SSFS Implementation for Oracle Database

Former Member · ‎11-25-2013

SSFS Implementation for Oracle Database

Author(s): Nitesh Jain

Target readers

SAP Basis

Keywords

SAPUSER, ops$-User, ops$-Connect, SSFS, data protection, secure storage, Secure Connect

1. Introduction –

Prior to SSFS, the connection between the SAP system (AS ABAP) and the SAP tools that use the ABAP database interface (R3trans, R3load etc.) to the database via SQLNet (using the database alias name, for like configured in TNS) worked in such a way that an OPS$ connection (with the database user OPS$<SID>ADM) that was authorized by the operating system user sidadm was created first ( via "connect /@TNS"). With this approach access to the table OPS$<SID>ADM.SAPUSER, and to this table was only allowed. It contains the encrypted password for the actual database connection of the SAP database user (default name Schema User).

As of Oracle Release 11g, OPS$ remote connect (using the TNS alias name) is no longer supported by future Oracle versions. As of SAP Kernel release 7.20, SAP has now introduced a new method of securely storing the database password and for connecting to the database with mechanism called Secure Storage in File System (SSFS). The encrypted password for the SAP database user is then no longer stored in the database, but in the file system. With the implementation of Kernel 7.20 as a downward-compatible kernel, the new method is available in all SAP 7.x systems. Therefore it is recommended to use the new method for security reasons. For backwards compatibility, the conventional connect method continues to be supported up to Oracle version 11.2 for all SAP systems. All SAP systems as of Kernel 7.20, which use future Oracle versions after 11g, can be operated with the new method only.

The connect to the Oracle database using the OPS$ method contains a vulnerability that makes it possible for a malicious user to log on to the database as an OPS$ user without entering a password unless relevant measures are taken into consideration.

This document describes step by step procedure for implementation of SSFS (Secure Storage on File System) for Oracle Database with IBM AIX environment.

I hereby confirm that the Images/screenshots are created by me during the installation and there is no IP violation in this document.

2. Pre-Requisites –

· Following user accounts should exists:

User Accounts	Generic name
Operating system account with login (for Unix “su” command functionality)	unixacc
Operating system account with root / admin privileges UNIX : without login	saproot
SAP admin account :	sidadm
Oracle DBA account :	orasid
SAP Administrator account :	Administrator

· Minimum kernel ( 7.20 EXT with PL210)

· Above kernel requires OS AIX 6.1 ( required for Kernel 7.20 PL300 compatibility)

· Take a backup of the env scripts of sidadm, and the Default & Instance profiles.

