Initial Setup and Secure Configuration (GCP) – by ...
Technology Blogs by SAP
In this blog, I will discuss the initial setup steps for the SAP HANA, express edition VM on GCP and provide some background information and suggestions for a secure configuration of your HXE system.
1. Initial Setup
Once the SAP HANA, express edition VM has been created by the GCP Cloud Launcher, you are presented with a number of suggested next steps.
Sudo su
Before you can get started using SAP HANA, express edition, you need to login first with the SAP HANA administration account: hxeadm. This is the software owner, the account that was used to install the software.
For the SAP HANA, express edition VM (the one you can run on your computer), a temporary password is provided but for the cloud version on GCP the approach is different, and to be fair, a bit more secure.
Spoiler alert! The HXEHana1 password is not valid on GCP. Message: password already used.
On GCP, you will be asked to set the password of the hxeadm user yourself. Now you may wonder, how do we connect as hxeadm if we do not have a (temporary) password in the first place? For this, a standard practice is used in Linux system administration: run the command as the superuser root.
So with the 'sudo su - hxeadm' command, we ask su (substitute user) to open a login shell as hxeadm (the dash in 'su - hxeadm' makes it a login shell, so hxeadm's profile is sourced and the SAP HANA environment variables and tools such as hdbsql are on the path), and we run su itself with the privileges of the superuser (sudo = superuser do). Because root may switch to any account without authenticating, no hxeadm password is needed. Without the sudo, su would prompt for the password of the hxeadm user, which on GCP has not been set yet.
So, after opening an SSH connection to the VM, enter the command 'sudo su - hxeadm'.
Right after login, an initialization script prompts you to set the 'New HANA database master password':
The password policies of SUSE Linux and SAP HANA come from different sources and do not match exactly: some characters the operating system accepts are not accepted by the database. So how can we set the passwords for both the operating system administration account hxeadm and the database super user SYSTEM in one go? The initialization script does it by validating the single password you enter against the default SAP HANA database password policy and then applying that same password to the SUSE Linux account, so the stricter of the two rule sets wins.
Note that when you perform your own installation of an SAP HANA system (including express edition), the installer will prompt you to specify the passwords for both the operating system administration account and the database SYSTEM user separately. There is no single 'database master' password. For this reason, you will not find any reference to a 'database master' password in the SAP HANA platform documentation as the concept does not really exist. It is specific to the HANA express setup.
After you have set your master password, you are prompted to proceed:
If you decide to enter N at this point, nothing will have changed and the script will be launched again to prompt you to set the master password next time you connect.
If you do decide to proceed, as recommended, the initialization script will check if the SAP HANA system is up and then continues to change the SYSTEM password for both the SystemDB and the HXE tenant database.
SSFS Master Keys and Database Root Keys
Next, the initialization script will update both the SSFS master keys and all three root keys in both the SystemDB and in the HXE database, and make a backup. This is a critically important step. Unique SSFS master keys are generated when you install SAP HANA and unique encryption root keys are generated when you create a tenant database (for the system and default tenant this also happens during the installation).
For a cloned system, like express edition as a VM (cloud or local), every copy of the image ships with the same keys, so anyone who can download the image holds the master keys that protect the SSFS and the root keys that protect your data volumes, redo log and application secrets. It's a hacker's paradise and a security administrator's nightmare, so this needs to be fixed A-SAP.
In fact, this is the process that SAP recommends in the SAP HANA Administration Guide:
Immediately after system handover from your hardware or hosting partner, perform the following steps.
The way this is done by the initialization script on our express VM is by calling another script: change_key.sh (in $HOME/bin). You can run this script again for the green phase in the illustration above: 'Regularly during operation'
Below the section from the script where the new master key is generated. Note that the rsecssfx utility is used for this.
You can run the rsecssfx command as well (once the script is done) to query the key store with the 'info' parameter. As there can be more than one store, you need to specify where it is located and one way to do this, as in the script, is by setting the RSEC_SSFS_DATAPATH environment variable.
The tool and the concept of secure storage in the file system (SSFS) are not specific to SAP HANA and can also be found on SAP NetWeaver Application Server (AS) ABAP systems, see:
For those less familiar with SSFS and root keys, here is how the topic is illustrated in the SAP HANA Security Guide:
We have two secure stores, each protected by a master key, and then we also have, per database, four encryption root keys: for the data volume, the redo log, application services and backups. The backup root key is not configured by default for express edition, which is why the script changes three of them.
Although the root keys are stored in the secure store on the file system, SQL statements are used to create and activate them. Below is the section from the script where this is done.
New root keys are implemented in three stages, generate-backup-activate, and this is exactly what we see in the output:
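As an added example (not the blog's and not the HXE change_key.sh script), the shell functions below do two of the things described above: query the instance SSFS with rsecssfx the way the script does, by pointing RSEC_SSFS_DATAPATH at the store, and rotate the three configured root keys of the HXE tenant through hdbsql in the same generate-backup-activate order. Everything not on the page is an assumption: the SSFS paths of a default HXE installation, an hdbuserstore key named SYSTEMKEY for a user holding the ENCRYPTION ROOT KEY ADMIN system privilege, and the SAP HANA 2.0 statement syntax as I recall it from the SQL reference, which you should check against the reference for your release, in particular the BACKUP ENCRYPTION ROOT KEYS form.

```shell
#!/bin/sh
# Added example; not code from the blog or from the HXE change_key.sh script.
# Run as hxeadm on the express edition VM. All paths, key names and SQL
# syntax below are assumptions to verify against your release.

# Query the instance SSFS (the store that holds the root keys) with rsecssfx,
# selecting the store through RSEC_SSFS_DATAPATH/RSEC_SSFS_KEYPATH as the
# blog's script does. Assumed default HXE location.
instance_ssfs_info() {
    RSEC_SSFS_DATAPATH=/usr/sap/HXE/SYS/global/hdb/security/ssfs \
    RSEC_SSFS_KEYPATH=/usr/sap/HXE/SYS/global/hdb/security/ssfs \
    rsecssfx info
}

# Print the three statements that rotate one root key in the order
# generate -> back up -> activate. $1 is the key type as used in the
# ALTER SYSTEM statement: PERSISTENCE (data volume), LOG (redo log) or
# APPLICATION. The BACKUP key type exists as well but is not configured on
# express edition by default, so it is rejected here. $2 is the path of the
# root key backup file, written by the database server process.
root_key_rotation_sql() {
    key_type=$1
    backup_file=$2
    case $key_type in
        PERSISTENCE|LOG|APPLICATION) ;;
        *) echo "unsupported root key type: $key_type" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "ALTER SYSTEM $key_type ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE;" \
        "BACKUP ENCRYPTION ROOT KEYS CREATE FOR DATABASE HXE USING FILE ('$backup_file');" \
        "ALTER SYSTEM $key_type ENCRYPTION ACTIVATE NEW ROOT KEY;"
}

# Rotate all three configured root keys of the HXE tenant. The root key
# backup file is encrypted with a password that has to be set in the session
# before the first BACKUP ENCRYPTION ROOT KEYS statement; it is read from the
# terminal with echo off so it stays out of the shell history and the
# process list. One backup file per key type is written into $1 so that no
# backup overwrites an earlier one. Inspect the hdbsql output for errors
# before you trust the backups.
# Usage: rotate_hxe_root_keys /usr/sap/HXE/HDB90/rkb [SYSTEMKEY]
rotate_hxe_root_keys() {
    backup_dir=$1
    userstore_key=${2:-SYSTEMKEY}
    [ -d "$backup_dir" ] || { echo "no such directory: $backup_dir" >&2; return 1; }
    printf 'Root key backup password: '
    stty -echo; read -r backup_pw; stty echo; echo
    sql=$(mktemp) || return 1            # mode 0600, holds the password briefly
    {
        printf 'ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD "%s";\n' "$backup_pw"
        for t in PERSISTENCE LOG APPLICATION; do
            root_key_rotation_sql "$t" "$backup_dir/hxe_root_keys_$t.rkb"
        done
    } > "$sql"
    hdbsql -U "$userstore_key" -I "$sql"  # -U: hdbuserstore key, -I: input file
    rc=$?
    rm -f "$sql"
    return $rc
}
```

The order matters for recovery: the backup is taken while the new key exists but is not yet active, so the backup file always contains the key that is about to protect the data. Keep the backup files and their password somewhere other than the VM disk; a root key backup sitting next to the data it protects is no backup at all.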
Of course, for many reasons, you might not want to have a single password for both the operating system administration account hxeadm and the database super user SYSTEM. Now what?
No problem, you can easily change the password of the hxeadm user, once the script has finished. This does not impact the proper functioning of SAP HANA in any way.
For this, you can use the passwd command. This time, the default SUSE Linux password policy rules will apply; SUSE enforces them through PAM (Pluggable Authentication Modules for Linux). Configuring PAM is all command line, so not the most user-friendly part of administration.
For more information about SUSE Linux password policy, see
Should you insist on using unsafe passwords and do not want to fiddle with the PAM configuration, you can simply use the command:
sudo passwd hxeadm
The passwd command will complain if the password does not comply with the rules but, run as root, sets it anyway: by default the PAM quality checks only warn the superuser instead of refusing. As Linux superuser, you can do anything, including destroying the whole machine, so consider that a warning in bold red.
Setting the password to Password1
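As an added example (not code from the blog or from the HXE initialization script), the shell functions below make explicit the check the initialization script effectively applies when it sets one master password for both accounts, namely the SAP HANA default password policy (minimal_password_length 8, password_layout A1a: at least one upper-case letter, one lower-case letter and one digit), and then use that check as the gate before setting the hxeadm OS password, so the two accounts never drift onto passwords the other side would reject. The list of characters the HXE master password prompt refuses (backslash, single and double quote, backtick and dollar sign) is reproduced from memory and is an assumption, as is the use of chpasswd, which, like passwd, is not stopped by the PAM quality rules when run by root.

```shell
#!/bin/sh
# Added example; not from the blog or the HXE scripts.

# Returns 0 if $1 satisfies the SAP HANA default password policy
# (minimal_password_length = 8, password_layout = A1a: at least one
# upper-case letter, one lower-case letter and one digit) and the extra
# HXE rule that \ ' " ` and $ are not allowed (assumption: quoted from
# memory of the HXE master password prompt).
hxe_password_ok() {
    pw=$1
    if [ "${#pw}" -lt 8 ]; then
        return 1
    fi
    case $pw in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) return 1 ;; esac
    # Bracket expressions treat backslash literally, so grep is the least
    # error-prone way to test for the forbidden characters.
    if printf '%s' "$pw" | grep -q "[\\\\'\"\`\$]"; then
        return 1
    fi
    return 0
}

# Sets the OS password of an account (default hxeadm) only if the candidate
# would also be accepted by SAP HANA, so the two policies stay in step.
# chpasswd run by root, like passwd run by root, is not blocked by the PAM
# quality rules (assumption: default SUSE PAM configuration), so this check
# is the only gate. The password is read from the terminal with echo off
# rather than taken as an argument, so it stays out of the shell history
# and the process list.
# Usage: set_os_password_checked [account]
set_os_password_checked() {
    account=${1:-hxeadm}
    printf 'New password for %s: ' "$account"
    stty -echo; read -r pw; stty echo; echo
    if ! hxe_password_ok "$pw"; then
        echo "rejected: does not meet the SAP HANA default password policy" >&2
        return 1
    fi
    printf '%s:%s\n' "$account" "$pw" | sudo chpasswd
}
```

Note that Password1 from the screenshot above passes this check, which is exactly the point: the default policy only enforces layout, not strength. Tighten minimal_password_length and the other [password policy] parameters in the database, and the PAM rules on the OS, before you expose the VM.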
Database Passwords
To change the SAP HANA database passwords, we first need to discuss the SAP HANA interactive terminal tool, hdbsql, and SAP HANA password policy. This, we will do in the next blog.
Tutorial Video(s)
Pre-configuration Steps
The tutorial video below shows you exactly how the initial setup process takes place and, as a bonus, how to configure a static (fixed) external IP for your VM instance.
The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with thousands of free tutorial videos.