SSFS (Secure Storage in File System) configuration in Oracle db for SAP
Refer to the following SAP Notes:
Note 1622837 – Secure connection of AS ABAP to Oracle via SSFS
Note 1639578 – SSFS as password storage for primary database connect
Note 1764043 – Support for secure storage in BR*Tools
1. SSFS activation: create the following directories under $(DIR_GLOBAL)\security, that is:
usr\sap\<SID>\SYS\global\security\rsecssfs\data
usr\sap\<SID>\SYS\global\security\rsecssfs\key
2. Set the following values in DEFAULT.PFL:
rsec/ssfs_datapath $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
rsec/ssfs_keypath $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
3. Set the following environment variables so that SAP tools such as R3trans and R3load can access SSFS. Use the SETX command at the Windows command prompt for this:
setx RSEC_SSFS_DATAPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\data
setx RSEC_SSFS_KEYPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\key
4. Define the DB user name and password in the secure storage: configure the DB connectivity settings with the RSECSSFX command at the command prompt:
rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain
rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_PASSWORD XXXXXXXX
After creating the entries, check the contents of both the data and key folders.
5. Changing the secure store encryption key:
This can be done if additional security is required, using:
RSECSSFX pf=<profile_path> changekey <key phrase>
6. To switch the DB connectivity to the new method, define the following values:
Profile parameter : rsdb/ssfs_connect = 1
Environment variable: rsdb_ssfs_connect 1
Now reboot the instance and check the system status. The connection status can be monitored in the work process trace file.
7. Now the old-fashioned connection method needs to be turned off. To do this, drop the SAPUSER table in the OPS$<SIDADM> schema.
Proceed as follows:
SQL> connect system/<pwd>
SQL> drop table ops$<sid>adm.sapuser;
8. To make BR*Tools use SSFS instead of the old-fashioned OPS$<USER> mechanism, create a BR*Tools database user (for example, BRT$ADM) and assign the SAPDBA role to it.
SQL> create user brt$adm identified by XXXXX;
SQL> grant sapdba to brt$adm;
Now change the initial password to the actual password using brconnect:
brconnect -u / -c -f chpass -o BRT$ADM -p <password> -s brtools
That’s it.
Thanks… / Vamsi
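A consistency check for steps 2, 3 and 6 above, as an added example that is not part of the original post or of SAP's tooling: it expands the $(DIR_GLOBAL) and $(DIR_SEP) references in the DEFAULT.PFL values and compares the result with the environment variables set for the SAP tools. The function names, the SID ABC, the drive E: and the DIR_GLOBAL value passed in by the caller are assumptions made for the example.

```python
import ntpath
import posixpath
import re

# Profile parameter -> environment variable (names from steps 2, 3 and 6 of the post).
PAIRS = {
    "rsec/ssfs_datapath": "RSEC_SSFS_DATAPATH",
    "rsec/ssfs_keypath": "RSEC_SSFS_KEYPATH",
    "rsdb/ssfs_connect": "rsdb_ssfs_connect",
}

# Constructed sample input: SID "ABC" and drive "E:" are placeholders.
SAMPLE_PFL = """\
rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
rsec/ssfs_keypath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
rsdb/ssfs_connect = 1
"""
SAMPLE_ENV = {
    "RSEC_SSFS_DATAPATH": r"E:\usr\sap\ABC\SYS\global\security\rsecssfs\data",
    "RSEC_SSFS_KEYPATH": r"E:\usr\sap\ABC\SYS\global\security\rsecssfs\key",
    "rsdb_ssfs_connect": "1",
}

def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {name.strip(): value.strip() for name, value in pairs}

def expand(value, macros):
    """Replace $(NAME) references; unknown names are left as written."""
    return re.sub(r"\$\((\w+)\)", lambda m: macros.get(m.group(1), m.group(0)), value)

def check_ssfs(profile_text, env, dir_global, sep="\\"):
    """Return a list of findings; an empty list means profile and env agree."""
    # Windows: path compare and variable names ignore case; Unix: both are exact.
    path, fold = (ntpath, str.upper) if sep == "\\" else (posixpath, str)
    norm = lambda p: path.normcase(path.normpath(p))
    macros = {"DIR_GLOBAL": dir_global, "DIR_SEP": sep}  # dir_global: caller-supplied assumption
    wanted = {k: expand(v, macros) for k, v in parse_profile(profile_text).items()}
    seen, findings = {fold(k): v for k, v in env.items()}, []
    for param, var in PAIRS.items():
        want, got = wanted.get(param), seen.get(fold(var))
        if want is None:
            findings.append(f"{param} missing from profile")
        elif got is None:
            findings.append(f"{var} not set in environment")
        elif norm(got) != norm(want):
            findings.append(f"{var}={got} differs from {param}={want}")
    return findings
```

On a live host, pass the text of DEFAULT.PFL, `dict(os.environ)` taken in the session that starts the SAP tools, and that system's DIR_GLOBAL path.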
Great summary and steps description. 🙂
Thanks Janos
Hi
I found a little better method.
Put the values mentioned to go in the DEFAULT.PFL into the .sap_hostname.csh file
Why:
1. That file is read BEFORE the Oracle database starts, and SAP knows what to expect.
We ran into issues where we put the data in the DEFAULT.PFL, but once we put them in the .sap_hostname.csh files it worked like a charm.
This is very useful and a little supplement:
In step 5, the <key phrase> is specified in the hexadecimal format (48 characters from the range '0-9' and 'A-F').
Thank you for your feedback Susan 🙂
Hi Vamsi,
Great work ..
But little correction ..
After restarting the SAP system, check whether the connect was successful. If the changeover was successful, the developer trace (SM50) should contain the following entry:
B read_con_info_ssfs(): DBSL supports extended connect protocol
B ==> connect info for default DB will be read from ssfs
Grant command should be ..
SQL> grant sapdba to brt$adm;
To change initial password
brconnect -u / -c -f chpass -o 'BRT$ADM' -p <password> -s brtools
After you have set up the BR*Tools database users, you can call all BR*Tools executables with the option "-u //" to connect to the database using the data that you have stored in the secure storage.
Run brconnect -u // -c -f check
Thanks ,
Neel
Thanks 🙂
Good document!!!
Once we perform a QA refresh (using backup/restore), for the post-processing, do we need to execute the following to restore the connection? Are there any other steps?
rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain
rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_PASSWORD XXXXXXXX
Thanks in advance.
Dafi
Very good summary of ops$-procedure!
I have a problem when using "brconnect -u / -c -l E -f chpass -o SAPSR3DB -password XXXXX -s brtools" in a Java only 7.40 Environment.
System tells me:
BR0282E Directory '/oracle/SID/security/rsecssfs/data' not found
But profile parameters are set in DEFAULT.PFL to:
rsec/ssfs_datapath=$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
rsec/ssfs_keypath=$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
"rsecssfx info" gives correct path to SSFS_SID.DAT:
/usr/sap/SID/SYS/global/security/rsecssfs/data/SSFS_SID.DAT
So where does the path /oracle/SID/security/rsecssfs/data come from?
Regards,
Julia
Hi Julia,
I am facing the same issue after configuring SSFS in Oracle 12c. All variables and profile parameters are set as per SAP Note 1639578.
BR0282E Directory '/oracle/SID/security/rsecssfs/data' not found
Please help.
Thanks.
Hello Mohomad Swalay,
there is no need to configure this in a Java-only stack.
Regards,
Julia
Hi,
Oh, but I am configuring it in AS ABAP.
Thanks
Hi Swalay,
Could you check the physical presence of the data dir at the specified location on the system? If not, then use
& retry.
Thanks,
Hi Gaurav,
Yes, even the data file is created successfully in /usr/sap/SID/SYS/global/security/rsecssfs/data with the name SSFS_ECQ.DAT (size 1 KB).
But why is it looking for this file in /oracle/SID/security/rsecssfs/data?
Thanks
I think you mix things up. In which step (SAP Note 1639578) do you get this error? As far as I can see there is no brconnect in 1639578.
I could set up SSFS without brconnect.
Hi Robert,
Thanks for the quick reply. I have followed the same steps while configuring.
See the error I am getting below.
C:\Users\<SIDADM>>brconnect -u // -c -f stats -t system_stats
BR0801I BRCONNECT 7.40 (15)
BR0282E Directory 'E:\oracle\SID\security\rsecssfs\data' not found
BR1529E Getting BR*Tools user name/password from secure storage failed
BR0806I End of BRCONNECT processing: ceqtejlc.log 2015-06-17 12:29:00
BR0280I BRCONNECT time stamp: 2015-06-17 12:29:00
BR0804I BRCONNECT terminated with errors
Thanks.
Hi,
If possible, could you share the SCN thread you generated for the issue? I also suggest you share the brconnect.log file from the system.
Try this one: brconnect -u / -f chpass -o sapsr3 -p <pwd>
Hi Robert,
It's working fine
BR0257I Your reply: 'c'
BR0259I Program execution will be continued...
BR0280I BRCONNECT time stamp: 2015-06-17 13:09:09
BR1526I Password set successfully for database user SAPSR3 in secure storage E:\usr\sap\SID\SYS\global\security\rsecssfs\data\SSFS_ECQ.DAT
BR0280I BRCONNECT time stamp: 2015-06-17 13:09:09
BR0802I BRCONNECT completed successfully
Rgds/Swalay
Nice document. There is a missing step for the Oracle parameter "remote_os_authent".
Regards,
Dafi
Hi Vamsi/Elda,
If we are doing a system copy on systems with NetWeaver 7.4, where by default only SSFS is supported, then after the copy of the source system to the target system (backup/restore), what post-installation activities have to be done? (Usually we used to drop and recreate the OPS$ user for SAP - Oracle DB connectivity, right?)
Can you please share your thoughts on the actions to be taken while performing a system copy of a NetWeaver ABAP 7.4 system on Oracle (AIX platform)?
Thanks in advance.
Hello Balaji,
The system copy guide should provide useful guidelines on this; I advise you to go through that clearly first. After the system DB refresh, please check the overall SSFS configuration once and start the application. If the application start-up is normal then we are good; if not, errors can anyway be identified and resolved based on the error info / logs.
Thanks,
OK, thank you. I already had a look at the system copy guide.
I am just eager to know your experience.
We have encountered SSFS connectivity to the DB issue while doing HCM EHP7 SP5 upg. Great summary. Also note 1639578 has the steps that need to be performed for SSFS setup.
Thanks,
Chaitanya V
Hi all ,
Very nice and precise write up but can we change password of SAPSR3 user as well using brtools after implementing SSFS??
Yes, it is in one of the comments. Check them.
Reboot of instance is not needed, when I set environment variable rsdb/ssf_connect = 1 of sidadm user before starting SUM. Right?
brconnect -u / -c -f chpass -o <USER> -p <PASSWORD> -s brtools
BR0801I BRCONNECT 7.20 (41)
BR0280I BRCONNECT time stamp: 2015-02-19 15.22.11
BR0828I Changing password for database user <USER> ...
BR0280I BRCONNECT time stamp: 2015-02-19 15.22.11
BR0829I Password changed successfully in database for user <USER>
BR0282E Directory '/oracle/<SID>/security/rsecssfs/data' not found
BR1527E Setting password for user <USER> in secure storage failed
BR0832E Changing password for user <USER> failed
BR0280I BRCONNECT time stamp: 2015-02-19 15.22.11
BR0804I BRCONNECT terminated with errors
-> All OS env. and SAP parameters are correct. Where does this path come from: '/oracle/<SID>/security/rsecssfs/data'?
Hi..
Have you implemented SSFS for brtools?
Please check that is the directory for storing password of brtools user
1764043 Support for secure storage in BRTools
Section 3. Storage of BR*Tools user/password in secure storage
Hi,
Could you share the parameter value for RSEC_SSFS_DATAPATH?
Regards,
Great summary and very useful... Thanks
Great summary and very useful! Tons of thanks!!!