
Creating the SAP HANA HDBUSERSTORE Key

If you want to have the SAP HANA client computer communicate with the SAP HANA Secure User Store, create a SAP HANA HDBUSERSTORE key on the client computer.

Best Practice: Use a SAP HANA HDBUSERSTORE key instead of a user name and password.

Before You Begin

The user associated with the HDBUSERSTORE key must have DBA COCKPIT privileges to perform backup operations. For more information, go to the SAP Documentation site, DBA Cockpit for SAP HANA: Authorizations. In the Database Users section, look at the Customer-specific user row.

For streaming and snapshot restore or clone operations, to run the CREATE or RENAME statements, the user must have the DATABASE_ADMIN privilege. For more information, see the SAP documentation site, System Privileges.

You can create a SAP HANA database user that has the required backup operation privileges by using the following SQL commands:

CREATE USER MY_BACKUP_USER PASSWORD BackupOnly01 NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT BACKUP ADMIN, CATALOG READ, INIFILE ADMIN TO MY_BACKUP_USER;

Where:

MY_BACKUP_USER is the user name and BackupOnly01 is the password. Create the user in the SYSTEMDB and in all tenant databases, with the same password in each database.

You can create a SAP HANA database user that has the required restore operation privileges by using the following SQL commands:

CREATE USER MY_RESTORE_USER PASSWORD RestoreOnly01 NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT BACKUP ADMIN, CATALOG READ, INIFILE ADMIN, DATABASE START, DATABASE STOP, TRACE ADMIN, SERVICE ADMIN TO MY_RESTORE_USER;

Where:

MY_RESTORE_USER is the user name and RestoreOnly01 is the password. Create the user in the SYSTEMDB and in all tenant databases, with the same password in each database.

Procedure

  1. Log on as the <SID> admin (<SID>adm) in SAP HANA, and then on the command line, type the following commands:

    su - <SID>adm
    hdbuserstore -i set <key_name> <client_computer>:3NN13,<client_computer>:3NN15 <user_name> <password>

    where NN is the HANA instance number, from 00 to 99.

    Example:

    • If you have a HANA SID with one node (machine01 only), with the SID name X01 and instance number 10, use the following command:

      su - x01adm
      hdbuserstore -i set MYKEY machine01:31013,machine01:31015 SYSTEM Password@12

    • If you have a HANA SID with four nodes (machine01 to machine04), with the SID name Y01 and instance number 99, create the key only on the node that appears first in the SAP HANA database instance, or on the node that the user has manually set to appear as the first node. Do not create the key on the other three nodes. To create the key, use the following command:

      su - y01adm
      hdbuserstore -i set MYKEY machine01:39913,machine01:39915,machine02:39913,machine02:39915,machine03:39913,machine03:39915,machine04:39913,machine04:39915 SYSTEM Password@12

  2. On the command line, type the following command to verify the key information.

    hdbuserstore LIST <KEY>

    where KEY is the SAP HANA HDBUSERSTORE key.

    Example:

    • To verify a one-node HANA SID (machine01):

      hdbuserstore list MYKEY
      KEY MYKEY
        ENV : machine01:31013,machine01:31015
        USER: SYSTEM

    • To verify a four-node HANA SID (machine01 to machine04):

      hdbuserstore list MYKEY
      KEY MYKEY
        ENV : machine01:39913,machine01:39915,machine02:39913,machine02:39915,machine03:39913,machine03:39915,machine04:39913,machine04:39915
        USER: SYSTEM

Note: In a HANA replication setup, for example, a replication system of a HANA SID where the first two nodes (machine01 and machine02) are master nodes and the other two nodes (machine03 and machine04) are standby nodes, create the key on all nodes. When the master nodes are down and the standby nodes become the master nodes, the key remains valid and can connect to machine03 and machine04 when machine01 and machine02 are not available.
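
As an added example (not part of the original documentation), the following shell functions build the `<host>:3NN13,<host>:3NN15` list used in step 1 for any number of nodes and compare it with the ENV line printed in step 2. The function names `hana_env`, `key_env` and `check_key` are hypothetical, and the sample output is the one-node listing shown above.

```shell
#!/bin/sh
# Added example; hana_env, key_env and check_key are hypothetical helper names.

# Build "<host>:3NN13,<host>:3NN15,..." for instance number NN and the given hosts.
hana_env() {
    nn=$1; shift
    case $nn in
        [0-9][0-9]) ;;
        *) echo "instance number must be two digits (00-99): $nn" >&2; return 2 ;;
    esac
    [ "$#" -gt 0 ] || { echo "at least one host is required" >&2; return 2; }
    env=
    for host in "$@"; do
        # Reject anything that could corrupt the list (spaces, commas, colons).
        case $host in
            ''|*[!A-Za-z0-9.-]*) echo "invalid host name: $host" >&2; return 2 ;;
        esac
        env="${env:+$env,}$host:3${nn}13,$host:3${nn}15"
    done
    printf '%s\n' "$env"
}

# Extract the ENV value from `hdbuserstore list <KEY>` output read on stdin.
key_env() {
    sed -n 's/^[[:space:]]*ENV[[:space:]]*:[[:space:]]*//p'
}

# Compare a key's stored ENV (list output on stdin) with the expected list.
check_key() {
    expected=$(hana_env "$@") || return 2
    actual=$(key_env)
    if [ "$actual" = "$expected" ]; then
        echo "OK: ENV matches"
    else
        echo "MISMATCH: expected $expected, got $actual" >&2
        return 1
    fi
}

# Constructed sample: the one-node `hdbuserstore list MYKEY` output shown above.
SAMPLE_LIST='KEY MYKEY
  ENV : machine01:31013,machine01:31015
  USER: SYSTEM'

# Usage as <SID>adm:
#   hdbuserstore -i set MYKEY "$(hana_env 10 machine01)" MY_BACKUP_USER <password>
#   hdbuserstore list MYKEY | check_key 10 machine01
```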

Last modified: 11/4/2019 4:42:58 PM