Skip to Content

Note 1622837 – Secure connection of AS ABAP to Oracle via SSFS

Note 1639578 – SSFS as password storage for primary database connect

Preparing and securing the file system

In general, we recommend storing the secure storage in the file system and the optional external encryption key on SAPGLOBALHOST under $(DIR_GLOBAL)/security/rsecssfs/data or $(DIR_GLOBAL)/security/rsecssfs/key, whereby these directories should be secured accordingly.

———————————————————————-
2.1 Creating the directories
———————————————————————-
Determine the value for DIR_GLOBAL (for example, from transaction AL11) on SAPGLOBALHOST. Replace $(DIR_GLOBAL) in the following description with the determined value <dir_global>. Create the required directories as described below if they do not already exist.

/wp-content/uploads/2013/09/ssf1_277195.png

———————————————————————-
2.2 Securing the directories created
———————————————————————-
In the following, make the directories that were created in step 2.1 available exclusively for the users of the SAP system <sid>.
On Linux and UNIX, this is the user <sid>adm. On Windows, all relevant users are merged into the groups SAP_<sid>_LocalAdmin and SAP_<sid>_GlobalAdmin.
In particular, cross-SAP system users and groups should not have any authorizations in these directories.

texadm@saptex:/usr/sap/TEX/SYS/global/security/rsecssfs>ls -lart /usr/sap/TEX/SYS/global/security/rsecssfs

total 16

drwx——. 5 texadm sapsys 4096 Sep  5 16:09 ..

drwx——. 2 texadm sapsys 4096 Sep  5 16:09 key

drwx——. 4 texadm sapsys 4096 Sep  5 16:09 .

drwx——. 2 texadm sapsys 4096 Sep  6 11:40 data

———————————————————————-
3.  Maintaining the SSFS profile parameters
———————————————————————-
Set the following profile parameters that point to the previously created directories as the location for the secure storage and the external key. We recommend that you add the parameters to the default profile DEFAULT.PFL. Otherwise, you must maintain all of the instance profiles. Add the following entries:
rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data

           rsec/ssfs_keypath  = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key

/wp-content/uploads/2013/09/ssf2_277223.png

———————————————————————-
4.  Maintaining the SSFS environment variable
———————————————————————-
The profile parameters rsec/ssfs_datapath and rsec/ssfs_keypath are interpreted only by the SAP system. The do not apply to the SAP tools R3trans, R3load, and so on. For these, you must set a corresponding environment variable on each application server including the central instance. Depending on the operating system, proceed as follows:

———————————————————————-
Application server on UNIX and Linux
———————————————————————-
For this, first determine the value <dir_global> for DIR_GLOBAL on the relevant application server (for example, using transaction AL11). Then add the following lines to the logon script for <sid>adm on this application server:

  • For C shell scripts:

    setenv RSEC_SSFS_DATAPATH <dir_global>/security/rsecssfs/data
    setenv RSEC_SSFS_KEYPATH <dir_global>/security/rsecssfs/key

  • For Korn shell scripts:

    export RSEC_SSFS_DATAPATH=<dir_global>/security/rsecssfs/data
    export RSEC_SSFS_KEYPATH=<dir_global>/security/rsecssfs/key

  texadm@saptex:/usr/sap/texadm>grep RSEC $HOME/.profile 

export RSEC_SSFS_DATAPATH=/usr/sap/TEX/SYS/global/security/rsecssfs/data

export RSEC_SSFS_KEYPATH=/usr/sap/TEX/SYS/global/security/rsecssfs/key

———————————————————————-
5.  Setting up the SSFS data storage and checking the access rights
———————————————————————-

———————————————————————-
5.1 Setting up the SSFS storage
———————————————————————-
In the following, you must fill the secure storage in the file system with the required access information for the ABAP database user. This information consists at least of the name of the ABAP database user and the password of this user.
In some database types, you must also make specifications about the target database. In all other cases, this information is still derived from the SAP profile.

Note that storage differentiates between uppercase and lowercase characters.

  • DB_CONNECT/DEFAULT_DB_USER
    ABAP database connect user (usually “SAPSR3”)
    The storage in the secure storage should take place in an unencrypted manner for Support reasons.
  • DB_CONNECT/DEFAULT_DB_PASSWORD
    Password of the ABAP database user
    The storage in the secure storage takes place in an encrypted manner.
  • DB_CONNECT/DEFAULT_DB_CON_ENV
    Specifications about the ABAP target database
    The storage in the secure storage takes place in an unencrypted manner. This parameter is currently required for the SAP HANA database only.

