Hana1 slt repli_sec_en
 


sap hana replication method


    • SAP HANA Security Guide - Trigger-Based Replication
      SAP In-Memory Appliance (SAP HANA) 1.0
      Target Audience: Consultants, Administrators, SAP Hardware Partner, Others
      Public
      Document version 1.0 – 06/27/2011
    • © Copyright 2011 SAP AG. All rights reserved.
    • Contents
        User Administration and Authentication
        Authorizations
        Network and Communication Security
          Network Security
          Communication Destinations
        Configuration
          Configuration
    • Technical System Landscape

      The Trigger-Based Replication system transfers database activity from source system databases to replicate databases. The source system is typically an SAP ERP or CRM system, and the replicate database is the SAP HANA In-Memory Database.

      The figures below show the two possible technical system landscapes for the Trigger-Based Data Replication Using SAP LT (Landscape Transformation) Replicator.

      Option 1 - Separate SLT system
      With this option the SLT component is installed in its own SAP system. Consequently, there are two network communication channels in use from this system: an RFC connection to the source system and a second connection to the SAP HANA system.

      Option 2 - SLT installation in Source system
      With this option the SLT system component is installed in the source system, which means that only one external network communication channel is required, to the SAP HANA system.

      An overview of the system landscape components is provided below.
    • Source system
      The source system tracks database changes via database triggers and copies relevant changes into the logging tables.

      SLT component
      The SLT system polls the logging tables in the source system via an RFC connection on a scheduled basis. If there is replication data which should be transferred to the SAP HANA system, it is transferred via the DB connection.

      SAP HANA system
      The SAP HANA system contains the SAP In-Memory Database; this is used to store the replicated data. The connections between the SLT component and the SAP HANA system are provided by the DB connection.

      Topic: Trigger-based Replication
        Guide/Tool: Installation Guide
        Quick Link to the SAP Service Marketplace: SAP HANA 1.0 Installation Guide – Trigger Based Replication

      SAP HANA Guides
      For more information about SAP HANA landscape, security, installation and administration, see the resources listed below.

      Topic: SAP HANA Landscape, Deployment & Installation
        Guide/Tool: SAP HANA Knowledge Center on SAP Service Marketplace
        Quick Link: https://service.sap.com/hana
          SAP HANA 1.0 Master Guide
          SAP HANA 1.0 Installation Guide

      Topic: SAP HANA Administration & Security
        Guide/Tool: SAP HANA Knowledge Center on SAP Help Portal
        Quick Link: http://help.sap.com/hana
          SAP HANA 1.0 Technical Operations Manual
          SAP HANA 1.0 Security Guide
    • User Administration and Authentication

      The SAP LT Replicator uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide [SAP Library], Application Server ABAP Security Guide, also apply to the SAP LT Replicator.

      This section provides information about user management, administration and authentication that specifically applies to SAP LT Replicator in addition to the standard procedures.

      Accessing the source systems by remote function call (RFC) requires a communication user. A communication user accesses the source system exclusively by RFC and cannot execute steps in dialog mode directly in a system. For more information about this user type, see the section User Types in the SAP Web AS ABAP Security Guide.

      The following security measures apply with regard to user management for SAP LT Replicator:

      Irrespective of all security measures, the users who have access to the SLT system will have (indirect) access to the production data in the source system and may be able to see information stored there. Consequently, we recommend that you limit the number of users in the SLT system to a minimum to prevent unauthorized access to production data.
    • Authorizations

      The SAP LT Replicator uses the authorization concept provided by the SAP NetWeaver AS ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to the SAP LT Replicator.

      The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine's user administration console on the AS Java. For more information about how to create roles, see Role Administration (SAP Library).

      Specific authorizations apply for each system. Authorizations for source system(s) and SLT system are available in user profiles to control the actions that a user is authorized to perform.

      Among many other existing SAP NetWeaver based authorization objects, the following authorization objects are specifically important for the use of SAP LT Replicator:

      S_DMIS
        Description: Authority object for SAP SLO Data migration
        Authorization fields (Field name: Heading)
          MBT_PR_ARE: MBT PCL: Scenario
          MBT_PR_LEV: MBT PCL: Processing Role Level
          ACTVT: Activity

      S_DMC_S_R
        Description: MWB: Reading / writing authorization in sender / receiver
        Authorization fields (Field name: Heading)
          ACTVT: Activity

      User Roles
      With SAP LT Replicator, the composite role SAP_IUUC_USER is available that includes the following roles:
        o SAP_IUUC_REMOTE
        o SAP_DMIS_USER
        o SAP_SLOP_USER
    • Network Security

      Access to source systems using SAP LT Replicator takes place exclusively through RFC connections. For more information about security issues in connection with RFC, see the relevant sections in the SAP Library on SAP Help Portal.

      Communication Destinations

      SAP LT Replicator does not come with fixed destinations or user names. The following destinations need to be created:

      Source System(s)
      Users in RFC destinations need to be of type Communication / CPIC and require authorizations specified by one of the following composite roles:
        o SAP_LT_RFC_USER
        o SAP_LT_RFC_USER_700
        o SAP_IUUC_USER or SAP_IUUC_REMOTE

      Configuration

      Configuration settings as defined in LT based replication schemas are stored in SAP LT Replicator control tables on the SLT system.

      In source system(s), no specific initial configuration data is created; however, with the initialization of the data replication, DB triggers and logging tables are created.

      For logging tables, it is possible to create a separate table space within the database for monitoring the size of logging tables.

      No specific configuration settings are required on the SAP HANA system.
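
The Communication Destinations requirement above (RFC destination users must be of type Communication / CPIC and hold one of the listed composite roles) can be checked mechanically. The following is an added example, not part of the SAP guide or of SAP software: it assumes three CSV exports whose column layout is constructed here, with user type codes as stored in USR02-USTYP, and all user, destination and Z_* role names are made up.

```python
import csv
import io

# Composite roles the guide lists for users in source-system RFC destinations.
ALLOWED_ROLES = {"SAP_LT_RFC_USER", "SAP_LT_RFC_USER_700",
                 "SAP_IUUC_USER", "SAP_IUUC_REMOTE"}
# User type codes as stored in USR02-USTYP; only C (Communication) is accepted.
USER_TYPES = {"A": "Dialog", "B": "System", "C": "Communication",
              "L": "Reference", "S": "Service"}

# Constructed sample exports; all user, destination and Z_* names are made up.
USERS_CSV = "user,ustyp\nSLT_RFC_ERP,C\nSLT_RFC_CRM,A\nSLT_RFC_OLD,C\n"
ROLES_CSV = ("user,role\nSLT_RFC_ERP,SAP_LT_RFC_USER\n"
             "SLT_RFC_CRM,SAP_IUUC_REMOTE\nSLT_RFC_OLD,Z_CONSTRUCTED_ROLE\n")
DESTS_CSV = ("destination,user\nERP_PRD,SLT_RFC_ERP\nCRM_PRD,SLT_RFC_CRM\n"
             "ERP_OLD,SLT_RFC_OLD\nBW_PRD,SLT_RFC_BW\n")


def _rows(text):
    """Parse CSV text with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(users_csv, roles_csv, dests_csv):
    """Return {destination: [findings]} for each non-compliant destination."""
    types = {r["user"]: r["ustyp"] for r in _rows(users_csv)}
    roles = {}
    for r in _rows(roles_csv):
        roles.setdefault(r["user"], set()).add(r["role"])
    report = {}
    for d in _rows(dests_csv):
        user, findings = d["user"], []
        if user not in types:
            # A destination pointing at an unknown user cannot be verified.
            findings.append("user not found in user export")
        else:
            if types[user] != "C":
                label = USER_TYPES.get(types[user], types[user])
                findings.append("user type is %s, not Communication" % label)
            if not roles.get(user, set()) & ALLOWED_ROLES:
                findings.append("none of the listed composite roles assigned")
        if findings:
            report[d["destination"]] = findings
    return report


if __name__ == "__main__":
    for dest, found in audit(USERS_CSV, ROLES_CSV, DESTS_CSV).items():
        print(dest + ": " + "; ".join(found))
```

A dialog-type user in an RFC destination is the finding that matters most here, because the guide relies on communication users being unable to execute steps in dialog mode on the source system.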