SSFS Configuration
OPS$: (up to Oracle 11g and SAP Kernel 7.20)
- SAP connects to the DB using the OPS$ user
- OPS$ users can connect to the database without passwords
- The OPS$ user owns the table SAPUSER
- The SAPUSER table contains the schema owner and its password (SAPSR3 user)
SAP work processes connect to the DB as the OPS$ user, read the schema user ID and password from SAPUSER, and then connect to the tables owned by the SAPSR3 user.
Parameter: ????
SSFS: (Available from Oracle 11g Release 2, mandatory from SAP Kernel 7.20+)
sidadm> connect / as sysdba
- Read from OS file at location: $(DIR_GLOBAL)/security/rsecssfs/data/SSFS_<SID>.DAT
- This path is accessible only by the user “sidadm”
- Get SAPSR3 password from file at OS level
- Connect to DB as SAPSR3
Parameter: rsdb/ssfs_connect = 1
SSFS Configuration
SSFS replaces the OPS$ mechanism as of SAP Kernel 7.20
- Create required directories
- Change permission for the directories created
- Update profile parameters
- Set environment variables
- Set up SSFS
- Update profile parameters
- Check SSFS configuration
Create required directories
mkdir <dir_global>/security
mkdir <dir_global>/security/rsecssfs
mkdir <dir_global>/security/rsecssfs/data
mkdir <dir_global>/security/rsecssfs/key
Change permission for the directories created
Log on as <sid>adm
chmod 700 <dir_global>/security and the other subdirectories created above
Update profile parameters
rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
rsec/ssfs_keypath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
Set environment variables
setenv RSEC_SSFS_DATAPATH <dir_global>/security/rsecssfs/data
setenv RSEC_SSFS_KEYPATH <dir_global>/security/rsecssfs/key
Set up SSFS
Login as <SID>ADM
rsecssfx put DB_CONNECT/DEFAULT_DB_USER <name> -plain
rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD <password>
chmod 600 <dir_global>/security/rsecssfs/data/SSFS_<SID>.DAT
Update profile parameters
Profile parameter: rsdb/ssfs_connect = 1
Environment variable: rsdb_ssfs_connect = 1
Check SSFS configuration
- To check contents in secure store: rsecssfx list
- The directory $(DIR_GLOBAL)/security/rsecssfs/data should contain the file SSFS_<SID>.DAT
- R3trans -d (connection should be 0000), else check trans.log (created in the current directory where R3trans is executed)
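
A permission audit for the layout configured above, as an added example (not part of the original post and not SAP tooling): it checks that the four directories are mode 700 and that SSFS_<SID>.DAT is mode 600, and optionally that everything is owned by a given user such as <sid>adm. The function names, arguments and output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit SSFS directory and data-file permissions.
# Usage: ssfs_perm_audit <dir_global> <SID> [expected_owner]
# Returns 0 when everything matches, 1 when any finding is reported.

check_mode() {
    # $1 = path, $2 = expected mode string as printed by ls, $3 = expected owner (optional)
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"
        return 1
    fi
    listing=$(ls -ld "$1")
    # First 10 characters are type + permission bits (ignores a trailing ACL/SELinux marker)
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    rc=0
    if [ "$mode" != "$2" ]; then
        echo "MODE     $1 is $mode, expected $2"
        rc=1
    fi
    if [ -n "$3" ] && [ "$owner" != "$3" ]; then
        echo "OWNER    $1 is owned by $owner, expected $3"
        rc=1
    fi
    return $rc
}

ssfs_perm_audit() {
    base="$1/security"
    sid="$2"
    want_owner="${3:-}"
    findings=0
    # Directories created in the first step must be 700
    for d in "$base" "$base/rsecssfs" "$base/rsecssfs/data" "$base/rsecssfs/key"; do
        check_mode "$d" "drwx------" "$want_owner" || findings=1
    done
    # The secure store data file must be 600
    check_mode "$base/rsecssfs/data/SSFS_${sid}.DAT" "-rw-------" "$want_owner" || findings=1
    [ "$findings" -eq 0 ] && echo "OK       SSFS permissions for $sid match 700/600"
    return $findings
}
```

Call it as `ssfs_perm_audit <dir_global> <SID> <sid>adm` after setup and after any transport or system copy that touches the global directory.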