MongoDB Service - SAP Help Portal

PUBLIC2017-10-26

MongoDB Service

© 2

018

SAP

SE o

r an

SAP affi

liate

com

pany

. All r

ight

s re

serv

ed.

THE BEST RUN

Content

1 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.1 Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.2 Access the MongoDB Instance Using Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.3 Bind the Mongodb Instance to Application in Cockpit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61.4 Build Applications with MongoDB. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71.5 Export/Import Data from MongoDB Service Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Data import to new MongoDB instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101.6 Restore Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2 Schedule Maintenance for MongoDB Service Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3 Major version upgrade from MongoDB 3.0 to 3.4. version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

4 Data Protection and Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

5 Data Encryption Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

2 P U B L I CMongoDB Service

Content

1 Overview

MongoDB is a free and open-source cross-platform document-oriented database program. Classified as a NoSQL database, MongoDB uses JSON-like documents with flexible schemas. MongoDB is developed by MongoDB Inc., and is published under a combination of the GNU Affero General Public License and the Apache License.

Development is simplified as MongoDB documents map naturally to modern, object-oriented programming languages.

It is widely used DB among the developer community and has native drivers available for most programing languages, providing you the flexibility of choosing the language as per your application needs.

The MongoDB edition hosted on SAP CP is the open source community edition offering the features and enhancements contributed by the MongoDB community. New service plans with MongoDB 3.4 version have been introduced. The new 3.4 plans come with WiredTiger as the storage engine.

MongoDB on SAP CP is available on AWS cloud infrastructure for productive purposes and also as beta service on Azure and GCP. This provides the flexibility to choose a infrastructure according to your technical and legal requirements.

1.1 Features

High Availability

System or component operates continuously for a desirably long duration of time, as MongoDB is managed by SAP on the cloud, with new features and enhancements made available as rolling updates. So you can focus on your application development without having to worry about operating the database. MongoDB instances are replica sets that are deployed as a Highly Available cluster. With this HA cluster setup, in the event of individual node failures, the application can still function without disruption as an automatic failover will ensure reconnection to the other available nodes within the cluster.

Backup and Restore

SAP takes automated backups at periodic intervals and retains the backup data for 14 days. This reduces the chance of data loss allowing you to recover data.

You can restore the data of a service instance on to another instance within the same CF space. If your service instance is deleted by any chance, you can also restore the data from the deleted instance on to another instance. See Restore Data [page 11].

MongoDB ServiceOverview P U B L I C 3

Disk Space Handling

When the MongoDB database is filled to 98% disk usage, the application would run into the error “Not authorized to write data” thrown by the MongoDB driver.

This is to prevent a potential database crash that may occur when the disk space is completely used up. To prevent such a crash, the database does not allow writes beyond 98%.

In this situation, you must upgrade to a higher service plan to be able to write to the database again.

1.2 Access the MongoDB Instance Using Command Line

Use the cf command line interface (CLI) to access the MongoDB instance.

Prerequisites

● You have downloaded Cloud Foundry CLI available at Github .● You need to install cf cli.● You have an existing account on CF.

Context

You can access the MongoDB instance either by binding the instance with application or by creating a service key. By default the credentials provide you with the dbOwner role. However, you can generate credentials with clusterMonitor role by providing optional parameters.

Procedure

Bind the MongoDB Instance with Application1. Open Command line.2. Set the target API endpoint to the cloud controller of the Cloud Foundry instance depending on the region

in which your global account is hosted.

cf api https://api.cf.<host information>

If your global account is hosted in the US East (VA) region, enter the following endpoint:

cf api https://api.cf.us10.hana.ondemand.com

4 P U B L I CMongoDB Service

Overview

If your global account is hosted in the Europe (Frankfurt) region, enter the following endpoint:

cf api https://api.cf.eu10.hana.ondemand.com

NoteThere is no specific endpoint for trial accounts. Both enterprise and trial accounts use the same API endpoints.

3. Log on to the Cloud Foundry instance.

cf login

4. When prompted, enter your user credentials (email and password).5. In the command line, set your personal space as target. To do so, execute: cf target -o ORG -s

SPACE.

NoteIf you are assigned to only one Cloud Foundry organization and space, the system automatically targets you to the relevant Cloud Foundry organization and space once you have logged on.

