SAP Note 1764043 - Support for secure storage in BR*Tools
Note Language: English
Version: 18
Validity: Valid Since 09.04.2013
Summary

Symptom
To improve the security of database connections, SAP Kernel 7.20, Patch Level 100 introduces a new method for securely saving the SAP database user and the SAP database password. This method stores the data for the connection to the database in a Secure Storage in File System (SSFS). For more information, see SAP Notes 1622837 and 1639578.

Until now, you have used the BRCONNECT function "chpass" to change the password of the SAP database user. This function changed the password of the ABAP schema simultaneously in the Oracle dictionary and in the SAP database password storage (table SAPUSER). After the introduction of the secure storage, the "chpass" function should be able to change the logon data in this new storage instead of in SAPUSER.

The password of the Java schema has always been saved in a separate secure storage. The BRCONNECT function was able to change the Java password in the database only. A corresponding update of the Java secure storage was not available and had to be carried out separately using the SAP J2EE configuration tool.
Other terms
BR*Tools, secure storage, Secure Storage in File System, SSFS

Reason and Prerequisites
This is an advance development. The prerequisite for the use of the Secure Storage for the ABAP schema is described in SAP Notes 1622837 and 1639578. The configuration and the maintenance of the secure storage for Java is explained in the SAP J2EE administration documentation.
Solution
The new option "-s|-secstore" has been added to the BRCONNECT function "chpass". With this option, the specified password is stored in the secure storage.

  -s|-secstore abap|abapshd|java|javashd|brtools|none

Where:
  abap     - for SAP ABAP users (ABAP schema)
  abapshd  - for SAP ABAP shadow users (ABAP upgrade schema)
  java     - for SAP Java users (Java schema owners)
  javashd  - for SAP Java shadow users (Java upgrade schema)
  brtools  - for BR*Tools users (as a replacement for the OPS$ user)
  none     - secure storage is not used (exception)

You can now change the password in the secure storage of the SAP ABAP database user and the Java database user on one server, on which the SAP global directory is located.

  Unix:    /usr/sap/<SAPSID>/SYS/global
  Windows: X:\usr\sap\<SAPSID>\SYS\global

For Windows, you can also use the "sapmnt" share for the access. If the "sapmnt" share is not available, set the following environment variable:

  set SAPMNT=\\<host>\usr\sap

Alternatively, you can set the SAPGLOBALHOST environment variable:
  set SAPGLOBALHOST=<host>

In addition, the executing OS user must have the relevant authorizations to have write access to the secure storage directories or files that are located in the subdirectory "security" of the SAP global directory. By default, this action must be started using the OS user <sapsid>adm because this user fulfills these requirements.

19.06.2013    Page 1 of 8

1. Changing the password of the SAP database schema
---------------------------------------------------
Example of a database server call:
  brconnect -u / -c -f chpass -o SAPSR3 -p <password> -s abap

Example of an application server call:

  brconnect -u system/<password> -c -f chpass -o SAPSR3 -p <password> -s abap -RDB

With this call, you change the password for the database user SAPSR3 (ABAP schema) both in the database and in the ABAP secure storage. On an application server, BRCONNECT must connect to the database as DBA (for example, SYSTEM). In addition, you must set the special option "-RDB" (remote database).

If you do not set the option "-s|-secstore", the following applies:
- If the table SAPUSER exists in the database, the new database password is changed in the database and in the SAPUSER table.
- If the table SAPUSER does not exist in the database, the new database password is changed in the database and in the secure storage. This action must be executed with the OS user <sapsid>adm.

2. Changing the password of the SAP Java schema
-----------------------------------------------
Example of a database server call:
  brconnect -u / -c -f chpass -o SAPSR3DB -p <password> -s java

Example of an application server call:

  brconnect -u system/<password> -c -f chpass -o SAPSR3DB -p <password> -s java -RDB

With this call, you change the password for the database user SAPSR3DB (Java schema) both in the database and in the Java secure storage. On an application server, BRCONNECT must connect to the database as DBA (for example, SYSTEM). In addition, you must set the special option "-RDB" (remote database). If you do not set the option "-s|-secstore", BRCONNECT still tries to change the password in the Java secure storage for the Java database user SAP<SAPSID>DB. This action must be executed with the OS user <sapsid>adm.
Note: A password change for the Java schema is successful only if the following Java jar file exists:

  On Unix:    /usr/sap/<SAPSID>/SYS/global/sltools/sharedlib/checkKeyPhrase.jar
  On Windows: X:\usr\sap\<SAPSID>\SYS\global\sltools\sharedlib\checkKeyPhrase.jar

This is normally always the case on Java systems that are based on SAP NetWeaver 7.3X. Some (newer) 7.1X/7.2X systems also contain this file. However, 7.0X systems do not have it. A downport is planned for 2013.

