
Purpose:

This document discusses some potential issues around expiring database user passwords and how to recover when an expiration occurs.

 

Background:

Typically your DBMS sets an expiration term for the passwords of users created in the database. This is a security consideration, and any modification of this behavior needs to be discussed with and approved by the Database Administrator and/or the Network Security team. For SAP Sourcing to connect to the database, a user and password are created for the empty schema. If this password were to expire without anyone noticing, the system would become unavailable because connectivity to the database would be lost. If the password is changed, there are two locations where the database connection information needs to be maintained:

a.      In the fcisystem.properties file

b.      Within Netweaver properties.

Initially, when the system was created, the Configure utility was used to construct the JDBC connection information. This includes the DBMS host and port information as well as the Username, Password and Owner for the schema. This information is then written to the fcisystem.properties file located in the <SOURCING_HOME>\config directory, where it is used by the DBIMPORT utility to connect to the database. When the SCA file is deployed on Netweaver, the information is then written to Netweaver Properties for use on startup.

 

Figure 1. Properties configuration information in fcisystem.properties file

Figure 2. Properties in Netweaver for Database connection

 

An alternative to this maintenance activity would be to use something other than the default profile and to allow this profile to have a non-expiring password. Please keep in mind that this is not recommended, as it is not a best practice in database security.

 

In the Oracle case, applying the following SQL command as an admin user will allow the specified profile (and the users assigned to it) to have a non-expiring password:

    SQL> ALTER PROFILE <profile name> LIMIT PASSWORD_LIFE_TIME UNLIMITED;
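
To see which profile and password lifetime currently apply to the SAP Sourcing schema user, and how long remains before the password expires, an admin user can query the Oracle data dictionary. This is an added example, not part of the original document; SOURCING_USER is a placeholder for the actual schema user name.

```sql
-- Added example: password-expiry status for the SAP Sourcing schema user.
-- SOURCING_USER is a placeholder; substitute the real schema user name.
-- Run as an admin user with access to DBA_USERS and DBA_PROFILES.
SELECT u.username,
       u.account_status,                          -- e.g. OPEN, EXPIRED(GRACE), EXPIRED
       u.profile,
       p.limit                        AS password_life_time,  -- days, UNLIMITED, or DEFAULT
       u.expiry_date,
       ROUND(u.expiry_date - SYSDATE) AS days_until_expiry    -- negative once expired
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile       = u.profile
       AND p.resource_name = 'PASSWORD_LIFE_TIME'
WHERE  u.username = 'SOURCING_USER';
```

A password_life_time of DEFAULT means the profile inherits the value set on the DEFAULT profile. After a password reset, the same query should show the account_status as OPEN.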

Procedure:

In the event the SAP Sourcing user password has expired, the following would be detected in the system log (Oracle case):

attempted connection to System Database [jdbc:oracle:thin:@somehost:1527:ABC(source/source)]:0 failed. Reason: ORA-28001: the password has expired

To remedy this, perform the following steps:

1. Shut down the SAP Sourcing application.

2. Using the pertinent DBMS admin tool, reset the SAP Sourcing user password.

3. Verify the user is now able to log in to the DBMS.

4. In the <SOURCING_HOME>\bin directory, execute configure.exe (Windows) or the appropriate configureXXXX.bin (various Unix/Linux versions). Selecting the database connection option, reset the password information and rebuild the SCA file.

5. You can either undeploy and redeploy the Sourcing application or update the password directly in Netweaver using configtool.

6. In Configtool navigate to:

   Instance-->applications-->sap.com-->E-Sourcing-Server

7. Update the esodb.password value with the new password by setting a custom value.

8. Save the changes and follow the indicated restart information (typically a cluster restart).

9. Check the Sourcing startup logs and verify the connection information was updated properly.

 

The application is now ready to be used.
