
SAP Event Stream Processor: Security Guide (SAP Event Stream Processor 5.1 SP09)


PUBLIC
SAP Event Stream Processor 5.1 SP09
Document Version: 1.0 - 2014-11-26

SAP Event Stream Processor: Security Guide

Table of Contents

1 Configuring Security ..... 3
  1.1 Sandboxing ..... 3
  1.2 Authentication ..... 4
  1.3 User Authorization Policies ..... 6
    1.3.1 SYS_STREAMING ..... 9
    1.3.2 Enabling User Authorization ..... 10
    1.3.3 Granting Permissions ..... 10
    1.3.4 Revoking Permissions ..... 12
    1.3.5 Reviewing User Authorizations ..... 14
    1.3.6 Creating a Role ..... 15
    1.3.7 Removing a Role ..... 17
  1.4 Secure Sockets Layer (SSL) Connections ..... 18
  1.5 Configuring SSL ..... 19
    1.5.1 Enabling SSL at the Project Level ..... 20
    1.5.2 Disabling SSL at the Project Level ..... 21
    1.5.3 Enabling SSL at the Node Level ..... 21
    1.5.4 Disabling SSL at the Node Level ..... 22
  1.6 Generating an SSL Key in the Java KeyStore ..... 22
  1.7 Generating PEM Format Private Keys ..... 24
  1.8 Generating a TrustStore for a Client ..... 26
  1.9 Encryption ..... 27
    1.9.1 Encrypting Passwords for Cluster Configuration ..... 30
    1.9.2 Encrypting Passwords for Database Services ..... 31
    1.9.3 Encrypting Passwords for Projects and Adapters ..... 32
    1.9.4 Encrypting Passwords for the Event Stream Processor Web Services Provider and ESP Studio ..... 33
    1.9.5 Encrypting SSL Files ..... 34
    1.9.6 Encrypting Passwords for Java External Adapters ..... 36

PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved.
1 Configuring Security

Set up server authentication, user authorization, and SSL connections, and encrypt passwords in configuration files.

Security in SAP® Event Stream Processor is managed centrally by the cluster manager. All projects running in a remote cluster are subject to the security rules defined for that cluster. For information on security for projects running in the local cluster, see the SAP Event Stream Processor: Studio Users Guide.

1.1 Sandboxing

Sandboxing is a security feature that allows you to restrict access to data files for projects in a cluster. Running projects in a sandboxed environment limits the directory that adapters and log stores use for reading and writing, which prevents files outside that directory from being overwritten.

Within your operating system, a sandbox operates as a separate environment that does not disrupt other programs on your network. A sandbox limits the level of access its applications have, ensuring that adapters and ESP projects do not share data within the same workspace, which prevents overwriting important data files.

You can configure adapters to read and write files within a sandboxed environment. The following Event Stream Processor adapters support sandboxing:
● File/Hadoop CSV Input and Output Adapter
● File/Hadoop JSON Input and Output Adapter
● File/Hadoop Event XML Input and Output Adapter
● File/Hadoop XML Input and Output Adapter
● File Fix Input and Output Adapter

Adapters that do not support sandboxing point files to the specified base directory regardless of the sandbox-enabled setting. See the SAP Event Stream Processor: Adapters Guide for additional information on adapters.

When sandboxing is enabled, log store paths, both relative and absolute, point to the specified sandbox base directory. See Creating a Log Store in the SAP Event Stream Processor: Studio Users Guide and Creating a Log Store in the SAP Event Stream Processor: Developer Guide for additional information.

Sandboxing is enabled or disabled by the system administrator through SAP ESP Cockpit. See Configuring Sandboxing for an Adapter in the SAP Event Stream Processor: Cockpit Guide for additional information. If sandboxing is disabled, Event Stream Processor behavior is unchanged.

Related Information

Authentication [page 4]
  SAP Event Stream Processor is designed to integrate with your existing authentication framework, whether you are using Kerberos, RSA, LDAP, SAP BI, SAP HANA, or your operating system's native credential management system.

User Authorization Policies [page 6]
  The operations that a user may perform when accessing SAP Event Stream Processor through a client interface such as SAP Event Stream Processor Studio, command line utilities, an SDK, or an adapter are determined by the permissions granted to that user.

Secure Sockets Layer (SSL) Connections [page 18]
  SAP Event Stream Processor supports SSL connections over the network to ensure the privacy of communication between client applications and the SAP Event Stream Processor server.

Configuring SSL [page 19]
  Enable or disable Secure Sockets Layer (SSL) at the node or project level using the SAP ESP Cockpit.

Generating an SSL Key in the Java KeyStore [page 22]
  Java keystores provide a convenient mechanism for storing and deploying X.509 certificates and private and public keys. Use keystores with Secure Sockets Layer (SSL) so that the SAP Event Stream Processor server can store and read the key, and to encrypt passwords for external servers and applications (such as databases) so that they are not stored as clear text in configuration files. Keystores are also used for RSA authentication because they store user certificates.

Generating PEM Format Private Keys [page 24]
  Use the Java keytool to generate private keys in privacy enhanced mail (PEM) format.

Generating a TrustStore for a Client [page 26]
  As part of enabling server certificate verification in SSL communication, create a TrustStore for your client that contains the root certificate of the certificate authority that signed the SSL key.

Encryption [page 27]
  SAP Event Stream Processor provides two utilities for encryption, streamingclusteradmin and streamingencrypt. These utilities support password encryption for internal adapter, service, cluster, and project configuration. SAP Event Stream Processor also provides the encrypt.sh and encrypt.bat scripts for encrypting passwords in external adapter configuration files.

1.2 Authentication

SAP Event Stream Processor is designed to integrate with your existing authentication framework, whether you are using Kerberos, RSA, LDAP, SAP BI, SAP HANA, or your operating system's native credential management system.

Note
Linux provides fingerprint authentication, which ESP does not support. If fingerprint authentication is enabled on the host and ESP is using native operating system authentication, ESP may shut down unexpectedly while authenticating users.

When performing a typical installation, you are prompted to enter and confirm a password for the default cluster created by the installer. The password you enter is also used as the password for the system-created user SYS_STREAMING, which you use to log in to ESP Cockpit to assign roles and privileges to your users.

When performing a custom installation, the type of server authentication you use is selected at install time.
Options for server authentication include:
● Kerberos – ticket-based authentication
● RSA – requires a key alias, a keystore containing a private key, and the password of the keystore
● SAP HANA – requires host and port information for the SAP HANA indexserver
● Username/password, implemented using one of the following:
  ○ LDAP credentials
  ○ SAP BI credentials
  ○ Native operating system credentials (native OS)
  ○ Preconfigured username/password

If you need to change the authentication type after installation, use the SAP ESP Cockpit to add a new authenticator. See Add an Authentication Type in the SAP Event Stream Processor: Cockpit Guide for additional information.

When you connect to a cluster on the ESP server, your credentials are verified with the active security provider. If authentication succeeds, the server considers the user a valid client and login is completed. You receive a session ID, and in subsequent communication the client uses the session ID to identify itself.

Note
Do not confuse server authentication, which is enforced when users connect to remote clusters, with authentication on the local cluster, which is enforced when using the Run Project option within SAP Event Stream Processor Studio. Server authentication is enforced across your network and is designed for use in a production environment. Local cluster authentication is enforced only on a user's local machine and, like the local cluster itself, is intended for a test environment.

Authentication on the local cluster is limited to username/password authentication and is based on the fixed username studio. Users can enter any password for this username to maintain a secure connection with the local cluster for the duration of the SAP Event Stream Processor Studio session. The password is kept in memory and is not written to disk. When the Studio session is terminated, the password is discarded from memory. When connecting to the local cluster in a subsequent SAP Event Stream Processor Studio session, users are once again required to provide a password for the fixed username studio. This password does not have to be the same password set during the previous SAP Event Stream Processor Studio session. Authentication on the local cluster is provided automatically; no additional configuration is required. For details on the local cluster password, see the Studio Users Guide.

Related Information
Sandboxing [page 3]
User Authorization Policies [page 6]
Secure Sockets Layer (SSL) Connections [page 18]
Configuring SSL [page 19]
Generating an SSL Key in the Java KeyStore [page 22]
Generating PEM Format Private Keys [page 24]
Generating a TrustStore for a Client [page 26]
Encryption [page 27]

1.3 User Authorization Policies

The operations that a user may perform when accessing SAP Event Stream Processor through a client interface such as SAP Event Stream Processor Studio, command line utilities, an SDK, or an adapter are determined by the permissions granted to that user.

A permission consists of a privilege and a privilege type, and a resource and a resource type. The privilege specifies the action being permitted, and the privilege type specifies the kind of ESP element for which that action is permitted. The resource type specifies the ESP elements on which the action is permitted, and the resource specifies a specific instance of the resource type.

Note
The user authorization policy framework completely replaces the previous access control features of ESP.
There is no migration tool for converting from the previous access control system to the new user authorization policy framework. If you implemented access control in a previous release of ESP, review your policy.xml file before starting to manually implement your new user authorization policy.

The privilege portion of the permission can be any of the privileges in the table below.

Privilege   Description
all         Grants all privileges to a user, either for all resources or for a specific resource.
admin       Grants the user administrative privileges on the specified system elements, which can be any of config, policy, rsa, and cockpit.
add         Allows users to add resources of the specified privilege type (can be restricted by resource type and instance). For example, adding an application.
remove      Allows users to remove resources of the specified privilege type (can be restricted by resource type and instance). For example, removing a workspace.
start       Allows users to start resources of the specified privilege type (can be restricted by resource type and instance). For example, starting an application.
stop        Allows users to stop resources of the specified privilege type (can be restricted by resource type and instance). For example, stopping an application.
control     Gives users control over resources of the specified privilege type (can be restricted by resource type and instance). For example, providing runtime control over a project.
execute     Allows users to execute a specific service, or all services.
read        Allows users read access to resources of the specified privilege type (can be restricted by resource type and instance). For example, reading a stream.
view        Allows users to view resources of the specified privilege type (can be restricted by resource type and instance). For example, viewing a project.
write       Allows users to write to, or modify, elements of the specified privilege type (can be restricted by resource type and instance). For example, writing to a stream.

Both the privilege type and the resource type can be any of the types in the table below.

Type          Description
stream        An element in a project for ESP that processes incoming events and produces output events.
adapter       Connects ESP projects to external data sources and destinations, and handles any required data conversion.
project       A set of event streams, data sources, and the continuous queries that process incoming data to produce the desired information.
application   A project from the view of the host machine.
dataservice   A connection to a database for reading or writing data.
workspace     One of the subdirectories within the working directory for Studio.
node          A host machine, running ESP, belonging to a cluster.
cluster       A group of one or more nodes that are managed as a unit.
service       A stateless entity that is available to perform functions (such as discovery) for ESP.
system        Specifies a privilege/resource type for administering the cluster.
all           All of the items listed here.

The resource can be whatever name you have given to an instance of a resource type.

Permissions may be granted to users directly, or indirectly through the creation of roles. A role is a set of permissions which, once created, can be granted to either a user or another role. Usually, a role includes all of the permissions necessary to perform a particular task or function.

Permissions are administered using the streamingclusteradmin utility in either command line mode or interactive mode to execute the following commands:
● grant permission
● revoke permission
● get permissions
● add role
● grant role
● remove role
● get roles
● get users

For information on using the streamingclusteradmin utility, including examples of granting privileges, see the SAP Event Stream Processor: Utilities Guide.

Related Information
Sandboxing [page 3]
Authentication [page 4]
Secure Sockets Layer (SSL) Connections [page 18]
Configuring SSL [page 19]
Generating an SSL Key in the Java KeyStore [page 22]
Generating PEM Format Private Keys [page 24]
Generating a TrustStore for a Client [page 26]
Encryption [page 27]

1.3.1 SYS_STREAMING

During installation, Event Stream Processor creates a special user, SYS_STREAMING, to bootstrap the implementation of your user authorization policy.

The predefined permissions for SYS_STREAMING are equivalent to the following grants:
   grant permission view all to user SYS_STREAMING
   grant permission all system to user SYS_STREAMING

SYS_STREAMING is able to perform policy administration functions such as granting and revoking privileges. The cluster password that you were prompted to create during the installation process is given to SYS_STREAMING when it is created.

Because this user is intended to set up the user authorization policy, the standard ESP user authorization commands do not work on SYS_STREAMING. For example, get users, which lists all users granted authorization to use ESP, does not list SYS_STREAMING, because it was created at installation time with a predefined set of permissions.

Note
During installation, the technical user for the ESP Cockpit is configured to use the SYS_STREAMING login and password.
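The permission model of section 1.3 and the rules stated around it (a permission is a privilege, privilege type, resource type and resource; "any" is a wildcard over instances; roles hold permissions and are granted to users or other roles; SYS_STREAMING's two predefined grants cannot be changed with the ordinary commands; and, as section 1.3.4 notes, a revoke must repeat the grant exactly) can be exercised in a small model. The Python below is an added example written for this page; it is not SAP code and not part of the streamingclusteradmin utility. It parses grant perm / revoke perm commands in the form the page's examples use and keeps the policy in memory. The Perm and Policy names, the grant_role() signature (the page lists a grant role command but shows no syntax for it) and the containment rule in allows() (a grant on workspace w1 covers the streams under w1/) are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# privilege and type names from the two tables in section 1.3
PRIVS = {"all", "admin", "add", "remove", "start", "stop", "control", "execute", "read", "view", "write"}
TYPES = {"stream", "adapter", "project", "application", "dataservice", "workspace",
         "node", "cluster", "service", "system", "all"}


@dataclass(frozen=True)
class Perm:
    priv: str                  # the action (privilege)
    privtype: str = "all"      # privtype omitted: the action applies to every element type
    resourcetype: str = "all"  # 'on' clause omitted: no resource restriction
    resource: str = "any"      # 'any': every instance of resourcetype


def parse_perm_command(cmd: str) -> Tuple[str, Perm, Optional[str], str]:
    """Parse 'grant perm ... to [user|role] NAME' / 'revoke perm ... from [user|role] NAME'.
    Returns (verb, Perm, kind, name); kind is None when, as in several page examples,
    the grantee is named without the user/role keyword."""
    tokens = cmd.split()
    sep = {"grant": "to", "revoke": "from"}.get(tokens[0] if tokens else "")
    if sep is None or len(tokens) < 4 or tokens[1] != "perm" or sep not in tokens:
        raise ValueError(f"not a grant/revoke perm command: {cmd!r}")
    i = tokens.index(sep)
    target = tokens[i + 1:]
    kind = target[0] if len(target) == 2 and target[0] in ("user", "role") else None
    if len(target) != (2 if kind else 1):
        raise ValueError(f"bad grantee: {cmd!r}")
    body = tokens[2:i]
    if not body or body[0] not in PRIVS:
        raise ValueError(f"missing or unknown privilege: {cmd!r}")
    priv, rest, privtype = body[0], body[1:], "all"
    if rest and rest[0] != "on":                    # optional <privtype>
        privtype, rest = rest[0], rest[1:]
    resourcetype, resource = "all", "any"
    if rest:                                        # 'on any <rtype>' or 'on <rtype> <resource>'
        if rest[0] != "on" or len(rest) != 3:
            raise ValueError(f"bad 'on' clause: {cmd!r}")
        resourcetype, resource = (rest[2], "any") if rest[1] == "any" else (rest[1], rest[2])
    if privtype not in TYPES or resourcetype not in TYPES:
        raise ValueError(f"unknown type in: {cmd!r}")
    return tokens[0], Perm(priv, privtype, resourcetype, resource), kind, target[-1]


class Policy:
    """In-memory users, roles and grants, enforcing the rules the guide states."""
    def __init__(self) -> None:
        # SYS_STREAMING's predefined grants (section 1.3.1); grant/revoke perm do not apply to it
        self.users: Dict[str, Set[Perm]] = {"SYS_STREAMING": {Perm("view", "all"), Perm("all", "system")}}
        self.roles: Dict[str, Set[Perm]] = {}
        self.user_roles: Dict[str, Set[str]] = {}   # user -> roles granted to it
        self.role_roles: Dict[str, Set[str]] = {}   # role -> roles granted to it

    def add_role(self, role: str) -> None:
        self.roles.setdefault(role, set())

    def grant_role(self, role: str, to_user: Optional[str] = None, to_role: Optional[str] = None) -> None:
        """A role may be granted to a user or to another role (assumed signature; the page shows no syntax)."""
        if role not in self.roles:
            raise KeyError(f"no such role: {role!r}")
        if to_user is not None:
            self.user_roles.setdefault(to_user, set()).add(role)
        if to_role is not None:
            self.role_roles.setdefault(to_role, set()).add(role)

    def apply(self, cmd: str) -> Optional[str]:
        """Run one grant/revoke perm command; returns None on success or the reason it was refused."""
        verb, perm, kind, name = parse_perm_command(cmd)
        if name == "SYS_STREAMING":
            return "SYS_STREAMING is not administered with grant/revoke perm"
        store = self.roles if kind == "role" or (kind is None and name in self.roles) else self.users
        bucket = store.setdefault(name, set())
        if verb == "grant":
            bucket.add(perm)
        elif perm in bucket:
            bucket.remove(perm)
        else:  # a revoke must repeat the grant exactly; a broad grant cannot be partially revoked
            return f"{name!r} holds no permission matching {perm}"
        return None

    def effective(self, user: str) -> Set[Perm]:
        """Direct grants plus everything inherited through roles, transitively."""
        perms, seen, stack = set(self.users.get(user, ())), set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                perms |= self.roles.get(role, set())
                stack.extend(self.role_roles.get(role, ()))
        return perms

    def allows(self, user: str, priv: str, rtype: str, path: str) -> bool:
        """Does user hold a grant covering priv on the element of type rtype at path?
        path uses the w1/p7/s3 form of the page's examples; a grant on a containing element
        (workspace w1) covers everything under w1/ (this example's reading, not a documented rule)."""
        return any(covers(p, priv, rtype, path) for p in self.effective(user))


def covers(perm: Perm, priv: str, rtype: str, path: str) -> bool:
    if perm.priv not in ("all", priv) or perm.privtype not in ("all", rtype):
        return False
    if perm.resourcetype == "all":
        return True
    if perm.resourcetype == rtype:
        return perm.resource in ("any", path)
    return perm.resource == "any" or path.startswith(perm.resource + "/")
```

Feeding the page's own commands through apply() shows the exact-match rule in practice: after `grant perm read stream on any workspace to role manager`, the narrower `revoke perm read stream on workspace w1 from manager` is refused, while repeating the original text revokes it.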
1.3.2 Enabling User Authorization

Before you begin implementing your Event Stream Processor user authorization policy, you must start the cluster database and the cluster node.

Procedure
1. If this is your first session implementing your user authorization policy, go to the log directory underneath the directory where you installed ESP and verify that there are no errors in the init_cluster_db file.
2. Start the cluster database and the cluster node. At the command prompt on a Linux or Solaris machine, enter the following commands to start the database and node1 of the cluster:
      cd $STREAMING_HOME/cluster/config/esp1
      ./start_db.sh
      ./start_node.sh node1 &
   To start a different node, substitute that node's name for node1. On a Windows machine, go to the %STREAMING_HOME%\cluster\config\esp1 folder, double-click start_db.bat, and double-click start_node.bat.
3. User authorization is enabled by default in ESP, but it can be disabled. If it has been disabled, you get a "Policy service is not enabled" error message when you try to administer your user authorization policy using streamingclusteradmin. To enable user authorization, log in to the SAP ESP Cockpit and select Security > Enable Authorization Policy.

1.3.3 Granting Permissions

Control users' access to and control over Event Stream Processor by giving them only the permissions necessary to complete their assigned tasks.

Context
Permissions are granted using the grant perm command via the streamingclusteradmin utility. The syntax of the command is:
      grant perm <priv> [<privtype>] [on [any] <resourcetype> | <resourcetype> [<resource>]] to user|role <name>
The optional privtype, resourcetype, and resource arguments enable you to make the permissions granted to each user or role as broad or as narrow as desired.

Procedure
1. Decide what tasks this user needs to perform using ESP. For example:
   ○ subscribe to a specific output stream to feed data into a dashboard
   ○ administer the hardware on which ESP runs
   ○ develop new projects
   ○ maintain one or more existing projects
   ○ run projects
   ○ configure the system
   ○ administer the authorization policy
2. For each task, identify what actions need to be performed, and on which resources. There are three methods for granting permissions, detailed in the following steps.
3. Use streamingclusteradmin in interactive mode to set one permission at a time.
   a. Start interactive mode. For example, the user SYS_STREAMING with the cluster password Letmein! would enter the following to start streamingclusteradmin in interactive mode on the local machine:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=SYS_STREAMING --password=Letmein!
   b. Execute the grant perm command for each of the permissions needed by the user. The only required arguments are the priv (the action you want to permit), whether you are granting it to a user or a role, and the name of that user or role. So, to grant permission to perform all actions, with no restrictions, to the user superuser, enter:
      grant perm all to user superuser
   c. The optional arguments privtype, resourcetype, and resource enable you to specify the type of element, the type of resource, or the specific resource for which the privilege is granted. For example, to grant the user developer1 permission to perform all actions, but only in workspace w1, enter:
      grant perm all on workspace w1 to user developer1
   d. To grant the role manager permission to read all streams in any workspace, enter:
      grant perm read stream on any workspace to role manager
   e. To grant the role subscriber1 permission to read only the stream s3, in project p7 in workspace w2, enter:
      grant perm read stream on stream w2/p7/s3 to role subscriber1
   f. Close the interactive session of streamingclusteradmin. Enter exit or quit.
4. Use streamingclusteradmin in command line mode to run the grant perm command. The ESP installer creates a user named SYS_STREAMING and assigns that user the cluster password entered during installation. For example, if you specified Letmein! as the cluster password during installation, to grant a user named subscriber1 permission to read a single stream output2, in project p1, in workspace w1 using command line mode, enter:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=SYS_STREAMING --password=Letmein! --admin_policy --command "grant perm read stream on stream w1/p1/output2 to subscriber1"
5. Modify multiple user permissions in command line mode simultaneously using a single administration policy file:
   a. Enter all desired commands granting permissions for users into a text file and save it to your machine.
   b. Use streamingclusteradmin --command_file to run all commands stored in that file:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command_file=C:path/to/command/file

Note
You can run separate command files to grant and revoke permissions and roles as needed. This may be useful in larger projects with tasks that vary over the course of time.

1.3.4 Revoking Permissions

Maintain security of Event Stream Processor by taking back permissions that are no longer required.

Context
Permissions are taken back from a role or a user using the revoke perm command via the streamingclusteradmin utility. The syntax of the command is:
      revoke perm <priv> [<privtype>] [on [any] <resourcetype> | <resourcetype> [<resource>]] from user|role <name>
As with the grant perm command, the optional privtype, resourcetype, and resource arguments enable you to precisely specify the scope of the permissions you revoke.

Note
However broadly or narrowly you specified a permission when you granted it, you must specify it exactly the same way when you revoke it.
You cannot grant a broad permission and then partially revoke it.

Procedure
1. See what permissions the user has been granted. For example, to see what permissions have been granted to user1 using command line mode, enter:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command "get perm for user user1"
   Or, to list the permissions granted to user1 in interactive mode, enter:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein!
      get perm for user user1
      exit
2. Use streamingclusteradmin to run the revoke perm command.
   a. For example, to completely revoke the permission to read streams from user1 using command line mode, enter:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command "revoke perm read stream from user1"
   b. Or, to revoke from user1 the permission to read just the streams in workspace w1 and the stream s3 in project p1 in workspace w2, using interactive mode, enter:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein!
      revoke perm read stream on workspace w1 from user1
      revoke perm read stream on stream w2/p1/s3 from user1
      quit
   c. Or, modify multiple user permissions simultaneously using a single administration policy file. Enter all desired streamingclusteradmin commands that revoke permissions for users into a stored text file. To run all commands stored in that file from the command line, enter:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command_file=C:path/to/command/file
   The file used in the --command_file option is parsed, and each line in the file is interpreted as a single command.

Note
You can run separate command files to grant and revoke permissions and roles as needed. This may be useful in larger projects with tasks that vary over the course of time.

1.3.5 Reviewing User Authorizations

Identify the users and roles you've created, along with the permissions granted to them, using the streamingclusteradmin utility's get command.

Context
The monitoring commands shown here are independent of each other, so you can run any or all of them in the order you prefer. If you use interactive mode, you can enter all of the commands in one session rather than exiting and restarting the streamingclusteradmin utility.

Procedure
1. List all of the users who are authorized to perform tasks. For example, to list authorized users in command line mode, enter:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command "get users"
   Or, to list authorized users in interactive mode, enter:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein!
      get users
      exit
2. List all of the roles that have been created. For example, to list existing roles in command line mode, enter:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command "get roles"
   Or, to list existing roles in interactive mode, enter:
      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein!
      get roles
      exit
3. List all of the roles that have been assigned to each user.
   For example, to list the roles assigned to user1 in command line mode, enter:

   $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command "get roles for user user1"

   Or, to list the roles assigned to user1, user2, and user3 in interactive mode, enter:

   $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein!
   get roles for user user1
   get roles for user user2
   get roles for user user3
   exit

4. List the permissions that have been assigned to each role. For example, to list the permissions granted to role1 in command line mode, enter:

   $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --admin_policy_cmd "get perm for role role1"

   Or, to list the permissions granted to role1, role2, and role3 in interactive mode, enter:

   $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein!
   get perm for role role1
   get perm for role role2
   get perm for role role3
   exit

5. List the permissions that have been assigned to each user. For example, to list the permissions granted to user1 in command line mode, enter:

   $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command "get perm for user user1"

   Or, to list the permissions granted to user1, user2, and user3 in interactive mode, enter:

   $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein!
   get perm for user user1
   get perm for user user2
   get perm for user user3
   exit

1.3.6 Creating a Role

Define a set of privileges that enables a user to perform a particular task, which can then be granted to other users as needed.

Context

Roles are generally created to enable users to perform a particular task. As new tasks are identified, new roles can be created to enable users to perform them.

Procedure

1. Use streamingclusteradmin to run the add role command.

   a. To add the role prod1 using the command line mode, enter:

      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command "add role prod1"

   b. Or, to add the role using the interactive mode, enter:

      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein!
      add role prod1
      exit

2. Grant the permissions required to perform the task to the role.

   a. To grant permission to read streams in any workspace to the role prod1 using the command line mode, enter:

      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command "grant perm read stream on any workspace to prod1"

   b. Or, to grant permission to read streams in the w1, w4, and w5 workspaces to the role prod1 using the interactive mode, enter:

      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein!
      grant perm read stream on workspace w1 to prod1
      grant perm read stream on workspace w4 to prod1
      grant perm read stream on workspace w5 to prod1
      exit

   c. Or, grant roles and permissions to several users at once using a single administration policy file. Enter all the streamingclusteradmin commands that grant roles and permissions into a text file, one command per line.
      To run every command stored in that file from the command line, enter:

      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command_file=C:/path/to/command/file

      The file named in the --command_file option is parsed, and each line in the file is interpreted as a single command.

Note
You can run separate command files to add and remove roles and permissions as needed. This may be useful in larger projects whose tasks vary over time.

1.3.7 Removing a Role

Remove a collection of privileges that is no longer required or is not appropriate for the tasks that need to be done.

Context

Roles are generally created to enable users to perform a particular task. If a task no longer needs to be performed, the role that enables users to do it can be removed.

Procedure

1. Use streamingclusteradmin to run the remove role command.

   a. To remove the role setup using the command line mode, enter:

      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command "remove role setup"

   b. To remove the prod3 and prod7 roles using the interactive mode, enter:

      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein!
      remove role prod3
      remove role prod7
      quit

   c. Or, remove roles and permissions from several users at once using a single administration policy file. Enter all the streamingclusteradmin commands that remove roles and permissions into a text file, one command per line. To run every command stored in that file from the command line, enter:

      $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://localhost:19011 --username=sysadm --password=Letmein! --admin_policy --command_file=C:/path/to/command/file

      The file named in the --command_file option is parsed, and each line in the file is interpreted as a single command.

Note
You can run separate command files to add and remove permissions and roles as needed. This may be useful in larger projects whose tasks vary over time.

1.4 Secure Sockets Layer (SSL) Connections

SAP Event Stream Processor supports SSL connections over the network to ensure the privacy of communication between client applications and the SAP Event Stream Processor server.

If you install Event Stream Processor using a typical installation, SSL is enabled by default. If you install using a custom installation, you can choose whether to enable SSL.

When SSL is enabled, gateway communication is encrypted, all incoming URLs must use HTTPS, and URIs must use ESPS. A node in the cluster can support either HTTP or HTTPS, but not both simultaneously. When SSL is enabled for a cluster, all components in the cluster are also enabled for SSL.

To edit the SSL configuration for new or existing nodes or clusters, use the SAP ESP Cockpit. For detailed instructions on how to enable or disable SSL using the SAP ESP Cockpit, see Configuring SSL [page 19].

Note
SAP Event Stream Processor supports only the TLSv1.2 protocol. TLSv1, TLSv1.1, SSLv2, and SSLv3 are not supported.

Related Information

Sandboxing [page 3]
Sandboxing is a security feature that allows you to restrict access to data files for projects in a cluster. Running projects in a sandboxed environment limits the directory that adapters and log stores use for reading and writing, so files cannot be overwritten.
Authentication [page 4]
SAP Event Stream Processor is designed to integrate with your existing authentication framework, whether you are using Kerberos, RSA, LDAP, SAP BI, SAP HANA, or your operating system's native credential management system.

User Authorization Policies [page 6]
The operations that a user may perform when accessing SAP Event Stream Processor through a client interface such as SAP Event Stream Processor Studio, command line utilities, an SDK, or an adapter are determined by the permissions that have been granted to that user.

Configuring SSL [page 19]
Enable or disable Secure Sockets Layer (SSL) at the node or project level using the SAP ESP Cockpit.

Generating an SSL Key in the Java KeyStore [page 22]
Java keystores provide a convenient mechanism for storing and deploying X.509 certificates and private and public keys. Use keystores with Secure Sockets Layer (SSL) to have the SAP Event Stream Processor server store and read the key, and to encrypt passwords for external servers and applications (such as databases) so that passwords are not stored as clear text in configuration files. Keystores are also used for RSA authentication, because they store user certificates.

Generating PEM Format Private Keys [page 24]
Use the Java keytool to generate private keys in privacy enhanced mail (PEM) format.

Generating a TrustStore for a Client [page 26]
As part of enabling server certificate verification in SSL communication, create a TrustStore for your client that contains the root certificate of the SSL key, signed by the certificate authority.

Encryption [page 27]
SAP Event Stream Processor provides two utilities for encryption, streamingclusteradmin and streamingencrypt. These utilities support password encryption for internal adapter, service, cluster, and project configuration. SAP Event Stream Processor also provides the encrypt.sh and encrypt.bat scripts for encrypting passwords in external adapter configuration files.

1.5 Configuring SSL

Enable or disable Secure Sockets Layer (SSL) at the node or project level using the SAP ESP Cockpit.

Related Information

Sandboxing [page 3]
Authentication [page 4]
User Authorization Policies [page 6]
Secure Sockets Layer (SSL) Connections [page 18]
Generating an SSL Key in the Java KeyStore [page 22]
Generating PEM Format Private Keys [page 24]
Generating a TrustStore for a Client [page 26]
Encryption [page 27]

1.5.1 Enabling SSL at the Project Level

Enable SSL at the project level using SAP ESP Cockpit.

Prerequisites

Your user account has the required read and admin permissions in ESP.

Context

When you run a typical installation, SSL is enabled by default. When SSL is enabled at the project level, gateway communication is encrypted. Project-level SSL imposes no user requirements.

Procedure

1. Select the EXPLORE workset, then select Actions > Configure Cluster.
2. Expand the Applications folder and select either ha_project or project.
3. Click Add Property.
4. Specify ssl-key-file for the property name, and in the value column point to the directory that holds the SSL files. For example, ${STREAMING_HOME}/cluster/keys/${STREAMING_CLUSTER_NAME}.
5. Click Add Property.
6. Specify ssl-key-file-encrypted, and set the value to true.
   The SSL files generated during the installation of ESP are encrypted. If you set ssl-key-file-encrypted to true when the SSL files are not encrypted, the project fails to run.
7. Click Apply.
1.5.2 Disabling SSL at the Project Level

Disable SSL at the project level using SAP ESP Cockpit.

Prerequisites

Your user account has the required read and admin permissions in ESP.

Context

When you run a typical installation, SSL is enabled by default. When SSL is enabled at the project level, gateway communication is encrypted. Project-level SSL imposes no user requirements.

Procedure

1. Select the EXPLORE workset, then select Actions > Configure Cluster.
2. Expand the Applications folder and select either ha_project or project.
3. Remove the ssl-key-file property or leave its value empty.
4. Remove the ssl-key-file-encrypted property or set its value to false.
5. Click Apply.

1.5.3 Enabling SSL at the Node Level

Enable SSL at the node level using SAP ESP Cockpit.

Prerequisites

Your user account has the required read and admin permissions in ESP.

Context

When you run a typical installation, SSL is enabled by default. When SSL is enabled at the node level, all incoming URLs must use HTTPS and URIs must use ESPS.

Procedure

1. Select the EXPLORE workset, then select Actions > Configure Cluster.
2. Expand the Nodes folder and select a node.
3. Select the Connectivity tab.
4. Select the SSL check box.
5. Click Apply.

1.5.4 Disabling SSL at the Node Level

Disable SSL at the node level using SAP ESP Cockpit.

Prerequisites

Your user account has the required read and admin permissions in ESP.

Context

When you run a typical installation, SSL is enabled by default. When SSL is disabled at the node level, all incoming URLs must use HTTP and URIs must use ESP.

Procedure

1. Select the EXPLORE workset, then select Actions > Configure Cluster.
2. Expand the Nodes folder and select a node.
3. Select the Connectivity tab.
4. Clear the SSL check box.
5. Click Apply.

1.6 Generating an SSL Key in the Java KeyStore

Java keystores provide a convenient mechanism for storing and deploying X.509 certificates and private and public keys. Use keystores with Secure Sockets Layer (SSL) to have the SAP Event Stream Processor server store and read the key, and to encrypt passwords for external servers and applications (such as databases) so that passwords are not stored as clear text in configuration files. Keystores are also used for RSA authentication, because they store user certificates.

Procedure

1. To generate an SSL key that includes the server domain name, run:

   $JAVA_HOME/bin/keytool -genkey -validity 3650 -keypass <keypass> -keystore $STREAMING_HOME/cluster/examples/cluster_example.jks -alias <alias> -storepass <storepass> -keyalg RSA -keysize 2048 -dname "CN=myhostname, OU=myunit, O=myorganization, L=mylocation, S=mystate, C=mycountry" -ext SAN=dns:localhost,ip:<ip address>

   The values in this example are for demonstration purposes only.

   ○ CN is the hostname of the ESP server to which you want to connect. For example, if the hostname of the SAP Event Stream Processor server to which you are connecting is myserver.sap.com, then CN is myserver.sap.com. If you have a multinode cluster, use a wildcard for the domain name in the CN value; for example, if the domain name is sap.com, the value for CN should be *.sap.com.
   ○ OU is your organizational unit.
   ○ O is the name of the organization.
   ○ L is the name of your city or locality.
   ○ S is the name of your state or province.
   ○ C is your two-letter country code.
   ○ SAN lists any additional hosts that you want included in the certificate. You can specify a fully qualified domain name, localhost, or an IP address.

   An SSL key is created and placed in the KeyStore. If a KeyStore is not available, one is created.
Related Information

Sandboxing [page 3]
Authentication [page 4]
User Authorization Policies [page 6]
Secure Sockets Layer (SSL) Connections [page 18]
Configuring SSL [page 19]
Generating PEM Format Private Keys [page 24]
Generating a TrustStore for a Client [page 26]
Encryption [page 27]

1.7 Generating PEM Format Private Keys

Use the Java keytool to generate private keys in privacy enhanced mail (PEM) format.

Prerequisites

Ensure that you have JDK 1.6 installed on your machine.

Context

Several Event Stream Processor utilities require PEM-format private keys, including:

streamingprojectclient
streamingconvert
streamingupload
streamingsubscribe
streamingcnc
streamingquery

The keystore tool is located in the $JAVA_HOME/bin directory.

Procedure

1. From the command line, run this command to export the Java keystore to a PKCS12 format keystore, which OpenSSL can read:

   keytool -importkeystore -srckeystore <filename>.jks -destkeystore <filename>.p12 -deststoretype PKCS12

   Note
   The source file name and export file name in this command are variable.

   Press Return.

2. Run this command to convert the PKCS12 format keystore to a PEM-format private key:

   openssl pkcs12 -in <filename>.p12 -out <username>.private.pem -nodes

   Note
   The file name and user name in this command are variable.

Related Information

Sandboxing [page 3]
Authentication [page 4]
User Authorization Policies [page 6]
Secure Sockets Layer (SSL) Connections [page 18]
Configuring SSL [page 19]
Generating an SSL Key in the Java KeyStore [page 22]
Generating a TrustStore for a Client [page 26]
Encryption [page 27]
1.8 Generating a TrustStore for a Client

As part of enabling server certificate verification in SSL communication, create a TrustStore for your client that contains the root certificate of the SSL key, signed by the certificate authority.

Context

In this example, the SSL key is self-signed. Extract the root certificate for your client from the SSL key and use it as the TrustStore for the client. Copy the TrustStore and the PEM-formatted certificate to the client side for the client to use when it connects to the Event Stream Processor server.

Procedure

1. (C/C++ and .NET SDK client) Extract the root certificate in PEM format (cert.pem) and use it as the C/C++ and .NET SDK TrustStore:

   $JAVA_HOME/bin/keytool -exportcert -keystore $STREAMING_HOME/cluster/examples/cluster_example.jks -file cert.pem -alias <alias> -storepass <storepass> -rfc

2. (Java SDK) Extract the root certificate from the SSL key and place it in the Java TrustStore:

   $STREAMING_HOME/lib/jre/bin/keytool -exportcert -keystore $STREAMING_HOME/cluster/examples/cluster_example.jks -file cert.cer -alias <alias> -storepass <storepass>
   $STREAMING_HOME/lib/jre/bin/keytool -importcert -trustcacerts -alias ca -file cert.cer -storepass <storepass> -storetype jks -keystore truststore.jks

   You can delete the cert.cer file once you have imported it into the TrustStore, as there is no further need for it.

Related Information

Sandboxing [page 3]
Authentication [page 4]
User Authorization Policies [page 6]
Secure Sockets Layer (SSL) Connections [page 18]
Configuring SSL [page 19]
Generating an SSL Key in the Java KeyStore [page 22]
Generating PEM Format Private Keys [page 24]
Encryption [page 27]
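The three key-handling procedures above (sections 1.6, 1.7 and 1.8) chained into one reviewable script, with a live check of the TLSv1.2-only rule stated in section 1.4. This is an added example written for this page, not code from SAP or from the product documentation. It assumes keytool (from a JDK) and openssl are on the PATH; the keystore name, alias, password, DN fields, SAN entries and the host and port passed to the TLS check are constructed placeholders and should be set in the environment. Beyond what the guide shows, it adds -noprompt to the TrustStore import, restricts the unencrypted PEM private key to its owner, and offers a dry run that prints every command before any key material is written.

```shell
#!/bin/sh
# Added example, not from the SAP guide: the key-material pipeline of
# sections 1.6, 1.7 and 1.8 as one script, plus a live check of the
# TLSv1.2-only rule from section 1.4. Every value below is a constructed
# placeholder; override it in the environment.
KEYSTORE="${KEYSTORE:-cluster_example.jks}"
ALIAS="${ALIAS:-esp_server}"
STOREPASS="${STOREPASS:-changeit}"          # placeholder only
CN="${CN:-esp.example.internal}"
SAN="${SAN:-dns:localhost,ip:127.0.0.1}"
P12="${KEYSTORE%.jks}.p12"
PEM_KEY="${KEYSTORE%.jks}.private.pem"
CERT_PEM="cert.pem"
TRUSTSTORE="truststore.jks"

# run: execute the command, or with DRY_RUN=1 print it instead so the whole
# pipeline can be reviewed before any key material is written.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Section 1.6: RSA-2048 key pair and self-signed certificate in the JKS.
# CN must be the name clients connect to; SAN covers every other name or
# address the certificate has to match.
gen_server_key() {
  run keytool -genkeypair -validity 3650 -keyalg RSA -keysize 2048 \
    -alias "$ALIAS" -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=$CN, OU=eng, O=example, L=city, S=state, C=US" \
    -ext "SAN=$SAN"
}

# Section 1.7: JKS -> PKCS12 -> PEM private key for the streaming* utilities.
# "openssl pkcs12 -nodes" writes the key unencrypted, so the file is locked
# down to its owner immediately.
export_pem_private_key() {
  run keytool -importkeystore -srckeystore "$KEYSTORE" -destkeystore "$P12" \
    -deststoretype PKCS12 -srcalias "$ALIAS" \
    -srcstorepass "$STOREPASS" -deststorepass "$STOREPASS"
  run openssl pkcs12 -in "$P12" -out "$PEM_KEY" -nodes -passin "pass:$STOREPASS"
  run chmod 600 "$PEM_KEY"
}

# Section 1.8: PEM certificate for C/C++ and .NET clients, and a JKS
# TrustStore for Java clients, both from the same self-signed certificate.
build_client_truststore() {
  run keytool -exportcert -keystore "$KEYSTORE" -alias "$ALIAS" \
    -storepass "$STOREPASS" -rfc -file "$CERT_PEM"
  run keytool -importcert -trustcacerts -noprompt -alias ca -file "$CERT_PEM" \
    -storetype jks -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Section 1.4 says only TLSv1.2 is accepted; confirm that on a running
# ESPS/HTTPS port instead of trusting the setting. If the local openssl
# build no longer offers TLSv1.1 at all, the first check passes vacuously.
check_tls12_only() {
  host="$1"; port="$2"
  if openssl s_client -connect "$host:$port" -tls1_1 </dev/null >/dev/null 2>&1; then
    echo "FAIL: $host:$port accepted TLSv1.1" >&2; return 1
  fi
  openssl s_client -connect "$host:$port" -tls1_2 </dev/null >/dev/null 2>&1 \
    || { echo "FAIL: $host:$port did not accept TLSv1.2" >&2; return 1; }
  echo "OK: $host:$port negotiates TLSv1.2 only"
}

# The pipeline only runs when asked for explicitly, e.g.
#   DRY_RUN=1 RUN_ESP_KEYS=1 sh esp_keys.sh   (review the commands)
#   RUN_ESP_KEYS=1 sh esp_keys.sh             (write the files)
if [ "${RUN_ESP_KEYS:-0}" = 1 ]; then
  gen_server_key && export_pem_private_key && build_client_truststore
fi
```

Run it once with DRY_RUN=1 to read the exact keytool and openssl invocations, then without it to produce cluster_example.jks, the PEM private key, cert.pem and truststore.jks; afterwards check_tls12_only <host> <port> against a started node confirms that the older protocols listed in section 1.4 are really refused.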
1.9 Encryption

SAP Event Stream Processor provides two utilities for encryption, streamingclusteradmin and streamingencrypt. These utilities support password encryption for internal adapter, service, cluster, and project configuration. SAP Event Stream Processor also provides the encrypt.sh and encrypt.bat scripts for encrypting passwords in external adapter configuration files.

Utilities

The streamingclusteradmin utility encrypts passwords for project configuration, internal adapter configuration, and database service connections. Call it from a command line:

   $STREAMING_HOME/bin/streamingclusteradmin --uri=esp[s]://<host>:<port> --username=<username> --password=<password>

The streamingencrypt utility encrypts passwords in cluster configuration, passwords for the web services provider, and cluster SSL files. Call it from a command line:

   $STREAMING_HOME/bin/streamingencrypt [options...]

For more information on the utilities and their supported commands, see the SAP Event Stream Processor: Utilities Guide.

Scripts

SAP Event Stream Processor provides a pair of scripts for encrypting external adapter configuration values and for testing decryption of the encrypted values. The encrypt.sh/bat and decrypt.sh/bat scripts are available in $STREAMING_HOME/adapters. They are independent utilities that can encrypt or decrypt using any keystore. You supply the keystore, the alias, and the keystore password.

The script or utility you use for encryption depends on the element you are encrypting, as described in this table.

Encrypt... | Located in... | Using the utility or script...
SAP Event Stream Processor Studio keystore password | studio.xml | streamingencrypt
Cluster configuration passwords | ESP Cockpit settings | streamingencrypt
Project configuration file (CCR) password | .ccr | streamingclusteradmin
Adapter CNXML file password | .cnxml | streamingclusteradmin
Database service configuration password | SAP Event Stream Processor Studio properties view for a data service | streamingclusteradmin
SSL files (server.key and server.crt) | ESP Cockpit settings (referenced only) | streamingencrypt
Java external adapter configuration file password | Custom external configuration file | encrypt.sh or encrypt.bat
Adapter configuration files | adapter.xml; adapter_config.xml | encrypt.sh or encrypt.bat
Web services provider keystore password | wsp.xml | streamingencrypt

Related Information

Sandboxing [page 3]
Authentication [page 4]
User Authorization Policies [page 6]
Secure Sockets Layer (SSL) Connections [page 18]
Configuring SSL [page 19]
Generating an SSL Key in the Java KeyStore [page 22]
Generating PEM Format Private Keys [page 24]
Generating a TrustStore for a Client [page 26]

1.9.1 Encrypting Passwords for Cluster Configuration

Use the streamingencrypt executable to encrypt passwords for new nodes, or to re-encrypt existing values.

Context

During installation, ESP encrypts passwords for the cluster cache, keystore, and key elements. Manually encrypt cluster passwords only when you configure a new node or cluster (before you start it), or when you need to re-encrypt a password or property using a new key file.

The key password element is optional. While the keystore password locks the entire keystore, the key password locks only a specific key within the store.
If the key password is not specified, ESP uses the same password for both elements. Use SAP ESP Cockpit to update cluster configuration files. If you do not have ESP Cockpit installed, or if it cannot start due to errors in configuration, see Cannot Start ESP Cockpit Due to Configuration Errors in the SAP Event Stream Processor: Configuration and Administration Guide. Procedure 1. Shut down the affected node or, in some cases, the entire cluster: Before you... Shut down... Encrypt a password in the cluster configuration that has not changed (pass­ word value is already in the file). The node Change and encrypt a password or key password in the cluster cache or key­ store section. All nodes in the cluster Note If you choose to encrypt passwords in the Keystore element of a new node, first configure the Keystore. The Type, File, and Password elements in Keystore require values. A default value is provided for Type, but you must fill in File and Password values. 2. (Optional) If you are re-encrypting an encrypted password, create a new cluster key. a. From a command line, navigate to STREAMING_HOME/bin and launch the streamingencrypt executable using the --create-key option: streamingencrypt --create-key cluster.key The command writes a new key to the file cluster.key. 3. From a command line, navigate to STREAMING_HOME/bin and launch the streamingencrypt utility using the --encrypt option, where is the password you are encrypting: streamingencrypt --encrypt cluster.key --text 30 PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved. SAP Event Stream Processor: Security Guide Configuring Security If you enter the --text value successfully, the streamingencrypt utility writes the encrypted text to the display. 4. Open ESP Cockpit. Select the EXPLORE workset, then select 5. In the left pane, select 6. Copy the encrypted text from the utility, and replace the original value in the Key Store Password or Key Password field with the encrypted text. 7. 
Ensure that the Encrypted box is checked for each password that receives encrypted text. Security Actions Configure Cluster . Keystore . This attribute ensures that the server recognizes the password as encrypted text and decrypts it at runtime. If the attribute is not set to true, the server does not recognize the password as encrypted text and tries to process the password without decrypting it, resulting in errors. 8. Click Apply to save changes. 1.9.2 Encrypting Passwords for Database Services Encrypt passwords for database service connections using the streamingclusteradmin utility to avoid displaying sensitive data in plain text. Prerequisites Set up a database service connection. Procedure 1. Open Studio. 2. In the SAP ESP Authoring perspective, open the Data Services view and select a data service. 3. In the Properties view, copy the password you want to encrypt. 4. From a command line, navigate to STREAMING_HOME/bin and launch the streamingclusteradmin utility using the --encrypt_text command. This command requires host and port information as well as credentials for the ESP server. For example, where is the password you want to encrypt, the syntax is: streamingclusteradmin --uri=esp[s]://: --username= -password= --encrypt_text --text= Note If you omit the password parameter when you call the streamingclusteradmin tool, Event Stream Processor prompts you for the password and hides it as you type, which improves security. The streamingclusteradmin utility writes the encrypted password to the display. 5. Copy the encrypted text and return to Studio. SAP Event Stream Processor: Security Guide Configuring Security PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved. 31 6. In the Properties view, paste the encrypted text into the password field. Click anywhere outside of the view to save. 
1.9.3 Encrypting Passwords for Projects and Adapters

Encrypt passwords within project configuration (CCR) files and adapter CNXML files using the streamingclusteradmin utility to avoid displaying sensitive data in plain text.

Prerequisites

Configure and start your cluster.

Context

Modify the adapter .cnxml only during project environment setup.

Procedure

1. Use a text editor to open the desired configuration file:
   ● Project configuration file, in the local (Studio) cluster: /SybaseESP/5.1/workspace//.ccr
   ● Adapter configuration file: STREAMING_HOME/lib/adapters/.cnxml
2. Within the configuration file, copy the password text you want to encrypt.
3. From a command line, navigate to STREAMING_HOME/bin and launch the streamingclusteradmin utility using the --encrypt_text command. This command requires host and port information as well as credentials for the ESP server. For example, where <text> is the password you want to encrypt, the syntax is:

   streamingclusteradmin --uri=esp[s]://<host>:<port> --username=<username> --password=<password> --encrypt_text --text=<text>

   Note: If you omit the --password parameter when you call the streamingclusteradmin tool, Event Stream Processor prompts you for the password and hides it as you type, which improves security.

   The streamingclusteradmin utility writes the encrypted password to the display.

4. Copy and paste the encrypted text from the utility into the configuration file you opened in step 1 [page 32]. Replace the original password in the Password parameter with the encrypted text.
5. Change the encrypted="false" attribute for the Password parameter to encrypted="true". The encrypted attribute ensures that the server recognizes the password as encrypted text and decrypts it at runtime. If the attribute is set to false, the server does not recognize the password as encrypted text and tries to process the password without decrypting it, resulting in errors.
6. Save and close the configuration file.
1.9.4 Encrypting Passwords for the Event Stream Processor Web Services Provider and ESP Studio

Use the streamingencrypt utility to encrypt the keystore password for the ESP Web Services Provider, or to re-encrypt SAP Event Stream Processor Studio passwords.

Context

During installation, ESP encrypts the keystore passwords in wsp.xml and studio.xml. Encrypt the keystore password only when you need to re-encrypt a password using a new key file.

Procedure

1. Use a text editor to open the necessary configuration file:
   ● STREAMING_HOME/wsp/wsp.xml
   ● STREAMING_HOME/studio/clustercfg/studio.xml
2. Copy the keystore password. If the keystore password is not in the configuration file, add the Password parameter to the Keystore element and set its encrypted attribute to "true". In a sample Web Services Provider configuration file, the Keystore element contains Type JKS, File keystore.jks, and Password Pass1234, and the Cipher element contains STREAMING_HOME/wsp/wsp.key.
3. Note the value in the Cipher element. This is the cluster key file required to encrypt passwords. If the Cipher element does not exist:
   a. Create a cluster key. From a command line, navigate to STREAMING_HOME/bin and launch the streamingencrypt executable using the --create-key option:

      streamingencrypt --create-key wsp.key

      The command writes a new key to the file wsp.key. Enter studio.key instead to create a new Studio key file.
   b. Add the Cipher element to the required configuration file using the format in step 2 [page 33].
4. From a command line, navigate to STREAMING_HOME/bin and launch the streamingencrypt utility using the --encrypt option, where <key file> is the key file named in the Cipher element and <password> is the password you are encrypting:

   streamingencrypt --encrypt <key file> --text <password>

   If you enter the --text value successfully, the streamingencrypt utility writes the encrypted text to the display.
5. Copy and paste the encrypted text from the utility into the configuration file. Replace the original password in the Password parameter for the Keystore element with the encrypted text.
6. Ensure that the encrypted attribute in the Password parameter is set to encrypted="true". This attribute ensures that the Web Services Provider, or SAP Event Stream Processor Studio, recognizes the password as encrypted text and decrypts it at runtime. If the attribute is not set to true, the Web Services Provider, or SAP Event Stream Processor Studio, does not recognize the password as encrypted text and tries to process the password without decrypting it, resulting in errors.
7. Save and close the configuration file.

1.9.5 Encrypting SSL Files

Use the streamingencrypt executable to encrypt secure sockets layer (SSL) files (server.key and server.crt) for new nodes, or to re-encrypt existing files.

Context

During installation, ESP encrypts SSL files. To indicate that they are encrypted, the files gain the .enc extension, becoming server.key.enc and server.crt.enc. Encrypt SSL files only when you configure a new node or cluster (before you start it), or when you need to re-encrypt SSL files using a new key file.

By default, ESP looks for encrypted and unencrypted SSL files in STREAMING_HOME/cluster/keys/. The ESP installer provides only encrypted SSL files. To configure SSL files for a new cluster, either:
● Use OpenSSL or a similar toolkit to generate your own server.key and server.crt in privacy enhanced mail (PEM) format, or
● Copy existing SSL files to the new cluster, then use a new cluster key file to re-encrypt the files.

Procedure

1. Shut down all nodes in the cluster.
2. (Optional) If you are re-encrypting an encrypted SSL file, create a new cluster key.
   a. From a command line, navigate to STREAMING_HOME/bin and launch the streamingencrypt executable using the --create-key option:

      streamingencrypt --create-key cluster.key

      The command writes a new key to the file cluster.key.
3. From a command line, navigate to STREAMING_HOME/bin and launch the streamingencrypt executable. Do one of the following to encrypt either the server.key file or the server.crt file:
   a. To encrypt an SSL file for the first time, use the --encrypt option with the cluster key file:

      streamingencrypt --encrypt <cluster key file> --file <SSL file>

   b. To re-encrypt an SSL file, create a new cluster.key file (see step 2). Then use the --re-encrypt option with the cluster key file:

      streamingencrypt --re-encrypt <cluster key file> --file <SSL file>

   Note: streamingencrypt works on a file with any name, allowing you to keep multiple copies of your SSL files. At runtime, however, ESP looks for SSL files with these names: server.key, server.crt, server.key.enc, and server.crt.enc. The setting of the ssl-key-file-encrypted property (see step 6) determines whether ESP looks for SSL files with or without the .enc extension.

   The SSL files gain the .enc extension, marking them as encrypted.
4. Open ESP Cockpit. Select the EXPLORE tab, then select Actions > Configure Cluster.
5. In the left pane, select Applications, then choose the application type.
6. Ensure that the ssl-key-file-encrypted property is set to true. This attribute ensures that the server recognizes the file as encrypted and decrypts it at runtime. If the attribute is not set to true, the server does not recognize the file as encrypted and tries to process the file without decrypting it, resulting in errors.
7. Ensure that the ssl-key-file property points to the location of the encrypted SSL files: STREAMING_HOME/cluster/keys/
8. Click Apply to save changes.
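The ssl-key-file-encrypted property and the file names ESP looks for at runtime must agree before a node is started. As an added example (not SAP code), the following POSIX shell check verifies that agreement for a key directory; it assumes the default location STREAMING_HOME/cluster/keys/ and the four file names listed above, and the sample files it creates are constructed placeholders rather than real keys or real streamingencrypt output.

```shell
#!/bin/sh
# Added example (not SAP code): pre-start check that the SSL files in a node's
# key directory agree with the ssl-key-file-encrypted property. Per the guide,
# ESP reads server.key.enc/server.crt.enc when the property is true and
# server.key/server.crt when it is false; a mismatch makes the server process
# the files without (or with) decryption and fail with errors.

# is_pem FILE: succeed when FILE begins with a PEM header line.
is_pem() {
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN '
}

# check_ssl_files DIR FLAG
#   DIR  - the ssl-key-file directory (default STREAMING_HOME/cluster/keys/)
#   FLAG - the ssl-key-file-encrypted value: true or false
# Returns 0 when every file ESP will look for under FLAG is present in the
# expected form, 1 otherwise (printing the reason).
check_ssl_files() {
    dir=$1
    flag=$2
    case "$flag" in
        true)
            for f in server.key.enc server.crt.enc; do
                if [ ! -f "$dir/$f" ]; then
                    echo "missing $dir/$f: ssl-key-file-encrypted=true but no streamingencrypt output found"
                    return 1
                fi
            done
            ;;
        false)
            for f in server.key server.crt; do
                if [ ! -f "$dir/$f" ]; then
                    echo "missing $dir/$f: ssl-key-file-encrypted=false needs the plain PEM files"
                    return 1
                fi
                # Plain files must be PEM (the format the guide has OpenSSL produce).
                if ! is_pem "$dir/$f"; then
                    echo "$dir/$f is not PEM: encrypt it and set ssl-key-file-encrypted=true, or regenerate it in PEM format"
                    return 1
                fi
            done
            ;;
        *)
            echo "ssl-key-file-encrypted must be true or false, got '$flag'"
            return 1
            ;;
    esac
    echo "$dir is consistent with ssl-key-file-encrypted=$flag"
}

# make_sample_dir: constructed stand-ins for the four file names. Neither the
# PEM bodies nor the .enc contents are real key material or real
# streamingencrypt output. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIconstructed' '-----END PRIVATE KEY-----' > "$d/server.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIconstructed' '-----END CERTIFICATE-----' > "$d/server.crt"
    printf '%s\n' 'constructed-ciphertext-placeholder' > "$d/server.key.enc"
    printf '%s\n' 'constructed-ciphertext-placeholder' > "$d/server.crt.enc"
    echo "$d"
}

# Stand-alone demo: the sample directory holds both pairs, so it passes
# under either setting; a real key directory normally holds only one pair.
sample=$(make_sample_dir)
check_ssl_files "$sample" true
check_ssl_files "$sample" false
rm -rf "$sample"
```

Run it against the real directory as `check_ssl_files "$STREAMING_HOME/cluster/keys" true` (or false) after sourcing the script, before starting the node.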
1.9.6 Encrypting Passwords for Java External Adapters

Use an independent keystore to encrypt passwords in external adapter configuration files, and to tell Event Stream Processor to decrypt encrypted values at runtime.

Prerequisites

Set the JAVA_HOME environment variable. SAP Event Stream Processor supports SAP JVM 7.1.011.

Context

Java external adapter configuration files specify an encryption algorithm that Event Stream Processor uses when decrypting encrypted values.

Procedure

1. Use any text editor to open the desired external adapter configuration file.
2. Call the encrypt.sh (UNIX) or the encrypt.bat (Windows) script:

   $JAVA_HOME/bin/java -cp jar/adapterapi.jar:jar/commons-codec-1.3.jar com.sybase.esp.adapter.api.CryptUtils encrypt <password> <key-alias> RSA <keystore-path>/keystore.jks <keystore-password>

   a. Copy the password string from the external adapter configuration file and paste it in the position of the <password> variable in the script.
   b. Replace the <key-alias> variable with the store key alias (user name).
   c. Provide the name of the authentication method the external adapter is using. The default is RSA.
   d. Replace the <keystore-path> variable with the file path to the keystore.jks file.
   e. Replace the <keystore-password> variable with the keystore password.
   f. Run the script. The action produces a string of encrypted text that contains your hidden password.

      Note: Use the decrypt.sh (UNIX) or decrypt.bat (Windows) script to validate encrypted text. To run the decrypt command against the encrypted text, call the decrypt script and provide the same credentials you provided for the encrypt script.

   g. Copy and paste the encrypted text from the script into the text editor containing the configuration file. Replace the original password under the espPassword parameter with the encrypted text, then create the encrypted attribute for the parameter and set it to true. When set to true, this attribute ensures that Event Stream Processor recognizes the password as encrypted text and is able to decrypt it at runtime. If the attribute is set to false, ESP does not recognize the password as encrypted text and tries to process the password without decrypting it, resulting in errors.

3. The external adapter configuration file contains a section with the parameters needed to connect to streamingproject. Provide values for espHost and espPort, and in the case of a cluster, supply the cluster URI under espConnection. In the sample file, espHost is localhost, espPort is 22000, and the espConnection entry, which is commented out, is esp[s]://localhost:19011/ws1/p1.

4. The next section contains the parameters required to enable authentication for the external adapter, such as user name and password. Specify an authentication type for espAuthType:

   | Authentication Type | Required Value |
   |---|---|
   | Kerberos | user_password |
   | LDAP | user_password |
   | keystore, keystore password | server_rsa |
   | Native OS (user name/password) | user_password |

   Example using the Kerberos authentication value: espAuthType set to user_password.

5. Provide values for other required fields, based on the chosen authentication type. Regardless of authentication type, if the password is encrypted, you must define values for espRSAKeyStore and espRSAKeyStorePassword.
6. Modify the encryption algorithm specified for espEncryptionAlgorithm as needed. The default value is RSA; your other option is DSA.
7. Save the configuration file.

Important Disclaimers and Legal Information

Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet.
These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).

www.sap.com/contactsap

© 2014 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.