6. Create a service instance using the command cf create-service <Mongodb Service Name> <Mongodb Service Plan> <Mongodb Instance Name>.

7. Bind the service instance with the application using the command cf bind-service <application name> <Mongodb Instance Name>.

8. To cross check the binding, there are two options:○ Run cf services → summary for all the services in your SPACE.○ Run cf service <Serviceinstance instance name> to list the details of the service instance.

NoteTo view the help for the CLI, execute cf help, which lists the most common CLI commands with a short description, or cf help -a, which lists all commands. To get help for a specific command, execute cf help <command>

Create a Service Key1. To generate credentials for a service instance, use the cf create-service-key command:

$ cf create-service-key MY-SERVICE MY-KEY Creating service key MY-KEY for service instance MY-SERVICE as [email protected]... OK

2. Use the -c flag to generate credentials with the clusterMonitor role.3. To provide the JSON object in-line, use the following format:

cf create-service-key <your service instance name> <your service key name> -c '{"role":"clusterMonitor"}'

MongoDB ServiceOverview P U B L I C 5

1.3 Bind the Mongodb Instance to Application in Cockpit

Prerequisites

Sign up for a CF global account and receive your logon data.

Context

For Cloud Foundry, you use one of the region links supplied in the Home screen of the cockpit.

Procedure

1. On the SAP Cloud Platform web page, choose Login and enter your credentials.2. To navigate to the Regions overview page, choose Home.3. Select the cloud foundry region nearest to you.4. Create a subaccount inside your global account.5. Select the tile of your new subaccount and choose Enable Cloud Foundry. This creates an org that maps to

your subaccount.6. Enter a name for the organization or leave the default organization name, then choose Create.7. Choose New Space.8. Enter a space name and choose the permissions you'd like to assign to your ID, then choose Ok.

9. Click on your Subaccount Space Service Marketplace .10. Choose the MongoDB Service.11. To create an instance for Mongodb, select Instances from the left navigation pane and click New Instance.12. Choose a service plan, then choose Next.13. (Optional) In Specify Parameters, provide a JSON file or enter details in JSON format.14. Choose Next.15. Choose an application.

If you have not yet deployed the application, skip the screen to choose the application and choose Next. You can upload the application later and revisit the instance to bind the instance with the application. For more information about deploying, see http://docs.cloudfoundry.org/devguide/deploy-apps/deploy-app.html .

16. Enter a name for the instance.17. Choose Finish.

6 P U B L I CMongoDB Service

Overview

1.4 Build Applications with MongoDB

Prerequisites

● You hav installed a JDK 1.8 available on the Oracle Download page .● You have downloaded Maven 3.0 available on the Apache Maven Project Download page .● You have downloaded Git available on the Git Download page .

Procedure

1. Clone the project from github.

git clone https://github.com/SAP/hcp-cloud-foundry-tutorials.git

2. To create the java maven project first, run the following command.

mvn archetype:generate -DgroupId=hcp-cf-mongodb-tutorial -DartifactId=hcp-cf-mongodb-tutorial -DinteractiveMode=false

3. Create a service instance.

cf create-service mongodb v3.0-container mongo-service

TipThe version of the MongoDB service changes on a regular basis. To check the version, use the cf marketplace command.

4. Build the sample project.

cd hcp-cloud-foundry-tutorials/hcp-cf-mongodb-tutorial mvn package

5. Modify the manifest.yml, change the host to something unique so that the application push does not fail, and then push the project..

cf push

It is possible that the application push might fail with the following error: Server error, status code: 400, error code: 210003, message: The host is taken:

Just change the host value in the manifest.yml file to something unique. Now the push should work.6. Run the project in your Web browser using the URL that was created after you pushed the application.7. Once the project has been created, edit your pom.xml file to put all the relevant dependencies. It should

look similar to this pom.xml sample file.

MongoDB ServiceOverview P U B L I C 7

8. Create a manifest.yml file, which contains the cf configuration details and looks similar to this manifest.xml sample file. To prevent an application push from failing because the host has already been assigned, make sure that your host value is unique.

9. You also need a Spring Boot starter class, which starts the application and should look similar to this HCPWebApplication.java sample file. For more information about Spring Boot, see the Spring Boot page

.