 
Refer to the relevant platform note for the name of the database connect user, for the information about whether the parameter DB_CONNECT/DEFAULT_DB_CON_ENV is required, and its exact format, if required.

Proceed as follows: 

  • Log on to SAPGLOBALHOST as the <sid>adm user.
  • Make sure that the environment variables RSEC_SSFS_DATAPATH and RSEC_SSFS_KEYPATH are set.
texadm@saptex:/usr/sap/texadm>env | grep RSEC

RSEC_SSFS_DATAPATH=/usr/sap/TEX/SYS/global/security/rsecssfs/data

RSEC_SSFS_KEYPATH=/usr/sap/TEX/SYS/global/security/rsecssfs/key

  • Use the command line tool of the secure storage rsecssfx from the SAP kernel to add entries for the user <name> and the password <pwd>, and to add any information about the target database as follows:

    rsecssfx put DB_CONNECT/DEFAULT_DB_USER <name> -plain
    rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD <pwd>

texadm@saptex:/usr/sap/texadm>rsecssfx put DB_CONNECT/DEFAULT_DB_USER  SAPSR3 -plain

texadm@saptex:/usr/sap/texadm>rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD Kart0on1

           If required, also use:

           rsecssfx put DB_CONNECT/DEFAULT_DB_CON_ENV <con_env> -plain

           Note the following: In non-Unicode systems, only characters from the 7-bit ASCII area are permitted.

           To avoid code page problems, we generally recommend that you adhere to this rule. If you want to use other characters in Unicode systems, you must convert these using the ABAP report RSECSSFX_ESCAPE into characters that can be used by rsecssfx.

  • Check the content of the secure storage as follows:

    rsecssfx list

/wp-content/uploads/2013/09/ssf3_277224.png

   

texadm@saptex:/usr/sap/texadm>rsecssfx list

|———————————————————————————|

| Record Key                     | Status             | Timestamp of last Update  |

|———————————————————————————|

| DB_CONNECT/DEFAULT_DB_PASSWORD | Encrypted          | 2013-09-10  09:52:11 UTC |

| DB_CONNECT/DEFAULT_DB_USER     | Plaintext          | 2013-09-10  09:51:43 UTC |

|———————————————————————————|

Summary

——-

Active Records    : 2 (Encrypted : 1, Plain : 1, Wrong Key : 0, Error : 0)

Outdated Records  : 4 (occupied space can be released by the “compact” command)

Datafile Location : /usr/sap/TEX/SYS/global/security/rsecssfs/data/SSFS_TEX.DAT (when existing)

Keyfile Location  : /usr/sap/TEX/SYS/global/security/rsecssfs/key/SSFS_TEX.KEY (when existing)

           Refer to the command line help for further commands for the administration of the secure storage:

rsecssfx help


———————————————————————-
5.2 Setting and checking the authorization of the SSFS data storage
———————————————————————-
Due to the first call of “rsecssfx put”, the system also creates the data storage of the secure storage. The directory $(DIR_GLOBAL)/security/rsecssfs/data should now contain the file SSFS_<sid>.DAT.

texadm@saptex:/usr/sap/texadm>ls -lart /usr/sap/TEX/SYS/global/security/rsecssfs/*/

/usr/sap/TEX/SYS/global/security/rsecssfs/key/:

total 8

drwx——. 4 texadm sapsys 4096 Sep  5 16:09 ..

drwx——. 2 texadm sapsys 4096 Sep  5 16:09 .

/usr/sap/TEX/SYS/global/security/rsecssfs/data/:

total 12

drwx——. 4 texadm sapsys 4096 Sep  5 16:09 ..

-rw-r–r–. 1 texadm sapsys 1458 Sep 10 11:52 SSFS_TEX.DAT

drwx——. 2 texadm sapsys 4096 Sep 10 11:52 .


———————————————————————-
SAPGLOBALHOST on Windows
———————————————————————-
If your SAPGLOBALHOST runs on Windows, no action is required because the access rights are inherited from the directory when the file is created.

———————————————————————-
SAPGLOBALHOST on UNIX or Linux
———————————————————————-
Otherwise, you must correct the access rights for the file, in the same way as for step 2.2, so that only <sid>adm are authorized.

