
Securing your SAP Database with AIX Encrypted File System (EFS)

Applies to: SAP systems using IBM DB2 LUW on AIX V6 platform.

For more information, visit the Landscape Design and Architecture homepage.

Summary

This document describes how to take advantage of the new Encrypted File System (EFS) feature in an SAP/DB2 environment. SAP customers running on IBM DB2 LUW can use this document as a step-by-step guide to enable this feature on their existing system. Some performance data is also provided, based on test analysis done at our lab.

Author: Lili Zhang

Company: IBM Canada

Created on: February 2009

Author Bio

Lili Zhang is a member of the IBM SAP Integration and Support Centre at the IBM Toronto Lab. Her current activities include testing of SAP R/3 with DB2 UDB and helping customers with problem analysis and troubleshooting. She is also a customer advocate, providing support for large customer accounts running SAP and DB2.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com © 2009 SAP AG 1


Table of Contents

1. Overview ..... 3
2. Preparation ..... 4
    2.1 EFS Prerequisites ..... 4
    2.2 Enabling EFS on the system ..... 5
    2.3 Modifying JFS2 file systems attribute to use EFS ..... 6
    2.4 Preparing the users db2<sid> and <sid>adm to use EFS ..... 7
        2.4.1 Adding a role with EFS authority to the users ..... 7
        2.4.2 Preparing keystore ..... 8
3. Encrypting data files ..... 11
4. Adding access to the encrypted file to user <sid>adm ..... 14
5. Test results ..... 15
    5.1 Test overview ..... 15
    5.2 Non-encrypted database vs. encrypted database ..... 15
        Test 1: Standard SAP SD Benchmark ..... 15
        Test 2: Zmerge ..... 19
        Test 3: Client copy/Client delete/SGEN ..... 22
    5.3 Encrypting specific table spaces ..... 22
    5.4 Test Summary ..... 23
6. Other consideration ..... 23
Related Content ..... 24
Disclaimer and Liability Notice ..... 25


1. Overview

AIX V6.1 has introduced a new security feature, the encrypted file system (EFS), which provides the ability to encrypt JFS2 file systems at the file level. With this feature, you can encrypt tablespace container files to add extra protection to your sensitive data.

This document will guide you through the steps needed to encrypt your existing SAP database with EFS, and you can also use the performance result as a reference when considering EFS on your system.

The SID AXV will be used for all examples throughout this document.

EFS

The Encrypted File System (EFS) provides file-level encryption for JFS2 file systems. Each file is encrypted with a unique AES symmetric key. The key and the underlying algorithm for each file are saved in the file metadata. The file is encrypted before being written to disk and decrypted when it is read from disk into memory.

EFS uses RSA private and public key pairs to protect each symmetric key. These keys are stored in containers named keystores. For most operations, the use of encrypted files is transparent to the users. A user keystore is opened and loaded upon successful login, or through the efskeymgr command. Once the keys are loaded into the kernel, they are associated with the process credentials. If a user requires access to an encrypted file, the traditional file permissions are checked first. If that check passes, the next step is to verify that the user has loaded a private key corresponding to one of the public keys that can open the file. If both conditions are satisfied, the user has access to the file; otherwise, access is denied.

There are two ways to encrypt files:

• Explicitly, by executing the efsmgr -e command on each file that needs to be encrypted.

• Implicitly, through EFS inheritance. EFS inheritance can be activated at the file system level, at the directory level, or both. Newly created files under such a directory or file system are encrypted automatically with the inherited cipher.


2. Preparation

2.1 EFS Prerequisites

In order to use EFS, the system must meet the following prerequisites:

1. Operating System level should be AIX 6.1 or later.

2. CLiC (cryptographic library) at level 430 must be installed.

3. RBAC (Role Based Access Control) must be enabled.

Checking Operating System level

Your operating system level needs to be AIX V6.1 or later. This information can be obtained with the oslevel command.

Example:

# oslevel
6.1.0.0

Installing the CLiC library

The CLiC Crypto Library fileset (clic.rte package) can be found on the expansion pack media. To verify that the library is installed on your system, use the lslpp command.

Example:

# lslpp -L clic*
Fileset                 Level    State  Type  Description (Uninstaller)
----------------------------------------------------------------------------
clic.rte.includes       4.3.0.0  C      F     CryptoLite for C Library Include File
clic.rte.kernext        4.3.0.0  C      F     CryptoLite for C Kernel
clic.rte.lib            4.3.0.0  C      F     CryptoLite for C Library
clic.rte.pkcs11         4.3.0.0  C      F     PKCS11 Software Token Support

Enabling role based access control

Role based access control is a method to delegate roles and authorizations among one or more general user accounts. By default, enhanced RBAC mode is on for a newly installed system.

To determine whether the enhanced RBAC feature is active, use the lsattr command.

Example:

# lsattr -El sys0 -a enhanced_RBAC
enhanced_RBAC true Enhanced RBAC Mode True


2.2 Enabling EFS on the system

Connect to the system as the root user, or as a member of the group security with the additional aix.security.efs authorization, and execute the command efsenable -a. This command prepares the system to use EFS. After the command has executed successfully, the EFS keystores are created under the directory /var/efs, and the files /etc/security/user and /etc/security/group are updated with the new EFS attributes.

If you run the command without any other options, it enables EFS on your system with the default values. The key algorithm and the encryption cipher can be changed later with the efskeymgr and efsmgr commands.

Syntax

efsenable -a [ -v ] [ -k <algo> ] [ -f <cipher> ] [ -m <mode> ] [ -u <yes|no> ] [ -e <algo> ]

Flags

-a Activates the EFS capability on a system.

-v Verbose mode.

-k algo

Default algorithm for keys. The algo flag can be one of the following values:

RSA_1024 (by default)

RSA_2048

RSA_4096

-f cipher

Default cipher for files. The cipher flag can be one of the following values:

AES_128_CBC (by default)

AES_192_CBC

AES_256_CBC

AES_128_ECB

AES_192_ECB

AES_256_ECB

-m mode

Default mode for keystores. The mode flag can be one of the following values:

admin (by default)

guard

-u [yes|no] Specifies if the user can change the mode. Default value is "yes".

-e algo

Algorithm for the EFS administration key. The possible algo values are the same as those of the -k flag.

-q Displays the list of available algorithms for keystores and ciphers for files.

Example:

# efsenable -a
Enter password to protect your initial keystore:
Enter the same password again:

Note: This command only needs to be executed once on your system.


2.3 Modifying JFS2 file systems attribute to use EFS

To activate EFS on a file system, the file system attribute "EFS enabled" needs to be set to YES; this automatically changes the "Extended attribute format" value to V2. You can make the change through smit or with the crfs command.

Note: You need to change the attribute for every file system that requires EFS.

Example: [screenshot omitted]


2.4 Preparing the users db2<sid> and <sid>adm to use EFS

The following tasks need to be performed for the users db2<sid> and <sid>adm.

2.4.1 Adding a role with EFS authority to the users

This task can be performed through smit or at the command line. The following commands can be used:

• lsauth: list authorizations

• mkrole: create a new role

• chuser: change user roles

• lsrole: list roles

• lsuser: list user attributes

1. Check the authorization name for EFS:

Example:

# lsauth ALL | grep efs
aix.security.efs id=6130 dfltmsg=Encrypted Filesystem Keystores Administration msgcat=sysauths.cat msgset=8 msgnum=19

2. Create a new role with EFS authorization:

Example:

# mkrole authorizations=aix.security.efs sapefsrole
# lsrole ALL | grep sapefsrole
sapefsrole authorizations=aix.security.efs rolelist= groups= visibility=1 screens=* msgcat= id=22

3. Add the new role to the users:

Example:

# chuser roles=sapefsrole db2axv
# lsuser db2axv
db2axv id=212 pgrp=dbaxvadm groups=dbaxvadm,sapinst home=/db2/db2axv shell=/bin/csh gecos=Database Administrator login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=1 maxage=13 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=8 histexpire=0 histsize=8 pwdchecks= dictionlist= efs_initialks_mode=admin efs_keystore_algo=RSA_1024 efs_keystore_access=file efs_adminks_access=file efs_allowksmodechangebyuser=yes efs_file_algo=AES_128_CBC fsize=-1 cpu=-1 data=-1 stack=-1 core=-1 rss=-1 nofiles=2000 time_last_login=1226531187 time_last_unsuccessful_login=1226087555 tty_last_login=/dev/pts/9 tty_last_unsuccessful_login=/dev/pts/8 host_last_login=liliz1.torolab.ibm.com host_last_unsuccessful_login=liliz1.torolab.ibm.com unsuccessful_login_count=0 roles=sapefsrole

The last attribute in the lsuser output, roles=sapefsrole, confirms that the role has been assigned to db2axv.


2.4.2 Preparing keystore

A keystore is automatically created when a password is set for the user. If your system was upgraded from a previous AIX version to AIX V6, the keystore for each user is created the first time the user logs in with a valid user id and password. If you log in as root and switch to another user, the keystore for that user is not created, because the password validation is bypassed.

The user keystore has two modes of operation:

• root admin mode.

• root guard mode.

Root admin mode is the default setting, in which the root user can access the keystores of users or groups and reset their passwords. In root guard mode, the root user cannot access other users' passwords; this provides protection against a malicious root user. In root guard mode, if a user loses the keystore password, no one can access the keys, and the encrypted files owned by that user cannot be decrypted.

After a keystore is created, a directory for that user is created under /var/efs/users. The initial password of a user keystore is the user's login password. You can use the efskeymgr -n command to change the keystore password; however, we recommend keeping the keystore password the same as the login password. This way, the keystore is opened automatically and the keys are loaded into the kernel upon successful login. Otherwise, you have to run the efskeymgr -o command to load the keys into the kernel explicitly.

Note: The operating system password and the keystore password are separate from each other. The passwd command only changes the operating system password. To keep the two passwords consistent, you need to run the efskeymgr -n command explicitly to change the keystore password after the login password is changed.

It is very important to have a good backup of the keystores. Only users with valid keys are able to access the encrypted files. When you transfer encrypted files from one machine to another, you also need to transfer the keystores of the users that require access to those files. The keystores are located under the /var/efs directory. For example, to transfer the keystore of user db2<sid> to another machine, copy the keystore file under the /var/efs/users/db2<sid> directory to the other machine. If the user also has group keys and admin keys, the keystore files under the /var/efs/efs_admin and /var/efs/groups/ directories also need to be transported.

Syntax

efskeymgr -?

efskeymgr -q

efskeymgr -V

efskeymgr -C <group>

efskeymgr [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -v

efskeymgr [ -d ] [ -k <ks> ] -m

efskeymgr [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -o <cmd>

efskeymgr [ -d ] [ -c <cmd> ]

efskeymgr [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -n

efskeymgr [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -r <mode>

efskeymgr [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -s <ks2>

efskeymgr [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -S <ks2>

efskeymgr [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -R <algo>

efskeymgr [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -D <fp>


efskeymgr [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -e <file>

Flags

General flags:

-d Verbose mode.

-g Does not process pending operations when opening the keystore.

-k ks

The operation is targeted to the ks keystore instead of the active user's keystore. The ks value can be as follows:

user/<login>

User <login> keystore.

group/<grpname>

Group <grpname> keystore.

admin/

EFS administration keystore.

-p pw

Password to use to open the keystore. It is not advised to use this as it can be seen by other users using the ps command, for example.

Flags for commands (no access to the keystore files):

-? Displays the command help and exits.

-q Displays a list of supported algorithms for the key regeneration.

-V Displays the keys associated with the active process credentials in the kernel.

Flags for commands (read-only access to keystores):

-c <cmd> Removes all keys from the kernel, then runs the cmd command. The keys are restored when the cmd command terminates.

-m Lists all pending operations on the keystore.

-o <cmd> Opens the keystore and pushes the keys, then runs the cmd command. The keys are discarded when the cmd command terminates.

-v Displays the content of the keystore file.

Flags for commands (read/write access to keystores):

-C <group> Creates the keystore of the group group.

-D <fp> Removes a deprecated private key from the keystore. The fp value is the key fingerprint.

-e <file> Exports a keystore to a file. The file is PKCS#12 encoded and contains the public and private keys from the keystore. This file can be used in openssh, for example.

-n

For user keystores, prompts for a new password for the keystore. For group keystores, generates a new access key and sends to group members. For admin keystores, generates a new access key. The key must then be sent to the EFS administrators with the efskeymgr command.

-R <algo> Regenerates the keystore private key. See the -q flag for the valid values for the algo parameter.


-r <mode>

Changes the keystore administration mode. The mode value can be as follows:

admin

The EFS administrator can administrate the keystore. Pending operations are applied automatically.

guard

The EFS administrator cannot manage the keystore. The user is prompted for any pending operation.

-S <ks2> Removes the ks2 access key from the keystore. On subsequent opening of keystore, the ks2 private key will no longer be pushed automatically.

-s <ks2> Sends the keystore access key to the ks2 keystore. On subsequent opening of the ks2 key, the keystore private key will be loaded automatically.

Examples:

Checking the content of the keystore:

db2axv 1> efskeymgr -v
Keystore content:
Keystore owner ............ : uid 212
Keystore mode ............. : admin: managed by EFS administrator
Password changed last on .. : 10/29/08 at 12:58:23
Private key:
  Algorithm : RSA_1024
  Fingerprint : d7aa56a2:6541069b:9c8765d2:48f6450b:8b3c828c
  Validity : This key is valid.

Loading keys into the kernel:

db2axv 8> efskeymgr -o csh
db2axv's EFS password:

Displaying the keys loaded in the kernel:

db2axv 10> efskeymgr -V
List of keys loaded in the current process:
Key #0:
  Kind ..................... User key
  Id (uid / gid) ........... 212
  Type ..................... Private key
  Algorithm ................ RSA_1024
  Validity ................. Key is valid
  Fingerprint .............. d7aa56a2:6541069b:9c8765d2:48f6450b:8b3c828c


3. Encrypting data files

Only the owner of a file has the authority to encrypt and decrypt that file. For an SAP database, the owner of the data files is db2<sid>.

Before encrypting the data files, please verify the following:

• All db2 processes are stopped.

• Encryption cannot be performed on a file that is being used by a running process. All processes that might be accessing the file must be stopped; otherwise, the command fails.

• The private keys for user db2<sid> are loaded into the kernel, as described in section 2.4.2.

The efsmgr command manages file encryption and decryption for encrypted file systems. For existing data files, you need to run efsmgr -e explicitly on each file that requires encryption. If you want newly created files (e.g. table space containers) to be encrypted automatically, set the encryption inheritance on the file system or the directory. All newly created files are then encrypted by default with the inherited cipher.

Note: Setting or removing inheritance on a directory or a file system has no effect on the existing files. The efsmgr command must be used explicitly to encrypt or decrypt those files.

Syntax

efsmgr -?

efsmgr -q [-v]

efsmgr -C <cipher> [-v]

efsmgr [ -c <cipher> ] -e <file> [-v]

efsmgr [ -c <cipher> ] [ -s ] -E <dir> [-v]

efsmgr [ -c <cipher> ] -t <file> [-v]

efsmgr [ -c <cipher> ] [ -s ] -T <dir> [-v]

efsmgr -d <file> [-v]

efsmgr [ -s ] -D <dir> [-v]

efsmgr -l <file> [-v]

efsmgr [ -s ] -L <dir> [-v]

efsmgr -a <file> [ -u <user> | -g <group> ] [-v]

efsmgr -r <file> [ -u <user> | -g <group> ] [-v]

Flags

-c <cipher> Uses this cipher instead of the inherited or the default cipher. See the -q command for the valid cipher values.

-g <group> The group to be added to or removed from the EFS access list. The group value can be either the gid or the group name.

-s

The operation is targeted to a file system rather than a directory. In this case, the dir parameter must be the mount point of a file system with EFS support.

-u <user> The user to be added to or removed from the EFS access list. The user value can be either the uid or the login name.

-v Verbose mode.


-? Displays the command help and exits.

-a <file> Adds access to the specified file to a list of users and groups specified with the -u and -g flags.

-C <cipher> Changes the default cipher for your user to the cipher value.

-D <dir> Removes the inheritance on the directory. To apply the command on the whole file system, you must add the -s flag.

-d <file> Decrypts the specified file.

-E <dir> Sets the inheritance on the dir directory. To apply the command on the whole file system, you must add the -s flag.

-e <file> Encrypts the specified file.

-L <dir> Displays the inherited cipher on the specified directory.

-l <file> Lists the encryption information of the specified file: cipher, and keys that can decrypt the file.

-q Displays a list of supported ciphers.

-r <file> Revokes access to the specified file to a list of users and groups specified with the -u and -g flags.

-T <dir> Changes the inherited cipher on the specified directory. To apply the command on the complete file system, you must add the -s flag.

-t <file> Refreshes the encryption keys of the specified file. This can also be used to change the file cipher.

Examples:

Encrypting a file:

db2axv 7> pwd
/db2/AXV/sapdata1/NODE0000
db2axv 9> efsmgr -e AXV#BTABD.container000
db2axv 11> efsmgr -l AXV#BTABD.container000
EFS File information:
Algorithm: AES_128_CBC
List of keys that can open the file:
Key #1:
  Algorithm : RSA_1024
  Who : uid 212
  Key fingerprint : d7aa56a2:6541069b:9c8765d2:48f6450b:8b3c828c

Decrypting a file:

db2axv 30> pwd
/db2/AXV/sapdata1/NODE0000
db2axv 31> efsmgr -d AXV#BTABD.container000
db2axv 32> efsmgr -l AXV#BTABD.container000
Error getting EFS attributes: Cannot find the requested security attribute.

Setting encryption inheritance for the directory:

db2axv 33> efsmgr -E NODE0000
db2axv 34> efsmgr -L NODE0000
EFS inheritance is set with algorithm: AES_128_CBC


Disabling encryption inheritance for the directory:

db2axv 42> efsmgr -D NODE0000
db2axv 43> efsmgr -L NODE0000
Error getting EFS attributes: Cannot find the requested security attribute.

efsmgr can only be run on a single file or directory. To encrypt all the files under the sapdata directories, execute efsmgr within a find command:

Example (with a find command):

db2axv 52> find /db2/AXV/sapdata* -type f -exec efsmgr -e {} \;
db2axv 53> find /db2/AXV/sapdata* -type d -exec efsmgr -E {} \;

The command ls -U marks the entries of encrypted files with an "e" following the permission bits:

db2axv 55> pwd
/db2/AXV/sapdata1/NODE0000
db2axv 56> ls -U
total 187077400
-rw-------e 1 db2axv dbaxvadm 13404995584 Nov 27 10:39 AXV#BTABD.container000
-rw-------e 1 db2axv dbaxvadm  3103784960 Nov 27 10:39 AXV#BTABI.container000
-rw-------e 1 db2axv dbaxvadm   387973120 Nov 25 16:46 AXV#CLUD.container000
-rw-------e 1 db2axv dbaxvadm    54525952 Nov 25 16:46 AXV#CLUI.container000
-rw-------e 1 db2axv dbaxvadm  1358954496 Nov 27 10:38 AXV#DBD.container000
-rw-------e 1 db2axv dbaxvadm   314572800 Nov 26 20:04 AXV#DBI.container000
-rw-------e 1 db2axv dbaxvadm  3347054592 Nov 27 10:38 AXV#DDICD.container000
-rw-------e 1 db2axv dbaxvadm   746586112 Nov 25 16:56 AXV#DDICI.container000
-rw-------e 1 db2axv dbaxvadm   104857600 Nov 25 17:24 AXV#DIMD.container000
-rw-------e 1 db2axv dbaxvadm   104857600 Nov 25 17:24 AXV#DIMI.container000
-rw-------e 1 db2axv dbaxvadm   157286400 Nov 25 16:56 AXV#DOCUD.container000
-rw-------e 1 db2axv dbaxvadm   146800640 Nov 25 16:56 AXV#DOCUI.container000
-rw-------e 1 db2axv dbaxvadm  1719664640 Nov 27 10:38 AXV#EL700D.container000
-rw-------e 1 db2axv dbaxvadm    83886080 Nov 26 20:04 AXV#EL700I.container000
-rw-------e 1 db2axv dbaxvadm 30016634880 Nov 27 10:38 AXV#ES700D.container000
-rw-------e 1 db2axv dbaxvadm  7327449088 Nov 26 20:04 AXV#ES700I.container000
-rw-------e 1 db2axv dbaxvadm  3527409664 Nov 25 17:25 AXV#FACTD.container000
-rw-------e 1 db2axv dbaxvadm  1178599424 Nov 25 17:27 AXV#FACTI.container000
-rw-------e 1 db2axv dbaxvadm   104857600 Nov 27 08:33 AXV#LOADD.container000


4. Adding access to the encrypted file to user <sid>adm

To access the encrypted data files, the db2 processes must have the appropriate EFS credentials associated with them. In an SAP environment, the DB2 instance is started by user <sid>adm. Therefore, user db2<sid> needs to grant user <sid>adm access to all the encrypted data files.

You can execute the efsmgr -a command on each encrypted file one by one, or use it within a find command to grant access to all the files.

Example:

db2axv 60> pwd
/db2/AXV/sapdata1/NODE0000
db2axv 62> efsmgr -a AXV#USER1D.container000 -u axvadm
db2axv 69> efsmgr -l AXV#USER1D.container000 -u axvadm
EFS File information:
Algorithm: AES_128_CBC
List of keys that can open the file:
Key #1:
  Algorithm : RSA_1024
  Who : uid 211
  Key fingerprint : 1f47e082:0fe0a825:e6299171:3b8640e5:8485ffa2
Key #2:
  Algorithm : RSA_1024
  Who : uid 212
  Key fingerprint : d7aa56a2:6541069b:9c8765d2:48f6450b:8b3c828c

The above example shows that two users (uid 211 and uid 212) have access to the file.

Example (using a find command to grant access to all the encrypted files under sapdata*):

db2axv 11> find /db2/AXV/sapdata* -type f -exec efsmgr -a {} -u axvadm \;

After access has been granted, user <sid>adm will be able to start SAP successfully, provided that the user's keystore keys are loaded in the kernel when the startsap command is called. You can display the keys in the kernel by running the efskeymgr -V command, as described in section 2.4.2.
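As an added example (not part of the original document), the POSIX shell functions below parse the efsmgr -l output shown in sections 3 and 4 and audit every container file under the sapdata directories for the required keys, so you can confirm that both db2<sid> (uid 212 in this document) and <sid>adm (uid 211) can open each file before calling startsap. The function names and the audit driver are this example's own assumptions; efsmgr itself is only invoked when it is present on the host.

```shell
#!/bin/sh
# Added example, not from the original document: audit which EFS keys can open
# each tablespace container, using the "efsmgr -l" output format shown in
# sections 3 and 4. Function names and the audit driver are this example's own.

# Read "efsmgr -l" output on stdin and print one principal per line
# (e.g. "uid 212"), taken from the "Who : ..." lines of the key list.
efs_key_ids() {
    awk '/^[[:space:]]*Who[[:space:]]*:/ {
        sub(/^[^:]*:[[:space:]]*/, "")   # drop the "Who :" label
        print
    }'
}

# Return 0 if the principal in $1 (e.g. "uid 211") can open the file whose
# "efsmgr -l" output is on stdin, 1 otherwise.
efs_has_access() {
    ids=$(efs_key_ids)
    printf '%s\n' "$ids" | grep -qxF -- "$1"
}

# Report every principal in $@ that is missing from the key list on stdin.
# The return value is the number of missing principals (0 = all can open it).
efs_missing_count() {
    ids=$(efs_key_ids)
    missing=0
    for p in "$@"; do
        if ! printf '%s\n' "$ids" | grep -qxF -- "$p"; then
            echo "missing $p"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Walk every regular file under the directories in $1 (a space-separated list
# such as "/db2/AXV/sapdata1 /db2/AXV/sapdata2") and print the files that are
# not encrypted or not openable by ALL of the principals in $2.. (for this
# document: "uid 212" for db2axv and "uid 211" for axvadm). Only does work on
# an AIX host where efsmgr is installed; run it as db2<sid> with keys loaded.
efs_audit_containers() {
    dirs=$1; shift
    if ! command -v efsmgr >/dev/null 2>&1; then
        echo "efsmgr not found; nothing audited" >&2
        return 2
    fi
    find $dirs -type f -print | while IFS= read -r f; do
        efsmgr -l "$f" 2>/dev/null | efs_missing_count "$@" >/dev/null ||
            echo "NOT ENCRYPTED OR MISSING A KEY: $f"
    done
}

# Constructed sample, copied from the document's "efsmgr -l" output for
# AXV#USER1D.container000 after access was granted to axvadm (uid 211).
SAMPLE_TWO_KEYS='EFS File information:
Algorithm: AES_128_CBC
List of keys that can open the file:
Key #1:
  Algorithm : RSA_1024
  Who : uid 211
  Key fingerprint : 1f47e082:0fe0a825:e6299171:3b8640e5:8485ffa2
Key #2:
  Algorithm : RSA_1024
  Who : uid 212
  Key fingerprint : d7aa56a2:6541069b:9c8765d2:48f6450b:8b3c828c'

# Self-check on the sample: both the owner and <sid>adm must be listed.
if printf '%s\n' "$SAMPLE_TWO_KEYS" | efs_missing_count "uid 212" "uid 211"; then
    echo "sample container: db2axv and axvadm can both open it"
fi
# On the real host you would run, as db2axv after loading the keys:
#   efs_audit_containers "/db2/AXV/sapdata1 /db2/AXV/sapdata2" "uid 212" "uid 211"
```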


5. Test results

In this section, we compare the test results of an encrypted database and a non-encrypted database to identify the performance impact of EFS on the SAP system.

We concentrate on evaluating the impact of encryption on runtime and CPU usage. The nmon tool is used to collect performance data, which is analyzed with the nmon_analyzer program.

5.1 Test overview

Hardware:

SAP host: IBM eServer P5 570, PowerPC_POWER5 CPU divided into 2 LPARs, 16 GB of RAM.

Software:

Operating System: AIX v6.1

SAP release: SAP ECC 6.0 SR2, system id AXV

DB2 release: DB2 LUW V9.1 FP5

File system layout:

The database size is 97GB, with 34 regular table spaces. All of the database tablespace containers were located in the subdirectory sapdata1 placed on a single ESS volume.

5.2 Non-encrypted database vs. encrypted database

In this section, encrypted database means all the regular tablespace container files are encrypted with EFS. The logs are not encrypted during these tests.

Test 1: Standard SAP SD Benchmark

Our benchmark test uses 300 users and 10 loops. The benchmark driver is running on a separate server.

Runtime: the runtime difference is 1.58%.

                Non-encrypted   Encrypted   Difference
Runtime (sec)   1903            1933        1.58%


Physical CPU usage over runtime is demonstrated in the following graph:

At the high load interval, the average number of physical CPUs used is 3.24 for the non-encrypted database and 3.34 for the encrypted database.

System overview for CPU and disk throughput on a non-encrypted database:


System overview for CPU and disk throughput on an encrypted database:

Comparing the total read & write rate vs. runtime:

At the high-load interval, the average disk read & write rate is 3492 KB/sec for the non-encrypted database and 3419 KB/sec for the encrypted database.


Comparing system CPU usage:

The above graph shows that system CPU usage is higher for the encrypted database.

Comparing user CPU usage:

Overall, the performance impact of encryption is very small for the benchmark test:

• The runtime degradation is 1.58%.
• CPU usage at high workload increased from 3.24 to 3.34 physical CPUs. The increase comes from system CPU usage; user CPU usage is about the same.


Test 2: Zmerge

The Zmerge test is an SAP internal test program consisting of several implementations of the BW ‘compression’ (condense) process:

• Insert/Update
• Update via Temp Table
• Merge statement
• Insert/Merge combination

Runtime: the runtime difference is 12.4%.

                Non-Encrypted   Encrypted   Difference
Runtime (sec)            5695        6401        12.4%

The increase in CPU usage and runtime is shown in the following graph:

The average physical CPU used is 1.0 on the non-encrypted database and 1.1 on the encrypted database.


Overview for CPU and disk throughput on non-encrypted database:

Overview for CPU and disk throughput on encrypted database:

The above graph shows that the Sys% value increases as the disk throughput rate goes up.


Comparing system CPU usage:

System CPU usage increased: the average sys% is 1.26% for the non-encrypted database and 5.03% for the encrypted database.

Comparing disk throughput rate:

This graph confirms that the disk read & write rate is lower for the encrypted database. The average read & write rate for the non-encrypted database is 8871 KB/sec, and 7674 KB/sec for the encrypted database. Overall, the performance impact for the zmerge test is noticeable:

• There is a 12% degradation in runtime.
• The average physical CPU usage increased from 1.0 to 1.1. System CPU usage increased from 1.26% to 5.05%.


Test 3: Client copy/Client delete/SGEN

Client Copy / Client Delete are standard SAP transactions that copy or delete client-specific data to/from SAP tables. SGEN is for SAP code generation. These test cases do not stress CPU or I/O as much as the benchmark and zmerge tests.

The runtime difference between the non-encrypted and encrypted database:

                Non-Encrypted   Encrypted   Difference
SGEN (sec)              11083       11797           6%
Client Copy (sec)        4245        4756          12%
Client Delete (sec)      3677        3905           6%

5.3 Encrypting specific table spaces

In this section, we have encrypted only the tablespaces BTABD and BTABI. These two tablespaces are used by the benchmark test. The same benchmark test is performed with 300 users and 10 loops.

The following table shows that overall physical CPU usage and system CPU usage are lower than with the fully encrypted database. The runtime results are very close across the three benchmark runs.

                Non-Encrypted   Encrypted DB   Encrypted TBS
Runtime (sec)            1903           1933            1894
PhysCPU                  2.23           2.32            2.27
VP_Usr%                  47.7           48.8            48.8
VP_Sys%                  4.78            6.1            5.11


5.4 Test Summary

The performance impact of encryption is directly related to the amount of disk activity.

Since the encryption and decryption work is done as part of the read/write system calls, we have noticed that system CPU usage increased for all the test cases. The higher the disk throughput rate, the higher the system CPU usage compared to the non-encrypted database. For the benchmark test explained earlier, the Sys% value increased by 2 percent. However, in the zmerge test, which has a higher disk throughput, system CPU usage increased by 3.7% (1.26% vs 5.05%). User CPU usage does not change significantly. Overall, there will be a slight increase in total CPU usage.

The runtime difference depends on the disk activity and on the number of SAP processes running the job. Zmerge and some other SAP tests use only one SAP process, and the job involves heavy disk read and write activity; as we have observed, the runtime degradation can be as high as 12%. On the other hand, the benchmark test uses multiple SAP processes, and its runtime difference is 1.58%.

You can choose to encrypt only the tablespaces with sensitive data instead of encrypting the whole database. This will save system resources and reduce the performance impact of encryption.

6. Other considerations

• EFS can only be used for the database files. It has no functionality to automatically encrypt a database backup. To encrypt the backup image, you can run efsmgr –e on the backup image after the db2 backup command has completed, or put the backup image in a directory where encryption inheritance is enabled. The owner of the file can also grant other users access to the backup image, so that it can be restored by a different user.

• Key management is critical, as an encrypted file is not accessible without the keys. It is very important to have a backup of the keystore, and the user password for the keystore needs to be well maintained.

• 4KB is added to each encrypted file to store the encryption metadata.

• A temporary file is created in the directory during the encryption and decryption process. The amount of free space on the file system should be greater than the size of the file to be encrypted or decrypted. Otherwise, you will get a “file system full” error.

• The file systems /var, /usr, and /opt cannot be enabled to use EFS.

• If a JFS2 filesystem has been changed to EFS enabled, the change is permanent.

• NFS export of an EFS file system is not supported.
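The backup-image and free-space points above, combined into one post-backup helper. This is an added example, not a script from the original document; it assumes efsmgr is in PATH, that the caller's EFS keystore is already open, and that the `efsmgr -a <file> -u <user>` form for granting access is available on your AIX release.

```shell
#!/bin/sh
# Added example, not from the original document: encrypt a finished DB2
# backup image on an EFS-enabled JFS2 file system, as section 6 describes.
# Assumptions: efsmgr is in PATH, the caller's EFS keystore is already
# open, and the optional grantee is an existing AIX login with a keystore.

# Space the image needs once encrypted: its size in KB rounded up, plus
# the 4 KB of encryption metadata EFS adds to every encrypted file.
kb_needed() {
    bytes=$(wc -c < "$1")
    echo $(( (bytes + 1023) / 1024 + 4 ))
}

# Free space in KB on the file system holding a path. df -P gives the
# POSIX column layout (free space in column 4) on both AIX and Linux.
free_kb_for() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# EFS writes a temporary copy next to the file while encrypting, so free
# space must exceed the file size or efsmgr fails with "file system full".
# Returns 0 when there is room, 1 otherwise.
has_room_to_encrypt() {
    [ "$(free_kb_for "$(dirname "$1")")" -gt "$(kb_needed "$1")" ]
}

# Encrypt the backup image in place after the db2 backup has completed and,
# optionally, grant a second user (e.g. the restore operator) access to it.
encrypt_backup_image() {
    image=$1
    grantee=${2:-}
    if [ ! -f "$image" ]; then
        echo "no such backup image: $image" >&2
        return 2
    fi
    if ! has_room_to_encrypt "$image"; then
        echo "not enough free space to encrypt $image" >&2
        return 1
    fi
    efsmgr -e "$image" || return 1
    if [ -n "$grantee" ]; then
        # Assumed syntax: efsmgr -a <file> -u <user> adds the user to the
        # file's EFS access list; check efsmgr(1) on your AIX release.
        efsmgr -a "$image" -u "$grantee" || return 1
    fi
}

# Usage: sh encrypt_backup.sh /path/to/backup_image [user_to_grant]
[ $# -eq 0 ] || encrypt_backup_image "$@"
```

The free-space check runs before efsmgr is invoked, so a full file system is reported up front instead of as a failed encryption half-way through the image.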


Related Content

1. AIX v6 Advanced Security Features – Introduction and Configuration (Sep 2007) www.redbooks.ibm.com/redbooks/pdfs/sg247430.pdf

2. AIX v6.1 Differences Guide www.redbooks.ibm.com/redbooks/pdfs/sg247559.pdf

3. Locking down files with Encrypted file system http://www.ibmsystemsmag.com/opensystems/augustseptember08/administrator/21607printp1.aspx?ht=

4. Understanding EFS http://www.ibm.com/developerworks/aix/library/au-efs/index.html

5. nmon for AIX and Linux performance monitoring http://www.ibm.com/developerworks/wikis/display/WikiPtype/nmon

6. nmon Analyzer http://www.ibm.com/developerworks/wikis/display/WikiPtype/nmonanalyser

7. AIX info center http://publib.boulder.ibm.com/infocenter/systems/index.jsp


Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.