Active and configure audit in SAP HANA

 Auditing: To Track the record of changes in roles of SAP HANA database.

why do we need to setup auditing:

1. Accountability - User are responsibile for the actions they do.

2.Discourage unauthorized access.

3.Monitoring any suspicious activities.

4.To find the source of breach.

To configure Audits in SAP HANA:

* Need AUDIT ADMIN - system privilege is required.

1. Select the target system, where we need to configure Aduit policy --> 1.expand -->2.Security --> 3.Security as highlighted below.

2.Choose the Auditing table as shown below.                                                                                                       

Result of audit logs can be seen by queries in SYS.Audit

#3. Authorization in GRC SYSTEM.

Authorization in GRC SYSTEM. 

* SAP_GRAC_BASE is the base authorization role.

* SAP_GRAC_NWBC is for base authorization for launching NWBC.

* In GRC system, Access T-code - PFCG

         role:  SAP_GRAC*

         Copy all standard SAP given roles in to customize name space --> then use them for operations.

* To view list of authorization objects of GRC --> SU24(T-code) --> Authorization objects tab --> Authorization objects --> GRAC*

Understanding Authorization Risks:

* Segregation of Duties(SOD) is a concept of separating "incompatible duties".
     Example one person doesn't have all three duties.

1. Authorization = approving.

2.Safe keeping = holding the asset (or) Access to the asset.

3.Record keeping = keeping track of the asset /liability.

                                               👇

Then more men power is needed for SOD.

                                                👇

However many stakeholders, did not accept SOD segregation. Which may leads to cost increase.

                                                👇

Conclusion is without increase the cost, need to maintain best risk avoid protocols.

 

SAP different types of landscapes

 

Life cycle of SAP

 

Life cycle of SAP
Phases	Describtion of phase
Evalution	In the phase, SAP team will sits with product based company and Analysis their business.
Project prepartion	In this phase, Project planning will be done.Goals,scope,timeline,budget & establishing the project team.
Business blue print	Business processes mapping to corresponding SAP processes.
Realization	in this phase, actual configuration and customization of the system. only Development server will be designed here.
Testing	What ever the development they did in above, tests will be done.
Final preparation	Production server starts building.
Go-live	Few configurations where are specifically to production server can be done in this phase.
Sustain/support	To few errors in case of any and to adopt new features.
End of maintainence	SAP dont support for this versions.
Evalution	In the phase, SAP team will sits with product based company and Analysis their business.

External SAP HANA PSE File and Certificate Management

External SAP HANA PSE File and Certificate Management

Certificates can also be stored and managed within files located in the file system of the SAP HANA instance. 

By default, they’re stored in the following path:

/hana/shared/<SID>/HDB<instance number>/<host name>/sec

you’ll find several files with a .pse extension. For example:

sapsrv.pse

saplogon.pse

sapslcs.pse

sapsys.pse

sap_system_pki_instance.pse

sap_system_pki_internal.pse

sapsrv_internal.*.pse

Each file has an intended purpose,

1.authentication 

2.TLS secure communication.

There are two main ways to configure PSE files:

1. Command-line using SAPGENPSE tool

2. Web-based SAP Web Dispatcher Administration GUI

*using SAP web dispatcher tool, we can manage .pse certificates effectively.

To access the Web Dispatcher Admin GUI, the user must have the role:

sap.hana.xs.wdisp.admin::WebDispatcherAdmin

Access URL example:

http://<SAP_HANA_XS_HOST>:80(<instance #>)/sap/hana/xs/wdisp/admin/

Example:

http://w4-dh-hana19e-corp.root.internal.com:8000/sap/hana/xs/wdisp/admin

Authentication is required with SAP HANA internal user credentials.

the landing page will default to the SAP web dispatcher monitor.on the leftside,MENU -->PSE management-->just under the SSL and trust configuration.

The interface has a Manage PSE dropdown where you select the PSE file to manage.

With a PSE selected, the following actions are available:

Interface Option | Description

Recreate PSE

When selected, the active PSE file will be reset to a default state. All certificates will also be removed from the trust store.

Delete PSE

To delete a PSE from the file system, select the PSE file in the Manage PSE dropdown menu, then select this option.

Create New PSE

Used to create a new PSE. When clicked, a new window will appear, allowing you to define the PSE encryption algorithm, key length, distinguished name, and file name.

Export Own Certificate

When selected, a new window will appear containing the certificate of the selected PSE file.

Create CA Request

When selected, a new window will appear containing the certificate request text. Copy this text to a certificate authority to generate a new certificate response.

Import CA Response

When selected, a new window will appear containing a text entry block in which the certificate response text can be pasted or entered.

Import Certificate

When selected, a new window will appear containing a text entry block in which a trusted certificate’s text can be pasted or entered.