Security
(Delta from SPS 06 to SPS 07)
SAP HANA Product Management
November, 2013
Agenda
Authentication
User/role management
Authorization
Encryption
Audit logging
Documentation
© 2013 SAP AG. All rights reserved.
Public
Authentication
What’s New in SAP HANA SPS 07: Security
SPNEGO support for SAP HANA XS
SPNEGO (Kerberos with Simple and Protected GSSAPI Negotiation Mechanism) is now available as an authentication option for SAP HANA XS
Configuration
1. In Microsoft Active Directory, for each host and alias register new service principal names and map them to the (potentially already existing) SAP HANA service user
2. On the SAP HANA server, add the keys for the new service principal names to the keytab
3. In SAP HANA, configure the Kerberos user mapping for the user
Note: If the user mapping has already been set up for Kerberos authentication for SQL access, you do not have to change anything here
4. Using the SAP HANA XS Administration Tool (http://<host>:80<sysno>/sap/hana/xs/admin/), select SPNEGO as authentication method for the user
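A check for steps 1 and 2, added here as an example and not taken from the original slides or from SAP tooling: it parses `klist -k` output for the keytab and reports, for each host and alias, whether a matching service principal key is present. Assumptions: the principals have the form HTTP/<name>@<REALM> (the service class used for SPNEGO over HTTP), the listing is in MIT Kerberos `klist -k` format, and all host names and the realm are constructed sample values.

```python
import re

# Constructed sample of `klist -k` output (MIT Kerberos format); not from the slides.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 hdb/hana01.example.com@EXAMPLE.COM
   3 HTTP/hana01.example.com@EXAMPLE.COM
   2 http/hana-alias.example.com@EXAMPLE.COM
"""

# A keytab entry line: key version number, then service/host@REALM.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+/\S+@\S+)")


def keytab_principals(klist_output):
    """Return the set of principals listed by `klist -k`."""
    found = set()
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:
            found.add(m.group(2))
    return found


def check_spnego_keytab(klist_output, names, realm, service="HTTP"):
    """Classify each host/alias as 'ok', 'case_mismatch' or 'missing'.

    Assumption: the expected principal is <service>/<name>@<realm>.
    An entry that differs only in letter case is flagged for review
    instead of being counted as present.
    """
    present = keytab_principals(klist_output)
    lowered = {p.lower() for p in present}
    result = {}
    for name in names:
        spn = f"{service}/{name}@{realm}"
        if spn in present:
            result[name] = "ok"
        elif spn.lower() in lowered:
            result[name] = "case_mismatch"
        else:
            result[name] = "missing"
    return result


if __name__ == "__main__":
    hosts = ["hana01.example.com", "hana-alias.example.com", "hana02.example.com"]
    for name, status in check_spnego_keytab(SAMPLE_KLIST, hosts, "EXAMPLE.COM").items():
        print(f"{status:14} HTTP/{name}@EXAMPLE.COM")
```
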
SAP Logon Ticket and SAP Assertion Ticket support
SAP Logon Tickets and SAP Assertion Tickets are now supported for both SQL and XS access
Prerequisites
A separate trust store for SAP Logon and Assertion tickets has been configured
System privilege USER ADMIN
Configuration
1. In the Systems view in SAP HANA studio, choose Security
2. Create a new user by right-clicking on Users and choosing New User
3. Select the authentication method(s) and choose the (Deploy) button
Notes
Prior to SPS 07, SAP HANA implicitly selected both user name/password and SAP Logon Tickets as authentication methods for new users. Now you have to explicitly set authentication options for new users
To re-enable the old behavior for SAP Logon Tickets, a new configuration parameter has been introduced
(Indexserver.ini ->