SAP Knowledge Base Article - Preview

3480723 - Information on mandatory Security Parameters & Hardening requirements for SAP HANA databases in SAP Enterprise Cloud Services (ECS)

Symptom

This document provides information on the standard security parameters and configuration settings for SAP HANA systems in SAP Enterprise Cloud Services.

As per the SAP Global Security Policy, implementing a compliant account and password policy is the MINIMUM and MUST requirement for securing HANA systems in Enterprise Cloud Services.


Reason and Prerequisites

Mandatory Security Parameters & Hardening requirements for SAP HANA databases in SAP Enterprise Cloud Services (ECS)

Please note that the list below shows all security-compliant settings for ECS-managed systems (including CDC), premium suppliers and RISE partners, based on security hardening requirements and best practices. All of these parameters and configuration settings are implemented as part of ECS HANA system builds.

It is mandatory for all ECS customers to adhere to the parameters and configuration settings below in all AS HANA systems. The security parameters must be set at DATABASE level.

In case of questions, please contact your ECS Client Delivery Manager (CDM) / Technical Service Manager (TSM) / Cloud Architecture & Advisory (CAA) / digital Customer Engagement Manager (dCEM).

The information given in this note is subject to change based on security hardening requirements.

Solution

Minimal password hardening requirements that must be configured on all HANA systems without exception

Parameter Name | ECS Standard Value | Allowed Range | Description

force_first_password_change | true | NA | Forces change of administrator-given passwords: if set to true, a user is forced to change their administrator-given password before being allowed to work any further.

last_used_passwords | 15 | >= 15 (not 0) | Number of recently used passwords that a user is not allowed to re-use: the configured number of last used passwords is stored for each user, and a user is not allowed to re-use any password from this list.

maximum_invalid_connect_attempts | 6 | <= 6 (not 0) | Maximum number of invalid connect attempts before the user is locked: after maximum_invalid_connect_attempts subsequent invalid connect attempts, the user is locked for password_lock_time minutes.

maximum_unused_initial_password_lifetime | 7 | <= 7 (not 0) | Number of days an unused user-given password stays valid: if users did not connect using the password they changed for themselves within this number of days, the password becomes invalid and users have to ask for a new one.

maximum_password_lifetime | 90 | <= 90 (not 0) | Number of days a password stays valid: after the configured number of days a password becomes invalid. The user is able to connect, but is forced to change the password before being allowed to work any further.

minimal_password_length | 15 | >= 15 | Minimal number of characters a password has to consist of: a new or changed password has to consist of at least minimal_password_length characters. Existing passwords stay valid even after this value is increased.

password_layout | A1a or A1! or 1a! or Aa! | Must contain characters from at least 3 of the 4 categories: uppercase letter, lowercase letter, numeric, non-alphanumeric symbols (? ! #) | Describes the kind(s) of character the password has to consist of: with the parameter password_layout it can be specified which of the 4 classes of characters (upper-case ASCII, lower-case ASCII, digits, special characters) and how many characters of each class have to be part of the password. Note: special characters like "! , - . _ etc." can be adjusted only on customer request.

password_lock_time | -1 | NA | Number of minutes the user is locked after too many invalid connect attempts: after the configured number of invalid connect attempts the user is not able to connect for password_lock_time minutes. If -1 is specified, the user is locked forever.

password_lock_for_system_user | true | NA | Forces locking even for the SYSTEM user after too many invalid connect attempts: if set to true, even user SYSTEM will be locked for password_lock_time if more than maximum_invalid_connect_attempts subsequent invalid attempts have been made.

detailed_error_on_connect | false | NA | Forces detailed info about the reason of an authentication failure: if set to true, different error codes and additional info are provided for the reason of a failed connect attempt. By default it is set to false to avoid exposing info about existing users (for example, whether they are locked or deactivated).

maximum_unused_productive_password_lifetime | 90 | <= 90 (not 0) | Number of days an unused user-given password stays valid: if users did not connect using the password they changed for themselves within this number of days, the password becomes invalid and users have to ask for a new one.

NOTE: It MUST be ensured that non-technical accounts have updated their password and that the password is not set to 'never expire'.
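The table above can be turned into an automated compliance check. The following is an added example, not code from the SAP Note or from ECS: it evaluates a set of password-policy values (passed as strings, as they would be read from the ini file's password policy section or from the M_PASSWORD_POLICY view) against the ECS standard values and allowed ranges, including the "3 of 4 character classes" rule for password_layout; the sample policies are constructed.

```python
# Added example (not from the SAP KBA): checks HANA password policy values
# against the ECS minimum hardening table above. Values are passed as strings,
# as they would be read from the [password policy] ini section or M_PASSWORD_POLICY.

def _layout_classes(layout):
    """Distinct character classes a password_layout value demands:
    A = upper-case, a = lower-case, 1 = digit, anything else = special."""
    kind = lambda c: "U" if c.isupper() else "l" if c.islower() else "d" if c.isdigit() else "s"
    return len({kind(c) for c in layout})

# (parameter, predicate on the string value, human-readable expectation)
ECS_RULES = [
    ("force_first_password_change", lambda v: v.lower() == "true", "true"),
    ("last_used_passwords", lambda v: int(v) >= 15, ">= 15 (not 0)"),
    ("maximum_invalid_connect_attempts", lambda v: 1 <= int(v) <= 6, "<= 6 (not 0)"),
    ("maximum_unused_initial_password_lifetime", lambda v: 1 <= int(v) <= 7, "<= 7 (not 0)"),
    ("maximum_password_lifetime", lambda v: 1 <= int(v) <= 90, "<= 90 (not 0)"),
    ("minimal_password_length", lambda v: int(v) >= 15, ">= 15"),
    ("password_layout", lambda v: _layout_classes(v) >= 3, "at least 3 of 4 character classes"),
    ("password_lock_time", lambda v: int(v) == -1, "-1 (lock forever)"),
    ("password_lock_for_system_user", lambda v: v.lower() == "true", "true"),
    ("detailed_error_on_connect", lambda v: v.lower() == "false", "false"),
    ("maximum_unused_productive_password_lifetime", lambda v: 1 <= int(v) <= 90, "<= 90 (not 0)"),
]

def check_password_policy(params):
    """Return one finding per non-compliant or missing parameter; [] means compliant."""
    findings = []
    for name, ok, expected in ECS_RULES:
        value = params.get(name)
        try:
            compliant = value is not None and ok(str(value).strip())
        except ValueError:            # non-numeric value where a number is required
            compliant = False
        if not compliant:
            findings.append(f"{name}: {value!r} does not meet ECS standard (expected {expected})")
    return findings

# Constructed samples: a compliant policy and one with two deviations.
ECS_COMPLIANT = dict(zip([r[0] for r in ECS_RULES],
                         ["true", "15", "6", "7", "90", "15", "A1a!", "-1", "true", "false", "90"]))
SAMPLE_POLICY = dict(ECS_COMPLIANT, last_used_passwords="5", password_layout="A1")
```

Running check_password_policy(SAMPLE_POLICY) reports the two deviations; a missing parameter is reported as a finding rather than silently treated as compliant.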

HANA Security Configuration list (Mandatory)

Secure configuration settings

HANA Auditing

The auditing state must be enabled on both SYSTEMDB and tenant databases.
The audit trail must be configured to SYSLOGPROTOCOL.

SYSLOG

The syslog is a secure storage location for the audit trail because not even the database administrator can access or change it. There are also numerous storage possibilities for the syslog, including storing it on other systems. In addition, the syslog is the default log daemon in UNIX systems. The syslog therefore provides a high degree of flexibility and security, as well as integration into a larger system landscape. For data protection and privacy the SAP HANA audit log uses the authpriv facility with the prefix HDB.

By default, the following actions are audited (actions audited by the default audit policy):

  • Creation, modification, or deletion of audit policies
  • Deletion of audit entries from the audit trail (applies only when the audit trail is an internal database table)
  • Changes to auditing and authentication configuration:
      • Enabling or disabling auditing
      • Changing the audit trail target
      • Changing the location of the audit trail target if it is a CSV text file
      • Changing the maximum length of a statement that is audited completely
      • Changing enabled authentication methods

Audit Log Retention

201 days

Additional policies can be requested.

Customer-requested policies SHOULD BE named "CUST Audit - <Policy Name>".

An audit policy with audited action ALL must not be configured or enabled in any case; this is a non-standard configuration.

Capturing DML (Data Manipulation Language) operations has multiple downsides that need to be evaluated, and an agreement must be made between SAP and the customer.

NOTE: At the bottom of this SAP Note you will find the ECS_StandardAuditPolicies.pdf file, which contains the standard audit policies.

HANA Data/Volume Encryption

Data-at-Rest Encryption

To protect data saved to disk from unauthorized access at operating system level, the SAP HANA database supports data encryption in the persistence layer for the following types of data:

Data volumes
Redo log volumes
Data and log backups (HANA backups are encrypted at long term storage)

Starting with SPS07 SAP HANA by default has persistence encryption enabled during installation, which is also the ECS standard.

Data volume encryption

All pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm. Pages are transparently decrypted as part of the load process into memory. Therefore, when pages reside in memory they are not encrypted and there is no performance overhead for in-memory page accesses. When changes to data are persisted to disk, the relevant pages are automatically encrypted as part of the write operation.

Page keys are valid for a certain range of savepoints and can be changed by executing SQL statements. After data volume encryption has been enabled, an initial page key is automatically generated. Page keys are never readable in plain text, but are encrypted themselves using a dedicated data volume encryption root key.

Redo log encryption

Log entries are encrypted using the AES-256-CBC algorithm before they are written to disk. Log entries are encrypted and decrypted using a 256-bit root key.

NOTE

In a system-replication configuration, enable (or disable) encryption in the primary system only. The setting will be propagated to all secondary systems. The secondary systems must be running and replicating.

TLS protocol

global.ini

[communication]
sslminprotocolversion = TLS12   (for revisions < SPS 06; not required for higher versions, as the default value is already correct)
tcp_backlog = 2048              (for revisions <= 053; not required for higher versions, as the default value is already correct)
ssl = systempki                 (lower case for revisions SPS >= 04)

[ldap]
sslminprotocolversion = TLS12   (for revisions < SPS 06; not required for higher versions, as the default value is already correct)

Validate the following details:

  • Parameters must be set at SYSTEMDB level, not at tenant level.
  • If parameters are already set at tenant level, they need to be removed.
  • For revisions < SPS 06, sslminprotocolversion needs to be TLS12 (UPPER CASE).
  • For revisions >= SPS 06, sslminprotocolversion needs to be unset, as tls12 (lower case) is already the default value.

TLS/SSL

Internal database communication is secured with the same mechanism used for securing other internal SAP HANA communication channels. Once high isolation has been configured, authenticated communication within databases is enabled without any change required to the default TLS/SSL configuration for internal communication. However, encryption of data communication may need to be configured explicitly.

System Replication

global.ini

[communication]
ssl = systemPKI

[system_replication_communication]
enable_ssl = on
listeninterface = .global   (expected value: .internal)
    Single node: .local
    Multi node:  .internal
    For the value '.internal', the interfaces must be listed in [internal_hostname_resolution].

The following communication channels will be secured between primary and secondary systems:

  • Metadata channel used to transmit metadata (for example, topology information) between the sites
  • Data channel used to transmit data between the sites

Communication

global.ini

[communication]
sslCreateSelfSignedCertificate = true    (ECS default)
                                 false   (only if requested)

sslminprotocolversion = TLS12   (UPPER CASE) for revisions < SPS 06
                        tls12   (lower case) for revisions >= SPS 06 *

* For new builds on SPS06 and beyond, the default is tls12 and does not need to be explicitly set again.
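The revision-dependent rules from the TLS protocol, System Replication and Communication sections above are easy to get wrong by hand. The following is an added example, not code from the SAP Note or from ECS: it parses a global.ini text with Python's configparser and reports deviations for [communication], [ldap] and [system_replication_communication]. It assumes the HANA revision is taken from the third field of the version string (2.00.059 is revision 59) and that SPS06 starts at revision 60; the sample ini is constructed.

```python
import configparser

def revision(version):
    """HANA version string to revision number: '2.00.059.00' -> 59 (assumes SPS06 starts at 60)."""
    return int(version.split(".")[2])

def check_global_ini(ini_text, version, multi_node=False):
    """Return findings for the TLS / replication settings; an empty list means compliant."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    rev = revision(version)
    get = lambda sec, key: cfg.get(sec, key, fallback=None)   # None when section/key is absent
    findings = []

    ssl = get("communication", "ssl")
    if ssl is None or ssl.lower() != "systempki" or (rev >= 40 and ssl != "systempki"):
        findings.append("[communication] ssl must be systempki (lower case for SPS >= 04)")

    for sec in ("communication", "ldap"):
        minver = get(sec, "sslminprotocolversion")
        if rev < 60 and minver != "TLS12":
            findings.append(f"[{sec}] sslminprotocolversion must be TLS12 (upper case) for SPS < 06")
        elif rev >= 60 and minver is not None:
            findings.append(f"[{sec}] sslminprotocolversion should be unset for SPS >= 06 (default tls12)")

    if rev <= 53 and get("communication", "tcp_backlog") != "2048":
        findings.append("[communication] tcp_backlog must be 2048 for revisions <= 053")

    if get("system_replication_communication", "enable_ssl") != "on":
        findings.append("[system_replication_communication] enable_ssl must be on")
    want = ".internal" if multi_node else ".local"
    if get("system_replication_communication", "listeninterface") != want:
        findings.append(f"[system_replication_communication] listeninterface must be {want}")
    if multi_node and not cfg.has_section("internal_hostname_resolution"):
        findings.append("[internal_hostname_resolution] must list the internal interfaces")
    return findings

# Constructed sample global.ini with two deviations (no [ldap] entry, wrong listeninterface).
SAMPLE_INI = """\
[communication]
ssl = systempki
sslminprotocolversion = TLS12

[system_replication_communication]
enable_ssl = on
listeninterface = .global
"""
```

Note that the same file passes or fails depending on the revision passed in: on an SPS05 system the missing [ldap] setting is a finding, on SPS06 and later the explicit sslminprotocolversion itself is flagged because it should be left unset.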



Product

SAP HANA, platform edition 2.0

Keywords

GTAGMCD_DB_HANA, ECS, HANA, RISE, Compliance, Security, Audits, Password, Communication, Encryption, Database, Parameter, Protocol, SSL, TLS, Auditing, SYSLOG, KBA, XX-HEC-OPS, Hana Enterprise Cloud Operations, How To
