
PUBLIC

SAP HANA Appliance Software SPS 05


Document Version: 1.1 - 2012-12-21

SAP HANA Security Guide

Table of Contents

1 Document History
2 Introduction
  2.1 Target Audience
  2.2 About this Document
3 Before You Start
  3.1 SAP HANA Guides
  3.2 Important SAP Notes
  3.3 Additional Information
4 SAP HANA Technical System Landscape
5 SAP HANA Network Security
  5.1 Communication Channel Security
    5.1.1 Securing Data Communication
    5.1.2 Communication Ports
6 SAP HANA User Management
  6.1 User Administration Tools
  6.2 User Types
  6.3 Standard Users
7 SAP HANA Authentication
  7.1 Password Policy
    7.1.1 Password Policy Parameters
  7.2 Password Blacklist
  7.3 Resetting the SYSTEM User Password
  7.4 Integration into Single Sign-On Environments
  7.5 Authentication Using SAML Bearer Token
    7.5.1 User Mapping
8 SAP HANA Authorization
  8.1 Privileges
    8.1.1 Analytic Privileges
    8.1.2 Creation and Management of Analytic Privileges
  8.2 Roles
    8.2.1 Standard Roles
  8.3 Authorization in the Repository of the SAP HANA Database

2012 SAP AG. All rights reserved.

    8.3.1 User Authorization for the Repository
    8.3.2 _SYS_REPO Authorization in the Repository
    8.3.3 Granting and Revoking Privileges on Activated Repository Objects
9 Secure Communication in the SAP HANA Landscape
  9.1 Configuring HTTPS Between SAP HANA Database and SAP HANA Studio
    9.1.1 Setup on Server-Side
    9.1.2 Setup on Client-Side (SQLDBC-Based Connections)
    9.1.3 Setup on Client-Side (JDBC-Based Connections)
    9.1.4 Setup of SAP HANA Studio Connections (JDBC-Based-Connections)
  9.2 Configuring SSL for SAP HANA Database Internal Communication
  9.3 Configuring HTTPS (SSL) for Client Application Access
10 SAP HANA Data Storage Security
  10.1 Data Protection on File System
  10.2 Data Volume Encryption
    10.2.1 Implications of Persistence Encryption for Backup and Recovery
    10.2.2 Periodic Administration Tasks for Persistence Encryption
  10.3 Secure Data Storage for SAP HANA
  10.4 Secure User Store
11 Auditing Activity in SAP HANA Systems
  11.1 Audit Policies
  11.2 Audit Trail
  11.3 Auditing Configuration and Audit Policy Management
12 SAP HANA Additional Components
  12.1 SAP HANA Information Composer
  12.2 Lifecycle Management Tools
  12.3 Unified Installer
  12.4 SAP HANA UI Toolkit for Info Access
  12.5 SAP HANA UI Integration Services
  12.6 Application Function Library (AFL)
  12.7 SAP HANA Extended Application Services (SAP HANA XS)
  12.8 R Integration
13 Security for SAP HANA Replication Technologies
14 Security Reference Information
  14.1 SAP HANA Port and Connection Tables
    14.1.1 SAP HANA Database Internal Communication Ports and Connections
    14.1.2 SAP HANA Database Client Access Ports and Connections
    14.1.3 SAP HANA Extended Application Services Ports and Connections
    14.1.4 SAP HANA Administrative Ports and Connections


    14.1.5 Remote Support Ports and Connections
    14.1.6 Additional Scenarios Ports and Connections
  14.2 SAP HANA Replication Technologies
    14.2.1 Introduction
    14.2.2 Trigger-Based Replication
    14.2.3 ETL-Based Replication
    14.2.4 SAP HANA Direct Extractor Connection (DXC)
    14.2.5 Comparison of Replication Methods


1 Document History

The document history includes all versions of the document that have been published.

| Version | Date | SAP HANA Revision | Description |
|---|---|---|---|
| 1.1 | 21 Dec 2012 | 47 | Content has been added to the following sections: Section 2.2, About this Document; Section 12.5, SAP HANA UI Integration Services |


2 Introduction

Caution: This guide does not replace the administration or operation guides that are available for productive operations.

2.1 Target Audience

- Technology consultants
- Security consultants
- System administrators

This document is not included as part of the installation guides, configuration guides, technical operation
manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software lifecycle, whereas
security guides provide information that is relevant for all lifecycle phases.

2.2 About this Document

The SAP HANA Security Guide provides an overview of the security-relevant information that applies to the SAP HANA appliance software, including the SAP HANA database.
The SAP HANA Security Guide comprises the following main sections:

- Before You Start
  This section contains references to the most important SAP Notes that apply to the security of the SAP HANA appliance software and further helpful resources.
- SAP HANA Technical System Landscape
  This section provides an overview of the technical components, including a technical system landscape diagram.
- SAP HANA Network Security
  This section provides an overview of the network security concepts for the SAP HANA appliance software. To restrict access at the network level, it also includes recommendations for the network topology.
- SAP HANA User Management
  This section provides an overview of the following:
  - Concepts related to user management in SAP HANA
  - Tools for user administration
  - Types of users in SAP HANA
  - Standard users delivered with SAP HANA
- SAP HANA Authentication
  This section provides an overview of the authentication mechanisms supported by SAP HANA, including integration into single sign-on environments.
- SAP HANA Authorization
  This section provides an overview of the authorization concept of SAP HANA (privileges and roles), including authorization in the SAP HANA repository.
- Secure Communication in the SAP HANA Landscape
  This section provides an overview of the applicable communication paths used by SAP HANA and the security mechanisms.
- SAP HANA Data Storage Security
  This section provides an overview of applicable critical data that is used by the SAP HANA database and the security mechanisms, including a subsection about data volume encryption.
- Auditing Activity in SAP HANA Systems
  This section provides an overview of the auditing feature of the SAP HANA database.
- SAP HANA Additional Components
  In addition to the SAP HANA database, the following components are part of the SAP HANA landscape and are documented in this guide:
  - SAP HANA Information Composer
    This topic provides security-relevant information about the SAP HANA information composer, which is a Web application that allows you to upload data to and manipulate data on the SAP HANA database.
  - Lifecycle Management Tools
    This topic provides security-relevant information about Lifecycle Management Tools such as the Software Update Manager (SUM).
  - Unified Installer
    This topic provides security-relevant information for the Unified Installer, which is a tool for installing the SAP HANA appliance software in a single, unified, and predefined way.
  - SAP HANA UI Toolkit for Info Access
    This topic provides security-relevant information about the SAP HANA UI Toolkit for Info Access, which provides HTML5 UI building blocks for developing search-based applications on SAP HANA.
  - SAP HANA UI Integration Services
    This topic provides security-related information about SAP HANA UI Integration Services, which enable you to integrate standalone SAP HANA client applications into web user interfaces to support end-to-end business scenarios.
  - Application Function Library (AFL)
    SAP HANA provides several techniques to move application logic into the database, and one of the most important is the use of application functions. This topic provides security-relevant information about the Application Function Library (AFL).
  - SAP HANA Extended Application Services (SAP HANA XS)
    This topic provides security-related information about SAP HANA Extended Application Services (SAP HANA XS), which enables you to define access to each individual application package that you want to develop and deploy.
  - R Integration
    This topic provides security-related information about R, an open source programming language and software environment for statistical computing and graphics.
- Security for SAP HANA Replication Technologies
  This section provides an overview of the security aspects of the various replication technologies.
  Note: For more detailed information about the security of the SAP HANA replication technologies, see the security guides for these technologies at SAP HANA Appliance Software SAP Help Portal.
- Security Reference Information
  - SAP HANA Port and Connection Tables
    This section provides tables of the SAP HANA port and connection types for configuring firewalls and networks.
  - SAP HANA Replication Technologies
    This section provides general information about the replication technologies that may be used with SAP HANA, as well as a comparison of the replication methods.


3 Before You Start

3.1 SAP HANA Guides

For more information about SAP HANA landscape, security, installation, and administration, see the resources listed below:

| Topic | Location | Quick Link |
|---|---|---|
| SAP HANA landscape, deployment, and installation | SAP HANA Knowledge Center on SAP Service Marketplace | https://service.sap.com/hana: SAP HANA Master Guide; SAP HANA Installation Guide with SAP HANA Unified Installer; SAP HANA Master Update Guide; SAP HANA Automated Update Guide |
| SAP HANA administration and security | SAP HANA Knowledge Center on the SAP Help Portal | http://help.sap.com/hana_appliance: SAP HANA Technical Operations Manual; SAP HANA Security Guide |

3.2 Important SAP Notes

Important SAP Notes that apply to SAP HANA appliance software and SAP HANA database security are shown in the table below.
Note: SAP supports customers installing additional tools on the SAP HANA appliance within defined boundaries. It is the responsibility of the customer to ensure that the network channels used by those tools are appropriately protected. For detailed information, see the SAP Notes listed below.
In addition, you can find a list of security-relevant SAP Notes on the SAP Service Marketplace at https://service.sap.com/securitynotes.

| SAP Note | Title |
|---|---|
| 1598623 | SAP HANA appliance: Security |
| 1514967 | SAP HANA appliance: Central Note |
| 1730928 | Using external software in an SAP HANA appliance |
| 1730929 | Using external tools in an SAP HANA appliance |
| 1730930 | Using antivirus software in an SAP HANA appliance |
| 1730932 | Using backup tools with Backint for SAP HANA |
| 1730996 | Nonrecommended external software and software versions |
| 1730997 | Nonrecommended versions of antivirus software |
| 1730998 | Nonrecommended versions of backup tools |
| 1730999 | Configuration changes in SAP HANA appliance |
| 1731000 | Nonrecommended configuration changes |

3.3 Additional Information

For more information about specific topics, see the Quick Links in the table below.

| Content | Quick Link on the SAP Service Marketplace or SDN |
|---|---|
| Security | https://sdn.sap.com/irj/sdn/security |
| Security Guides | https://service.sap.com/securityguide |
| Related SAP Notes | https://service.sap.com/notes, https://service.sap.com/securitynotes |
| Released platforms | https://service.sap.com/pam |
| Network security | https://service.sap.com/securityguide |
| SAP Solution Manager | https://service.sap.com/solutionmanager |
| SAP NetWeaver | http://sdn.sap.com/irj/sdn/netweaver |
| In-Memory Computing | http://www.sdn.sap.com/irj/sdn/in-memory |


4 SAP HANA Technical System Landscape

The diagram below shows an overview of the technical system landscape for the SAP HANA appliance software
and its related components. The related components include the SAP HANA studio and other applications, such
as the SAP HANA information composer.
Note: The diagram below shows a sample configuration with one SAP HANA appliance and three SAP
HANA hosts, as well as some optional components that must be purchased separately.


5 SAP HANA Network Security

This topic provides information about the different network channels of your SAP HANA system, the
required access for different scenarios, and the configuration options provided by SAP HANA. There are
different network channels that are required for communication between different parts of an SAP HANA
landscape, as shown in the topic SAP HANA Technical System Landscape.
It is recommended security practice to have a well-defined network topology to control and restrict network
access to the SAP HANA system to only the communication channels required for your respective scenario and to
apply appropriate additional security measures, such as encryption, where necessary. This can be achieved by
using different means such as separate network zones, network firewalls, or through configuration options, such
as encryption, provided by SAP HANA. The detailed setup is dependent on the specific customer environment, the
SAP HANA scenarios, and the security requirements or policies of the customer. Based on the information in this
chapter, customers can decide how SAP HANA can be securely integrated in their respective network
environment.
Note: For information about configuring network parameters in a distributed system, see the section
Network Security in SAP HANA Administration Guide.
When using SAP HANA appliance software, we recommend operating different components of the solution in
separate network segments. In order to prevent any unauthorized access to the SAP HANA appliance and the
SAP HANA database through the network, we recommend controlling the network traffic between the different
network segments by using a firewall or a packet filter. For more information about additional security
mechanisms using encrypted communication, see Secure Communication in the SAP HANA Landscape.
The system landscape gives an overview of the different network segments that, depending on the individual
configuration, are available. The detailed setup is dependent on the specific application scenario and customer
network infrastructure.
The SAP HANA appliance should be operated in a protected data center environment. Only dedicated authorized
network traffic should be allowed from other network zones (for example, user access from client network zone):

- Client access (that is, all access to external standard database functionality, for example, SQL) only requires access to the client access port.
  Note: In distributed scenarios, clients must be able to access every node of the distributed SAP HANA appliance.
- Client HTTP access (for example, browser) in scenarios that use the HTTP access feature of SAP HANA Extended Application Services (SAP HANA XS), for example, ETL-based Data Acquisition by SAP HANA Direct Extractor Connection and SAP HANA UI Toolkit for Info Access.
- For some administrative functions (for example, starting and stopping the SAP HANA instance), access to the administrative ports is additionally required.
- Database internal communication is only used for communication within the database or, in a distributed scenario, for the communication between hosts.
  - In a single blade scenario (one instance of SAP HANA on one blade), access to those ports from other network hosts must be blocked.
  - In a distributed scenario of SAP HANA (one instance of SAP HANA on multiple blades), we recommend operating all blades in a dedicated subnet. We further recommend ensuring that communication on the internal communication channels is restricted to communication between authorized hosts of an instance.
    Caution: The internal communication must be strictly separated from the external or client communication paths. Access from hosts that are not part of an instance of the SAP HANA appliance should be blocked.
    If your setup does not allow having the internal communication in a dedicated subnet, we recommend protecting the internal communication using encryption. For more information, see Secure Communication in the SAP HANA Landscape.

Additional network configurations may be required for specific replication scenarios. For more information about SAP HANA replication technologies, see Security Considerations for SAP HANA Replication Technologies.
Also see the SAP Library on SAP Help Portal at http://help.sap.com under SAP NetWeaver > SAP NetWeaver 7.3 > System Administration > Security Guide > SAP NetWeaver Security Guide.

Related Links

- Security Considerations for SAP HANA Replication Technologies [page 68]
- Secure Communication in the SAP HANA Landscape [page 42]
- SAP HANA Technical System Landscape [page 11]
- SAP NetWeaver 7.3 Network and Communication Security
- SAP NetWeaver 7.3 Security Guides for Connectivity and Interoperability Technologies
- SAP HANA Administration Guide

5.1 Communication Channel Security

The network communication channels in an SAP HANA landscape can be separated into different groups:

- SAP HANA database client access
  These are the network channels which are used for client access to the database or SAP HANA-based applications. There are two scenarios:
  - SAP HANA database clients to access the SQL interface of the SAP HANA database. The client in this case can be application servers that use SAP HANA as a database, direct end-user clients such as Microsoft Excel that access the database directly via the provided database clients, or access with the SAP HANA studio, such as for modeling.
  - Access to functionality provided by SAP HANA Extended Application Services (SAP HANA XS) via HTTP. Examples of this are applications based on SAP HANA Extended Application Services which are accessed using a web browser or mobile devices.
- Administrative access
  There are additional network channels which are used for specific remote administrative tasks such as starting or stopping the SAP HANA instances, updating the SAP HANA appliance software, and so on. Some administrative functions require access to the database SQL interface or the HTTP interface.
- SAP HANA database internal communication
  Those network channels are only used internally in the SAP HANA database to communicate between the different components of the SAP HANA database or for communication between the different hosts in a distributed SAP HANA instance.

Communication Ports for Outbound Communication

Note: The Software Update Manager (SUM) connects to the SAP Service Marketplace to check if new updates for the SAP HANA software are available. In order to do so, the outbound communication channel from the SUM to SAP Service Marketplace must be enabled by the customer's network setup.

Network Zones

SAP recommends the application of network firewall technology to create different network zones for the different components and to restrictively filter the traffic between those zones, implementing a minimum required communication approach. It is strongly recommended that you apply the measures in this document to protect the access to the SAP HANA database internal communication channels to mitigate the risk of unauthorized access to those services.
Tip: Block all access to other ports in the firewall that are not used by the SAP HANA database in your scenario.
Caution: The internal communication must be strictly separated from the external or client communication paths. Access from hosts that are not part of an instance of the SAP HANA appliance should be blocked. If your setup does not allow having the internal communication in a dedicated subnet, we recommend protecting the internal communication using encryption.

Communication Encryption

As shown in the table below, SAP HANA supports encrypted communication for the client-to-server communication. We recommend using encrypted channels in all cases where protection against network attacks such as eavesdropping is not provided by other network security measures, for example, access from end-user networks. As an alternative, VPN tunnels can be used for the transfer of encrypted information.
Note: For more information about encrypted communication, see Secure Communication in the SAP HANA Landscape.
Note: For communication within the SAP HANA database, explicit security measures are recommended. See SAP HANA Network Security.
The table below shows the most relevant communication channels used by SAP HANA, the protocol used for the connection, and the type of data transferred.

Table 1: Communication Paths

| Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection |
|---|---|---|---|
| Client Access (for example, replication, application server, end-user client, modeling, SAP HANA studio) | | | |
| SAP HANA database to data providers | ODBC/JDBC over TCP (SSL supported) | All application data | All application data |
| SAP HANA database to admin client | ODBC/JDBC over TCP (SSL supported) | User data, configuration data, trace files. For modeling: Data models | User data, configuration data, trace files. For modeling: Data models |
| SAP HANA database to end-user clients | ODBC/JDBC over TCP (SSL supported) | All application data | All application data |
| SAP HANA Extended Application Services (SAP HANA XS) | HTTP | All application data | All application data |
| Administrative Access | | | |
| SAP Start Service | HTTP/HTTPS | Configuration data, trace files | Configuration data, trace files |
| Software Update Manager (SUM) with SAP HANA studio | HTTP/HTTPS | Configuration data | |
| SUM with SAP host agent | HTTPS | Configuration data | |
| SUM with Service Marketplace | HTTPS | Configuration data | |
| Operating system access | SSH | Operating system commands, and so on. | Operating system commands, and so on. |
| Database Internal Communication | | | |
| SAP HANA database internal communication and communication between SAP HANA database instances in distributed installations | TCP (SSL supported) | All application data; Configuration data | All application data; Configuration data |

Related Links

- SAP HANA Port and Connection Tables [page 70]
  Tables of all listening TCP/IP network ports that are used by SAP HANA.

5.1.1 Securing Data Communication

As shown in the table above, SAP HANA supports encrypted communication for client-to-server and internal communication.
We recommend using encrypted channels in all cases where protection against network attacks such as eavesdropping is not provided by other network security measures (for example, access from end-user networks). For more information about encrypted communication, see Secure Communication in the SAP HANA Landscape.
For communication within the SAP HANA database, for performance reasons, explicit security measures are recommended. For more information, see SAP HANA Network Security.


5.1.2 Communication Ports

The table below lists the ports that are used by SAP HANA. We recommend controlling the network traffic between the different network segments by using a firewall or a packet filter.
Tip: Block all access to other ports in the firewall that are not used by the SAP HANA database.
Note: In certain scenarios, additional communication channels, for example, for remote operating system access may be required.
The notation of the ports is as follows: n<instance>xy, where <n> is either 3 or 5 (see table below), <instance> is a two-digit number representing the instance number of the SAP HANA appliance, and <xy> represents a consecutive number.

Communication Ports for Inbound Communication

Client Access

Port Number: 3<instance>15
Used for: Standard SQL communication for client access. This is the only port required for client access.

Port Number: 80<instance>/43<instance>
Used for: SAP HANA XS (HTTP/HTTPS). Only enabled in scenarios that use SAP HANA XS (for example,
ETL-based Data Acquisition by SAP HANA Direct Extractor Connection).

Administrative Access

Port Number: 5<instance>13, 5<instance>14 (SSL)
Used for: System administration (for example, startup and shutdown) and communication between SUM and
SAP Start Service on different hosts.
For more information about the SAP Start Service, see the SAP Library on SAP Help Portal at
http://help.sap.com under SAP NetWeaver > SAP NetWeaver 7.3 > Functional View > SAP NetWeaver by
Functional Areas > Application Server > Application Server Infrastructure > Architecture of the SAP
NetWeaver Application Server > SAP Start Service.
Note: For SAP HANA appliance software, the SAP Start Service is only used to start and stop an instance
of the SAP HANA database and to monitor an instance of the SAP HANA database.

Port Number: 8080/8443
Used for: Software Update Manager (SUM) access (HTTP/HTTPS)

Database Internal Communication

Port Number: 3<instance>00, 3<instance>01, 3<instance>02, 3<instance>03, 3<instance>05, 3<instance>07
Used for: Database internal communication only. These ports should only be accessible from other hosts
of the SAP HANA appliance.
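The following added example (not part of the SAP guide and not SAP code) expands the port notation above for a given instance number and audits a set of firewall allow rules against the table. The rule format, the host addresses and the sample rules are constructed for illustration.

```python
import ipaddress

# Port patterns from the inbound table; "{i}" is the two-digit instance number.
PORT_PATTERNS = [
    ("3{i}15", "client", "standard SQL client access"),
    ("80{i}", "client", "SAP HANA XS (HTTP)"),
    ("43{i}", "client", "SAP HANA XS (HTTPS)"),
    ("5{i}13", "admin", "SAP Start Service"),
    ("5{i}14", "admin", "SAP Start Service (SSL)"),
    ("8080", "admin", "SUM (HTTP)"),
    ("8443", "admin", "SUM (HTTPS)"),
    ("3{i}00", "internal", "database internal communication"),
    ("3{i}01", "internal", "database internal communication"),
    ("3{i}02", "internal", "database internal communication"),
    ("3{i}03", "internal", "database internal communication"),
    ("3{i}05", "internal", "database internal communication"),
    ("3{i}07", "internal", "database internal communication"),
]


def hana_ports(instance):
    """Return {port: (category, purpose)} for a numeric instance number (0-99)."""
    if not 0 <= instance <= 99:
        raise ValueError("instance number must be between 00 and 99")
    i = f"{instance:02d}"
    return {int(p.format(i=i)): (cat, purpose) for p, cat, purpose in PORT_PATTERNS}


def audit_rules(instance, rules, appliance_hosts):
    """Check (source_cidr, dest_port) allow rules against the port table.

    Flags rules that open a port the table does not list, and rules that expose
    an internal port to any address that is not a host of the appliance.
    """
    ports = hana_ports(instance)
    hosts = {ipaddress.ip_address(h) for h in appliance_hosts}
    findings = []
    for source, port in rules:
        net = ipaddress.ip_network(source)
        if port not in ports:
            findings.append((source, port, "not an SAP HANA port; block unless separately justified"))
            continue
        category, _purpose = ports[port]
        if category == "internal":
            # Only iterate the network when it is small enough to be all appliance hosts.
            only_appliance = net.num_addresses <= len(hosts) and all(a in hosts for a in net)
            if not only_appliance:
                findings.append((source, port, "internal port reachable from outside the appliance"))
    return findings


# Constructed sample data: instance 00, two appliance hosts, five allow rules.
APPLIANCE_HOSTS = ["192.168.10.11", "192.168.10.12"]
RULES = [
    ("10.0.0.0/8", 30015),        # client SQL access from the user network
    ("10.0.0.0/8", 30001),        # internal port opened too widely
    ("192.168.10.11/32", 30001),  # internal port from an appliance host
    ("10.0.0.0/8", 22),           # not in the table (remote OS access)
    ("10.20.0.5/32", 50014),      # administration over SSL
]

if __name__ == "__main__":
    for source, port, reason in audit_rules(0, RULES, APPLIANCE_HOSTS):
        print(f"{source} -> {port}: {reason}")
```
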

Communication Ports for Outbound Communication


The SUM connects to the SAP Service Marketplace to check if new updates for the SAP HANA software are
available. In order to do so, the outbound communication channel from the SUM to the SAP Service Marketplace
address https://service.sap.com must be enabled by the customer's network setup.
Related Links

SAP HANA Port and Connection Tables [page 70]


Tables of all listening TCP / IP network ports that are used by SAP HANA.


SAP HANA User Management

Every user who wants to work with the SAP HANA database must have a database user. The identity of a database
user accessing the database is verified through a process called authentication. The SAP HANA database
supports internal authentication based on a username-password combination and authentication using external
user repositories.
Note: A user who connects to the database using an external authentication provider must have a
database user known to the database.
Once their identity has been verified, database users can perform database operations on database objects.
Whether or not a user is authorized to perform operations on objects in the database is determined by their
privileges. The database user must have privileges to perform the operation and to access the object (for
example, a table) to which the operation applies. Privileges can be granted to database users either directly, or
indirectly through roles that they have been granted.
All the privileges granted directly or indirectly to a user are combined. This means whenever a user tries to access
an object, the system performs an authorization check on the user, the user's roles, and directly granted
privileges. It is not possible to explicitly deny privileges. This means that the system does not need to check all the
user's roles. As soon as all requested privileges have been found, the system aborts the check and grants access.
Although privileges can be granted directly to users, roles are the standard mechanism of granting privileges as
they allow you to implement both fine-grained and coarse-grained reusable hierarchies of user access that can be
modeled on business roles. Several standard roles are delivered with the SAP HANA database (for example,
MODELING, MONITORING). You can use these as templates for creating your own roles.
The relationship between the entities involved in user management can therefore be summarized as follows:

A principal is either a role or a user.

A known user can log on to the database. A user can be the owner of database objects.

A role is a collection of privileges and can be granted to either a user or another role (nesting).

A privilege is used to impose restrictions on operations carried out on database objects, such as schemas,
tables, and views.

This relationship is depicted in the following figure:


6.1 User Administration Tools

You can create and manage SAP HANA database users with several different tools. The following table lists the
available tools and the administration tasks that you can perform with each.

Tool: SAP HANA studio
User Administration Tasks Possible: You can use the SAP HANA studio for the following tasks related to
user and role administration:
- Creating database users
- Deleting, deactivating, and reactivating database users
- Modeling and activating analytic privileges
- Creating roles and role hierarchies
  Note: You can create roles in runtime on the basis of SQL statements or as design-time objects in the
  repository of the SAP HANA database. However, it is recommended that you create roles in the
  repository as they offer more flexibility (for example, they can be transported between systems).
- Assigning roles and privileges to users
- Verifying which privileges individual users have

Tool: Command line interface (hdbsql or other SQL tool)
User Administration Tasks Possible: You can perform all user administration tasks from the command line
using SQL requests. This is useful when using scripts for automated processing.

Tool: SAP NetWeaver Identity Management
User Administration Tasks Possible: SAP NetWeaver Identity Management 7.2 Support Package Stack 3 and
higher contains a connector to the SAP HANA database. With SAP NetWeaver Identity Management you can
perform the following user administration tasks in the SAP HANA database:
- Creating and deleting user accounts
- Assigning roles
- Setting passwords for users

Tool: SAP HANA On-Site Configuration tool
User Administration Tasks Possible: You can use the SAP HANA On-Site Configuration tool to perform
post-installation steps including changing user passwords.

Related Links

SAP HANA Installation Guide with Unified Installer


SAP HANA Administration Guide
SAP HANA Developer Guide
SAP NetWeaver Identity Management (SAP IdM)

6.2 User Types

It is often necessary to specify different security policies for different types of database user. In the SAP HANA
database, we differentiate between the following user types:

Database users that correspond to real people


The database administrator creates a database user for every person who needs to work in the SAP HANA
database. Database users that correspond to real people are dropped when the person leaves the
organization. This means that database objects that they own are also automatically dropped, and privileges
that they granted are automatically revoked.

Technical database users


Technical database users do not correspond to real people. They are therefore not dropped if a person leaves
the organization. This means that they should be used for administrative tasks such as creating objects and
granting privileges for a particular application.
Some technical users are available as standard, for example, the users SYS, _SYS_STATISTICS, and
_SYS_REPO. It is not possible to log on to the database with these users.
Other technical database users are application specific. For example, an application server may log on to the
SAP HANA database using a dedicated technical database user.


Technically, these user types are the same; authentication and authorization are the same for both. The only
difference between them is conceptual.

6.3 Standard Users

Certain users are required for installing, upgrading, and operating the SAP HANA database. The following table
lists the standard users that are available.

User: SYSTEM
Description: The SYSTEM database user is the initial user that is created during the installation of the
SAP HANA database. SYSTEM is a powerful database user; it has irrevocable system privileges, such as the
ability to create other database users, access system tables, and so on.
Caution: Do not use the SYSTEM user for day-to-day activities. Instead, use this user to create dedicated
database users for administrative tasks and to assign privileges to these users.
Password Specification: You specify the initial password during installation.

User: <sid>adm, where sid is the ID of the database system
Description: The <sid>adm user is an operating system user and is also referred to as the operating
system administrator. This operating system user has unlimited access to all local resources related to
SAP systems. This user is not a database user but a user at the operating system level.
Password Specification: You specify the initial password during installation.

User: SYS
Description: The SYS is a technical database user. It is the owner of system objects such as system
tables and monitoring views.
Password Specification: Not applicable. This is a technical database user. It is not possible to log on
with this user.

User: _SYS_STATISTICS
Description: _SYS_STATISTICS is a technical database user used by the statistics server of the SAP HANA
database. The statistics server is the main component of the monitoring infrastructure of the SAP HANA
database. It collects information about status, performance, and resource usage from all components of
the database and issues alerts if necessary.
Password Specification: Not applicable. This is a technical database user. It is not possible to log on
with this user.

User: _SYS_REPO
Description: _SYS_REPO is a technical database user used by the SAP HANA repository. The repository
consists of packages that contain design time versions of various objects, such as attribute views,
analytic views, calculation views, procedures, analytic privileges, and roles. _SYS_REPO is the owner of
all objects in the repository, as well as their activated runtime versions.
Password Specification: Not applicable. This is a technical database user. It is not possible to log on
with this user.

SAP HANA Authentication

The identity of every database user accessing the database is verified through a process called authentication.
The SAP HANA database supports internal authentication based on a username-password combination and
authentication using external user repositories.

Internal authentication
Users are created in SAP HANA database only. Their identity is verified by means of a username-password
combination.
Note: For some administrative operations (such as start-up, shutdown, and database recovery), the
credentials of the SAP operating system user (<sapsid>adm) are also required.

Authentication using external user repositories based on the following mechanisms:

Kerberos (third-party authentication provider) for integration into single sign-on environments

Security Assertion Markup Language (SAML) bearer token


Note: A user who connects to the database using an external authentication provider must also have a
database user known to the database.

7.1 Password Policy

Passwords for internal authentication of database users are subject to certain security rules. These are
configured using the parameters in the password policy section of the system properties file indexserver.ini.
You can view and change the parameters of system properties files in the Administration editor of the SAP HANA
studio.
The following monitoring views are also available in which you can view the parameters and their current values:

M_INIFILE_CONTENTS

M_PASSWORD_POLICY

Related Links

SAP HANA Administration Guide


SAP HANA System Tables and Monitoring Views Reference

7.1.1 Password Policy Parameters

The table below contains the password policy parameters and their default values, and explains the function of
each parameter.

Parameter: minimal_password_length
Default Value: 8
Description: Defines the minimum password length. The accepted value range is 6 to 64 characters. The
allowed character classes are described directly below in the following table row.

Parameter: password_layout
Default Value: A1a
Description: Defines the character types that must be used in the creation of a password.
- Uppercase letter: A-Z
- Lowercase letter: a-z
- Numbers: 0-9
- Special characters: Underscore (_), hyphen (-), and so on. Any character that is not an uppercase
  letter, a lowercase letter, or a number is considered to be a special character.
According to the example provided in the Default Value column, passwords would be required to contain at
least one uppercase letter, at least one number, and at least one lowercase letter, with special
characters being optional. However, you can use any specific letters and numbers and special characters
to define the password_layout parameter, and the characters can be in any order. For example, the default
value example could also have been represented by a1A, hQ5, or 9fG. If you want to enforce the use of at
least one of each character type including special characters, you could use A1a_ or 2Bg?.
Tip: When a password is enclosed in double quotes (") during user creation, any Unicode characters may be
used.
Caution: The use of passwords enclosed in double quotes (") may cause logon issues, depending on the
client used. The SAP HANA studio, for example, supports passwords enclosed in double quotes ("), while
the hdbsql command line tool does not.

Parameter: force_first_password_change
Default Value: true
Description: Defines whether users have to change their initial passwords at first logon.
Logging on with the initial password is still possible but only the
ALTER USER <current_user> PASSWORD <password> command can be executed. All other statements give the
error message "user is forced to change password".
Administrators can force a user to change the password at any time with the following SQL command:
    ALTER USER <user_name> FORCE PASSWORD CHANGE

Parameter: maximum_invalid_connect_attempts
Description: Defines how many invalid logon attempts are allowed before the user account is locked.
Administrators can reset the number of invalid logon attempts with the following SQL command:
    ALTER USER <user_name> RESET CONNECT ATTEMPTS
With the first successful logon after an invalid logon attempt, an entry is made into the
INVALID_CONNECT_ATTEMPTS view showing:
- The number of invalid logon attempts since the last successful logon
- The time of the last successful logon
Administrators and users can delete the information of invalid logon attempts with the following SQL
command:
    ALTER USER <user_name> DROP CONNECT ATTEMPTS

Parameter: password_lock_time
Default Value: 1440
Description: Defines the duration in minutes that a user account is locked after a defined number of
failed logon attempts. The default value is set to 1,440 minutes (= 24 hours).
Administrators can reset the number of invalid logon attempts and unlock the user account with the
following SQL command:
    ALTER USER <user_name> RESET CONNECT ATTEMPTS

Parameter: last_used_passwords
Description: Defines the number of last used passwords that the user is not allowed to use when changing
the current password.

Parameter: maximum_password_lifetime
Default Value: 182
Description: Defines the duration in days that a password is valid. After the expiry of this validity
period, users have to change their password at the next logon.
Administrators can exclude users from this password lifetime check with the following SQL command:
    ALTER USER <user_name> DISABLE PASSWORD LIFETIME
Note: It is recommended to perform this step for technical users only, not for standard database users.

Parameter: password_expire_warning_time
Default Value: 14
Description: Defines a number of days before password expiration. Starting at the given period before
the expiration date, users receive notification when logging on that their password will soon expire.

Parameter: maximum_unused_initial_password_lifetime
Default Value: 28
Description: Defines the duration in days that an initial password for a user account is valid.
If an initial password has not been used for the first time within the given period of time, the
password becomes invalid and the password must be reset.
If the value of this parameter is set to 0, no check is performed.

Parameter: maximum_unused_productive_password_lifetime
Default Value: 365
Description: Defines the duration in days that a user-defined password is valid.
If a user-defined password has not been reused within the given period of time, the password becomes
invalid and the password must be reset.
If the value of this parameter is set to 0, no check is performed.

Parameter: minimum_password_lifetime
Description: Defines the minimum duration in days that a newly entered user-defined password remains
valid before the user can change it again.
If the value of this parameter is set to 0, no check is performed.

7.2 Password Blacklist

A password blacklist is a list of words (blacklist terms) that are not allowed as passwords or parts of
passwords. SAP HANA performs a password check when you create or alter a user's password but not when the
password is used during logon.
Note: It is possible that a password exists that does not adhere to the current blacklist rules because it
may have been defined before the current state of the blacklist was reached.
The password blacklist allows you to specify the following:

If the blacklist term check is case sensitive.

If the blacklist term check applies to either whole or partial passwords.

The password blacklist in SAP HANA has been implemented with the following table:

    CREATE TABLE _SYS_SECURITY._SYS_PASSWORD_BLACKLIST
    (BLACKLIST_TERM NVARCHAR(256) NOT NULL,
     CHECK_PARTIAL_PASSWORD VARCHAR(6) NOT NULL,
     CHECK_CASE_SENSITIVE VARCHAR(6) NOT NULL,
     PRIMARY KEY (CHECK_PARTIAL_PASSWORD, CHECK_CASE_SENSITIVE, BLACKLIST_TERM) )

This table is empty when you create a new instance. The _SYS_SECURITY schema and the
_SYS_PASSWORD_BLACKLIST table are owned by the SYSTEM user. The SYSTEM user is allowed to select,
insert, update, and delete rows in this table and may grant the corresponding privileges to those users who may
need them.
Caution: For security reasons, even the privilege to select should be handled very carefully to prevent users
from being able to view the items that are not allowed as passwords or parts of passwords.
The BLACKLIST_TERM column is populated with the blacklist terms. According to the value in the
CHECK_CASE_SENSITIVE column, you can determine whether the blacklist term is case sensitive.
The columns CHECK_PARTIAL_PASSWORD and CHECK_CASE_SENSITIVE are populated with the values <TRUE>
or <FALSE>.

    INSERT INTO _SYS_SECURITY._SYS_PASSWORD_BLACKLIST VALUES ('sap', 'TRUE', 'FALSE')
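The following added example (not part of the SAP guide and not SAP code) shows how the password_layout value from section 7.1.1 and the blacklist rows above can be interpreted to pre-check a candidate password outside the database. It assumes that a partial check is a substring match and a whole check is an equality match; the second blacklist row and the sample passwords are constructed.

```python
import string


def char_class(ch):
    """Classify one character the way the password_layout description does."""
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "digit"
    return "special"  # anything that is not A-Z, a-z or 0-9


def required_classes(layout):
    """A1a, a1A, hQ5 and 9fG all reduce to the same set of required classes."""
    return {char_class(c) for c in layout}


def blacklist_hits(password, rows):
    """rows mirror _SYS_PASSWORD_BLACKLIST: (term, check_partial, check_case_sensitive)."""
    hits = []
    for term, check_partial, check_case_sensitive in rows:
        candidate, needle = password, term
        if check_case_sensitive.upper() != "TRUE":
            candidate, needle = candidate.lower(), needle.lower()
        if check_partial.upper() == "TRUE":
            matched = needle in candidate      # assumed: partial = substring match
        else:
            matched = needle == candidate      # assumed: whole = exact match
        if matched:
            hits.append(term)
    return hits


def check_password(password, layout="A1a", min_length=8, blacklist=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = required_classes(layout) - {char_class(c) for c in password}
    for cls in sorted(missing):
        problems.append(f"missing {cls} character")
    for term in blacklist_hits(password, blacklist):
        problems.append(f"blacklisted term {term!r}")
    return problems


# First row is the INSERT shown above; the second row is constructed.
BLACKLIST = [
    ("sap", "TRUE", "FALSE"),
    ("Welcome1", "FALSE", "TRUE"),
]

if __name__ == "__main__":
    for pw in ("MySAPpass1", "Welcome1", "Welcome12", "abc"):
        print(pw, check_password(pw, blacklist=BLACKLIST))
```
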
Related Links

SAP HANA Administration Guide

7.3 Resetting the SYSTEM User Password

If the SYSTEM user's password is lost, you can use the SAP operating system user to reset the password. To
recover an SAP HANA instance where the SYSTEM user's password is lost, you therefore need to have
<sid>adm access to the instance on which the master index server of the SAP HANA database is running.

1. Open a command line interface, and log on to the server on which the instance of the SAP HANA master
   index server is running.

2. Shut down the instance.

3. Start the name server by executing the following commands:

   /usr/sap/<SID>/HDB<instance>/hdbenv.sh
   /usr/sap/<SID>/HDB<instance>/exe/hdbnameserver

4. Start an index server in console mode by executing the following commands:

   /usr/sap/<SID>/HDB<instance>/hdbenv.sh
   /usr/sap/<SID>/HDB<instance>/exe/hdbindexserver -console

   You see the output of a starting index server. When the service has started, you have a console to the
   SAP HANA instance where you are logged on as the SYSTEM user.

5. You can reset the SYSTEM user's password and store the new password in a secure location with the
   following SQL command:

   ALTER USER SYSTEM password <new password>


The password for the SYSTEM user is reset. As you are logged on as the SYSTEM user in this console, you do not
have to change this new password the next time you log on with this user, regardless of what your password policy
setting is.

7.4 Integration into Single Sign-On Environments

SAP HANA supports Kerberos version 5 for single sign-on based on Active Directory (Microsoft Windows Server)
or Kerberos authentication servers. Both ODBC database clients and JDBC database clients support the Kerberos
protocol.
For more information about configuring Kerberos for SAP HANA hosts, see the SAP HANA Administration Guide.
Related Links

SAP HANA Administration Guide

7.5 Authentication Using SAML Bearer Token

SAP HANA supports the Security Assertion Markup Language (SAML) as an additional authentication mechanism
besides username/password and Kerberos. SAML is only used for authentication purposes and not for
authorization.
SAP HANA supports logon using SAML bearer assertions via the standard ODBC/JDBC database clients. It is the
database clients' responsibility to retrieve the SAML assertion used for the logon process.


Supported SAML Features


SAP HANA supports plain SAML 2.0 assertions as well as unsolicited SAML responses that include an
unencrypted SAML assertion. SAML assertions and responses have to be signed using XML signatures.
The following features of XML signatures are supported:

SHA1 and MD5 for hash algorithms

RSA-SHA1 as signature algorithm

X509Certificate elements
Note: The XML signature must contain the X.509 certificate of the identity provider within the
<X509Certificate> element.

The following SAML assertion features are supported:

Assertion Subject with NameID

Qualified NameID with SPProvidedID and SPNameQualifier

Validity conditions (NotBefore, NotOnOrAfter)

Audience restrictions
Note:

SAML is not supported in distributed environments.

Automatic client reconnect is not supported for SAML authenticated connections.

Assertion Properties Checked


The following properties of a SAML assertion are evaluated:

saml:Assertion/@Version: Must be 2.0.

saml:Subject/saml:NameID: Must exist.

saml:Subject/saml:NameID/@Format: Must be "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".

saml:Subject/saml:NameID/@SPProvidedID: Must either match an explicit mapping in the SAP HANA


database or a wildcard mapping must have been set for the user.

saml:Subject/saml:SubjectConfirmation: Must be "urn:oasis:names:tc:SAML:2.0:cm:bearer" if it exists.

saml:Conditions: The following conditions are currently evaluated:

@NotBefore

@NotOnOrAfter: Must be set.

AudienceRestriction
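The following added example (not part of the SAP guide and not SAP code) applies the property checks listed above to a constructed, unsigned assertion. It does not verify the XML signature, it reads the bearer URN from the Method attribute of SubjectConfirmation, and its explicit and wildcard mapping arguments are a simplified, hypothetical model of the user mappings configured in the database.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion (signature omitted); host names are placeholders.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_constructed" IssueInstant="2012-12-21T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        SPProvidedID="BILLG">zgc2VLavgYy4hsohfYPM21</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-12-21T10:00:00Z" NotOnOrAfter="2012-12-21T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>hana.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(value):
    """Parse an xs:dateTime such as 2012-12-21T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, now, audience, explicit=None, wildcard_users=()):
    """Return the list of failed checks; an empty list means all checks passed.

    explicit: {NameID value: database user} (hypothetical explicit mappings)
    wildcard_users: database users that accept any NameID (hypothetical)
    """
    explicit = explicit or {}
    # In production, parse untrusted XML with a hardened parser and verify the
    # XML signature before evaluating any property.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not saml:Assertion"]
    failures = []
    if root.get("Version") != "2.0":
        failures.append("Version is not 2.0")

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        failures.append("NameID missing")
    else:
        if name_id.get("Format") != UNSPECIFIED:
            failures.append("NameID Format is not unspecified")
        mapped = explicit.get((name_id.text or "").strip())
        sp_id = name_id.get("SPProvidedID")
        if sp_id is None and mapped is None:
            failures.append("no user mapping for NameID")
        elif sp_id is not None and mapped is not None and mapped != sp_id:
            failures.append("SPProvidedID conflicts with explicit mapping")
        elif sp_id is not None and mapped is None and sp_id not in wildcard_users:
            failures.append("SPProvidedID has no wildcard mapping")

    for conf in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if conf.get("Method") != BEARER:
            failures.append("SubjectConfirmation is not bearer")

    cond = root.find("saml:Conditions", NS)
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_after is None:
        failures.append("NotOnOrAfter not set")
    elif now >= parse_time(not_after):
        failures.append("assertion expired")
    if cond is not None:
        not_before = cond.get("NotBefore")
        if not_before is not None and now < parse_time(not_before):
            failures.append("assertion not yet valid")
        for restriction in cond.findall("saml:AudienceRestriction", NS):
            audiences = [a.text for a in restriction.findall("saml:Audience", NS)]
            if audience not in audiences:
                failures.append("audience not allowed")
    return failures


if __name__ == "__main__":
    now = parse_time("2012-12-21T10:02:00Z")
    print(check_assertion(SAMPLE, now, "hana.example.test", wildcard_users={"BILLG"}))
```
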

7.5.1 User Mapping

An identity provider must be configured as a logon option for each database user. The following types of user
mapping are supported:

SAP HANA-based user mappings:

The mapping to an SAP HANA database user is explicitly configured within SAP HANA for each identity
provider. The corresponding assertion subject looks like this:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">zgc2VLavgYy4hsohfYPM21</NameID>

Identity provider-based user mappings:

The identity provider maps its users to SAP HANA database users and provides this information using the
SPProvidedID attribute. The corresponding assertion subject looks like this:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" SPProvidedID="BILLG">zgc2VLavgYy4hsohfYPM21</NameID>

Note: If an SAP HANA-based user mapping exists for a given identity provider and a conflicting SPProvidedID
is sent from the identity provider, an error is returned.
For more information about configuring identity providers, see the SAP HANA Administration Guide.
Related Links

SAP HANA Administration Guide


SAP HANA Authorization

When a user accesses the SAP HANA database using a client interface (such as ODBC, JDBC, MDX), his or her
ability to perform database operations on database objects is determined by the privileges that he or she has
been granted.
The authorization concept of the SAP HANA database operates at different levels.
SQL Authorization

System privileges
System-wide SQL privileges exist to control general system activities and are mainly for administrative
purposes, such as creating schemas, creating and changing users, performing data backups, managing
licenses, and so on.

Object privileges
For each SQL statement type (for example, SELECT, UPDATE, or CALL), a corresponding object privilege
exists. If a user wants to execute a particular statement on a database object (for example, table, view, or
stored procedure), he or she must have the corresponding object privilege for either the actual object itself or
the schema in which the object is located. This is because the schema is an object type that contains other
objects. A user who has object privileges for a schema automatically has the same privileges for all objects
currently in the schema and any objects created there in the future.
Initially, the owner of an object and the owner of the schema in which the object is located are the only users
who can access the object and grant object privileges on it to other users.
An object can therefore only be accessed by the following users:

The owner of the object

The owner of the schema in which the object is located

Users to whom the owner of the object has granted privileges

Users to whom the owner of the parent schema has granted privileges
Caution: The database owner concept stipulates that when a database user is deleted, all objects
created by that user and privileges granted to others by that user are also deleted. If the owner of a
schema is deleted, all objects in the schema are also deleted even if they are owned by a different
user. All privileges on these objects are also deleted.

Row-Level Authorization
In addition to SQL authorization at activity and object level, analytic privileges are used to provide row-level
authorization on certain kinds of database objects, such as analytic views. Analytic privileges can only be used for
read operations and not for write operations. Using analytic privileges, it is possible to restrict the data in a view
that a user can see. An analytic privilege enables the grantee to see certain view rows that are identified by one or
more column values. For example, an analytic privilege could enable the grantee to see only those entries in the
SALES view for the years with the values 2006 to 2008.
Authorization in the SAP HANA Repository
In addition to privileges described above, package privileges provide a further means of restricting access to
different design-time objects that are bundled in packages in the repository of the SAP HANA database.


Authorization Check
All the privileges granted directly or indirectly (through roles) to a user are combined. This means that whenever a
user tries to access an object, the system performs an authorization check on the user, the user's roles, and
directly granted privileges. It is not possible to explicitly deny privileges. This means that the system does not
need to check all the user's privileges. As soon as all requested privileges have been found, the system aborts the
check and grants access.
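The following added example (not part of the SAP guide and not SAP code) models the authorization check described here and in the SAP HANA User Management chapter: privileges granted directly and through nested roles are combined, a schema privilege covers the objects in that schema, nothing can be denied, and the search stops as soon as every requested privilege has been found. The users, roles and grants are constructed, and the breadth-first search order is an assumption.

```python
from collections import deque

# Constructed sample data. Objects are written SCHEMA.OBJECT; a bare name is a schema.
GRANTS = {
    "ALICE": {("SELECT", "HR.EMPLOYEES")},          # granted directly to the user
    "SALES_ANALYST": {("EXECUTE", "SALES.FORECAST")},
    "SALES_READER": {("SELECT", "SALES")},          # schema-level object privilege
    "AUDITOR": {("SELECT", "AUDIT.LOG")},
}
ROLES_GRANTED = {
    "ALICE": ["SALES_ANALYST", "AUDITOR"],
    "SALES_ANALYST": ["SALES_READER"],               # role nested in another role
}


def covered(privilege, obj, held):
    """True if held contains the privilege on the object or on its schema."""
    schema = obj.split(".", 1)[0]
    return (privilege, obj) in held or (privilege, schema) in held


def check_access(principal, requested, grants=GRANTS, roles_granted=ROLES_GRANTED):
    """Return (authorized, principals_inspected).

    Walks the user and then the roles granted to it, including nested roles.
    Because privileges cannot be denied, the walk ends as soon as nothing is missing.
    """
    missing = set(requested)
    seen = {principal}
    queue = deque([principal])
    inspected = 0
    while queue and missing:
        current = queue.popleft()
        inspected += 1
        held = grants.get(current, set())
        missing = {(p, o) for p, o in missing if not covered(p, o, held)}
        for role in roles_granted.get(current, ()):
            if role not in seen:          # guards against repeated or cyclic grants
                seen.add(role)
                queue.append(role)
    return (not missing, inspected)


if __name__ == "__main__":
    print(check_access("ALICE", [("SELECT", "HR.EMPLOYEES")]))
    print(check_access("ALICE", [("SELECT", "SALES.ORDERS")]))
    print(check_access("ALICE", [("INSERT", "SALES.ORDERS")]))
```
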

8.1 Privileges

The table below describes the types of privileges used by SAP HANA.

Privilege Type: System privilege
Description: System privileges are SQL privileges that control general system activities. They are
mainly for administrative purposes, such as creating schemas, creating and changing users and roles,
performing data backups, managing licenses, and so on.

Privilege Type: Object privilege
Description: Object privileges are SQL privileges that are used to restrict access to and modification
of database objects, such as tables and views. Depending on the object type, different actions can be
authorized (for example, SELECT, CREATE ANY, ALTER, DROP, and so on).
Currently, SELECT, DROP, and DEBUG are the only privileges that can be granted on attribute views,
analytic views, and calculation views.

Privilege Type: Analytic privilege
Description: Analytic privileges are used to restrict read access to data in SAP HANA information models
(that is, analytic views, attribute views, and calculation views) depending on certain values or
combinations of values. Analytic privileges are evaluated during query processing.

Privilege Type: Package privilege
Description: Package privileges are used to restrict access to and the ability to work in packages in
the repository of the SAP HANA database.
Packages contain design time versions of various objects, such as analytic views, attribute views,
calculation views, and analytic privileges.

Privilege Type: Application privilege
Description: Developers of SAP HANA XS applications can create application privileges to authorize user
and client access to their application.
Application privileges are granted and revoked through the procedures GRANT_APPLICATION_PRIVILEGE and
REVOKE_APPLICATION_PRIVILEGE in the _SYS_REPO schema.
It is not possible to grant application privileges to users or roles in the SAP HANA studio. It is
recommended that you grant application privileges to roles created in the repository.

Related Links

SAP HANA SQL Reference


SAP HANA Developer Guide

8.1.1 Analytic Privileges

SQL privileges impose coarse-grained restrictions at object level only. Users either have access to an object, such
as a table, view or procedure, or they do not. While this is often sufficient, there are cases when access to data in
an object depends on certain values or combinations of values. Analytic privileges are used in the SAP HANA
database to provide such fine-grained control of which data individual users can see within the same view.
Note: Sales data for all regions are contained within one analytic view. However, regional sales managers
should only see the data for their region. In this case, an analytic privilege could be modeled so that they
can all query the view, but only the data that each user is authorized to see is returned.
Analytic privileges are intended to control access to SAP HANA information models, that is:

Attribute views

Analytic views

Calculation views

Therefore, all column views modeled and activated in the SAP HANA modeler automatically enforce an
authorization check based on analytic privileges. Column views created using SQL must be explicitly registered
for such a check (by passing the parameter REGISTERVIEWFORAPCHECK).
Note: Analytic privileges do not apply to database tables or views modeled on row-store tables. Access to
database tables and row views is controlled entirely by SQL object privileges.
You create and manage analytic privileges in the SAP HANA modeler.
Note: Some advanced features of analytic privileges, namely dynamic value filters, can only be
implemented using SQL. The management of analytic privileges created in SQL also differs from that of
those created in the SAP HANA modeler.

8.1.2 Creation and Management of Analytic Privileges

Analytic privileges can be created, dropped, and changed in the SAP HANA modeler and using SQL statements.
The SAP HANA modeler should be used in all cases except if you are creating analytic privileges that use
dynamic procedure-based value filters.
To create analytic privileges, the system privilege CREATE STRUCTURED PRIVILEGE is required. To drop analytic
privileges, the system privilege STRUCTUREDPRIVILEGE ADMIN is required.
In the SAP HANA modeler, repository objects are technically created by the technical user _SYS_REPO, which by
default has the system privileges for both creating and dropping analytic privileges. To be able to create, activate,
drop, and redeploy analytic privileges in the SAP HANA modeler, a database user therefore requires the package
privileges REPO.EDIT_NATIVE_OBJECTS and REPO.ACTIVATE_NATIVE_OBJECTS for the relevant package.

Implications of Creating Analytic Privileges Using SQL


The SAP HANA modeler is the recommended method for creating and managing analytic privileges. However, it is
necessary to use SQL to implement those features of analytic privileges not available in the modeler, that is,
dynamic, procedure-based value filters as attribute restrictions.
In the SAP HANA modeler, analytic privileges are created as design-time repository objects owned by the
technical user _SYS_REPO. They must be activated to become runtime objects available in the database. Analytic
privileges created using SQL statements are activated immediately. However, they are also owned by the
database user who executes the SQL statements. This is the main disadvantage of using SQL to create analytic
privileges. If the database user who created the analytic privilege is deleted, all objects owned by the user will also
be deleted. Therefore, if you are using SQL to create analytic privileges, we recommend that you create a
dedicated database user (that is, a technical user) for this purpose to avoid the potential loss of complex modeled
privileges.
An additional disadvantage of creating analytic privileges using SQL is that these analytic privileges are not in the
SAP HANA repository and they cannot be transported between different systems.

Granting and Revoking Analytic Privileges


Analytic privileges are granted and revoked as part of user provisioning.
If the analytic privilege was created and activated using the SAP HANA modeler, the analytic privilege is owned by
the _SYS_REPO user. Therefore, to be able to grant and revoke the analytic privilege, a user needs the privilege
EXECUTE on the procedures GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE and
REVOKE_ACTIVATED_ANALYTICAL_PRIVILEGE respectively.
If the analytic privilege was created using SQL, only the owner (that is, the creator) of the analytic privilege can
grant and revoke it.
Related Links

SAP HANA Administration Guide


SAP HANA Developer Guide

8.2 Roles

A role is a collection of privileges that can be granted to either a user or another role in runtime.
A role typically contains the privileges required for a particular function or task, for example:

Business end users reading reports using client tools such as Microsoft Excel

Modelers creating models and reports in the modeler of the SAP HANA studio

Database administrators operating and maintaining the database and users in the Administration editor of the
SAP HANA studio

Privileges can be granted directly to users of the SAP HANA database. However, roles are the standard
mechanism of granting privileges as they allow you to implement complex, reusable hierarchies of user access
that can be modeled on business roles. Several standard roles are delivered with the SAP HANA database (for
example, MODELING, MONITORING). You can use these as templates for creating your own roles.
Roles in the SAP HANA database can exist as runtime objects only, or as design-time objects that become
runtime objects on activation.

Role Structure
A role can contain any number of the following privileges:

System privileges for administrative tasks (for example, AUDIT ADMIN, BACKUP ADMIN, CATALOG READ)

Object privileges on database objects (for example, SELECT, INSERT, UPDATE)

Package privileges on repository packages (for example, REPO.READ, REPO.EDIT_NATIVE_OBJECTS,
REPO.ACTIVATE_NATIVE_OBJECTS)

Analytic privileges on SAP HANA information models

Application privileges for enabling access to SAP HANA XS applications


Note: Application privileges cannot be granted to roles in the SAP HANA studio.

A role can also extend other roles.

Role Modeling
You can model roles in the following ways:

As runtime objects on the basis of SQL statements

As design-time objects in the repository of the SAP HANA database

It is recommended that you model roles as design-time objects for the following reasons.
Firstly, unlike roles created in runtime, roles created as design-time objects can be transported between systems.
This is important for application development as it means that developers can model roles as part of their
application's security concept and then ship these roles or role templates with the application. Being able to
transport roles is also advantageous for modelers implementing complex access control on analytic content. They
can model roles in a test system and then transport them into a productive system. This avoids unnecessary
duplication of effort.
Secondly, roles created as design-time objects are not directly associated with a database user. They are created
by the technical user _SYS_REPO and granted through the execution of stored procedures. Any user with access
to these procedures can grant and revoke a role. Roles created in runtime are granted directly by the database
user and can only be revoked by the same user. Additionally, if the database user is deleted, all roles that he or she
granted are revoked. As database users correspond to real people, this could impact the implementation of your
authorization concept, for example, if an employee leaves the organization or is on vacation.

Caution: The design-time version of a role in the repository and its activated runtime version should
always contain the same privileges. In particular, additional privileges should not be granted to the
activated runtime version of a role created in the repository. Although there is no mechanism of
preventing a user from doing this, the next time the role is activated in the repository, any changes made
to the role in runtime will be reverted. It is therefore important that the activated runtime version of a role
is not changed in runtime.

8.2.1 Standard Roles

Privileges can be granted directly to users of the SAP HANA database. However, roles are the standard
mechanism of granting privileges as they allow you to implement complex, reusable hierarchies of user access
that can be modeled on business roles. Several standard roles are delivered with the SAP HANA database. You
can use these as templates for creating your own roles.
Note: The roles listed below are runtime objects. They are not roles created in the repository.
Role

Description

MODELING

This role contains all the privileges required for using the information modeler in the
SAP HANA studio.
It therefore provides a modeler with the database authorization required to create
all kinds of views and analytic privileges.
Caution: The MODELING role contains the standard analytic privilege
_SYS_BI_CP_ALL. This analytic privilege potentially allows a user to access
all the data in all activated views, regardless of any other analytic privileges
that apply. Although the user must also have the SELECT object privilege
on the views to actually be able to access data, the _SYS_BI_CP_ALL
analytic privilege should not be granted to users, particularly in productive
systems. For this reason, the MODELING role should only be used as a
template.

MONITORING

This role contains privileges for full read-only access to all metadata, the current
system status in system and monitoring views, and the data collected by the
statistics server.

PUBLIC

This role contains privileges for filtered read-only access to the system views. Only
objects for which the users have access rights are visible. By default, this role is
granted to every user.

CONTENT_ADMIN

This role contains the same privileges as the MODELING role but with additional
authorization to grant these privileges to other users. It also contains system
privileges for working with imported objects in the SAP HANA repository. You can
use this role as a template for creating roles for content administrators.

SUPPORT

This role is meant to be used for support cases.


This role contains privileges for read-only access to all metadata, the current
system status in system and monitoring views, and the data of the statistics server.
Additionally, it contains the privileges to access the base information of the system
and monitoring views. Without the support role, this base information can be
selected only by the SYSTEM user. Only the monitoring views can be selected by
everyone.
To restrict this role to support usage, the following restrictions apply:

It cannot be granted to the SYSTEM user.

It cannot be granted to more than one user at a time.

It cannot be granted to another role.

No role can be granted to it.

Only system privileges can be granted to this role.


Note: If you need to grant other privileges to the user who will be in the
support role, it is recommended to grant these privileges to the user
and not to the SUPPORT role.

With every update of the SAP HANA database software, the privileges in this
role are reset.

8.3 Authorization in the Repository of the SAP HANA Database
The following sections explain how the authorization concept is applied in the repository of the SAP HANA
database. The following aspects are covered:

The privileges required by database users to work in the repository

The implications of _SYS_REPO ownership of repository objects

How privileges are granted and revoked on the activated runtime versions of repository objects

Related Links

SAP HANA Developer Guide

8.3.1 User Authorization for the Repository

The repository of the SAP HANA database consists of packages that contain design-time versions of various
objects, such as attribute views, analytic views, calculation views, procedures, analytic privileges, and roles. All
repository methods that provide read or write access to content are secured with authorization checks. To allow
database users to work with packages in the repository, they must have the required package and system
privileges.
In addition, to be able to access the repository in the SAP HANA studio or another client, users need the EXECUTE
privilege on the database procedure SYS.REPOSITORY_REST.
The required privileges can be granted to users directly or indirectly through roles in the SAP HANA studio as part
of user provisioning.

Package Privileges
The SAP HANA database repository is structured hierarchically with packages assigned to other packages as
sub-packages. If you grant privileges to a user for a package, the user is automatically also authorized for all
corresponding sub-packages.
In the SAP HANA database repository, a distinction is made between native and imported packages. Native
packages are packages that were created in the current system and should therefore be edited in the current
system. Imported packages from another system should not be edited, except by newly imported updates. An
imported package should only be manually edited in exceptional cases.
The database users of developers should be granted the following privileges for native packages:

REPO.READ
This privilege authorizes read access to packages and design-time objects, including both native and
imported objects.

REPO.EDIT_NATIVE_OBJECTS
This privilege authorizes all kinds of inactive changes to design-time objects in native packages.

REPO.ACTIVATE_NATIVE_OBJECTS
This privilege authorizes the user to activate or reactivate design-time objects in native packages.

REPO.MAINTAIN_NATIVE_PACKAGES
This privilege authorizes the user to update or delete native packages, or create sub-packages of native
packages.

Developers should only be granted the following privileges for imported packages in exceptional cases:

REPO.EDIT_IMPORTED_OBJECTS
This privilege authorizes all kinds of inactive changes to design-time objects in imported packages.

REPO.ACTIVATE_IMPORTED_OBJECTS
This privilege authorizes the user to activate or reactivate design-time objects in imported packages.

REPO.MAINTAIN_IMPORTED_PACKAGES
This privilege authorizes the user to update or delete imported packages, or create sub-packages of imported
packages.

System Privileges
Developers require the following system privileges to be able to work in the repository:

REPO.EXPORT
This privilege authorizes the user to export, for example, delivery units.

REPO.IMPORT
This privilege authorizes the user to import transport archives.

REPO.MAINTAIN_DELIVERY_UNITS
This privilege authorizes the user to maintain delivery units (DU, DU vendor and system vendor must be the
same).

REPO.WORK_IN_FOREIGN_WORKSPACE
This privilege authorizes the user to work in a foreign inactive workspace.

8.3.2 _SYS_REPO Authorization in the Repository

The repository of the SAP HANA database stores both runtime objects, such as calculation scenarios, and
design-time objects, such as models used in analytic scenarios (attribute views, analytic views, calculation views, and
analytic privileges). Design-time objects must be activated to become runtime objects so that they can be used by
regular users of SAP HANA and the SAP HANA database.
Inside the repository, only the technical user _SYS_REPO is used. Therefore, this user is the owner of the objects
created in the repository and initially is the only user with privileges on these objects. This includes the following
objects:

All tables in the repository schema (_SYS_REPOSITORY)

All activated objects such as procedures, views, analytic privileges, and roles

Objects in the repository are however modeled on data objects, such as tables. _SYS_REPO does not
automatically have authorization to access these objects. _SYS_REPO must therefore be granted the SELECT
privilege (with grant option) on all data objects behind all objects modeled in the repository. If this privilege is
missing, the activated objects will be invalidated.

8.3.3 Granting and Revoking Privileges on Activated Repository Objects
Only the _SYS_REPO user has any privileges on objects in the repository. Therefore, only this user can grant
privileges on them. Since no user can log on as _SYS_REPO, another means of granting privileges is used.
This is provided by stored procedures in the _SYS_REPO schema. These procedures can be used to grant and
revoke privileges on activated objects or schemas, analytic privileges, and roles. Stored procedures are beneficial
because a user is not required to have a privilege in order to grant it.
The following procedures exist:
Activated Object Type: Modeled objects, such as calculation views
Procedure for Grant and Revoke:
  GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT
  REVOKE_PRIVILEGE_ON_ACTIVATED_CONTENT

Activated Object Type: Schema containing modeled objects
Procedure for Grant and Revoke:
  GRANT_SCHEMA_PRIVILEGE_ON_ACTIVATED_CONTENT
  REVOKE_SCHEMA_PRIVILEGE_ON_ACTIVATED_CONTENT

Activated Object Type: Analytic privilege
Procedure for Grant and Revoke:
  GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE
  REVOKE_ACTIVATED_ANALYTICAL_PRIVILEGE

Activated Object Type: Application privilege
Procedure for Grant and Revoke:
  GRANT_APPLICATION_PRIVILEGE
  REVOKE_APPLICATION_PRIVILEGE

Activated Object Type: Role
Procedure for Grant and Revoke:
  GRANT_ACTIVATED_ROLE
  REVOKE_ACTIVATED_ROLE

Note: Public synonyms of these procedures exist. Therefore, these procedures can be used without
specifying schema _SYS_REPO.
Having the EXECUTE privilege on any of the procedures enables a user to grant or revoke privileges. Using stored
procedures and a technical user for privilege management also changes the behavior in terms of how privileges
are revoked.
With regular SQL, privileges that were granted by a user are revoked when this user is dropped or loses the
privilege that was granted. Also, only the granter can revoke privileges with SQL. Both details are not true with this
approach. Any user with EXECUTE privilege on the revoke privilege procedure can revoke any privilege that was
granted, regardless of the granter. Also, if a user that has granted privileges is dropped, none of the privileges that
the user granted is revoked as part of dropping the user.
When using the SAP HANA studio for privilege management, this behavior is hidden. If privileges on activated
objects or schemas are granted or revoked, the procedures are used automatically.

Critical Combinations
Caution:
Bear in mind that users who can change and activate objects as well as grant privileges on activated
objects have access to all SAP HANA content.
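
The critical combination above, together with the _SYS_BI_CP_ALL caution in section 8.2.1, can be checked during an authorization review. The following is an added example, not code from SAP or from this guide: it resolves nested roles and flags users who hold both findings. The (grantee, kind, name) row format, the role and user names other than MODELING, and the treatment of EXECUTE on any of the grant procedures as "can grant" are assumptions made for the illustration.

```python
from collections import defaultdict

# Package privileges from section 8.3.1 that allow changing and activating objects.
CHANGE_PRIVS = {"REPO.EDIT_NATIVE_OBJECTS", "REPO.EDIT_IMPORTED_OBJECTS"}
ACTIVATE_PRIVS = {"REPO.ACTIVATE_NATIVE_OBJECTS", "REPO.ACTIVATE_IMPORTED_OBJECTS"}
# Grant procedures from section 8.3.3. Assumption: EXECUTE on any one of them
# counts as being able to grant privileges on activated objects.
GRANT_PROCS = {
    "GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT",
    "GRANT_SCHEMA_PRIVILEGE_ON_ACTIVATED_CONTENT",
    "GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE",
    "GRANT_APPLICATION_PRIVILEGE",
    "GRANT_ACTIVATED_ROLE",
}
# Analytic privilege that the guide says should not be granted to users.
UNRESTRICTED_AP = "_SYS_BI_CP_ALL"

# Constructed sample data in a hypothetical export format: (grantee, kind, name).
# kind is ROLE (a role granted to the grantee), PACKAGE, EXECUTE or ANALYTIC.
GRANTS = [
    ("MODELING", "ANALYTIC", "_SYS_BI_CP_ALL"),  # stated in section 8.2.1
    ("DEV_ROLE", "PACKAGE", "REPO.READ"),
    ("DEV_ROLE", "PACKAGE", "REPO.EDIT_NATIVE_OBJECTS"),
    ("DEV_ROLE", "PACKAGE", "REPO.ACTIVATE_NATIVE_OBJECTS"),
    ("PROVISIONING", "EXECUTE", "GRANT_ACTIVATED_ROLE"),
    ("PROVISIONING", "EXECUTE", "GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT"),
    ("TEAM_LEAD", "ROLE", "DEV_ROLE"),
    ("ALICE", "ROLE", "DEV_ROLE"),
    ("BOB", "ROLE", "DEV_ROLE"),
    ("BOB", "ROLE", "PROVISIONING"),
    ("CAROL", "ROLE", "MODELING"),
    ("DAVE", "ROLE", "TEAM_LEAD"),
    ("DAVE", "EXECUTE", "GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE"),
    ("ERIN", "ROLE", "PROVISIONING"),
]
USERS = {"ALICE", "BOB", "CAROL", "DAVE", "ERIN"}


def effective_privileges(grantee, grants):
    """Return the (kind, name) pairs held directly or through nested roles."""
    by_grantee = defaultdict(list)
    for owner, kind, name in grants:
        by_grantee[owner].append((kind, name))
    seen_roles, stack, privileges = set(), [grantee], set()
    while stack:
        current = stack.pop()
        for kind, name in by_grantee[current]:
            if kind == "ROLE":
                if name not in seen_roles:  # guards against role cycles
                    seen_roles.add(name)
                    stack.append(name)
            else:
                privileges.add((kind, name))
    return privileges


def audit_grants(users, grants):
    """Map each flagged user to the list of findings that apply."""
    findings = {}
    for user in sorted(users):
        privileges = effective_privileges(user, grants)
        package = {name for kind, name in privileges if kind == "PACKAGE"}
        execute = {name for kind, name in privileges if kind == "EXECUTE"}
        analytic = {name for kind, name in privileges if kind == "ANALYTIC"}
        hits = []
        if package & CHANGE_PRIVS and package & ACTIVATE_PRIVS and execute & GRANT_PROCS:
            hits.append("CHANGE+ACTIVATE+GRANT")
        if UNRESTRICTED_AP in analytic:
            hits.append(UNRESTRICTED_AP)
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, hits in audit_grants(USERS, GRANTS).items():
        print(user, hits)
```

DAVE is flagged only because the role hierarchy is expanded: the package privileges arrive through TEAM_LEAD and DEV_ROLE, while the grant procedure is assigned directly.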

9 Secure Communication in the SAP HANA Landscape
The SAP HANA appliance uses the secure sockets layer (SSL) protocol to ensure secure communication between
the individual components and client connections. Authentication is ensured by using certificates.
The communication between the following components can be secured by using SSL:

Any ODBC-based or JDBC-based connection

The SAP HANA studio and the SAP HANA database (server authentication)
For more information, see Configuring HTTPS Between SAP HANA Database and SAP HANA Studio [page
42].

The SAP HANA studio and the Software Update Manager for SAP HANA
For more information, see the SAP HANA Automated Update Guide.

The Software Update Manager for SAP HANA and SAP Service Marketplace
SAP HANA needs an SAP Service Marketplace user (S-user) to access SAP Service Marketplace. These
credentials are sent only by encrypted communication channels using an HTTPS connection. For more
information about how to configure access to SAP Service Marketplace, see the SAP HANA Automated
Update Guide.

The Software Update Manager for SAP HANA and the SAP Host Agent
For more information about how to configure HTTPS for the SAP Host Agent, see the SAP HANA Automated
Update Guide.

SAP HANA information composer and internet browser
For more information, see SAP HANA Information Composer.

Internal communication among the different components of a running SAP HANA system
For more information, see Configuring SSL for SAP HANA Database Internal Communication [page 47].

Client applications accessing SAP HANA through the SAP Web Dispatcher
For more information, see Configuring HTTPS (SSL) for Client Application Access [page 48]

9.1 Configuring HTTPS Between SAP HANA Database and SAP HANA Studio
The SAP HANA appliance software supports the following cryptographic libraries for Linux-based installations:

OpenSSL (default)

SAP Cryptographic Library

9.1.1 Setup on Server-Side

To protect your data during network transmission, only secure connections should be used. We recommend using
the tools provided with OpenSSL to create the certificates required for SSL configuration.

Prerequisites

The server possesses a public and private key pair and public-key certificate.
The SSL protocol uses public-key technology to provide its protection. Therefore, the server must possess a
public and private key pair and a corresponding public-key certificate. It must possess one key pair and
certificate to identify itself as the server component and another key pair. The key pair and certificate are
stored in the server's own personal security environments (PSE), the SSL server PSE, and the SSL client PSE,
respectively.
Note:
If your server keys are compromised, replace the certificate.

You have installed a cryptographic provider such as OpenSSL or the SAP Cryptographic Library.
Caution:
The distribution of the SAP Cryptographic Library is subject to and controlled by German export
regulations and is not available to all customers. In addition, usage of the SAP Cryptographic Library
or OpenSSL library may be subject to local regulations of your own country that may further restrict
the import, use, and export or reexport of cryptographic software. If you have any further questions
about this issue, contact your local SAP office.

Features
By supporting SSL, the SAP HANA appliance software can provide the following:

Server-side authentication
With server-side authentication, the server identifies itself to the client when the connection is established.
This reduces the risk of using fake servers to gain information from clients.

Data encryption
In addition to authenticating the communication partners, the data being transferred between the client and
server is encrypted which provides for integrity and privacy protection. An eavesdropper cannot access or
manipulate the data.

Client-side authentication and mutual authentication are not currently supported.


The following parameters can be used to configure the server connectivity. They are located in the
indexserver.ini file, in the communication section.
Note:
Configuration of cryptographic library providers is optional.
The parameters in the following table can be configured for the setup of secure connections.
Table 2: Configuration Parameters on Server-Side
sslCryptoProvider
  Property Value: {sapcrypto | openssl}
  Default: 1. sapcrypto (if installed) 2. openssl
  Description: Cryptographic library provider to use for SSL connectivity.

sslKeyStore
  Property Value: <file>
  Default: $HOME/.ssl/key.pem
  Description: Path to keystore file.

sslTrustStore
  Property Value: <file>
  Default: $HOME/.ssl/trust.pem
  Description: Path to trust store file.

sslValidateCertificate
  Property Value: <bool value>
  Default: false
  Description: If set to true, validate the certificate of the communication partner.

sslCreateSelfSignedCertificate
  Property Value: <bool value>
  Default: false
  Description: If set to true, create a self-signed certificate if the keystore cannot be found.

No Configuration Provided
If no configuration for secure connections has been provided, the system determines which cryptographic library
provider should be used as follows:
1. Checks whether the environment variable <SECUDIR> is set.
   a. If the environment variable <SECUDIR> is set, it tries to load the sapcrypto library using the regular paths
      for library lookup. The recommended location of the sapcrypto library is
      /usr/sap/<SID>/SYS/global/security/lib.
   b. If sapcrypto cannot be loaded, it proceeds with the next cryptographic library provider.
   c. If sapcrypto was loaded, it uses the path names given in sslKeyStore and sslTrustStore to check for a
      *.pse store.
   d. If a PSE store could be found, the system verifies its integrity.
   e. If no PSE store could be found or the PSE store's integrity could not be verified, SSL initialization fails and
      SSL is not available.

2. Checks whether OpenSSL is available.
   a. If OpenSSL is available, it checks for key certificates at the path given in sslKeyStore and trusted
      certificates at the path given in sslTrustStore.
   b. If any certificates were found, it checks for the integrity of the certificates.
   c. If any of the above fails, SSL initialization fails and SSL is not available.

Configuration Provided

If the value of the sslCryptoProvider parameter is set, the system tries to initialize the given cryptographic
library provider. Any other installed cryptographic library providers are ignored.

If the value of the sslCryptoProvider parameter is set but no paths are given for the sslKeyStore and
sslTrustStore parameters, the system uses the default paths for initialization as if no configuration were
provided.

If the value of the sslKeyStore parameter or the sslTrustStore parameter is set, the system does not check
the default paths. In this case, the sslCryptoProvider parameter must be set.

If the values of both the sslKeyStore parameter and the sslTrustStore parameter are set, a value for the
sslCryptoProvider parameter also has to be set; otherwise SSL initialization fails and SSL is not available.

9.1.2 Setup on Client-Side (SQLDBC-Based Connections)

Set the parameter values according to the operating system installed on the clients. For SQLDBC-based
connectivity (for example ODBC), the parameters and their names are the same as for the server. Additionally,
the encrypt parameter is available to initiate an SSL-secured connection.
Table 3: Configuration Parameters on Client-Side for SQLDBC-Based Connections
encrypt
  Property Value: <bool value>
  Default: False
  Description: Enables or disables SSL encryption.

sslCryptoProvider
  Property Value: {sapcrypto | openssl | mscrypto}
  Default: 1. sapcrypto (if installed) 2. openssl/mscrypto
  Description: Cryptographic library provider to use for SSL connectivity.

sslKeyStore
  Property Value: <file>
  Default: $HOME/.ssl/key.pem
  Description: Path to keystore file. Leave empty when using mscrypto.

sslTrustStore
  Property Value: <file>
  Default: $HOME/.ssl/trust.pem
  Description: Path to trust store file. Leave empty when using mscrypto.

sslValidateCertificate
  Property Value: <bool value>
  Default: true
  Description: If set to true, validate the certificate of the communication partner.

sslHostNameInCertificate
  Property Value: <string value>
  Default: <empty>
  Description: Use the given host name for validation.
  Tip: Use this host name when validating the communication partner's certificate. Wildcards are not
  allowed. If the given host name is * then host name validation is disabled.

sslCreateSelfSignedCertificate
  Property Value: <bool value>
  Default: false
  Description: If set to true, create a self-signed certificate if the keystore cannot be found.

9.1.3 Setup on Client-Side (JDBC-Based Connections)

For JDBC connections, the parameter names are the same as those for SQLDBC-based connections but without
the ssl prefix. In addition, some parameters that further characterize the (Java-based)
keystore and its password are used. If you use JDBC connections, deploy the certificates to the Java keystore.
For JDBC connections, the automatic creation of a self-signed certificate is currently not supported. Therefore,
the createSelfSignedCertificate parameter is not available.
Table 4: Configuration Parameters on Client-Side for JDBC-Based Connections
encrypt
  Property Value: <bool value>
  Default: false
  Description: Enables or disables SSL encryption.

validateCertificate
  Property Value: <bool value>
  Default: true
  Description: If set to true, validate the certificate of the communication partner.

hostNameInCertificate
  Property Value: <string value>
  Default: <empty>
  Description: Use the given host name for validation.
  Tip: Use this host name when validating the communication partner's certificate. Wildcards are not
  allowed. If the given host name is * then host name validation is disabled.

keyStore
  Property Value: <file | store name>
  Default: <VM default>

keyStoreType
  Property Value: <JKS | PKCS12>
  Default: <VM default>

keyStorePassword
  Property Value: <password>
  Default: <VM default>
  Description: Password used to access the keystore.

trustStore
  Property Value: <file | store name>
  Default: <VM default>

trustStoreType
  Property Value: <JKS>
  Default: <VM default>

trustStorePassword
  Property Value: <password>
  Default: <VM default>
  Description: Password used to access the trust store.

If you do not specify any values for the *Store* parameters, the system uses the default values.
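
The rules under "Configuration Provided" and the parameter tables for the server, SQLDBC and JDBC sides can be turned into a configuration review check. The following is an added example, not SAP tooling or code from this guide: it applies the documented defaults and flags the settings the guide itself describes as failing SSL initialization or as switching a check off. The finding codes, function names, sample paths and host names are assumptions, and the sample configurations are constructed.

```python
import configparser

# Defaults as listed in Tables 2 to 4; names are stored without the "ssl" prefix.
DEFAULTS = {
    "server": {"createSelfSignedCertificate": "false"},
    "sqldbc": {"encrypt": "false", "validateCertificate": "true",
               "hostNameInCertificate": "", "createSelfSignedCertificate": "false"},
    "jdbc": {"encrypt": "false", "validateCertificate": "true",
             "hostNameInCertificate": ""},
}
PROVIDERS = {"server": {"sapcrypto", "openssl"},
             "sqldbc": {"sapcrypto", "openssl", "mscrypto"}}


def server_settings(ini_text):
    """Read the [communication] section of indexserver.ini content."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the parameter names exactly as written
    parser.read_string(ini_text)
    if not parser.has_section("communication"):
        return {}
    return dict(parser["communication"])


def normalize(settings):
    """Drop the 'ssl' prefix so server/SQLDBC and JDBC names compare equal."""
    result = {}
    for name, value in settings.items():
        if name.startswith("ssl") and len(name) > 3:
            name = name[3].lower() + name[4:]
        result[name] = str(value).strip()
    return result


def is_true(value):
    return value.lower() == "true"


def audit_ssl(settings, side):
    """Return finding codes for side 'server', 'sqldbc' or 'jdbc'."""
    merged = {**DEFAULTS[side], **normalize(settings)}
    provider = merged.get("cryptoProvider", "")
    stores = [key for key in ("keyStore", "trustStore") if merged.get(key)]
    findings = []
    if side != "jdbc":
        if provider and provider not in PROVIDERS[side]:
            findings.append("UNKNOWN_PROVIDER")
        # Server rule: a store path without sslCryptoProvider makes SSL unavailable.
        if side == "server" and stores and not provider:
            findings.append("STORE_WITHOUT_PROVIDER")
        # Table 3: store paths are to be left empty when using mscrypto.
        if provider == "mscrypto" and stores:
            findings.append("MSCRYPTO_WITH_STORE_PATH")
        # A missing keystore is silently replaced by a self-signed certificate.
        if is_true(merged["createSelfSignedCertificate"]):
            findings.append("SELF_SIGNED_FALLBACK")
    if side != "server":
        if not is_true(merged["encrypt"]):
            findings.append("ENCRYPT_OFF")
        if not is_true(merged["validateCertificate"]):
            findings.append("VALIDATION_OFF")
        elif merged["hostNameInCertificate"] == "*":
            findings.append("HOSTNAME_CHECK_DISABLED")
    return findings


# Constructed sample inputs (paths and values are placeholders).
SAMPLE_INI = """\
[communication]
sslKeyStore = /usr/sap/XYZ/ssl/key.pem
sslTrustStore = /usr/sap/XYZ/ssl/trust.pem
sslCreateSelfSignedCertificate = true
"""
SQLDBC_CLIENT = {"sslCryptoProvider": "mscrypto",
                 "sslKeyStore": "C:\\certs\\key.pem",
                 "sslValidateCertificate": "false"}
JDBC_CLIENT = {"encrypt": "true", "validateCertificate": "true",
               "hostNameInCertificate": "*"}

if __name__ == "__main__":
    print(audit_ssl(server_settings(SAMPLE_INI), "server"))
    print(audit_ssl(SQLDBC_CLIENT, "sqldbc"))
    print(audit_ssl(JDBC_CLIENT, "jdbc"))
```

Because encrypt defaults to false on both client types, a client configuration that sets only the certificate parameters is still reported as ENCRYPT_OFF.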

9.1.4 Setup of SAP HANA Studio Connections (JDBC-Based Connections)


As a prerequisite for SSL-secured connections to and from SAP HANA studio, the root certificate that was used to
sign the server certificate must be available in the Java trust store. SAP HANA studio allows you to use either the
system-wide trust store or the default user trust store for certificate validation. For more information about how
to import certificates into trust stores, see the Java documentation.

9.2 Configuring SSL for SAP HANA Database Internal Communication
The certificates for internal network communication in the SAP HANA appliance software are specific for each
host and different for the client and server side. This is necessary as every host shall be verified with its fully
qualified domain name (FQDN). Because the SAP HANA database deals with a set of certificates, we recommend
using a dedicated certificate authority (CA) to sign these.
1. Download the SAP Cryptographic Library:
The standard installer does not provide the required binaries. You have to download them separately. The
SAP Cryptographic Library is available at the SAP Service Marketplace.

2. Create a certificate authority (CA) designated to this installation using external tools, for example, the
OpenSSL command line tool.
We recommend storing your CA certificate in $DIR_INSTANCE/ca.

3. Create certificates:
On every host you have to create the client-side and the server-side certificate. You have to sign these at the
CA just created. The common name (CN) has to be the FQDN of the host you get by reverse DNS lookup. The
other fields describe your organization. Make sure that the client-side certificate is created without a
password. Create a local keystore named SAPSSLC.pse in directory $SECUDIR on every host and import the
host's client certificate into SAPSSLC.pse.

4. Activate secure sockets:
Add the section [communication] to the custom layer of the file global.ini. Set the key ssl = on.

9.3 Configuring HTTPS (SSL) for Client Application Access

To improve the security of your SAP HANA landscape, you can configure the SAP Web Dispatcher to use HTTPS
(SSL) for incoming requests from UI front ends and applications, for example, SAP HANA applications. The
requests are then forwarded to SAP HANA.
The SAP Web Dispatcher lies between the Internet and your SAP system. It is the entry point for HTTP(s) requests
into your system. If you want to set up a secure SSL connection (Secure Socket Layer) between client
applications and the SAP Web Dispatcher, the following components are prerequisites:

SAP Cryptographic library SAPCRYPTOLIB (libsapcrypto.so)

SAP Cryptographic tool SAPGENPSE

The SAP root certificate SAPNetCA.cer issued by the SAPNet certificate authority

To configure the SAP Web Dispatcher to use SSL for inbound application requests, perform the following steps:
1.

Log on to the SAP HANA server at operating system level with the <sid>adm user.

2.

Open the instance profile of your SAP Web Dispatcher.


The SAP Web Dispatcher profile is located at /usr/sap/<SAPSID>/SYS/profile/.

3.

Add the following parameters to the profile:

wdisp/shm_attach_mode = 6
wdisp/ssl_encrypt = 0
wdisp/add_client_protocol_header = true
ssl/ssl_lib = /usr/sap/<SAPSID>/SYS/global/security/lib/sapcrypto.so
ssl/server_pse = /usr/sap/<SAPSID>/HDB<instance_no>/sec/SAPSSL.pse
icm/HTTPS/verify_client = 0
4. Add the HTTPS port as follows:

icm/server_port_1 = PROT=HTTPS,PORT=443,EXTBIND=1
5. Copy the SAP Cryptographic Library (libsapcrypto.so) to the SAP HANA blade.
To enable secure HTTP communication between Web browsers and the SAP Web Dispatcher using SSL
(HTTPS), you must copy the SAP Cryptographic Library (libsapcrypto.so) to the SAP HANA blade.
The SAP Cryptographic Library libsapcrypto.so must be located in the directory /usr/sap/<SAPSID>/SYS/global/security.

6. Install the root certificate SAPNetCA.cer.
Place the root certificate SAPNetCA.cer that you have downloaded from SAP Service Marketplace into the
following directory: /usr/sap/<SAPSID>/HDB<INSTANCE>/sec.

7. Set the SECUDIR environment variable to point to your instance directory.
Execute the following command: export SECUDIR="/usr/sap/<SAPSID>/HDB<INSTANCE>/sec"
Alternatively, you can add the export command to the .cshrc profile file of your <sapsid>adm user.

8. Make the sapgenpse file available and executable.
a) Place a copy of the sapgenpse file in the following location: /usr/sap/<SAPSID>/SYS/global/security/lib.
b) Set permissions for the file sapgenpse, for example: chmod 777 sapgenpse.

9. Create an SSL key pair and a certificate request:
a) Change to the following directory.

cd /usr/sap/<SAPSID>/SYS/global/security/lib
b) Add the security directory to your library path.
export LD_LIBRARY_PATH=/usr/sap/XSE/SYS/global/security/
c) Run the SAP Cryptographic tool SAPGENPSE

./sapgenpse get_pse -p SAPSSL.pse -x <PIN> -r SAPSSL.req "CN=<webdisp>, OU=<org_unit>, O=<company>, C=<country>"
For <org_unit>, enter your SID. For CN, enter the host name of the NC host (<webdisp>, where the SAP
Web Dispatcher is installed) in the user LAN, as this is the host that decrypts the SSL. If you do not use the
-x parameter, sapgenpse interactively asks for a personal identification number (PIN). The PIN request
provides extra security since nobody can read the password from the screen or find it in the command
history.
The export command creates two files, one in the /sec directory and one in the current directory. The file
SAPSSL.req is a simple ASCII file whose content must be sent to a CA (certification authority). According
to the rules of the CA, the CA will sign the request and return a file with the signed certificate. SAP offers
CA services via http://service.sap.com/Trust, where you can have test certificates signed instantly.
There is also a navigation point called SSL Test Server Certificates: https://websmp106.sap-ag.de/SSLTest.
10. Import the signed certificate.
Copy and paste the signed certificate into a file on the server hosting the SAP Web Dispatcher and execute
the commands indicated below:
a) Paste the text of the signed certificate into SAPSSL.cer at /usr/sap/X12/HDB00/sec/.
b) Copy sapgenpse to /usr/sap/X12/HDB00/sec/.
c) Place the certificate SAPServerCA.der that you have downloaded from SAP Service Marketplace into
the /usr/sap/<SAPSID>/HDB<INSTANCE>/sec directory.
d) Import the certificate.

./sapgenpse import_own_cert -c SAPSSL.cer -p SAPSSL.pse -x <PIN> -r SAPServerCA.der
Make sure that the date and time settings on the server hosting the SAP Web Dispatcher are correct and
synchronized with the certificate authority (CA) that issued the certificate you import, otherwise the
certificate might be interpreted as invalid.
11. Create a credentials file for the PSE.
The SAP Web Dispatcher requires a password to access the PSE file. Instead of supplying the password in the
profile, you must create a credential file, whose owner has access to the PSE. To create the credentials file,
run the following command:

./sapgenpse seclogin -p SAPSSL.pse -x <PIN> -O <sapsid>adm


If successful, the command creates the file cred_v2 in the /sec directory. Since this file contains the
password for the SAP Web Dispatcher, restrict access to the owner by executing the following command in
the /sec directory:

chmod 600 cred_v2


The /sec folder of your SAP Web Dispatcher host should now look similar to this:
blade1:s1wadm 77> ls -la /usr/sap/S1W/W00/sec/
drwxr-xr-x s1wadm sapsys 4096 2007-06-21 11:32 .
drwxr-xr-x s1wadm sapsys 4096 2007-06-10 11:12 ..
-rw------- s1wadm sapsys 164 2007-06-21 11:32 cred_v2
-rw------- s1wadm sapsys 542 2007-06-21 11:13 dev_sapstart
-rw------- s1wadm sapsys 1655 2007-06-21 10:45 SAPSSL.pse
12. Restart the SAP Web Dispatcher.
Use the commands stopsap and startsap to stop and restart the SAP Web Dispatcher. You can check the
functioning of the SAP Web Dispatcher by starting the SAP Web Dispatcher administration console under
https://<host_name>/sap/admin. You will require the name and the master password defined for
webadm user during installation of the SAP Web Dispatcher. You can also check the logs in the
usr/sap/<sapsid>adm/W<instance_no>/work directory.
13. Bind the default SSL port to use
Since only users with superuser authorization rights can bind ports < 1024 (well-known ports) on a UNIX
system and the ICM process or the SAP Web Dispatcher should not have these rights (and ICM cannot have
them for technical reasons), the port must be bound by an external program and the listen socket then
transferred to the calling process. You can use the icmbnd command.

icmbnd -S <server port> -l <listen port> -p <protocol>
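
A check for the file permissions this procedure ends with, added here as an example and not part of the SAP guide: it reports credential and PSE files in the sec directory that group or others can access, or that the expected owner does not own. The names audit_sec_dir and expected_uid are assumptions of this example.

```python
import os
import stat
import sys
from pathlib import Path

# File names from the procedure above: cred_v2 is written by "sapgenpse seclogin",
# and the *.pse pattern covers SAPSSL.pse.
SENSITIVE_PATTERNS = ("cred_v2", "*.pse")


def audit_sec_dir(sec_dir, expected_uid=None):
    """Return (file name, problem) tuples for credential and PSE files.

    expected_uid is the numeric UID of the <sapsid>adm user. Looking it up is
    left to the caller (assumption of this example); None skips the owner check.
    """
    findings = []
    sec_path = Path(sec_dir)
    seen = set()
    for pattern in SENSITIVE_PATTERNS:
        for path in sorted(sec_path.glob(pattern)):
            if path in seen:
                continue
            seen.add(path)
            info = path.lstat()  # lstat: do not follow symbolic links
            if not stat.S_ISREG(info.st_mode):
                findings.append((path.name, "is not a regular file"))
                continue
            mode = stat.S_IMODE(info.st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(
                    (path.name, "mode %04o grants group/other access" % mode))
            if expected_uid is not None and info.st_uid != expected_uid:
                findings.append(
                    (path.name,
                     "owned by uid %d, expected %d" % (info.st_uid, expected_uid)))
    if not os.path.lexists(sec_path / "cred_v2"):
        findings.append(("cred_v2", "missing; seclogin has not been run"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_sec_dir.py [directory]; defaults to $SECUDIR.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SECUDIR", ".")
    for name, problem in audit_sec_dir(target):
        print("%s: %s" % (name, problem))
```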


Related Links

SAP Web Dispatcher


10 SAP HANA Data Storage Security


The SAP HANA database is stored in the file system (including configuration data). You can configure the base
path during installation. For more information about how to create a distributed system, see the SAP HANA
Installation Guide with SAP HANA Unified Installer.
Related Links

SAP HANA Installation Guide with SAP HANA Unified Installer

10.1 Data Protection on File System


The file permissions of the operating system are strictly configured. Therefore, we recommend that you do not
change them after the installation of the SAP HANA database.

10.2 Data Volume Encryption


The SAP HANA database persistence layer ensures that changes made in the row store or column store are
durable and that the database can be restored to the most recent committed state after a restart. For this reason,
data is stored in persistent disk volumes that are organized in pages.
Privacy of data on disk can be ensured globally by enabling SAP HANA data volume encryption. If this is the case,
all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm. Pages are
transparently decrypted as part of the load process. When pages reside in memory they are therefore not
encrypted and there is no performance overhead for in-memory page accesses. When changes to data are
persisted to disk, the relevant pages are automatically encrypted as part of the Write operation.
Pages are encrypted and decrypted using 256-bit persistence encryption page keys. Page keys are valid for a
certain range of savepoints and can be changed by executing SQL statements. After switching on persistence
encryption, an initial page key is automatically generated. Page keys are never readable in plaintext, but are
encrypted themselves using a dedicated persistence encryption root key.
During start-up, administrator interaction is not required. The root key is stored using the SAP NetWeaver Secure
Store File System (SSFS) functionality and is automatically retrieved from there. SAP HANA uses SAP NetWeaver
SSFS to protect the root encryption keys that are used to protect all encryption keys used in the SAP HANA
system from unauthorized access.
Note: For more information about SAP NetWeaver SSFS, see System Security for SAP NetWeaver AS
ABAP Only.
Persistence encryption does not include:

Encryption of database redo log files.


Note: If the protection of database redo log files is required, we recommend using operating system
facilities, such as encryption, at the file system level.

Backups of the database.


Note: If encryption of backups is required, we recommend using third-party solutions that integrate
with the Backint for SAP HANA functionality for backups.

Database traces.
Note: For security reasons, we recommend not running the system with extended tracing for more
than short-term analysis, since tracing might expose sensitive data, which would be encrypted by
persistence, but not in the trace. Therefore, you should not keep such trace files on disk beyond the
respective analysis task.

10.2.1 Implications of Persistence Encryption for Backup and Recovery
This topic includes backup and recovery recommendations for data volume encryption.
An SAP HANA database with an encrypted data area can be backed up just like an unencrypted system. The
backup contents are always unencrypted, regardless of the encryption state of the data area of the productive
system.
For recovery, the target system should already have the persistence encryption feature enabled. All data restored
during the data and log recovery phases are then automatically encrypted.

10.2.2 Periodic Administration Tasks for Persistence Encryption
Certain tasks should be performed periodically regarding data encryption.
Depending on your security policy, we recommend periodically changing the page keys in order to limit the
potential impact of a key being compromised. A new page key will be active for new data as of the next savepoint
operation. The SAP HANA database provides system views that allow monitoring of the page keys used for data
encryption and their age.
An administrator can also trigger a re-encryption of the entire data area using the current page key.
Note: For specific information and procedures about changing the page keys or triggering a re-encryption
of the entire data area using the current page key, see SAP HANA Administration Guide.

10.3 Secure Data Storage for SAP HANA


On the SAP HANA database server, passwords are stored as follows:

System passwords are protected by the methods of the respective operating systems (for example,
/etc/password in UNIX).

All database user passwords are hashed with the secure hash algorithm SHA-256.

On the client side there are two facilities for storing user passwords:


For connecting client programs to the database without explicitly logging in, logon information can be stored
in the secure user store of the SAP HANA client (hdbuserstore, see ch. 5.3.4)


Note: For more information about hdbuserstore, see Secure User Store.

When using the SAP HANA studio, the Eclipse secure storage is used to store saved passwords.

10.4 Secure User Store


In the secure user store of the SAP HANA client hdbuserstore, you can securely store the user logon
information, including passwords, using the SAP NetWeaver Secure Store File System (SSFS) functionality. This
allows client programs to connect to the database without having to manually enter a password. The secure user
store is installed with the SAP HANA client package. After installation, it is located in the /usr/sap/hdbclient
directory. The secure user store runs on all platforms supported by SAP HANA client interfaces and SAP BASIS
7.20 EXT.
The logon information is stored in one of the following directories. If the path does not already exist, it is created
by the hdbuserstore command.

For systems using Microsoft Windows, the path is defined by <PROGRAMDATA>\.hdb\<COMPUTERNAME><SID>.
PROGRAMDATA is the path defined by CSIDL_COMMON_APPDATA or FOLDERID_PROGRAMDATA,
and SID is the system ID of the user that uses the stored logon information.

For systems using other operating systems, the path is defined by <HOME>/.hdb/<COMPUTERNAME>.
HOME is the home directory of the user that uses the logon information.

When executing the hdbuserstore script (in the context of the correct operating system user), the user store
can be opened using a user key. Only the operating system user owning the corresponding secure password store
files can access the secure user store.
To edit the stored logon information, you can use the following hdbuserstore commands:
Command | Parameter | Description
HELP | | Displays a help message.
LIST | <user_key> | Lists entries with the key. Passwords are not displayed.
DELETE | <user_key> | Deletes entries with the key.
SET | <user_key> | Sets the entry key.
 | <env> | Sets the connection environment (host and port).
 | <user_name> | Sets the user name for the profile.
 | <password> | Sets the password for the profile.

Create a user key in the user store and store the password under this user key:

hdbuserstore SET <user_key> <env> <user_name> <password>


For example:

hdbuserstore SET millerj localhost:30115 JohnMiller 2wsx$RFV

List all available user keys (passwords are not displayed):

hdbuserstore LIST <user_key>


For example:

hdbuserstore LIST millerj


The following information is displayed:
KEY: millerj
ENV: localhost:30115
USER: JohnMiller

Call hdbsql with the user key:

hdbsql -U <user_key>
For example:

hdbsql -U millerj

Encryption Keys
All password information contained in the secure user store is encrypted using an encryption key. The system is
provided with a default encryption key. If the encryption key is compromised, you can change the key.
Caution:
If the user forgets the stored password, you cannot recover that password because the system does not
display passwords in a human-readable form. We recommend changing the encryption key.

Changing the Secure User Store Encryption Keys


To change the secure user store encryption keys:
1. Get the RSECSSFX command from SAP BASIS 7.20 EXT.
2. Specify the path based on the platform, as described above. The key path is the same as the data path.
3. Define the SAP system name as HDB.
4. Use the CHANGEKEY command to change the key.

Related Links

System Security for SAP NetWeaver AS ABAP Only


11 Auditing Activity in SAP HANA Systems
The auditing feature of the SAP HANA database allows you to monitor and record selected actions performed in
your system. In other words, it provides you with visibility on who did what (or tried to do what) and when.
Although auditing does not directly increase your system's security, if wisely designed, it can help you achieve
greater security in the following ways:

Uncover security holes if too many privileges were granted to some user

Show attempts to breach security

Protect the system owner against accusations of security violations and data misuse

Allow the system owner to meet security standards

The following actions are typically audited:

Changes to user authorization

Creation or deletion of database objects

Authentication of users

Changes to system configuration

Changes to auditing configuration

Access to or changing of sensitive information

Constraints
Only actions that take place inside the database engine can be audited. If the database engine is not online when
an action occurs, it cannot be detected and therefore cannot be audited.
This is important to bear in mind in the following cases:

Upgrade of a SAP HANA database instance


Upgrade is triggered when the instance is offline. When it becomes available online again, it is not possible to
determine which user triggered the upgrade and when.

Changes to system configuration files


Only changes that are made using SQL are visible to the database engine. It is also possible to change
configuration files when the system is offline.

A further scenario that cannot be meaningfully audited is the activation of roles in the repository of the SAP HANA
database. This is important to bear in mind if you are using roles created in the repository to grant privileges to
users.


11.1 Audit Policies

Auditing is implemented through the creation and activation of audit policies. An audit policy defines the actions to
be audited, as well as the conditions under which the action must be performed to be relevant for auditing. For
example, actions in a particular policy are audited only when they are performed by a particular user on a
particular object. When an action occurs, the audit policy is triggered and an audit event is written to the audit
trail.

Audited Actions
An action corresponds to the execution of an SQL statement in the database. For example, you want to
track user provisioning in your system, so you create an audit policy that audits the execution of the SQL
statements CREATE USER and DROP USER. Although most actions correspond to the execution of a single SQL
statement, some actions can cover the execution of multiple SQL statements. For example, the action GRANT
ANY will audit the granting of multiple entities on the basis of the SQL statements GRANT PRIVILEGE, GRANT
ROLE, GRANT STRUCTURED PRIVILEGE, and GRANT APPLICATION PRIVILEGE.
An audit policy can specify any number of actions to be audited, but not all actions can be combined together in
the same policy. Actions can be grouped in the following main ways:

All actions
You can include all auditable actions in a single policy, but only in conjunction with a specific user. This is
useful if you want to audit the actions of a particularly privileged user.

Data manipulation actions


You can include any actions that involve data manipulation together in a single policy, for example actions that
audit SELECT, INSERT, UPDATE, DELETE, and EXECUTE statements on database objects. A policy that
includes these actions requires at least one target object that allows the actions in question. This type of
policy is useful if you want to audit a particularly critical or sensitive database object.

Data definition actions


Other action types, for example actions that involve data definition, can only be combined together in a single
policy if they are compatible. For example, the action GRANT PRIVILEGE can be combined with REVOKE
PRIVILEGE but not with CREATE USER. The action CREATE USER can be combined with DROP USER.

For more information about auditable actions, see the SAP HANA SQL Reference.

Audit Policy Parameters


In addition to the actions to be audited, an audit policy specifies additional parameters that further narrow the
number of events actually audited.

Audited action status


For each audit policy, it must be specified when the actions in the policy are to be audited:


On successful execution

On unsuccessful execution

On both successful and unsuccessful execution


Note: An unsuccessful attempt to execute an action means that the user was not authorized to
execute the action. If another error occurs (for example, misspellings in user or object names and
syntax errors), the action is generally not audited. In the case of actions that involve data manipulation
(that is, INSERT, SELECT, UPDATE, DELETE, and EXECUTE statements), additional errors (for
example, invalidated views) are audited.

Target object(s)
Actions that involve data manipulation require at least one target object. The following target object types are
possible:

Tables

Views

Procedures

Target objects are specified at the level of audit policy, so if an audit policy contains several data manipulation
actions, the target object must be valid for all actions in the policy. In the case of the action EXECUTE, the only
valid target object is procedure. In addition, procedure is valid only for this action. This means that the action
EXECUTE cannot be combined with any other actions.
Note: An object must exist before it can be named as the target object of an audit policy. However, if
the target object of an audit policy is deleted, the audit policy remains valid. This means that if the
object is recreated, that is the same object type with the same name is created, the audit policy will
work for this object again.

Audited user(s)
It is possible to specify that the actions in the policy be audited only when performed by a particular user. In
the case of a policy that contains all auditable actions, a user must be specified.
Note: Users must exist before they can be named in an audit policy.

Audit level
Each audit policy must be assigned one of the following levels:

EMERGENCY

ALERT

CRITICAL

WARNING

INFO


When the audit policy is triggered, an audit entry of the corresponding level is written to the audit trail. This
allows tools checking audited actions to find the most important information, for example.
Related Links

SAP HANA SQL Reference

11.2 Audit Trail

When an audit policy is triggered, that is, when an action in the policy occurs under the conditions defined in the
policy, an audit entry is created in the audit trail.
The logging system of the Linux operating system (syslog) is the only supported audit trail target. The syslog is a
secure storage location for the audit trail because not even the database administrator can access or change it.
There are also numerous storage possibilities for the syslog, including storing it on other systems. In addition, the
syslog is the default log daemon in UNIX systems. The syslog therefore provides a high degree of flexibility and
security, as well as integration into a larger system landscape. For more information about how to configure
syslog, refer to the documentation of your operating system.
Note: For test purposes in non-productive systems, you can use a CSV text file as the audit trail. However,
you must not use this for a productive system as it has severe restrictions. Firstly, it is not sufficiently
secure. By default, this file is written to the same directory as trace files, so database users with the
system privilege DATA ADMIN, CATALOG READ, TRACE ADMIN, or INIFILE ADMIN can access it. At
operating system level, any user in the SAPSYS group can access it. Secondly, audit trails are created for
each server in a distributed database system. This makes it more difficult to trace audit events that were
executed across multiple servers (distributed execution).
For each occurrence of an audited action, one or more audit entries are created.
Note: If an action that involves data manipulation was executed implicitly by a procedure, the call to this
procedure is audited together with the audited action. If the action does not involve data manipulation,
then an implicitly executed procedure is not audited. For example, if there is an active audit policy that
audits the action of creating users, the execution of CREATE USER statements within procedures will be
audited but not the procedures themselves.
Audit entries written to the audit trail have the following fields with the following meaning:
Field | Description | Sample Value
Event Timestamp | Time (UTC) of event occurrence | 2012-09-19 15:44:53
Service Name | Name of the service where the action occurred | Indexserver
Hostname | Name of the host where the action occurred | myhanablade23.customer.corp
SID | System ID | HAN
Instance Number | Instance number | 23
Port Number | Port number | 32303
Policy Name | Audit policy that was triggered | AUDIT_GRANT
Audit Level | Severity of audited action | CRITICAL
Audit Action | Action that was audited and thus triggered the policy | GRANT PRIVILEGE
Active User | User who performed the action | MYADMIN
Target Schema | Name of the schema where the action occurred, for example, a privilege was granted on a schema, or a statement was executed on object in a schema | PRIVATE
Target Object | Name of the object on which an action was performed, for example, a privilege was granted |
Privilege Name | Name of the privilege that was granted or revoked | SELECT
Grantable | Indication of whether the privilege or role was granted with or without GRANT/ADMIN OPTION | NON GRANTABLE
Role Name | Name of the role that was granted or revoked |
Target Principal | Name of the target user of the action, for example, grantee in a GRANT statement | HAXXOR
Action Status | Execution status of the statement | SUCCESSFUL
Component | Currently not applicable |
Section | Currently not applicable |
Parameter | Currently not applicable |
Old Value | Currently not applicable |
New Value | Currently not applicable |
Comment | Currently not applicable |
Executed Statement | Statement that was executed | GRANT SELECT ON SCHEMA PRIVATE TO HAXXOR
Session ID | ID of the session in which the statement was executed | 400006

In both the syslog and CSV file audit trails, the above fields are separated by ';'.
An audit entry therefore looks like this:

<Event Timestamp>;<Service Name>;<Hostname>;<SID>;
<Instance Number>;<Port Number>;<Policy Name>;<Audit Level>;
<Audited action>;<Active User>;<Target Schema>;<Target Object>;
<Privilege Name>;<Grantable>;<Role Name>;<Target Principal>;
<Action Status>;<Component>;<Section>;<Parameter>;<Old Value>;
<New Value>;<Comment>;<Executed Statement>;<Session Id>;
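
The entry layout above as a parser, added here as an example and not taken from SAP: it splits one entry into its 25 named fields and keeps the entries at or above a chosen audit level. Assumptions: the input is the entry payload with any syslog header already removed, surplus ';' characters belong to the executed statement, and the audit levels are ordered most severe first as the guide lists them. The first sample line is assembled from the sample values in the field table; the other two are constructed.

```python
from collections import namedtuple

# Field order follows the audit trail field table and entry layout in the guide.
FIELDS = (
    "event_timestamp", "service_name", "hostname", "sid", "instance_number",
    "port_number", "policy_name", "audit_level", "audit_action", "active_user",
    "target_schema", "target_object", "privilege_name", "grantable", "role_name",
    "target_principal", "action_status", "component", "section", "parameter",
    "old_value", "new_value", "comment", "executed_statement", "session_id",
)
AuditEntry = namedtuple("AuditEntry", FIELDS)
STATEMENT_INDEX = FIELDS.index("executed_statement")

# Audit levels in the order the guide lists them. Reading that order as
# "most severe first" is an assumption of this example.
LEVELS = ("EMERGENCY", "ALERT", "CRITICAL", "WARNING", "INFO")


def severity_rank(level):
    """Lower rank is more severe; unknown levels rank 0 so they are never dropped."""
    return LEVELS.index(level) if level in LEVELS else 0


def parse_audit_entry(line):
    """Parse one ';'-separated audit entry (payload only) into an AuditEntry.

    The guide does not say how a ';' inside the executed statement is escaped,
    so this example reads 23 fields from the left, the session ID from the
    right, and folds everything in between back into the statement.
    """
    text = line.rstrip("\r\n")
    if text.endswith(";"):          # the layout ends with a trailing ';'
        text = text[:-1]
    parts = text.split(";")
    if len(parts) < len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    head = parts[:STATEMENT_INDEX]
    statement = ";".join(parts[STATEMENT_INDEX:-1])
    return AuditEntry(*(p.strip() for p in head), statement.strip(), parts[-1].strip())


def triage(lines, min_level="CRITICAL"):
    """Return (entries at or above min_level, lines that could not be parsed)."""
    hits, rejected = [], []
    for line in lines:
        try:
            entry = parse_audit_entry(line)
        except ValueError:
            rejected.append(line)
            continue
        if severity_rank(entry.audit_level) <= severity_rank(min_level):
            hits.append(entry)
    return hits, rejected


def sample_line(**values):
    """Build a sample entry in the documented layout; unnamed fields stay empty."""
    return ";".join(values.get(name, "") for name in FIELDS) + ";"


SAMPLE_LINES = [
    # Assembled from the sample values in the guide's field table.
    sample_line(event_timestamp="2012-09-19 15:44:53", service_name="Indexserver",
                hostname="myhanablade23.customer.corp", sid="HAN",
                instance_number="23", port_number="32303",
                policy_name="AUDIT_GRANT", audit_level="CRITICAL",
                audit_action="GRANT PRIVILEGE", active_user="MYADMIN",
                target_schema="PRIVATE", privilege_name="SELECT",
                grantable="NON GRANTABLE", target_principal="HAXXOR",
                action_status="SUCCESSFUL",
                executed_statement="GRANT SELECT ON SCHEMA PRIVATE TO HAXXOR",
                session_id="400006"),
    # Constructed: INFO-level entry whose statement ends with its own ';'.
    sample_line(event_timestamp="2012-09-19 15:45:10", service_name="Indexserver",
                hostname="myhanablade23.customer.corp", sid="HAN",
                instance_number="23", port_number="32303",
                policy_name="AUDIT_USERS", audit_level="INFO",
                audit_action="DROP USER", active_user="MYADMIN",
                target_principal="TESTUSER", action_status="SUCCESSFUL",
                executed_statement="DROP USER TESTUSER;", session_id="400007"),
    # Constructed: truncated line, as after a cut-off syslog message.
    "2012-09-19 15:46:00;Indexserver;myhanablade23",
]

if __name__ == "__main__":
    hits, rejected = triage(SAMPLE_LINES)
    for e in hits:
        print(e.event_timestamp, e.audit_level, e.active_user, "->",
              e.target_principal, "|", e.executed_statement)
    print("unparseable lines:", len(rejected))
```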

11.3 Auditing Configuration and Audit Policy Management

To be able to audit database activity, the auditing feature must first be activated for the system. It is then possible
to create and activate the required audit policies. Audit policies can also be deactivated and reactivated later, or
deleted altogether.
You configure auditing and manage auditing policies in the Security editor of the SAP HANA studio.
Related Links

SAP HANA Administration Guide


12 SAP HANA Additional Components

12.1 SAP HANA Information Composer

The SAP HANA information composer is a Web application that allows you to upload and manipulate data on the
SAP HANA database. The SAP HANA information composer uses a Java server which interacts with the SAP
HANA database.
The Java server communicates with the SAP HANA information composer client via HTTP or HTTPS. The
following ports are used by default:

HTTP port 8080

HTTPS port 8443

If HTTPS is used, the SSL certification must be configured by the administrator.


Note:
The SAP HANA information composer can be configured to use antivirus software.
The SAP HANA information composer client is accessible to users who are assigned the IC_MODELER role. This
role allows users to upload new content into the SAP HANA database and to create physical tables and calculation
views.
When content is marked as shared, it is accessible to users who are assigned the IC_PUBLIC role. By default,
the physical tables and calculation views are marked as private. This means that they are only visible to the user
who created them. Calculation views are created by the _SYS_REPO user in the _SYS_BIC schema within the
Column Views node in the SAP HANA studio.
The physical tables and calculation views can be shared with users who are assigned the IC_PUBLIC role. The
IC_PUBLIC role is included in the IC_MODELER role.


The created calculation view inherits the analytical privileges of the source data that is being used. Objects that
are based on user data (spreadsheets) have no analytical privileges.
The SAP_IC technical user is created during installation. After completing the installation, SAP_IC is locked.
Note:
As long as the SAP HANA information composer is in use, the SAP_IC user must not be deleted because
otherwise, the role assignments created by this user will also be deleted.
Related Links

SAP HANA Information Composer Installation and Configuration Guide


12.2 Lifecycle Management Tools


You can access the Lifecycle Management Tools from the Lifecycle Management perspective of the SAP HANA
studio. The Software Update Manager (SUM), which is part of the Lifecycle Management Tools, can be used to
update the components of your SAP HANA installation.
To work properly, the SUM needs credentials for the following users:

sapadm used to authenticate to SAP Host Agent

<sid>adm required by SAP HANA database server update

SAP Service Marketplace user used to authenticate to SAP Service Marketplace

The SUM for SAP HANA communicates with the following components:

SAP HANA studio

SAP Service Marketplace

SAP Host Agent

All these channels use encryption via HTTPS. For communication with the SAP HANA studio, the SUM for SAP
HANA opens the server ports 8080 and 8443.
See the SAP HANA Automated Update Guide at https://service.sap.com/hana for more information about:

How to set up and update the SUM (section Configuring HTTPS for SAP HANA Automated Update).

How to set up and update the Lifecycle Management Perspective (section Setting Up the SAP HANA
Studio).

12.3 Unified Installer


The SAP HANA Unified Installer is a tool for installing the SAP HANA appliance software in a single, unified, and
predefined way. It is designed to be used by the SAP HANA hardware partners within their factory process.
The SAP HANA Unified Installer can be used to change the initial passwords provided by the hardware partner.
Note: After you receive the SAP HANA appliance, we recommend changing the initial passwords provided
by the partner by using the SAP HANA On-Site Configuration tool. For more information about working
with this tool, see the SAP HANA Installation Guide with SAP HANA Unified Installer.
Related Links

SAP HANA Installation Guide with SAP HANA Unified Installer

12.4 SAP HANA UI Toolkit for Info Access


The SAP HANA UI toolkit for Info Access provides HTML5 UI building blocks for developing search-based
applications on SAP HANA. Such applications provide real-time information access and faceted search features
on huge volumes of structured and unstructured text data. The UI toolkit is connected to the database through


the SAP HANA Info Access service that wraps search and analytic SQL queries and exposes them through an
HTTP interface.
Note: The service runs on SAP HANA XS. For information about activating and deactivating SAP HANA
XS, see the section "Starting and Stopping Database Services" in the SAP HANA Administration Guide.
Both the UI toolkit and the HTTP service are part of the default SAP HANA shipment, but they are not installed
automatically. They are shipped as separate delivery units that you need to import and activate manually.
Note: For information about setting up the service and the toolkit and developing search apps, see the
section "Building Search Apps" in the SAP HANA Developer Guide.
When activated, the service:

Is available via the HTTP/S port.

Provides end users access to search data, which requires creating database users and giving them privileges
on certain schemas and views.

Related Links

SAP HANA Administration Guide


SAP HANA Developer Guide

12.5 SAP HANA UI Integration Services


Security aspects of SAP HANA UI Integration Services.
SAP HANA UI Integration Services is a set of Eclipse-based and browser-based tools, as well as client-side APIs,
which enable you to integrate standalone SAP HANA Extended Application Services (XS) client applications into
web user interfaces to support end-to-end business scenarios. These user interfaces are referred to as
application sites. Pre-built standalone SAP HANA XS client applications that are integrated into application
sites are referred to as widgets.
The following topics discuss the security aspects of SAP HANA UI Integration Services. Other security aspects,
such as those related to network and communication or databases, that are not specific to SAP HANA UI
Integration Services but also apply to it, are described in the respective sections of the SAP HANA Security Guide.

Roles and Permissions


The following roles are predefined in the SAP HANA user management system for SAP HANA UI Integration
Services:
| Role | Description |
|---|---|
| sap.hana.uis.db::SITE_USER | Runtime usage of application sites. The role's permissions enable authorized users to do the following: read information about the activated sites; write security messages to the audit log. |
| sap.hana.uis.db::SITE_DESIGNER | Design and runtime usage of application sites. The role's permissions enable authorized users to do the following: all permissions of SITE_USER; access the SAP HANA repository; read a specific table in the UIS schema that contains all the information about the activated widgets. |

Security Auditing
All security-related events in application sites are saved to the table
UIS.sap.hana.uis.db::DEFAULT_AUDIT_TBL. Any authorized SAP HANA user can write to this table
using the UIS.sap.hana.uis.db/LOG_AUDIT_MESSAGE stored procedure. No user can read this table
without read permissions granted by the system administrator.

Security Considerations for Widget Development


When developing widgets with the help of SAP HANA UI Integration Services, take into account the following
security considerations:

Each widget is responsible for its own security so you should take measures to protect its data and resources.
However, you can assume that only authenticated SAP HANA users can access application sites at runtime,
since logon credentials are requested at start.

The sap-context feature supports communication between widgets in a site by enabling widgets to publish
events or subscribe to events. No out-of-the-box mechanism is supplied to validate a publisher or subscriber
of the context, so the published data is not automatically protected.

The gadgetprefs feature allows any widget to save properties on the application server.
Caution: Using the feature's API, a widget can read and write its own properties only; however, all
properties are visible to anyone who has read permissions for an application site in which the widget is
running. Therefore we recommend that you avoid storing sensitive data using this feature.

12.6 Application Function Library (AFL)


You can dramatically increase performance by executing complex computations in the database instead of at the
application server level.
SAP HANA provides several techniques to move application logic into the database, and one of the most
important is the use of application functions. Application functions are like database procedures written in C++
and called from outside to perform data intensive and complex operations. Functions for a particular topic are
grouped into an application function library (AFL), such as the Predictive Analytical Library (PAL) or the Business
Function Library (BFL).
Currently, all AFLs are delivered in one archive (that is, one SAR file with the name AFL<version_string>.SAR).
Note: The AFL archive is not part of the SAP HANA appliance, and must be installed separately by an
administrator. For more information about installing the AFL archive, see the SAP HANA Installation Guide
with SAP HANA Unified Installer.
AFL Security

User and Schema


During startup, the system creates the user _SYS_AFL, whose default schema is _SYS_AFL.
Note: The user and its schema _SYS_AFL are created during a new installation or update process if
they do not already exist.
All AFL objects, such as areas, packages, functions, and procedures, are created under this user and schema.
Therefore, all these objects have fully specified names in the form of _SYS_AFL.<object name>.

Roles
For each AFL library, there is a role. You must be assigned this role to execute the functions in the library. The
role for each library is named: AFL__SYS_AFL_<AREA NAME>_EXECUTE. For example, the role for
executing PAL functions is AFL__SYS_AFL_AFLPAL_EXECUTE.
Note: There are 2 underscores between AFL and SYS.
Note: Once a role is created, it cannot be dropped. In other words, even when an area with all its objects is
dropped and recreated during system startup, the user still keeps the role that was previously granted.

Related Links

SAP HANA Installation Guide with SAP HANA Unified Installer

12.7 SAP HANA Extended Application Services (SAP HANA XS)

SAP HANA Extended Application Services (SAP HANA XS) enables you to define access to each individual
application package that you want to develop and deploy.
The application access file enables you to specify who or what is authorized to access the content exposed by the
application package and what content they are allowed to see. For example, you use the application access
file .xsaccess to specify if authentication is to be used to check access to package content, and whether
rewrite rules are in place for the exposure of target and source URLs.
For security information on the following items related to SAP HANA XS, see the SAP HANA Developer Guide.

Data Authorization
Privileges for users, roles, views, schemas, tables, packages, applications, repository, and so on.

Server-side JavaScript
Scripting best practices for XSS, XSRF, and so on.

Application Access

.xsaccess

ODATA Services
Service definition, service start, URLs

XMLA Services
Service definition, service start, URLs

Table Import
Permission to execute select statements on created tables

SAP HANA XS Ports and Connections


For a table with detailed information about ports and connections for SAP HANA XS, see SAP HANA Extended
Application Services Ports and Connections.

Starting and Stopping SAP HANA XS


Note: For information about activating and deactivating SAP HANA XS, see the section "Starting and
Stopping Database Services" in SAP HANA Administration Guide.

Configuring HTTPS (SSL) for SAP HANA XS


Note: For information about configuring HTTPS (SSL) for SAP HANA XS, see Configuring HTTPS (SSL) for
Client Application Access.


Related Links

SAP HANA Developer Guide


SAP HANA Administration Guide

12.8 R Integration
R is an open source programming language and software environment for statistical computing and graphics.
SAP HANA allows R code to be processed inline as part of a SQLScript procedure.
Note: The R server is not provided by SAP.
The current implementation has the following security considerations:

Data channel between SAP HANA and R is unencrypted.

Rserve can be configured to use authentication based on a password. In this case, the password is stored
unencrypted in a configuration file on the SAP HANA server.


SQLScript R functions can contain code that can harm security on the server where the Rserve is running,
such as the following:

Access file system (read/write)

Install new add-on/R packages which can contain binary code (for example, written in C)

Execute operating system commands

Open network connections and download files or open connections to other servers

Only authorized database users are allowed to create SQLScript R functions. Because of this, you should grant the
CREATE R SCRIPT privilege only to trusted database users who are allowed to create SQLScript R functions. To
do so, a user who has this privilege WITH ADMIN OPTION can execute the following SQL command:

GRANT CREATE R SCRIPT TO user [WITH ADMIN OPTION]


Related Links

SAP HANA R Integration Guide


13 Security for SAP HANA Replication Technologies

This topic describes the security considerations of the supported SAP HANA replication technologies.
Note: For more details about the specific replication technologies and a table comparing them, see SAP
HANA Replication Technologies.

SAP HANA Extraction-Transformation-Load (ETL) Data Services


The SAP HANA Extraction-Transformation-Load (ETL) data replication technology uses SAP BusinessObjects
Data Services (hereafter referred to as Data Services) to load the relevant business data from the SAP ERP
source system and replicate it to the target SAP HANA database. This method allows you to read the required
business data on the application layer level. You deploy this method by defining data flows in Data Services and
scheduling the replication jobs.
Since this method uses batch processing, it also enables data checks, transformations, synchronizing with
additional data providers, and the merging of data streams. The main components are the Data Services
Designer, where you model the data flow, and the Data Services Job Server for the execution of the replication
jobs. An additional repository is used to store the metadata and the job definitions.
Data Services relies on the Central Management Server (CMS) for authentication and security features. For
complete information about the security features provided by the CMS, see the SAP BusinessObjects Enterprise
Administrator's Guide or the SAP BusinessObjects Information Platform Services Administrator's Guide at SAP
HANA Appliance Software.
To ensure security for your Data Services environment, use a firewall to prevent unintended remote access to
administrative functions. In a distributed installation, you need to configure your firewall so that the Data Services
components are able to communicate with each other as needed. For information about configuring ports on your
firewall, see your firewall documentation.
For more information about ETL data replication technology using the SAP BusinessObjects Data Services
database, see the Security section in the SAP BusinessObjects Data Services Administrators Guide.

SAP HANA Direct Extractor Connection (DXC)


By default, the SAP HANA Direct Extractor Connection technology is switched off. For more information about
how to switch it on, see the SAP HANA Direct Extractor Connection Implementation Guide at SAP HANA
Appliance Software.
For secure communication, the SAP HANA Direct Extractor Connection technology uses the SSL protocol
(HTTPS) based on the Internet Communication Manager (ICM). For more information about ICM and SSL
configuration, see the SAP Library on SAP Help Portal at http://help.sap.com under
SAP NetWeaver > SAP NetWeaver 7.3 > SAP NetWeaver Library: Function-Oriented View > Application Server >
Application Server Infrastructure > Internet Communication Manager (ICM).

Trigger-Based Data Replication using SAP LT (Landscape Transformation) Replication Server (SLT)

SAP Landscape Transformation replication server is a replication technology to provide data from SAP systems in
an SAP HANA environment. It acts as a key enabler for SAP HANA customers to supply their SAP HANA
environment with relevant data.
When using a distributed system, you need to be sure that your data and processes support your business needs
without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation
of your system should not result in loss of information or processing time. These demands on security apply
likewise to the trigger-based data replication using the SAP LT (Landscape Transformation) replication server.
The SAP LT replication server and the SAP source system use the user management and authentication
mechanisms provided by the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server.
Therefore, the security recommendations and guidelines for user administration and authentication as described
in the SAP NetWeaver Security Guide [SAP Library] Application Server ABAP Security Guide also apply to the
SAP LT Replication Server and an SAP source system.
The SAP LT replication server and the SAP source system use the authorization concept provided by the SAP
NetWeaver AS ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP
NetWeaver AS Security Guide ABAP also apply to the SAP LT replication server. In SAP NetWeaver,
authorizations are assigned to users based on roles. For role maintenance, use the profile generator (transaction
PFCG) on the AS ABAP. For more information about how to create roles, see Role Administration (SAP Library).
Related Links

SAP BusinessObjects Data Services Administrators Guide


SAP HANA Replication Technologies [page 73]
SAP HANA Security Guide - Trigger-Based Replication (SLT)


14 Security Reference Information

14.1 SAP HANA Port and Connection Tables


Tables of all listening TCP / IP network ports that are used by SAP HANA.
The port and connection tables for SAP HANA are listed in the subsections below:

SAP HANA Database Internal Communication Ports and Connections

SAP HANA Database Client Access Ports and Connections

SAP HANA Extended Application Services (SAP HANA XS) Ports and Connections

SAP HANA Administrative Ports and Connections

Remote Support Ports and Connections

Additional Scenarios Ports and Connections

14.1.1 SAP HANA Database Internal Communication Ports and Connections

This topic includes port and connection information for SAP HANA database internal communication.
Tip:
In SAP HANA, most network ports depend on the two-digit instance number of the installation. In the
following, replace <inst> with the actual instance number of the installation. For example, for
instance number 00, 3<inst>00 becomes 30000.

Table 5: HANA Database Internal Communication Ports and Connections

Communication Type (applies to all rows): Communication channels are used only to communicate internally
between different components of an SAP HANA database instance, such as the different hosts in a
distributed installation.

| Listening TCP / IP | Comment |
|---|---|
| 3<inst>00 | SAP HANA database internal (local only) |
| 3<inst>01 | SAP HANA database internal |
| 3<inst>02 | SAP HANA database internal |
| 3<inst>03 | SAP HANA database internal |
| 3<inst>05 | SAP HANA database internal |
| 3<inst>07 | SAP HANA database internal |
| 3<inst>17 | SAP HANA database internal |


14.1.2 SAP HANA Database Client Access Ports and Connections

This topic includes port and connection information for SAP HANA database client access.
Tip:
In SAP HANA, most network ports depend on the two-digit instance number of the installation. In the
following, replace <inst> with the actual instance number of the installation. For example, for
instance number 00, 3<inst>00 becomes 30000.

Table 6: SAP HANA Database Client Access Ports and Connections

| Communication Type | Listening TCP / IP | Comment |
|---|---|---|
| SQL / MDX access port for standard database access. Access to these ports needs to be enabled for all database clients. Note: This access is also required for some administrative functions. | 3<inst>15 | External SQL interface. Access port for all database access by applications/application servers, end-user clients or SAP HANA studio, such as for modeling or database administration. |

14.1.3 SAP HANA Extended Application Services Ports and Connections

This topic includes port and connection information for SAP HANA Extended Application Services (SAP HANA
XS).
Tip:
In SAP HANA, most network ports depend on the two-digit instance number of the installation. In the
following, replace <inst> with the actual instance number of the installation. For example, for
instance number 00, 3<inst>00 becomes 30000.

Table 7: SAP HANA XS Ports and Connections

| Communication Type | Listening TCP / IP | Comment |
|---|---|---|
| SAP HANA XS HTTP access | 80<inst> | HTTP access to applications based on SAP HANA XS. |
| SAP HANA XS HTTPs access | 43<inst> | HTTPs access to applications based on SAP HANA XS. |

14.1.4 SAP HANA Administrative Ports and Connections


This topic includes port and connection information for SAP HANA administration.


Tip:
In SAP HANA, most network ports depend on the two-digit instance number of the installation. In the
following, replace <inst> with the actual instance number of the installation. For example, for
instance number 00, 3<inst>00 becomes 30000.

Table 8: SAP HANA Administrative Ports and Connections

| Communication Type | Listening TCP / IP |
|---|---|
| Instance Agent: SAP Start administrative channel for low-level access to the SAP HANA instance to allow features such as starting or stopping of the SAP HANA database. | 5<inst>13, 5<inst>14 (SSL) |
| Host Agent: SAP Start administrative channel for low-level access to the SAP HANA appliance system. | 1128, 1129 (SSL) |
| Software Update Manager: Access to trigger actions of the SUM such as updating the SAP HANA database software. | 8443 (SSL) |
| Software Update Manager: Connection to SAP Service Market Place to check for updates. | Outgoing to service.sap.com:443 |

14.1.5 Remote Support Ports and Connections

This topic includes port and connection information for remote support.
Tip:
In SAP HANA, most network ports depend on the two-digit instance number of the installation. In the
following, replace <inst> with the actual instance number of the installation. For example, for
instance number 00, 3<inst>00 becomes 30000.

Table 9: Remote Support Ports and Connections

| Communication Type | Listening TCP / IP | Comment |
|---|---|---|
| SAP Solution Manager: via SMD agent | Outgoing connection | All connections from the SMD agent to the Solution Manager are outgoing connections which are opened by the SMD agent. |
| SAP Router Access: development support access | 3<inst>09 | Not active by default and required in only certain support cases. For more details see "Opening a Support Connection" in SAP HANA Administration Guide. |
Related Links

SAP HANA Administration Guide

14.1.6 Additional Scenarios Ports and Connections


This topic includes port and communication information for additional scenarios.
Tip:
In SAP HANA, most network ports depend on the two-digit instance number of the installation. In the
following, replace <inst> with the actual instance number of the installation. For example, for
instance number 00, 3<inst>00 becomes 30000.

Table 10: Additional Scenarios Ports and Connections

| Communication Type | Listening TCP / IP | Comment |
|---|---|---|
| R Integration: Communication between SAP HANA and R environment (separate server). | Outgoing connection | Only required for scenarios which use the R integration supported by SAP HANA. For more information, see SAP HANA R Integration Guide. |
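
The <inst> substitution used throughout sections 14.1.1 to 14.1.5, as an added example that is not part of the SAP guide: the Python code below expands the listening-port templates from Tables 5 to 9 for one instance number and reviews a list of listening sockets against the table comments. The listener sample, the finding texts, and the rule that an unlisted 3<inst>xx port is unexpected are assumptions made for this illustration.

```python
# Added example (not SAP code): expand the "<inst>" port templates from
# Tables 5-9 and review listening sockets against the table comments.
import ipaddress
import re

LOCAL_ONLY = "internal (local only)"
SUPPORT = "SAP Router support access"

# (template, table number, label) as listed in the guide's port tables.
TEMPLATES = [
    ("3<inst>00", 5, LOCAL_ONLY),
    ("3<inst>01", 5, "internal"),
    ("3<inst>02", 5, "internal"),
    ("3<inst>03", 5, "internal"),
    ("3<inst>05", 5, "internal"),
    ("3<inst>07", 5, "internal"),
    ("3<inst>17", 5, "internal"),
    ("3<inst>15", 6, "SQL/MDX client access"),
    ("80<inst>", 7, "XS HTTP"),
    ("43<inst>", 7, "XS HTTPS"),
    ("5<inst>13", 8, "instance agent"),
    ("5<inst>14", 8, "instance agent (SSL)"),
    ("1128", 8, "host agent"),
    ("1129", 8, "host agent (SSL)"),
    ("8443", 8, "Software Update Manager (SSL)"),
    ("3<inst>09", 9, SUPPORT),
]

# Finding texts are constructed for this example.
F_LOCAL = "local-only port bound to a non-loopback address"
F_SUPPORT = "support port is listening; not active by default"
F_UNLISTED = "in the 3<inst>xx range but not in the port tables"


def expand(template: str, inst: str) -> int:
    """Substitute the two-digit instance number into one port template."""
    if not re.fullmatch(r"[0-9]{2}", inst):
        raise ValueError("instance number must be exactly two digits, e.g. '00'")
    return int(template.replace("<inst>", inst))


def port_table(inst: str) -> dict:
    """Map each concrete port number to (table, label) for this instance."""
    return {expand(t, inst): (table, label) for t, table, label in TEMPLATES}


def review_listeners(listeners, inst: str) -> list:
    """Return (port, finding) pairs for sockets that contradict the tables.

    listeners: iterable of (bind_address, port) pairs, for example taken
    from the output of a socket listing tool on the SAP HANA host.
    """
    known = port_table(inst)
    findings = []
    for addr, port in listeners:
        if port not in known:
            # Assumption: only this instance's 3<inst>xx block is in scope.
            text = str(port)
            if len(text) == 5 and text.startswith("3" + inst):
                findings.append((port, F_UNLISTED))
            continue
        _table, label = known[port]
        if label == LOCAL_ONLY and not ipaddress.ip_address(addr).is_loopback:
            findings.append((port, F_LOCAL))
        elif label == SUPPORT:
            findings.append((port, F_SUPPORT))
    return findings


# Constructed sample: listening sockets on a host running instance 00.
SAMPLE_LISTENERS = [
    ("127.0.0.1", 30000),  # local-only internal port on loopback
    ("0.0.0.0", 30015),    # SQL/MDX client access
    ("0.0.0.0", 4300),     # XS HTTPS
    ("0.0.0.0", 30009),    # SAP Router support access
    ("10.0.0.5", 30040),   # not listed in any table
]

if __name__ == "__main__":
    for port, finding in review_listeners(SAMPLE_LISTENERS, "00"):
        print(port, finding)
```

The same port map can feed a firewall rule review: only the client access, XS and administrative ports need to be reachable from outside the SAP HANA hosts, each from its own group of clients.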

14.2 SAP HANA Replication Technologies


14.2.1 Introduction

In-memory reporting and analyzing of business data requires the replication of the data from a source system to
the SAP HANA database. This section provides an overview of the possible replication methods that are available
for the SAP HANA appliance. It also describes the application fields and lists the main components required for
each method.


The figure above focuses on the task of loading business data from an SAP ERP system to the SAP HANA
database.
The methods for performing data replication are shown in the figure below. The main components involved in all
replication scenarios are:

SAP HANA appliance, consisting of the SAP HANA database and SAP HANA studio, which is used to
administer the appliance. User interfaces, such as SAP BusinessObjects Dashboards or Web Intelligence, are
not part of the appliance software.

Source system, such as SAP ERP

Software components supporting the data replication

The software components that support different methods of data replication are described in the following
replication scenarios.


The figure above gives an overview of the alternative methods for data replication from a source system to the
SAP HANA database. Each method handles the required data replication differently, and consequently each
method has different strengths. It depends on your specific application field and the existing system landscape as
to which of the methods best serves your needs.

Trigger-Based Replication
Trigger-Based Data Replication Using SAP Landscape Transformation (LT) Replication Server is based on
capturing database changes at a high level of abstraction in the source ERP system. This method of
replication benefits from being database-independent, and can also parallelize database changes on multiple
tables or by segmenting large table changes.

ETL-Based Replication
Extraction-Transformation-Load (ETL) Based Data Replication uses SAP Data Services to specify and load
the relevant business data in defined periods of time from an ERP system into the SAP HANA database. You
can reuse the ERP application logic by reading extractors or utilizing SAP function modules. In addition, the
ETL-based method offers options for the integration of third-party data providers.

Extractor-Based Data Acquisition


The SAP HANA Direct Extractor Connection (DXC) is a means for providing out-of-the-box foundational data
models to SAP HANA, which are based on SAP Business Suite entities. DXC is also a data acquisition method.
The rationale for DXC is essentially simple, low TCO data acquisition for SAP HANA leveraging existing
delivered data models.

Related Links

Product Availability Matrix (PAM) (search for SAP HANA)


14.2.2 Trigger-Based Replication


The Trigger-Based Replication method uses the SAP Landscape Transformation (LT) Replication Server
component to pass data from the source system to the SAP HANA database target system.

Initial Load and Simultaneous Delta Replication


The initial load of business data is initiated using the SAP HANA studio. The initial load message is sent from the
SAP HANA system to the SLT system (based on SAP NetWeaver 7.02 with kernel 7.20 EXT), which in turn passes
the initialization message to the ERP system. The ERP system begins by setting up database transaction log
tables for each table to be replicated. After the transaction tables are completed, the SLT system begins a multithreaded replication of data to the target system, which enables high speed data transfer.
The initial load of data can be executed while the source system is active. The system load that this process
causes can be controlled by adjusting the number of worker threads performing the initial replication.
In parallel to the initial load, by means of database-specific triggers, the SLT system begins detecting any data
changes that occur while the initial load process is running. These changes are logged to the transaction tables,
and are propagated to the target SAP HANA system. The multi-version concurrency control (MVCC) of the SAP
HANA database prevents issues that might be caused by the overlapping of the initial load process and new
database transactions.
Continuous Delta Replication After Initial Load
After the initial load process has completed, the SLT system continues to monitor the transaction tables in the
ERP system, and replicates data changes in the source system to the SAP HANA system in near real time.


Required Software Components


This replication method requires the following component:

SAP Landscape Transformation: this controls the entire replication process by triggering the initial load and
coordinating the delta replication.

Installation considerations
The SLT system can be installed in the ways shown below. You can select between these options depending on
your current system landscape and the software versions in your landscape:

Installation on your ERP system

Installation on a standalone SAP system (recommended setup)

Related Links

SAP HANA Installation Guide Trigger-Based Replication

14.2.3 ETL-Based Replication


Extraction-Transformation-Load (ETL) based data replication uses SAP Data Services (referred to as Data
Services from now on) to load the relevant business data from the source system, SAP ERP, and replicate it to the
target, SAP HANA database. This method enables you to read the required business data on the level of the
application layer. You deploy this method by defining data flows in Data Services and scheduling the replication
jobs.
Since this method uses batch processing, it also permits data checks, transformations, synchronizing with
additional data providers, and the merging of data streams.


The figure above gives an overview of the ETL-based replication method. Here, data replication is operated by
Data Services. Its main components are the Data Services Designer, where you model the data flow, and the Data
Services Job Server for the execution of the replication jobs. An additional repository is used to store the
metadata and the job definitions.
For information about installing ETL-based replication, see SAP HANA Installation Guide with SAP HANA Unified
Installer.
Data Flow
As with any replication scenario, you have to define a series of parameters for the two systems involved. In
Data Services, you define these parameters by setting up datastores. You use the Designer to set up
datastores.
Datastore Setup
When setting up a datastore for the source system SAP ERP, choose SAP Applications for the type of datastore, and
specify the address of the system and the user name and password that allow Data Services to access the system.
Additional settings depend on the type of SAP ERP objects to be read.
For the target system of the replication, the SAP HANA database, you have to set up a separate datastore as done
for the source system.
Data Flow Modeling
Once datastores are set up, Data Services can connect to the source system by RFC. Based on the metadata
imported from the ABAP Data Dictionary to Data Services, you can determine the business data to be replicated.
Data Services offers replication functions for a variety of data source types. However, for the replication of SAP
ERP data to the SAP HANA database, we recommend that you use extractors.
Note:

You must apply SAP Note 1522554 to fully benefit from the extractor support.

In the source system, the extractors must be released for the replication access by Data Services. In
addition, you have to indicate the primary key, such as the GUID, to enable the correct replication.

The extractors must support delta handling.

Choose the extractors that are relevant for the replication job.
Model the data flow for each extractor you have selected: indicate the source for the data flow, which is the
extractor. For the target of the replication, choose a template table, which is then used in the SAP HANA database
to store the replicated data.
Data Flow for Initial Load and Update
Both the initial load of business data from the source system into SAP HANA database as well as updating the
replicated data (delta handling) is done using SAP Data Services. The initial load can be set up modeling a simple
data flow from source to target. For the update, in most cases, the data flow is enhanced by a delta handling
element, such as Map_CDC_Operation or Table_Comparison Transform. It depends on the environment and
the requested setup of the target tables which data flow design best serves your requirements.
Although we recommend that you use delta-supporting extractors, you can also use SAP ABAP tables.
Replication Job Schedule
Since you can schedule the replication jobs when using Data Services, this method is suitable where the source
system must be protected from additional load during the main business hours. In this way, you can shift the
replication workload, for example, to the night. As a result, the data that is available for reporting always
represents the state reached by the time when the latest replication job was started.
Use the Management Console, which comes with Data Services, to schedule replication jobs. You can choose
from different tools and methods for the scheduling. You can also use the Management Console to monitor the
replication process.
Required Software Components
This replication method requires the following main components:

SAP HANA database

SAP BusinessObjects Enterprise

BusinessObjects Enterprise Central Management Server (CMS), which is a part of SAP BusinessObjects
Enterprise

SAP Data Services XI 4.0

Related Links

Product Availability Matrix (PAM) (search for SAP HANA)

14.2.4 SAP HANA Direct Extractor Connection (DXC)


The SAP HANA Direct Extractor Connection (DXC) is a means for providing out-of-the-box foundational data
models to SAP HANA, which are based on SAP Business Suite entities. DXC is also a data acquisition method for
SAP HANA. The rationale for DXC is essentially simple, low TCO data acquisition for SAP HANA leveraging
existing delivered data models.
Customer projects may face significant complexity in modeling entities in SAP Business Suite systems. In many
cases, data from different areas in SAP Business Suite systems requires application logic to appropriately
represent the state of business documents. SAP Business Content DataSource Extractors have been available for
many years as a basis for data modeling and data acquisition for SAP Business Warehouse; now with DXC, these
SAP Business Content DataSource Extractors are available to deliver data directly to SAP HANA.
DXC is a batch-driven data acquisition technique; it should be considered as a form of extraction, transformation
and load although its transformation capabilities are limited to user exit for extraction.
A key point about DXC is that in many use cases, batch-driven data acquisition at certain intervals is sufficient (for
example, every 15 minutes).

Overview of the DXC Rationale

- Leverage pre-existing foundational data models of SAP Business Suite entities for use in SAP HANA data mart scenarios:
  - Significantly reduces complexity of data modeling tasks in SAP HANA
  - Speeds up timelines for SAP HANA implementation projects
- Provide semantically rich data from SAP Business Suite to SAP HANA:
  - Ensures that data appropriately represents the state of business documents from ERP
  - Application logic to give the data the appropriate contextual meaning is already built into many extractors
- Simplicity/Low TCO:
  - Re-uses existing proprietary extraction, transformation, and load mechanism built into SAP Business Suite systems over a simple http(s) connection to SAP HANA
  - No additional server or application needed in system landscape
- Change data capture (delta handling):
  - Efficient data acquisition: only bring new or changed data into SAP HANA
  - DXC provides a mechanism to properly handle data from all delta processing types

Default DXC Configuration for SAP Business Suite


DXC is available in different configurations based on the SAP Business Suite system:

- The default configuration is available for SAP Business Suite systems based on SAP NetWeaver 7.0 or higher, such as ECC 6.0.
- The alternative configuration is available for SAP Business Suite systems based on releases lower than SAP NetWeaver 7.0, such as SAP ERP 4.6.

An SAP Business Suite system is based on SAP NetWeaver. As of SAP NetWeaver version 7.0, SAP Business
Warehouse (BW) is part of SAP NetWeaver itself, which means a BW system exists inside SAP Business Suite
systems such as ERP (ECC 6.0 or higher). This BW system is referred to as an embedded BW system. Typically,
this embedded BW system inside SAP Business Suite systems is actually not utilized, since most customers who
run BW have it installed on a separate server, and they rely on that one. With the default DXC configuration, we
utilize the scheduling and monitoring features of this embedded BW system, but do not utilize its other aspects
such as storing data, data warehousing, or reporting / BI. DXC extraction processing essentially bypasses the
normal dataflow, and instead sends data to SAP HANA. The following illustration depicts the default configuration
of DXC.

An In-Memory DataStore Object (IMDSO) is generated in SAP HANA, which directly corresponds to the structure
of the DataSource you are working with. This IMDSO consists of several tables and an activation mechanism. The
active data table of the IMDSO can be utilized as a basis for building data models in SAP HANA (attribute views,
analytical views, and calculation views).
Data is transferred from the source SAP Business Suite system using an HTTP connection. Generally, the
extraction and load process is virtually the same as when extracting and loading SAP Business Warehouse: you
rely on InfoPackage scheduling, the data load monitor, process chains, etc., which are all well-known from
operating SAP Business Warehouse.
Note:
DXC does not require BW on SAP HANA. Also with DXC, data is not loaded into the embedded BW system.
Instead, data is redirected into SAP HANA.
Related Links

SAP HANA Direct Extractor Connection Implementation Guide
Editing DataSources and Application Component Hierarchies
Enhancing DataSources

14.2.5 Comparison of Replication Methods


This table compares the key features of each replication method.

| Capability | Trigger-Based Replication (SLT Replication) | ETL-Based Replication (Data Services 4.0 SP2) | Extractor-based Data Acquisition (DXC) |
|---|---|---|---|
| Release coverage | SAP R/3 4.6C - SAP ERP 6.0 (EHP06); all other ABAP-based SAP Applications (Basis 4.6C-NW7.02) | ERP 4.6c - SAP ERP 6.0 | SAP Business Suite systems based on NetWeaver ABAP 4.6C or higher |
| Unicode/Non-Unicode | Yes | Yes | Yes |
| MDMP | Partial (if table contains only ASCII characters or language key is included) | Partial (1) | Yes, via How to Guide |
| Transparent Tables | Yes | Yes | Yes, via generic DataSource |
| Cluster & Pool Tables | Yes | Yes | Yes, via generic DataSource |
| Non-SAP Sources | Yes (for SAP supported DBs only: Informix on project base) | Yes | No |
| Compressed Values DB Table | Yes | Yes | Yes, via generic DataSource |
| Row Compression DB Table | Yes | Yes | Yes, via generic DataSource |
| DB Support (Source side) | All SAP supported DBs, incl. ASE | All SAP supported DBs, incl. ASE, and others: see PAM for full list | All SAP supported DBs (no MaxDB support) |
| OS Support (Source side) | All SAP supported OS | All OS supported under ERP (NO impact of source OS on Data Services) | All OS supported under SAP Business Suite systems |
| Transactional Integrity | No | No | Yes |
| Multi-System Support | Multiple source systems to multiple SAP HANA instances | Multiple source systems | Multiple source systems |
| Workload balancing (parallelization of replication) | Yes | Yes | Yes |
| Real-time and/or scheduled replication | Real-time and scheduled (on table level) | Scheduled | Scheduled or Event driven |
| Initial Load & Delta replication | Initial load, initial load + delta replication for relevant tables | Initial load + delta replication (for table based needs delta information through timestamp column or through delta enabled extractors). Not recommended for use with DataSource extractors with delta processing types AIM, AIE, AIED, AIMD, ADD, ADDD, and CUBE | Initial load + delta replication, for all delta processing types including AIM, AIE, AIED, AIMD, ADD, ADDD, CUBE etc. |
| Transformation capabilities | Capabilities for filtering and transforming data, as well as data scrambling. Data filtering can be done either via selective triggers or via replication configuration settings | Complete ETL engine from simple functions to very complex transformations | Limited for extraction, via user exits |
| Access to performance statistics | Support dashboard | Via Data Services own Management Console or through the integration with SAP Solution Manager | Via Monitoring details Tr: RSMO and via Table View: M_Extractors in SAP HANA studio |
| Access to trouble shooting feature | Yes | Via Data Services own Management Console or through the integration with SAP Solution Manager | Yes, via Monitoring details Tr: RSMO, via Table View: M_Extractors in SAP HANA studio, and alerts which can be set in statistics server configuration |

(1) SAP Data Services will need a fixed code page for each run. In order to process MDMP, the same job will need
to get executed multiple times, each time with a different code page and with a WHERE clause on the language
key. This would only be manageable for a limited number of code pages.


www.sap.com/contactsap

2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software
vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered
trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System ads, System i5, System
p, System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/
390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,
PowerVM, Power Architecture, POWER6+, POWER6, POWER5+,
POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter,
System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF,
Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,
WebSphere, Netfinity, Tivoli and Informix are trademarks or
registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and
other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either
trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks
of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered
trademarks of W3C, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc.,
used under license for technology invented and implemented by
Netscape.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge,
ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. All other product and
service names mentioned are the trademarks of their respective
companies. Data contained in this document serves informational
purposes only. National product specifications may vary.
These materials are subject to change without notice. These
materials are provided by SAP AG and its affiliated companies
("SAP Group") for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only
warranties for SAP Group products and services are those that are
set forth in the express warranty statements accompanying such
products and services, if any. Nothing herein should be construed as
constituting an additional warranty.