The other important class is the controller class, which is responsible for HTTP request mapping. The class should look like this RootController.java sample file.

10. Now let's have a look at some important aspect of this controller class. The codeblock shows the class structure that includes an important part of the database connection from the bound service. The annotation @Controller tells you that it is a controller class. @RequestMapping("/") tells you that this class is called when the root URL of the app is hit. onRootAccess() is the method that handles the GET request, which is pointed to by the @RequestMapping(method = RequestMethod.GET) annotation. We have a mongoTemplate field that is @Autowired. Therefore, a MongoDB connection can be created when parsing the service instance bound to this application. The tutorial uses the mongoTemplate field to access MongoDB directly.

package com.sap.hcp.cf.tutorials.mongodb;import java.util.ArrayList;import java.util.List;import org.slf4j.Logger;import org.slf4j.LoggerFactory;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.data.mongodb.core.MongoTemplate;import org.springframework.stereotype.Controller;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.web.bind.annotation.RequestMethod;import org.springframework.web.bind.annotation.ResponseBody;import com.mongodb.BasicDBObject;import com.mongodb.DBCollection;import com.mongodb.DBCursor;import com.sap.hcp.cf.tutorials.mongodb.model.DBObject;import com.sap.hcp.cf.tutorials.mongodb.model.Result;@Controller@RequestMapping("/")public class RootController { private static final Logger log = LoggerFactory.getLogger(RootController.class); @Autowired MongoTemplate mongoTemplate; @RequestMapping(method = RequestMethod.GET) public @ResponseBody Result onRootAccess() { DBCollection collection = mongoTemplate.getCollection("test"); long count = collection.getCount(); log.info("Object count in 'test' collection before insert: " + count + "<br/> Inserting one object.<br/>"); BasicDBObject dBObject = new BasicDBObject(); dBObject.put("hello", "world"); collection.insert(dBObject); count = collection.count(); log.info("Object count in test collection after insert:" + count); Result result = new Result(); List<DBObject> dbObjects = new ArrayList<DBObject>(); DBCursor cursor = collection.find(); while (cursor.hasNext()) { com.mongodb.DBObject obj = cursor.next(); final String value = (String) obj.get("hello"); DBObject object = new DBObject(); object.setKey("hello"); object.setValue(value);

8 P U B L I CMongoDB Service

Overview

dbObjects.add(object); } result.setDbObjects(dbObjects); result.setStatus( "Successfully accessed Mongodb service. Retrieving the data object inserted in test collection."); collection.drop(); return result; }}

Now this application is ready to be deployed.

1.5 Export/Import Data from MongoDB Service Instance

This procedure explains how to gain direct command line access to your deployed MongoDB service instance to export/import data from database.

Prerequisites

● Install cf cli on your local machine. For more information, https://docs.cloudfoundry.org/cf-cli/install-go-cli.html

● Ensure that you have access to the MongoDB tool - mongodump/mongorestore on your local machine.

Context

To establish direct command line access to a service, you need to deploy a host app and use its SSH and port forwarding features to communicate with the service instance through the app container. The technique is outlined below.

Procedure

1. Push an app that will act as the host for the SSH tunnel. Push any app that will successfully deploy to Cloud Foundry.

$ cf login $ cf target -o <org> -s <space>// Org and space where postgres service instance is there $ cf push YOUR-HOST-APP

2. Enable SSH for your app.

$ cf enable-ssh YOUR-HOST-APP

MongoDB ServiceOverview P U B L I C 9

NoteTo enable SSH access to your app, SSH access must be allowed for the space that contains the app. (The Space Manager needs to allow SSH access for applications running in spaces; cf allow-space-ssh SPACE_NAME). Also, you must be a Space Developer or Space Manager to be able to execute the cf ssh command successfully.

