relevant features are configurable per database

    Only controlled access between databases

    Tenant databases are created and managed from the system database

    o But: No direct access to tenant database

    table content from the system database

    [Figure: SAP HANA system on Host 1 with a system database (metadata, landscape info) and tenant databases DB1, DB2 and DB3 (each with its own metadata and tables). Each database has its own XS and its own SQL port (3XX13, 3XX41, 3XX45, 3XX49); HTTP access goes through the Web Dispatcher using virtual host names per XS.]

  • What's New in SAP HANA SPS09: Security - Security aspects of multitenant database containers (II)

    Unlike a single database system in which system and database are a single unit and

    administered as one, an MDC system has 2 levels of administration.

    Administration tasks performed in the system database include:

    Starting and stopping the whole system

    Monitoring the system

    Configuring parameters at system level

    Managing tenant databases: Creating/dropping databases, configuring database-specific parameters, adding services to databases for scalability, backing up databases, recovering databases

    Administration tasks performed in tenant databases include:

    Monitoring the database

    Provisioning database users

    Creating and deleting schemas, tables, and indexes in the database

    Backing up the database

    Configuring database-specific parameters

  • What's New in SAP HANA SPS09: Security - Security aspects of multitenant database containers (III)

    Function | Details
    Authentication | User name and password (incl. password policy), Kerberos/SPNEGO, SAML, SAP logon and assertion tickets, X.509 (XS access only). Note: For details on the available configuration options (system-wide/per database), please refer to the documentation.
    Users and roles | Isolation of users and roles between the system database and all of the tenant databases; SYSTEM user in system database and SYSTEM user in each tenant database
    Authorization | Standard privilege concept; additional system privilege DATABASE ADMIN in the system database for tenant database administration; read-only cross-database queries supported (disabled by default); option to disable specific administration functions in tenant databases, e.g. export/import
    Encryption | Communication encryption (SSL), data volume encryption (per database, separate root keys), backup encryption via 3rd party backup tools
    Audit logging | Standard audit logging concept; audit trail written to Linux syslog or to SAP HANA database table; audit trail configuration via system database, audit policy configuration per database
    Security administration | SAP HANA Studio, XS Administration Tool, SQL interface (command line tool hdbsql)

  • What's New in SAP HANA SPS09: Security - Restricted features in tenant databases (I)

    Certain security-relevant features can be enabled/disabled in tenant databases

    Not all features are required/desirable in all environments, e.g. features that provide direct access to

    the file system, the network, or other critical resources.

    The system view M_CUSTOMIZABLE_FUNCTIONALITIES provides information about such restricted features that can be disabled in tenant databases. This view exists in both the SYS schema of every database, where it

    contains database-specific information, and in the SYS_DATABASES schema of the system database, where it

    contains information about the enablement of features in all databases.

    You disable/enable restricted features in tenant databases via the global.ini file of the system database.

    All restricted features are enabled in the system database and cannot be disabled there.

  • What's New in SAP HANA SPS09: Security - Restricted features in tenant databases (II)

    Enabling/disabling features in tenant databases

    Prerequisites: User in the system database with CATALOG READ and INIFILE ADMIN privileges

    1. In the Administration editor in SAP HANA Studio,

    open the Configuration tab

    2. In the global.ini file customizable_functionalities section,

    double-click on the feature to be disabled

    3. Select Database as the layer and set the value to

    FALSE. Note: Features are hierarchically structured. If

    you enable a feature with sub-features, these are also

    enabled.

    4. Restart the tenant database (prerequisite: DATABASE ADMIN privilege):

    ALTER SYSTEM STOP DATABASE ;

    ALTER SYSTEM START DATABASE ;

  • What's New in SAP HANA SPS09: Security - Cross-database queries (I)

    In multiple-container systems, read-only

    queries across database containers are

    supported but not enabled by default

    If enabled, a user from one tenant database can

    execute queries in another tenant database if this

    user is mapped to a user with remote identity there.

    A user in the target database can only be associated with one user in the source database

    The association is unidirectional

    Only the SELECT privileges of the user in the target database are considered during a cross-database query; all other privileges of the remote user are ignored.

    [Figure: SAP HANA system with tenant database TN1 (source) and tenant database TN2 (target). User_1 in TN1 runs SELECT * FROM TABLE_A; Table_A is in TN2, where User_2 has a remote identity.]

  • What's New in SAP HANA SPS09: Security - Cross-database queries (II)

    Configuring cross-database queries

    Prerequisite: DATABASE ADMIN system privilege in the system database

    1. In the Administration editor, open the Configuration tab

    2. In global.ini cross_database_access system layer, set the property enable to true

    3. Add a new parameter targets_for_ and define the

    target databases as a comma-separated list

    Prerequisite: USER ADMIN system privilege in the target database

    1. In the target database, add a remote identity to a user

    (= map this user to a user in the source database): ALTER USER ADD REMOTE IDENTITY AT DATABASE
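
Added example (not from the original slides) that walks through the mapping step with the names from the diagram on the previous slide: TN1 is the source database, TN2 the target, USER_1 the source user and USER_2 the target user. The schema name APP is hypothetical, both users are assumed to exist, and cross-database access is assumed to be enabled in global.ini as described in steps 1 to 3.

```sql
-- Added example; APP is a hypothetical schema in TN2 that contains TABLE_A.

-- Connected to the target database TN2 as a user with USER ADMIN:
-- USER_2 carries exactly the SELECT privileges that USER_1 should have across databases.
-- Only SELECT privileges of USER_2 are evaluated for the cross-database query.
GRANT SELECT ON APP.TABLE_A TO USER_2;

-- Map USER_2 (target) to USER_1 in the source database TN1.
-- The association is unidirectional and USER_2 can be tied to only one source user.
ALTER USER USER_2 ADD REMOTE IDENTITY USER_1 AT DATABASE TN1;

-- Review which local users are reachable from other databases.
SELECT * FROM SYS.REMOTE_USERS;

-- Connected to the source database TN1 as USER_1:
-- the object is addressed as <database>.<schema>.<object>.
SELECT * FROM TN2.APP.TABLE_A;
```

Reviewing SYS.REMOTE_USERS in each tenant database on a schedule shows every path by which data can be read from another tenant.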

  • More Information

  • SAP HANA information

    SAP Help Portal: Security Guide, Master Guide (network topics), Developer Guide, SQL Reference Guide

    SAP HANA Security Whitepaper

    How to Define Standard Roles for SAP HANA Systems

    Important SAP notes

    1598623: SAP HANA appliance: Security

    1514967: SAP HANA appliance

    1730928: Using external software in a HANA appliance

    1730929: Using external tools in an SAP HANA appliance

    1730930: Using antivirus software in an SAP HANA appliance

    786179: Supported antivirus engines/certification

    784391: SAP support terms and 3rd-party Linux kernel drivers

    1730999: Configuration changes in HANA appliance

    863362: Security checks with SAP EarlyWatch Alert


  • SAP HANA security patches

    Operating system security patches

    Supported operating systems: SUSE Linux Enterprise and RedHat Enterprise

    Operating system security patches are provided and published by the operating system vendors

    SAP HANA security patches

    SAP HANA security patches are published as part of the SAP Security Patch strategy (SAP Security Notes)

    Security notes for all SAP products are available at: http://service.sap.com/securitynotes

    For SAP HANA, filter for component HAN*

    Patches are delivered as SAP HANA revisions

    More information:

    FAQ SAP Security Notes

    FAQ SAP Security Patch Process

  • SAP security approach

    Security is an important and integral part of every step of the SAP Development Lifecycle which

    applies to all products. This includes security testing as well as a defined and established process to

    report and deal with potential security issues.

    SAP security solutions

    http://www.sap.com/security

    SAP security approach and vulnerability reporting

    http://www.sap.com/pc/tech/application-foundation-security/software/security-at-sap/index.html

  • Thank you

    Contact information

    Andrea Kristen

    SAP HANA Product Management

