Configure SAP HANA 2.0, express edition Security

0 %

Configure SAP HANA 2.0, express edition Security

Details

// Explore More Tutorials

Configure SAP HANA 2.0, express edition Security

John Currie

11/26/2018

Beginner

5 min.

Your SAP HANA, express edition installation has several preconfigured security settings. Before using SAP HANA, express edition, complete these security tasks.

You will learn

How to perform security tasks to ensure that your security settings are not known outside your organization

Step 1: The SAP HANA, express-edition license

Installing SAP HANA 2.0, express edition installs a permanent 32 GB license automatically. No license configuration is required.

Step 2: Change the SSFS Master Keys and Root Keys

Every user who downloads SAP HANA, express edition receives the same default encryption settings. Use the change_key.sh utility to change encryption automatically.

Important: SAP recommends you run change_key.sh immediately after installation to ensure your security settings are not known outside your organization.

The change_key.sh utility:

Changes the secure stores in the file system (SSFS) master keys. The script re-encrypts the master key of the instance SSFS and re-encrypts the system PKI SSFS with a new key.
Changes the encryption root keys. The script generates new keys, backs them up, and activates them.

Step 3: Run the script

Follow this procedure to run the script:

At the command prompt, type:

/usr/sap/HXE/home/bin/change_key.sh

Step 4: Input details

The script prompts you for:

Prompt	Description
HANA Instance Number	Enter the default (90).
System user password	You specified this password when you were prompted for HANA database master password.
Root key backup password	Enter a strong password. The root key backup password is required to securely back up the root keys and subsequently restore the backed-up root keys during data recovery. For information on root key backup, see Root Key Backup.
Root key directory	A directory to store the root key backup password securely. Choose a non-temporary directory. For example `/usr/sap/HXE/HDB90`.

Step 5: Enter Y when prompted

Enter Y when prompted. The script runs. Wait for the hxehost:hxeadm> prompt to return (approximately 30 seconds).

New data will now be encrypted with the new keys.

Step 6: Deactivate the SYSTEM user

SYSTEM is the database superuser and is not intended for day-to-day activities in production systems. For better security, you can create other database users with only the privileges that they require for their tasks (for example, user administration), then deactivate the SYSTEM user.

Step 7: Log in as the hxeadmS user

In a terminal, log in as the hxeadm user:

sudo su -l hxeadm

Step 8: Create a new admin user

View Full Instructions

Create a new admin user with the USER ADMIN system privilege:

/usr/sap/HXE/HDB90/exe/hdbsql -i 90 -d SystemDB -u SYSTEM -p "<SYSTEM-password>" "CREATE USER <admin-username> PASSWORD <admin-password> NO FORCE_FIRST_PASSWORD_CHANGE;"

/usr/sap/HXE/HDB90/exe/hdbsql -i 90 -d SystemDB -u SYSTEM -p "<SYSTEM-password>" "GRANT USER ADMIN TO <admin-username> WITH ADMIN OPTION;"

Step 9: Deactivate the SYSTEM user

View Full Instructions

Use the new admin user to deactivate the SYSTEM user:

/usr/sap/HXE/HDB90/exe/hdbsql -i 90 -d SystemDB -u <admin-username> -p "<admin-password>" "ALTER USER SYSTEM DEACTIVATE USER NOW;"

Next Steps

Prerequisites

Start Using SAP HANA 2.0, express edition

Navigate tutorial steps

Step 1: The SAP HANA, express-edition license
Step 2: Change the SSFS Master Keys and Root Keys
Step 3: Run the script
Step 4: Input details
Step 5: Enter Y when prompted
Step 6: Deactivate the SYSTEM user
Step 7: Log in as the hxeadmS user
Step 8: Create a new admin user
Step 9: Deactivate the SYSTEM user
Back to Top

QR Code

Configure SAP HANA 2.0, express edition Security

Configure SAP HANA 2.0, express edition Security

You will learn

Next Steps

Prerequisites

Call me now