SAP HANA SPS08 Security
Transcript

  • 1. SAP HANA SPS 08 - What’s New? Security
    SAP HANA Product Management, May 2014 (delta from SPS 07 to SPS 08)
  • 2. Agenda
    © 2014 SAP AG. All rights reserved. Public
    Miscellaneous; Authentication; User/role management; Encryption; Audit logging; Documentation
  • 3. Miscellaneous
  • 4. SAP HANA studio: production system warning
    SAP HANA studio warns users when they are working on a production system. If the new parameter system_usage was set to production during system installation, SAP HANA studio warns users when they are about to perform potentially critical operations, e.g. executing SQL statements, restarting the system or performing a data backup.
    The global.ini configuration file contains a new parameter usage in the [system_information] section that allows you to configure system usage after installation.
  • 5. Authentication
  • 6. New alert for password expiration
    This alert notifies SAP HANA administrators that a user password is about to expire. In general, users are notified that their password is about to expire and needs to be changed. Since technical users might never see this notification, a new alert with priority MEDIUM has been introduced to avoid technical users being locked out because their password has expired.
    Note: You should disable the forced password change for individual technical users, or choose a different authentication mechanism such as Kerberos or SAML.
    Configuring the alert thresholds
      Prerequisite: system privilege INIFILE ADMIN
      1. In the Administration editor in SAP HANA studio, open the Alerts tab and choose the Configure... button.
      2. Open the Configure Check Thresholds tab and choose check 62.
      3. Specify the threshold values.
    Switching off the alert: see SAP Note 1991615
  • 7. SAML identity provider configuration moved
    The configuration page for SAML identity providers was moved to the Security editor in SAP HANA studio. Formerly, this configuration page was available in the system properties.
    Configuring SAML providers
      Prerequisite: system privilege USER ADMIN
      1. In the Systems view in SAP HANA studio, double-click Security and open the SAML Identity Providers tab.
      2. Select the relevant cryptographic provider.
      3. Choose Add and enter the identity provider name.
      4. Either import the subject and issuer or enter this information manually.
      5. Choose the Deploy button.
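The two authentication slides above describe what to do for technical users (disable the forced password change) and for interactive users (move them to SAML). The following SQL is an added example, not code from the SAP deck: it finds password-authenticated users approaching expiry, exempts a technical user from the lifetime check, and maps an interactive user to a SAML provider. The user names TECH_ETL and ALICE, the provider CORP_IDP and its subject/issuer strings, the 14-day warning window and the 182-day lifetime are illustrative assumptions.

```sql
-- Added example (not from the SAP deck). Assumed names: TECH_ETL, ALICE,
-- CORP_IDP; assumed maximum_password_lifetime = 182 days (the default),
-- assumed warning window = 14 days.

-- 1. Read the effective password lifetime. DEFAULT is overridden by a
--    SYSTEM-layer row if one exists, so look at all layers.
SELECT LAYER_NAME, HOST, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'indexserver.ini'
   AND SECTION   = 'password policy'
   AND KEY       = 'maximum_password_lifetime';

-- 2. Password-authenticated users still subject to the lifetime check whose
--    password is older than (lifetime - window) days: these are the accounts
--    alert 62 will soon report. Technical accounts show up here because
--    nobody logs in interactively to see the "change your password" prompt.
SELECT USER_NAME, LAST_PASSWORD_CHANGE_TIME, LAST_SUCCESSFUL_CONNECT
  FROM SYS.USERS
 WHERE IS_PASSWORD_ENABLED = 'TRUE'
   AND IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'TRUE'
   AND LAST_PASSWORD_CHANGE_TIME <= ADD_DAYS(CURRENT_TIMESTAMP, -(182 - 14))
 ORDER BY LAST_PASSWORD_CHANGE_TIME;

-- 3. Technical user: keep the password, but stop the forced change so a
--    batch job does not fail on the day the password expires.
ALTER USER TECH_ETL DISABLE PASSWORD LIFETIME;

-- 4. Interactive user: register the identity provider (this is what the
--    SAML Identity Providers tab writes) and map the user to it.
CREATE SAML PROVIDER CORP_IDP
    WITH SUBJECT 'CN=idp.corp.example, O=Example Corp, C=DE'
         ISSUER  'CN=Example Corp Root CA, O=Example Corp, C=DE';
ALTER USER ALICE ADD IDENTITY 'alice@corp.example' FOR SAML PROVIDER CORP_IDP;

-- 5. Once SAML logon is verified, remove the password so the account has
--    no expiring secret left and cannot be used with a leaked password.
ALTER USER ALICE DISABLE PASSWORD;
```

Keep step 3 to genuinely technical accounts and record each exemption: a user with a non-expiring password is exactly the account an attacker prefers to compromise, so pair the exemption with a long random password and, where the client supports it, prefer the Kerberos or SAML path from steps 4 and 5 instead.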
  • 8. User/role management
  • 9. User names in Unicode
    User names can now contain Unicode characters. This enables you, for example, to have user names starting with a number. The supported format is CESU-8, with the following restrictions:
      • Only 1-, 2- and 3-byte CESU-8 characters are allowed (no supplementary-plane characters)
      • The characters listed in the table below are forbidden
      • In addition, the following characters are forbidden as the first character of a user name: #, $
    Syntax and semantics remain unchanged.
    Forbidden characters (code point, character, hex, name):
      U+0021  !  21  EXCLAMATION MARK
      U+0022  "  22  QUOTATION MARK
      U+0024  $  24  DOLLAR SIGN
      U+0025  %  25  PERCENT SIGN
      U+0027  '  27  APOSTROPHE
      U+0028  (  28  LEFT PARENTHESIS
      U+0029  )  29  RIGHT PARENTHESIS
      U+002A  *  2a  ASTERISK
      U+002B  +  2b  PLUS SIGN
      U+002C  ,  2c  COMMA
      U+002D  -  2d  HYPHEN-MINUS
      U+002E  .  2e  FULL STOP
      U+002F  /  2f  SOLIDUS
      U+003A  :  3a  COLON
      U+003B  ;  3b  SEMICOLON
      U+003C  <  3c  LESS-THAN SIGN
      U+003D  =  3d  EQUALS SIGN
      U+003E  >  3e  GREATER-THAN SIGN
      U+003F  ?  3f  QUESTION MARK
      U+0040  @  40  COMMERCIAL AT
      U+005B  [  5b  LEFT SQUARE BRACKET
      U+005C  \  5c  REVERSE SOLIDUS
      U+005D  ]  5d  RIGHT SQUARE BRACKET
      U+005E  ^  5e  CIRCUMFLEX ACCENT
      U+0060  `  60  GRAVE ACCENT
      U+007B  {  7b  LEFT CURLY BRACKET
      U+007C  |  7c  VERTICAL LINE
      U+007D  }  7d  RIGHT CURLY BRACKET
      U+007E  ~  7e  TILDE
  • 10. Restricted users (I)
    By default, new users created in SAP HANA can create objects within their own private schema and read public information. Restricted users initially have no privileges. Restricted users are intended for end users who access SAP HANA through applications; after creation they need to be granted the privileges and roles necessary to use the application.
    Restricted users initially
      • Cannot create objects in the database (they are not authorized to create objects in their own database schema)
      • Cannot view any data in the database (they are not granted, and cannot be granted, the standard PUBLIC role)
      • Can only connect via HTTP, not via ODBC or JDBC (to enable restricted users to connect via ODBC or JDBC, they need to be granted the standard roles RESTRICTED_USER_ODBC_ACCESS or RESTRICTED_USER_JDBC_ACCESS)
    Note: A database user created as a restricted user cannot be converted into a “normal” user.
  • 11. Restricted users (II)
    Creating a restricted user (no PUBLIC role!)
      Prerequisite: system privilege USER ADMIN
      1. In the Systems view in SAP HANA studio, choose Security → Users
      2. From the context menu, choose New User
      3. Specify the user information and select Restricted user
      4. Save the user by choosing the Deploy button
    Alternatively, you can use the SQL command CREATE RESTRICTED USER [...]
  • 12. Changes to the behavior of the SAP_HANA_INTERNAL_SUPPORT role
    The SAP_HANA_INTERNAL_SUPPORT role can now be granted to a configurable number of users. Previously only a single user could be granted this role.
    This role contains privileges that allow access to certain low-level internal system views needed by SAP HANA development support in support situations, which otherwise would only be accessible to the SYSTEM user. All access is read-only, and the role does not allow access to any customer data. The low-level internal system views are not part of the stable end-user interface and might change from revision to revision. To avoid users accidentally depending on these internal system views in applications or scripts, this role is subject to usage restrictions and should be granted only to SAP HANA development support users for their support activities.
    Configuring the internal_support_user_limit parameter
      Prerequisite: system privilege INIFILE ADMIN
      1. In the Administration editor in SAP HANA studio, open the Configuration tab
      2. Specify the maximum number of users who can be granted the role: global.ini file → [authorization] section → internal_support_user_limit parameter
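The slides in this section describe two things that are easy to get wrong from a GUI: creating a restricted application user without accidentally handing it the privileges of a normal user, and keeping the SAP_HANA_INTERNAL_SUPPORT role from lingering after a support case. The following SQL is an added example, not code from the SAP deck, and covers the Restricted users slides, the Unicode user-name slide, the SAP_HANA_INTERNAL_SUPPORT slide and the global.ini usage parameter from slide 4. The names DEV_USER, APP_USER, APP_ROLE, SUPPORT_USER_01, the SALES schema, the Unicode user name, the passwords and the limit value 2 are illustrative assumptions.

```sql
-- Added example (not from the SAP deck). Assumed names: DEV_USER, APP_USER,
-- APP_ROLE, SALES, SUPPORT_USER_01; assumed internal_support_user_limit = 2.
-- Statements need USER ADMIN (users/roles) or INIFILE ADMIN (configuration).

-- A normal user: receives PUBLIC implicitly and may create objects in its
-- own schema. Fine for a developer, too much for an application account.
CREATE USER DEV_USER PASSWORD "Initial-Pw-2014";

-- A restricted user: no PUBLIC role, no object creation in its own schema,
-- HTTP access only until the ODBC/JDBC role is granted explicitly.
CREATE RESTRICTED USER APP_USER PASSWORD "Initial-Pw-2014";

-- Grant only what the application needs, through a role rather than
-- directly, so the grant can be reviewed and revoked in one place.
CREATE ROLE APP_ROLE;
GRANT SELECT ON SCHEMA SALES TO APP_ROLE;
GRANT APP_ROLE TO APP_USER;
-- Only if a fat client must connect over JDBC; omit for pure XS/HTTP apps.
GRANT RESTRICTED_USER_JDBC_ACCESS TO APP_USER;

-- SPS 08: Unicode user names (1-3 byte CESU-8, i.e. BMP characters only).
-- A name that starts with a digit or contains non-ASCII letters must be
-- written as a quoted identifier; 4-byte characters such as emoji are not allowed.
CREATE RESTRICTED USER "2nd_shift_ümlaut_ユーザー" PASSWORD "Initial-Pw-2014";

-- Verification: the restricted flag, and which roles each user really holds.
SELECT USER_NAME, IS_RESTRICTED
  FROM SYS.USERS
 WHERE USER_NAME IN ('DEV_USER', 'APP_USER');

SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE IN ('DEV_USER', 'APP_USER')
 ORDER BY GRANTEE, ROLE_NAME;

-- Configuration: mark the system as production and cap the number of
-- holders of the support role. 'SYSTEM' is the system layer (all hosts);
-- WITH RECONFIGURE applies the value without a restart.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
      SET ('system_information', 'usage') = 'production',
          ('authorization', 'internal_support_user_limit') = '2'
      WITH RECONFIGURE;

-- Check the effective values across layers (a HOST row overrides SYSTEM,
-- which overrides DEFAULT).
SELECT LAYER_NAME, HOST, SECTION, KEY, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'global.ini'
   AND ( (SECTION = 'system_information' AND KEY = 'usage')
      OR (SECTION = 'authorization' AND KEY = 'internal_support_user_limit') )
 ORDER BY SECTION, KEY, LAYER_NAME;

-- Who holds the support role right now? Outside an open support case this
-- should return no rows; grant for the case, revoke when it is closed.
SELECT GRANTEE, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_NAME = 'SAP_HANA_INTERNAL_SUPPORT';

GRANT SAP_HANA_INTERNAL_SUPPORT TO SUPPORT_USER_01;
-- ... support session ...
REVOKE SAP_HANA_INTERNAL_SUPPORT FROM SUPPORT_USER_01;
```

In the GRANTED_ROLES result, DEV_USER should list PUBLIC while APP_USER lists only APP_ROLE and RESTRICTED_USER_JDBC_ACCESS; if PUBLIC appears for the application account, it was created with CREATE USER rather than CREATE RESTRICTED USER and, since the slide notes that the kind cannot be changed afterwards, must be dropped and recreated. The GRANTED_ROLES query for SAP_HANA_INTERNAL_SUPPORT is worth scheduling as a recurring check: the new limit only caps how many users can hold the role, it does not expire a grant.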
  • 13. Encryption
  • 14. Change of page encryption key for data volume encryption in SAP HANA Studio (I)
    You can now change the page encryption key for data volume encryption using SAP HANA studio.
    Changing the page encryption key
      Prerequisite: system privilege RESOURCE ADMIN
      1. In the Systems view in SAP HANA studio, choose Security and open the Data Volume Encryption tab
      2. Choose the Create new page encryption key button
      3. Choose the Deploy button
      4. Select whether you want to force a re-encryption of existing data with the new page key
  • 15. Change of page encryption key for data volume encryption in SAP HANA Studio (II)
    The page encryption key for data volume encryption is encrypted with the root key for data volume encryption. This root key in turn is encrypted within the server-side secure storage in the file system (SSFS). The root key is automatically created during installation.
    Note: If you want to use data volume encryption, it is recommended to activate it directly after installing the system.
    After activating data volume encryption, new data that is saved to disk (from the next savepoint on) is encrypted with the current page encryption key. Existing unencrypted data starts being encrypted in the background. After a change of the page encryption key, you can choose whether you also want to re-encrypt existing encrypted data with the new key (this also happens in the background).
    Key hierarchy: SSFS → data volume encryption root key → page encryption keys → SAP HANA data volumes
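The two encryption slides describe the studio workflow and the key hierarchy; what a practitioner usually wants is the scriptable equivalent and a way to confirm that the rotation actually happened. The following SQL is an added example, not code from the SAP deck. The ON and CREATE NEW KEY statements correspond to the "activate" and "Create new page encryption key" actions described above; the APPLY CURRENT KEY statement is the one I take to correspond to the "force a re-encryption of existing data" option and should be confirmed against the SQL Reference for your revision before use. Both monitoring views are read with SELECT * because their exact column set varies between revisions.

```sql
-- Added example (not from the SAP deck). Requires system privilege
-- RESOURCE ADMIN. APPLY CURRENT KEY is assumed to be the SQL behind the
-- studio re-encryption option; verify it in the SQL Reference.

-- 1. Activate data volume encryption. Do this directly after installation:
--    the less unencrypted data exists, the less has to be converted in the
--    background, and nothing sensitive ever hits disk in the clear.
ALTER SYSTEM PERSISTENCE ENCRYPTION ON;

-- 2. Rotate the page encryption key. Pages written from the next savepoint
--    onward use the new key; pages already on disk keep the key they were
--    written with ...
ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW KEY;

-- 3. ... unless you also request background re-encryption of existing pages,
--    which is what you want after a suspected key compromise.
ALTER SYSTEM PERSISTENCE ENCRYPTION APPLY CURRENT KEY;

-- 4. Confirm per host/port that encryption is active, and inspect the key
--    ring: one row per page key with its creation time. After step 2 a new
--    row must appear; after step 3 finishes, old keys should no longer be
--    referenced by any page.
SELECT * FROM SYS.M_PERSISTENCE_ENCRYPTION_STATUS;
SELECT * FROM SYS.M_PERSISTENCE_ENCRYPTION_KEYS;
```

Two caveats the slides imply but do not spell out. First, the whole hierarchy hangs off the root key in the SSFS: if the SSFS files are lost, every page key and therefore every data volume is unrecoverable, so the SSFS must be part of the backup and disaster-recovery plan and its file permissions must be restricted to the <sid>adm user. Second, the feature encrypts the data volumes; it does not by itself cover the log area or backups at this release, so check the Security Guide for how those are to be protected.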
  • 16. Audit logging
  • 17. Audit logging of previous values of configuration parameters
    The previous values of parameters are now written to the audit trail if audit logging of configuration changes has been enabled.
    Enabling audit logging for configuration changes
      Prerequisites: system privilege AUDIT ADMIN, auditing has been enabled
      1. In the Systems view, double-click Security and open the Auditing tab
      2. In the Audit Policies area, choose Create New Policy
      3. Enter the policy name
      4. Select SYSTEM CONFIGURATION CHANGE in Audited Actions
      5. Choose the Deploy button
  • 18. Multiple audit trails
    You can now configure multiple audit trail targets:
      • System-wide default: Audit entries are written to the audit trail target(s) configured for the system if no other trail target has been configured for their audit level
      • Audit level (optional): Audit entries from audit policies with the audit level EMERGENCY, CRITICAL or ALERT are written to the audit trail target(s) specified for that level. If no audit trail target is configured for the level, entries are written to the audit trail target configured for the system.
    Specifying multiple audit trail targets
      Prerequisites: system privilege AUDIT ADMIN, auditing has been enabled
      1. In the Systems view, double-click Security and open the Auditing tab
      2. In the Audit Level Trail Targets section, enter the audit trail targets for the different audit levels
      3. Choose the Deploy button
  • 19. Alert if the audit database table grows too large (I)
    To help administrators monitor database growth, an alert has been implemented for the size of the audit trail table.
    Using an SAP HANA database table as audit trail target makes it possible to query and analyze auditing information quickly, and it provides a secure, tamper-resistant storage location: audit entries are only accessible through the public system view AUDIT_LOG, this view is read-only, and old entries can only be deleted from the underlying internal table via a dedicated command by a user with system privilege AUDIT OPERATOR (see next slide).
    SAP HANA monitors the size of the audit table relative to the overall memory allocation limit of the system and issues an alert when it reaches the following values (default): 5%, 7% and 9% of the allocation limit.
    Note: This alert only applies if a database table was selected as audit trail target (not for syslog).
  • 20. Alert if the audit database table grows too large (II)
    Changing the threshold for the alert
      Prerequisite: system privilege INIFILE ADMIN
      1. In the Administration editor, open the Alerts tab and choose the Configure... button
      2. Open the Configure Check Thresholds tab and select check 64. Directly enter the new threshold values.
    Truncating the audit table
      Prerequisites: system privilege AUDIT OPERATOR, the audit trail target is or was Database Table, and the audit entries you plan to delete have been archived
      1. In the Security editor, choose the Auditing tab
      2. Choose the Truncate the database table audit trail button and select the date and time until which you want the audit entries to be deleted
      3. Choose the Deploy button
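The four audit-logging slides are steps of one procedure: switch auditing on, choose where the trail goes, create a policy for configuration changes, and keep the table from growing without bound. The following SQL is an added example, not code from the SAP deck, and also shows how the two SPS 08 additions (the previous value of a changed parameter, and a second trail target for high-severity events) are actually used during an investigation. The policy name CFG_CHANGES and the truncation cut-off date are illustrative assumptions; the comma-separated syntax for naming two trail targets in one parameter, and the PREV_VALUE column name in AUDIT_LOG, are my reading of this release and should be checked against the Security Guide and a SELECT * FROM SYS.AUDIT_LOG on your system.

```sql
-- Added example (not from the SAP deck). Needs INIFILE ADMIN for the
-- global.ini writes, AUDIT ADMIN for the policy, AUDIT OPERATOR for the
-- truncation. Assumed: policy name CFG_CHANGES, cut-off '2014-04-01',
-- comma-separated multi-target syntax, PREV_VALUE column name.

-- 1. Enable auditing and set the system-wide default trail.
--    CSTABLE = database table (queryable via AUDIT_LOG),
--    SYSLOGPROTOCOL = OS syslog (can be forwarded off-box),
--    CSVTEXTFILE = flat file (test systems only; no access control).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
      SET ('auditing configuration', 'global_auditing_state')    = 'true',
          ('auditing configuration', 'default_audit_trail_type')  = 'CSTABLE'
      WITH RECONFIGURE;

-- 2. SPS 08: per-level targets. Send EMERGENCY/CRITICAL/ALERT events to
--    syslog as well, so that a user with AUDIT OPERATOR (or an attacker who
--    obtained it) cannot erase the evidence by truncating the table.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
      SET ('auditing configuration', 'emergency_audit_trail_type') = 'SYSLOGPROTOCOL,CSTABLE',
          ('auditing configuration', 'critical_audit_trail_type')  = 'SYSLOGPROTOCOL,CSTABLE',
          ('auditing configuration', 'alert_audit_trail_type')     = 'SYSLOGPROTOCOL,CSTABLE'
      WITH RECONFIGURE;

-- 3. Audit every configuration change (successful or not) at CRITICAL, so
--    these entries reach both targets. This policy also records the two
--    ALTER SYSTEM statements above once it is enabled.
CREATE AUDIT POLICY CFG_CHANGES
       AUDITING ALL SYSTEM CONFIGURATION CHANGE
       LEVEL CRITICAL;
ALTER AUDIT POLICY CFG_CHANGES ENABLE;

-- 4. Investigation: who changed which parameter, from where, and what the
--    value was before (PREV_VALUE is the SPS 08 addition). A change of
--    global_auditing_state to 'false' or of a trail target is itself the
--    first thing to look for.
SELECT TIMESTAMP, USER_NAME, CLIENT_HOST, CLIENT_IP,
       FILE_NAME, SECTION, KEY, PREV_VALUE, VALUE, EVENT_STATUS
  FROM SYS.AUDIT_LOG
 WHERE AUDIT_POLICY_NAME = 'CFG_CHANGES'
 ORDER BY TIMESTAMP DESC;

-- 5. Housekeeping, after the rows have been archived (alert 64 warns at
--    5/7/9 % of the allocation limit). This is the only way to delete from
--    the audit table; there is no DELETE on AUDIT_LOG.
ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2014-04-01 00:00:00';
```

Step 5 is exactly why step 2 matters: once the table is the only trail, the AUDIT OPERATOR privilege is effectively a license to destroy evidence, and the truncation itself should be covered by an audit policy on the relevant action so that the syslog copy records who cleared the table and up to which timestamp.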
  • 21. Documentation
  • 22. Secure programming guidelines
    Additional guidelines are available for application developers on how to securely develop HANA-based applications. The secure programming guidelines are part of the SAP HANA Developer Guide, which is available on the SAP Help Portal at http://help.sap.com/hana_platform
  • 23. More Information
  • 24. More Information
    SAP HANA documentation
      • SAP Help Portal: Security Guide, Master Guide (network topics), Developer Guide, SQL Reference Guide
    Important SAP Notes
      • 1598623: SAP HANA appliance: Security
      • 1514967: SAP HANA appliance
      • 1730928: Using external software in a HANA appliance
      • 1730929: Using external tools in an SAP HANA appliance
      • 1730930: Using antivirus software in an SAP HANA appliance
      • 1730999: Configuration changes in HANA appliance
    Whitepapers and how-tos
      • Whitepaper: http://www.saphana.com/docs/DOC-3751
      • How to Define Standard Roles for SAP HANA Systems: https://scn.sap.com/docs/DOC-53974
  • 25. Disclaimer
    This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP’s strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
  • 26. How to find SAP HANA documentation on this topic?
    SAP HANA Platform SPS documentation is organized by lifecycle phase:
      • What’s New – Release Notes
      • Installation – SAP HANA Server Installation Guide
      • Security – SAP HANA Security Guide
      • Administration – SAP HANA Administration Guide
      • Development – SAP HANA Developer Guide
      • References – SAP HANA SQL Reference
    In addition to this learning material, you find SAP HANA documentation on the SAP Help Portal knowledge center at http://help.sap.com/hana_platform. The knowledge center is structured according to the product lifecycle (installation, security, administration, development), so you find e.g. the SAP HANA Server Installation Guide in the Installation section, and so forth.
  • 27. Thank you Contact information Andrea Kristen SAP HANA Product Management AskSAPHANA@sap.com To get the best overview of what’s new in SAP HANA SPS 08, read this blog.
  • 28. © 2014 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.