
SSFS Implementation for Oracle Database

Author(s): Nitesh Jain

Target readers

SAP Basis

Keywords

SAPUSER, ops$-User, ops$-Connect, SSFS, data protection, secure storage, Secure Connect

1.    Introduction –

Prior to SSFS, the connection between the SAP system (AS ABAP), or the SAP tools that use the ABAP database interface (R3trans, R3load etc.), and the database via SQL*Net (using the database alias name as configured in TNS) worked as follows: an OPS$ connection with the database user OPS$<SID>ADM, authorized by the operating system user <sid>adm, was created first (via "connect /@TNS"). This connection was only allowed to access the table OPS$<SID>ADM.SAPUSER, which contains the encrypted password for the actual database connection of the SAP database user (the schema user).

OPS$ remote connect (using the TNS alias name) is supported up to Oracle Release 11g and is no longer supported in later Oracle versions. As of SAP Kernel release 7.20, SAP has introduced a new method for securely storing the database password and connecting to the database, called Secure Storage in the File System (SSFS). The encrypted password of the SAP database user is then no longer stored in the database but in the file system. Because Kernel 7.20 is a downward-compatible kernel, the new method is available in all SAP 7.x systems, and it is recommended for security reasons. For backwards compatibility, the conventional connect method continues to be supported up to Oracle version 11.2 for all SAP systems. SAP systems on Kernel 7.20 or higher that use Oracle versions after 11g can only be operated with the new method.

The connect to the Oracle database using the OPS$ method contains a vulnerability that makes it possible for a malicious user to log on to the database as an OPS$ user without entering a password unless the relevant countermeasures are taken.

This document describes the step-by-step procedure for implementing SSFS (Secure Storage in the File System) for Oracle Database in an IBM AIX environment.

I hereby confirm that the images/screenshots were created by me during the installation and there is no IP violation in this document.

2.    Pre-Requisites –

·         The following user accounts should exist (generic names used throughout this document):

          unixacc        Operating system account with login (for Unix "su" command functionality)
          saproot        Operating system account with root / admin privileges (UNIX: without login)
          sidadm         SAP admin account
          orasid         Oracle DBA account
          Administrator  SAP Administrator account

·         Minimum kernel: 7.20 EXT with PL210

·         The above kernel requires AIX 6.1 (required for Kernel 7.20 PL300 compatibility)

·         Take a backup of the env scripts of sidadm and of the default and instance profiles.

·         Download directory: /download

3.    Installation Procedure –

Step 1: Check the minimum disk space in /tmp
User: unixacc
Command: df -g /tmp
Expected result: at least 5 MB free space

Step 2: Check the OS version (Metalink 169706.1)
User: unixacc
Command: oslevel -s
Expected result: at least 6100-07-03-1207

Step 3: Check the Java version (Metalink 169706.1)
User: unixacc
Command: lslpp -l | grep -i java
Expected result: Java version 6 installed, e.g.
Java6_64.sdk               6.0.0.1

Step 4: Check the Oracle version
User: orasid
Command: sqlplus / as sysdba
Expected result: Oracle version at least 11.2.0.3

Step 5: Check the kernel version
User: sidadm
Command: disp+work
Expected result: kernel version at least 720_EXT(300)

Step 6: Back up the database
User: orasid
Command: brbackup -u / -c force -t online -m all -p initSID.sap -a -c force -p initSID.sap -sd

Step 7: Stop SAP, the database, the SMD agents and the CCMS agents
User: sidadm on psiddi00
stopsap ASCS00 psidcs00
stopsap DVEBMGS01 psiddi00
User: sidadm on psiddi01
stopsap D01 psiddi01
User: daaadm on psiddi00
stopsap SMDA97 psiddi00
User: daaadm on psiddi01
stopsap SMDA97 psiddi01
User: sidadm on psiddi00
sapccm4x -stop pf=SID_DVEBMGS01_psiddi00
User: sidadm on psiddi01
sapccm4x -stop pf=SID_D01_psiddi01

Step 8: Create the necessary directories
User: sidadm
cd /usr/sap/SID/SYS/global
mkdir /usr/sap/SID/SYS/global/security
mkdir /usr/sap/SID/SYS/global/security/rsecssfs
mkdir /usr/sap/SID/SYS/global/security/rsecssfs/data
mkdir /usr/sap/SID/SYS/global/security/rsecssfs/key

Step 9: Set authorizations on the directories
User: sidadm
cd /usr/sap/SID/SYS/global
chmod 700 security
chmod 700 security/rsecssfs
chmod 700 security/rsecssfs/data
chmod 700 security/rsecssfs/key
ls -alR security/rsecssfs | grep -E 'data$|key$'

Step 10: Set profile parameters
User: Administrator, transaction RZ10
**** Take a backup of DEFAULT.PFL ****
In the default profile, add the following parameters:
rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
rsec/ssfs_keypath  = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
rsdb/ssfs_connect = 1

Step 11: Set environment variables
User: sidadm
rm .*_p*.*sh
**** Take a backup of .sapenv.sh and .sapenv.csh ****
vi .sapenv.sh
At the end of the file add the lines:
export RSEC_SSFS_DATAPATH=/usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/data
export RSEC_SSFS_KEYPATH=/usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/key
export rsdb_ssfs_connect=1
vi .sapenv.csh
At the end of the file add the lines:
setenv RSEC_SSFS_DATAPATH /usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/data
setenv RSEC_SSFS_KEYPATH /usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/key
setenv rsdb_ssfs_connect 1
Log off, log on again and check that the variables are active.

Step 12: Set up the SSFS storage
User: sidadm
rsecssfx put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain
rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD *****

Step 13: Check the SSFS storage
User: sidadm
rsecssfx list
Expected result:

|--------------------------------|--------------------|---------------------------|
| Record Key                     | Status             | Timestamp of last Update  |
|--------------------------------|--------------------|---------------------------|
| DB_CONNECT/DEFAULT_DB_PASSWORD | Encrypted          | 2012-11-21  14:16:08  UTC |
| DB_CONNECT/DEFAULT_DB_USER     | Plaintext          | 2012-11-21  14:15:33  UTC |
|--------------------------------|--------------------|---------------------------|

Summary
Active Records    : 2 (Encrypted : 1, Plain : 1, Wrong Key : 0, Error : 0)
Datafile Location : /usr/sap/SID/SYS/global/security/rsecssfs/data/SSFS_SID.DAT (when existing)
Keyfile Location  : /usr/sap/SID/SYS/global/security/rsecssfs/key/SSFS_SID.KEY (when existing)
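The listing from step 13 can be checked mechanically rather than by eye. The shell function below is an added example and is not part of the original post or of SAP's tooling: it reads the output of rsecssfx list and fails when DB_CONNECT/DEFAULT_DB_PASSWORD is not stored Encrypted, when the DEFAULT_DB_USER record is missing, or when the summary reports records with a wrong key or an error. The two listings embedded in the script are constructed copies of the output above (the second one deliberately shows a password stored in plain text); on a real system the live output is piped into the function instead.

```shell
#!/bin/sh
# Added example (not from the original post): validate `rsecssfx list` output from step 13.
# Real use as <sid>adm:   rsecssfx list | check_ssfs_records

# Return 0 when the password record is Encrypted, the user record exists and the summary
# reports neither "Wrong Key" nor "Error" records; print the reason and return 1 otherwise.
check_ssfs_records() {
  awk -F'|' '
    # Record rows look like: | <key> | <status> | <timestamp> |
    $2 ~ /^ *DB_CONNECT\// {
      key = $2; status = $3
      gsub(/^ +| +$/, "", key); gsub(/^ +| +$/, "", status)
      st[key] = status
    }
    # Summary line: Active Records : 2 (Encrypted : 1, Plain : 1, Wrong Key : 0, Error : 0)
    /^Active Records/ {
      if (match($0, /Wrong Key : [0-9]+/)) wrongkey = substr($0, RSTART + 12, RLENGTH - 12)
      if (match($0, /Error : [0-9]+/))     errors   = substr($0, RSTART + 8, RLENGTH - 8)
    }
    END {
      rc = 0
      pw = st["DB_CONNECT/DEFAULT_DB_PASSWORD"]
      if (pw != "Encrypted") {
        print "DEFAULT_DB_PASSWORD is not stored encrypted (status: \"" pw "\")"; rc = 1
      }
      if (!("DB_CONNECT/DEFAULT_DB_USER" in st)) {
        print "DEFAULT_DB_USER record is missing"; rc = 1
      }
      if (wrongkey + 0 > 0 || errors + 0 > 0) {
        print "records with wrong key: " (wrongkey + 0) ", with error: " (errors + 0); rc = 1
      }
      exit rc
    }'
}

# Constructed sample matching the listing in step 13 (password encrypted, user in plain text).
GOOD_LISTING='|--------------------------------|--------------------|---------------------------|
| Record Key                     | Status             | Timestamp of last Update  |
|--------------------------------|--------------------|---------------------------|
| DB_CONNECT/DEFAULT_DB_PASSWORD | Encrypted          | 2012-11-21  14:16:08  UTC |
| DB_CONNECT/DEFAULT_DB_USER     | Plaintext          | 2012-11-21  14:15:33  UTC |
|--------------------------------|--------------------|---------------------------|

Summary
Active Records    : 2 (Encrypted : 1, Plain : 1, Wrong Key : 0, Error : 0)'

# Constructed sample of a misconfigured store: the password was put with -plain.
BAD_LISTING='| DB_CONNECT/DEFAULT_DB_PASSWORD | Plaintext          | 2012-11-21  14:16:08  UTC |
| DB_CONNECT/DEFAULT_DB_USER     | Plaintext          | 2012-11-21  14:15:33  UTC |

Summary
Active Records    : 2 (Encrypted : 0, Plain : 2, Wrong Key : 0, Error : 0)'

# Dry run against the constructed samples (prints nothing for the good one).
printf '%s\n' "$GOOD_LISTING" | check_ssfs_records
printf '%s\n' "$BAD_LISTING" | check_ssfs_records
```

The awk program keys on the record names rather than on column positions, so extra records in the store (for example additional DB_CONNECT entries) do not break the check; the summary counters are read from the "Active Records" line so a store whose key file no longer matches the data file is reported as well.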

Step 14: Set and check authorizations of the SSFS storage
User: sidadm
cd /usr/sap/SID/SYS/global/security/rsecssfs/data
chmod 600 SSFS_SID.DAT
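Steps 8, 9 and 14 together define the file-system protection of the secure store: only the <sid>adm owner may enter the directories or read the data file. The script below is an added example and not part of the original post or of any SAP tool; it creates the directory tree with the same modes and then verifies them, so the check can be rerun later (after a kernel upgrade or a system copy) to detect drift. It assumes the /usr/sap/<SID>/SYS/global layout for production use, reads permissions with ls -ld so that it also works on AIX without GNU stat, and additionally expects the key file to be mode 600, which the post only applies to SSFS_SID.DAT.

```shell
#!/bin/sh
# Added example, not part of the original post: create the SSFS directory tree with the
# modes from steps 8, 9 and 14 and verify them afterwards. The SAP layout
# /usr/sap/<SID>/SYS/global is assumed for production use; any base directory works for a dry run.

# Print the permission bits of a path as three octal digits, parsed from `ls -ld`
# (works on AIX, which has no GNU stat). The setuid/setgid/sticky markers s/t count
# as "bit set" in the rwx digit they replace.
perm_octal() {
  ls -ld "$1" | awk '{
    m = substr($1, 2, 9); o = 0
    for (i = 1; i <= 9; i++) { c = substr(m, i, 1); if (c ~ /[rwxst]/) o += 2 ^ (9 - i) }
    printf "%d%d%d\n", int(o / 64), int((o % 64) / 8), o % 8
  }'
}

# Steps 8 and 9: create <base>/security/rsecssfs/{data,key} and restrict every level to the owner.
setup_ssfs_tree() {
  base=$1
  mkdir -p "$base/security/rsecssfs/data" "$base/security/rsecssfs/key" || return 1
  chmod 700 "$base/security" "$base/security/rsecssfs" \
            "$base/security/rsecssfs/data" "$base/security/rsecssfs/key"
}

# Return 0 when the four directories are mode 700 and every file below data/ and key/ is
# mode 600; print each deviation and return 1 otherwise. Step 14 sets 600 on SSFS_<SID>.DAT
# only; expecting the same for the key file is an assumption made in this example.
check_ssfs_perms() {
  base=$1; rc=0
  for d in "$base/security" "$base/security/rsecssfs" \
           "$base/security/rsecssfs/data" "$base/security/rsecssfs/key"; do
    if [ ! -d "$d" ]; then echo "missing directory: $d"; rc=1; continue; fi
    p=$(perm_octal "$d")
    [ "$p" = "700" ] || { echo "expected 700 on $d, found $p"; rc=1; }
  done
  for f in "$base"/security/rsecssfs/data/* "$base"/security/rsecssfs/key/*; do
    [ -f "$f" ] || continue   # skip the unexpanded glob of an empty directory
    p=$(perm_octal "$f")
    [ "$p" = "600" ] || { echo "expected 600 on $f, found $p"; rc=1; }
  done
  return $rc
}

# Production use as <sid>adm (the DAT and KEY files appear once step 12 has run):
#   setup_ssfs_tree /usr/sap/SID/SYS/global && check_ssfs_perms /usr/sap/SID/SYS/global
```

The check is deliberately separate from the setup so that it can be scheduled on its own; a non-zero return value with the printed path is enough for a monitoring job to raise an alert.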

Step 15: Start the database and the Oracle listener
User: orasid
lsnrctl start
sqlplus / as sysdba
SQL> startup

Step 16: Check the connection
User: sidadm
R3trans -d
Expected result: R3trans finished (0000).
grep -E 'ssfs.*DBSL' trans.log
Expected result: read_con_info_ssfs(): DBSL supports extended connect protocol

Step 17: Exclude the standard SAP connect method
User: orasid
sqlplus system/****
drop table ops$sidadm.sapuser;

Step 18: Exclude the Oracle remote OPS$ connect
User: orasid
sqlplus / as sysdba
alter system reset remote_os_authent scope=spfile;

Step 19: Restart the database so that the Oracle parameter reset in step 18 takes effect
User: orasid
sqlplus / as sysdba
SQL> shutdown immediate
SQL> startup

Step 20: Start SAP, the database, the SMD agents and the CCMS agents
User: sidadm on psiddi00
startsap ASCS00 psidcs00
startsap DVEBMGS01 psiddi00
User: sidadm on psiddi01
startsap D01 psiddi01
User: daaadm on psiddi00
startsap SMDA97 psiddi00
User: daaadm on psiddi01
startsap SMDA97 psiddi01
User: sidadm on psiddi00
sapccm4x -DCMS pf=SID_DVEBMGS01_psiddi00
User: sidadm on psiddi01
sapccm4x -DCMS pf=SID_D01_psiddi01

Step 21: Check the connection method
User: Administrator, transaction SM50
Select a DIA work process, display its trace file and search for "ssfs". The connection method can also be checked in SM51. Expected entries:
read_con_info_ssfs(): DBSL supports extended connect protocol
  ==> connect info for default DB will be read from ssfs

Step 22: Back up the database
User: orasid
brbackup -u / -c force -t online -m all -p initSID.sap -a -c force -p initSID.sap -sd

5.    References

SAP Notes (https://service.sap.com/notes):

SAP Note 1611877 - Support for ABAP SSFS during database connect
SAP Note 1622837 - New connect method of AS ABAP to Oracle via SSFS
SAP Note 1623922 - Connect to Oracle database
SAP Note 1639578 - SSFS as password storage for primary database connect
SAP Note 1678336 - RSecSSFs: UTF8 conversion failed with returncode 1


12 Comments


  1. Shaun Wimpory

    Hi Nitesh,

     

    How about the other OPS$ users that are installed by default?

    For example is the OPS$ORA<SID> user still required in the database?

     

    Regards

    Shaun

  2. Martin Grunewald

    Nitesh, good summary.

    Shaun, as this type of db connect should close some security issues around the OPS$ mechanism I assume it makes no sense to keep the OPS$ORASID user.

    1. Nitesh Jain Post author

      Hello Shefan,

      SSFS is applicable for ABAP systems only; for Java systems we don’t have any OPS$ tables, as we achieve this with the secure storage.

       

      Regards,

      Nitesh Jain

    2. Shaun Wimpory

      Hi Stefan,

       

      Java schema credentials are already stored in the secure store, thus you don’t need to worry about SSFS for Java.

       

      Cheers

      Shaun

  3. Norbert Toronsky

    Dear all,

     

    What about a dual-stack NW 7.31 PI? I tried to set up SSFS for this scenario, but when I add the DB user (ABAP) to SSFS then Java won’t come up, ABAP does. When I add the DB user for Java, then ABAP won’t come up.

     

    What do you recommend here ?

    Thanks in advance.

    Best regards

    Norbert Toronsky

      1. Norbert Toronsky

        Hi Stefan,

         

        thank you for quick response,

         

        I tried, but with the command rsecssfx put DB_CONNECT/DEFAULT_DB_USER you just replace the user.

         

        Thanks in advance.

        1. Nitesh Jain Post author

          Hello Norbert,

          You don’t need to add both the SAPSR3 & SAPSR3DB users (or whatever schema you have); you only have to add the SAPSR3 user to the SSFS storage. You have to disable the parameter remote_os_authent and that should work. There is no reason we have to maintain the Java user. In case the issue still occurs, please post the trans.log here & I will be able to help.

           

          Regards,

          Nitesh

  4. Balaji Shelke

    Hi Nitesh,

    Your blog is very informative.

    I have a query. If we have additional application servers installed along with the central instance, do we need to set the environment variables on the additional application servers as well?

    Best Regards,

     
