Technology Blogs by Members
Former Member

Note 1622837 - Secure connection of AS ABAP to Oracle via SSFS

Note 1639578 - SSFS as password storage for primary database connect

----------------------------------------------------------------------
2.  Preparing and securing the file system
----------------------------------------------------------------------
In general, we recommend storing the secure storage in the file system and the optional external encryption key on SAPGLOBALHOST under $(DIR_GLOBAL)/security/rsecssfs/data and $(DIR_GLOBAL)/security/rsecssfs/key respectively. These directories must be secured as described in the following steps, because anyone who can read the data file can obtain the database connect information.

----------------------------------------------------------------------
2.1 Creating the directories
----------------------------------------------------------------------
Determine the value for DIR_GLOBAL (for example, from transaction AL11) on SAPGLOBALHOST. Replace $(DIR_GLOBAL) in the following description with the determined value <dir_global>. Create the directories <dir_global>/security/rsecssfs/data and <dir_global>/security/rsecssfs/key if they do not already exist.

----------------------------------------------------------------------
2.2 Securing the directories created
----------------------------------------------------------------------
In the following, make the directories that were created in step 2.1 available exclusively to the users of the SAP system <sid>.
On Linux and UNIX, this is the user <sid>adm. On Windows, all relevant users are merged into the groups SAP_<sid>_LocalAdmin and SAP_<sid>_GlobalAdmin.
In particular, users and groups that are shared across SAP systems must not have any permissions in these directories. On UNIX and Linux the group sapsys is typically shared by all <sid>adm users on a host, which is why the directories carry no group or other bits at all (mode 0700, drwx------), as in the listing below.

texadm@saptex:/usr/sap/TEX/SYS/global/security/rsecssfs>ls -lart /usr/sap/TEX/SYS/global/security/rsecssfs
total 16
drwx------. 5 texadm sapsys 4096 Sep  5 16:09 ..
drwx------. 2 texadm sapsys 4096 Sep  5 16:09 key
drwx------. 4 texadm sapsys 4096 Sep  5 16:09 .
drwx------. 2 texadm sapsys 4096 Sep  6 11:40 data
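Steps 2.1 and 2.2 (and the chmod 600 of the data file in step 5.2) can be scripted and, more importantly, re-checked. The following POSIX shell script is an added example and is not part of the SAP note or the author's system; it assumes the DIR_GLOBAL value of the TEX system shown on this page as a default and only touches the real file system when SSFS_APPLY=1 is set. The check function fails on any directory that is not mode 0700 and owned by the calling user, and on any file below the directories that is not mode 0600, which is exactly the state the listings in steps 2.2 and 5.2 show after the correction.

```shell
#!/bin/sh
# Added example (not from the SAP note): create the SSFS directories (step 2.1),
# lock them down to <sid>adm (step 2.2) and check the data file mode (step 5.2).
# Assumption: the default DIR_GLOBAL is the value of the TEX system on this page;
# on your system take it from transaction AL11 or the profile.
DIR_GLOBAL="${DIR_GLOBAL:-/usr/sap/TEX/SYS/global}"

# ssfs_create_dirs BASE: create BASE/data and BASE/key with mode 0700.
# umask 077 ensures the directories never exist with group/other bits, not even briefly.
ssfs_create_dirs() {
    base=$1
    (umask 077 && mkdir -p "$base/data" "$base/key") || return 1
    chmod 700 "$base" "$base/data" "$base/key"
}

# ssfs_check_perms BASE: succeed only if BASE, BASE/data and BASE/key are mode 0700
# and owned by the calling user (<sid>adm), and every file below them
# (SSFS_<sid>.DAT, SSFS_<sid>.KEY) is mode 0600. Offending paths go to stderr.
ssfs_check_perms() {
    base=$1
    me=$(id -un)
    rc=0
    for d in "$base" "$base/data" "$base/key"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d" >&2; rc=1; continue
        fi
        # -prune stops find from descending, so the tests apply to $d itself only
        if [ -z "$(find "$d" -prune -type d -perm 700 -user "$me" -print)" ]; then
            echo "not mode 0700 owned by $me: $d" >&2; rc=1
        fi
    done
    bad=$(find "$base" -type f ! -perm 600 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "files not mode 0600:" >&2; printf '%s\n' "$bad" >&2; rc=1
    fi
    return $rc
}

# ssfs_fix_file_perms BASE: the chmod 600 from step 5.2, applied to every file below BASE.
ssfs_fix_file_perms() {
    find "$1" -type f -exec chmod 600 {} +
}

# Only touches the real system when run as: SSFS_APPLY=1 sh ssfs_dirs.sh
if [ "${SSFS_APPLY:-0}" = 1 ]; then
    ssfs_create_dirs "$DIR_GLOBAL/security/rsecssfs" &&
    ssfs_check_perms "$DIR_GLOBAL/security/rsecssfs"
fi
```

Run the check function again after the first `rsecssfx put` (step 5.2): the kernel creates SSFS_<sid>.DAT with the default umask of <sid>adm, which in the author's listing produced a world-readable 0644 file.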

----------------------------------------------------------------------
3.  Maintaining the SSFS profile parameters
----------------------------------------------------------------------
Set the following profile parameters that point to the previously created directories as the location for the secure storage and the external key. We recommend that you add the parameters to the default profile DEFAULT.PFL. Otherwise, you must maintain all of the instance profiles. Add the following entries:

    rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
    rsec/ssfs_keypath  = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key

----------------------------------------------------------------------
4.  Maintaining the SSFS environment variable
----------------------------------------------------------------------
The profile parameters rsec/ssfs_datapath and rsec/ssfs_keypath are interpreted only by the SAP system. They do not apply to the SAP tools R3trans, R3load, and so on. For these, you must set a corresponding environment variable on each application server, including the central instance. Depending on the operating system, proceed as follows:

----------------------------------------------------------------------
Application server on UNIX and Linux
----------------------------------------------------------------------
For this, first determine the value <dir_global> for DIR_GLOBAL on the relevant application server (for example, using transaction AL11). Then add the following lines to the logon script for <sid>adm on this application server:

  • For C shell scripts:

    setenv RSEC_SSFS_DATAPATH <dir_global>/security/rsecssfs/data
    setenv RSEC_SSFS_KEYPATH <dir_global>/security/rsecssfs/key
  • For Korn shell scripts:

    export RSEC_SSFS_DATAPATH=<dir_global>/security/rsecssfs/data
    export RSEC_SSFS_KEYPATH=<dir_global>/security/rsecssfs/key

texadm@saptex:/usr/sap/texadm>grep RSEC $HOME/.profile
export RSEC_SSFS_DATAPATH=/usr/sap/TEX/SYS/global/security/rsecssfs/data
export RSEC_SSFS_KEYPATH=/usr/sap/TEX/SYS/global/security/rsecssfs/key

----------------------------------------------------------------------
5.  Setting up the SSFS data storage and checking the access rights
----------------------------------------------------------------------

----------------------------------------------------------------------
5.1 Setting up the SSFS storage
----------------------------------------------------------------------
In the following, you must fill the secure storage in the file system with the required access information for the ABAP database user. This information consists at least of the name of the ABAP database user and the password of this user.
In some database types, you must also make specifications about the target database. In all other cases, this information is still derived from the SAP profile.

Note that the record keys in the secure storage are case-sensitive.

  • DB_CONNECT/DEFAULT_DB_USER
    ABAP database connect user (usually "SAPSR3")
    The storage in the secure storage should take place in an unencrypted manner for Support reasons.
  • DB_CONNECT/DEFAULT_DB_PASSWORD
    Password of the ABAP database user
    The storage in the secure storage takes place in an encrypted manner.
  • DB_CONNECT/DEFAULT_DB_CON_ENV
    Specifications about the ABAP target database
    The storage in the secure storage takes place in an unencrypted manner. This parameter is currently required for the SAP HANA database only.

 
Refer to the relevant platform note for the name of the database connect user, for the information about whether the parameter DB_CONNECT/DEFAULT_DB_CON_ENV is required, and its exact format, if required.

Proceed as follows: 

  • Log on to SAPGLOBALHOST as the <sid>adm user.
  • Make sure that the environment variables RSEC_SSFS_DATAPATH and RSEC_SSFS_KEYPATH are set.
texadm@saptex:/usr/sap/texadm>env | grep RSEC
RSEC_SSFS_DATAPATH=/usr/sap/TEX/SYS/global/security/rsecssfs/data
RSEC_SSFS_KEYPATH=/usr/sap/TEX/SYS/global/security/rsecssfs/key

  • Use the command line tool of the secure storage, rsecssfx, from the SAP kernel to add entries for the user <name> and the password <pwd>, and any information about the target database, as follows:

    rsecssfx put DB_CONNECT/DEFAULT_DB_USER <name> -plain
    rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD <pwd>

texadm@saptex:/usr/sap/texadm>rsecssfx put DB_CONNECT/DEFAULT_DB_USER  SAPSR3 -plain
texadm@saptex:/usr/sap/texadm>rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD Kart0on1

    Note that a password passed as a command line argument like this is written to the shell history file of <sid>adm and is visible in the process list while the command runs. Remove the entry from the history file after the put and treat a password that was used in a demonstration or shared session as exposed.

    If required, also use:

    rsecssfx put DB_CONNECT/DEFAULT_DB_CON_ENV <con_env> -plain

    Note the following: In non-Unicode systems, only characters from the 7-bit ASCII range are permitted. To avoid code page problems, we generally recommend that you adhere to this rule in Unicode systems as well. If you want to use other characters in Unicode systems, you must first convert them using the ABAP report RSECSSFX_ESCAPE into characters that rsecssfx can process.

  • Check the content of the secure storage as follows:

    rsecssfx list

   

texadm@saptex:/usr/sap/texadm>rsecssfx list
|---------------------------------------------------------------------------------|
| Record Key                     | Status             | Timestamp of last Update  |
|---------------------------------------------------------------------------------|
| DB_CONNECT/DEFAULT_DB_PASSWORD | Encrypted          | 2013-09-10  09:52:11 UTC |
| DB_CONNECT/DEFAULT_DB_USER     | Plaintext          | 2013-09-10  09:51:43 UTC |
|---------------------------------------------------------------------------------|

Summary
-------
Active Records    : 2 (Encrypted : 1, Plain : 1, Wrong Key : 0, Error : 0)
Outdated Records  : 4 (occupied space can be released by the "compact" command)
Datafile Location : /usr/sap/TEX/SYS/global/security/rsecssfs/data/SSFS_TEX.DAT (when existing)
Keyfile Location  : /usr/sap/TEX/SYS/global/security/rsecssfs/key/SSFS_TEX.KEY (when existing)

           Refer to the command line help for further commands for the administration of the secure storage:

rsecssfx help


----------------------------------------------------------------------
5.2 Setting and checking the authorization of the SSFS data storage
----------------------------------------------------------------------
The first call of "rsecssfx put" also creates the data storage of the secure storage. The directory $(DIR_GLOBAL)/security/rsecssfs/data should now contain the file SSFS_<sid>.DAT. As the listing below shows, the file is created with the default umask of <sid>adm, here 0644, so it is readable by every user on the host until step 5.2 is completed.

texadm@saptex:/usr/sap/texadm>ls -lart /usr/sap/TEX/SYS/global/security/rsecssfs/*/
/usr/sap/TEX/SYS/global/security/rsecssfs/key/:
total 8
drwx------. 4 texadm sapsys 4096 Sep  5 16:09 ..
drwx------. 2 texadm sapsys 4096 Sep  5 16:09 .

/usr/sap/TEX/SYS/global/security/rsecssfs/data/:
total 12
drwx------. 4 texadm sapsys 4096 Sep  5 16:09 ..
-rw-r--r--. 1 texadm sapsys 1458 Sep 10 11:52 SSFS_TEX.DAT
drwx------. 2 texadm sapsys 4096 Sep 10 11:52 .


----------------------------------------------------------------------
SAPGLOBALHOST on Windows
----------------------------------------------------------------------
If your SAPGLOBALHOST runs on Windows, no action is required because the access rights are inherited from the directory when the file is created.

----------------------------------------------------------------------
SAPGLOBALHOST on UNIX or Linux
----------------------------------------------------------------------
Otherwise, you must correct the access rights for the file in the same way as in step 2.2, so that only <sid>adm is authorized:

  • chmod 600 <dir_global>/security/rsecssfs/data/SSFS_<sid>.DAT

For security reasons, also check the access rights here using "ls -al". The expected result is:

    -rw------- <sid>adm  sapsys  SSFS_<sid>.DAT

texadm@saptex:/usr/sap/texadm>chmod 600 /usr/sap/TEX/SYS/global/security/rsecssfs/data/SSFS_TEX.DAT
texadm@saptex:/usr/sap/texadm>ls -lart /usr/sap/TEX/SYS/global/security/rsecssfs/data/
total 12
drwx------. 4 texadm sapsys 4096 Sep  5 16:09 ..
-rw-------. 1 texadm sapsys 1458 Sep 10 11:52 SSFS_TEX.DAT
drwx------. 2 texadm sapsys 4096 Sep 10 11:52 .

----------------------------------------------------------------------
7.  Changing to the new connection method
----------------------------------------------------------------------
----------------------------------------------------------------------
7.1 Setting the required parameters
----------------------------------------------------------------------
If you have executed all of the previous steps correctly, the SAP system should now be able to retrieve the password information that is required for the connection to the primary ABAP database from the secure storage in the file system. However, the conventional password storage is consulted by default.

The changeover to the new method now takes place due to a further profile parameter or a further environment variable. Proceed in the same way as described in step 3 and 4 to set the profile parameter (on SAPGLOBALHOST) and the environment variable (for all of the application servers).

  • Profile parameter: rsdb/ssfs_connect = 1
  • Environment variable: rsdb_ssfs_connect=1

texadm@saptex:/usr/sap/texadm>env | grep rsdb
rsdb_ssfs_connect=1

texadm@saptex:/usr/sap/texadm>grep rsdb_ssfs_connect .*
.sapenv.csh:setenv rsdb_ssfs_connect 1
.sapenv_saptex.csh:setenv rsdb_ssfs_connect 1
.sapenv_saptex.sh:rsdb_ssfs_connect=1; export rsdb_ssfs_connect
.sapenv.sh:rsdb_ssfs_connect=1; export rsdb_ssfs_connect


(To use the conventional storage, you must set the values of the profile parameter and environment variable to the value '0'. This corresponds to the default.)


----------------------------------------------------------------------
7.2 Checking the successful changeover
----------------------------------------------------------------------
Restart the SAP system and check whether the connect was successful. If the changeover was successful, the developer trace of the work processes (dev_w*, which you can display from SM50) should contain the following entry:

    B read_con_info_ssfs(): DBSL supports extended connect protocol
    B   ==> connect info for default DB will be read from ssfs


Check this for all of the application servers.

In addition, make sure that the SAP tools are still able to connect to the database. To do this, perform an R3trans testconnect on the application servers as <sid>adm.
R3trans -d

If R3trans was able to connect to the database successfully, the message "R3trans finished (0000)." should be displayed. You must now also check trans.log in the current directory for the following entry:

B read_con_info_ssfs(): DBSL supports extended connect protocol
B   ==> connect info for default DB will be read from ssfs
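The two checks in this section and in step 5.1 (is the password record stored encrypted, and do the traces show the SSFS connect) are worth scripting so that they can be repeated on every application server. The following shell script is an added example and is not part of the SAP note or the author's system. The two samples embedded in it are constructed for the example: the list sample copies the shape of the `rsecssfx list` output shown in step 5.1, and the trace sample contains the two changeover lines from this section plus the "using default key" line that appears in the author's trans.log in section 8. On a real system you would pipe `rsecssfx list` and `trans.log` (or dev_w*) into the functions instead.

```shell
#!/bin/sh
# Added example (not from the SAP note): verify the SSFS changeover from the
# outputs of "rsecssfx list" and "R3trans -d" (trans.log / dev_w* traces).

# Constructed sample of "rsecssfx list" output, modelled on the listing in step 5.1.
SAMPLE_LIST='| DB_CONNECT/DEFAULT_DB_PASSWORD | Encrypted          | 2013-09-10  09:52:11 UTC |
| DB_CONNECT/DEFAULT_DB_USER     | Plaintext          | 2013-09-10  09:51:43 UTC |
Active Records    : 2 (Encrypted : 1, Plain : 1, Wrong Key : 0, Error : 0)'

# Constructed sample of trace lines; the text of each line is taken from this page.
SAMPLE_TRACE='B read_con_info_ssfs(): DBSL supports extended connect protocol
B   ==> connect info for default DB will be read from ssfs
4 ETW000  [     dev trc,00000]  RSecSSFs: Key file "/usr/sap/TEX/SYS/global/security/rsecssfs/key/SSFS_TEX.KEY" not found, using default key [...]'

# ssfs_list_ok: stdin = "rsecssfx list" output. Succeeds only if the password record
# exists and is stored Encrypted, the user record exists, and the summary reports
# no "Wrong Key" or "Error" records (a wrong key means a key file was replaced or lost).
ssfs_list_ok() {
    input=$(cat)
    printf '%s\n' "$input" | grep -q '^| DB_CONNECT/DEFAULT_DB_PASSWORD *| Encrypted' || return 1
    printf '%s\n' "$input" | grep -q '^| DB_CONNECT/DEFAULT_DB_USER *|' || return 1
    printf '%s\n' "$input" | grep -q 'Wrong Key : 0, Error : 0'
}

# trace_ssfs_ok: stdin = trans.log or a dev_w* trace. Succeeds only if both lines that
# mark the SSFS connect are present, i.e. the connect info was really read from the SSFS.
trace_ssfs_ok() {
    input=$(cat)
    printf '%s\n' "$input" | grep -q 'read_con_info_ssfs(): DBSL supports extended connect protocol' || return 1
    printf '%s\n' "$input" | grep -q 'connect info for default DB will be read from ssfs' || return 1
    if printf '%s\n' "$input" | grep -q 'not found, using default key'; then
        # Encryption with the kernel's built-in default key: confidentiality of the
        # password then rests only on the file mode of SSFS_<sid>.DAT.
        echo 'WARNING: no SSFS key file, kernel default key in use' >&2
    fi
    return 0
}

# trace_uses_default_key: stdin = trace. Succeeds if the kernel fell back to the default key.
trace_uses_default_key() {
    grep -q 'not found, using default key'
}

# Usage on a real application server (as <sid>adm), e.g.:
#   rsecssfx list | ssfs_list_ok && R3trans -d >/dev/null && trace_ssfs_ok < trans.log
```

A non-zero exit from either function on one application server means that server is still using the conventional storage or cannot reach the SSFS, so do not proceed to section 8 until every server passes.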



----------------------------------------------------------------------
8.  Removing the user data from the platform-specific storage
----------------------------------------------------------------------
After you make sure that the SAP system and its tools are able to retrieve the password information that is required for the initial connect to the ABAP database from the secure storage, you should remove the old platform-specific password storage. Otherwise, you will not benefit from the potential security-relevant improvements in comparison with the old method.

To do this, follow the instructions in the relevant platform notes.

For Oracle, this means removing the OPS$ based connect, which relied on the database parameter remote_os_authent. The reset below is made with scope=spfile, so it takes effect only after the next restart of the database instance; run the R3trans test again afterwards.

SQL> show parameter remote_os_authent

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_os_authent                    boolean     TRUE

SQL> alter system reset remote_os_authent scope=spfile;

System altered.

R3trans -d

cat trans.log:

4 ETW000  [     dev trc,00000]  RSecSSFs: Entering function "RSecSSFsGetRecord" [/bas/740_REL/src/krn/rsec/rsecssfs.c 874]
4 ETW000                                                                                                  83  0.021348
4 ETW000  [     dev trc,00000]  RSecSSFs: Configuration data read from environment parameters [/bas/740_REL/src/krn/rsec/rsecssfs.c 4448]
4 ETW000                                                                                               40479  0.061827
4 ETW000  [     dev trc,00000]  RSecSSFs: Data file "/usr/sap/TEX/SYS/global/security/rsecssfs/data/SSFS_TEX.DAT" opened for read [/bas/740_REL/src/krn/rsec/rsecssfs.c 2563]
4 ETW000                                                                                                  83  0.061910
4 ETW000  [     dev trc,00000]  RSecSSFs: Key file "/usr/sap/TEX/SYS/global/security/rsecssfs/key/SSFS_TEX.KEY" not found, using default key [/bas/740_REL/src/krn/rsec/rsecssfs.c 1426]
4 ETW000                                                                                                  36  0.061946
4 ETW000  [     dev trc,00000]  RSecSSFs: Exiting function "RSecSSFsGetRecord" with return code 0 (message: <No message available>) [/bas/740_REL/src/krn/rsec/rsecssfs.c 942]
4 ETW000                                                                                                 354  0.062300
4 ETW000  [     dev trc,00000]  read_ssfs_record(): DB_CONNECT/DEFAULT_DB_USER read successfully from ssfs

Note the line "Key file ... SSFS_TEX.KEY not found, using default key": the key directory of this system is still empty, so the password record is encrypted with the key built into the SAP kernel, which is the same on every installation. In that state the "Encrypted" status reported by rsecssfx list protects against casual reading only, and the confidentiality of the database password rests entirely on the 0600 mode of SSFS_<sid>.DAT and the 0700 mode of its directory. Creating an individual key file under rsec/ssfs_keypath (see "rsecssfx help" for the key administration commands of your kernel) closes this gap; keep the key directory as tightly protected as the data directory, since anyone holding both files can decrypt the record.
