Create the hdbuserstore Key for SAP HANA

To connect to the SAP HANA database by using the SAP HANA Secure User Store, create a hdbuserstore key. Use a hdbuserstore key instead of a user name and password so that users do not need to enter connection information.

Note: In a HANA replication setup, for example, if you have a replication system of HANA SID where the first two nodes—machine01 and machine02—are master nodes, and the other two nodes—machine03 and machine04—are standby nodes, create the key on all nodes. When the master nodes are down and the standby nodes become the master nodes, the key remains valid and can connect to machine03 and machine04 when machine01 and machine02 are not available.

For information about the SAP Secure User Store, go to hdbuserstore on the SAP Help Portal.

Before You Begin

Verify that the user associated with the hdbuserstore key has the correct permissions:

  • Backup operations: The DBA COCKPIT privilege is required. For more information, go to the SAP Documentation site, DBA Cockpit for SAP HANA: Authorizations. In the Database Users section, look at the Customer-specific user row.

    To create a SAP HANA database user that has the required backup operation privileges, run the following SQL command:

    CREATE USER MY_BACKUP_USER PASSWORD BackupOnly01 NO FORCE_FIRST_PASSWORD_CHANGE; 

    GRANT BACKUP ADMIN, DATABASE BACKUP ADMIN, CATALOG READ, INIFILE ADMIN TO MY_BACKUP_USER;

    where MY_BACKUP_USER is the user name and BackupOnly01 is the password. The user must be created for the SYSTEMDB and all tenant databases, and the user must have the same password for each database.

  • Restore operations or clone operations: To run the CREATE or RENAME statements, the DATABASE_ADMIN privilege is required. For more information, see the SAP documentation site, System Privileges.

    To create a SAP HANA database user that has the required restore operation privileges, run the following SQL command:

    CREATE USER MY_RESTORE_USER PASSWORD RestoreOnly01 NO FORCE_FIRST_PASSWORD_CHANGE;

    GRANT BACKUP ADMIN, DATABASE BACKUP ADMIN, DATABASE RECOVERY OPERATOR, CATALOG READ, INIFILE ADMIN, DATABASE START, DATABASE STOP, TRACE ADMIN, SERVICE ADMIN TO MY_RESTORE_USER;

    where MY_RESTORE_USER is the user name and RestoreOnly01 is the password. The user must be created for the SYSTEMDB and all tenant databases, and the user must have the same password for each database.

Note: The DATABASE BACKUP ADMIN and DATABASE RECOVERY OPERATOR privileges are supported on SAP HANA 2.0 SPS05 and more recent versions.

Procedure

  1. Log on as the <SID> admin in SAP HANA, and then, on the command line, type the following commands:

    su - <SID>adm

    hdbuserstore -i set <key_name> <client_computer>:3NN13,<client_computer>:3NN15 <user_name> <password>

    where NN is the two-digit SAP HANA instance number, from 00 to 99.

  2. Type the following command to verify the key information:

    hdbuserstore LIST <KEY>

    where KEY is the SAP HANA hdbuserstore key.

Examples

Creating the Key for SAP HANA with One Node

If you have a HANA SID with one node (machine01 only) with the SID name X01 and instance number 10, use the following commands:

su - x01adm

hdbuserstore -i set MYKEY machine01:31013,machine01:31015 SYSTEM Password@12

Creating the Key for SAP HANA with Four Nodes

If you have a HANA SID with four nodes (machine01, machine02, machine03, and machine04) with SID name Y01 and instance number 99, create the key only on the node that appears first in the SAP HANA database instance or on the node that the user has manually set to appear as the first node. You do not create the key on the other three nodes. To create the key, use the following commands:

su - y01adm

hdbuserstore -i set MYKEY machine01:39913,machine01:39915,machine02:39913,machine02:39915,machine03:39913,machine03:39915,machine04:39913,machine04:39915 SYSTEM Password@12

Verifying the Key Information for SAP HANA with One Node

This command verifies the key information for a HANA SID with one node, machine01.

hdbuserstore list MYKEY

KEY MYKEY ENV : machine01:31013,machine01:31015 USER: SYSTEM

Verifying the Key Information for SAP HANA with Four Nodes

This command verifies the key information for a HANA SID with four nodes: machine01, machine02, machine03, and machine04.

hdbuserstore list MYKEY

KEY MYKEY ENV : machine01:39913,machine01:39915,machine02:39913,machine02:39915,machine03:39913,machine03:39915,machine04:39913,machine04:39915 USER: SYSTEM

Creating a Key for SAP HANA Replication System with Two Primary Nodes and Two Secondary Nodes with Active/Passive

If you have a HANA SID with four nodes (primary nodes: machine01 and machine02; secondary nodes: machine03 and machine04) with SID Y01 and instance 99, create the key only on the node that is the primary active site among the primary nodes. You do not need to create the key on the other three nodes.

To create a key, run the following command:

su - y01adm

If machine01 is the primary active site among the primary nodes machine01 and machine02, create the key with the nodes listed in site order:

hdbuserstore -i set MYKEY machine01:39913,machine01:39915,machine02:39913,machine02:39915,machine03:39913,machine03:39915,machine04:39913,machine04:39915 SYSTEM Password@12

Note: Verify that machine01 is the first node in the SAP HANA database instance. After you perform a failover, recreate the key, because the secondary nodes are now the primary nodes and must be the first nodes in the SAP HANA database instance.

To verify the key information for a SAP HANA SID with four nodes (machine01, machine02, machine03, and machine04), run the following command:

hdbuserstore list MYKEY

KEY MYKEY ENV : machine01:39913,machine01:39915,machine02:39913,machine02:39915,machine03:39913,machine03:39915,machine04:39913,machine04:39915

USER: SYSTEM

Creating the Key for SAP HANA Replication System with Two Primary Nodes and Two Secondary Nodes with Active/Active

If you have a HANA SID with four nodes (primary nodes: machine01 and machine02; secondary nodes: machine03 and machine04) with SID Y01 and instance 99, create the key only on the node that is the primary active site among the primary nodes. You do not create the key on the other three nodes.

To create the key, use the following command:

su - y01adm

If machine02 is the primary active site among the primary nodes machine01 and machine02, create the key with the nodes listed in site order:

hdbuserstore -i set MYKEY machine02:39913,machine02:39915,machine01:39913,machine01:39915,machine03:39913,machine03:39915,machine04:39913,machine04:39915 SYSTEM Password@12

Note: Verify that machine02 is the first node in the SAP HANA database instance. After you perform a failover, recreate the key, because the secondary nodes will become the primary nodes and must be the first nodes in the SAP HANA database instance.

To verify the key information for SAP HANA with four nodes (machine01, machine02, machine03, and machine04), run the following command:

hdbuserstore list MYKEY

KEY MYKEY ENV : machine02:39913,machine02:39915,machine01:39913,machine01:39915,machine03:39913,machine03:39915,machine04:39913,machine04:39915

USER: SYSTEM
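The notes above require the key's node list to follow the current site order and to be recreated after a failover. The following added example (not part of the original documentation or the vendor's tooling) builds the expected host:3NN13,host:3NN15 list from an instance number and an ordered node list, then compares it with the ENV value in `hdbuserstore list` output. The function names build_env, key_env, and check_key are hypothetical, and the sample output is constructed from the listing on this page.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of hdbuserstore.

# build_env NN host1 [host2 ...]
# Prints host1:3NN13,host1:3NN15,host2:3NN13,... in the order given.
build_env() {
    nn=$1; shift
    case $nn in
        [0-9][0-9]) ;;
        *) echo "instance number must be two digits (00-99)" >&2; return 1 ;;
    esac
    env=
    for h in "$@"; do
        env="${env:+$env,}$h:3${nn}13,$h:3${nn}15"
    done
    [ -n "$env" ] || { echo "no hosts given" >&2; return 1; }
    printf '%s\n' "$env"
}

# key_env: reads `hdbuserstore list <KEY>` output on stdin and prints the
# ENV value. Works whether ENV is on the KEY line or on its own line.
key_env() {
    sed -n 's/.*ENV *: *\([^ ]*\).*/\1/p' | head -n 1
}

# check_key NN host1 [host2 ...]   (list output on stdin)
# Returns 0 when the stored ENV matches the expected order, 1 on a
# mismatch (for example after a failover), 2 on bad arguments.
check_key() {
    expected=$(build_env "$@") || return 2
    actual=$(key_env)
    [ "$actual" = "$expected" ] && return 0
    echo "key ENV mismatch: expected $expected, got ${actual:-<none>}" >&2
    return 1
}

# Constructed sample: the Active/Active listing shown on this page.
sample='KEY MYKEY ENV : machine02:39913,machine02:39915,machine01:39913,machine01:39915,machine03:39913,machine03:39915,machine04:39913,machine04:39915 USER: SYSTEM'
printf '%s\n' "$sample" |
    check_key 99 machine02 machine01 machine03 machine04 && echo "key order OK"
```

On a live system, pipe the real output instead, for example `hdbuserstore list MYKEY | check_key 99 machine02 machine01 machine03 machine04`, with the nodes given in the current site order.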