Tuesday, February 2, 2016

2183363 - Configuration of SAP HANA internal network

Symptom
Check the configuration of internal and system replication SAP HANA network communication channels for SAP HANA SPS 07 - SPS 11


Other Terms
HANA, encryption, system replication network, internode network, hostname, listeninterface, internal_hostname_resolution, communication, SAP HANA system replication, system_replication_hostname_resolution, system_replication_communication


Reason and Prerequisites
If the internal SAP HANA network and/or the SAP HANA system replication network is not configured correctly, internal SAP HANA services could be insecure.
The parameter listeninterface=.global / .internal in the section [communication] is required for communication between SAP HANA services (nameserver, indexserver, and so on) in a distributed system. As of SPS 07 it is not specific to SAP HANA system replication. The parameter listeninterface=.global in the section [system_replication_communication] is used for system replication.


Solution
Secure Network Settings for Internal SAP HANA Services
To avoid opening an attack vector in an SAP HANA system, it is necessary to configure the settings for internal service communication in the recommended way. Do not change the parameters manually but follow one of the procedures described in the SAP HANA Administration Guide, in the Lifecycle Management chapter ("Configuring SAP HANA Inter-Service Communication"). If root privileges or SSH are not available, you can still perform network configuration as of revision 82 but you will need to use a host-by-host approach, also known as decentralized execution. In this case, see SAP Note 2048681.
The following parameters in global.ini are important for a secure configuration:
  • [communication] listeninterface
  • [internal_hostname_resolution]
Depending on the setup of the SAP HANA system, we strongly recommend checking these parameters and, if necessary, reconfiguring them as described in the documents named below.
SAP HANA Single-Host System
In single-host systems, the listeninterface parameter in section [communication] must be set to .local.
To check this setting, use the following SQL statement:
SELECT * FROM "PUBLIC"."M_INIFILE_CONTENTS" WHERE SECTION = 'communication' AND KEY = 'listeninterface';
For single-host installations, the default value is .local and must not be changed.
SAP HANA Multihost System
A multihost SAP HANA production system must have a separate network for internal communication. The parameter listeninterface in section [communication] must be set to .internal or contain a CIDR netmask.
If the parameter listeninterface in section [communication] is set to .internal, the section [internal_hostname_resolution] must list all hosts of the system. Otherwise, communication between hosts will not work. To enter the hosts in the section [internal_hostname_resolution], you add a key value pair for every host. The key is an IP address and the value is the name of the host.
Figure 1: Example settings for section [internal_hostname_resolution] - see attachment
In the example, the pattern xx.xx.xx.* represents the IP address of the internal network.
The IP address xx.xx.xx.* must never be identical to the IP address with which the SAP HANA system is accessed from outside. See “Example of Hostname Resolution” below.
To list the IP address marked as public, use the following SQL statement:

SELECT * FROM "PUBLIC"."M_HOST_INFORMATION" WHERE KEY = 'net_publicname';
To check these settings, use the following SQL statements:
SELECT * FROM "PUBLIC"."M_INIFILE_CONTENTS" WHERE SECTION = 'communication' AND KEY = 'listeninterface';
For distributed (multihost) systems, the default value is .global. This is necessary for the initial installation and must be adjusted as described above.
SELECT * FROM "PUBLIC"."M_INIFILE_CONTENTS" WHERE SECTION = 'internal_hostname_resolution';
If no separate network has been configured for internal communication, additional measures to secure the communication channels like firewall, virtual private network and/or SSL/TLS are necessary. Please be aware that a distributed SAP HANA production system must always use a separate network for internal communication.
Information about changing the settings for a SAP HANA multihost system can be found in the SAP HANA Administration Guide, in the Lifecycle Management chapter ("Configuring SAP HANA Inter-Service Communication"). If root privileges or SSH are not available, see SAP Note 2048681.
Further information about securing SAP HANA communication can be found in the SAP HANA Security Guide and the SAP HANA Master Guide.
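The checks described above (single-host .local, multihost .internal or CIDR netmask, every host listed in [internal_hostname_resolution], internal addresses distinct from the public address) can be applied to an exported global.ini as shown in this added example. It is not part of the note or of SAP HANA; the hostnames, addresses and the function name check_internal_network are constructed placeholders, and treating a CIDR netmask as a network/prefix string is an assumption.

```python
import configparser
import ipaddress

# Constructed sample of the relevant global.ini sections (placeholder hosts and
# addresses, not taken from the note).
SAMPLE_GLOBAL_INI = """
[communication]
listeninterface = .internal

[internal_hostname_resolution]
192.168.10.11 = hana01
192.168.10.12 = hana02
"""


def check_internal_network(ini_text, hosts, public_ips):
    """Apply the note's rules; returns a list of findings (empty = compliant).

    hosts: names of all hosts in the system; public_ips: addresses under which
    the system is reached from outside (e.g. M_HOST_INFORMATION net_publicname).
    """
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep IP-address keys exactly as written
    cfg.read_string(ini_text)
    findings = []
    iface = cfg.get("communication", "listeninterface", fallback="").strip()

    if len(hosts) == 1:  # single-host: .local is the default and must stay
        if iface != ".local":
            findings.append(f"single-host system: listeninterface is '{iface}', expected .local")
        return findings

    # multihost: a separate internal network is required
    if iface == ".internal":
        section = "internal_hostname_resolution"
        mapping = dict(cfg.items(section)) if cfg.has_section(section) else {}
        missing = sorted(set(hosts) - set(mapping.values()))
        if missing:
            findings.append(f"[{section}] does not list hosts: {', '.join(missing)}")
        for ip in mapping:  # internal addresses must not be the public address
            if ip in public_ips:
                findings.append(f"internal address {ip} is also the public address")
    else:
        try:  # assumption: a CIDR netmask is written as network/prefix
            ipaddress.ip_network(iface, strict=False)
        except ValueError:
            findings.append(f"multihost system: listeninterface '{iface}' is not .internal or a CIDR netmask")
    return findings
```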



Header Data

Released On 21.12.2015 10:29:15
Release Status Released for Customer
Component HAN-DB SAP HANA Database
Priority Recommendations / Additional Info
Category Consulting
