
Has anyone implemented CyberArk security tools for SAP system accounts?

lance_patrick
Discoverer
0 Kudos

We are testing CyberArk  for privileged account access to SAP, and would like to collaborate with anyone who has done the same. Please respond if you have any experience with integrating the two systems.

Thanks,

Lance

Accepted Solutions (0)

Answers (3)

0 Kudos

Were you able to get the CyberArk SAP application plug-in working on the CPM machine to change DDIC and other SAP application users?

david_flad3
Explorer
0 Kudos

Lisa, we will be doing this in the next few weeks.  Have you tried and experienced issues?  I'd be interested in any feedback from your efforts.

For all, we have a working CyberArk plug-in that will use a <sid>adm login account to execute a brconnect command to change the password for BRT$ADM on the SAP databases.  The CyberArk setup requires a couple of vault entries to make this work.

0 Kudos

We are working on setup today for SAP dialog user.  I will let the group know our results.

For all, we are working with CyberArk to get the following scenarios for password change configured

- SAP application accounts for system, dialog, and communication users

- Linux - <sid>adm

- database accounts (Oracle and HANA)

david_flad3
Explorer
0 Kudos

Lisa,  definitely would be good to hear your progress.

Of your three setups, we have the last 2 already working in our environment -- with the exception of some automated change, versus manual change.  We leverage Redwood Scheduler, and it executes some OS-level scripts as the <sid>adm account.  As a result, the Redwood system needs to know the <sid>adm password in order to launch those OS scripts.  Automatically changing the OS password doesn't update Redwood's configs.

This is one of our more problematic items.

As for the DB changes, we have a plug-in and setup that is working really well for that -- but we haven't attempted it for HANA DB, only Oracle 11 and Oracle 12 DBs.

Do you have any MaxDB databases that you will be managing with CyberArk?

Former Member
0 Kudos

All, any luck in integrating HANA DB with CyberArk to manage HANA DB account passwords?

I have a basic requirement to vault the HANA DB SYSTEM account and a few elevated account passwords into CyberArk and rotate these passwords on a periodic basis. I'd appreciate it if you can share some tips on achieving this.

Thanks

Rajesh

linda_westerhold
Explorer
0 Kudos

Hi Rajesh,

On a periodic basis, yes, CyberArk can store the HANA users and passwords and you can have them manually changed and synced up. However, CyberArk still can't automate this process yet.

So you can store the user and password within CyberArk and then it would have to be manually updated.

linda_westerhold
Explorer
0 Kudos

Hi Lance, I'm actually working with our CyberArk security tools group to implement this. So far, we can store the SYSTEM password in CyberArk but the issue I am having is how to have them create the policy. We're just now testing that CyberArk can log into the HANA database. I opened up a ticket with SAP and so far their only response back was that they do not support CyberArk, so I'm sure I will be working a few weeks at least on any answer from SAP. What I am doing is trying to create an OS-level script to log into hdbsql at the command line and run a simple ALTER USER XXX PASSWORD newpassword. Have you had any luck yet interfacing to have CyberArk auto-manage HANA users any other way?

david_flad3
Explorer
0 Kudos

Linda, I am working with Lance on our current implementation and we were hoping others had gone down the trail we're trying to blaze ourselves.

About 1 year back, our proof-of-concept activity with CyberArk Professional Services was not geared towards anything in the HANA environment. However, we were able to successfully demo CyberArk control of a regular application login (via SAPGUI) by launching the GUI by executing the sapshcut.exe program with parameters; access a system/OS-level (<sid>adm) account for tracking administrative work; automate use of a <sid>adm account and issuing a brconnect command line with parameters to change the SAP DB passwords; change a password in SAP automatically; and lastly, dynamically have an OS script call into CyberArk and retrieve a password for a replaceable parameter in an OS script that did a remote connection/file transfer to a non-SAP server.

Not being familiar with the HANA setup, is it really necessary to create DB-level accounts? Is there no similar "higher-level" interface like there is for the other SAP systems (ERP for example) to create user accounts? How are you managing privileges/authorizations to the data in the HANA DB? I would imagine that not every user should have the ability to extract content directly from the database.

linda_westerhold
Explorer
0 Kudos

Hi David,

I'm not familiar with any higher-level interface or the SAP ERP account management side of it. I can tell you how to create users directly in HANA studio and at the command line, which is where we are trying to work with CyberArk to automate the password resets. We can store passwords for HANA users including the SYSTEM user within CyberArk and have it manually change the password. We are just trying to automate this.

I'm stumped at the moment as to why this is difficult for CyberArk to do, since the process manually works the same way in HANA as it does for Oracle at the command line. CyberArk just hasn't grasped this process yet, so we continue to work with them on it.

Linda

david_flad3
Explorer
0 Kudos

Linda, thanks for the update. 

We are having CyberArk build a custom CLI process for automating (via the SAP BRTOOLS utility) the SAP application DB user passwords. I would suspect that if you can sketch out the sequence of SQL commands to be applied, they can build a custom plug-in for it.

That being said, I don't know much about HANA and users, but if the BRTOOLS capability is available, you could probably leverage what we're getting, since essentially we're already passing in the account to change, except in our case we're hardcoding to the user SAP expects for SYSTEM->DB access.

Are you currently using CyberArk to manage any standard SAP system application accounts?  Something like SAP* or DDIC, or even a generic user account like you'd have for an external RFC connection?

I'll keep you posted on our progress with the custom plug-in -- for now, the command line is pretty simple for us with BRTOOLS:

ssh {SIDADMUSER}@{SAPSERVERNAME}

brconnect -u / -f chpass -o 'BRT$ADM' -p {PASSWORD} -s brtools

Variables:

{SIDADMUSER} = the SAP administrative user account on the specific SAP server.
For example:  for the PRODUCTION SAP ERP System, the user is 'prdadm'.

{SAPSERVERNAME} = the virtual or physical server name for the SAP environment where the SAP Application user password has to be updated.

{PASSWORD} = the new password to be assigned     Example:  N3wPa$$W0rd!

You could replace 'BRT$ADM' with the HANA user account name, and eliminate the trailing -s brtools parameter.
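As an added example (not the poster's code and not a CyberArk plug-in), the following POSIX shell sketch assembles the command line above so that the new password reaches brconnect as one literal argument, and checks that it survives the remote login shell unchanged; the host and user names are constructed placeholders. The same quoting concern applies to the hdbsql ALTER USER approach Linda describes.

```shell
#!/bin/sh
# Added example, not from the post. Builds the brconnect password-change command
# so the new password travels as ONE literal argument through the remote shell.
# Nothing here connects anywhere; host and user names below are constructed.

# Quote an arbitrary string for a POSIX shell: wrap it in single quotes and
# turn every embedded single quote into '\'' so it survives one parse intact.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the remote brconnect command line from the post. '-u /' is OS-level DB
# authentication as <sid>adm; -o is the DB account whose password changes.
# Caveat: -p puts the password on the command line, so it is visible in 'ps'
# on the SAP host while brconnect runs and in any command logging of the plug-in.
build_chpass_cmd() {
    printf 'brconnect -u / -f chpass -o %s -p %s -s brtools' "$(sq "$1")" "$(sq "$2")"
}

# Build the full local command: ssh gets the whole remote command as a single
# argument, so the quoting from sq() is exactly what the remote shell sees.
build_ssh_cmd() {
    sid_adm=$1 host=$2 db_user=$3 new_pw=$4
    printf 'ssh %s@%s %s' "$sid_adm" "$host" "$(sq "$(build_chpass_cmd "$db_user" "$new_pw")")"
}

# Check that a value quoted by sq() comes back unchanged after one round of
# shell parsing, which is what the remote login shell will do to it.
survives_shell() {
    original=$1
    eval "set -- $(sq "$original")"
    [ "$#" -eq 1 ] && [ "$1" = "$original" ]
}

# Demo: the post's own example password contains '$$', which an unquoted
# template would expand to the shell's PID before brconnect ever saw it.
demo() {
    pw='N3wPa$$W0rd!'
    build_ssh_cmd prdadm sapprd01.example.invalid 'BRT$ADM' "$pw"
    printf '\n'
    survives_shell "$pw" && echo "password survives remote shell parsing"
}

demo
```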