Step by Step “No root key matching hash” when recovering HANA Database with encrypted backup

Symptom:

We were performing a system refresh, and the production HANA database is on HANA 2.0 SPS07; with this version, encryption is enabled by default. Hence the recovery failed with the error below.

RECOVER DATA finished with error:
recovery could not be completed,
Backup rootkey xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is required for decryption of backup files, but not found in key store. Please make sure you have provided the necessary keys before recovery., No root key matching hash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Resolution:

Follow the step-by-step procedure below to complete the recovery with encrypted backup files. We performed this procedure as part of a system refresh, so the source database is Production and the target is the Pre-Prod DB.

1. First, get the DBID of the source and target databases. Run the SQL query below in SYSTEMDB from HANA Studio to get the database ID of the tenant database.

-- The database ID is the numeric suffix of SUBPATH in M_VOLUMES.
-- Without a suffix, SYSTEMDB is reported as 1 and a tenant as 3.
SELECT DATABASE_NAME,
CASE WHEN (DBID = '' AND
DATABASE_NAME = 'SYSTEMDB')
THEN 1
WHEN (DBID = '' AND
DATABASE_NAME <> 'SYSTEMDB')
THEN 3
ELSE TO_INT(DBID)
END DATABASE_ID
FROM (SELECT DISTINCT DATABASE_NAME, SUBSTR_AFTER (SUBPATH,'.') AS DBID FROM SYS_DATABASES.M_VOLUMES);

Make a note of the source and target DBIDs, e.g. the DBID of both the source and the target tenant is 3.

2. The keys can be viewed at the HANA DB OS level using the command below as the SIDADM user.

hdbnsutil -printHashedRootKeys --dbid=3 --verbose

3. Now take a backup of the target (Pre-Prod system) backup keys before replacing them with the keys from the source system.

First, set the password for the keys before taking the backup. This can be set in HANA Cockpit: from the Database Overview, with the Security and User Management or All view selected, choose the Data Encryption card. In the Data Encryption app, choose Manage Keys. On the Manage Keys page, click Set Root Key Backup Password and specify the password in the tenant database. Alternatively, it can be set using the SQL statement below:

ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD <passphrase>

The backup of the backup encryption keys can be taken at the HANA DB OS level using the command below as the SIDADM user.

hdbnsutil -backupRootKeys target_backup.rkb --dbid=3 --type='BACKUP'

The file target_backup.rkb, containing the backup of the encryption keys, is generated in the same location.

This backup can be validated against the previously set password using the command below.

hdbnsutil -validateRootKeysBackup target_backup.rkb

This command asks for the password that was set for the keys in HANA Cockpit. If it matches, it reports a successful validation.

4. Now we have a backup of the target's backup encryption keys. The goal of this procedure is to replace the backup encryption keys of the target DB with the keys from the source DB.

Take a screenshot of the keys of the source DB at the HANA DB OS level using the command below.

hdbnsutil -printHashedRootKeys --dbid=3 --verbose

5. Set the password for the keys in the source database. Take a key backup and validate it as per the steps in point 3. The key backup taken in this step has to be moved to the target database server for import.

6. Stop the target DB and import the keys using the OS-level command below as the SIDADM user.

hdbnsutil -recoverRootKeys source_backup.rkb --dbid=3 --type='BACKUP'

This changes only the backup keys to match the source database; the other keys should remain unchanged. This can be validated using the screenshot taken in step 4.

Now the source and target have the same backup encryption keys. Start the DB again and resume the recovery in HANA Studio; it should work.
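A pre-check for the procedure above, added here as an example and not part of the original post or of SAP's tooling: it pulls the required hash out of the recovery error and looks for it in saved text output of hdbnsutil -printHashedRootKeys from both systems, so the right source key backup is confirmed before step 6. It assumes the hash from the error appears verbatim in that output; the file names, function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example. Key listings are saved output of
#   hdbnsutil -printHashedRootKeys --dbid=<dbid> --verbose
# and are searched as opaque text; their layout is not assumed.

# Extract the hash from a "No root key matching hash=..." recovery error.
required_hash() {
    sed -n 's/.*No root key matching hash=\([0-9A-Za-z]*\).*/\1/p' "$1" | head -n 1
}

# Succeeds if the hash occurs anywhere in a saved key listing.
has_key() {
    grep -qiF -- "$1" "$2"
}

# Verdict for: <error log> <source listing> <target listing>
#   ready           source holds the key, target does not: import it
#   already-present target already holds the key: no import needed
#   wrong-source    this source listing does not hold the key either
#   no-hash         the log contains no root key error
key_swap_verdict() {
    ksv_hash=$(required_hash "$1")
    if [ -z "$ksv_hash" ]; then echo "no-hash"; return 2; fi
    if has_key "$ksv_hash" "$3"; then echo "already-present"; return 0; fi
    if has_key "$ksv_hash" "$2"; then echo "ready"; return 0; fi
    echo "wrong-source"; return 1
}

# Constructed sample data (hash values and listing lines are made up).
demo=$(mktemp -d)
printf '%s\n' 'RECOVER DATA finished with error:' \
    'recovery could not be completed, No root key matching hash=0a1b2c3d4e5f' \
    > "$demo/recover_error.txt"
printf '%s\n' 'CONSTRUCTED-LISTING backup key hash: 0a1b2c3d4e5f' > "$demo/source_keys.txt"
printf '%s\n' 'CONSTRUCTED-LISTING backup key hash: 9f8e7d6c5b4a' > "$demo/target_keys.txt"
: > "$demo/empty.txt"

verdict=$(key_swap_verdict "$demo/recover_error.txt" \
    "$demo/source_keys.txt" "$demo/target_keys.txt")
echo "required hash: $(required_hash "$demo/recover_error.txt")"
echo "verdict: $verdict"
```

A "wrong-source" verdict means the key backup to import must come from a different system than the one whose listing was checked.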

Reference:

https://me.sap.com/notes/0003425722

https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/7def3297f93842a6b04f4d3f77ae07f6.html