3. To establish SSH access to your service instance, you must create a service key that contains information for configuring your SSH tunnel.

cf service-key MY-DB EXTERNAL-ACCESS-KEY {"dbname": "be836664983e8fa3","password": "**********************","port": "27017","replicaset": "038b88c331069584fdab34dd661931a7","uri": "mongodb://1f86ebe5e4b0d98c10df7d0685e91bed:[email protected]:27017,10.11.31.121:27017,10.11.31.122:27017/be836664983e8fa3?replicaSet=038b88c331069584fdab34dd661931a7","username": "1f86ebe5e4b0d98c10df7d0685e91bed" }

4. Configure an SSH tunnel to your service instance using cf ssh

$ cf ssh -L 63306:<hostname>:<port> YOUR-HOST-APP

○ Use any available local port for port forwarding. For example, 63306.○ <hostname>: Replace with the hostname provided under URI in the service key retrieved above.

From the sample service key above, the hostname is 10.11.31.120○ <port>: Replace with the port provided under port above.○ Replace YOUR-HOST-APP with the name of your host app.○ After you enter the command, open another terminal window and perform the steps in below section.

5. Run the following command to export the data from the database to a location in your local system:

mongodump -h localhost --authenticationDatabase <db name> -u <user name> -p <password> -d <db name> --port 63306

○ Replace the user name, password and dbName with the details provided from the service key.○ Provide the pathToLocalDirectory where you want to export the data.○ Port 63306 (or whatever port number you specified earlier).

Data import to new MongoDB instance

If you need to reconstruct the database using the datadump to some new MongoDB instance then follow the instructions below:

1. Create a service key for this new mongodb instance:

$ cf create-service-key MY-NEW-DB MY-ACCESS-KEY $ cf service-key MY-NEW-DB MY-ACCESS-KEY

10 P U B L I CMongoDB Service

Overview

2. Use the credentials (dbname, username, password) in above service key to reload the data to new mongodb instance:

mongorestore -h localhost --authenticationDatabase <db-name> -d <db-name> -u <user name> -p <password> <path to the dump> --port <local opened port>

NoteYour ssh IP should point to the primary node in a replica set cluster. The local port number should be different for mongodump and mongorestore.

1.6 Restore Data

Restoring data from one instance to another instance

Procedure

1. Log on to the Cloud Foundry instance using the command cf login.

2. Execute cf list-backup <service_instance_name> command to display a list of backups that are specific to the service instance within a space.

3. Execute cf start-restore <service_instance_name> <backup_id> command to restore data from the service instance from the specified instance name and backup ID.

Note

To know more about the CF CLI commands, see CLI Plugin .

Restoring data from a deleted instance

Procedure

1. Log on to the Cloud Foundry instance using the command cf login.

2. Execute cf instance-events --delete command to list all deleted service instance events in the space.

3. Execute cf list-backup<service_instance_name> --deleted to display the list of all backups for a deleted service instance.

4. Execute cf start-restore <service_instance_name> <backup_id> command to restore data from the service instance from the specified instance name and backup ID.

MongoDB ServiceOverview P U B L I C 11

NoteInstance will be unavailable for connections during the restore operation; existing connections will be lost.

12 P U B L I CMongoDB Service

Overview

2 Schedule Maintenance for MongoDB Service Instance

SAP performs periodic maintenance updates to the MongoDB instance’s operating system or processes in a predefined schedule by default. Updates to the operating system are often critical security patches and should be applied as soon as possible.

Context

Maintenance updates can potentially make the instance unavailable for a short period of time. To address this issue, SAP allows you to set a maintenance schedule for the instances from the Cloud Cockpit and perform updates. To schedule maintenance for an instance, follow the steps below:

Procedure

1. On the SAP Cloud Platform cockpit, choose Login and enter your credentials.2. To navigate to the Regions overview page, choose Home.

3. Choose your Global Account name Subaccount Spaces Space Name Service Instances Service Instance name

4. To set a custom maintenance schedule, click Maintenance Schedules.5. Enter a maintenance schedule by selecting a day and time.6. Choose Save.

NoteSAP does not allow users to postpone maintenance updates indefinitely to avoid missing critical updates.

MongoDB ServiceSchedule Maintenance for MongoDB Service Instance P U B L I C 13

3 Major version upgrade from MongoDB 3.0 to 3.4. version

On the SAP Cloud platform, MongoDB 3.0 version will reach end of life by September 13th 2018.

Support for upgrading existing 3.0 instances to 3.4 is now available. When the upgrade is triggered, existing 3.0 instances are upgraded from 3.0 to 3.4 version (with an intermediate upgrade to 3.2) and the underlying storage engine is switched from MMAP to WiredTiger .

