SSFS Implementation for Oracle Database
Author(s): Nitesh Jain
Target readers
SAP Basis
Keywords
SAPUSER, ops$-User, ops$-Connect, SSFS, data protection, secure storage, Secure Connect
1. Introduction –
Before SSFS, the connection of the SAP system (AS ABAP) and of the SAP tools that use the ABAP database interface (R3trans, R3load, etc.) to the database via SQL*Net (using the database alias name as configured in TNS) worked as follows: first an OPS$ connection was established (via "connect /@TNS") with the database user OPS$<SID>ADM, which is authenticated by the operating system user sidadm. This connection was allowed to access only the table OPS$<SID>ADM.SAPUSER, which contains the encrypted password for the actual database connection of the SAP database user (by default the schema user).
As of Oracle Release 11g, the OPS$ remote connect (using the TNS alias name) is announced as no longer supported in future Oracle versions. As of SAP Kernel release 7.20, SAP therefore introduced a new method for securely storing the database password and for connecting to the database, called Secure Storage in File System (SSFS). The encrypted password of the SAP database user is then no longer stored in the database but in the file system. Because Kernel 7.20 is a downward-compatible kernel, the new method is available in all SAP 7.x systems, and it is recommended for security reasons. For backwards compatibility, the conventional connect method continues to be supported up to Oracle version 11.2 for all SAP systems. All SAP systems as of Kernel 7.20 that use Oracle versions after 11g can be operated with the new method only.
The connect to the Oracle database using the OPS$ method contains a vulnerability that, unless appropriate countermeasures are in place, allows a malicious user to log on to the database as an OPS$ user without entering a password.
This document describes the step-by-step procedure for implementing SSFS (Secure Storage in File System) for an Oracle database in an IBM AIX environment.
I hereby confirm that the Images/screenshots are created by me during the installation and there is no IP violation in this document.
2. Prerequisites –
· The following user accounts should exist:
| User account                                                            | Generic name  |
| Operating system account with login                                     | unixacc       |
| Operating system account with root / admin privileges (UNIX), no login  | saproot       |
| SAP admin account                                                       | sidadm        |
| Oracle DBA account                                                      | orasid        |
| SAP Administrator account                                               | Administrator |
· Minimum kernel: 7.20 EXT with PL210
· This kernel requires AIX 6.1 (required for Kernel 7.20 PL300 compatibility)
· Take a backup of the env scripts of sidadm, and the Default & Instance profiles.
Download Directory: /download
3. Installation Procedure –
1. Check the minimum disk space in /tmp
   df -g /tmp
   Expected: at least 5 MB free space

2. Check the OS version (Metalink 169706.1)
   oslevel -s
   Expected: at least 6100-07-03-1207

3. Check the Java version (Metalink 169706.1)
   lslpp -l | grep -i java
   Expected: Java 6 installed (Java6_64.sdk 6.0.0.1)

4. Check the Oracle version
   sqlplus / as sysdba
   Expected: Oracle version at least 11.2.0.3

5. Check the kernel version
   disp+work
   Expected: kernel version at least 720_EXT (300)

6. Back up the database
   brbackup -u / -c force -t online -m all -p initSID.sap -a -c force -p initSID.sap -sd

7. Stop SAP, the database, the SMD agents and the CCMS agents
   stopsap ASCS00 psidcs00
   stopsap DVEBMGS01 psiddi00
   stopsap D01 psiddi01
   stopsap SMDA97 psiddi00
   stopsap SMDA97 psiddi01
   sapccm4x -stop pf=SID_DVEBMGS00_psiddi00
   sapccm4x -stop pf=SID_D01_psiddi01

8. Create the necessary directories
   cd /usr/sap/SID/SYS/global
   mkdir /usr/sap/SID/SYS/global/security
   mkdir /usr/sap/SID/SYS/global/security/rsecssfs
   mkdir /usr/sap/SID/SYS/global/security/rsecssfs/data
   mkdir /usr/sap/SID/SYS/global/security/rsecssfs/key

9. Set authorizations on the directories
   cd /usr/sap/SID/SYS/global
   chmod 700 security
   chmod 700 security/rsecssfs
   chmod 700 security/rsecssfs/data
   chmod 700 security/rsecssfs/key
   ls -alR security/rsecssfs | grep -E 'data$|key$'

10. Set profile parameters
    Take a backup of DEFAULT.PFL first. Then add the following parameters to the default profile:
    rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
    rsec/ssfs_keypath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
    rsdb/ssfs_connect = 1

11. Set environment variables
    rm .*_p*.*sh
    Take a backup of .sapenv.sh and .sapenv.csh first.
    vi .sapenv.sh and add the following lines at the end of the file:
    export RSEC_SSFS_DATAPATH=/usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/data
    export RSEC_SSFS_KEYPATH=/usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/key
    export rsdb_ssfs_connect=1
    vi .sapenv.csh and add the following lines at the end of the file:
    setenv RSEC_SSFS_DATAPATH /usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/data
    setenv RSEC_SSFS_KEYPATH /usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/key
    setenv rsdb_ssfs_connect 1
    Log off, log on again and check that the variables are active.

12. Set up the SSFS storage
    rsecssfx put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain
    rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD *****

13. Check the SSFS storage
    rsecssfx list
    Expected output:
    |-----------------------------------------------------------------------|
    | Record Key                     | Status    | Timestamp of last Update |
    |-----------------------------------------------------------------------|
    | DB_CONNECT/DEFAULT_DB_PASSWORD | Encrypted | 2012-11-21 14:16:08 UTC  |
    | DB_CONNECT/DEFAULT_DB_USER     | Plaintext | 2012-11-21 14:15:33 UTC  |
    |-----------------------------------------------------------------------|
    Summary
    Active Records : 2 (Encrypted : 1, Plain : 1, Wrong Key : 0, Error : 0)
    Datafile Location : /usr/sap/SID/SYS/global/security/rsecssfs/data/SSFS_SID.DAT (when existing)
    Keyfile Location : /usr/sap/SID/SYS/global/security/rsecssfs/key/SSFS_SID.KEY (when existing)

14. Set and check the authorizations of the SSFS storage
    cd /usr/sap/SID/SYS/global/security/rsecssfs/data
    chmod 600 SSFS_SID.DAT

15. Start the database and the Oracle listener
    lsnrctl start
    sqlplus / as sysdba
    SQL> startup

16. Check the connection
    R3trans -d
    Expected: R3trans finished (0000).
    grep -E 'ssfs.*DBSL' trans.log
    Expected: read_con_info_ssfs(): DBSL supports extended connect protocol

17. Exclude the standard SAP connect method
    sqlplus system/****
    SQL> drop table ops$sidadm.sapuser;

18. Exclude the Oracle remote OPS$ connect
    sqlplus / as sysdba
    SQL> alter system reset remote_os_authent scope=spfile;

19. Shut down and restart the database so that the Oracle parameter reset in step 18 takes effect
    sqlplus / as sysdba
    SQL> shutdown immediate
    SQL> startup

20. Start SAP, the database, the SMD agents and the CCMS agents
    startsap ASCS00 psidcd00
    startsap DVEBMGS01 psiddi00
    startsap D01 psiddi01
    startsap SMDA97 psiddi00
    startsap SMDA97 psiddi01

21. Check the connection method
    In SM51, select a DIA process, display its trace file and search for "ssfs". Expected:
    read_con_info_ssfs(): DBSL supports extended connect protocol ==> connect info for default DB will be read from ssfs

22. Back up the database
    brbackup -u / -c force -t online -m all -p initSID.sap -a -c force -p initSID.sap -sd
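The file modes set in steps 8, 9 and 14 and the profile parameters from step 10 are easy to get subtly wrong (a 755 on the data directory, a parameter added to the wrong profile), and the blog only spot-checks them with ls. The following script is an added verification helper, not part of Nitesh's blog or of SAP's tooling. It assumes POSIX sh with ls, cut, sed and grep, and takes the SYS/global base directory and the SID as arguments, so it runs offline against a constructed directory tree and never touches a live system. The names check_ssfs_perms, check_ssfs_profile, mode_of and demo_ssfs_checks are this example's own.

```shell
#!/bin/sh
# Added verification helper (not part of the original blog).
# Checks the rsecssfs tree created in steps 8, 9 and 14 and the three
# DEFAULT.PFL parameters from step 10. Assumes POSIX sh with ls, cut,
# sed and grep; the base directory (SYS/global) and the SID are passed
# in by the caller, nothing is read from a live SAP system.

# Print the 10-character mode string of a path, e.g. "drwx------".
# ls -ld output is parsed because it is portable across AIX and Linux,
# unlike stat's option set.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_ssfs_perms BASE SID
# Returns 0 when security, security/rsecssfs and its data and key
# subdirectories are all mode 700 and SSFS_<SID>.DAT, if it already
# exists, is mode 600; otherwise prints each finding and returns 1.
check_ssfs_perms() {
    base="$1"
    sid="$2"
    rc=0
    for d in security security/rsecssfs security/rsecssfs/data security/rsecssfs/key; do
        p="$base/$d"
        if [ ! -d "$p" ]; then
            echo "MISSING directory: $p"
            rc=1
        elif [ "$(mode_of "$p")" != "drwx------" ]; then
            echo "WRONG mode on $p: $(mode_of "$p") (expected drwx------)"
            rc=1
        fi
    done
    dat="$base/security/rsecssfs/data/SSFS_${sid}.DAT"
    if [ -f "$dat" ] && [ "$(mode_of "$dat")" != "-rw-------" ]; then
        echo "WRONG mode on $dat: $(mode_of "$dat") (expected -rw-------)"
        rc=1
    fi
    return $rc
}

# check_ssfs_profile PROFILE
# Returns 0 when all three parameters from step 10 are present with the
# prescribed values. Whitespace is stripped from each profile line so
# "name = value" and "name=value" both match; the comparison is a
# fixed-string whole-line match, so the $(...) placeholders are not
# interpreted as a regular expression.
check_ssfs_profile() {
    prof="$1"
    rc=0
    while read -r name value; do
        if ! sed 's/[[:space:]]//g' "$prof" | grep -Fxq "${name}=${value}"; then
            echo "MISSING or wrong parameter in $prof: $name = $value"
            rc=1
        fi
    done <<'EOF'
rsec/ssfs_datapath $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
rsec/ssfs_keypath $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
rsdb/ssfs_connect 1
EOF
    return $rc
}

# Stand-alone demo on a constructed layout in a temp directory (a
# constructed sample, not a real SAP system); both checks should pass.
demo_ssfs_checks() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/security/rsecssfs/data" "$tmp/security/rsecssfs/key"
    chmod 700 "$tmp/security" "$tmp/security/rsecssfs" \
              "$tmp/security/rsecssfs/data" "$tmp/security/rsecssfs/key"
    : > "$tmp/security/rsecssfs/data/SSFS_SID.DAT"
    chmod 600 "$tmp/security/rsecssfs/data/SSFS_SID.DAT"
    printf '%s\n' \
        'rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data' \
        'rsec/ssfs_keypath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key' \
        'rsdb/ssfs_connect = 1' > "$tmp/DEFAULT.PFL"
    check_ssfs_perms "$tmp" SID && check_ssfs_profile "$tmp/DEFAULT.PFL" && echo "SSFS layout OK"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
demo_ssfs_checks
```

On a real system the two functions would be called as `check_ssfs_perms /usr/sap/SID/SYS/global SID` and `check_ssfs_profile /usr/sap/SID/SYS/profile/DEFAULT.PFL` (the profile path is the usual location, not something the blog states); a non-zero exit from either is the signal to go back to step 9, 10 or 14. The checks deliberately only compare the modes from the procedure and do not verify ownership, since the page does not prescribe an owner beyond the sidadm context the commands are run in.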
5. References
https://service.sap.com/notes
1611877 Support for ABAP SSFS during database connect
1622837 New connect method of AS ABAP to Oracle via SSFS
1623922 Connect to Oracle database
1639578 SSFS as password storage for primary database connect
1678336 RSecSSFs: UTF8 conversion failed with returncode 1
Hi Nitesh,
How about the other OPS$ users that are installed by default?
For example is the OPS$ORA<SID> user still required in the database?
Regards
Shaun
Nitesh, good summary.
Shaun, as this type of db connect should close some security issues around the OPS$ mechanism, I assume it makes no sense to keep the OPS$ORASID user.
Hi Nitesh
One question. Do we need the SSFS database connect for JAVA?
I read only for abap in the notes!
Regards Stefan
Hello Stefan,
SSFS is applicable for ABAP systems only; for JAVA systems we don't have any OPS$ tables, as we achieve this with the secure storage.
Regards,
Nitesh Jain
Hi Stefan,
Java schema credentials are already stored in the secure store, thus you don't need to worry about SSFS for Java.
Cheers
Shaun
Dear all,
What about in dual-stack NW 7.31 PI? I tried to set SSFS for this scenario, but when I add the db user (ABAP) to SSFS then Java won't come up, ABAP does. When I add the db user for Java, then ABAP won't come up.
What do you recommend here ?
Thanks in advance.
Best regards
Norbert Toronsky
Hi Norbert
I think you must add both db users. Then it should be running.
Regards Stefan
Hi Stefan,
thank you for quick response,
I tried, but with the command rsecssfx put DB_CONNECT/DEFAULT_DB_USER you just replace the user.
Thanks in advance.
Hello Norbert,
You don't need to add both the SAPSR3 & SAPSR3DB users (or whatever schema you have); you only have to add the SAPSR3 user to the SSFS storage. You have to disable the parameter remote_os_authent and that should work. There is no reason we have to maintain the Java user. In case the issue still occurs, please post the trans.log here and I will be able to help.
Regards,
Nitesh
I did an Oracle upgrade to 12 but the Java part is still down. So what is the right connection for the Java part?
Hi Nitesh,
just for information, your blog worked like a charm 🙂
thanks a lot
Best regards
robert
Hi Nitesh,
Your blog is very informative.
I have a query. If we also have additional application servers installed along with the central instance, do we need to set the environment variables on the additional application servers as well?
Best Regards,