This article begins the series “SAP HANA for Dummies”, devoted to a review of the main features and security issues of SAP HANA.
We will consider the key aspects of the system itself and its security, and we will also look at vulnerabilities in several of its modules.
The main purpose of this series is to explain the main principles of SAP HANA in understandable terms, including how it can be provided to the customer, for example, in cloud-based form or on premise. We will also discuss the main features of the system and the security issues that can be found in this system and its modules.
Unlike other manuals and articles on the security of this system, we aim not only to focus on protection, but also to give you an idea of this system’s features and of the SAP strategy in the development of SAP HANA. We will see how this system can be used, what features and differences it has in comparison with other databases and, of course, discuss in detail the features that are most interesting in terms of security.
In this article, we will consider SAP HANA in several ways:
- SAP HANA basics
- Interaction and delivery methods
- What SAP HANA can be
- Themes of the following articles
SAP HANA for Dummies: Highlights
SAP HANA is a database developed by SAP so that its ERP systems would not have to use a database by Oracle.
SAP HANA is a high-performance platform for data storage and processing based on in-memory computing technology. It uses the principle of column-based data storage, which means that data is normally presented in the form of tables, but in fact these tables are a collection of columns, and each of them is a one-field table. Also, physically on the disk, the values of one field are stored consecutively one after another.
SAP HANA is used in many systems as a database or as a platform for in-memory computing. For example, it is the DBMS for the new ERP system SAP S/4 HANA, and it can host custom applications that work with a database.
SAP S/4 HANA is a new generation of ERP systems that uses only SAP HANA as its database; it is impossible to use another database.
For S/4 HANA, in addition to using the SAP HANA database, SAP decided to employ SAP Fiori to run applications written on the UI5 engine for managing and executing business activities. Although the core of this ERP system is the SAP NetWeaver ABAP application server, many modules have been modified to interact better with the SAP HANA database and to use its analytical capabilities to improve the productivity of these modules.
SAP Fiori is a new way to manage and interact with the system. All the basic functions can be moved to the web interface for easier interaction with, or management of, the ERP system. In addition, these modules were modified with the aim of simplifying interaction and work with them. Therefore, some functions that used to be in different transactions are now combined into one for ease of use.
There are new authorization objects associated with the new modules and in particular for SAP Fiori.
You can use SAP HANA as a regular database, that is, as a single instance; this is the so-called “Singletenant” installation. It can also be used as a server with several databases, so that several applications can each work with their own database and run independently without a separate SAP HANA server for each. This type of installation is called “Multitenant”.
In addition, it is possible to use several SAP HANA servers in a bundle, combining them into one system. This type of installation is called “Multihost”, but keep in mind that with this type of installation the system will always be a “Multitenant” one. A “Multitenant” installation always includes a system database, which is the main one in terms of administration, and all the general settings for the whole system are managed through it. To make individual settings for a particular database that has already been created, you need to connect to that database and configure the settings there. We will discuss the differences in settings and their priorities for each type of installation in more detail in some of the following articles.
Interaction and usage of SAP HANA
SAP HANA Studio is the standard client for working with SAP HANA and is used to interact with the database. It is run both by administrators and developers, but it is not the only way to manage this system. SAP HANA is not just a database system: it also has a separate application server built into the platform. It is called HANA XS Classic or HANA XS Advanced, which we will discuss further in this article. This service has its own standard applications that allow administrative tasks in the SAP HANA database to be carried out even without special software such as SAP HANA Studio.
Now, let’s have a closer look at the SAP HANA XS application server. In the past, SAP HANA used the XS Classic module to deploy clients’ applications, which made it possible to interact with the database and perform administrative tasks quickly and conveniently. Since it was part of the system, the three-level architecture was eliminated, so you do not need additional systems to deploy your applications.
As we can see in the picture, XS Classic directly forms a part of the system, which gives the applications located there quick access to the database and so increases their speed. Still, this module has several disadvantages. A significant drawback is that it supports only a small number of development languages for these applications, namely XSJS (one of the server-side JavaScript implementations) and OData technology.
The more serious issue is that all the applications located there run in the same XS Classic service instance. Access to all of them goes through one port, and if one application is denied service or fails, the entire service stops working, which terminates the remaining applications even though they are serviceable. After several years of using this concept, SAP decided to change it and released a new component for SAP HANA, HANA XS Advanced.
XS Advanced is a new, improved version of XS Classic, which is now a separate service, still supporting a three-level architecture.
XS Advanced is not only an application server; it also allows you to perform administrative tasks, both those of SAP HANA and your own. This led to the creation of new roles that grant rights to work in particular XS Advanced applications directly related to the management of SAP HANA.
Also, for the convenience of using this module, the ability to work with SAP HANA without SAP HANA Studio has been improved. It became possible to develop applications directly in the browser.
The main feature is the presence of containers for applications. This means that each application runs independently from the others, and a separate service process is started for each of them. It also became possible to install not only applications written in XSJS, but also Java, C++, Node.js and HTML5 ones. That is it for now, but in the future the number of supported languages will increase.
Types of SAP HANA
At the moment, there are two main versions of SAP HANA: SAP HANA 1.0 and SAP HANA 2.0. For each one, individual updates come out in the form of Support Package Stacks (SPS) and Patch Levels. Every version has its own Support Package Stack, which is released about once every six months. Patches for each SPS are released about once every 2 months, but this can be more frequent if critical vulnerabilities or bugs are found.
There are no significant differences between these systems, but in the second version the number of actions that can be tracked in audit policies was increased, and instead of the old XS Classic only XS Advanced was supported. Since SPS 01, SAP HANA 2.0 has been a “Multitenant”-only system, which makes it more extensible: if you need to add an application with a separate database, you don’t have to re-install the system. You can simply create another database independent from the current one.
So that users can use SAP HANA without deploying it on their own servers, the SAP HANA Cloud service was developed. There are several ways in which SAP HANA can be delivered, in particular:
- Infrastructure as a Service (IaaS) – in this case, the vendor provides only the server on which the system will be located, and the user has to install, configure and update the system.
- Platform as a Service (PaaS) – in this case, the vendor provides the user not only with the server on which the system will be hosted, but also with the system itself, and the user only configures and updates the system for their own use.
- Software as a Service (SaaS) – with this option, the user only works with the system; the configuration and updating tasks remain on the vendor’s side and the user doesn’t have to care about them.
Besides the differences in provisioning, such systems differ in functionality. With IaaS, SAP HANA is no different from what you can put on your own server. To work with it, you don’t need additional software: just specify the IP address of the server and connect as you would to an ordinary SAP HANA. PaaS and SaaS require other steps. For example, a wide range of applications can be deployed on the basis of SAP HANA, much wider than what the standard XS Classic and XS Advanced services support. In addition, to work with these delivery models, you have to use software such as SAP HANA Cloud Connector.
SAP HANA Cloud Connector is special server software that gives your local applications access to the SAP HANA Cloud. It is best installed on a separate server for ease of interaction and configuration. We will cover the details of its possible installation and usage options later in one of our articles.
In the following articles of SAP HANA for dummies
In future articles, we will tell you about the types of SAP HANA installation, such as “Multitenant” and “Singletenant”, and discuss their main differences and features. We will separately study logging in the system and the logging settings that are necessary for a secure configuration. We will also consider how to interact with SAP HANA Cloud. And, of course, we will cover the most critical vulnerabilities of SAP HANA, such as remote execution of operating system commands via SAP HANA TrexNET, and others.
This is a Security Bloggers Network syndicated blog post authored by Research Team. Read the original post at: Blog – ERPScan