During an EHP7 upgrade of an ERP6.0 system (Windows 2008 – Oracle 11G), an error occurred during the preparation phase (PREP_INPUT):

*** ERROR => Connect via SAPUSER not supported for kernel >= 740

According to note 1904826 – Upgrade error “Connect via SAPUSER not supported for kernel >= 740”, we configured Oracle with the new security concept. As described in that note, the reason is the change from the SAPUSER mechanism to SSFS.

Other useful notes for the troubleshooting:

1622837 – Secure connection of AS ABAP to Oracle via SSFS

1639578 – SSFS as password storage for primary database connect

Here are the steps for this configuration:

1) As user <sid>adm, create the rsecssfs directory with two subdirectories, data and key:

F:\usr\sap\<SID>\SYS\global\security>mkdir rsecssfs

F:\usr\sap\<SID>\SYS\global\security>cd rsecssfs

F:\usr\sap\<SID>\SYS\global\security\rsecssfs>mkdir data

F:\usr\sap\<SID>\SYS\global\security\rsecssfs>mkdir key

2) Directory authorizations should look like this:

[Screenshot: directory authorizations]

3) Enter the following parameters in the DEFAULT.PFL profile file:

############1639578 – SSFS as password storage for primary database connect#######

rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data

rsec/ssfs_keypath  = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key

rsdb/ssfs_connect = 1

############1639578 – SSFS as password storage for primary database connect#######

4) As <sid>adm, create these environment variables:

F:\usr\sap\<SID>\SYS\global\security\rsecssfs>setx RSEC_SSFS_DATAPATH F:\usr\sap\<SID>\SYS\global\security\rsecssfs\data

SUCCESS: Specified value was saved.

F:\usr\sap\<SID>\SYS\global\security\rsecssfs>setx RSEC_SSFS_KEYPATH F:\usr\sap\<SID>\SYS\global\security\rsecssfs\key

SUCCESS: Specified value was saved.


5) Create the SSFS_<SID>.DAT file under the “data” folder with these rsecssfx commands:

F:\usr\sap\<SID>\SYS\global\security\rsecssfs>rsecssfx put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain pf=F:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL

F:\usr\sap\<SID>\SYS\global\security\rsecssfs>rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD ***** pf=F:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL


6) Optionally, this extra security option can be activated as well. This ext_key encrypts the file.

rsecssfx changekey <ext_key> pf=F:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL

7) Activate the new SSFS security concept as <sid>adm:

F:\usr\sap\<SID>\SYS\global\security\rsecssfs>setx rsdb_ssfs_connect 1

SUCCESS: Specified value was saved.

8) Reboot Windows and, of course, SAP. Then you can test the DB connection with the “R3trans -d” command.

9) Once you are sure that SAP connects to the DB with the SSFS concept, you can delete the old concept's username and password with BRTools, per note 1622837 (3rd step in that note).
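
As an added example (not part of the original post and not an SAP tool), the following Python check verifies that the values from steps 3, 4 and 7 agree: each DEFAULT.PFL parameter must resolve to the same value as its environment variable. The SID ABC, the DIR_GLOBAL value, the sample profile text and the function names are assumptions constructed for the example.

```python
import ntpath
import re

# Profile parameter -> environment variable that must carry the same value
# (pairs taken from steps 3, 4 and 7 of this post).
PAIRS = {
    "rsec/ssfs_datapath": "RSEC_SSFS_DATAPATH",
    "rsec/ssfs_keypath": "RSEC_SSFS_KEYPATH",
    "rsdb/ssfs_connect": "rsdb_ssfs_connect",
}

# Constructed sample input: profile lines from step 3, placeholder SID "ABC".
SAMPLE_PROFILE = r"""
rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
rsec/ssfs_keypath  = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
rsdb/ssfs_connect = 1
"""
SAMPLE_MACROS = {"DIR_GLOBAL": r"F:\usr\sap\ABC\SYS\global", "DIR_SEP": "\\"}

def parse_profile(text, macros):
    """Parse 'name = value' lines, skip # comments, expand $(MACRO) references."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        # Unknown macros are left in place so they show up in the findings.
        params[name] = re.sub(r"\$\((\w+)\)",
                              lambda m: macros.get(m.group(1), m.group(0)), value)
    return params

def norm(value):
    """Compare Windows paths case-insensitively, ignoring trailing separators."""
    return ntpath.normcase(ntpath.normpath(value))

def check(profile_text, env, macros):
    """Return a list of findings; an empty list means profile and environment agree."""
    params = parse_profile(profile_text, macros)
    env = {k.upper(): v for k, v in env.items()}  # Windows variable names ignore case
    findings = []
    for param, var in PAIRS.items():
        if param not in params:
            findings.append(f"{param} missing from profile")
        elif var.upper() not in env:
            findings.append(f"{var} not set in environment")
        elif norm(params[param]) != norm(env[var.upper()]):
            findings.append(f"{param}={params[param]!r} differs from {var}={env[var.upper()]!r}")
    return findings
```

On the real system, pass the contents of DEFAULT.PFL and dict(os.environ) from a new <sid>adm session, since values written with setx are only visible to sessions started afterwards.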

Thank you.
