13 Certificate Management and Encryption
Protecting the data transmitted to and from SAP HANA, as well as the data stored in SAP HANA, is vitally important. In this chapter, we’ll discuss SAP HANA’s offerings for stronger security: communication encryption and data-level encryption to prevent unauthorized access to the system and its data.
In addition to authorization and authentication, you’ll also need encryption to protect your SAP HANA systems. Encryption starts with the management of Secure Sockets Layer (SSL) certificates. You then must enable communication encryption between clients and the SAP HANA system. Finally, you must also encrypt the persistent storage volumes that contain a copy of the in-memory data. In this chapter, we’ll discuss these encryption stages. Using and enabling encryption is an excellent way to protect data within SAP HANA.
13.1 SSL Certificates
X.509 is the standard for the public key infrastructure (PKI) implemented to manage digital certificates for the purposes of verification, encryption, and in some cases authentication. SAP HANA supports the use of X.509 certificates for securing both internal and external communication protocols.
In general, we refer to communication protocol security as Transport Layer Security (TLS) or, historically, Secure Sockets Layer (SSL). You’ll often hear both referred to as SSL protocols. The goal of SSL protocols within SAP HANA is to secure the communication channel between a client and the SAP HANA platform. Client communications occur via Java Database Connectivity (JDBC), Open Database Connectivity (ODBC), or Hypertext Transfer Protocol (HTTP) within the SAP HANA platform.
When these communication channels are encrypted with SSL certificates, the individual TCP/IP application layer packets can’t be intercepted and deciphered easily. For example, if you’re using the SAP HANA cockpit’s SAP HANA database explorer to execute queries and return datasets, then enabling SSL in your registered system connection properties will ensure that the datasets are transmitted in an encrypted format. They’re then decrypted by the SAP HANA database explorer, allowing them to be read by users.
When SAP HANA is deployed, some of the client communication certificates are configured during the installation, which allows items such as HTTPS communication and JDBC/ODBC to support encryption out of the box. In SAP HANA, some X.509 certificates can be stored either in the database itself or within the file system of the operating system managing the SAP HANA instance. In Section 13.1.1, we’ll review the list of certificates that can be managed within the SAP HANA database. In Section 13.1.2, we’ll review the list of certificates that can be managed in the file system.
13.1.1 In-Database Certificate Management
SAP HANA allows X.509 certificates to be stored within the database itself, which means that certificate administrators don’t need access to the operating system (OS) or filesystem hosting the SAP HANA instance. Certificate information can be directly imported into the SAP HANA system using the SQL console and specific SQL commands. Once imported, certificates are assigned to a certificate collection, also called an internal personal security environment (PSE). The internal PSE is a secure location within an SAP HANA database where both public and private key certificates are stored. The PSE can also contain trusted public key certificates and trusted root certificates.
Certificates can be used within SAP HANA for the purposes of both authentication and secure communication with TLS. Figure 13.1 shows the mechanisms and purposes of certificates stored within the internal SAP HANA database.
For the purposes of authentication, SAP HANA can store certificates used for Security Assertion Markup Language (SAML), SAP assertion tickets, and X.509 certificates. To secure client communications at the TLS layer, SAP HANA system replication packets and client communication protocols can be encrypted. Client protocols such as ODBC and JDBC, including all SAP HANA administration tool communications, can all be encrypted using TLS security.
In-database certificate management is accomplished using SQL commands or, in some cases, the SAP HANA cockpit. Commands can be categorized into four groups: commands for adding certificates to the system, commands for managing the certificate collection, commands for managing certificates in the PSE, and commands for defining the purpose of the certificate.
Figure 13.1 Items Supported in Internal Database Certificate Collections
Adding a Certificate to the In-Database Store
To add a certificate to the in-database certificate store, use the CREATE CERTIFICATE FROM SQL command. To execute this statement, grantees will need the CERTIFICATE ADMIN system privilege. The SQL statement shown in Listing 13.1 illustrates importing a certificate.
CREATE CERTIFICATE FROM
'-----BEGIN CERTIFICATE-----
ERGJKjCCAz6gAwIDGDddtJHdfDFVmGMA0666*GSIb3DQEBBQUAMHkx89SDFGfV
cvdfSFGydfgDGGjgh5$5DSFghghdsdfs4%^SDfsdgfdgsdf++dffYTFTDFDSd
2FFgtDSFSDFdsfds==
-----END CERTIFICATE-----'
COMMENT 'E-Corp Certificate CA Client Communications';
Listing 13.1 SQL Code to Add a Certificate to the SAP HANA Database Store
To drop a certificate that hasn’t already been added to a certificate collection, use the DROP CERTIFICATE SQL statement. For example, execute the following SQL statement to drop the certificate with the certificate ID of 123454:
DROP CERTIFICATE 123454;
You can query the system view to determine the certificate ID of a previously imported certificate. The following SQL statement will return all certificates currently imported into the system:
SELECT * FROM SYS.CERTIFICATES;
In addition to using SQL, you can also use the SAP HANA cockpit to manage certificates. You can locate the link to the management interface under the Security Related Links tile and the Manage Certificates link. Once you have access to the Certificate Store management interface, you’ll see a list of previously imported certificates starting with the Issued To column. Click on an individual certificate to view further details, view the raw PEM format of the certificate, or delete the certificate. You can also delete the certificate using the x within a circle icon located on the right side of the certificate list.
You can import certificates using the Import link on the right side located just above the certificate list. Once you click the import link, the Import Trusted Certificate window will appear, as shown in Figure 13.2. Certificates can be imported directly using the Import from file section. The selected file must be in a PEM format and be local to your browser’s operating system. Alternatively, you can also paste the raw certificate text, in PEM format, within the Paste content section. Add a custom comment to add additional details describing the certificate.
Figure 13.2 Importing Certificates Using the SAP HANA Cockpit
Next, we’ll need to assign the certificate to a certificate collection.
Creating/Deleting a Certificate Collection or PSE
Certificates must be associated with a PSE, so you’ll need to create one before you can assign the purpose of the certificate. To create a PSE, execute the CREATE PSE SQL command. To execute this SQL command, the grantee must have the TRUST ADMIN system privilege. The following statements provide the general syntax and an example:
CREATE PSE <PSE_NAME>;
CREATE PSE "BI_SSO_SAM_CERT";
To view a list of certificates by PSE, you can query the PSE_CERTIFICATES system view. For example, to view all the certificate collections or PSEs within an SAP HANA system, use the following SQL query:
SELECT * FROM PSE_CERTIFICATES;
To view a list of PSEs defined in the system, execute the following SQL statement:
SELECT * FROM PSES;
To delete a PSE, use the following SQL command; the first line provides the syntax and the second an example:
DROP PSE <PSE_NAME>;
DROP PSE "BI_SSO_SAM_CERT";
In addition to using SQL, you can also use the SAP HANA cockpit to manage certificate collections. You can locate the link to the management interface under the Security Related Links tile and the Manage Certificate Collections link. The Certificate Collections window will appear, as shown in Figure 13.3. On the left side of the window is a pane with a list of previously defined certificate collections. Click on each listed certificate collection to view details related to it on the right, including a list of associated certificates within the collection and other details like the certificate collection’s purpose. We’ll revisit the interface in more detail in the next section where we’ll demonstrate how to add certificates to the collection and also set the certificate purpose using the SAP HANA cockpit.
Figure 13.3 SAP HANA Cockpit Certificate Collection Interface
Next, you’ll need to assign a certificate to the PSE.
Managing Certificates within the PSE
You can use SQL commands to add and remove certificates from a PSE or certificate collection. To add a certificate to the PSE, use the ALTER PSE SQL command. To alter the PSE, you must be the owner of the PSE. Alternatively, the grantee must have the ALTER object privilege on the certificate collection or PSE. For example, the following SQL will grant access to a PSE:
GRANT ALTER ON PSE "BI_SSO_SAM_CERT" TO SECURITY_ADMINS;
To add an existing certificate to the PSE, use the following SQL statement:
ALTER PSE <PSE> ADD CERTIFICATE <CERTIFICATE ID>;
In the example, replace the <PSE> variable with the name of your PSE and the <CERTIFICATE ID> variable with the ID of the certificate that was previously imported into the SAP HANA system.
To remove a certificate from a PSE, use the following SQL command:
ALTER PSE <PSE> DROP CERTIFICATE <CERTIFICATE ID>;
In the example, replace the <PSE> variable with the name of your PSE. Replace the <CERTIFICATE ID> variable with the ID of the certificate associated with the PSE.
In addition to using SQL, you can also use the SAP HANA cockpit to add or remove certificates from a certificate collection. You can locate the link to the management interface under the Security Related Links tile and the Manage Certificate collections link. Within the interface, select an existing certificate collection to view details and associated certificates within the collection, as shown in Figure 13.4.
Figure 13.4 Adding Certificates to a Collection Using the SAP HANA Cockpit
To add a certificate, locate the Add Certificate button just above the certificate list. The Select Certificate window will appear, where you can search for and then select an existing certificate within the SAP HANA database. Figure 13.4 shows where an existing certificate was added to the none collection. To delete the certificate from the collection, click the x within a circle icon located on the right side of the listed certificate. The Set Own Certificate button will allow you to directly import a new certificate into the database while also adding it to the collection at the same time.
Next, you’ll need to define the purpose of the PSE.
Defining the Purpose of the PSE
The final step in in-database certificate management is to define the purpose of the PSE and its certificates. The purpose of the PSE indicates how it will be used, and the purpose name you provide is meaningful to specific use cases within the database. For example, the purpose LDAP tells the database that the certificate is used to trust a configured LDAP provider and to communicate with it over TLS. You can use in-database PSEs for the purposes of authentication or TLS secure communications. For example, if you’re using the PSE for SSO with SAML, you must define the purpose of the PSE as SAML. The system allows the purposes listed in Table 13.1 to be assigned.
Purpose | Use |
---|---|
SAML | If the PSE is used for SAML SSO authentication |
SAP LOGON | If the PSE is used for SAP assertion ticket authentication |
X509 | If the PSE is used for X.509 certificate-based authentication |
SSL/TLS | If the PSE is used to secure communications with JDBC, ODBC, or SAP HANA administration tool connections |
DATABASE REPLICATION | If the PSE is used to secure the network data packets communicated during system replication |
JWT | If the PSE is used for JSON web token authentication |
LDAP | If the PSE is used for the purpose of securing communication with a trusted LDAP server via TLS |
Table 13.1 Supported PSE Purposes for In-Database Certificate Management
There are two possible system privileges that a grantee must have when assigning the purpose of a PSE. First, if the PSE purpose is related to authentication, the grantee must have access to the PSE and the USER ADMIN system privilege. Second, if the PSE purpose is related to client communications or system replication, the grantee must have access to the PSE and the SSL ADMIN system privilege.
If a grantee doesn’t have access to the PSE or isn’t the owner of the PSE, the REFERENCES object privileges must be assigned to the grantee. For example, the following SQL command will grant REFERENCES to the CERT_ADMINS role:
GRANT REFERENCES ON PSE "BI_SSO_SAM_CERT" TO CERT_ADMINS;
To define the purpose of the PSE, execute the SET PSE SQL command, as follows:
SET PSE <PSE Name> PURPOSE <Purpose>;
SET PSE "BI_SSO_SAM_CERT" PURPOSE SAML;
In the first example, replace the <PSE Name> variable with the name of the PSE. Replace the <Purpose> variable with one of the purposes listed in Table 13.1.
To remove the purpose, use the UNSET PSE SQL command. For example, to remove the SAML purpose from PSE BI_SSO_SAM_CERT, execute the following SQL command:
UNSET PSE "BI_SSO_SAM_CERT" PURPOSE SAML;
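The four steps above, run end to end and followed by the checks an administrator would want afterward. This is an added example, not a listing from the book. The PEM body is a placeholder, certificate ID 123454 is the page's sample ID standing in for the ID your system assigns, the 30-day window is arbitrary, and the column names (CERTIFICATE_ID, SUBJECT_COMMON_NAME, VALID_UNTIL, PSE_NAME, NAME, PURPOSE) are assumptions to confirm against the system views of your SAP HANA release.

```sql
-- Added example (not from the book). Column names are assumed; verify them
-- with SELECT * on each view before relying on these queries.

-- Step 1: import the certificate (grantee needs CERTIFICATE ADMIN).
CREATE CERTIFICATE FROM
'-----BEGIN CERTIFICATE-----
<placeholder: paste the Base64 body of the real PEM certificate here>
-----END CERTIFICATE-----'
COMMENT 'E-Corp Certificate CA Client Communications';

-- Find the ID the system assigned; use it in place of 123454 below.
SELECT CERTIFICATE_ID, SUBJECT_COMMON_NAME, VALID_UNTIL
  FROM SYS.CERTIFICATES;

-- Step 2: create the collection (grantee needs TRUST ADMIN).
CREATE PSE "BI_SSO_SAM_CERT";

-- Step 3: add the certificate (PSE owner, or ALTER on the PSE).
ALTER PSE "BI_SSO_SAM_CERT" ADD CERTIFICATE 123454;

-- Step 4: set the purpose. SAML is an authentication purpose, so the
-- grantee needs USER ADMIN plus ownership of, or REFERENCES on, the PSE.
SET PSE "BI_SSO_SAM_CERT" PURPOSE SAML;

-- Check 1: confirm the collection, its purpose, and its certificates.
SELECT p.NAME, p.PURPOSE, pc.CERTIFICATE_ID,
       pc.SUBJECT_COMMON_NAME, pc.VALID_UNTIL
  FROM PSES p
  LEFT JOIN PSE_CERTIFICATES pc ON pc.PSE_NAME = p.NAME
 WHERE p.NAME = 'BI_SSO_SAM_CERT';

-- Check 2: certificates in any collection that expire within 30 days.
-- An expired certificate in a SAML or SSL/TLS collection breaks logons
-- or connections, so review this list on a schedule.
SELECT pc.PSE_NAME, p.PURPOSE, pc.CERTIFICATE_ID,
       pc.SUBJECT_COMMON_NAME, pc.VALID_UNTIL
  FROM PSE_CERTIFICATES pc
  JOIN PSES p ON p.NAME = pc.PSE_NAME
 WHERE pc.VALID_UNTIL < ADD_DAYS(CURRENT_TIMESTAMP, 30)
 ORDER BY pc.VALID_UNTIL;

-- Check 3: imported certificates that belong to no collection. These are
-- the only ones DROP CERTIFICATE can remove without first altering a PSE.
SELECT c.CERTIFICATE_ID, c.SUBJECT_COMMON_NAME, c.VALID_UNTIL
  FROM SYS.CERTIFICATES c
 WHERE NOT EXISTS (SELECT 1
                     FROM PSE_CERTIFICATES pc
                    WHERE pc.CERTIFICATE_ID = c.CERTIFICATE_ID);

-- Check 4: collections that contain no certificates at all.
SELECT p.NAME, p.PURPOSE
  FROM PSES p
 WHERE NOT EXISTS (SELECT 1
                     FROM PSE_CERTIFICATES pc
                    WHERE pc.PSE_NAME = p.NAME);
```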
In addition to using SQL, you can also use the SAP HANA cockpit to set the purposes of a certificate collection. You can locate the link to the management interface under the Security Related Links tile and the Manage Certificate collections link. Within the interface, select an existing certificate collection to view details and associated certificates within the collection. Just above the list of associated certificates is the Edit Purpose link. Once you click the link, the Edit Purpose window will appear, with a dropdown list of existing certificate purposes defined in the database, as shown in Figure 13.5. Choose the correct purposes from the list or set it to NONE if the purpose is not known. Click the Save button within the popup window to activate the purpose.
Figure 13.5 Editing the Certificate Collection Purpose Using the SAP HANA Cockpit
The internal certificate store doesn’t include all possible certificates. Let’s look at how you can also use files within the OS to store certificates.
13.1.2 External SAP HANA PSE File and Certificate Management
Certificates can also be stored and managed within files located in the file system of the SAP HANA instance. By default, they’re stored in the following path:
/hana/shared/<SID>/HDB<instance number>/<host name>/sec
The <SID> variable must be replaced with the SID of the SAP HANA system. A two-digit instance number should replace the <instance number> variable. The <host name> variable represents the configured host name of the SAP HANA system. The following example shows the path for an example SAP HANA system with a SID of PJ5, instance of 25, and host name of w4-hana-05:
/hana/shared/PJ5/HDB25/w4-hana-05/sec
Within this path, you’ll find several files with a .pse extension, for example, the sapsrv.pse, saplogon.pse, sapsslc.pse, sapssls.pse, sap_system_pki_instance.pse, sapsrv_internal.pse, and sapsrv_internal_*.pse files. Each file has an intended purpose and is used to store the public and private certificate keys for either authentication or TLS secure communication. Figure 13.6 shows an overview of these files and how they relate to a given purpose.
Figure 13.6 Items Supported with External PSE Files
Items in the Authentication section are related to supported external authentication providers. Items in the Transport Security Layer (TLS/SSL) section are related to client communication protocols, the web application SSL protocols in the SAP HANA extended application services, classic model engine (XS engine), and internal server communication protocols. In Section 13.1.1, we identified several supported purposes for in-database managed certificates. Some of those same purposes can also be implemented using the PSE files on the file system. However, the PSE files in the file system are the only items in which internal server communication encryption and HTTP communication encryption can be configured.
There are two main ways to configure the PSE files. First, you can use the SAPGENPSE tool. This command-line interface tool can be used to manage SAP HANA PSE files. Second, you can use the web-based SAP Web Dispatcher administration graphical user interface (GUI) hosted in the XS engine. Most users will find managing PSE files via the SAP Web Dispatcher much easier than the SAPGENPSE tool. Thus, in this chapter, we’ll only explore the options available in the SAP Web Dispatcher.
To access the SAP Web Dispatcher administration GUI, a grantee must have the role sap.hana.xs.wdisp.admin::WebDispatcherAdmin. Use the following URL with your host and instance details added to access this web-based GUI:
http://<SAP_HANA_XS_HOST>:80<Instance #>/sap/hana/xs/wdisp/admin/
With the variables unique to our hypothetical environment filled in, this URL could look like the following example:
http://w4-db4-hana19.e-corp.root.internal.com:8000/sap/hana/xs/wdisp/admin
When accessing SAP Web Dispatcher, you’ll need to authenticate using a mechanism set up within your environment. In most environments, you’re presented with a logon form in which you’ll enter an SAP HANA internal user name and password. The landing page will default to the SAP Web Dispatcher Monitor, as shown in Figure 13.7.
Figure 13.7 SAP Web Dispatcher Monitor
On the left, you’ll see the Menu contains several hierarchically oriented options. Look for the PSE Management option just under the SSL and Trust Configuration menu list item. Figure 13.8 shows an example of the interface that will appear when you click PSE Management.
Figure 13.8 PSE Management Area in SAP Web Dispatcher
In the interface, use the Manage PSE dropdown list, located on the top left, to the right of the Menu pane, to select the PSE file that you want to manage. With the PSE file selected, you can perform several actions, as listed in Table 13.2.
Interface Option | Description |
---|---|
Recreate PSE | When selected, the active PSE file will be reset to a default state. All certificates will also be removed from the trust store. |
Delete PSE | To delete a PSE from the file system, select the PSE file in the Manage PSE dropdown list, then select this option. |
Create New PSE | When selected, a new window will appear, allowing you to define the PSE encryption algorithm, key length, distinguished name, and file name. |
Export Own | When selected, a new window will appear containing the certificate of the selected PSE file. |
Create CA Request | When selected, a new window will appear containing the certificate request text. Copy this text to a certificate authority (CA) to generate a new certificate response. |
Import | When selected, a new window will appear containing a text entry block in which the certificate response text can be pasted or entered. |
Import Certificate | When selected, a new window will appear containing a text entry block in which a trusted certificate’s text can be pasted or entered. |
Table 13.2 SAP Web Dispatcher PSE Management Options
Configuring and Managing Certificates
The processes and workflows required to configure certificates for authentication and secure communications seem to change with each new version of SAP HANA. Thus, you should always consult the documentation for your version of SAP HANA. In most cases, you’ll find the configuration steps in the SAP HANA 2.0 SPS 04 Administration Guide, available at http://s-prs.co/v498216.
The SAP HANA 2.0 SPS 04 Security Guide also provides a few additional details about the configuration process and is available at http://s-prs.co/v498217.
Using the SAP Web Dispatcher administration GUI will greatly simplify the process of managing PSE files and their certificates. You could argue that using the in-database PSE management options when applicable is best. However, some features, such as HTTP SSL and internal server encryption, must still be managed in the PSE files found on the file system. In the next section, we’ll explore the options available for enabling encryption for clients connecting to SAP HANA.