Technology Blogs by SAP
thomas_drescher
SAP systems on an IBM Db2 for LUW database use a connect user and its operating system password to connect to the database of the application server ABAP. Most SAP executables use the DBSL to open such connections (for example, disp+work, R3trans, tp, and so on), but there are also some standalone tools like db6util. All of these programs need a way to retrieve the operating system password from a secure location.

So far, the password was stored in the file dscdb6.conf, which you could update using the command-line tool dscdb6up. In this post I show you how you can instead use the secure storage in the file system for password storage and what its benefits are.

Secure Storage in the File System


The secure storage in the file system (also referred to as secure storage) is part of the SAP application server ABAP and can be used to securely store the password of the connect user. The secure storage replaces the old password storage in the dscdb6.conf file. When the secure storage is used, you maintain passwords using the tool rsecssfx instead of the old tool dscdb6up. rsecssfx is a command-line tool that is delivered as part of the kernel executable archive. With rsecssfx you can create a new secure storage in the file system or maintain entries in an existing secure storage in the file system.

What’s New?


SL Toolset 1.0 SP 36 (and as part of it, software provisioning manager 1.0 SP 36) is available now. When you install SAP systems or perform a system copy using software provisioning manager 1.0 SP 36, secure storage in the file system is the new default password storage. This applies to SAP systems based on SAP NetWeaver 7.5 and higher. The minimum required SAP kernel release is 7.49.

Previously installed SAP systems that already run on kernel 7.49 or higher can be converted manually from dscdb6.conf to the secure storage.

Advantages of the Secure Storage Compared to the Old Password Store


With the old password store in dscdb6.conf and its tool dscdb6up, operating system passwords were limited to 16 characters. This was an unfortunate limitation, because the DBSL layer can work with passwords of up to 64 characters, provided that the underlying operating system supports passwords of this length. The secure storage supports longer passwords, so you can now define passwords of up to 64 characters.

Entries in the Secure Storage


Let's look at the secure storage and its entries in more detail. There are two database-relevant entries in the secure storage: the name of the connect user is stored under the record key DB_CONNECT/DEFAULT_DB_USER, and the password of the connect user under the record key DB_CONNECT/DEFAULT_DB_PASSWORD. The SYSTEM_PKI entries belong to the system PKI and are not database-related:
rsecssfx list
|---------------------------------------------------------------------------------|
| Record Key                     | Status             | Time Stamp of Last Update  |
|---------------------------------------------------------------------------------|
| DB_CONNECT/DEFAULT_DB_PASSWORD | Encrypted          | 2022-09-26 23:54:55 UTC    |
|---------------------------------------------------------------------------------|
| DB_CONNECT/DEFAULT_DB_USER     | Plaintext          | 2022-09-26 23:54:50 UTC    |
|---------------------------------------------------------------------------------|
| SYSTEM_PKI/PIN                 | Encrypted          | 2022-09-27 01:21:42 UTC    |
|---------------------------------------------------------------------------------|
| SYSTEM_PKI/PSE                 | Encrypted (binary) | 2022-09-27 01:21:44 UTC    |
|---------------------------------------------------------------------------------|

The user name is stored as plaintext, and its value can be retrieved from the command line:
rsecssfx get DB_CONNECT/DEFAULT_DB_USER
Record Key : DB_CONNECT/DEFAULT_DB_USER
Record Value : sap<sapsid>
Time Stamp : 2022-09-26 23:54:50 UTC
Host Name : <hostname>
OS-User : <sapsid>adm


When the password key is retrieved, the value is not shown:
rsecssfx get DB_CONNECT/DEFAULT_DB_PASSWORD
Record Key : DB_CONNECT/DEFAULT_DB_PASSWORD
Record Value : <Encrypted text>
Time Stamp : 2022-09-26 23:54:55 UTC
Host Name : <hostname>
OS-User : <sapsid>adm

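The listing above is what you check when you want to know whether a system is already on the secure storage and whether the password entry really is encrypted. The script below is an added example, not code from the original post and not an SAP-delivered tool: it parses the output format of rsecssfx list as shown above and verifies that both DB_CONNECT record keys exist and that the password entry has status Encrypted (a password entry written with -plain would show Plaintext). The sample listing embedded in the script is constructed; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the output of
# "rsecssfx list" for the two database-relevant record keys. A constructed
# sample in the same format is embedded so it runs without an SAP system.
# Real use, as <sapsid>adm:   rsecssfx list | sh check_ssfs.sh -

# Print the Status column for one record key; print nothing if it is absent.
ssfs_status_of() {
    listing=$1; key=$2
    # Rows look like: | DB_CONNECT/DEFAULT_DB_USER | Plaintext | 2022-09-26 ... |
    printf '%s\n' "$listing" | awk -F'|' -v k="$key" '
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            gsub(/^[ \t]+|[ \t]+$/, "", $3)
            if ($2 == k) { print $3; exit }
        }'
}

# Both DB_CONNECT entries must exist; the user name is expected as Plaintext
# (it is not a secret), the password must be Encrypted. Returns 0 when OK.
check_ssfs_entries() {
    listing=$1; rc=0
    user_status=$(ssfs_status_of "$listing" DB_CONNECT/DEFAULT_DB_USER)
    pw_status=$(ssfs_status_of "$listing" DB_CONNECT/DEFAULT_DB_PASSWORD)
    if [ -z "$user_status" ]; then
        echo "MISSING: DB_CONNECT/DEFAULT_DB_USER (system still on dscdb6.conf?)"; rc=1
    fi
    case "$pw_status" in
        "")        echo "MISSING: DB_CONNECT/DEFAULT_DB_PASSWORD"; rc=1 ;;
        Encrypted) ;;
        *)         echo "BAD: DB_CONNECT/DEFAULT_DB_PASSWORD is '$pw_status', expected Encrypted (written with -plain?)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: both DB_CONNECT entries present, password encrypted"
    return "$rc"
}

# Constructed sample listing (not real data), in the layout "rsecssfx list" prints.
SAMPLE_OK='|--------------------------------------------------------------------------|
| Record Key                     | Status             | Time Stamp of Last Update |
|--------------------------------------------------------------------------|
| DB_CONNECT/DEFAULT_DB_PASSWORD | Encrypted          | 2022-09-26 23:54:55 UTC   |
| DB_CONNECT/DEFAULT_DB_USER     | Plaintext          | 2022-09-26 23:54:50 UTC   |
| SYSTEM_PKI/PIN                 | Encrypted          | 2022-09-27 01:21:42 UTC   |
| SYSTEM_PKI/PSE                 | Encrypted (binary) | 2022-09-27 01:21:44 UTC   |
|--------------------------------------------------------------------------|'
# Same listing, but the password was stored with -plain by mistake.
SAMPLE_PLAIN_PW=$(printf '%s\n' "$SAMPLE_OK" | sed 's/DEFAULT_DB_PASSWORD | Encrypted /DEFAULT_DB_PASSWORD | Plaintext /')
# A system still on dscdb6.conf: no DB_CONNECT entries at all.
SAMPLE_NO_DB=$(printf '%s\n' "$SAMPLE_OK" | grep -v DB_CONNECT)

if [ "$#" -eq 0 ]; then
    # Self-test on the constructed samples.
    check_ssfs_entries "$SAMPLE_OK"
    check_ssfs_entries "$SAMPLE_PLAIN_PW" || true
    check_ssfs_entries "$SAMPLE_NO_DB" || true
else
    # "-" reads a real listing from stdin, anything else is a file holding one.
    if [ "$1" = "-" ]; then real=$(cat); else real=$(cat "$1"); fi
    check_ssfs_entries "$real"
fi
```

Run without arguments to see the three outcomes on the constructed samples; pipe a real rsecssfx list into it with - as the argument to check a live system. The exit status is 0 only when both entries are present and the password is encrypted, so it can be dropped into a post-installation or post-conversion check.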

Managing passwords


When you change the operating system password of the connect user, you must also update the password stored in the secure storage in the file system using the command-line tool rsecssfx.

  1. Log on to the database server as user <sapsid>adm.

  2. On the command line, enter the following command:
    rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD <password>

    rsecssfx updates the content of the secure storage in the file system with the new password in encrypted format. The operating system password itself is not changed by rsecssfx. Note that the password is passed as a command-line argument, so it can end up in the shell history; clear the history afterwards.

  3. Update the operating system password on the database server accordingly using operating system tools.

  4. Check the connection with R3trans -x.


Converting Password Storage to the Secure Storage in the File System


A previously installed SAP system with the dscdb6.conf password storage can be manually converted to the secure storage in the file system.

  1. Log on to the database server as user <sapsid>adm.

  2. Make sure the following environment variables are set:
    SAPSYSTEMNAME = <SAPSID>

    UNIX/Linux:
    RSEC_SSFS_DATAPATH = /usr/sap/<SAPSID>/SYS/global/security/rsecssfs/data
    RSEC_SSFS_KEYPATH = /usr/sap/<SAPSID>/SYS/global/security/rsecssfs/key

    Windows:
    RSEC_SSFS_DATAPATH=\\<global host>\sapmnt\<SAPSID>\SYS\global\security\rsecssfs\data
    RSEC_SSFS_KEYPATH=\\<global host>\sapmnt\<SAPSID>\SYS\global\security\rsecssfs\key


  3. In the login environment of the <sapsid>adm user, change the value of the environment variable rsdb_ssfs_connect from 0 to 1:
    rsdb_ssfs_connect = 1

    On UNIX/Linux you can find the environment variable in the .sapenv* login scripts.

  4. Create the two mandatory entries in the secure storage:
    rsecssfx put DB_CONNECT/DEFAULT_DB_USER sap<dbsid> -plain
    rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD <password>


  5. Edit the default profile and change rsdb/ssfs_connect from 0 to 1:
    rsdb/ssfs_connect = 1


  6. Remove or rename the dscdb6.conf file in the global directory.

  7. Log out and log in again as user <sapsid>adm.

  8. Check the connection:
    R3trans -x
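The following script is an added example, not code from the original post and not an SAP-delivered tool. It carries out the conversion steps above on UNIX/Linux with the checks a practitioner would want around them: the password length is validated against the 64-character DBSL limit before anything is written, the profile parameter is set without duplicating an existing line, the old dscdb6.conf is renamed rather than deleted so it can be restored, and R3trans -x is run as the final connect test. The same password validation and R3trans check apply to the password rotation described under "Managing passwords". Assumptions not stated on the page: the default profile lives at /usr/sap/<SAPSID>/SYS/profile/DEFAULT.PFL, dscdb6.conf lives in /usr/sap/<SAPSID>/SYS/global, rsecssfx and R3trans are in PATH, and all function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post and not SAP-delivered code:
# the dscdb6.conf -> secure storage conversion from the steps above, with
# the checks a practitioner wants around it. Run on the database server as
# <sapsid>adm. Assumed (not stated on the page): UNIX/Linux, the default
# profile at /usr/sap/<SAPSID>/SYS/profile/DEFAULT.PFL, dscdb6.conf in
# /usr/sap/<SAPSID>/SYS/global, and rsecssfx/R3trans in PATH.

# The DBSL accepts passwords of up to 64 characters (the old dscdb6.conf store
# only took 16). Reject anything the new store cannot use either.
validate_connect_password() {
    len=${#1}
    if [ "$len" -lt 1 ] || [ "$len" -gt 64 ]; then
        echo "password length $len is outside 1..64" >&2
        return 1
    fi
    return 0
}

# Default secure-storage locations for a SID on UNIX/Linux.
ssfs_data_path() { echo "/usr/sap/$1/SYS/global/security/rsecssfs/data"; }
ssfs_key_path()  { echo "/usr/sap/$1/SYS/global/security/rsecssfs/key"; }

# Is "rsdb/ssfs_connect = 1" active in a profile file? Exit status 0 = yes.
profile_ssfs_connect_enabled() {
    grep -Eq '^[[:space:]]*rsdb/ssfs_connect[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Set rsdb/ssfs_connect = 1: replace an existing line (keeping a .bak), else append.
enable_ssfs_connect_in_profile() {
    prof=$1
    if grep -Eq '^[[:space:]]*rsdb/ssfs_connect[[:space:]]*=' "$prof"; then
        sed -i.bak 's|^[[:space:]]*rsdb/ssfs_connect[[:space:]]*=.*|rsdb/ssfs_connect = 1|' "$prof"
    else
        printf 'rsdb/ssfs_connect = 1\n' >> "$prof"
    fi
    profile_ssfs_connect_enabled "$prof"
}

# Usage: convert_to_ssfs <SAPSID> <connect user, e.g. sap<dbsid>>
# The password is read from the terminal so it does not appear in this
# script's argument list; rsecssfx put still receives it as an argument,
# exactly as in the manual procedure, so clear the shell history afterwards.
convert_to_ssfs() {
    sid=$1; dbuser=$2
    for tool in rsecssfx R3trans; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not in PATH" >&2; return 1; }
    done
    printf 'Operating system password of %s: ' "$dbuser"
    stty -echo 2>/dev/null || true
    read -r pw
    stty echo 2>/dev/null || true
    echo
    validate_connect_password "$pw" || return 1

    # Step 2: environment rsecssfx needs to find (or create) the store.
    export SAPSYSTEMNAME="$sid"
    export RSEC_SSFS_DATAPATH="${RSEC_SSFS_DATAPATH:-$(ssfs_data_path "$sid")}"
    export RSEC_SSFS_KEYPATH="${RSEC_SSFS_KEYPATH:-$(ssfs_key_path "$sid")}"

    # Step 4: the two mandatory entries (user name plain, password encrypted).
    rsecssfx put DB_CONNECT/DEFAULT_DB_USER "$dbuser" -plain || return 1
    rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD "$pw" || return 1
    unset pw

    # Step 5: profile parameter.
    enable_ssfs_connect_in_profile "/usr/sap/$sid/SYS/profile/DEFAULT.PFL" || return 1

    # Step 6: move the old store aside, recoverable until the new one is proven.
    old="/usr/sap/$sid/SYS/global/dscdb6.conf"
    if [ -f "$old" ]; then
        mv "$old" "$old.pre-ssfs.$(date +%Y%m%d%H%M%S)" || return 1
    fi

    # Steps 3 and 8: the .sapenv* login scripts must still be edited by hand; for
    # this session, set the variable directly and test the connect (rc 0 = OK).
    export rsdb_ssfs_connect=1
    if R3trans -x; then
        echo "connect via secure storage OK; now set rsdb_ssfs_connect=1 in the .sapenv* scripts and re-login"
    else
        echo "R3trans -x failed: check trans.log; restore $old from its .pre-ssfs copy if needed" >&2
        return 1
    fi
}

# Run the conversion when called with both arguments; otherwise only define the functions.
if [ "$#" -eq 2 ]; then
    convert_to_ssfs "$1" "$2"
fi
```

The helpers (password validation, profile edit, path defaults) are separated from the part that touches the live system so they can be exercised on a scratch profile file first; the conversion proper runs only when the script is given the SID and connect user, and it stops at the first failing step so that the renamed dscdb6.conf is never lost without a working replacement.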



Conclusion


The secure storage in the file system is used with all new installations and system copies. If you would like to take advantage of the ability of the secure storage in the file system to use passwords longer than 16 characters for existing SAP systems, you can easily convert them to the new password storage if they use SAP kernel 7.49 or higher.
Check the Database Administration Guide for SAP on IBM Db2 for Linux, UNIX, and Windows for more information.