on 06-20-2015 12:18 AM
Hi Folks,
I have a question. I was going through the website and wanted to understand whether we are still facing an issue with the static encryption key, where it's the same for all installations. Has anyone faced this issue?
https://threatpost.com/static-encryption-key-found-in-sap-hana-database/113393
Hi!
The Security Guide for HANA recommends changing the encryption key:
9.2.2 Secure User Store (hdbuserstore)
(....)
Encryption Key
All password information contained in the secure user store is encrypted using a default encryption key. We recommend changing the default encryption key and using an individual encryption key.
This is not a flaw in my opinion.
Regards
Ulf
See SAP Note 2183624 for more information.
Thanks a ton Martin for the response. We had raised a message also for the same.
Product support was just informed by development (only hours ago) that the security and administration guide for SPS09 is incorrect. The master key in SPS09 is not randomly generated upon installation and is still a static key.
Additionally, note http://service.sap.com/sap/support/notes/2183624 was released late yesterday with detailed steps on changing the SSFS master key.
Apologies for the confusion and best regards,
I recently went through the same discussion. I believe that there would be a vulnerability only if we use a DEFAULT(hdbuserstore) setup in the secure store. Please let me know if you have found any information.
Regards,
Pavan Gunda