Important Timeliness:

June 14th 2018 Self-service major version upgrade available

July 19th 2018 Creation of new MongoDB 3.0 instances is disabled

Sep 13th 2018 All remaining MongoDB 3.0 instances are upgraded perma­nently to MongoDB 3.4 by SAP.

Note: This could potentially disrupt business applications if any incompatible features are being used.

Upgrade recommendations

Prerequisites:

1. Refer to the MongoDB release notes 3.2 and 3.4 for changes that are incompatible with MongoDB 3.0 version. Check if there are any database features used in your applications that have been deprecated.

2. Refer to the Driver Comparability Reference to know the driver versions that are compatible with MongoDB 3.4 version.

Procedure

The upgrade is performed via cf update-service command. On a MongoDB 3.0 instance, trigger an update using the command:

cf update-service <service_instance_name> -p <3.4_plan_name> For example: cf update-service my-mongodb-instance -p v3.4-xsmall

If you have any test instances, it is recommended that you perform upgrade on test instances first to verify that the upgrade is successful and your applications work as expected.

14 P U B L I CMongoDB Service

Major version upgrade from MongoDB 3.0 to 3.4. version

How long will the upgrade take to finish?

The actual time taken for the upgrade depends on the plan used and amount of data stored in the database. As the underlying storage engine is also migrated from MMAP to WiredTiger, it adds to the overall upgrade time.

Given below are approximate times taken per plan with disks filled up to capacity:

Plan Size Time taken

xsmall 40 GB 1 hour, 15 minutes

small 100 GB 2 hours

medium 400 GB 5 hours, 30 minutes

large 800 GB 4 hours, 15 minutes

Is there a downtime involved?

No, the major version upgrade is performed as a rolling update on the MongoDB replica set cluster.

MongoDB replica sets provide high availability using automatic failover that allows a secondary member to become primary if the primary is unavailable. During a failover it may take 5-30 seconds for a primary to be elected. As long as your application has been configured to use a replica set connection by passing in replica set connection URI to the driver, it will gracefully handle failover events.

However, it is still recommended that you plan the upgrade of your production instances within a maintenance window to avoid any potential issues.

For any issues that you face during upgrades, create a ticket on the component BC-NEO-BS-MONGO.

MongoDB ServiceMajor version upgrade from MongoDB 3.0 to 3.4. version P U B L I C 15

4 Data Protection and Privacy

Governments place legal requirements on industry to protect data and privacy. We provide features and functions to help you meet these requirements.

NoteSAP does not provide legal advice in any form. SAP software supports data protection compliance by providing security features and data protection-relevant functions, such as blocking and deletion of personal data. In many cases, compliance with applicable data protection and privacy laws is not covered by a product feature. Furthermore, this information should not be taken as advice or a recommendation regarding additional features that would be required in specific IT environments. Decisions related to data protection must be made on a case-by-case basis, taking into consideration the given system landscape and the applicable legal requirements. Definitions and other terms used in this documentation are not taken from a specific legal source.

The following sections provide information about the MongoDB service. For the central data protection and privacy statement for SAP Cloud Platform, see Data Protection and Privacy

User Consent

We assume that software operators, such as SAP customers, collect and store the consent of data subjects, before collecting personal data from data subjects. A data privacy specialist can later determine whether data subjects have granted, withdrawn, or denied consent.

The MongoDB service does not provide any support for collecting and storing the consent of data subjects for applications built on SAP Cloud Platform. It is the responsibility of your applications to provide such support.

Information Report

An information report is a collection of data relating to a data subject. A data privacy specialist may be required to provide such a report or an application may offer a self-service.

To enable data subjects to obtain information about their data in the MongoDB service, you can export your data. For more information, see Export/Import Data from MongoDB Service Instance [page 9]

Read-Access Logging and Change Log

Read-access logging (RAL) is used to monitor and log read access to sensitive data. Data may be categorized as sensitive by law, by external company policy, or by internal company policy. Read-access logging enables you to answer questions about who accessed certain data within a specified time frame.

16 P U B L I CMongoDB Service

Data Protection and Privacy

For auditing purposes or for legal requirements, changes made to personal data should be logged, enabling the monitoring of what changes were made and when. The audit log entries are forwarded to the Audit Log service and stored there for a defined period of time.

