Skip to Content

SSFS (Secure Storage in File System) configuration in Oracle db for SAP

NOTES must be referred…

                           Note 1622837 – Secure connection of AS ABAP to Oracle via SSFS

                           Note 1639578 – SSFS as password storage for primary database connect

                            Note 1764043 – Support for secure storage in BR*Tools

  1. SSFS activation: Directories need to be created under $(DIR_GLOBAL)\security

         which is… usr\sap\<SID>\SYS\global\security\rsecssfs\data



  2.   DEFAULT.PFL values that need to be set…

          rsec/ssfs_datapath        $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data

          rsec/ssfs_keypath       $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key

3.  Environment variables need to be set for making SSFS accessible to SAP tools, like, R3trans, R3load etc. Use SETX command at windows command prompt for this.

          setx RSEC_SSFS_DATAPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\data

          setx RSEC_SSFS_KEYPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\key

4.  Defining db user name & passwords in Secure Storage: DB connectivity settings should be configured with RSECSSFX command at command prompt

          rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain

          rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_PASSWORD XXXXXXXX

  After the entries creation, check both data & key folders for the contents.

5.  Secure Store encryption key change…

This can be done if additional security is required, and can be defined with

RSECSSFX pf=<profile_path> changekey <key phrase>

6.  For changing the db connectivity to new method, define the below values…

Profile parameter : rsdb/ssfs_connect = 1

Environment variable:  rsdb_ssfs_connect 1

Now, reboot the instance and check the system status. Connection status can be monitored in the work process trace file.

7.  Now, old fashion connection pattern needs to be turned off. For this, SAPUSER table for the OPS$<SIDADM> schema needs to be deleted.

      Proceed as follows…

SQL> connect system/<pwd>

SQL> drop table ops$<sid>adm.sapuser;

8.  To make BR*tools use this SSFS feature instead of old fashion OPS$<USER> mechanism, create a BR*Tools database user (for example, BRT$ADM) and assign the SAPDBA role to it.

SQL> create user brt$adm identified by XXXXX;

SQL> grant to sapdba to brt$adm;

Now, the initial password shall be changed to the actual password using brconnect…

      brconnect -u / -c -f chpass -o BRT$ADM -p <password> -s brtools

That’s it.

Thanks… / Vamsi

You must be Logged on to comment or reply to a post.
    • Hi

      I found a little better method.

      Put the values mention to go in the DEFAULT.PFL into the .sap_hostname.csh file


      1. That file is read BEFORE the Oracle database starts, and SAP knows
      what to expect.

      We ran into issues where we put the data in the DEFAULT.PFL, but once we put them in the .sap_hostname.csh files it worked like a charm.

  • This is very useful and a little supplement:

    In step 5,the <key phrase>is specified in the hexadecimal format (48 characters from the range ‘0-9’ and ‘A-F’).

  • Hi Vamsi,

    Great work ..

    But little correction ..

    After restart SAP system and check whether the connect was successful. If the changeover was successful, the developer trace (SM50) should contain the following entry:

               B read_con_info_ssfs(): DBSL supports extended connect protocol

    B   ==> connect info for default DB will be read from ssfs

    Grant command should be ..

    SQL> grant sapdba to brt$adm;

    To change initial password

    brconnect -u / -c -f chpass -o ‘BRT$ADM’ -p <password> -s brtools

    After you have set up the BR*Tools database users, you can call all BR*Tools executables with the option “-u //” to connect to the database using the data that you have stored in the secure storage.

    Run brconnect -u // -c -f check

    Thanks ,


  • Good document!!!

    Once we perform a QA refresh (using backup/restore). So, for the post processing, do we need to execute the following to restore back the connection? Is there any other steps?

    rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain

    rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_PASSWORD XXXXXXXX

    Thanks in advance.


  • Very good summary of ops$-procedure!

    I have a problem when using “brconnect -u / -c -l E -f chpass -o SAPSR3DB -password XXXXX -s brtools” in a Java only 7.40 Environment.

    System tells me:

    BR0282E Directory ‘/oracle/SID/security/rsecssfs/data’ not found

    But profile parameters are set in DEFAULT.PFL to:



    “rsecssfx info” gives correct path to SSFS_SID.DAT:


    So where does the path /oracle/SID/security/rsecssfs/data comes from?



