My manager came up with an interesting topic about database encryption. To be honest, it's not something I was worried about until this morning, but given the fact that everyone and everything is now moving to the public cloud, security is playing an ever more important role for enterprise business applications.
With the SAP HANA database, there are options to run the database on premise and in the cloud. There is no doubt that the HANA database can run a client's most critical SAP business processes, which makes it an attractive target for hackers and competitors to exploit.
Although the SAP documentation is very clear on the steps required to enable HANA Data Volume Encryption, this post is to share my understanding of and experience with the process.
SAP HANA makes use of a cryptographic service provider [CommonCryptoLib (default) or OpenSSL] for all encryption services. Once the data volume encryption feature is enabled on a HANA system, all pages on disk are encrypted using the AES-256-CBC algorithm. Pages are transparently decrypted by the load process in memory, and when changes to data are persisted on disk, the write operation automatically encrypts the relevant pages on disk.
https://www.linkedin.com/pulse/saphanaenablingdatavolumeencryptionjitendrasingh1
2/5/2017 SAP HANA: Enabling Data Volume Encryption | Jitendra Singh | Pulse | LinkedIn
Pages are encrypted and decrypted using 256-bit page encryption keys. The data volume encryption root key is stored using the secure storage in the file system (SSFS); root keys are encrypted using the SSFS master key. SSFS is implemented by SAP HANA to protect the root encryption keys, which in turn are used to protect all other encryption keys.
The cryptographic service provider [CommonCryptoLib (default) or OpenSSL] is used by SAP HANA for all encryption services.
The SAP HANA installer (HDBLCM) does not enable Data Volume encryption as part of the installation process, so it is highly recommended to enable Data Volume encryption immediately after system installation.
By default, HANA Data Volume encryption is not enabled.
Standard SAP admin tools are available to update the data volume encryption status of a HANA system.
Data Volume Encryption status can be reviewed from the Security console of SAP HANA Studio under the Data Volume Encryption tab.
Select the "Data Volume Encryption" tab to check the status of encryption.
SAP HANA Cockpit is accessed through the URL
https://<FQDNHostName>:<HTTPSPort>/sap/hana/admin/cockpit
The SAP HANA Security Overview shows the status of Data Volume Encryption.
HANA comes with a system view to monitor the encryption status (M_PERSISTENCE_ENCRYPTION_STATUS). Open the HANA SQL Console and execute the command:
SELECT * FROM M_PERSISTENCE_ENCRYPTION_STATUS
Encryption of the Data Volume can be enabled during a new system installation and on an existing/running system.
If you are installing a new SAP HANA database, you can activate data volume encryption immediately after system installation.
The problem arises when the SAP HANA system is actively used by end users and the application team, with minimum room for downtime. Depending upon your system status and the client's view on downtime, there are two ways to plan Data Volume encryption on a running HANA system.
4.2.1 OPTION #1: Re-install SAP HANA
This is the recommended method to enable data volume encryption for a running SAP system.
Pros: SAP recommended way
Cons: Longer system downtime
Steps:
4.2.1.a. Run a HANA DB backup
4.2.1.b. Uninstall the system [overwrite the former data area with random values where possible to avoid a security risk]
4.2.1.c. Re-install the system [configure system replication before enabling data volume encryption, if applicable to your landscape]
4.2.1.d. Enable data volume encryption
4.2.1.e. Recover the DB using the latest backup [from step 4.2.1.a].
4.2.2 OPTION #2: Enable Data Volume Encryption on a running SAP HANA
It is not always possible to convince clients to allow longer downtime, even though security is high on their agenda (the client might refuse longer downtime to avoid revenue loss). In such a case, Data Volume Encryption can still be activated on the running system.
Pros: No service downtime
Cons: Only pages in use will be encrypted immediately; the rest of the data will be fully protected after a delay.
Steps: please refer to point 3 [mentioned below]
The steps below need to be carried out immediately after a new installation to enable data volume encryption, or at any time on a running system where downtime is not possible.
4.3.1 SAP Cryptographic Library (CommonCryptoLib) is used by the system
Ensure the SAP Cryptographic Library (CommonCryptoLib) is configured and used by the system; this can be checked from SAP HANA Cockpit.
4.3.2 Backup master key
The SAP process might create a backup during the activation of encryption, but it's always better to back up the key than to be sorry post-activation.
Check the parameter ssfs_key_file_path = <path to key file> [the default path of the key file is $DIR_GLOBAL/hdb/security/ssfs].
Where possible, snapshot the VM as the backup.
4.3.3 Data Volume Encryption can be activated using different HANA tools
4.3.3.a The Security editor of the SAP HANA Studio
Data Volume Encryption can be activated from the Security console of SAP HANA Studio under the Data Volume Encryption tab.
Select Encrypt data volumes
Hit Deploy to start the encryption process
Click refresh to check the status
Or
4.3.3.b The SAP HANA Cockpit
Access SAP HANA Cockpit through the URL
https://<FQDNHostName>:<HTTPSPort>/sap/hana/admin/cockpit
Go to SAP HANA Security Overview,
Select Data Storage Security
Hit Encrypt Data Volumes to initiate the encryption process; it will start encryption with the pages in use.
Select OK to confirm
To check the status, refresh the page
Or
4.3.3.c The SAP HANA SQL Console
Use the system management statement ALTER SYSTEM PERSISTENCE ENCRYPTION.
Specify ON for encryption to be enabled. When you switch on encryption, a random encryption key is prepared and an asynchronous background task is started that encrypts all disk data with this key.
ALTER SYSTEM PERSISTENCE ENCRYPTION ON
Click Deploy
To check the status, execute
SELECT * FROM M_PERSISTENCE_ENCRYPTION_STATUS
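The following shell script is an added example, not code from the article or from SAP. It wraps the two steps around the ALTER SYSTEM statement that are easiest to skip under time pressure: backing up the SSFS key store before activation (section 4.3.2) and evaluating the rows of M_PERSISTENCE_ENCRYPTION_STATUS afterwards, so that "every volume is encrypted" is a scripted check rather than something read by eye while the asynchronous background task runs. Assumptions: the SSFS directory is the default path the article gives ($DIR_GLOBAL/hdb/security/ssfs); the status query result is fed in as CSV with a header line (hdbsql's output-format flags vary by version, so the rows are read from stdin); the per-volume activation column is assumed to be named IS_ENCRYPTION_ACTIVE with values TRUE/FALSE (compare with the header your own system returns); and a hdbuserstore key exists for the hdbsql call that issues the statement. The sample rows at the end are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the article or from SAP). Helpers around the
# activation steps: back up the SSFS key store first, activate, then check
# M_PERSISTENCE_ENCRYPTION_STATUS until every volume reports active.

# Section 4.3.2: archive the SSFS key store directory before touching
# encryption. $1 = SSFS directory (the article's default path), $2 = where to
# put the archive. Prints the archive path; the archive is owner-readable only.
backup_ssfs() {
    ssfs_dir="$1"
    backup_dir="$2"
    [ -d "$ssfs_dir" ] || { echo "SSFS directory not found: $ssfs_dir" >&2; return 1; }
    mkdir -p "$backup_dir"
    archive="$backup_dir/ssfs-$(date +%Y%m%d-%H%M%S).tar"
    tar -cf "$archive" -C "$(dirname "$ssfs_dir")" "$(basename "$ssfs_dir")" || return 1
    chmod 600 "$archive"
    echo "$archive"
}

# Section 4.3.3.c: issue the statement from the article. $1 = hdbuserstore key
# (assumption: hdbsql is on PATH and the key has the rights for ALTER SYSTEM).
activate_encryption() {
    command -v hdbsql >/dev/null 2>&1 || { echo "hdbsql not on PATH" >&2; return 1; }
    hdbsql -U "$1" "ALTER SYSTEM PERSISTENCE ENCRYPTION ON"
}

# Evaluate the status rows (CSV with a header line on stdin). Returns 0 when
# every row has IS_ENCRYPTION_ACTIVE = TRUE, 1 when a volume is still pending
# (each one is listed on stderr), 2 when the assumed column is missing.
all_volumes_encrypted() {
    awk -F, '
        NR == 1 {
            for (i = 1; i <= NF; i++) if ($i == "IS_ENCRYPTION_ACTIVE") col = i
            if (!col) { bad = 1; exit }
            next
        }
        NF == 0 { next }
        $col != "TRUE" { pending++; print "not yet encrypted: " $0 > "/dev/stderr" }
        END {
            if (bad) { print "column IS_ENCRYPTION_ACTIVE not found" > "/dev/stderr"; exit 2 }
            if (pending > 0) exit 1
            exit 0
        }
    '
}

# Constructed sample rows (not from a real system) in the assumed CSV layout:
# the background task has finished volume 1 but not yet volume 2.
sample_status_pending() {
    printf 'HOST,PORT,VOLUME_ID,IS_ENCRYPTION_ACTIVE\n'
    printf 'hana01,30003,1,TRUE\n'
    printf 'hana01,30007,2,FALSE\n'
}

# Same layout once the asynchronous encryption task has completed.
sample_status_done() {
    printf 'HOST,PORT,VOLUME_ID,IS_ENCRYPTION_ACTIVE\n'
    printf 'hana01,30003,1,TRUE\n'
    printf 'hana01,30007,2,TRUE\n'
}

# Usage against a live system (not run here; MYKEY is a placeholder):
#   backup_ssfs "$DIR_GLOBAL/hdb/security/ssfs" /root/ssfs-backup
#   activate_encryption MYKEY
#   hdbsql -U MYKEY "SELECT * FROM M_PERSISTENCE_ENCRYPTION_STATUS", converted to
#   CSV (see hdbsql's own help for its output options), piped into
#   all_volumes_encrypted; repeat until it returns 0.
```

The status check returns a distinct exit code when the expected column is absent, so a schema difference between HANA versions fails loudly instead of being reported as "all encrypted". Because the article's Option #2 only encrypts pages in use immediately, the check is meant to be re-run until it returns 0, and the trace directory named below is where to look when it does not.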
The best practice is to encrypt as much of the data as possible to reduce security risk.
Review the trace files to capture any error; the trace files are located at
/usr/sap/<SID>/HDB<nn>/<hostname>/trace
The duration depends on the size of the database and the active operations on the system; for me, it took ~1 hour to encrypt a whole HANA database of size 64 GB with 8 cores.
Yes, we can decrypt the data volume using HANA tools without system downtime.
Hit "Decrypt Data Volumes"
Only Data Volumes are encrypted with this feature.
The Data Volume Encryption feature only encrypts the HANA Data Volume and not database backups, redo logs & database trace files.
7.1. Database backup files
Database backup files are not encrypted, but data in storage snapshots is encrypted. SAP certified third-party solutions that integrate with Backint for SAP HANA can be implemented to achieve encryption of database backup files [e.g. SEP sesam].
7.2. Database redo log files
Encryption of the log volume is not covered by the feature, and encryption at the file system level is recommended to secure log files should that be required [e.g. the YaST tool of SUSE].
7.3. Database traces
Trace files under /usr/sap/<SID>/HDB<nn>/<hostname>/trace are not encrypted with Data Volume encryption. Only increase the trace level during analysis; the trace level must be at the default level at all other times to avoid exposing critical information via the trace files at OS level. With SUSE, the YaST tool can be used to encrypt the file system & files at OS level.
Jitendra Singh
SAP HANA & Netweaver Consultant

Comment by Jitendra Singh (SAP HANA & Netweaver Consultant), 4 months ago:
Hello Vishal,
The encryption only exists at the Operating System in persistence layer [on disk] but not when data is available in memory