SAP Knowledge Base Article - Preview

3557353 - How to create ENCRYPTION ROOT KEYS for Tenant DB using SQL statement

Symptom

While doing Tenant DB Backup, you face error like "backup could not be completed. Failed to check consistency during readContent: Inconsistent SSFS!"

And from indexserver trace, you will see below information:
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx w Crypto           RootKeyStoreConsistencyChecker.cpp(00188) : SSFS with type/current version Persistence/0 is inconsistent (no keys could be found)
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx w Crypto           RootKeyStoreConsistencyChecker.cpp(00188) : SSFS with type/current version DPAPI/0 is inconsistent (no keys could be found)
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx e Crypto           EncryptionCallbackImpl.cpp(00383) : Failed to retrieve PERSISTENCE root key: exception  1: no.301103  (Crypto/RootKeyManager/RootKeyManagerSsfs.cpp:364) TID: 51777
    exception 301103: RawRootKeyStoreReader::read: SSFS-4218: Record with key "HDB_SERVER/<NUM>/PERSISTENCE" not found in secure storage <-- SSFS-4215: Data file "/usr/sap/<SID>/SYS/global/hdb/security/ssfs/SSFS_<SID>.DAT" exists, but does not contain the requested entry
exception throw location:
 1: 0x00007fb3f2e385f5 in Crypto::RootKeyManagerSsfs::getKeyDocForEncryption(Crypto::SecureStore::RootKeyAccess::SsfsKeyType) const [clone .cold]+0xe1 at RootKeyManagerSsfs.cpp:364 (libhdbbasement.so)
 2: 0x00007fb3f25c34c1 in Crypto::RootKeyManagerSsfs::getKeyForEncryptionMetadata(Crypto::SecureStore::RootKeyAccess::SsfsKeyType) const+0x30 at RootKeyManagerSsfs.cpp:342 (libhdbbasement.so)
 ...
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx e PersistenceEncry EncryptionManagerImpl.cpp(01871) : Failed to update root key metadata: exception  1: no.301101  (Crypto/Services/PersistenceEncryption/EncryptionCallbackImpl.cpp:384) TID: 51777
    Failed to retrieve PERSISTENCE root key
exception throw location:
 1: 0x00007fb3f09d16b2 in DAEncryption::EncryptionManagerImpl::checkAndUpdateIsLatestRootKeyWithCurrent()+0x1a0 at EncryptionManagerImpl.cpp:1847 (libhdbdataaccess.so)
 2: 0x00007fb3f0c46c47 in DataAccess::SavepointImpl::finishSavepoint(DataAccess::SavepointState&)+0x10e3 at SavepointImpl.cpp:2909 (libhdbdataaccess.so)
 ...
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx w Crypto           RootKeyStoreConsistencyChecker.cpp(00188) : SSFS with type/current version Persistence/0 is inconsistent (no keys could be found)
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx w Crypto           RootKeyStoreConsistencyChecker.cpp(00188) : SSFS with type/current version DPAPI/0 is inconsistent (no keys could be found)
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx e Crypto           RootKeyStoreConsistencyChecker.cpp(00088) : SSFS inconsistent: PERSISTENCE DPAPI

And when you execute "select * from sys_databases.encryption_root_keys;" & "select * from sys_databases.m_securestore;" on the issued Tenant DB, the result shows empty, there are no root keys for the issued one.

OR

You just want to change or regenerate new root keys.

This KBA will guide you step by step on how to create new root keys for Tenant DB.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."


Read more...

Environment

  • SAP HANA Platform Edition 1.0
  • SAP HANA Platform Edition 2.0

Product

SAP HANA 1.0, platform edition ; SAP HANA, platform edition 2.0

Keywords

HANA DB, tenant database, backup, PERSISTENCE root key, error, trace files, encryption, root keys, SYSTEMDB , KBA , HAN-DB-SEC , SAP HANA Security & User Management , HAN-DB-BAC , SAP HANA Backup & Recovery , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.