This blog contains experience gained over the years of implementing (and de-implementing) large scale IT applications/software.

SAP HANA – SSL Security Essential

The HeartBleed hack exposed the consequences of security holes in software designed to provide encryption of network traffic.
However, this doesn’t mean that all encryption software has holes and it’s certainly better to have some form of encryption than none at all.

I’ve watched numerous online demos, official training videos and worked on real life HANA instances. None of these systems so far has had SSL (now called TLS) enabled between the HANA Studio and the SAP Host Agent, or between the HANA Studio and the HANA database.
This means that the specific communication between the HANA Studio, the SAP Host Agent and the HANA database indexserver is not encrypted.

The HTTP protocol has been around for a long time now (thanks Tim).
It is inherently insecure when using HTTP BASIC authentication, since the username and password passed over HTTP to a server that has requested authentication are sent in the clear (unencrypted); they are merely encoded in BASE64, which anyone who captures the packet can decode.
The BASIC authentication is used to authenticate the HANA Studio with the SAP Host Agent.

What does this mean with regards to SAP HANA and the SAP HANA Studio?
Well, it means that any user with a network packet sniffer (such as Wireshark) could intercept one vital password, that of the <sid>adm SUSE Linux user.

In a SAP HANA system, the software is installed and owned by the <sid>adm Linux user. Usually <sid> is a unique identifier for each HANA system in a SAP landscape. As an example, H10 or HAN or any other 3 alphanumeric combination (within certain SAP restrictions) can be used.
When the HANA Studio is used to control the HANA database instance (start up and shutdown), the HANA Studio user is prompted to enter the username and password for the <sid>adm user.
This username and password are then sent via HTTP to the SAP Host Agent installed on the HANA server. The SAP Host Agent uses the username and password to start or stop the HANA database instance.
If the password for the <sid>adm user is obtained, it is possible for a malicious user to establish an SSH connection directly to the SUSE Linux server where the HANA instance is installed, then control the instance, or access the database directly using a command line interface for executing SQL statements.

Here’s a 6-step example which took me 10 minutes to set up, trace, collect the data and then log in to the Linux server as an authorised user.

Step 1, Install and open Wireshark (on your PC) and start tracing for TCP connections to the HANA server on the Host Agent TCP port 5<xx>13.
Step 2, Launch HANA Studio (on your PC) and in the navigator right click and choose “Log On”:

HANA Logon without SSL

Step 3, If you haven’t elected to save the username and password during previous use of the HANA Studio, you will be prompted. Otherwise, the system will auto-logon to the Host Agent.
Step 4, Analyse the Wireshark capture. You’re looking for the text “Authorization: Basic” in the TCP packets:

HANA Logon Wireshark trace

The actual string will look something like:
Authorization: Basic aDEwYWRtOmhhbmFoYW5h
I’ve copied an example HTTP POST out to a text editor for easy viewing:

HANA SAPControl HTTP POST

POST /SAPControl HTTP/1.1
Accept: text/xml, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Authorization: Basic aDEwYWRtOmhhbmFoYW5h
Content-Type: text/xml; charset=utf-8
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.7.0_45
Host: hana01.fqdn.corp:51013
Connection: keep-alive
Content-Length: 248

Step 5, Decode the username and password in the BASIC authentication string using a base64 decoder. It’s possible to use an online one:

HANA SAPControl HTTP POST BASE64 decoder

The output includes the username and password in the following format:
USERNAME:PASSWORD

Step 6, With our new found details, log onto the HANA server using an SSH terminal:

HANA Server Logon

From this point onward it’s possible to access any data in the HANA database using command line tools.

SUMMARY:
You MUST enable SSL (TLS) encryption of the HTTP communications between the HANA Studio and the SAP Host Agent. Without this, you might as well put the password on a post-it note on your screen.
See https://service.sap.com/sap/support/notes/1718944

Another option would be to segregate the HANA Studio users on their own vLAN, or to firewall the SAP HANA Host Agent and HANA database indexserver ports, tying them to specific user PCs only.
Incidentally, the password for the SYSTEM user of the HANA database is hashed with SHA256. The hash is then compared with the password hash already stored in the HANA database in order to authenticate a user.
However, if you have not enabled SSL between the HANA Studio and the HANA database indexserver, then all of the data retrieved from the database is sent in the clear. You don’t need to authenticate to the database if you can just read the network packets. This is true of most database connections.
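As an added example (not code from the original post), here is a small Python check a defender can run over HTTP requests exported from a capture like the one above: it reports which account's password crossed the network in the clear, without ever printing the password. The plain-HTTP port 5<xx>13 is taken from the post; that the matching TLS port is 5<xx>14 is my assumption based on SAP's sapstartsrv port convention.

```python
import base64
import binascii
import re

# Constructed sample: the sapcontrol POST from the capture above, trimmed to
# the headers that matter for this check.
SAMPLE_REQUEST = (
    "POST /SAPControl HTTP/1.1\r\n"
    "Authorization: Basic aDEwYWRtOmhhbmFoYW5h\r\n"
    "Host: hana01.fqdn.corp:51013\r\n"
    "Connection: keep-alive\r\n\r\n"
)

# sapstartsrv's plain-HTTP port is 5<xx>13 (from the post); its TLS port is
# 5<xx>14 (assumption, see lead-in). Any hit here is a cleartext finding.
PLAIN_HTTP_PORT = re.compile(r"^5\d\d13$")


def parse_headers(raw):
    """Map lower-cased header names to values for the request's header block."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_basic_auth(raw):
    """Report a cleartext Basic credential: the user name, never the password."""
    headers = parse_headers(raw)
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None  # no Basic credential in this request
    try:
        creds = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"user": None, "decodable": False}
    user, _, password = creds.partition(":")  # RFC 7617: user ":" password
    port = headers.get("host", "").rpartition(":")[2]
    return {
        "user": user,
        "decodable": True,
        "password_exposed": password != "",
        "port": port,
        "plain_http_sapcontrol_port": bool(PLAIN_HTTP_PORT.match(port)),
    }


if __name__ == "__main__":
    print(audit_basic_auth(SAMPLE_REQUEST))
```

A request that reaches this check at all is already the finding: once TLS is enabled on the Host Agent connection, the capture no longer contains readable headers.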

HANA Studio – Diagnosis Mode Connection Overload

Be careful when using HANA Studio in Diagnosis Mode with the refresh interval set to a low value.
When set to 5 seconds (the default), a new connection is opened to the HANA DB every 5 seconds:

HANA Diagnosis Mode refresh interval

If you check the number of connections with a tool such as TCPView or Process Monitor, you will see a very high number of ESTABLISHED connections over time:

HANA client connections established

Note that the HANA DB SQL port is 3<xx>15.

Under heavy network load, this puts additional strain on your PC, the network and the HANA server.

Simply lower the refresh rate (set a longer refresh interval); this allows your PC to close the unwanted connections before the new ones are created, reducing your CPU consumption.
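As an added example (not part of the original post), this Python snippet does what the TCPView screenshot shows, but from a saved `netstat -an` listing on the Studio PC: it counts connections to the HANA SQL port 3<xx>15 (from the post) per HANA host and state, and flags hosts where more than a couple of sessions are ESTABLISHED at once. The sample listing and the threshold of 2 are my constructions.

```python
import re
from collections import Counter

# Constructed sample in Windows `netstat -an` format: a PC running HANA
# Studio in Diagnosis Mode against hana01 (10.0.0.20, SQL port 30015).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:52011         10.0.0.20:30015        ESTABLISHED
  TCP    10.0.0.5:52012         10.0.0.20:30015        ESTABLISHED
  TCP    10.0.0.5:52013         10.0.0.20:30015        ESTABLISHED
  TCP    10.0.0.5:52014         10.0.0.20:30015        TIME_WAIT
  TCP    10.0.0.5:52015         10.0.0.20:30015        ESTABLISHED
  TCP    10.0.0.5:52016         10.0.0.20:443          ESTABLISHED
  TCP    10.0.0.5:52017         10.0.0.20:30013        ESTABLISHED
"""

HANA_SQL_PORT = re.compile(r"^3\d\d15$")  # indexserver SQL port 3<xx>15


def hana_sql_connections(netstat_text):
    """Count TCP connections to any HANA SQL port, keyed by (peer host, state)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # header, blank line or a UDP socket
        peer_host, _, peer_port = fields[2].rpartition(":")
        if HANA_SQL_PORT.match(peer_port):
            counts[(peer_host, fields[3])] += 1
    return counts


def overloaded_hosts(counts, max_established=2):
    """Return {peer host: ESTABLISHED count} for hosts above the threshold.

    One refresh should need one session; several ESTABLISHED sessions to the
    same host mean the Studio is opening them faster than it closes them.
    """
    established = Counter()
    for (host, state), n in counts.items():
        if state == "ESTABLISHED":
            established[host] += n
    return {h: n for h, n in established.items() if n > max_established}


if __name__ == "__main__":
    c = hana_sql_connections(SAMPLE_NETSTAT)
    print(dict(c), overloaded_hosts(c))
```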

HowTo: Check HANA LM Is Running

Scenario: You want to check if the SAP HANA Lifecycle Manager is running/installed.

The SAP HANA Lifecycle Manager is installed separately from the HANA DB and runs in its own Java VM.
It’s installed by default into the “/usr/sap/hlm_bootstraps” directory and occupies ~700MB of disk space.

By default the HLM is not started with the instance. It is started when you call it from the HANA Studio, or when you manually start it from the Linux command line using the bootstrap-hlm.sh script located in “/usr/sap/hlm_bootstraps/<SID>/HLM”.

From HANA Studio, right click the HANA instance as SYSTEM, then select “Lifecycle Management“:


From the command line on the Linux server, as the <sid>adm Linux user:

> cd /usr/sap/hlm_bootstraps/H10/HLM
> ./bootstrap-hlm.sh

You will be dropped into the OSGi (Open Services Gateway initiative, see https://www.osgi.org/) command line.

Why SAP Learning Hub Is Great Value

I run my own company and I am primarily a BASIS guy, secondarily a DBA.
With the launch of SAP HANA, the new In-Memory DB platform from SAP, I decided that I needed to prove my skills with this popular new technology before it takes off mainstream.

Being in control of my own training plan means that I can see the issues large companies have.
Budget!
Training is not cheap when you factor in the cost of the training, the overnight hotel stays, breakfasts, evening meals and car fuel, plus you have to pay the employee for the day.
Advances in technology mean you can now complete some training online. This obviously sacrifices the usual face-to-face interaction and dynamism you get in a classroom, but if you are a capable learner (you need a specific technique), then you can benefit from the flexibility of online learning.

SAP launched the Learning Hub primarily to provide a method of easily selecting and following a training plan or certification path.
Secondly, the Learning Hub provides the perfect place to manage and distribute online training content.

Let’s get to the point:
How does it compare cost-wise with classroom based training?  Well here’s how I worked it out:
(Certification C_HANATEC131 proposes that courses HA100 and HA200 should be completed.)

– SAP HANA HA100 classroom cost:  £1040.
– SAP HANA HA200 classroom cost:  £2600.
– Travel & overnight stay costs (for me): £120 per night = ~ £840
– C_HANATEC131 certificate exam: £350

TOTAL for classroom training & certification exam: £4830.

Compare the above total to the Learning Hub method that I used:

– 12 months subscription to SAP Learning Hub:  £2400.
(Courses HA100E and HA200R are in the catalogue)
– Travel & overnight stay costs (for me) one night: £120
– C_HANATEC131 certificate exam: £350

TOTAL for SAP Learning Hub online training & certification exam:  £2870.

As you can see, the Learning Hub route gave me much better value.

And the best is still to come…
With the 12 months subscription, I get access to ALL of SAP’s eLearning courses.
Not only can I now choose another set of courses, but should I decide to certify on another topic, I just need to pay for the exam and I’ve saved money yet again.

There must be a downside?
Not necessarily. It does mean that you have to be a certain type of learner. You need a learning technique that suits you and a method of time control that stops learning overload.
Being my own boss means I can take time to train in-between contracts, but you could also perform your training online in the evenings.

My method:
– Find the certification exam you want to complete, on https://training.sap.com

HANA Training - Find the certification exam on training.sap.com

– Expand the “Topic Areas” section on the page and you will see the topic course recommendations on the right.


HANA Training - Expand the topic areas

– Print the page with the areas expanded, so you can see the “%” of relevance to the certification exam.

– Use the Learning Hub to access the online version of the required/recommended training courses.
These usually also include a PDF document with the course content.
Don’t forget to include the install and upgrade guides if relevant.

– Upload the PDF(s) to your tablet for a little easy reading when lounging (or when you have some dead time).

– Write key concepts on Post-It Notes and stick them somewhere you look at regularly (a wall maybe).

Don’t move them once stuck, because this helps you visualise them in your mind whilst learning.
You’ll come to know exactly on the wall where certain notes are.  That’s because you’ve remembered them with the associated place on the wall.

– Write notes in a book or notepad as you go through the learning material.
Don’t write long paragraphs, but do copy down diagrams; it helps reinforce the picture contents.

– Review and revise often.
You don’t need long, maybe 20 minutes.
Sometimes, just staring and going through the Post-It Notes will help them stick.

– Look up any acronyms you don’t know.

– Don’t be too concerned with the test exams, they are not very accurate or of good quality.
When you think you’re ready, book your exam. You can always re-take it if you have been unsuccessful.

Good luck.