    • Hi Julia,

      I am facing the same issue after configuring SSFS in Oracle 12C, All Var. and Profile parameter are set as per the SAP Note 1639578.

      BR0282E Directory ‘/oracle/SID/security/rsecssfs/data’ not found

      Please help.


          • Hi Swalay,

            /oracle/SID/security/rsecssfs/data’ not found

            Could you check physical presence of data dir at the specified location on the system ? If not than use

            mkdir /usr/sap/SID/SYS/global/security/rsecssfs/data

            & retry.


          • Hi Gaurav,

            Yes, Even data file is created successfully in /usr/sap/SID/SYS/global/security/rsecssfs/data with name SSFS_ECQ.DAT (Size 1 KB),

            But why its looking this file in /oracle/SID/security/rsecssfs/data ?


          • I think you mix things up. In which step (SAP Note 1639578) do you get this error. As far as i can see there is no brconnect in  1639578.

            I could set up SSFS without brconnect.

          • Hi Robert,

            Thanks for quick reply, i have followed the same steps while configuring.

            see the below error i am getting.

            C:\Users\<SIDADM>>brconnect -u // -c -f stats -t system_stats

            BR0801I BRCONNECT 7.40 (15)

            BR0282E Directory ‘E:\oracle\SID\security\rsecssfs\data’ not found

            BR1529E Getting BR*Tools user name/password from secure storage failed

            BR0806I End of BRCONNECT processing: ceqtejlc.log 2015-06-17 12:29:00

            BR0280I BRCONNECT time stamp: 2015-06-17 12:29:00

            BR0804I BRCONNECT terminated with errors


          • Hi,

            If possible could you share the generated SCN thread by you for the issue.And suggest you to share brconnect.log file from the system.

          • Hi Robert,

            Its working fine

            BR0257I Your reply: ‘c’

            BR0259I Program execution will be continued…

            BR0280I BRCONNECT time stamp: 2015-06-17 13:09:09

            BR1526I Password set successfully for database user SAPSR3 in secure storage E:\


            BR0280I BRCONNECT time stamp: 2015-06-17 13:09:09

            BR0802I BRCONNECT completed successfully


    • Hi Vamsi/Elda,

      If we are doing a system copy on systems with Netweaver 7.4 where in by default SSFS is only supported so after copy of source system to target system(backup/restore), what are the post installation activities have to be done (usually we used to drop and recreate the OPS$user for SAP – Oracle DB connectivity right)

      Can you please share your thoughts on the actions to be taken while performing system copy of Netweaver ABAP 7.4 system on Oracle (AIX platform)

      Thanks in advance.

      • Hello Balaji,

        System copy guide should provide useful guidelines on this, I advise to go through that first clearly. After system db refresh, please check the SSFS overall configuration once and start the application, if the application start-up is normal then we are good if not errors anyway can be identified and resolved based on the error info / logs.


  • We have encountered SSFS connectivity to the DB issue while doing HCM EHP7 SP5 upg. Great summary. Also note 1639578 has the steps that need to be performed for SSFS setup.


    Chaitanya V

  • brconnect -u / -c -f chpass -o <USER> -p <PASSWORD> -s brtools
    BR0801I BRCONNECT 7.20 (41)

    BR0280I BRCONNECT time stamp: 2015-02-19 15.22.11
    BR0828I Changing password for database user <USER> …

    BR0280I BRCONNECT time stamp: 2015-02-19 15.22.11
    BR0829I Password changed successfully in database for user <USER>
    BR0282E Directory ‘/oracle/<SID>/security/rsecssfs/data’ not found
    BR1527E Setting password for user <USER> in secure storage failed
    BR0832E Changing password for user <USER> failed

    BR0280I BRCONNECT time stamp: 2015-02-19 15.22.11
    BR0804I BRCONNECT terminated with errors

    -> All OS env. and SAP parameters are correct. Where do this path come from?


    • Hi..

      Have you implemented SSFS for brtools.

      Please check that is the directory for storing password of brtools user

      1764043 Support for secure storage in BRTools

      Section 3. Storage of BR*Tools user/password in secure storage