Increase the System Isolation Level

Prerequisites
You have root access to the SAP HANA system.
You are logged on to the system database in the SAP HANA cockpit.
You have the system privilege DATABASE ADMIN.
Internal SAP HANA communication has been appropriately configured for TLS/SSL.
The [communication] ssl property in the global.ini file must have the value false (default) or systemPKI.

For more information, see Secure Internal Communication and Server-Side TLS/SSL Configuration Properties for Internal Communication in the SAP HANA Security Guide.

If the system is running in an SAP HANA system replication configuration, the system PKI SSFS data file and key file have been copied from the primary system to the same location on the secondary system(s):
$DIR_INSTANCE/../global/security/rsecssfs/data/SSFS_<SID>.DAT
$DIR_INSTANCE/../global/security/rsecssfs/key/SSFS_<SID>.KEY

Procedure
1. For every tenant database, create a dedicated OS user and group:
   A. As the root user, log on to the server on which the name server of the system database is running.
   B. Create new groups for every tenant database:
      groupadd <groupname>
   C. Create new users for every tenant database, specifying sapsys as the primary group:
      useradd -g sapsys <username>
   D. Add every new user to the <sid>shm group and their own group as secondary groups:
      usermod -G <sid>shm,<usergroup> <username>

2. Stop all tenant databases in the system.
   In the system database, execute the SQL statement ALTER SYSTEM STOP DATABASE <databasename>.

3. Configure the system for high isolation.
   As the operating system user <sid>adm, log on to the server on which the master index server is running and run the following command:

   python /usr/sap/<SID>/HDB<instance>/exe/python_support/convertMDC.py --change=databaseIsolation --isolation=high

   This command runs the following actions:

   Stops the system
   Changes the value of the [multidb] database_isolation property in the global.ini file to high
   Starts the system

4. Assign every database to its respective OS user and group.
   In the system database, execute the SQL statement ALTER DATABASE <databasename> OS USER '<username>' OS GROUP '<groupname>'

5. Start all tenant databases.
   In the system database, execute the SQL statement ALTER SYSTEM START DATABASE <database_name>
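
The following read-only shell functions are an added example, not part of the SAP documentation: they verify the two global.ini properties named on this page and the group memberships set up in step 1. The function names, the global.ini path passed in, and the "DATABASE OSUSER OSGROUP" list fed to check_dedicated are assumptions supplied by the operator.

```shell
#!/bin/sh
# Added example (not SAP code): read-only checks for the high-isolation setup.

# ini_get FILE SECTION KEY: print the value, or nothing if the key is not set.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == sec); next }
        in_sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_isolation_config GLOBAL_INI: 0 if both properties have the values the page requires.
check_isolation_config() {
    ssl=$(ini_get "$1" communication ssl)
    iso=$(ini_get "$1" multidb database_isolation)
    rc=0
    case "${ssl:-false}" in               # unset means the default, false
        false|systemPKI) ;;
        *) echo "FAIL [communication] ssl=$ssl (want false or systemPKI)"; rc=1 ;;
    esac
    [ "$iso" = high ] || { echo "FAIL [multidb] database_isolation=${iso:-unset} (want high)"; rc=1; }
    return $rc
}

# check_tenant_groups PRIMARY "ALL_GROUPS" SID TENANT_GROUP
# On a host: check_tenant_groups "$(id -gn "$u")" "$(id -Gn "$u")" <sid> <groupname>
check_tenant_groups() {
    [ "$1" = sapsys ] || { echo "FAIL primary group is $1 (want sapsys)"; return 1; }
    for want in "${3}shm" "$4"; do
        case " $2 " in
            *" $want "*) ;;
            *) echo "FAIL missing secondary group $want"; return 1 ;;
        esac
    done
}

# check_dedicated: stdin lines "DATABASE OSUSER OSGROUP"; fails if any user or group is reused.
check_dedicated() {
    awk '{ du = u[$2]++; dg = g[$3]++
           if (du || dg) { print "FAIL " $1 " shares an OS user or group"; bad = 1 } }
         END { exit bad }'
}

# Constructed sample global.ini fragment for trying the checks offline.
sample_global_ini() {
    printf '%s\n' '[communication]' 'ssl = systemPKI' '' '[multidb]' 'database_isolation = high'
}
```

Run check_isolation_config after step 3 and check_tenant_groups for each tenant user before step 4; a reused OS user or group reported by check_dedicated means two tenants are not separated at the OS level.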
                              
Results

The system is now running in high isolation mode. As a result:

The processes of individual tenant databases run under dedicated OS users belonging to dedicated OS groups and the processes of the system database run under the <sid>adm user.
Internal database communication is authenticated using X.509 client certificates. Depending on how SSL for internal communication is configured, data communication within databases may also be encrypted. For more information about secure internal communication, see the SAP HANA Security Guide.
Operations that require operating system access are restricted to users with the correct permissions. For more information, see the section on file and directory permissions with high isolation.
New tenant databases can only be created if a dedicated OS user and group exist.