Download Directory: /download

3. Installation Procedure –

1	Check the minimum disk space in /tmp K unixacc df -g /tmp At least 5 MB free space
2	Checking the OS version (Metalink 169706.1) K unixacc oslevel –s At least : 6100-07-03-1207
3	Check Java version (Metalink 169706.1) K unixacc lslpp -l\| grep -i java Java version 6 installed : Java6_64.sdk 6.0.0.1
4	Check the Oracle Version K orasid sqlplus / as sysdba Oracle version should be atleast 11.2.0.3
5	Check the Kernel Version K sidadm disp+work Kernel version should be atleast 720_EXT(300)
6	Backup the database K orasid brbackup -u / -c force -t online -m all -p initSID.sap -a -c force -p initSID.sap –sd
7	Stop SAP and database and SMD agents and CCMS agents K sidadm on psiddi00 stopsap ASCS00 psidcs00 stopsap DVEBMGS01 psiddi00 K sidadm on psiddi01 stopsap D01 psiddi01 K daaadm on psiddi00 stopsap SMDA97 psiddi00 K daaadm on psiddi01 stopsap SMDA97 psiddi01 K sidadm on psiddi00 sapccm4x –stop pf=SID_DVEBMGS00_psiddi00 K sidadm on psiddi01 sapccm4x –stop pf=SID_D01_psiddi01
8	Create necessary directories K sidadm cd /usr/sap/SID/SYS/global mkdir /usr/sap/SID/SYS/global/security mkdir /usr/sap/SID/SYS/global/security/rsecssfs mkdir /usr/sap/SID/SYS/global/security/rsecssfs/data mkdir /usr/sap/SID/SYS/global/security/rsecssfs/key
9	Set authorizations on Directories sidadm cd /usr/sap/SID/SYS/global chmod 700 security chmod 700 security/rsecssfs chmod 700 security/rsecssfs/data chmod 700 security/rsecssfs/key ls -alR security/rsecssfs \| grep -E 'data$\|key$'
10	Set Profile parameters Administrator / RZ10 **Take backup of DEFAULT.PFL** In the default profile, add following parameter : rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data rsec/ssfs_keypath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key rsdb/ssfs_connect = 1
11	Set environement Variables sidadm rm ._p.sh * Take backup of .sapenv.sh and .sapenv.csh ** vi .sapenv.sh At the end of the file add lines : export RSEC_SSFS_DATAPATH=/usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/data export RSEC_SSFS_KEYPATH=/usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/key rsdb_ssfs_connect=1 vi .sapenv.csh At the end of the file add lines : setenv RSEC_SSFS_DATAPATH /usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/data setenv RSEC_SSFS_KEYPATH /usr/sap/$SAPSYSTEMNAME/SYS/global/security/rsecssfs/key setenv rsdb_ssfs_connect 1 Logoff and logon again and check if parameters are activated
12	Setting up SSFS storage sidadm rsecssfx put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD *****
13	Check SSFS storage sidadm rsecssfx list \|---------------------------------------------------------------------------------\| \| Record Key \| Status \| Timestamp of last Update \| \|---------------------------------------------------------------------------------\| \| DB_CONNECT/DEFAULT_DB_PASSWORD \| Encrypted \| 2012-11-21 14:16:08 UTC \| \| DB_CONNECT/DEFAULT_DB_USER \| Plaintext \| 2012-11-21 14:15:33 UTC \| \|---------------------------------------------------------------------------------\| Summary Active Records : 2 (Encrypted : 1, Plain : 1, Wrong Key : 0, Error : 0) Datafile Location : /usr/sap/SID/SYS/global/security/rsecssfs/data/SSFS_SID.DAT (when existing) Keyfile Location : /usr/sap/SID/SYS/global/security/rsecssfs/key/SSFS_SID.KEY (when existing)
14	Set and check authorizations of the SSFS storage sidadm cd /usr/sap/SID/SYS/global/security/rsecssfs/data chmod 600 SSFS_SID.DAT
15	Start Database and Oracle listener K orasid lsnrctl start sqlplus / as sysdba SQL> startup
16	Check connection sidadm R3trans -d R3trans finished (0000). grep -E 'ssfs.*DBSL' trans.log Result : read_con_info_ssfs(): DBSL supports extended connect protocol
17	Exclude the standard SAP connect method orasid sqlplus system/**** drop table ops$sidadm.sapuser;
18	Exclude the oracle remote OPS$ connect orasid sqlplus / as sysdba alter system reset remote_os_authent scope=spfile;
19	Shutdown Database to reflect oracle parameter set in step 18 K orasid sqlplus / as sysdba SQL> startup
20	Start SAP and database and SMD agents and CCMS agents K sidadm startsap ASCS00 psidcd00 startsap DVEBMGS01 psiddi00 K sidadm on psiddi01 stopsap D01 psiddi01 K daaadm on psiddi00 startsap SMDA97 psiddi00 K daaadm on psiddi01 startsap SMDA97 psiddi01 K sidadm on psiddi00 Fsapccm4x –DCMS pf=SID_DVEBMGS01_psiddi00 K sidadm on psiddi01 Fsapccm4x –DCMS pf=SID_D01_psiddi01
21	Check the connection method Administrator -> tcode SM50 Select DIA process and see the display trace file and search for ssfs Connection method checked in SM51 read_con_info_ssfs(): DBSL supports extended connect protocol ==> connect info for default DB will be read from ssfs
22	Backup the database K orasid brbackup -u / -c force -t online -m all -p initSID.sap -a -c force -p initSID.sap –sd

5. References

https://service.sap.com/notes

1611877 Support for ABAP SSFS during database connect

1622837 New connect method of AS ABAP to Oracle via SSFS

1623922 Connect to Oracle database

1639578 SSFS as password storage for primary database connect

1678336 RSecSSFs: UTF8 conversion failed with returncode 1