Secure Storage in File System (SSFS) for SAP

As of SAP Kernel 7.20 Patch 98 we have to use the SSFS connection method for Oracle database systems, and the old method is invalid as of SAP Kernel 7.40.

To activate the SSFS connection method, use the following steps:

1 – Create the directories which are needed for the SSFS

Create the directories under $(DIR_GLOBAL)\Security

For our example system they are:

usr\sap\<SID>\SYS\global\security\rsecssfs\data

usr\sap\<SID>\SYS\global\security\rsecssfs\key

2 – Configure DEFAULT Profile

Add the following lines to the DEFAULT.PFL file:

rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data

rsec/ssfs_keypath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key

rsdb/ssfs_connect = 1

3 – Configure ENVIRONMENT VARIABLES

Add the following variables via CMD and in the Windows Environment Variables definition area for permanent assignment:

setx RSEC_SSFS_DATAPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\data

setx RSEC_SSFS_KEYPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\key

setx rsdb_ssfs_connect 1

4 – Define the username and password in “Secure Storage” with the RSECSSFX command at OS level

Execute the following commands at OS level

rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_USER <OWNER> -plain

rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_PASSWORD XXX

The entries will be created under the related directories.

5 – Turn off the old connection method by deleting the OPS$<SIDADM> schema, and create a BR*Tools database user for the new method

Delete the SAPUSER table of the OPS$<SIDADM> schema as below:

SQL> connect system/<pwd>

SQL> drop table ops$<sid>adm.sapuser;

Create the BR*Tools database user with the SAPDBA role as below:

SQL> create user SID$ADM identified by XXX;

SQL> grant sapdba to SID$ADM;

6 – Last step: assign the permanent password via the BRCONNECT tool

Change SID$ADM’s initial password via BRTOOLS

C:\> brconnect -u / -c -f chpass -o SID$ADM -p <PASSWORD> -s brtools

If you want additional security, you can change the “Secure Store Encryption Key” with the following syntax:

RSECSSFX pf=<profile_path> changekey <key phrase>
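
A consistency check for steps 2 and 3, as an added example that is not part of the original post: it parses DEFAULT.PFL text, expands the $(DIR_GLOBAL) and $(DIR_SEP) macros, and confirms that the three SSFS profile parameters agree with the environment variables. The SID ABC, drive D: and macro values are constructed sample input, the function names are hypothetical, and profile lines are assumed to use the `name = value` form.

```python
import ntpath
import re
# Profile parameter (step 2) -> environment variable (step 3)
ENV_FOR = {
    "rsec/ssfs_datapath": "RSEC_SSFS_DATAPATH",
    "rsec/ssfs_keypath": "RSEC_SSFS_KEYPATH",
    "rsdb/ssfs_connect": "rsdb_ssfs_connect",
}
# Constructed sample input: SID "ABC" on drive D: is hypothetical.
SAMPLE_MACROS = {"DIR_GLOBAL": r"D:\usr\sap\ABC\SYS\global", "DIR_SEP": "\\"}
SAMPLE_PROFILE = """\
rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
rsec/ssfs_keypath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
rsdb/ssfs_connect = 1
"""
SAMPLE_ENV = {
    "RSEC_SSFS_DATAPATH": r"D:\usr\sap\ABC\SYS\global\security\rsecssfs\data",
    "RSEC_SSFS_KEYPATH": r"D:\usr\sap\ABC\SYS\global\security\rsecssfs\key",
    "rsdb_ssfs_connect": "1",
}

def parse_profile(text):
    """Return {parameter: raw value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def expand(value, macros):  # expand $(NAME); unknown macros stay as written
    return re.sub(r"\$\(([^)]+)\)", lambda m: macros.get(m.group(1), m.group(0)), value)

def norm(path):  # Windows paths: ignore case and trailing separators
    return ntpath.normcase(ntpath.normpath(path))

def check_ssfs(profile_text, env, macros):
    """Return a list of findings; an empty list means steps 2 and 3 agree."""
    params, findings = parse_profile(profile_text), []
    for name, env_name in ENV_FOR.items():
        if name not in params:
            findings.append(f"{name}: missing from profile")
        elif env_name not in env:
            findings.append(f"{env_name}: environment variable not set")
        elif norm(env[env_name]) != norm(expand(params[name], macros)):
            findings.append(f"{env_name}: {env[env_name]!r} differs from the profile value")
    if params.get("rsdb/ssfs_connect", "1") != "1":
        findings.append("rsdb/ssfs_connect: must be 1 for the SSFS connect method")
    return findings
```

On the server, pass `os.environ` as `env` from a newly opened session, since values written with `setx` are only visible to processes started afterwards.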

 

 

 

 