For more information on retrieving your audit logs, see Audit Log Retrieval API Usage for the Cloud Foundry Environment.

For more information on retaining audit logs, see Audit Log Retention for the Cloud Foundry Environment.

For information on Audit log viewer, see Audit Log Viewer for the Cloud Foundry Environment

Erasure

When handling personal data, consider the legislation in the different countries where your organization operates. After the data has passed the end of purpose, regulations may require you to delete the data. However, additional regulations may require you to keep the data longer. During this period you must block access to the data by unauthorized persons until the end of the retention period, when the data is finally deleted.

You can delete your MongoDB service instance and therefore, all the data stored in your databases. To do so, navigate to your sub account using the procedure

Navigate to Global Accounts, Subaccounts, Orgs, and Spaces in the Cockpit and delete the service from the Overview page.

After you delete your data, we may have this data in our backup system for the length of our backup retention period. SAP keeps backups of your databases for a retention period of 14 days. Backups are deleted afterwards.

Glossary

Term Definition

Consent The action of the data subject confirming that the usage of his or her personal data shall be allowed for a given purpose. A consent functionality allows the storage of a consent re­cord in relation to a specific purpose and shows if a data subject has granted, withdrawn, or denied consent.

Deletion Deletion of personal data so that the data is no longer avail­able.

MongoDB ServiceData Protection and Privacy P U B L I C 17

Term Definition

Personal data Any information relating to an identified or identifiable natu­ral person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, men­tal, economic, cultural, or social identity of that natural per­son

Retention period The period of time between the end of the last business ac­tivity involving a specific object (for example, a business partner) and the deletion of the corresponding data, subject to applicable laws. The retention period is a combination of the residence period and the blocking period.

Sensitive personal data A category of personal data that usually includes the follow­ing type of information:

● Special categories of personal data, such as data reveal­ing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation, or personal data concerning bank and credit accounts.

● Personal data subject to professional secrecy● Personal data relating to criminal or administrative of­

fenses● Personal data concerning insurances and bank or credit

card accounts

18 P U B L I CMongoDB Service

Data Protection and Privacy

5 Data Encryption Strategy

Your crucial information stored in the database is maintained in a highly secure manner as we at SAP use the encryption capabilities provided by the underlying IaaS providers AWS, Azure, GCP and SAP DC. Encryption details for each of the IaaS provides are described below:

Data Center Data stored on persistent disk Backup data Reference

Amazon Web Service

Data is stored on encrypted Elastic Block Store (EBS) volumes.

EBS uses Amazon Key Management Serv­ice (AWS KMS) customer master keys (CMKs) to encrypt volumes/disks.

AWS manages the key per account and this key is used for all encryptions in that ac­count.

Encrypted EBS volume snapshots stored on AWS S3.

EBS uses Amazon Key Manage­ment Service (AWS KMS) cus­tomer master keys (CMKs) to en­crypt snapshots.

EBS Encryption

Microsoft Azure

Data is stored on encrypted Managed Disks.

Azure SSE (Storage Service Encryption) provides encryption-at-rest for managed disks.

Encrypted managed disk snap­shots stored on Azure Zone Re­dundant Storage (ZRS).

Azure Manage Disks

GCP Data is stored on encrypted Persistent Disks.

Persistent disk is encrypted with system-defined keys (managed by GCP).

Encrypted persistent disk snap­shots are taken.

Create Snapshots

SAP DC Data is stored on persistent volume/disks. Encrypted backups are uploaded to SAP Swift storage.

SAP controls the keys for SAP Cloud Platform in SAP data cen­ters.

MongoDB ServiceData Encryption Strategy P U B L I C 19

Important Disclaimers and Legal Information

HyperlinksSome links are classified by an icon and/or a mouseover text. These links provide additional information.About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any

damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Beta and Other Experimental FeaturesExperimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example CodeAny software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related LanguageWe try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

20 P U B L I CMongoDB Service

Important Disclaimers and Legal Information

MongoDB ServiceImportant Disclaimers and Legal Information P U B L I C 21

www.sap.com/contactsap

© 2018 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.

THE BEST RUN