SAP HANA Developer Guide
This guide describes the complete application-development process for SAP HANA XS advanced, including aspects of application security, for example:
• Understanding user identity, authentication, and authorization
• Defining the authentication and authorization models
• Protecting applications from Web-based attacks
Open the SAP HANA Developer Guide
SAP HANA References
The following SAP HANA references contain essential information for administrators and developers with a security focus:
• SAP HANA SQL Reference Guide for SAP HANA Platform
• SAP HANA Data Anonymization Guide
• SAP HANA Client Interface Programming Reference
• SAP HANA Client-Side Data Encryption Guide
Note
The topics listed above for each guide are not intended to be exhaustive but representative.
Tip
For a high-level overview of all security capabilities in the SAP HANA platform, as well as links to security-related blog posts, videos, and white papers, visit http://sap.com/hanasecurity.
Document | Target Audiences | Content Type
--- | --- | ---
SAP HANA Security Guide | Technology consultants, security consultants, system administrators | Concept and overview
SAP HANA Security Checklists and Recommendations | System administrators | Reference
SAP HANA Administration Guide | System administrators | Concept and overview, task- and role-oriented
SAP HANA Administration with SAP HANA Cockpit | System administrators | Task- and role-oriented
SAP HANA Developer Guide for XS Advanced Model | Database developers, application programmers and client UI developers working in the SAP HANA XS advanced model using the SAP Web IDE for SAP HANA | Task- and role-oriented
SAP HANA SQL and System Views Reference | Technology consultants, security consultants, system administrators | Reference
SAP HANA Data Anonymization Guide | Developers | Reference, task- and role-oriented
SAP HANA Client-Side Data Encryption Guide | System administrators | Concept and overview, task- and role-oriented
SAP HANA Client Interface Programming Reference | Developers | Reference

Additional Documentation Resources
Further SAP HANA Guides
For more information about the SAP HANA landscape, including installation and administration, see SAP HANA Platform on SAP Help Portal.
Important SAP Notes
Important SAP Notes that apply to SAP HANA security are listed in the table below. In addition, SAP publishes information related to security corrections and improvements through SAP security notes. For more information about security notes, see the section on security patches.
Note
SAP supports that customers install additional tools on the SAP HANA appliance within defined boundaries. It is the responsibility of the customer to ensure that the network channels used by those tools are appropriately protected. For detailed information, see the SAP Notes listed below. For SAP HANA deployments that use the SAP HANA tailored data center integration model, the regulations are less restrictive compared to the appliance delivery model. The listed SAP Notes can give guidance on the options available for securing SAP HANA.
SAP Note | Title
--- | ---
2280220 | SAP HANA 2.0, Central Note
1730928 | Using external software in an SAP HANA appliance
1730825 | Using external tools in an SAP HANA appliance
1730820 | Using antivirus software in an SAP HANA appliance
1730898 | Non-recommended external software and software versions
1730997 | Non-recommended versions of antivirus software
1720998 | Non-recommended versions of backup tools
1730990 | Configuration changes in SAP HANA appliance
1731000 | Non-recommended configuration changes

Other Information
For more information about specific topics, see the quick links in the table below.

Content | SAP Service Marketplace or SDN Quick Link
--- | ---
SAP Notes | https://support.sap.com/notes ; https://support.sap.com/securitynotes
Released platforms | https://apps.support.sap.com/sap/support/pam
SAP Solution Manager | https://go.sap.com/community/topic/solution-manager.html
SAP NetWeaver community | https://go.sap.com/community/topic/netweaver.html
SAP HANA in-memory computing community | https://go.sap.com/community/topic/hana.html
Related Information
SAP HANA Security Patches [page 12]
SAP HANA Security Checklists and Recommendations
SAP HANA Administration Guide
SAP HANA Developer Guide for XS Advanced Model (SAP Web IDE)
SAP HANA SQL Reference Guide for SAP HANA Platform
SAP HANA Client Interface Programming Reference

3 SAP HANA Security Patches
To ensure the security of SAP HANA, it's important that you keep your systems up to date by installing the latest SAP HANA revision and monitoring SAP security notes.
SAP HANA Revisions
Security-related code improvements and corrections for SAP HANA are shipped with SAP HANA revisions.
SAP publishes information related to security corrections and improvements through SAP security notes. In general, security notes contain information about both the affected SAP HANA application areas and specific measures that protect against the exploitation of potential weaknesses. Additional security measures are also documented here. SAP security notes are released as part of the monthly SAP Security Patch Day.
We recommend that you regularly review new security notes for SAP HANA application areas and decide whether they are relevant in the context of your systems and environment.
For more information about SAP security notes and the SAP Security Patch Day, see SAP Support Portal at http://support.sap.com/securitynotes.
Note
To get full access to SAP Support Portal, you need an authorized user ID.
For a list of all SAP HANA application areas, see the SAP HANA Master Guide.
For more information about updating SAP HANA to a new revision, see the SAP HANA Server Installation and Update Guide.
Operating System Patches
Install security patches for your operating system (OS) as soon as they become available. If a security patch impacts SAP HANA operation, SAP will publish an SAP Note where this fact is stated. It's up to you to decide whether to install such patches.
If your SAP HANA system runs on SUSE Linux Enterprise Server for SAP Applications, see SAP Note 1944799.
If your SAP HANA system runs on Red Hat Enterprise Linux (RHEL) 6.x, see SAP Note 2009879.
Related Information
SAP HANA Application Areas
Updating the SAP HANA System
SAP Note 1944799
SAP Note 2009879

4 SAP HANA Overview
SAP HANA is an in-memory platform for doing real-time analytics and for developing and deploying real-time applications. For on-premise deployment, SAP HANA comes either pre-installed on certified hardware provided by an SAP hardware partner (appliance delivery model) or must be installed on certified hardware by a certified administrator (tailored data center integration model).
However, SAP HANA is more than a database management system. It is also a comprehensive platform for the development and execution of native data-intensive applications that run efficiently in SAP HANA, taking advantage of its in-memory architecture and parallel execution capabilities.
4.1 The SAP HANA Database
At the core of SAP HANA is the high-performance, in-memory SAP HANA database.
SAP HANA is an in-memory platform that combines an ACID-compliant database with advanced data processing, application services, and flexible data integration services. The SAP HANA database can act as a standard SQL-based relational database. In this role, it can serve as either the data provider for classical transactional applications (OLTP) and/or as the data source for analytical requests (OLAP). Database functionality is accessed through an SQL interface.
Standard Database Interfaces
SAP HANA provides standard database interfaces such as JDBC and ODBC and supports standard SQL with SAP HANA-specific extensions.
Data Provisioning
Several data provisioning mechanisms are available for getting data from different sources into SAP HANA. For example, in a data mart or analytics scenario, data is replicated into SAP HANA from source systems using one of the supported replication technologies. For applications that use SAP HANA as their primary database (such as SAP S/4HANA), data is created directly in SAP HANA.
Data Recovery
Although the SAP HANA database holds the bulk of its data in memory for maximum performance, it still uses persistent storage to support system restart and recovery. There's minimal delay and no loss of data in the event of failure. For example, after a power failure, the database can be restarted like any disk-based database and returned to its most recent consistent state. In addition, SAP HANA provides functions for backup and recovery, as well as high availability (disaster recovery and fault recovery).
Related Information
Security for SAP HANA Replication Technologies [page 221]
4.2 SAP HANA XS and Development Infrastructure
SAP HANA includes the SAP HANA extended application services (SAP HANA XS), a layer on top of SAP HANA that provides the platform for running SAP HANA-based Web applications.
SAP HANA XS, Advanced Model
Available since SAP HANA 1.0 SPS 11, the SAP HANA XS advanced model represents an evolution of the application server architecture within SAP HANA by building upon the strengths (and expanding the scope) of SAP HANA extended application services (XS), classic model.
The SAP HANA XS advanced platform supports several programming languages and execution environments, such as Java and Node.js. The SAP HANA XS advanced application runtimes are invoked over HTTP and communicate with the SAP HANA database via SQL.
The database part of an SAP HANA XS advanced application (for example, the definitions of tables, views, and procedures) is deployed using the SAP HANA deployment infrastructure (SAP HANA DI, or HDI). HDI is a service layer of the SAP HANA database that simplifies the consistent deployment of SAP HANA database objects. It supports isolated deployment containers, which can be used, for example, to deploy several instances of the same application on the same SAP HANA database.
SAP Web IDE for SAP HANA is the browser-based development environment for SAP HANA-based applications. It can be used to develop all layers of an application, including UI, XS advanced server applications, and SAP HANA database content. It's based on SAP HANA XS advanced and HDI, and uses Git for source code management.
Recommendation
SAP recommends that customers and partners who want to develop new applications use SAP HANA XS advanced model. If you want to migrate existing XS classic applications to run in the new XS advanced run-time environment, SAP recommends that you first check the features available with the installed version of XS advanced: if the XS advanced features match the requirements of the XS classic application you want to migrate, then you can start the migration process. For more information, see the SAP HANA XS Advanced Migration Guide.
Downloading XS Advanced from SAP Marketplace
SAP HANA Extended Application Services, advanced model, is available not only on the SAP HANA media but also as a separate component on SAP Marketplace. Users with the required S-User ID can download the latest version of the XS advanced component in the package SAP EXTENDED APP SERVICES 1 from the following location:
• SAP Service Marketplace > Software Downloads > SUPPORT PACKAGES & PATCHES > By Alphabetical Index (A-Z) > H > SAP HANA PLATFORM EDITION
• SAP HANA PLATFORM EDITION 2.0 > SAP EXTENDED APP SERVICES 1
Tip
SAP HANA Extended Application Services, advanced model, is backwards compatible; you can provide access to new features by installing the latest version of the XS advanced component even on older versions of SAP HANA. To download the package SAP EXTENDED APP SERVICES 1, see SAP Software Download Center in Related Information below.
SAP HANA XS, Classic Model
SAP HANA XS classic is the original implementation of SAP HANA XS. The classic XS server is fully integrated into the SAP HANA database and provides application server functions. Accessible through HTTP, the XS server can deliver data through Open Data Protocol (OData) calls and HTML user interfaces.
For creating new structures and programs, for example modeling database structures, analytical queries, reports and procedures, as well as developing applications, SAP HANA provides a development environment. This development environment is integrated into the SAP HANA studio and the SAP HANA Web-based Development Workbench. Design-time artifacts, such as custom applications, roles, and application content, are managed in SAP HANA's built-in repository. Design-time objects can be transported from development systems to test and production systems.
Note
SAP HANA XS, classic and the SAP HANA repository are deprecated as of SAP HANA 2.0 SPS 02. For more information, see SAP Note 2465027.
Related Information
SAP HANA as Technical Infrastructure for Native Application Development [page 20]
Security for SAP HANA Extended Application Services, Advanced Model [page 224]
Security Aspects of SAP Web IDE for SAP HANA [page 292]
SAP HANA XS Advanced Migration Guide
SAP Note 2465027
SAP Software Download Center (Logon required)

4.3 Technical System Landscape
An SAP HANA system comprises multiple isolated databases and may consist of one host or a cluster of several hosts (scale-out system).
An SAP HANA system, identified by a single system ID (SID), contains one or more tenant databases and one system database. Databases are identified by a SID and a database name. From the administration perspective, there is a distinction between tasks performed at system level and those performed at database level. Database clients, such as the SAP HANA cockpit, connect to specific databases.
All the databases in a system share the same installation of database system software, the same computing resources, and the same system administration. However, each database is self-contained and fully isolated with its own set of database users, database catalog, persistence, and so on.
The System Database
The system database, which is created during installation, is used for central system administration, for example the creation of tenant databases and global system configuration. The system database stores overall system landscape information, including knowledge of the tenant databases that exist in the system. However, it doesn't own database-related topology information, that is, information about the location of tables and table partitions in databases. Database-related topology information is stored in the relevant tenant database catalog.
Server Architecture
An example of the basic architecture of a single-host SAP HANA system with three tenant databases is shown
below. For more information about system architecture, see the SAP HANA Administration Guide.
[Figure: Multiple-Container SAP HANA System (Single Host), captioned "SAP HANA System with Tenant Databases": applications connecting to the system database and to the tenant databases, each tenant with its own index server]
Related Information
SAP HANA System Architecture Overview
4.3.1 Overview of SAP HANA Security Functions
SAP HANA provides a range of security features and functions at the database and system level to ensure secure access control and secure system setup and configuration.
Security Features of the SAP HANA Database
The following overview lists the standard security features in the SAP HANA database. For more detailed information, see the relevant section in this guide.

Security Feature: User and role management
Every tenant database has its own database users and roles, including the tenant database-specific superuser SYSTEM.
Depending on the isolation level of the system, there may be only one operating system (OS) user (the default <sid>adm user), or one OS user for each tenant database, which must be created.

Security Feature: Authentication and SSO
The SAP HANA database supports a number of authentication mechanisms, including database user name/password, SAML bearer tokens, JSON Web Tokens (JWT), Kerberos, and LDAP directory server name and password. Whether a per-database configuration is possible depends on the authentication mechanism and the user client:
• Authentication by database user name and password is database specific.
• For Kerberos-based authentication, a per-database configuration is not possible. Database users in all databases must be mapped to users in the same Key Distribution Center.
• For SAML and JWT-based authentication, a per-database configuration is possible for JDBC/ODBC client access. Different trust stores (containing different certificates) can be configured for individual databases. For this purpose, we recommend using certificates and certificate collections (also referred to as personal security environments or PSEs) stored in the database as opposed to the file system.
• For LDAP-based authentication, a per-database configuration is possible. Connections to different LDAP directory servers can be set up by creating separate LDAP providers in each database. To secure communication between the SAP HANA database and the LDAP server (including the transmission of passwords), different trust stores (containing different certificates) can be configured for individual databases using in-memory certificates and certificate collections.
Note
LDAP-based authentication is only possible for users if authentication using their local SAP HANA password is disabled.
Database-specific trust stores cannot be configured for HTTP client access through SAP HANA Extended Services, classic model (SAP HANA XS classic). Therefore, user authentication based on SAML assertions and X.509 certificates cannot be database specific.

Security Feature: Authorization
SAP HANA's standard authorization mechanisms are applied to users at the database level with the following additions:
• In the system database, the system privilege DATABASE ADMIN exists to allow system administrators to perform certain tasks on tenant databases (for example, stop a tenant database or back up a tenant database).
• A cross-database authorization mechanism exists to support read-only queries between tenant databases. This is made possible through the association of a user in one tenant database with a user in another database. Cross-database access is disabled by default and must be enabled and configured by a system administrator before such user mappings can be set up.
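Worked example, added here and not taken from the guide: the SQL a system administrator runs to enable read-only cross-database access from tenant DB2 into tenant DB1 and to set up the user mapping described in the second bullet. DB1, DB2, the schema SALES, the user names and the initial password are assumed placeholders; the ALTER CONFIGURATION statements are assumed to run in the system database under a user holding the INIFILE ADMIN system privilege.

```sql
-- Step 1 (system database): cross-database access is off by default.
-- Switch it on system-wide and declare the direction explicitly:
-- users in DB2 may read from DB1 (targets_for_<source DB> = <target DB>).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('cross_database_access', 'enabled') = 'true' WITH RECONFIGURE;
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('cross_database_access', 'targets_for_DB2') = 'DB1' WITH RECONFIGURE;

-- Check: the keys are effective once they appear in the active ini contents.
SELECT SECTION, KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'global.ini' AND SECTION = 'cross_database_access';

-- Step 2 (target tenant DB1): create the local user that remote queries will
-- run as, grant it only what the other tenant is allowed to read, and
-- associate it with the user ANALYST of DB2 (the "remote identity").
-- Placeholder password; it must satisfy the tenant's password policy.
CREATE USER REPORT_READER_DB1 PASSWORD 'Initial1!' NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT SELECT ON SCHEMA SALES TO REPORT_READER_DB1;
ALTER USER REPORT_READER_DB1 ADD REMOTE IDENTITY ANALYST AT DATABASE DB2;

-- Step 3 (source tenant DB2): ANALYST addresses DB1 objects with a three-part
-- name. The query executes in DB1 with REPORT_READER_DB1's privileges only;
-- the mechanism supports read-only queries, so writes to DB1 are rejected.
SELECT TOP 10 * FROM DB1.SALES.ORDERS;
```

Because the effective privileges are those of the mapped user in the target database, keep that user limited to SELECT on the schemas the other tenant genuinely needs.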