Workaround: In the meantime, you can download the "checkKeyPhrase.jar" file, which is attached to this SAP Note, and copy it to the relevant "sharedlib" directory. However, the Java classes in the "checkKeyPhrase.jar" file require Java runtime version 5 or higher, which is not included in SAP 7.0X systems. On the database server with Oracle 11g, it is automatically included in Oracle Home. On application servers (if you start BRCONNECT there), it must first be installed manually. In both cases, you set the environment variable BR_JAVA_HOME to the new Java Home before you start BRCONNECT, for example (csh syntax):

  setenv BR_JAVA_HOME $ORACLE_HOME/jdk

In addition, you must set the special option "-OJS" (old Java system) for the BRCONNECT call, for example:
  brconnect -u / -c -f chpass -o SAPSR3DB -p <password> -s java -OJS

3. Storage of BR*Tools user/password in secure storage
------------------------------------------------------
To be able to completely avoid using the OPS$ database users, you can store the BR*Tools connection data for the database in a BR*Tools-specific secure storage as of Patch 27 for BR*Tools 7.20. The BR*Tools secure storage files are located in the following directories:

  $SAPDATA_HOME/security/rsecssfs/data
  $SAPDATA_HOME/security/rsecssfs/key

These directories must be created manually before the first BRCONNECT call and must have restrictive authorizations (in accordance with SAP Note 1639578). They belong to the OS user ora<dbsid> (or Oracle), for example:

  > ls -al $SAPDATA_HOME/security/rsecssfs
  drwx------  5 oraprd dba 512 Feb 19 10:52 .
  drwx------  3 oraprd dba 512 Feb 19 10:50 ..
  drwx------  2 oraprd dba 512 Feb 19 10:56 data
  drwx------  2 oraprd dba 512 Feb 19 10:56 key
This also applies to the directories $SAPDATA_HOME/security/rsecssfs and $SAPDATA_HOME/security.

You then create a BR*Tools database user (for example, BRT$ADM) and assign the SAPDBA role to it:

  SQL> connect / as sysdba
  SQL> create user brt$adm identified by <password>;
  SQL> grant sapdba to brt$adm;

Instead of the initial password, you can now set the "correct" password for the BR*Tools user in the database and the secure storage:

  On Unix:
  brconnect -u / -c -f chpass -o 'BRT$ADM' -p <password> -s brtools

  You can carry out this call using the <sapsid>adm or the ora<dbsid> OS user on the database server.

  On Windows:
  brconnect -u / -c -f chpass -o BRT$ADM -p <password> -s brtools

Note: BR*Tools automatically recognizes database users whose name starts with "BRT$" as BR*Tools database users. For these, you can omit the option "-s brtools".

After you have set up the BR*Tools database users, you can call all BR*Tools executables with the option "-u //" to connect to the database using the data that you have stored in the secure storage.

  brconnect -u // -c -f check

You can also use the new connection method for BR*Tools calls in the CCMS transaction DBACOCKPIT/DB13. For this, you must replace the option "-u /" manually (for example, with transaction SE16) with the option "-u //" in the SAP table SDBAC in the field PSTRING.

If you switch the SAP system to the new connection method using SSFS and delete the SAPUSER table at the same time, all OPS$ database users may be deleted. The following Support Packages are required for this change:
  SAP Basis Release 7.00: SAPKB70026
  SAP Basis Release 7.01: SAPKB70111
  SAP Basis Release 7.02: SAPKB70210
  SAP Basis Release 7.10: SAPKB71013
  SAP Basis Release 7.11: SAPKB71108
  SAP Basis Release 7.30: SAPKB73004
  SAP Basis Release 7.31: SAPKB73101
If you want to manage remote databases that are not addressed via an RFC destination (such as Java databases or other non-ABAP databases) with DBACOCKPIT/DB13, you must import the following Support Packages instead:
  SAP Basis Release 7.00: SAPKB70029
  SAP Basis Release 7.01: SAPKB70114
  SAP Basis Release 7.02: SAPKB70214
  SAP Basis Release 7.10: SAPKB71017
  SAP Basis Release 7.11: SAPKB71112
  SAP Basis Release 7.30: SAPKB73009
  SAP Basis Release 7.31: SAPKB73107
Alternatively, you can implement the attached correction instructions. Lower SAP release levels are not supported here.

