SSFS Implementation for Oracle Database
Author(s): Nitesh Jain
Target readers: SAP Basis
Keywords: SAPUSER, ops$-User, ops$-Connect, SSFS, data protection, secure storage, Secure Connect
Prior to SSFS, the connection from the SAP system (AS ABAP) and from the SAP tools that use the ABAP database interface (R3trans, R3load, etc.) to the database via SQL*Net (using the database alias name as configured in TNS) worked as follows: first an OPS$ connection (with the database user OPS$<SID>ADM, authenticated by the operating system user sidadm) was established via "connect /@TNS". This connection was allowed to access only the table OPS$<SID>ADM.SAPUSER, which contains the encrypted password for the actual database connection of the SAP database user (the schema user).
As of Oracle Release 11g, OPS$ remote connect (using the TNS alias name) is deprecated and is no longer supported in future Oracle versions. As of SAP kernel release 7.20, SAP has introduced a new method for securely storing the database password and for connecting to the database, called Secure Storage in File System (SSFS). The encrypted password of the SAP database user is then no longer stored in the database but in the file system. Because kernel 7.20 is a downward-compatible kernel, the new method is available in all SAP 7.x systems, and it is therefore recommended for security reasons. For backwards compatibility, the conventional connect method continues to be supported up to Oracle version 11.2 for all SAP systems. SAP systems as of kernel 7.20 that use Oracle versions later than 11g can be operated with the new method only.
The connect to the Oracle database using the OPS$ method contains a vulnerability that allows a malicious user to log on to the database as an OPS$ user without entering a password, unless appropriate countermeasures are taken.
This document describes the step-by-step procedure for implementing SSFS (Secure Storage on File System) for an Oracle database in an IBM AIX environment.
I hereby confirm that the images/screenshots were created by me during the installation and that there is no IP violation in this document.
- The following user accounts should exist:

| User account | Generic name |
|---|---|
| Operating system account with login | unixacc |
| Operating system account with root/admin privileges (UNIX, without login) | saproot |
| SAP admin account | sidadm |
| Oracle DBA account | orasid |
| SAP Administrator account | Administrator |
- Minimum kernel: 7.20 EXT with PL210
- The above kernel requires OS AIX 6.1 (required for kernel 7.20 PL300 compatibility)
- Take a backup of the env scripts of sidadm and of the default and instance profiles.
Download Directory: /download
1. Check the minimum disk space in /tmp (at least 5 MB free space):

   ```
   df -g /tmp
   ```

2. Check the OS version (Metalink 169706.1); at least 6100-07-03-1207 is required:

   ```
   oslevel -s
   ```

3. Check the Java version (Metalink 169706.1); Java version 6 must be installed (Java6_64.sdk 6.0.0.1):

   ```
   lslpp -l | grep -i java
   ```

4. Check the Oracle version; it should be at least 11.2.0.3:

   ```
   sqlplus / as sysdba
   ```

5. Check the kernel version; it should be at least 720_EXT(300):

   ```
   disp+work
   ```

6. Back up the database:

   ```
   brbackup -u / -c force -t online -m all -p initSID.sap -a -c force -p initSID.sap -sd
   ```

7. Stop SAP, the database, the SMD agents and the CCMS agents:

   ```
   stopsap ASCS00 psidcs00
   stopsap DVEBMGS01 psiddi00
   stopsap D01 psiddi01
   stopsap SMDA97 psiddi00
   stopsap SMDA97 psiddi01
   sapccm4x -stop pf=SID_DVEBMGS00_psiddi00
   sapccm4x -stop pf=SID_D01_psiddi01
   ```

8. Create the necessary directories:

   ```
   cd /usr/sap/SID/SYS/global
   mkdir /usr/sap/SID/SYS/global/security
   mkdir /usr/sap/SID/SYS/global/security/rsecssfs
   mkdir /usr/sap/SID/SYS/global/security/rsecssfs/data
   mkdir /usr/sap/SID/SYS/global/security/rsecssfs/key
   ```

9. Set the authorizations on the directories:

   ```
   cd /usr/sap/SID/SYS/global
   chmod 700 security
   chmod 700 security/rsecssfs
   chmod 700 security/rsecssfs/data
   chmod 700 security/rsecssfs/key
   ls -alR security/rsecssfs | grep -E 'data$|key$'
   ```

10. Set the profile parameters. Take a backup of DEFAULT.PFL first, then add the following parameters to the default profile:

    ```
    rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
    rsec/ssfs_keypath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
    rsdb/ssfs_connect = 1
    ```

11. Set the environment variables. Take a backup of .sapenv.sh and .sapenv.csh first. Remove the host-specific copies of the env scripts:

    ```
    rm .*_p*.*sh
    ```

    Add the following lines at the end of .sapenv.sh:

    ```
    export RSEC_SSFS_DATAPATH=/usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/data
    export RSEC_SSFS_KEYPATH=/usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/key
    export rsdb_ssfs_connect=1
    ```

    Add the following lines at the end of .sapenv.csh:

    ```
    setenv RSEC_SSFS_DATAPATH /usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/data
    setenv RSEC_SSFS_KEYPATH /usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/key
    setenv rsdb_ssfs_connect 1
    ```

    Log off and log on again, and check that the variables are active.

12. Set up the SSFS storage (the user name is stored in plain text, the password is encrypted):

    ```
    rsecssfx put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain
    rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD *****
    ```

13. Check the SSFS storage:

    ```
    rsecssfx list
    |---------------------------------------------------------------------------------|
    | Record Key                     | Status    | Timestamp of last Update           |
    |---------------------------------------------------------------------------------|
    | DB_CONNECT/DEFAULT_DB_PASSWORD | Encrypted | 2012-11-21 14:16:08 UTC            |
    | DB_CONNECT/DEFAULT_DB_USER     | Plaintext | 2012-11-21 14:15:33 UTC            |
    |---------------------------------------------------------------------------------|
    Summary
    Active Records    : 2 (Encrypted : 1, Plain : 1, Wrong Key : 0, Error : 0)
    Datafile Location : /usr/sap/SID/SYS/global/security/rsecssfs/data/SSFS_SID.DAT (when existing)
    Keyfile Location  : /usr/sap/SID/SYS/global/security/rsecssfs/key/SSFS_SID.KEY (when existing)
    ```

14. Set and check the authorizations of the SSFS storage:

    ```
    cd /usr/sap/SID/SYS/global/security/rsecssfs/data
    chmod 600 SSFS_SID.DAT
    ```

15. Start the database and the Oracle listener:

    ```
    lsnrctl start
    sqlplus / as sysdba
    SQL> startup
    ```

16. Check the connection:

    ```
    R3trans -d
    ```

    Expected result: `R3trans finished (0000).` Then check the trace:

    ```
    grep -E 'ssfs.*DBSL' trans.log
    ```

    Expected result: `read_con_info_ssfs(): DBSL supports extended connect protocol`

17. Exclude the standard SAP connect method by dropping the SAPUSER table:

    ```
    sqlplus system/****
    SQL> drop table ops$sidadm.sapuser;
    ```

18. Exclude the Oracle remote OPS$ connect:

    ```
    sqlplus / as sysdba
    SQL> alter system reset remote_os_authent scope=spfile;
    ```

19. Restart the database so that the Oracle parameter set in step 18 takes effect:

    ```
    sqlplus / as sysdba
    SQL> shutdown immediate
    SQL> startup
    ```

20. Start SAP, the database, the SMD agents and the CCMS agents:

    ```
    startsap ASCS00 psidcs00
    startsap DVEBMGS01 psiddi00
    startsap D01 psiddi01
    startsap SMDA97 psiddi00
    startsap SMDA97 psiddi01
    ```

21. Check the connection method in SM51: select a DIA work process, display its trace file and search for "ssfs". Expected result:

    ```
    read_con_info_ssfs(): DBSL supports extended connect protocol ==> connect info for default DB will be read from ssfs
    ```

22. Back up the database:

    ```
    brbackup -u / -c force -t online -m all -p initSID.sap -a -c force -p initSID.sap -sd
    ```
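A post-implementation check for steps 8, 9, 10 and 14 above, added here as an example; it is an assumed helper script, not part of the original document or of any SAP tool. It verifies that the rsecssfs directories are mode 700, that the SSFS data and key files are mode 600, and that DEFAULT.PFL carries the three SSFS parameters; the global directory and the profile path (assumed to be /usr/sap/SID/SYS/profile/DEFAULT.PFL) are passed as arguments.

```shell
#!/bin/sh
# check_ssfs: assumed helper (not from the original document or SAP) that
# verifies the file-system side of the SSFS setup from steps 8, 9, 10 and 14:
#   - <DIR_GLOBAL>/security, rsecssfs, rsecssfs/data, rsecssfs/key are mode 700
#   - SSFS_<SID>.DAT / SSFS_<SID>.KEY, if present, are mode 600
#   - DEFAULT.PFL contains rsec/ssfs_datapath, rsec/ssfs_keypath, rsdb/ssfs_connect = 1
# Usage: check_ssfs /usr/sap/SID/SYS/global /usr/sap/SID/SYS/profile/DEFAULT.PFL
# Returns 0 when everything matches, 1 otherwise (each deviation is printed).

# Symbolic permission string (e.g. rwx------) of a path, taken from ls -ld so
# the same code works on AIX and Linux, whose stat(1) options differ.
perm_of() {
    ls -ld "$1" | awk '{print substr($1, 2, 9)}'
}

check_ssfs() {
    global="$1"; pfl="$2"; rc=0
    base="$global/security/rsecssfs"

    # Directories: owner-only access, exactly as set with chmod 700 in step 9.
    for d in "$global/security" "$base" "$base/data" "$base/key"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d"; rc=1
        elif [ "$(perm_of "$d")" != "rwx------" ]; then
            echo "directory $d is $(perm_of "$d"), expected rwx------"; rc=1
        fi
    done

    # Data and key files: chmod 600 (step 14). The key file protects the data
    # file, so it must be at least as restricted as the data file.
    for f in "$base"/data/SSFS_*.DAT "$base"/key/SSFS_*.KEY; do
        [ -f "$f" ] || continue
        if [ "$(perm_of "$f")" != "rw-------" ]; then
            echo "file $f is $(perm_of "$f"), expected rw-------"; rc=1
        fi
    done

    # Profile parameters from step 10 must be present in DEFAULT.PFL.
    for p in 'rsec/ssfs_datapath' 'rsec/ssfs_keypath' 'rsdb/ssfs_connect *= *1'; do
        grep -Eq "^[[:space:]]*$p" "$pfl" 2>/dev/null \
            || { echo "profile parameter missing in $pfl: $p"; rc=1; }
    done
    return $rc
}
```

Run it as sidadm after step 14 and again after step 20; a non-zero exit means one of the permissions or parameters from the procedure has drifted.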
Related SAP Notes (https://service.sap.com/notes):

- 1611877 Support for ABAP SSFS during database connect
- 1622837 New connect method of AS ABAP to Oracle via SSFS
- 1623922 Connect to Oracle database
- 1639578 SSFS as password storage for primary database connect
- 1678336 RSecSSFs: UTF8 conversion failed with returncode 1