Symptom
While doing Tenant DB Backup, you face error like "backup could not be completed. Failed to check consistency during readContent: Inconsistent SSFS!"
And from indexserver trace, you will see below information:
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx w Crypto RootKeyStoreConsistencyChecker.cpp(00188) : SSFS with type/current version Persistence/0 is inconsistent (no keys could be found)
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx w Crypto RootKeyStoreConsistencyChecker.cpp(00188) : SSFS with type/current version DPAPI/0 is inconsistent (no keys could be found)
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx e Crypto EncryptionCallbackImpl.cpp(00383) : Failed to retrieve PERSISTENCE root key: exception 1: no.301103 (Crypto/RootKeyManager/RootKeyManagerSsfs.cpp:364) TID: 51777
exception 301103: RawRootKeyStoreReader::read: SSFS-4218: Record with key "HDB_SERVER/<NUM>/PERSISTENCE" not found in secure storage <-- SSFS-4215: Data file "/usr/sap/<SID>/SYS/global/hdb/security/ssfs/SSFS_<SID>.DAT" exists, but does not contain the requested entry
exception throw location:
1: 0x00007fb3f2e385f5 in Crypto::RootKeyManagerSsfs::getKeyDocForEncryption(Crypto::SecureStore::RootKeyAccess::SsfsKeyType) const [clone .cold]+0xe1 at RootKeyManagerSsfs.cpp:364 (libhdbbasement.so)
2: 0x00007fb3f25c34c1 in Crypto::RootKeyManagerSsfs::getKeyForEncryptionMetadata(Crypto::SecureStore::RootKeyAccess::SsfsKeyType) const+0x30 at RootKeyManagerSsfs.cpp:342 (libhdbbasement.so)
...
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx e PersistenceEncry EncryptionManagerImpl.cpp(01871) : Failed to update root key metadata: exception 1: no.301101 (Crypto/Services/PersistenceEncryption/EncryptionCallbackImpl.cpp:384) TID: 51777
Failed to retrieve PERSISTENCE root key
exception throw location:
1: 0x00007fb3f09d16b2 in DAEncryption::EncryptionManagerImpl::checkAndUpdateIsLatestRootKeyWithCurrent()+0x1a0 at EncryptionManagerImpl.cpp:1847 (libhdbdataaccess.so)
2: 0x00007fb3f0c46c47 in DataAccess::SavepointImpl::finishSavepoint(DataAccess::SavepointState&)+0x10e3 at SavepointImpl.cpp:2909 (libhdbdataaccess.so)
...
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx w Crypto RootKeyStoreConsistencyChecker.cpp(00188) : SSFS with type/current version Persistence/0 is inconsistent (no keys could be found)
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx w Crypto RootKeyStoreConsistencyChecker.cpp(00188) : SSFS with type/current version DPAPI/0 is inconsistent (no keys could be found)
[xxxx]{-x}[xx/xx] xxxx-xx-xx xx:xx:xx.xxxxxx e Crypto RootKeyStoreConsistencyChecker.cpp(00088) : SSFS inconsistent: PERSISTENCE DPAPI
And when you execute "select * from sys_databases.encryption_root_keys;" & "select * from sys_databases.m_securestore;" on the issued Tenant DB, the result shows empty, there are no root keys for the issued one.
OR
You just want to change or regenerate new root keys.
This KBA will guide you step by step on how to create new root keys for Tenant DB.
"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."
Read more...
Environment
- SAP HANA Platform Edition 1.0
- SAP HANA Platform Edition 2.0
Product
Keywords
HANA DB, tenant database, backup, PERSISTENCE root key, error, trace files, encryption, root keys, SYSTEMDB , KBA , HAN-DB-SEC , SAP HANA Security & User Management , HAN-DB-BAC , SAP HANA Backup & Recovery , Problem
About this page
This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.