Creating the SAP HANA HDBUSERSTORE Key

To connect to the SAP HANA database by using the SAP HANA Secure User Store, create a hdbuserstore key. Use a hdbuserstore key instead of a user name and password so that users do not need to enter connection information.

Note

In a HANA replication setup, create the key on all nodes. For example, suppose you have a replication system of HANA SID where the first two nodes (machine01 and machine02) are master nodes, and the other two nodes (machine03 and machine04) are standby nodes. When the master nodes are down and the standby nodes become the master nodes, the key remains valid and can connect to machine03 and machine04 while machine01 and machine02 are not available.

For information about the SAP Secure User Store, go to "hdbuserstore" in the SAP Help Portal website.

Before You Begin

Verify that the user associated with the hdbuserstore key has the correct permissions:

  • Backup operations: The DBA COCKPIT privilege is required. For more information, go to the SAP Documentation site, DBA Cockpit for SAP HANA: Authorizations. In the Database Users section, look at the Customer-specific user row.

    To create a SAP HANA database user that has the required backup operation privileges, run the following SQL command:

    CREATE USER MY_BACKUP_USER PASSWORD BackupOnly01 NO FORCE_FIRST_PASSWORD_CHANGE;
    GRANT BACKUP ADMIN, DATABASE BACKUP ADMIN, CATALOG READ, INIFILE ADMIN TO MY_BACKUP_USER;

    where MY_BACKUP_USER is the user name and BackupOnly01 is the password. The user must be created for the SYSTEMDB and all tenant databases, and the user must have the same password for each database.

  • Restore operations or clone operations: To run the CREATE or RENAME statements, the DATABASE_ADMIN privilege is required. For more information, see the SAP documentation site, System Privileges.

    To create a SAP HANA database user that has the required restore operation privileges, run the following SQL command:

    CREATE USER MY_RESTORE_USER PASSWORD RestoreOnly01 NO FORCE_FIRST_PASSWORD_CHANGE;
    GRANT BACKUP ADMIN, DATABASE BACKUP ADMIN, DATABASE RECOVERY OPERATOR, CATALOG READ, INIFILE ADMIN, DATABASE START, DATABASE STOP, TRACE ADMIN, SERVICE ADMIN TO MY_RESTORE_USER;

    where MY_RESTORE_USER is the user name and RestoreOnly01 is the password. The user must be created for the SYSTEMDB and all tenant databases, and the user must have the same password for each database.

Note

The DATABASE BACKUP ADMIN and DATABASE RECOVERY OPERATOR privileges are supported on SAP HANA 2.0 SPS05 and more recent versions.

Procedure

  1. Log on as the <SID>adm user in SAP HANA, and then, on the command line, type the following commands:

    su - <SID>adm
    hdbuserstore -i set <key_name> <client_computer>:3NN13,<client_computer>:3NN15 <user_name> <password>

    where NN is the two-digit SAP HANA instance number, from 00 to 99.

  2. Type the following command to verify the key information:

    hdbuserstore LIST <KEY>

    where KEY is the SAP HANA hdbuserstore key.

Examples

Creating the Key for SAP HANA with One Node

If you have a HANA system with one node (machine01 only), with the SID name X01 and instance number 10, use the following commands:

su - x01adm
hdbuserstore -i set MYKEY machine01:31013,machine01:31015 SYSTEM Password@12

Creating the Key for SAP HANA with Four Nodes

If you have a HANA system with four nodes (machine01, machine02, machine03, and machine04), with the SID name Y01 and instance number 99, create the key only on the node that appears first in the SAP HANA database instance or on the node that the user has manually set to appear as the first node. You do not create the key on the other three nodes. To create the key, use the following commands:

su - y01adm
hdbuserstore -i set MYKEY machine01:39913,machine01:39915,machine02:39913,machine02:39915,machine03:39913,machine03:39915,machine04:39913,machine04:39915 SYSTEM Password@12

Verifying the Key Information for SAP HANA with One Node

This command verifies the key information for a HANA system with one node (machine01).

hdbuserstore list MYKEY
KEY MYKEY  ENV : machine01:31013,machine01:31015  USER: SYSTEM

Verifying the Key Information for SAP HANA with Four Nodes

This command verifies the key information for a HANA system with four nodes (machine01, machine02, machine03, and machine04).

hdbuserstore list MYKEY
KEY MYKEY  ENV : machine01:39913,machine01:39915,machine02:39913,machine02:39915,machine03:39913,machine03:39915,machine04:39913,machine04:39915  USER: SYSTEM
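
The port pattern from the procedure (3NN13 and 3NN15 for each node) and the verification step can be scripted so that a stored key is checked against the expected instance number and node list. This is an added example, not part of the original documentation or the vendor's tooling; the function names build_env and check_env are hypothetical, and the sample listing is the one-node output shown above.

```shell
#!/bin/sh
# Added example: helper names build_env and check_env are hypothetical.

# build_env NN host [host...]
# Prints the ENV list for hdbuserstore: each host with ports 3NN13 and 3NN15.
build_env() {
    nn=$1
    case $nn in
        [0-9][0-9]) ;;
        *) echo "instance number must be two digits, 00-99: '$nn'" >&2; return 1 ;;
    esac
    shift
    [ "$#" -ge 1 ] || { echo "at least one host is required" >&2; return 1; }
    out=
    for h in "$@"; do
        out="${out:+$out,}$h:3${nn}13,$h:3${nn}15"
    done
    printf '%s\n' "$out"
}

# check_env LIST_OUTPUT NN host [host...]
# Succeeds only if the ENV field in the `hdbuserstore list` output equals the
# list that build_env derives for the same instance number and hosts.
check_env() {
    listing=$1; shift
    want=$(build_env "$@") || return 1
    got=$(printf '%s\n' "$listing" | sed -n 's/.*ENV *: *\([^ ]*\).*/\1/p')
    if [ "$got" != "$want" ]; then
        printf 'ENV mismatch\n  expected: %s\n  stored:   %s\n' "$want" "$got" >&2
        return 1
    fi
}

# Constructed sample: the one-node listing shown on this page (SID X01, instance 10).
sample='KEY MYKEY  ENV : machine01:31013,machine01:31015  USER: SYSTEM'
check_env "$sample" 10 machine01 && echo "MYKEY matches instance 10 on machine01"
```

Passing "$(build_env 99 machine01 machine02 machine03 machine04)" as the environment argument of hdbuserstore -i set reproduces the four-node list. Because -i runs hdbuserstore in interactive mode, the password can be left off the command line and entered at the prompt, which keeps it out of the shell history.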
