SAP BASIS MADE EASY
Helping you to protect your tomorrow
Saturday, 19 July 2025
Life cycle of SAP
Phases | Description of phase |
Evaluation | In this phase, the SAP team sits with the product-based company and analyses its business. |
Project preparation | In this phase, project planning is done: goals, scope, timeline, budget and establishing the project team. |
Business blueprint | Business processes are mapped to the corresponding SAP processes. |
Realization | In this phase, the actual configuration and customization of the system are done. Only the development server is designed here. |
Testing | Whatever was developed in the phase above is tested. |
Final preparation | Building of the production server starts. |
Go-live | A few configurations that are specific to the production server can be done in this phase. |
Sustain/support | To fix errors, if any, and to adopt new features. |
End of maintenance | SAP no longer supports these versions. |
Monday, 30 June 2025
External SAP HANA PSE File and Certificate Management
Certificates can also be stored and managed within files located in the file system of the SAP HANA instance.
By default, they’re stored in the following path:
/hana/shared/<SID>/HDB<instance number>/<host name>/sec
In this directory, you’ll find several files with a .pse extension. For example:
sapsrv.pse
saplogon.pse
sapslcs.pse
sapsys.pse
sap_system_pki_instance.pse
sap_system_pki_internal.pse
sapsrv_internal.*.pse
Each file has an intended purpose:
1. Authentication
2. TLS secure communication
There are two main ways to configure PSE files:
1. Command-line using SAPGENPSE tool
2. Web-based SAP Web Dispatcher Administration GUI
* Using the SAP Web Dispatcher tool, we can manage .pse certificates effectively.
To access the Web Dispatcher Admin GUI, the user must have the role:
sap.hana.xs.wdisp.admin::WebDispatcherAdmin
Access URL example:
http://<SAP_HANA_XS_HOST>:80(<instance #>)/sap/hana/xs/wdisp/admin/
Example:
http://w4-dh-hana19e-corp.root.internal.com:8000/sap/hana/xs/wdisp/admin
Authentication is required with SAP HANA internal user credentials.
The landing page defaults to the SAP Web Dispatcher monitor. In the menu on the left side, open PSE Management, which sits just under SSL and Trust Configuration.
The interface has a Manage PSE dropdown where you select the PSE file to manage.
With a PSE selected, the following actions are available:
Interface Option | Description
Recreate PSE | When selected, the active PSE file will be reset to a default state. All certificates will also be removed from the trust store.
Delete PSE | To delete a PSE from the file system, select the PSE file in the Manage PSE dropdown menu, then select this option.
Create New PSE | Used to create a new PSE. When clicked, a new window will appear, allowing you to define the PSE encryption algorithm, key length, distinguished name, and file name.
Export Own Certificate | When selected, a new window will appear containing the certificate of the selected PSE file.
Create CA Request | When selected, a new window will appear containing the certificate request text. Copy this text to a certificate authority to generate a new certificate response.
Import CA Response | When selected, a new window will appear containing a text entry block in which the certificate response text can be pasted or entered.
Import Certificate | When selected, a new window will appear containing a text entry block in which a trusted certificate’s text can be pasted or entered.
Saturday, 31 May 2025
SAP HANA Security - certificate management inside DB
Certificates in SAP HANA
SSL (Secure Sockets Layer) is a communication protocol.
The goal of SSL protocols within SAP HANA is to secure the communication channel between a client and the SAP HANA platform.
Client communication occurs via JDBC, ODBC or HTTP within the SAP HANA platform.
Encryption: If we’re using SAP HANA studio to execute queries and return data sets, then enabling SSL in our system connection properties will ensure that the data sets are transmitted in an encrypted format and then decrypted by SAP HANA studio.
In SAP HANA, certificates can be stored either:
1. in the database itself
or
2. within the file system
************************************************************
1/4. Database certificate management:
* SAP HANA allows X.509 certificates to be stored within the DB itself.
* Certificate information can be imported directly into the DB using the SQL console and specific SQL commands.
Once imported, they are assigned to a certificate collection, also called an internal personal security environment (PSE).
In-database certificate management is accomplished using SQL commands.
There are 4 categories of commands to discuss:
1. Adding certificates to the system
2. Managing the certificate collection
3. Managing certificates in PSE
4. Defining the purpose of the certificate
---
1) Add a certificate to the In-Database Store:
→ To add a certificate to the in-database certificate store, use the CREATE CERTIFICATE FROM SQL command.
→ To execute this statement, grantees will need the CERTIFICATE ADMIN system privilege.
---
CREATE CERTIFICATE FROM
'-----BEGIN CERTIFICATE-----
ERSJK
-----END CERTIFICATE-----'
COMMENT 'E-Corp Certificate CA Client Communications';
To drop a certificate that hasn't already been added to a certificate collection:
→ Use the DROP CERTIFICATE SQL statement.
→ For example, execute the following SQL statement to drop a certificate with a certificate ID of 123456:
DROP CERTIFICATE 123456;
To determine the certificate ID of a previously imported certificate:
SELECT * FROM SYS.CERTIFICATES;
→ Next, we need to assign the certificate to a certificate collection.
2) Create/delete a certificate collection or PSE:
Certificates must be associated with a PSE, so we need to create one before we can assign the purpose of the certificate.
To create a PSE, execute the CREATE PSE SQL command. To execute this SQL command, the grantee must have the TRUST ADMIN system privilege.
---
The following statements provide the general syntax and an example:
CREATE PSE <PSE_NAME>;
CREATE PSE "BI-SSO-SAM-CERT";
→ To view a list of certificates by PSE, we can query the PSE_CERTIFICATES system view. For example, to view all the certificate collections or PSEs within an SAP HANA system, use the following SQL query:
SELECT * FROM PSE_CERTIFICATES;
→ To view a list of PSEs defined in the system, execute the following SQL statement:
SELECT * FROM PSES;
→ To delete a PSE:
DROP PSE <PSE_NAME>;
DROP PSE "BI-SSO-SAM-CERT";
Next, we need to assign a certificate to a PSE.
3) Manage certificates within the PSE:
We can use SQL commands to add and remove certificates from a PSE.
To add a certificate to the PSE, use the ALTER PSE SQL command.
To alter the PSE, you must be the owner of the PSE. Also, the grantee must have the ALTER object privilege on the certificate collection or PSE.
The following SQL will grant access to a PSE:
GRANT ALTER ON PSE "BI-SSO-SAM-CERT" TO SECURITY_ADMIN;
To add an existing certificate to the PSE:
ALTER PSE <PSE> ADD CERTIFICATE <certificate-ID>;
Replace <PSE> with the name of your PSE and <certificate-ID> with the certificate's ID number.
To remove a certificate from a PSE, use the following SQL command:
ALTER PSE <PSE> DROP CERTIFICATE <certificate-ID>;
---
4) Define the purpose of the PSE:
The final step in in-database certificate management is to define the purpose of the PSE and its certificates.
There are 2 types of purpose, each with its own system privilege:
Authentication: USER ADMIN system privilege
TLS (Transport Layer Security): SSL ADMIN system privilege
→ In both cases, the grantee must have access to the PSE.
Supported PSE purposes for in-database certificate management:
Purpose | Use
SAML | If the PSE is used for SAML SSO authentication.
SAPLOGON | If the PSE is used for SAP assertion ticket authentication.
X509 | If the PSE is used for X.509 certificate-based authentication.
SSL/TLS | If the PSE is used to secure communication using JDBC, ODBC, or SAP HANA-specific clients.
DATABASE REPLICATION | If the PSE is used to secure the network data packets communicated during system replication.
JWT | If the PSE is used for JSON Web Token authentication.
---
If a grantee doesn't have access to the PSE or isn't the owner of the PSE, the REFERENCES object privilege must be assigned to the grantee.
For example, the following SQL command will grant REFERENCES to the CERT_ADMINS role:
GRANT REFERENCES ON PSE "BI-SSO-SAM-CERT" TO CERT_ADMINS;
→ CERT_ADMINS is the role name.
To define the purpose of the PSE, execute the SET PSE SQL command:
SET PSE <PSE Name> PURPOSE <Purpose>;
SET PSE "BI-SSO-SAM-CERT" PURPOSE SAML;
→ In the first statement, replace the <PSE Name> variable with the name of the PSE. Replace the <Purpose> variable with the name of a purpose listed in the table above.
→ To remove the purpose, use the UNSET PSE SQL command:
UNSET PSE "BI-SSO-SAM-CERT" PURPOSE SAML;
→ Here, BI-SSO-SAM-CERT is the certificate collection (PSE).
---
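Read-only checks to run after the four steps above, as an added example that is not from the original post: they show what each PSE holds, which imported certificates were never assigned to a PSE, which are close to expiry, and who holds the system privileges named in this post. The column names used from PSES, PSE_CERTIFICATES, CERTIFICATES and GRANTED_PRIVILEGES, and the 30-day window, are assumptions; confirm them against SELECT * on your revision.

```sql
-- Added example: verification queries, no changes are made to the system.
-- Assumed columns: PSES(NAME, PURPOSE), PSE_CERTIFICATES(PSE_NAME,
-- CERTIFICATE_ID, SUBJECT_COMMON_NAME, VALID_UNTIL),
-- CERTIFICATES(CERTIFICATE_ID, SUBJECT_COMMON_NAME, VALID_UNTIL).

-- 1. Every PSE with its purpose and the certificates it contains.
--    A PSE with no rows from PSE_CERTIFICATES is empty (step 3 was skipped);
--    a PSE with no purpose shown has not been through step 4.
SELECT p.NAME    AS pse_name,
       p.PURPOSE AS pse_purpose,
       pc.CERTIFICATE_ID,
       pc.SUBJECT_COMMON_NAME,
       pc.VALID_UNTIL
  FROM PSES AS p
  LEFT JOIN PSE_CERTIFICATES AS pc
         ON pc.PSE_NAME = p.NAME
 ORDER BY p.NAME, pc.VALID_UNTIL;

-- 2. Certificates imported with CREATE CERTIFICATE but not in any PSE.
--    These are the only ones DROP CERTIFICATE can remove directly.
SELECT c.CERTIFICATE_ID, c.SUBJECT_COMMON_NAME, c.VALID_UNTIL
  FROM CERTIFICATES AS c
 WHERE NOT EXISTS (SELECT 1
                     FROM PSE_CERTIFICATES AS pc
                    WHERE pc.CERTIFICATE_ID = c.CERTIFICATE_ID);

-- 3. Certificates inside a PSE that have expired or expire within 30 days.
SELECT pc.PSE_NAME,
       pc.CERTIFICATE_ID,
       pc.SUBJECT_COMMON_NAME,
       pc.VALID_UNTIL,
       DAYS_BETWEEN(CURRENT_UTCTIMESTAMP, pc.VALID_UNTIL) AS days_left
  FROM PSE_CERTIFICATES AS pc
 WHERE pc.VALID_UNTIL < ADD_DAYS(CURRENT_UTCTIMESTAMP, 30)
 ORDER BY pc.VALID_UNTIL;

-- 4. Least-privilege review: who holds the system privileges this
--    procedure depends on.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE PRIVILEGE IN ('CERTIFICATE ADMIN', 'TRUST ADMIN',
                     'SSL ADMIN', 'USER ADMIN')
 ORDER BY PRIVILEGE, GRANTEE;
```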
The internal certificate store doesn’t include all possible certificates.
Let’s look at how we can also use files within the OS to store certificates.
Friday, 23 May 2025
GRC add ons List #2
* NOTA Fiscal Electronica - for
environment
health and safety
use add-on - SLL-NFE
can customise standard GRC configuration.
changes from dev to qad to prd can be pushed using TMS
satellite system:
add-on list