Securing the Activation of Traffic Traces in SAP HANA Cloud connector 1.3.2
Securing the Activation of Traffic Traces
The Cloud connector provides the possibility to trace all network traffic going through it (HTTP/RFC requests and responses) for support purposes. This traffic data may contain business critical information or security sensitive data, that is usernames, passwords, address data, credit card numbers, and so on. Thus, by activating the corresponding trace level, a Cloud connector administrator could see business data that they are not supposed to see. If you want to prevent this from happening, you need to implement the following four-eyes principle, which is supported starting with SAP HANA Cloud connector release 1.3.2. Once this four-eyes principle is in place, activating a trace level that dumps traffic data will require two separate users: an operating system user on the machine where the SAP HANA Cloud connector is installed and an Administrator user of the Cloud Connector user interface. By assigning these two users to two different persons, it can be ensured that both persons are needed to activate a traffic dump, e.g. when a certain problem needs to be troubleshot, and that neither of them alone can do so.
Here is how to set up the four-eyes principle:
- In the directory /usr/local/vl/base/cfg (Cloud Connector 1.x) create a file with the name writeHexDump. The owner of that file needs to be different from the scctunnel user (i.e. the operating system user of the tunnel processes) and not a member of the operating system user group sccgroup.
- Only the owner of the file, but no other user shall have write permission for this file.
- The scctunnel user needs to have read permission for this file.
- Initially the file should contain a line like
Once this file is in place, the SAP HANA Cloud connector will refuse any attempt to set the trace level higher than Runtime. In order to set a higher trace level, which includes traffic hex dumps, first the owner of the above file needs to change the file content from
allowed=true, and then the Administrator user can activate one of the higher trace levels from the SAP HANA Cloud connector administration screens.
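The ownership and permission rules above are easy to get subtly wrong (a group-writable file, or an owner who happens to be in sccgroup, silently defeats the four-eyes control). The following shell script is an added example, not SAP's code or part of the Cloud connector: it audits a writeHexDump file against each rule from the list and reports whether traffic dumps are currently allowed. It assumes Linux with GNU coreutils (`stat -c`, `id -nG`); the user and group names default to scctunnel and sccgroup as named on the page, and the file path is a parameter so the check can be run against a copy.

```shell
#!/bin/sh
# Added example, not part of SAP's documentation or product: an audit helper for
# the writeHexDump four-eyes file. Assumes Linux with GNU coreutils (stat -c, id -nG).
# Default user/group names (scctunnel, sccgroup) are the ones the page names;
# the file path is a parameter so the script can be exercised on a copy.

# check_writehexdump FILE [TUNNEL_USER] [TUNNEL_GROUP]
# Returns 0 when FILE satisfies all four-eyes constraints, 1 otherwise,
# printing one "FAIL:" line per violated rule.
check_writehexdump() {
    file=$1
    tunnel_user=${2:-scctunnel}
    tunnel_group=${3:-sccgroup}
    rc=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, so the four-eyes check is not enforced"
        return 1
    fi

    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    perms=$(printf '%04d' "$(stat -c '%a' "$file")")   # e.g. 644 -> 0644
    grp_digit=$(printf '%s' "$perms" | cut -c3)
    oth_digit=$(printf '%s' "$perms" | cut -c4)

    # Rule 1: the owner must be a different OS user than the tunnel user.
    if [ "$owner" = "$tunnel_user" ]; then
        echo "FAIL: file is owned by the tunnel user $tunnel_user"
        rc=1
    fi

    # Rule 2: the owner must not be a member of the tunnel group.
    # (id -nG lists all groups of an existing account; an unknown owner yields no match.)
    if id -nG "$owner" 2>/dev/null | tr ' ' '\n' | grep -qx "$tunnel_group"; then
        echo "FAIL: owner $owner is a member of $tunnel_group"
        rc=1
    fi

    # Rule 3: only the owner may write, so group and other write bits must be clear.
    case "$grp_digit$oth_digit" in
        *[2367]*)
            echo "FAIL: mode $perms grants write access to group or other"
            rc=1 ;;
    esac

    # Rule 4: the tunnel user must be able to read the file. Without logging in as
    # that user we accept world-read, or group-read when the file's group is the tunnel group.
    readable=0
    case "$oth_digit" in 4|5|6|7) readable=1 ;; esac
    if [ "$group" = "$tunnel_group" ]; then
        case "$grp_digit" in 4|5|6|7) readable=1 ;; esac
    fi
    if [ "$readable" -eq 0 ]; then
        echo "FAIL: mode $perms does not let $tunnel_user read the file"
        rc=1
    fi

    return "$rc"
}

# hexdump_enabled FILE
# Returns 0 when the file currently contains the line allowed=true (the value the
# page shows for enabling traffic dumps; exact-match parsing is this script's own
# assumption), 1 otherwise. Useful as a monitoring probe: alerting on this
# transition records when the file owner opened the dump window.
hexdump_enabled() {
    grep -qx 'allowed=true' "$1" 2>/dev/null
}

# Stand-alone usage: ./check_writehexdump.sh /usr/local/vl/base/cfg/writeHexDump
if [ $# -gt 0 ]; then
    check_writehexdump "$@" && echo "OK: four-eyes constraints hold"
    if hexdump_enabled "$1"; then
        echo "NOTE: traffic hex dumps are currently allowed"
    fi
fi
```

Run it periodically (or from a file-integrity monitor) on the Cloud connector host: a FAIL line means a single person could activate a traffic dump on their own, and a NOTE line while no support case is open is worth a question to the file owner.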