
HANA static encryption key vulnerability

Former Member
0 Kudos

Hi Folks,

I have a question. I was going through the website and wanted to understand whether we are still facing an issue with the static encryption key, where it's the same for all installations. Has anyone faced this issue?

https://threatpost.com/static-encryption-key-found-in-sap-hana-database/113393

Accepted Solutions (1)

Former Member
0 Kudos

Hi!

The Security Guide for HANA recommends changing the encryption key:


9.2.2 Secure User Store (hdbuserstore)

(....)

Encryption Key

All password information contained in the secure user store is encrypted using a default encryption key. We recommend changing the default encryption key and using an individual encryption key.

This is not a flaw in my opinion.

Regards

Ulf

Answers (2)

Former Member
0 Kudos

See SAP Note 2183624 for more information.

Former Member
0 Kudos

Thanks a ton Martin for the response. We had raised a message also for the same.

Product support was just informed by development (only hours ago) that the security and administration guide for SPS09 is incorrect. The master key in SPS09 is not randomly generated upon installation and is still a static key.

Additionally, note http://service.sap.com/sap/support/notes/2183624 was released late yesterday with detailed steps on changing the SSFS master key.

Apologies for the confusion and best regards,

Former Member
0 Kudos

Martin,

There is one more problem: we don't know how to identify whether the new key is in use or not.

M_SECURESTORE view is not there in the SYS schema.

Former Member
0 Kudos

If you implemented all steps properly, the new master key will be used.

M_SECURESTORE is not a view, it's a monitoring view. You can find it via:

select * from m_monitors where view_name = 'M_SECURESTORE'

Former Member
0 Kudos

Hi Martin,

That's what I was trying to say. It's not there.

hdbsql SID=> select * from m_monitors where view_name = 'M_SECURESTORE'

SCHEMA_NAME,VIEW_NAME,DESCRIPTION,RESETTABLE

0 rows selected (overall time 18.856 msec; server time 1372 usec)

Former Member
0 Kudos

It may be that you have to check the internal view (with trailing underscore) with older revisions:

SELECT * FROM SYS.M_SECURESTORE_

Former Member
0 Kudos

Hi Martin,

I checked using HANA studio catalog --> SYS --> Views

I just cannot find it.

hdbsql UD3=> SELECT * FROM SYS.M_SECURESTORE_

* 259: invalid table name:  Could not find table/view M_SECURESTORE_ in schema SYS: line 1 col 19 (at pos 18) SQLSTATE: HY000

Former Member
0 Kudos

I checked and M_SECURESTORE was introduced with SPS 09, so if you use SPS 08 or below, you can't find it.

Former Member
0 Kudos

Martin,

We are on SPS08.

What can we do?

Former Member
0 Kudos

That's beyond my knowledge - probably just rely that it worked fine or upgrade to SPS 09.

Former Member
0 Kudos

I recently went through the same discussion. I believe that there would be a vulnerability only if we use a DEFAULT (hdbuserstore) setup in the secure store. Please let me know if you have found any information.

Regards,

Pavan Gunda