17.6 Handover from Hardware Vendors
Under the SAP HANA appliance or Tailored Datacenter Integration (TDI) delivery models, SAP HANA is often deployed by a hardware vendor or certified individual. Because individuals outside your organization often deploy the SAP HANA system, several key user account passwords and encryption keys must be changed after the appliance has been handed over to your organization, such as the following:
- Operating system users
During the installation of SAP HANA, the operating system users root (sapadm) and <sid>adm are created. The <sid> portion of the <sid>adm account will be the three-character SAP System Identification (SID) chosen during the installation. For example, if the instance SID is HDB, then the operating system user will be named hdbadm. More than one SID can exist on an SAP HANA operating system, and each SID will have a dedicated user account. Once the system has been handed over from the vendor, the password for each of these accounts should be changed. In addition, any additional vendor accounts created should be disabled or deleted from the system.
- Database accounts
During installation, the vendor must establish a password for the SYSTEM user account. Once handover is complete, the SYSTEM account password should be changed. As noted in Section 17.4, this account also should be disabled once the system is in full operation. If the vendor created any additional accounts, those accounts should also be disabled or dropped from the system.
- Encryption root keys
Hardware vendors often use a disk image when deploying SAP HANA. Because this image might be used at multiple client sites, all encryption root keys must be changed. Even if the vendor doesn’t use a disk image, they have access to copy the encryption root keys, and therefore, all encryption root keys should be changed.
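One way to verify the operating system users item after handover, as an added example that is not from the book: it reads `/etc/shadow`-format lines, flags root, sapadm and `<sid>adm` accounts whose password was last changed before the handover date, and lists any other account that still has a usable password for review. The sample lines, the account name `vendorinst` and the dates are constructed; reading the real `/etc/shadow` requires root.

```python
import re
from datetime import date

# Constructed sample in /etc/shadow format (name:hash:last_change_days:...).
# The third field is the last password change, in days since 1970-01-01.
SHADOW = """\
root:$6$salt$hash:19800:0:99999:7:::
sapadm:$6$salt$hash:19700:0:99999:7:::
hdbadm:$6$salt$hash:19805:0:99999:7:::
h02adm:$6$salt$hash:19700:0:99999:7:::
vendorinst:$6$salt$hash:19700:0:99999:7:::
nobody:!:19700::::::
"""

# <sid>adm: three-character SID in lower case followed by "adm" (e.g. hdbadm).
SID_ADM = re.compile(r"^[a-z][a-z0-9]{2}adm$")
NAMED_ACCOUNTS = {"root", "sapadm"}  # named on the page alongside <sid>adm


def audit(shadow_text, handover, approved=frozenset()):
    """Return accounts needing action after a handover on `handover`.

    approved: accounts your own organization created (assumption: these are
    managed elsewhere and are skipped here).
    """
    cutoff = (handover - date(1970, 1, 1)).days
    stale, review = [], []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, pw_hash, changed = line.split(":")[:3]
        if name in approved or pw_hash.startswith(("!", "*")):
            continue  # skipped: approved, or password login is locked
        if name in NAMED_ACCOUNTS or SID_ADM.match(name):
            # An empty change date is treated as "never changed since install".
            if not changed or int(changed) < cutoff:
                stale.append(name)
        else:
            review.append(name)  # unexpected account with a usable password
    return {"stale_password": sorted(stale), "review_account": sorted(review)}


if __name__ == "__main__":
    for finding, names in audit(SHADOW, date(2024, 3, 15)).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

A locked password does not rule out key-based logins, so accounts skipped as locked still warrant a check of their `authorized_keys` files.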