13.2 Client Encryption Settings
In this section, we’ll review the process for enabling TLS or SSL settings for SAP HANA Studio, the XS engine applications, and JDBC/ODBC clients. Your organization must understand how to configure these options to secure the communications or transmissions of data between clients and SAP HANA.
13.2.1 SAP HANA Studio
When configuring a system connection within SAP HANA Studio, several options are available for enabling SSL-based communication. Enabling SSL-based communication encryption is important when accessing SAP HANA over untrusted or unrestricted networks. For example, if you access a cloud-based SAP HANA instance from your desktop at home, the communication channel between your desktop and SAP HANA will likely traverse a number of network hops. Each hop introduces the possibility that someone or some organization is monitoring and capturing your TCP/IP packets. Without encryption, these packets could be reconstructed and the information within them exposed to unauthorized individuals. The same vulnerability can exist even on a private corporate network. Therefore, organizations should encrypt any communication that could potentially contain sensitive data.
To enable SSL encryption for an existing system connection within SAP HANA Studio, right-click the system listed in the Systems tab. The Properties window will appear, with three properties tabs on the right. The first tab, General, as shown in Figure 13.9, contains the Connect Using SSL checkbox. To force the connection to use SSL encryption, select this checkbox.
Figure 13.9 Configuring SAP HANA Studio Connection for SSL Communication
If you’re using a self-signed certificate or a certificate not trusted in the SAP HANA Studio keystore, select the Additional Properties tab to configure a few additional options. On this tab, deselect the Validate the SSL Certificate checkbox to ignore certificate issues, as shown in Figure 13.10.
SAP HANA systems are deployed with self-signed certificates usable for TLS communications. However, these certificates won’t be trusted by clients such as SAP HANA Studio. Untrusted or self-signed certificates can still provide encrypted communications, however. If SAP HANA Studio cannot validate a certificate, your organization can still rely on the certificate to encrypt communications between client and server, and SAP HANA Studio does provide an option to ignore issues with such certificates.
Figure 13.10 Configuring SAP HANA Studio Connection to Ignore Untrusted SSL Certificate Issues
Click OK to enable the new SSL settings. Your system, listed in the Systems tab, should now display an icon with a closed yellow padlock on the right, indicating that the connection between the client and server is encrypted.
In the next section, we’ll review the steps required to secure communications with web-based applications hosted in the XS engine.
13.2.2 XS Engine Web-Based Applications
By default, SSL access to web-based SAP HANA XS applications is configured during installation using a self-signed certificate. You also have the option of deploying a new certificate from a public trusted certificate authority. The default SSL listening port for web-based SAP HANA XS applications is 43XX, where XX represents the two-digit SAP HANA instance number. Although available by default, SSL access isn’t mandatory for SAP HANA XS engine applications.
To properly secure an SAP HANA XS engine web-based application, the use of SSL should be enforced. This enforcement is enabled on a per-package basis. Repository packages in SAP HANA have a direct relationship to the website folder structure. Therefore, you can enforce SSL access by subweb or website folder structure.
To force SSL, you must access the web-based SAP HANA XS artifact administration application, hosted in the SAP HANA XS engine for each SAP HANA instance. To access this administration portal, use the following URL with your details included; the second URL provides a complete example:
- http://<hana host>:80<instance number>/sap/hana/xs/admin
- http://w4-db-hana.e-corp.internal.net:8000/sap/hana/xs/admin/
The landing page, shown in Figure 13.11, will start with the Application Objects pane on the left. The Runtime Configuration Details for each selected application object are located on the right.
Figure 13.11 SAP HANA XS Artifact Administration Landing Page
To edit a package, select the package hierarchy level within the Application Objects pane. In the Runtime Configuration Details pane on the right, click the large Edit button at the bottom of the page to open the package configuration options. Within the Security & Authentication section, select the Force SSL checkbox, as shown in Figure 13.12.
Figure 13.12 Forcing SSL Access
Selecting this checkbox will force the package or corresponding website tree structure to use SSL encryption. Click the Save button at the bottom of the window to activate the new configuration options. Once this option is enabled, users will have no choice but to interact with the web-based application using encryption.
13.2.3 JDBC and ODBC Drivers
JDBC and ODBC are industry-standard application programming interfaces (APIs) used by software applications to interact with SAP HANA. These APIs are included with the SAP HANA client application. The SAP HANA client is application code that contains multiple industry-standard programming interfaces that can be used to access SAP HANA. For example, some organizations use these APIs to grant their software applications query access to the data hosted in SAP HANA. Because the communications between the client application and SAP HANA have the potential to contain sensitive data, these communication channels should be encrypted.
When configuring an ODBC data source name (DSN) on the Windows OS, you’ll find options for configuring an SSL-based connection. Just like in SAP HANA Studio, you can choose to bypass the validation of the SSL certificate.
For example, on a Windows OS with the SAP HANA client installed, you can use the ODBC Data Source Administrator to configure an SAP HANA ODBC DSN. Search for the ODBC manager within the Windows Start menu. With the ODBC manager open, select the System DSN tab. Click Add to set up a new DSN. In the popup window, scroll through the list of data source drivers installed on your system. Look for the driver named HDBODBC32 or HDBODBC (depending on the version of the DSN you’re configuring). Select the driver and click Finish. A new window will appear, allowing you to define the Data Source Name and the SAP HANA Server and Port. To configure SSL, click the Settings button at the bottom right. The SAP HDB Advanced Setup window will now appear, as shown in Figure 13.13.
Figure 13.13 Configuring Windows ODBC DSN for SSL Communications
To enable SSL communications, select the Connect using SSL checkbox. If you’re using an SSL certificate that isn’t automatically trusted, leave the Validate the SSL certificate checkbox deselected. If you need to override the common name of the host listed in the SSL certificate, enter the alternative host name in the Override the Hostname in the Certificate field. Click OK to save the advanced settings and then click OK again to save the DSN.
Most JDBC connection strings will provide similar options. JDBC drivers can’t be used in the Windows ODBC manager. Most Java-based applications will provide their own SAP HANA JDBC connection configuration interfaces. Given its proprietary nature, we won’t provide a step-by-step configuration example for the JDBC driver, but note that the same SSL options available for ODBC drivers are also available for JDBC drivers. Application vendors have the API available, even if they choose not to incorporate SSL options into their configuration GUIs. For example, the code shown in Listing 13.2 was taken from the Java-based SAP HANA Studio trace file. In the connection string, you’ll see that the encrypt=true and validateCertificate=false options were listed in the trace file results.
new Connection 'jdbc:sap://w3-hanan01.e-corp.internal.root:30015;
10.54.240.31:30015'
locale=en_US
user=SYSTEM
password=***
reconnect=true
timeout=0
encrypt=true
validateCertificate=false
Listing 13.2 SAP HANA Studio Trace File Showing a Secure JDBC Connection to SAP HANA
Enabling SSL communications for the JDBC or ODBC connection layers is a good practice that ensures that the information exchanged between the client and server is well protected from unauthorized access. However, configuring this setting is optional unless the SAP HANA system itself requires an SSL connection. Fortunately, SAP HANA offers an option to force clients to use an SSL-secured connection, found in the Configuration tab under the path global.ini • communication • sslenforce. Figure 13.14 shows an overview of this option in the SAP HANA cockpit INI configuration interface.
This option defaults to False, meaning that clients can choose how to configure the connection. When the option is set to True, clients must enable the Connect Using SSL option. Instead of using SAP HANA cockpit’s INI file editor, you can also issue the following SQL statement to enable the option:
ALTER SYSTEM ALTER CONFIGURATION
('global.ini','SYSTEM')
SET ('communication','sslenforce') ='true' WITH RECONFIGURE;
Figure 13.14 Communication Setting for global.ini to Force SSL Client Connections
To disable the option, issue the following SQL statement:
ALTER SYSTEM ALTER CONFIGURATION
('global.ini','SYSTEM')
SET ('communication','sslenforce') ='false' WITH RECONFIGURE;
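The trace entry in Listing 13.2 and the sslenforce setting above describe the two halves of the same control: what the client asks for (encrypt, validateCertificate) and what the server demands. The following audit script is an added example, not code from the book or from SAP. It parses key=value lines from trace entries shaped like Listing 13.2 and rates each connection against a given sslenforce value, separating "encrypted" from "encrypted and server identity verified". The property names encrypt and validateCertificate come from the listing; the trace excerpts, host names and outcome codes are constructed for the example.

```python
"""Audit SAP HANA client connection properties against the server's
sslenforce setting.

Added example, not code from the book or from SAP. It reads the key=value
lines of an SAP HANA Studio trace entry shaped like Listing 13.2 (property
names encrypt and validateCertificate come from that listing) and rates each
connection against the global.ini communication/sslenforce value.
The trace excerpts below are constructed; host names are placeholders.
"""
import re

# Constructed trace entries in the shape of Listing 13.2.
SAMPLE_TRACES = {
    # SAP HANA Studio with "Connect Using SSL" on and "Validate the SSL
    # Certificate" off, i.e. the self-signed-certificate setup from 13.2.1.
    "studio_self_signed": (
        "new Connection 'jdbc:sap://hana-host.example.internal:30015;\n"
        "10.0.0.1:30015'\n"
        "locale=en_US\nuser=SYSTEM\npassword=***\nreconnect=true\n"
        "timeout=0\nencrypt=true\nvalidateCertificate=false"
    ),
    # Client that never enabled SSL at all.
    "plaintext_client": (
        "new Connection 'jdbc:sap://hana-host.example.internal:30015'\n"
        "user=REPORTING\npassword=***\nencrypt=false\nvalidateCertificate=true"
    ),
    # Client using a CA-issued certificate with validation left on.
    "validated_client": (
        "new Connection 'jdbc:sap://hana-host.example.internal:30015'\n"
        "user=APPUSER\npassword=***\nencrypt=true\nvalidateCertificate=true"
    ),
}

# Outcome codes returned by assess() (constructed for this example).
REJECTED = "REJECTED"                            # sslenforce=true refuses this client
PLAINTEXT = "PLAINTEXT"                          # accepted, but nothing is encrypted
ENCRYPTED_UNVALIDATED = "ENCRYPTED_UNVALIDATED"  # TLS on, server identity not checked
ENCRYPTED_UNVERIFIED = "ENCRYPTED_UNVERIFIED"    # TLS on, validation setting not stated
SECURE = "SECURE"                                # TLS on and certificate validated

_URL_RE = re.compile(r"'(jdbc:sap://[^']*)'")


def parse_trace(text: str) -> dict:
    """Extract the JDBC URL and the key=value properties from one trace entry."""
    props = {}
    match = _URL_RE.search(text)
    if match:
        # The URL may wrap across lines in the trace (as in Listing 13.2).
        props["url"] = match.group(1).replace("\n", "")
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("new Connection") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _is_true(value) -> bool:
    return value is not None and value.strip().lower() == "true"


def assess(props: dict, sslenforce: bool) -> str:
    """Rate one connection's transport security for a given sslenforce setting."""
    if not _is_true(props.get("encrypt")):
        # global.ini communication/sslenforce=true makes the server refuse
        # clients that do not use SSL; otherwise the data simply goes in clear.
        return REJECTED if sslenforce else PLAINTEXT
    validate = props.get("validateCertificate")
    if validate is None:
        return ENCRYPTED_UNVERIFIED
    if not _is_true(validate):
        # Encrypted, but any host presenting any certificate is accepted, so a
        # man-in-the-middle could still terminate the session and read it.
        return ENCRYPTED_UNVALIDATED
    return SECURE


def audit(traces: dict, sslenforce: bool) -> dict:
    """Map each trace name to its assess() outcome."""
    return {name: assess(parse_trace(text), sslenforce)
            for name, text in traces.items()}


if __name__ == "__main__":
    for setting in (False, True):
        print(f"sslenforce={str(setting).lower()}")
        for name, outcome in audit(SAMPLE_TRACES, setting).items():
            print(f"  {name:22s} {outcome}")
```

Run against real trace files, the script makes the gap visible that a padlock icon hides: a Studio connection with validateCertificate=false is encrypted but will accept any certificate, so the practical next step after enabling sslenforce is to replace the self-signed certificate with a trusted one and switch validation back on.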
13.2.4 SAP HANA Cockpit
When registering systems in the SAP HANA cockpit, you can also choose to encrypt the communication. The option to use an encrypted connection is set in the Connection section when registering the system. A series of checkboxes is available under the message Use of encryption (TLS/SSL) through an imported trusted certificate. Let’s review each checkbox, as follows:
- Encrypt SAP Control connection
  This option forces the SAP HANA cockpit to communicate with the SAP control subsystem over SSL. Selecting this checkbox is good practice because the credentials communicated over this channel are those of an operating system user.
- Encrypt the database connection
  This option forces the SAP HANA cockpit to communicate with the database over SSL. Again, database-level credentials are communicated over this channel, and encrypting that communication helps avoid man-in-the-middle attacks.
- Validate the certificate
  Deselect this checkbox if you’re using the default installation certificate or a self-signed SSL certificate. Only select this option if the installed certificate is from a trusted certificate authority that the SAP HANA extended application services, advanced model engine (XSA engine), has been configured to trust. Otherwise, the connection will fail.
- Override hostname in certificate
  Select this checkbox when using a trusted certificate whose common name differs from the fully qualified SAP HANA server host name used in the connection definition. This mismatch sometimes occurs when DNS aliases are used for SAP HANA database connections. Enter the certificate’s common name in the text box, because the SAP HANA cockpit will otherwise assume that the host name defined in the connection is the one in the certificate.
SAP HANA offers several options for managing certificates and encrypting communications between clients and the SAP HANA server. In the next section, we’ll review how to use encryption to secure SAP HANA persistent storage layers.