  • chmod 600 <dir_global>/security/rsecssfs/data/SSFS_<sid>.DAT


For security reasons, also check the access rights here using “ls -al”:
-rw——- <sid>adm  sapsys  SSFS_<sid>.DAT

texadm@saptex:/usr/sap/texadm>chmod 600 /usr/sap/TEX/SYS/global/security/rsecssfs/data/SSFS_TEX.DAT

texadm@saptex:/usr/sap/texadm>ls -lart /usr/sap/TEX/SYS/global/security/rsecssfs/data/

total 12

drwx——. 4 texadm sapsys 4096 Sep  5 16:09 ..

-rw——-. 1 texadm sapsys 1458 Sep 10 11:52 SSFS_TEX.DAT

drwx——. 2 texadm sapsys 4096 Sep 10 11:52 .

———————————————————————-
7.  Changing to the new connection method
———————————————————————-
———————————————————————-
7.1 Setting the required parameters
———————————————————————-
If you have executed all of the previous steps correctly, the SAP system should now be able to retrieve the password information that is required for the connection to the primary ABAP database from the secure storage in the file system. However, the conventional password storage is consulted by default.

The changeover to the new method now takes place due to a further profile parameter or a further environment variable. Proceed in the same way as described in step 3 and 4 to set the profile parameter (on SAPGLOBALHOST) and the environment variable (for all of the application servers).

  • Profile parameter : rsdb/ssfs_connect = 1

    /wp-content/uploads/2013/09/ssf4_277225.png

  • Environment variable: rsdb_ssfs_connect 1

texadm@saptex:/usr/sap/texadm>env |  grep rsdb

rsdb_ssfs_connect=1

texadm@saptex:/usr/sap/texadm>grep rsdb_ssfs_connect .*

.sapenv.csh:setenv rsdb_ssfs_connect 1

.sapenv_saptex.csh:setenv rsdb_ssfs_connect 1

.sapenv_saptex.sh:rsdb_ssfs_connect=1; export rsdb_ssfs_connect

.sapenv.sh:rsdb_ssfs_connect=1; export rsdb_ssfs_connect


(To use the conventional storage, you must set the values of the profile parameter and environment variable to the value ‘0’. This corresponds to the default.)

———————————————————————-
7.2 Checking the successful changeover
———————————————————————-
Restart the SAP system and check whether the connect was successful. If the changeover was successful, the developer trace (SM50) should contain the following entry:
B read_con_info_ssfs(): DBSL supports extended connect protocol
B   ==> connect info for default DB will be read from ssfs


Check this for all of the application servers.

In addition, make sure that the SAP tools are still able to connect to the database. To do this, perform an R3trans testconnect on the application servers as <sid>adm.
R3trans -d

If R3trans was able to connect to the database successfully, the message “R3trans finished (0000).” should be displayed. You must now also check trans.log in the current directory for the following entry:

B read_con_info_ssfs(): DBSL supports extended connect protocol
B   ==> connect info for default DB will be read from ssfs

———————————————————————-
8.  Removing the user data from the platform-specific storage
———————————————————————-
After you make sure that the SAP system and its tools are able to retrieve the password information that is required for the initial connect to the ABAP database from the secure storage, you should remove the old platform-specific password storage. Otherwise, you will not benefit from the potential security-relevant improvements in comparison with the old method.

To do this, follow the instructions in the relevant platform notes.

SQL> show parameter remote_os_authent

NAME                              TYPE   VALUE

———————————— ———– ——————————

remote_os_authent                 boolean        TRUE

SQL> alter system reset remote_os_authent scope=spfile ;

System altered.

R3trans –d

Cat trans.log :

4 ETW000  [     dev trc,00000]  RSecSSFs: Entering function “RSecSSFsGetRecord” [/bas/740_REL/src/krn/rsec/rsecssfs.c 874]

4 ETW000                                                                                                  83  0.021348

4 ETW000  [     dev trc,00000]  RSecSSFs: Configuration data read from environment parameters [/bas/740_REL/src/krn/rsec/rsecssfs.c 4448]

4 ETW000                                                                                               40479  0.061827

4 ETW000  [     dev trc,00000]  RSecSSFs: Data file “/usr/sap/TEX/SYS/global/security/rsecssfs/data/SSFS_TEX.DAT” opened for read [/bas/740_REL/src/krn/rsec/rsecssfs.c 2563]