Caution: The change in the table SDBAC affects all databases that you manage using DBACOCKPIT/DB13 and that are not addressed via an RFC destination. Therefore, they all must have the BR*Tools-specific secure storage activated.

4. Storage of user/password for Oracle Fail Safe in secure storage
------------------------------------------------------------------
(as of Patch 29 of BR*Tools 7.20)

Up to now, the user name and the password for Oracle Fail Safe had to be saved in the BRBACKUP environment in clear text (see SAP Note 378648). It is now possible to store this sensitive data in the BR*Tools-specific secure storage (see point 3). You call BRCONNECT for this as follows:

  brconnect -u / -c -f chpass -o <ofs_user> -p <ofs_password> -s failsafe

With:
  <ofs_user>     - Oracle Fail Safe user name
  <ofs_password> - Oracle Fail Safe user password

You then change the following BRBACKUP environment variables:

  set BR_OFS_USER=SEC$STORE
  set BR_OFS_PWD=

The BR_OFS_PWD environment variable is thereby deleted.

Note: You must first create the directories required for the BR*Tools-specific secure storage manually (see point 3).

5. Role-based storage of BR*Tools user/password in secure storage
-----------------------------------------------------------------
(as of Patch 30 of BR*Tools 7.20)

Comment: This configuration affects mainly Unix platforms.

There are two main roles in the area of Oracle database management:
- DBA role: execution of all DBA tasks, including restore/recovery.
- OPER role: execution of routine tasks such as backup and check.

Two Oracle system privileges correspond to these roles:
- SYSDBA for the DBA role
- SYSOPER for the OPER role

and two standard OS groups from which Oracle derives the system privileges:
- "dba", from which the SYSDBA privilege is automatically derived.
- "oper", from which the SYSOPER privilege is automatically derived.

The aim of the role-based storage of the BR*Tools user and BR*Tools password in the secure storage is the assignment of the DBA and OPER roles to OS users
without the OS users having to belong to the Oracle-relevant OS groups "dba" and/or "oper". In addition, the OS users that are configured like this must execute DBA actions only with the BR*Tools. Generally, OS users with the DBA role can call all BR programs. OS users with the OPER role can call only BRARCHIVE, BRBACKUP, and BRCONNECT.

Caution: For backups with RMAN you need the SYSDBA privilege. This is to change with Oracle 12c.

5.1. Required configuration in the Oracle database

To fulfill the aim described above, the following configuration actions must be executed in the Oracle database:

- The Oracle password file must be created and active.
  UNIX:
  orapwd file=$ORACLE_HOME/dbs/orapw<DBSID> password=<password> entries=10
  Windows:
  orapwd file=%ORACLE_HOME%\database\PWD<DBSID>.ORA password=<password> entries=10

  Caution: For RAC installations, omit <DBSID> from the name of the password file. The file name is restricted to "orapw" in Unix and to "PWD.ORA" in Windows.

- The following init.sap parameter must be set:
  remote_login_passwordfile = exclusive

- Two database users that represent the two roles are created and receive the relevant authorizations, for example the user ORADBA for the DBA role and ORAOPER for the OPER role:

  SQL> connect / as sysdba
  SQL> create user oradba identified by <password>;
  SQL> grant sysdba, sysoper, sapdba to oradba;
  SQL> create user oraoper identified by <password>;
  SQL> grant sysoper, sapdba to oraoper;
5.2. Required configuration at OS level (under "root")

Assumption:
- the OS user "dbauser" is to receive the DBA role and the OS user "operuser" is to receive the OPER role.
- the OS group "dbagroup" represents all OS users with the DBA role.
- the OS group "opergroup" represents all OS users with the OPER role.
- the OS group "dbstaff" represents all OS users with the DBA role and/or the OPER role.

