SAP HANA SPS 09 - What's New? Security (Delta from SPS 08 to SPS 09)
Andrea Kristen, SAP HANA Product Management
November 2014
2014 SAP AG or an SAP affiliate company. All rights reserved.
Agenda
- Authentication
- User/role management
- Authorization
- Encryption
- Audit logging
- Antivirus software support
- Support for multitenant database containers
Authentication
Changed emergency reset mechanism for the SYSTEM user password
The new mechanism for resetting the SYSTEM user password uses the index server in emergency mode. This password reset mechanism should only be used if the SYSTEM user password was lost.

Emergency reset of the SYSTEM user password
Prerequisites: credentials of the operating system administrator <sid>adm; access to the master index server
1. As <sid>adm, log on to the server on which the master index server is running.
2. On the command line, shut down the SAP HANA system, then start the name, compile and index servers.
3. Reset the password with the following command:
   /usr/sap/<sid>/hdb<instance>/exe/hdbindexserver resetusersystem
   Afterwards, the index server is stopped automatically.
4. End the name and compile server processes.
5. On the command line, start the SAP HANA system.
Note: In a system with multitenant database containers, you can reset the passwords of the SYSTEM users in the same way by starting the name server (for the system database) or the index server (for tenant databases) in emergency mode.
Because the reset requires nothing beyond <sid>adm access to the host, the SYSTEM password is only as well protected as that operating system account.
System view showing authentication method for connected users
The system view M_CONNECTIONS now contains additional information about the authentication method. By default, users can only query information about themselves.

Viewing information for all connected users
Prerequisite: system privilege CATALOG READ
1. In SAP HANA Studio, open the SQL editor.
2. Enter the following SQL statement:
   SELECT USER_NAME, AUTHENTICATION_METHOD FROM M_CONNECTIONS
User/role management
Repository role editor (I)
A graphical editor for repository roles is now available as part of the SAP HANA Web-based Development Workbench (Web IDE). In earlier versions, only a text editor in SAP HANA Studio was available.

There are two types of roles in SAP HANA: catalog roles and repository roles. For most use cases it is recommended to use repository roles. Compared to catalog roles, they offer several advantages, e.g.:
- Versioning
- Integration with standard transport mechanisms
- Decoupling of role creation from role granting/revoking
- Support for standard DEV / QA / PROD landscapes
- Separation of duties

Role lifecycle
1. A developer/role designer creates the role in the repository of the development system and tests it.
2. The role is transported to the production system, e.g. using HALM or CTS+.
3. In the production system, a user administrator grants the role to end users.
Repository role editor (II)
[Diagram: design time vs. runtime]
- Design time (developers/role designers, SAP HANA Studio or the new Web IDE editor): the role is created as a .hdbrole object in a repository package (package1/subpackage1) in DEV; export/import via a Delivery Unit (DU); transport to PROD via HANA Application Lifecycle Manager, CTS+, ...
- Activation: the repository object becomes a database role owned by _SYS_REPO.
- Runtime (user administrators): the activated role is granted/revoked in the database.
Repository role editor (III)
Creating a new repository role
Prerequisites:
- sap.hana.xs.ide.roles::editordeveloper role
- Package privileges on the required packages
1. Open the Editor of the Web IDE in your web browser: http://<database_server>:80<instance_no>/sap/hana/xs/ide/editor
2. In the Content tree, right-click the folder in which you want to create the new role and choose New Role.
3. Enter a role name and choose Create.
4. Select the roles and privileges that you want to include in the new role.
5. Save the role using the Save button.
Note: The role is saved and activated in one step. If you only want to save the role, choose Settings and select Enable inactive save. An additional icon, Save without Activating, is then displayed in the toolbar.
Web-based administration and development tools
As part of the general SAP UI strategy, administration and development functions are being made available in web-based tools such as SAP HANA Cockpit and SAP HANA Web-based Development Workbench (Web IDE). One of the prerequisites for using these functions is a web browser with SAPUI5 support.

Information on web browsers with SAPUI5 support
- SAP Note 1716423 - SAPUI5 Browser Support
- PAM for SAPUI5: https://websmp130.sapag.de/sap(bd1lbizjptawmq==)/support/pam/pam.html?smpsrv=https%3a%2f%2fwebsmp105.sapag.de#pvnr=01200314690900004969&pt=t%7cwbrpfm&ainstnr=01200314694900015214&ts=0
Accessing the web-based user and catalog role editors in Web IDE
The SAP HANA Web IDE contains a user editor and a catalog role editor for scenarios where only web-based tools are available.

Access from Web IDE
Prerequisites:
- USER ADMIN or ROLE ADMIN system privilege
- sap.hana.xs.ide.roles::securityadmin role
1. Log on to Web IDE (http://<host>:<port>/sap/hana/xs/ide).
2. Click the Security tile.

Access from SAP HANA Cockpit
Prerequisites (in addition to the above):
- sap.hana.admin.roles::monitoring role
1. Log on to SAP HANA Cockpit (http://<host>:<port>/sap/hana/admin/cockpit).
2. Click the Manage Roles and Users tile.
Maintaining user parameters in SAP HANA Studio
You can now maintain user parameters in SAP HANA Studio. Users can change their own parameters.

Maintaining user parameters for other users
Prerequisite: USER ADMIN system privilege
1. In the Systems view, double-click the user under Security > Users and open the User Parameters tab.
2. Choose the user parameter and enter a value.
3. Save by choosing the Deploy button.

User parameters
- EMAIL ADDRESS: E-mail address
- LOCALE: Locale
- PRIORITY: The priority with which the thread scheduler handles statements executed by the user
- STATEMENT MEMORY LIMIT: The maximum memory (in GB) that can be used by a statement executed by the user (if the feature is enabled globally)
- TIME ZONE: Time zone
New alert: Support role granted to users
An alert notifies administrators when a user is granted the SAP_HANA_INTERNAL_SUPPORT role.

The support role contains privileges that allow access to certain low-level internal system views needed by SAP HANA development support in support situations, which otherwise would only be accessible to the SYSTEM user. All access is read only, and the role does not allow access to any customer data. The low-level internal system views are not part of the stable end-user interface and might change from revision to revision. To avoid users accidentally accessing these internal system views in applications or scripts, this role is subject to usage restrictions.

Configuring the alert thresholds
Prerequisite: system privilege INIFILE ADMIN
1. In the Administration editor in SAP HANA Studio, open the Alerts tab and choose the Configure... button.
2. Open the Configure Check Thresholds tab and choose check 63.
3. Specify the threshold values. Default: 1 user, alert priority low.

Switching off the alert
See SAP Note 1991615.
New built-in procedures to check compliance with password policy
Application developers can use the new procedures to verify that a new user name and password are compliant before actually creating the user. Some restrictions apply to the characters that may be used in user names. Passwords need to adhere to the password policy that has been configured for the system.

Procedures:
- SYS.IS_VALID_USER_NAME
- SYS.IS_VALID_PASSWORD

Syntax
Prerequisite: EXECUTE privilege on the procedures
IS_VALID_USER_NAME (IN user_name NVARCHAR(256), OUT error_code INT, OUT error_message NVARCHAR(5000))
IS_VALID_PASSWORD (IN password NVARCHAR(256), OUT error_code INT, OUT error_message NVARCHAR(5000))
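The following SQLScript procedure is an added example, not part of the slide deck: it runs both built-in checks and creates the user only if both succeed. The schema APPADMIN, the procedure name and the sample user are assumptions.

```sql
-- Added example (not from the slide deck). The definer needs the USER ADMIN
-- system privilege and EXECUTE on SYS.IS_VALID_USER_NAME and SYS.IS_VALID_PASSWORD.
-- Because the procedure runs with definer rights, grant EXECUTE on it only to the
-- application's technical user: whoever may call it can create database users.
CREATE PROCEDURE APPADMIN.CREATE_CHECKED_USER (
    IN p_user_name NVARCHAR(256),
    IN p_password  NVARCHAR(256)
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
AS
BEGIN
    DECLARE err_code INT;
    DECLARE err_msg  NVARCHAR(5000);

    -- Step 1: the user name must satisfy the character restrictions.
    CALL SYS.IS_VALID_USER_NAME(:p_user_name, err_code, err_msg);
    IF :err_code <> 0 THEN
        -- User-defined error codes must lie between 10000 and 19999; the
        -- code and message returned by the built-in check are passed through.
        SIGNAL SQL_ERROR_CODE 10001 SET MESSAGE_TEXT =
            'User name rejected (' || TO_VARCHAR(:err_code) || '): ' || :err_msg;
    END IF;

    -- Step 2: the password must comply with the configured password policy.
    CALL SYS.IS_VALID_PASSWORD(:p_password, err_code, err_msg);
    IF :err_code <> 0 THEN
        SIGNAL SQL_ERROR_CODE 10002 SET MESSAGE_TEXT =
            'Password rejected by policy (' || TO_VARCHAR(:err_code) || '): ' || :err_msg;
    END IF;

    -- Step 3: both checks passed, so the CREATE USER statement is assembled.
    -- The name has already passed the character check; the password is written
    -- as a double-quoted identifier, so a double quote inside it is doubled.
    EXEC 'CREATE USER "' || :p_user_name || '" PASSWORD "'
         || REPLACE(:p_password, '"', '""') || '"';
END;

-- Caller's view: the user is created, or one of the two user-defined errors is
-- raised carrying the message of the check that failed.
CALL APPADMIN.CREATE_CHECKED_USER('REPORT_USER_01', 'Initial!Pwd2014');
```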
Web-based user self-services (I)
SAP HANA now provides web-based user self-services for resetting your own password and for requesting a new user account.
- The user self-services are part of the HANA_XS_BASE delivery unit (autocontent).
- When enabled, they are available on the SAP HANA logon screen.
- They are disabled by default.
Web-based user self-services (II)
Configuring user self-services
Prerequisites: see the SAP HANA Administration Guide
1. Configure the XSSQLCC technical user which is used by the user self-services.
2. Configure the user self-service parameters in the xsengine.ini file.
3. Configure the SMTP server that SAP HANA XS applications can use to send mails.
4. Configure dedicated administrators for the user self-service administration tool. These administrators process user requests and manage blacklists and whitelists.

Parameters (xsengine.ini)
- automatic_user_creation: Defines whether a user creation request needs approval. Default: false
- forgot_password: Defines whether the password reset self-service is enabled. Default: false
- request_new_user: Defines whether the new user account self-service is enabled. Default: false
- reset_locked_user: Defines whether password reset for a locked user is enabled. Default: false
- sender_email: Mail address for sending out the registration mails/tokens. Default: none
- token_expiry_time: Duration (in s) for which a generated token is valid. Default: 3600
- user_creation_request_count: Number of times a user with the same mail address can request an account before being added to the blacklist. Default: 3
Web-based user self-services (III)
Resetting your password
Prerequisite: user self-service is enabled in the SAP HANA system
1. On the SAP HANA logon page, choose Forgot your password?
2. Enter your user name.
3. A mail is sent to your mail address with a link to reset the password.
4. Enter a new password and answer the security question that you specified when you initially set up your account.
Web-based user self-services (IV)
Requesting a new account
Prerequisite: user self-service is enabled in the SAP HANA system
1. On the SAP HANA logon screen, choose Request account.
2. Choose a user name and enter your mail address.
3. A verification link is sent to your mail address.
4. After clicking the verification link, choose a password and a security question.
5. Your request is sent to the system administrator for approval.
6. After approval, your account is activated and you are notified by mail.
Web-based user self-services (V)
Approving new account requests
Prerequisites:
- User self-service is enabled in the SAP HANA system
- sap.hana.xs.selfservice.admin.roles::ussadministrator role
1. Log on to the user self-service administration tool: http://<host>:<port>/sap/hana/xs/selfservice/admin
2. Review the pending requests:
   - Approve/reject the request
   - Assign application roles if required (Note: to assign roles, you can use the Web IDE user and role editor)
   - Add domain/mail address/IP range to the blacklist if required
3. After you have approved a request, a notification mail is sent to the user.
[Screenshot captions: "Account is requested for this XS application"; "Open user and role editor in Web IDE"; "User is activated and notified"]
Authorization
Extension of SQL-based analytic privileges
SQL-based analytic privileges can now also be used with SQL views. In earlier versions, SQL-based analytic privileges could only be applied to analytic views. Analytic privileges allow row-based access control to views. They filter query results according to the attributes of the session user.

Comparison between XML-based and SQL-based analytic privileges
XML-based analytic privileges:
- More difficult to use due to complex XML format
- Limited expressiveness with regard to filtering capabilities
- Only analytic views are supported
- Design time available
- CREATE STRUCTURED PRIVILEGE <xml_definition>
SQL-based analytic privileges:
- Intuitive specification using SQL syntax
- Flexible combination of filters
- Sub-queries as filters
- Analytic and SQL views are supported
- No design time support yet
- CREATE STRUCTURED PRIVILEGE <name> FOR SELECT ON <view> WHERE a=10
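As an added example that is not part of the slide deck, the statements below put a row filter on a plain SQL view with a SQL-based analytic privilege whose condition is a sub-query keyed on the session user. The schema SALES, its tables, the mapping table USER_REGIONS and the user ANALYST_1 are all assumptions.

```sql
-- Added example (not from the slide deck). Requires the privileges to create
-- the objects, CREATE STRUCTURED PRIVILEGE and USER ADMIN for the test user.

-- Base data, constructed for the example.
CREATE SCHEMA SALES;
CREATE TABLE SALES.ORDERS (ORDER_ID INT, REGION NVARCHAR(2), AMOUNT DECIMAL(12,2));
INSERT INTO SALES.ORDERS VALUES (1, 'DE', 1200.00);
INSERT INTO SALES.ORDERS VALUES (2, 'US', 3400.00);
INSERT INTO SALES.ORDERS VALUES (3, 'DE',  800.00);

-- Mapping of database users to the regions they may see. The filter below reads
-- this table at query time, so a changed row changes what a user sees without
-- touching the privilege itself.
CREATE TABLE SALES.USER_REGIONS (USER_NAME NVARCHAR(256), REGION NVARCHAR(2));
INSERT INTO SALES.USER_REGIONS VALUES ('ANALYST_1', 'DE');

-- The view has to opt in to the analytic privilege check. Without this clause
-- a SELECT privilege on the view returns every row.
CREATE VIEW SALES.V_ORDERS AS
    SELECT ORDER_ID, REGION, AMOUNT FROM SALES.ORDERS
    WITH STRUCTURED PRIVILEGE CHECK;

-- SQL-based analytic privilege: the filter is ordinary SQL and may contain a
-- sub-query; SESSION_USER is evaluated for the user running the query.
CREATE STRUCTURED PRIVILEGE AP_ORDERS_BY_REGION FOR SELECT ON SALES.V_ORDERS
    WHERE REGION IN (SELECT REGION FROM SALES.USER_REGIONS
                     WHERE USER_NAME = SESSION_USER);

-- Both grants are needed: SELECT to reach the view at all, the analytic
-- privilege to pass the row filter.
CREATE USER ANALYST_1 PASSWORD "Initial!Pwd2014";
GRANT SELECT ON SALES.V_ORDERS TO ANALYST_1;
GRANT STRUCTURED PRIVILEGE AP_ORDERS_BY_REGION TO ANALYST_1;

-- Connected as ANALYST_1, this returns only the DE rows (ORDER_ID 1 and 3).
SELECT ORDER_ID, REGION, AMOUNT FROM SALES.V_ORDERS ORDER BY ORDER_ID;
```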
New system privilege: TABLE ADMIN
A new system privilege for administrators has been introduced. The new system privilege TABLE ADMIN authorizes the following administrative actions related to the management of tables:
- LOAD: Load specified column store tables from disk into memory (otherwise they are loaded into memory on first access)
- UNLOAD: Unload specified column store tables from memory to disk (e.g. to free up memory; the tables are loaded into memory again on next access)
- MERGE DELTA: Merge the column store table's delta storage into the table's main storage
Encryption
XS encryption service for applications
XS applications can now store values in encrypted form. Application developers can use the XS API $.security.store to define a secure store for encrypted name-value pairs for their XS application.

Options
- Application-wide data visibility
  - All users of the XS application have access to one secure store
  - All users share the same data and can decrypt or encrypt data
  - Example: passwords for a remote system
- User-specific data visibility
  - Each user of the XS application has a separate container to securely store encrypted data
  - Only the owner of the secure store and the respective user can decrypt the data
  - Examples: credit card numbers or personal identification number (PIN) codes

More information: SAP HANA Developer Guide
CommonCryptoLib part of standard delivery
CommonCryptoLib is now part of the SAP HANA standard delivery. Up to now, customers were required to download CommonCryptoLib from SAP Marketplace.

SAP CommonCryptoLib is the successor of SAPCRYPTOLIB and is the default cryptographic library for SAP HANA. It is used for operations that require cryptography, for example data volume encryption and SSL communication encryption. CommonCryptoLib is installed as part of the SAP HANA server installation at the default location for library lookup:
/usr/sap/<sid>/sys/exe/hdb/libsapcrypto.so

Note: The OpenSSL library is also installed as part of the operating system installation. For most use cases it is also possible to use OpenSSL instead of CommonCryptoLib. However, there are already some features in SAP HANA that are only supported by CommonCryptoLib, and future features might also only be supported by CommonCryptoLib. For information on the migration process from OpenSSL to CommonCryptoLib, see SAP Note 2093286.
Audit logging
Specify schema when creating audit policy on database objects
You can now specify a schema if you want to audit all database objects belonging to the schema.

Creating an audit policy for a schema
Prerequisite: system privilege AUDIT ADMIN
1. In the Systems view, double-click Security and open the Auditing tab.
2. In the Audit Policies area, choose Create New Policy.
3. Enter the policy name.
4. In Audited Actions, select an audit action that applies to database objects, e.g. DELETE.
5. As Target Object, select the schema.
6. Choose the Deploy button.
More granular audit trail target definition (I)
You can now specify the audit trail target per audit policy.

Options for the audit trail target
- System-wide default: Audit entries are written to the audit trail target(s) configured for the system if no other trail target has been configured per audit level.
- Audit level (optional): Audit entries from audit policies with the audit level EMERGENCY, CRITICAL, or ALERT are written to the specified audit trail target(s). If no audit trail target is configured, entries are written to the audit trail target configured for the system.
- New: Audit policy (optional): Audit entries from a particular policy are written to the specified audit trail target(s). If no audit trail target is configured for an audit policy, entries are written to the audit trail target for the audit level if configured, or otherwise to the audit trail target configured for the system. Several audit trail targets are configurable for each individual policy.
More granular audit trail target definition (II)
Specifying multiple audit trail targets
Prerequisites: system privilege AUDIT ADMIN; auditing has been enabled
1. In the Systems view, double-click Security and open the Auditing tab.
2. In the Audit Trail Target section of the audit policy, select the audit trail targets.
3. Choose the Deploy button.
Audit entries of prepared statements show parameter values
Parameter values in prepared statements are now recorded in the audit trail. Up to now, only ? was displayed in the audit trail.

Example
1. Create and deploy a new audit policy for INSERT actions on your test table.
2. Insert a value into the test table using a prepared SQL statement.
3. Check the STATEMENT_STRING field in the audit trail.
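The three steps above carried out in SQL, as an added example that is not part of the slide deck. The schema AUDITTEST, table T and the policy name are assumptions; the prepared INSERT itself is issued from a database client.

```sql
-- Added example (not from the slide deck). Requires INIFILE ADMIN for the
-- auditing switch and AUDIT ADMIN for the policy.

-- Step 0: auditing must be on and the database table chosen as the trail
-- target (value CSTABLE), otherwise no entry is written at all.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
    SET ('auditing configuration', 'global_auditing_state')    = 'true',
        ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
    WITH RECONFIGURE;

-- Step 1: a policy that records every INSERT on the test table, successful or
-- not. A new policy is created disabled and has to be enabled explicitly.
CREATE SCHEMA AUDITTEST;
CREATE TABLE AUDITTEST.T (ID INT, NOTE NVARCHAR(100));
CREATE AUDIT POLICY AUDIT_T_INSERT AUDITING ALL INSERT ON AUDITTEST.T LEVEL INFO;
ALTER AUDIT POLICY AUDIT_T_INSERT ENABLE;

-- Step 2: from a client (JDBC, ODBC, hdbsql) prepare the statement with
-- placeholders and bind the values, e.g. 42 and 'hello', instead of literals:
--     INSERT INTO AUDITTEST.T VALUES (?, ?)
-- Before SPS 09 the trail showed this text with the question marks only.

-- Step 3: read the trail through the AUDIT_LOG view. Since SPS 09 the
-- STATEMENT_STRING column carries the bound values as well. Note the flip
-- side: values bound to parameters (which may be personal data) now end up in
-- the audit trail, so the trail needs the same protection as the table.
SELECT TIMESTAMP, USER_NAME, EVENT_STATUS, STATEMENT_STRING
  FROM AUDIT_LOG
 WHERE AUDIT_POLICY_NAME = 'AUDIT_T_INSERT'
 ORDER BY TIMESTAMP DESC;
```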
New audit actions for data volume encryption
Changes to the data volume encryption can now be recorded in the audit trail. When you include ALTER PERSISTENCE ENCRYPTION in an audit policy, the following actions are recorded in the audit trail:
- Switching the data volume encryption on/off
- Creating a new encryption key
- Re-encrypting old encrypted data with the current key
Antivirus software support
XS antivirus interface
XS applications can now integrate antivirus tools to check uploaded data. Application developers can use the XS API $.security.antivirus to integrate an antivirus engine with their XS applications.

Note: For production systems, only certified antivirus engines should be used.

More information: SAP HANA Developer Guide
Supported antivirus engines/certification: SAP Note 786179
Support for multitenant database containers
Multitenant database containers: Overview
Multitenant database containers are a new way to run multiple applications/scenarios on one SAP HANA system.
- 1 system database and multiple tenant databases
- Shared installation of database system software
- Strong isolation features: the system database and each of the tenant databases have their own database users, database catalog, repository, persistence, backups, traces and diagnosis files
- Distinction between tasks performed at system level and those performed at database level
- Integration with data center operation procedures
[Diagram: one SAP HANA system containing the system database, Tenant database 1 (used by Application 1) and Tenant database 2 (used by Application 2); tenant database = database container]
Security aspects of multitenant database containers (I)
- Clients connect via dedicated ports to individual databases (SQL ports of the form 3XX13, 3XX41, 3XX45, 3XX49 in the diagram; HTTP access through the Web Dispatcher with virtual host names per XS)
- Security-relevant features are configurable per database
- Only controlled access between databases
- Tenant databases are created and managed from the system database
  - But: no direct access to tenant database table content from the system database
[Diagram: Host 1 of an SAP HANA system with a Web Dispatcher in front; the system database (metadata, landscape information) and Tenant DB1, DB2, DB3 (metadata, tables), each with its own XS server and SQL port]
Security aspects of multitenant database containers (II)
Unlike a single database system, in which system and database are a single unit and administered as one, an MDC system has 2 levels of administration.

Administration tasks performed in the system database include:
- Starting and stopping the whole system
- Monitoring the system
- Configuring parameters at system level
- Managing tenant databases: creating/dropping databases, configuring database-specific parameters, adding services to databases for scalability, backing up databases, recovering databases

Administration tasks performed in tenant databases include:
- Monitoring the database
- Provisioning database users
- Creating and deleting schemas, tables, and indexes in the database
- Backing up the database
- Configuring database-specific parameters
Security aspects of multitenant database containers (III)
- Authentication: User name and password (incl. password policy), Kerberos/SPNEGO, SAML, SAP logon and assertion tickets, X.509 (XS access only). Note: For details on the available configuration options (system-wide/per database), please refer to the documentation.
- Users and roles: Isolation of users and roles between the system database and all of the tenant databases; SYSTEM user in the system database and a SYSTEM user in each tenant database
- Authorization: Standard privilege concept; additional system privilege DATABASE ADMIN in the system database for tenant database administration; read-only cross-database queries supported (disabled by default); option to disable specific administration functions in tenant databases, e.g. export/import
- Encryption: Communication encryption (SSL), data volume encryption (per database, separate root keys), backup encryption via 3rd-party backup tools
- Audit logging: Standard audit logging concept; audit trail written to Linux syslog or to an SAP HANA database table; audit trail configuration via the system database, audit policy configuration per database
- Security administration: SAP HANA Studio, XS Administration Tool, SQL interface (command line tool hdbsql)
Restricted features in tenant databases (I)
Certain security-relevant features can be enabled/disabled in tenant databases. Not all features are required/desirable in all environments, e.g. features that provide direct access to the file system, the network, or other critical resources.

The system view M_CUSTOMIZABLE_FUNCTIONALITIES provides information about such restricted features that can be disabled in tenant databases. This view exists both in the SYS schema of every database, where it contains database-specific information, and in the SYS_DATABASES schema of the system database, where it contains information about the enablement of features in all databases.

You disable/enable restricted features in tenant databases via the global.ini file of the system database. All restricted features are enabled in the system database and cannot be disabled there.
Restricted features in tenant databases (II)
Enabling/disabling features in tenant databases
Prerequisite: user in the system database with CATALOG READ and INIFILE ADMIN privileges
1. In the Administration editor in SAP HANA Studio, open the Configuration tab.
2. In the global.ini file, section customizable_functionalities, double-click the feature to be disabled.
3. Select Database as the layer and set the value to FALSE.
   Note: Features are hierarchically structured. If you enable a feature with sub-features, these are also enabled.
4. Restart the tenant database (prerequisite: DATABASE ADMIN privilege):
   ALTER SYSTEM STOP DATABASE <tenant_db>;
   ALTER SYSTEM START DATABASE <tenant_db>;
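The same procedure issued as SQL from the system database, as an added example that is not part of the slide deck. The tenant name TN1 is an assumption, and the feature name below is an assumed value; in practice take it from the NAME column of M_CUSTOMIZABLE_FUNCTIONALITIES.

```sql
-- Added example (not from the slide deck). Run in the system database with
-- CATALOG READ, INIFILE ADMIN and DATABASE ADMIN.

-- Which restricted features exist and how they are currently set for the
-- tenant: the SYS_DATABASES copy of the view covers all databases.
SELECT DATABASE_NAME, NAME, DESCRIPTION, IS_ENABLED
  FROM SYS_DATABASES.M_CUSTOMIZABLE_FUNCTIONALITIES
 WHERE DATABASE_NAME = 'TN1'
 ORDER BY NAME;

-- Disable one feature for TN1 only. The DATABASE layer with the tenant name is
-- what "Select Database as the layer" does in Studio. The system database
-- itself cannot be restricted this way.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'DATABASE', 'TN1')
    SET ('customizable_functionalities', 'IMPORTEXPORT') = 'false'   -- assumed feature name
    WITH RECONFIGURE;

-- The change takes effect only after the tenant has been restarted.
ALTER SYSTEM STOP DATABASE TN1;
ALTER SYSTEM START DATABASE TN1;

-- Verify: the feature now shows IS_ENABLED = 'FALSE' for TN1. Because features
-- are hierarchical, check the state of its sub-features here as well.
SELECT NAME, IS_ENABLED
  FROM SYS_DATABASES.M_CUSTOMIZABLE_FUNCTIONALITIES
 WHERE DATABASE_NAME = 'TN1' AND NAME LIKE 'IMPORTEXPORT%';
```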
Cross-database queries (I)
In multiple-container systems, read-only queries across database containers are supported but not enabled by default. If enabled, a user from one tenant database can execute queries in another tenant database if this user is mapped to a user with remote identity there.
- A user in the target database can only be associated with one user in the source database.
- The association is unidirectional.
- Only the SELECT privileges of the user in the target database are considered during a cross-database query; all other privileges of the remote user are ignored.
[Diagram: in one SAP HANA system, User_1 in tenant database TN1 (source) runs SELECT * FROM TABLE_A against Table_A in tenant database TN2 (target) as User_2, who carries the remote identity]
Cross-database queries (II)
Configuring cross-database queries
Prerequisite: DATABASE ADMIN system privilege in the system database
1. In the Administration editor, open the Configuration tab.
2. In global.ini, section cross_database_access, system layer, set the property enable to true.
3. Add a new parameter targets_for_<source_db_name> and define the target databases as a comma-separated list.

Prerequisite: USER ADMIN system privilege in the target database
1. In the target database, add a remote identity to a user (= map this user to a user in the source database):
   ALTER USER <target_user> ADD REMOTE IDENTITY <source_user> AT DATABASE <source_db>
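The TN1 to TN2 scenario of the two slides above carried out in SQL, as an added example that is not part of the slide deck. The database names TN1 and TN2, the users USER_1 and USER_2, and the schema SALES with table TABLE_A are assumptions.

```sql
-- Added example (not from the slide deck). Each statement is labelled with the
-- database it is run in and the privilege it needs.

-- System database (DATABASE ADMIN): switch the feature on and list explicitly
-- which databases TN1 may query. Only listed targets are reachable, and
-- nothing is implied for the opposite direction.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
    SET ('cross_database_access', 'enable')          = 'true',
        ('cross_database_access', 'targets_for_TN1') = 'TN2'
    WITH RECONFIGURE;

-- Target database TN2 (USER ADMIN): map USER_2 to USER_1 of TN1. A user in the
-- target database can be associated with only one user in the source database,
-- and the mapping is unidirectional: USER_1 acts as USER_2 in TN2, never the
-- other way round.
ALTER USER USER_2 ADD REMOTE IDENTITY USER_1 AT DATABASE TN1;

-- Target database TN2 (owner of SALES.TABLE_A): only USER_2's SELECT privileges
-- count during a cross-database query, so this is the grant that matters.
GRANT SELECT ON SALES.TABLE_A TO USER_2;

-- Source database TN1, connected as USER_1: the target database name prefixes
-- the schema-qualified object. Only read-only queries are supported, so an
-- INSERT, UPDATE or DDL statement against TN2 objects is rejected.
SELECT * FROM TN2.SALES.TABLE_A;
```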
More Information
More information
SAP HANA information
- SAP Help Portal: Security Guide, Master Guide (network topics), Developer Guide, SQL Reference Guide
- SAP HANA Security Whitepaper
- How to Define Standard Roles for SAP HANA Systems

Important SAP Notes
- 1598623: SAP HANA appliance: Security
- 1514967: SAP HANA appliance
- 1730928: Using external software in a HANA appliance
- 1730929: Using external tools in an SAP HANA appliance
- 1730930: Using antivirus software in an SAP HANA appliance
- 786179: Supported antivirus engines/certification
- 784391: SAP support terms and 3rd-party Linux kernel drivers
- 1730999: Configuration changes in HANA appliance
- 863362: Security checks with SAP EarlyWatch Alert
SAP HANA security patches
Operating system security patches
- Supported operating systems: SUSE Linux Enterprise and Red Hat Enterprise
- Operating system security patches are provided and published by the operating system vendors

SAP HANA security patches
- SAP HANA security patches are published as part of the SAP Security Patch strategy (SAP Security Notes)
- Security notes for all SAP products are available at http://service.sap.com/securitynotes; for SAP HANA, filter for component HAN*
- Patches are delivered as SAP HANA revisions

More information: FAQ SAP Security Notes; FAQ SAP Security Patch Process
SAP security approach
Security is an important and integral part of every step of the SAP Development Lifecycle, which applies to all products. This includes security testing as well as a defined and established process to report and deal with potential security issues.
- SAP security solutions: http://www.sap.com/security
- SAP security approach and vulnerability reporting: http://www.sap.com/pc/tech/application-foundation-security/software/security-at-sap/index.html
Thank you
Contact information
Andrea Kristen
SAP HANA Product Management
AskSAPHANA@sap.com
2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.