4 ETW000 83  0.061910

4 ETW000  [     dev trc,00000]  RSecSSFs: Key file “/usr/sap/TEX/SYS/global/security/rsecssfs/key/SSFS_TEX.KEY” not found, using default key [/bas/740_REL/src/krn/rsec/rsecssfs.c 1426]

4 ETW000 36  0.061946

4 ETW000  [     dev trc,00000]  RSecSSFs: Exiting function “RSecSSFsGetRecord” with return code 0 (message: <No message available>) [/bas/740_REL/src/krn/rsec/rsecssfs.c 942]

4 ETW000 354  0.062300

4 ETW000  [     dev trc,00000]  read_ssfs_record(): DB_CONNECT/DEFAULT_DB_USER read successfully from ssfs

To report this post you need to login first.

8 Comments

You must be Logged on to comment or reply to a post.

    1. Mathieu GRAVIL Post author

      Thank you! Secure storage in File system is quite new for me. And as several oracle 10G database need to be upgraded, we need to have a look on this 😉

      (0) 
  1. Blair Towe

    Hello Mathieu – This is a good summary of the steps.

    I am wondering if you have tried to setup DBACOCKPIT in Solution Manager to connect to one of the systems that you have changed over to use the Secure Storage in File System yet? We are getting errors in SM21 when Solution Manager tries to connect to a system where we have removed the OPS$<SID>ADM user after the changeover to SSFS. We see errors like the following:

    Database error 1017 at CON

    > con=2(xs-bhm-ssm-2:1527/TDM): ORA-01017: invalid

    > username/password; logon denied

    Database error 1017

    In Solution Manager’s DBACOCKPIT for this database, we have the correct SCHEMA (SAPSR3) and password.

    Regards,

    Blair Towe

    (0) 
  2. Chris Hoggarth

    Best document I’ve found for SSFS setup & configuration.

    But note there is one error.  After R3trans -d trans.log shows not

    read_con_info_ssfs(): DBSL supports extended connect protocol

    but

    con_info_ext_support(): DBSL supports extended connect protocol

    I raised this with SAP & they confirmed that note 1639578 is in error.

    Otherwise very useful document

    Thanks

    (0) 
  3. david nguyen

    Hello there, I am getting an errors below which lead me to this blog. I am running solman 7.2 Java stack, does this configuration apply to Java stack or just for ABAP? Thanks for your time in advance!

     
    sce4happ:smjadm 52> view ./trans.log
    4 ETW000 R3trans version 6.25 (release 745 – 27.11.15 – 20:15:12).
    4 ETW000 unicode enabled version
    4 ETW000 ===============================================
    4 ETW000
    4 ETW000 date&time : 30.06.2017 – 10:59:36
    4 ETW000 control file: <no ctrlfile>
    4 ETW000 R3trans was called as follows: R3trans -x
    4 ETW000 trace at level 1 opened for a given file pointer
    4 ETW000 [ dev trc,00000] Fri Jun 30 10:59:36 2017
    4 ETW000 [ dev trc,00000] Loading DB library ‘/usr/sap/SMJ/SYS/exe/run/dboraslib.so’ …
    4 ETW000 [ dev trc,00000] Library ‘/usr/sap/SMJ/SYS/exe/run/dboraslib.so’ loaded
    4 ETW000 [ dev trc,00000] Version of ‘/usr/sap/SMJ/SYS/exe/run/dboraslib.so’ is “745.04”, patchlevel (0.100)
    4 ETW000 [ dev trc,00000] read_con_info_ssfs(): DBSL supports extended connect protocol
    4 ETW000 ==> connect info for default DB will be read from ssfs
    4 ETW000 [dbcon.c ,00000] *** ERROR => read_ssfs_record(): RSecSSFsGetRecord(DB_CONNECT/DEFAULT_DB_USER)=1 : SSFS-4218: Record with key “DB_CONNECT/DEFAULT_DB_USER” not found in secure storage <– SSFS-4215: Data file “/usr/sap/SMJ/SYS/global/security/rsecssfs/data/SSFS_SMJ.DAT” exists, but does not contain the requested entry
    4 ETW000 [dbcon.c ,00000] *** ERROR => Connect to R/3 failed. USERID and/or PASSWD could not be retrieved from SSFS
    2EETW169 no connect possible: “DBMS = ORACLE — dbs_ora_tnsname = ‘SMJ'”

     

     

    (0) 

Leave a Reply