
The following SAP Notes must be referred to:

  Note 1622837 - Secure connection of AS ABAP to Oracle via SSFS

  Note 1639578 - SSFS as password storage for primary database connect

  Note 1764043 - Support for secure storage in BR*Tools


  1. SSFS activation: Directories need to be created under $(DIR_GLOBAL)\security, which is...

          usr\sap\<SID>\SYS\global\security\rsecssfs\data

          usr\sap\<SID>\SYS\global\security\rsecssfs\key

  2.   DEFAULT.PFL values that need to be set…

          rsec/ssfs_datapath        $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data

          rsec/ssfs_keypath       $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key

3.  Environment variables need to be set to make SSFS accessible to SAP tools such as R3trans and R3load. Use the SETX command at the Windows command prompt for this.

          setx RSEC_SSFS_DATAPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\data

          setx RSEC_SSFS_KEYPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\key

4.  Defining the DB user name and password in Secure Storage: DB connectivity settings should be configured with the RSECSSFX command at the command prompt.

          rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain

          rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_PASSWORD XXXXXXXX

  After creating the entries, check that both the data and key folders have contents.

5.  Secure Store encryption key change…

This can be done if additional security is required, and can be defined with

RSECSSFX pf=<profile_path> changekey <key phrase>

6.  To switch the DB connectivity to the new method, define the values below…

Profile parameter : rsdb/ssfs_connect = 1

Environment variable:  rsdb_ssfs_connect 1

Now, reboot the instance and check the system status. Connection status can be monitored in the work process trace file.

7.  Now the old-fashioned connection method needs to be turned off. For this, the SAPUSER table in the OPS$<SIDADM> schema needs to be deleted.

      Proceed as follows…

SQL> connect system/<pwd>

SQL> drop table ops$<sid>adm.sapuser;


8.  To make BR*Tools use this SSFS feature instead of the old-fashioned OPS$<USER> mechanism, create a BR*Tools database user (for example, BRT$ADM) and assign the SAPDBA role to it.

SQL> create user brt$adm identified by XXXXX;

SQL> grant sapdba to brt$adm;


Now, the initial password shall be changed to the actual password using brconnect...


      brconnect -u / -c -f chpass -o BRT$ADM -p <password> -s brtools

That's it.

Thanks... / Vamsi
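
A pre-check that could be run after step 6 and before the SAPUSER table is dropped in step 7, added here as an example (it is not part of the original post or of any SAP tool). It confirms that the profile parameters and environment variables from steps 2, 3 and 6 are set, agree with each other, and point to directories that have contents. It assumes `name = value` profile lines and that the caller supplies the values of the `$(DIR_GLOBAL)` and `$(DIR_SEP)` macros; `parse_profile`, `expand` and `preflight` are hypothetical helper names.

```python
import os
import re

PROFILE_TO_ENV = {  # profile parameter -> environment variable (steps 2, 3 and 6)
    "rsec/ssfs_datapath": "RSEC_SSFS_DATAPATH",
    "rsec/ssfs_keypath": "RSEC_SSFS_KEYPATH",
    "rsdb/ssfs_connect": "rsdb_ssfs_connect",
}

def parse_profile(text):
    """Parse 'name = value' profile lines (assumed format), skipping '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def expand(value, macros):
    """Expand $(NAME) profile macros; macros the caller did not supply stay as-is."""
    return re.sub(r"\$\((\w+)\)", lambda m: macros.get(m.group(1), m.group(0)), value)

def preflight(profile_text, env, macros):
    """Return findings for steps 1-6; an empty list means nothing was found."""
    findings = []
    params = parse_profile(profile_text)
    env = {k.upper(): v for k, v in env.items()}  # Windows variable names ignore case
    for param, var in PROFILE_TO_ENV.items():
        p_val, e_val = params.get(param), env.get(var.upper())
        if p_val is None:
            findings.append(f"profile parameter {param} is not set")
        if e_val is None:
            findings.append(f"environment variable {var} is not set")
        if p_val is None or e_val is None:
            continue
        if param == "rsdb/ssfs_connect":
            if p_val != "1" or e_val != "1":
                findings.append("rsdb/ssfs_connect is not 1 in both profile and environment")
            continue
        p_dir = os.path.normpath(expand(p_val, macros))
        if os.path.normcase(p_dir) != os.path.normcase(os.path.normpath(e_val)):
            findings.append(f"{param} and {var} point to different directories")
        elif not os.path.isdir(p_dir) or not os.listdir(p_dir):
            findings.append(f"{p_dir} is missing or empty")
    return findings

if __name__ == "__main__":  # constructed input: one parameter set, empty environment
    print("\n".join(preflight("rsdb/ssfs_connect = 1\n", {}, {})))
```

On a real system, pass the text of DEFAULT.PFL, `dict(os.environ)` from a new session of the `<sid>adm` user, and the resolved global directory as `DIR_GLOBAL`.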

