
Secure Storage Key Generation Sap


Data stored in secure storage is encrypted with a key that includes the installation number and system ID. If one of these numbers changes, the data in secure storage must be migrated. For more information on migrating secure storage data, see SAP Note 816861.

Mar 13, 2019

Related SAP Notes:

*2097613 - Database is running with inconsistent Secure Storage File System (SSFS)

*2134846 - HANA encryption key handling during system cloning

*2183624 - Potential information leakage using default SSFS master key in HANA

*2193235 - SAP HANA system replication is not working after a change of the master key

SAP NetWeaver ABAP is the application server running most of SAP’s software. Version 7.4 comes with Gateway and the option to run Fiori on top of it. The installation of a NetWeaver ABAP system is not overly complex for a developer system: basically it is just installing the software. This installation process is composed of three steps:

*Perform the actual installation

After executing all three steps, you have a fully functional SAP NetWeaver ABAP system.

To install an SAP system, you first need to check the hardware requirements. You also need to ensure that a correct user/group is set up. This normally depends on the SID of your SAP system.

Software packages you'll need

*Database: Files to install the underlying database. Here I will use MaxDB.

*Kernel. The kernel files depend on your operating system and on whether you want to use Unicode (UC) or not. I'll use Linux x64 and a UC kernel.

*SAP Installer: SWPM. This is the sapinst program. Be careful, as two versions of SWPM exist. One is for installing NW AS and products; the other is for installing BS, SolMan and NW 7.0.

With SWPM10SPxx_PL.SAR:

Products based on SAP NetWeaver 7.1x

SAP Composition Environment 7.1x

SAP Composition Environment 7.2

Products based on SAP NetWeaver 7.3x

Products based on SAP NetWeaver 7.4 SR1*, SR2

With 70SWPM10SPxx_PL.SAR:

SAP NetWeaver 7.0, including Enhancement Package 1, 2, 3

SAP Business Suite 7i 2011, 2010, 7 SR1, 2005 SR3 based on SAP NetWeaver 7.0, including Enhancement Package 1, 2, and 3

SAP Solution Manager 7.0 including EHP1 SR1

SAP Solution Manager 7.1 SR1

*Application Server: ABAP

All files are delivered as ZIP, except SWPM. You'll have to un-SAR this one. Copy all unzipped/un-SARed files to a common location on your server, like /install.

User

For each SAP system you'll need one corresponding administration user. The user ID is determined by the SAP system ID (SID). The user ID follows the schema <sid>adm. For instance, when your SAP system is going to use the SID GWD, the user will be gwdadm. The group can be anything, but normally you use sapsys as the group name. Creating a user in Linux is easy, as it is just one command, and with SuSE you even get a wizard that guides you through the process.

Screens: User, Group

To start the installation, just run sapinst from the SWPM package.

There are two executables: sapinst and sapinstgui. Sapinst will start the local server and the local GUI, while sapinstgui needs to connect to an already started sapinst server. As long as you do not have to do a remote installation, sapinst is the executable you want to run.

The initial screen shows the install options.

Pre-requisites check

I am going to install SAP NetWeaver 7.4 Support Release 2 ABAP for MaxDB. First thing to run is the preparations step.

Select what sapinst should test. If nothing is selected, sapinst will check a basic set of requirements. This does not mean that after the check is done your system really meets all the requirements. So make sure you select what you are going to install to have a meaningful test result. As I am going to install NetWeaver ABAP, I selected the ABAP related checks.

Provide the database type.

Confirm that a UC system will be installed.

SAPinst will ask for the location of the Kernel files.

Enter the location of the files. In my case, they are located at /sap/inst.

Confirm the prerequisites data. If everything is OK, you can start the process.

The prerequisites are being verified.

After the check is done, sapinst presents you a screen with the results.

Go through the list. Everything needs to be OK.

The final dialog confirms that everything is OK and that a report was saved to a local file.

Now we are good to go: sapinst checked the system and gave it a quality stamp. Nothing impedes the installation of NetWeaver ABAP 7.4 SR2 with MaxDB.

Installation

The NW ABAP 7.4 SR2 system is going to be a standalone system, with everything on the same host.

Screens: Installation type, Installation mode

Choose the mode. Typical is enough; you'll still see more than enough input dialogs.

In case the mode of the files is not correct, do not worry. Sapinst will take care of that (thank you, sapinst!).

Screen: SAP system ID

Specify the SID (here: GWD) and the mount directory (here: /sapmnt).

Screen: Set DNS name

The 2nd input field is to set the domain name of the server. Do not enter the FQDN or the name of the server here, just the DNS name (here: tobias.de). If your server is nwgw74.tobias.de, enter only the tobias.de part.

Screens: Kernel files, Standard password for all users, Database SID, DB files

Enter where the DB files are located.

Screen: ABAP files

Enter the location of the ABAP files.

Screen: SLD

Let's not add the system to an SLD.

Screen: Secure Storage Key Generation

Let the installer create a secure key.

Screens: Review parameters, Start installation

Lean back and relax; this will take a while.

Screen: End of installation

After all steps are executed successfully and marked with a green check, the installation is done.

Install SAP license

Logging on to the new SAP system is done via SAP GUI. The user is SAP* and the password is the standard password given during installation.

Transaction: slicense

A temporary license is installed automatically.

Click the install button and select the license file. If everything is OK, a popup will confirm the installation of the license(s).

The last check is to verify that the new license is installed and active.

If the installation goes through without any error: congratulations. Many users will run into some errors; just search SCN for installation problems. Here are some common problems and their solutions:

R3load connect error

Step: Import ABAP:

Problem: R3load -testconnect fails

Analysis:

Log file:

*File exists in sapdb folder

Cause: Library not loaded

How do you add the MaxDB library to the loader path? The configuration is stored in /etc/ld.so.conf.

The last line is an include parameter. To add the MaxDB libraries, just create a conf file maxdb.conf in /etc/ld.so.conf.d/ and add the lib path to the new file.

Running the ld command from above:
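The conf-file fix just described, as an added example that is not from the original post: a Python helper that writes the /etc/ld.so.conf.d entry, refuses a library directory that is writable by group or others (every process that links a library from the loader search path trusts that directory), checks that /etc/ld.so.conf still has its include line, and rebuilds the cache with ldconfig. The path sapdb/clients/GWD/lib used in self_check is a constructed placeholder rather than a path from the post, and self_check runs in a temporary tree instead of /etc.

```python
import os
import stat
import subprocess
import tempfile
from pathlib import Path


def write_ld_conf(lib_dir, conf_dir="/etc/ld.so.conf.d", name="maxdb.conf"):
    """Register lib_dir with the dynamic loader by writing conf_dir/name.
    Refuses a missing or group/world-writable directory: anything on the
    loader search path gets mapped into every process that links a library
    from it, so only root should be able to write there. Re-running is a no-op."""
    lib = Path(lib_dir).resolve()
    if not lib.is_dir():
        raise FileNotFoundError(f"library directory does not exist: {lib}")
    if lib.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{lib} is group/world writable; not adding it to the loader path")
    conf = Path(conf_dir) / name
    conf.parent.mkdir(parents=True, exist_ok=True)
    lines = conf.read_text().splitlines() if conf.exists() else []
    if str(lib) not in lines:
        lines.append(str(lib))
        conf.write_text("\n".join(lines) + "\n")
    os.chmod(conf, 0o644)  # world-readable, writable only by the owner
    return conf


def conf_d_is_included(ld_so_conf="/etc/ld.so.conf"):
    """True if ld.so.conf carries the include line that pulls in ld.so.conf.d/*.conf."""
    p = Path(ld_so_conf)
    if not p.is_file():
        return False
    return any(line.split()[:1] == ["include"] and "ld.so.conf.d" in line
               for line in p.read_text().splitlines())


def refresh_cache_and_verify(lib_dir):
    """Rebuild the loader cache (needs root) and confirm lib_dir is now searched."""
    subprocess.run(["ldconfig"], check=True)
    listing = subprocess.run(["ldconfig", "-p"], capture_output=True, text=True, check=True).stdout
    return str(Path(lib_dir).resolve()) in listing


def self_check():
    """Exercise the helpers in a throwaway tree instead of /etc; returns what was observed."""
    root = Path(tempfile.mkdtemp())
    (root / "ld.so.conf").write_text("include /etc/ld.so.conf.d/*.conf\n")
    lib = root / "sapdb" / "clients" / "GWD" / "lib"  # constructed MaxDB-style client path
    lib.mkdir(parents=True)
    os.chmod(lib, 0o755)
    conf_d = root / "ld.so.conf.d"
    conf = write_ld_conf(lib, conf_d)
    write_ld_conf(lib, conf_d)  # second call must not duplicate the entry
    loose = root / "untrusted"
    loose.mkdir()
    os.chmod(loose, 0o777)
    try:
        write_ld_conf(loose, conf_d)
        rejected = False
    except PermissionError:
        rejected = True
    return {"conf_lines": conf.read_text().splitlines(), "conf_mode": stat.S_IMODE(conf.stat().st_mode),
            "include_present": conf_d_is_included(root / "ld.so.conf"), "world_writable_rejected": rejected}
```

On the real host, call write_ld_conf with the MaxDB lib directory as root and then refresh_cache_and_verify before retrying sapinst.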

Sapinst: retry

Strange errors

SAPinst should be run as the admin user of the instance: <sid>adm. SCN is full of errors from users who had problems running the Import ABAP step. That error is caused by running the installation as root and not as <sid>adm. For instance, to configure the DB, R3load is called. As user <sid>adm the program connects flawlessly to the DB; as user root it does not. This is simply because the environment variables are set for <sid>adm and not for user root.

SAPUXUSERCHECK

In case sapinst isn't capable of setting the right permissions on the file sapuxusercheck, follow SAP Note 1563660.

A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of your data. With a SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters.

Types of shared access signatures

Azure Storage supports three types of shared access signatures:

*User delegation SAS. A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.

For more information about the user delegation SAS, see Create a user delegation SAS (REST API).

*Service SAS. A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

For more information about the service SAS, see Create a service SAS (REST API).

*Account SAS. An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS. Additionally, with the account SAS, you can delegate access to operations that apply at the level of the service, such as Get/Set Service Properties and Get Service Stats operations. You can also delegate access to read, write, and delete operations on blob containers, tables, queues, and file shares that are not permitted with a service SAS.

For more information about the account SAS, see Create an account SAS (REST API).

Note

Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS when possible for superior security.

A shared access signature can take one of two forms:

*Ad hoc SAS: When you create an ad hoc SAS, the start time, expiry time, and permissions for the SAS are all specified in the SAS URI (or implied, if start time is omitted). Any type of SAS can be an ad hoc SAS.

*Service SAS with stored access policy: A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints—the start time, expiry time, and permissions—defined for the stored access policy.

Note

A user delegation SAS or an account SAS must be an ad hoc SAS. Stored access policies are not supported for the user delegation SAS or the account SAS.

How a shared access signature works

A shared access signature is a signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client. One of the query parameters, the signature, is constructed from the SAS parameters and signed with the key that was used to create the SAS. This signature is used by Azure Storage to authorize access to the storage resource.

SAS signature

You can sign a SAS in one of two ways:

*With a user delegation key that was created using Azure Active Directory (Azure AD) credentials. A user delegation SAS is signed with the user delegation key.

To get the user delegation key and create the SAS, an Azure AD security principal must be assigned a role-based access control (RBAC) role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. For detailed information about RBAC roles with permissions to get the user delegation key, see Create a user delegation SAS (REST API).

*With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. To create a SAS that is signed with the account key, an application must have access to the account key.

SAS token

The SAS token is a string that you generate on the client side, for example by using one of the Azure Storage client libraries. The SAS token is not tracked by Azure Storage in any way. You can create an unlimited number of SAS tokens on the client side. After you create a SAS, you can distribute it to client applications that require access to resources in your storage account.

When a client application provides a SAS URI to Azure Storage as part of a request, the service checks the SAS parameters and signature to verify that it is valid for authorizing the request. If the service verifies that the signature is valid, then the request is authorized. Otherwise, the request is declined with error code 403 (Forbidden).

Here's an example of a service SAS URI, showing the resource URI and the SAS token:

When to use a shared access signature

Use a SAS when you want to provide secure access to resources in your storage account to any client who does not otherwise have permissions to those resources.

A common scenario where a SAS is useful is a service where users read and write their own data to your storage account. In a scenario where a storage account stores user data, there are two typical design patterns:

*Clients upload and download data via a front-end proxy service, which performs authentication. This front-end proxy service has the advantage of allowing validation of business rules, but for large amounts of data or high-volume transactions, creating a service that can scale to match demand may be expensive or difficult.

*A lightweight service authenticates the client as needed and then generates a SAS. Once the client application receives the SAS, they can access storage account resources directly with the permissions defined by the SAS and for the interval allowed by the SAS. The SAS mitigates the need for routing all data through the front-end proxy service.

Many real-world services may use a hybrid of these two approaches. For example, some data might be processed and validated via the front-end proxy, while other data is saved and/or read directly using SAS.

Additionally, a SAS is required to authorize access to the source object in a copy operation in certain scenarios:

*When you copy a blob to another blob that resides in a different storage account, you must use a SAS to authorize access to the source blob. You can optionally use a SAS to authorize access to the destination blob as well.

*When you copy a file to another file that resides in a different storage account, you must use a SAS to authorize access to the source file. You can optionally use a SAS to authorize access to the destination file as well.

*When you copy a blob to a file, or a file to a blob, you must use a SAS to authorize access to the source object, even if the source and destination objects reside within the same storage account.

Best practices when using SAS

When you use shared access signatures in your applications, you need to be aware of two potential risks:

*If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.

*If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.

The following recommendations for using shared access signatures can help mitigate these risks:

*Always use HTTPS to create or distribute a SAS. If a SAS is passed over HTTP and intercepted, an attacker performing a man-in-the-middle attack is able to read the SAS and then use it just as the intended user could have, potentially compromising sensitive data or allowing for data corruption by the malicious user.

*Use a user delegation SAS when possible. A user delegation SAS provides superior security to a service SAS or an account SAS. A user delegation SAS is secured with Azure AD credentials, so that you do not need to store your account key with your code.

*Have a revocation plan in place for a SAS. Make sure you are prepared to respond if a SAS is compromised.

*Define a stored access policy for a service SAS. Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. Set the expiration on these very far in the future (or infinite) and make sure it's regularly updated to move it farther into the future.

*Use near-term expiration times on an ad hoc SAS, service SAS, or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.

*Have clients automatically renew the SAS if necessary. Clients should renew the SAS well before the expiration, in order to allow time for retries if the service providing the SAS is unavailable. If your SAS is meant to be used for a small number of immediate, short-lived operations that are expected to be completed within the expiration period, then this may be unnecessary as the SAS is not expected to be renewed. However, if you have a client that is routinely making requests via SAS, then the possibility of expiration comes into play. The key consideration is to balance the need for the SAS to be short-lived (as previously stated) with the need to ensure that the client is requesting renewal early enough (to avoid disruption due to the SAS expiring prior to successful renewal).

*Be careful with SAS start time. If you set the start time for a SAS to now, then due to clock skew (differences in current time according to different machines), failures may be observed intermittently for the first few minutes. In general, set the start time to be at least 15 minutes in the past. Or, don't set it at all, which will make it valid immediately in all cases. The same generally applies to expiry time as well--remember that you may observe up to 15 minutes of clock skew in either direction on any request. For clients using a REST version prior to 2012-02-12, the maximum duration for a SAS that does not reference a stored access policy is 1 hour, and any policies specifying longer term than that will fail.

*Be careful with SAS datetime format. If you set the start time and/or expiry for a SAS, for some utilities (for example for the command-line utility AzCopy) you need the datetime format to be '+%Y-%m-%dT%H:%M:%SZ', specifically including the seconds in order for it to work using the SAS token.

*Be specific with the resource to be accessed. A security best practice is to provide a user with the minimum required privileges. If a user only needs read access to a single entity, then grant them read access to that single entity, and not read/write/delete access to all entities. This also helps lessen the damage if a SAS is compromised because the SAS has less power in the hands of an attacker.

*Understand that your account will be billed for any usage, including via a SAS. If you provide write access to a blob, a user may choose to upload a 200 GB blob. If you've given them read access as well, they may choose to download it 10 times, incurring 2 TB in egress costs for you. Again, provide limited permissions to help mitigate the potential actions of malicious users. Use short-lived SAS to reduce this threat (but be mindful of clock skew on the end time).

*Validate data written using a SAS. When a client application writes data to your storage account, keep in mind that there can be problems with that data. If your application requires that data be validated or authorized before it is ready to use, you should perform this validation after the data is written and before it is used by your application. This practice also protects against corrupt or malicious data being written to your account, either by a user who properly acquired the SAS, or by a user exploiting a leaked SAS.

*Know when not to use a SAS. Sometimes the risks associated with a particular operation against your storage account outweigh the benefits of using a SAS. For such operations, create a middle-tier service that writes to your storage account after performing business rule validation, authentication, and auditing. Also, sometimes it's simpler to manage access in other ways. For example, if you want to make all blobs in a container publicly readable, you can make the container Public, rather than providing a SAS to every client for access.

*Use Azure Monitor and Azure Storage logs to monitor your application. You can use Azure Monitor and storage analytics logging to observe any spike in authorization failures due to an outage in your SAS provider service or to the inadvertent removal of a stored access policy. For more information, see Azure Storage metrics in Azure Monitor and Azure Storage Analytics logging.

Get started with SAS
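The recommendations above, turned into an added review checker that is not part of the original documentation: it parses the query parameters of a SAS URI (the standard keys sp, st, se, spr, si and sig) and reports which of the practices listed above the token violates, so a SAS can be vetted before it is handed to a client. Both sample URIs are constructed, sig=PLACEHOLDER stands in for a real signature, and the one-hour limit for an ad hoc SAS is an assumed review threshold; the 15-minute clock-skew window is the one the text gives.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Standard SAS query keys used here: sp (permissions), st (start), se (expiry),
# spr (allowed protocols), si (stored access policy id), sig (signature).
SAS_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # seconds included, as AzCopy requires
CLOCK_SKEW = timedelta(minutes=15)


def parse_sas_time(value):
    """Parse a SAS timestamp; None if missing, malformed, or lacking seconds."""
    try:
        return datetime.strptime(value, SAS_TIME_FMT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def review_sas_uri(uri, now, needed_perms="r", max_adhoc_lifetime=timedelta(hours=1)):
    """Check one SAS URI against the recommendations above; returns a list of findings."""
    parts = urlsplit(uri)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["no sig parameter: this is not a SAS URI"]
    findings = []
    if parts.scheme != "https":
        findings.append("distributed over plain HTTP: anyone who reads it in transit can replay it")
    if "http" in q.get("spr", "https").split(","):
        findings.append("spr allows http: restrict the SAS to https")
    extra = set(q.get("sp", "")) - set(needed_perms)  # least privilege: only what the client needs
    if extra:
        findings.append(f"permissions '{''.join(sorted(extra))}' exceed what the client needs")
    if "st" in q:
        start = parse_sas_time(q["st"])
        if start is None:
            findings.append("st does not match %Y-%m-%dT%H:%M:%SZ")
        elif start > now - CLOCK_SKEW:
            findings.append("st is less than 15 minutes in the past: expect intermittent 403s from clock skew")
    if "si" not in q:  # ad hoc SAS: the token itself fixes the lifetime and cannot be revoked early
        expiry = parse_sas_time(q.get("se"))
        if expiry is None:
            findings.append("ad hoc SAS without a parseable se: it must carry an expiry with seconds")
        elif expiry <= now:
            findings.append("already expired: the client needs a renewal path")
        elif expiry - now > max_adhoc_lifetime:
            findings.append(f"ad hoc SAS valid for {expiry - now}: use a near-term expiry or a stored access policy")
    return findings


# Constructed sample URIs (not real accounts; sig is a placeholder, not a valid signature).
NOW = datetime(2021, 1, 1, 0, 5, tzinfo=timezone.utc)
RISKY_URI = ("https://example.blob.core.windows.net/logs/report.csv?sv=2020-08-04&sr=b"
             "&sp=rwd&st=2021-01-01T00:00:00Z&se=2031-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER")
SAFE_URI = ("https://example.blob.core.windows.net/logs/report.csv?sv=2020-08-04&sr=b"
            "&sp=r&se=2021-01-01T00:30:00Z&spr=https&sig=PLACEHOLDER")

if __name__ == "__main__":
    for finding in review_sas_uri(RISKY_URI, NOW):
        print("-", finding)
```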

To get started with shared access signatures, see the following articles for each SAS type:

*User delegation SAS

*Service SAS

*Account SAS
