SAP Notes to refer to:
Note 1622837 - Secure connection of AS ABAP to Oracle via SSFS
Note 1639578 - SSFS as password storage for primary database connect
Note 1764043 - Support for secure storage in BR*Tools
which is... usr\sap\<SID>\SYS\global\security\rsecssfs\data
usr\sap\<SID>\SYS\global\security\rsecssfs\key
2. DEFAULT.PFL values that need to be set…
rsec/ssfs_datapath $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
rsec/ssfs_keypath $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
3. Environment variables must be set to make SSFS accessible to SAP tools such as R3trans and R3load. Use the SETX command at the Windows command prompt for this.
setx RSEC_SSFS_DATAPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\data
setx RSEC_SSFS_KEYPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\key
4. Defining the DB user name and password in Secure Storage: configure the DB connectivity settings with the RSECSSFX command at the command prompt.
rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain
rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_PASSWORD XXXXXXXX
After creating the entries, check both the data and key folders for their contents.
5. Secure Store encryption key change…
This can be done if additional security is required, and can be defined with…
RSECSSFX pf=<profile_path> changekey <key phrase>
6. To change the DB connectivity to the new method, define the values below…
Profile parameter : rsdb/ssfs_connect = 1
Environment variable: rsdb_ssfs_connect 1
Now, reboot the instance and check the system status. Connection status can be monitored in the work process trace file.
7. Now the old-fashioned connection pattern needs to be turned off. For this, the SAPUSER table in the OPS$<SIDADM> schema needs to be deleted.
Proceed as follows…
SQL> connect system/<pwd>
SQL> drop table ops$<sid>adm.sapuser;
8. To make BR*Tools use this SSFS feature instead of the old-fashioned OPS$<USER> mechanism, create a BR*Tools database user (for example, BRT$ADM) and assign the SAPDBA role to it.
SQL> create user brt$adm identified by XXXXX;
SQL> grant sapdba to brt$adm;
Now, the initial password shall be changed to the actual password using brconnect...
brconnect -u / -c -f chpass -o BRT$ADM -p <password> -s brtools
That's it.
Thanks... / Vamsi
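A quick way to confirm the settings from steps 2, 3 and 6 before rebooting the instance. This is an added example, not part of the original post or any SAP tool. It assumes DEFAULT.PFL uses 'name = value' lines with '#' comments and checks for exactly the values the post sets; the function names, the SID 'ABC' and drive 'D:' in the sample are made up for illustration.

```python
# Added example: audit the SSFS settings from steps 2, 3 and 6 of this post.
# Assumption: DEFAULT.PFL uses 'name = value' lines with '#' comments.
PROFILE_EXPECTED = {
    "rsec/ssfs_datapath": "$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data",
    "rsec/ssfs_keypath": "$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key",
    "rsdb/ssfs_connect": "1",
}
# Path tail each environment variable from step 3 must end with.
ENV_PATH_TAILS = {
    "RSEC_SSFS_DATAPATH": "\\security\\rsecssfs\\data",
    "RSEC_SSFS_KEYPATH": "\\security\\rsecssfs\\key",
}

def parse_profile(text):
    """Return {name: value}; a repeated name keeps the last value seen."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(profile_text, env):
    """Return a list of findings; an empty list means every setting matches."""
    findings = []
    params = parse_profile(profile_text)
    for name, want in PROFILE_EXPECTED.items():
        if params.get(name) != want:
            findings.append(f"profile: {name} is {params.get(name)!r}, expected {want!r}")
    env_ci = {k.upper(): v for k, v in env.items()}  # Windows names ignore case
    for name, tail in ENV_PATH_TAILS.items():
        got = env_ci.get(name, "")
        if not got.rstrip("\\").lower().endswith(tail):
            findings.append(f"env: {name} is {got!r}, expected a path ending in {tail!r}")
    if env_ci.get("RSDB_SSFS_CONNECT") != "1":
        findings.append("env: rsdb_ssfs_connect is not 1")
    return findings

# Constructed sample input (SID 'ABC' and drive 'D:' are placeholders).
SAMPLE_PROFILE = """\
# DEFAULT.PFL excerpt
rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
rsec/ssfs_keypath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
"""
SAMPLE_ENV = {
    "RSEC_SSFS_DATAPATH": r"D:\usr\sap\ABC\SYS\global\security\rsecssfs\data",
    "RSEC_SSFS_KEYPATH": r"D:\usr\sap\ABC\SYS\global\security\rsecssfs\key",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE, SAMPLE_ENV):
        print(finding)
```

The constructed sample deliberately omits step 6, so the audit reports the missing profile parameter and the missing environment variable.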