
How to Secure Communication within SAP HANA Prepared by Debajit Banerjee

How to secure communication between SAP HANA Server and HANA Studio?

By configuring OpenSSL between SAP HANA Server and HANA Studio, we can secure the communication between them.
Before moving to the SSL configuration, let's have a look at the SAP HANA security architecture.

SAP HANA – Secure communication and encryption


• Communication encryption – SSL
• Encryption at rest – On the roadmap HANA

SAP HANA – Authorization Framework


• System privileges – for administrative actions
• SQL privileges – access to data and operations on database objects
• Analytical privileges – for runtime access; row-level access based on dimensions of the respective view (analytical, calculation, attribute)
• Repository privileges – access to the repository (modeling) at design time

It also takes care of user and role management: roles are used to bundle and structure privileges, privileges or roles can be assigned to users, and privileges control what users can do.

SAP HANA – Authentication and Single Sign-on


• User name and password – password policy
• Kerberos authentication – including delegation
• SAML authentication – bearer token

The logging framework is mainly used for audit logging, and HANA Studio is used for general security administration purposes.

http://debajitb.wix.com/debajitbanerjee | http://debajitb.wix.com/debajitbanerjee/apps/blog 1

So, from the above, it is clear that SSL configuration for SAP HANA is one of the basic necessities before moving on to other HANA security topics, e.g., SSO configuration.

How to configure SSL for SAP HANA?


Secure Sockets Layer (SSL) is a commonly used protocol for securing message transmission on the Internet. SAP HANA Server runs on SLES 11 SP1 or SP2, and people generally access the server from desktops or laptops running Linux or Windows. Administrators, modelers/developers and the security team access SAP HANA Server through SAP HANA Studio. SAP HANA supports the use of either the SAPCrypto libraries or OpenSSL to secure communication. Here I will discuss OpenSSL.
First, check whether SSL has already been configured for your SAP HANA Server.

When you connect to SAP HANA Server, tick the “Connect Using SSL” option.
If SSL is not configured, it will throw the error below:


Now here are the steps to configure SSL for SAP HANA –

A.) Activities at SAP HANA Server end


Step 1. As user ‘root’, check for the existence of libssl.so; if the file does not exist, create a symbolic link to libssl.so.0.9.8

Step 2. Create “root Certificate” using <sid>adm user


Step 3. Create the “Server Certificate” using <sid>adm user


Step 4. Signature of the Server Certificate

This activity will generate CA_Cert.srl and Server_Cert.pem files.

Step 5. Chain the Server Certificate

The structure of the Server Certificate looks like:


----- BEGIN CERTIFICATE -----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----- END CERTIFICATE -----
----- BEGIN RSA PRIVATE KEY ----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----- END RSA PRIVATE KEY ----
----- BEGIN CERTIFICATE -----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----- END CERTIFICATE -----


Step 6. Copy the Server Certificate to trust.pem

Step 7. Restart SAP HANA Server
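
A check for the files from Steps 5 and 6, as an added example that is not part of the original document: it reads the PEM block order of the chained file and confirms that the file handed to clients as trust.pem holds certificates only, since the chained file also carries the server's private key. The function names and the constructed sample blocks are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original document).
# pem_layout FILE: print the PEM block labels in file order, comma-separated;
# non-zero exit if a BEGIN/END pair is unbalanced or mismatched.
pem_layout() {
    awk '
        /^-+ ?BEGIN [A-Z0-9 ]+-+ *$/ {
            if (cur != "") bad = 1
            cur = $0; sub(/^-+ ?BEGIN /, "", cur); sub(/ ?-+ *$/, "", cur); next
        }
        /^-+ ?END [A-Z0-9 ]+-+ *$/ {
            lab = $0; sub(/^-+ ?END /, "", lab); sub(/ ?-+ *$/, "", lab)
            if (lab != cur) bad = 1
            out = out (out == "" ? "" : ",") lab; cur = ""; next
        }
        END { if (cur != "") bad = 1; print out; exit bad + 0 }
    ' "$1"
}

# True when every label in the comma-separated list is CERTIFICATE.
only_certs() {
    [ -n "$1" ] && ! printf '%s\n' "$1" | tr ',' '\n' | grep -qv '^CERTIFICATE$'
}

# Step 5 file: server certificate, its private key, then CA certificate(s).
check_chained() {
    layout=$(pem_layout "$1") || return 2
    case "$layout" in *,*,*) ;; *) return 1 ;; esac
    first=${layout%%,*}; rest=${layout#*,}
    key=${rest%%,*};     tail=${rest#*,}
    [ "$first" = CERTIFICATE ] || return 1
    case "$key" in *"PRIVATE KEY") ;; *) return 1 ;; esac
    only_certs "$tail"
}

# trust.pem is imported on clients: certificates only, never a private key.
check_trust() {
    layout=$(pem_layout "$1") || return 2
    only_certs "$layout"
}

# Constructed sample input: dummy PEM blocks for the given labels.
sample_pem() {
    for l in "$@"; do
        printf -- '-----BEGIN %s-----\nQUJDRA==\n-----END %s-----\n' "$l" "$l"
    done
}
```

Run `check_trust` on the file before it is copied to any client: exit status 1 means it contains something other than certificates, and 2 means a damaged PEM block.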


B-I) Activities at SAP HANA Client end (if Client is on Linux)

Step 1. Check JAVA Version and JAVA_HOME

Step 2. Import ‘trust.pem’ into the JAVA Keystore on the client

B-II) Activities at SAP HANA Client end (If Client is on Windows)

On a Windows box, use the Administrator account to perform the activities below:

From HANA Studio, one can figure out JAVA_HOME


Before executing the keytool command, it is better to check that the cacerts file exists.


C) SSL Enablement within SAP HANA Studio

Select the “Connect using SSL” option.

SAP HANA Studio will now communicate using SSL. The hover tooltip should now show SSL, and the system node icon should show a small lock.

Now I am trying with another user


So, it is working perfectly.


The above steps are required to configure and enable OpenSSL communication between SAP HANA Server and SAP HANA Studio.

===== End of Document ======