In this case, these users must be configured as follows:
- the OS user "dbauser" is a member of the OS groups "dbagroup", "opergroup", and "dbstaff"
- the OS user "operuser" is a member of the OS groups "opergroup" and "dbstaff"
- these OS users do not belong to the Oracle-relevant OS groups "dba" and/or "oper"
- the BR executables have the following permissions:

  -rwsr-xr--  1 ora<dbsid>   dbstaff  15852744 Feb  4 13:41 brarchive
  -rwsr-xr--  1 ora<dbsid>   dbstaff  16235320 Feb  4 13:41 brbackup
  -rwsr-xr--  1 ora<dbsid>   dbstaff  20176232 Feb  4 13:41 brconnect
  -rwsr-xr--  1 ora<dbsid>   dbstaff  17120056 Feb  4 13:41 brrecover
  -rwxr-xr-x  1 <sapsid>adm  dbstaff   6627408 Feb  4 13:41 brrestore
  -rwsr-xr--  1 ora<dbsid>   dbstaff  21655416 Feb  4 13:41 brspace
  -rwxr-xr-x  1 <sapsid>adm  dbstaff   7828152 Feb  4 13:41 brtools

- the OS users "dbauser" and "operuser" must have set at least the following Oracle- or BR*Tools-specific environment variables:
  ORACLE_SID   - Oracle system ID
  ORACLE_HOME  - Oracle home directory
  SAPDATA_HOME - Sapdata home directory (/oracle/<DBSID>)
  SAPEXE       - BR*Tools directory with BR executables

5.3. Required configuration in secure storage (under "ora<dbsid>")

- delete the old BR*Tools secure storage file, if it exists:
  > rm $SAPDATA_HOME/security/rsecssfs/data/*

- store the logon data for the DBA role in secure storage:
  > brconnect -u / -c -f chpass -o oradba -p <password> -s brtools/dbagroup

- store the logon data for the OPER role in secure storage:
  > brconnect -u / -c -f chpass -o oraoper -p <password> -s brtools/opergroup

5.4. Calling the BR programs using the OS users "dbauser" and "operuser"

- The OS user "dbauser" can now call the BR programs as follows:
  brarchive -u //dbagroup ...
  brbackup  -u //dbagroup ...
  brconnect -u //dbagroup ...
  brrecover -u //dbagroup ...
  brspace   -u //dbagroup ...

- The OS user "operuser" can now call the BR programs as follows:
  brarchive -u //opergroup ...
  brbackup  -u //opergroup ...
  brconnect -u //opergroup ...

- You can also call these programs using the BRTOOLS/BRGUI menus. In the menu entry field "Database user/password (user)", you enter "//dbagroup" or "//opergroup" accordingly.

- You must not call BRRESTORE; use only BRRECOVER.

6. Strict secure storage database connection
--------------------------------------------
(as of Patch 30 of BR*Tools 7.20)

Comment: This configuration affects mainly Unix platforms.

The strict secure storage database connection is to ensure that the DBA actions are executed using the BR*Tools only and that the BR*Tools action logs cannot subsequently be manipulated. Among other things, this configuration is intended to comply with strict audit requirements. The BR*Tools automatically switch to this operation mode if the following prerequisites are fulfilled:

- the database connection is made via the role-based secure storage entries (see point 5)
- the names of the database users that are stored in secure storage start with the character string "BRT$" (example: "BRT$DBA", "BRT$OPER")
- the BR*Tools profile is located in the directory $ORACLE_HOME/dbs or /oracle/<DBSID>/sapprof
- the profile and the underlying directory must have restrictive permissions (for example, -rw------- / -rwx------)
- the BR*Tools log directories (saparch, sapbackup, sapcheck, and sapreorg)
  are located in /oracle/<DBSID> and must have restrictive permissions (for example, -rwx------)

In addition, we recommend creating the directory $SAPDATA_HOME/security/rsecssfs/temp with the restrictive permissions "-rwx------". In this directory, BR*Tools places temporary files that contain critical logon data.

In addition, you can use the new init.sap special parameter "_file_mask" to restrict the permissions of backup files on disk or of new database files. A typical setting could be:

  _file_mask = 077

This restricts the file permissions to "-rw-------" or "-rwx------" (for directories). The leading "0" is important in this case because the value is normally specified in octal notation (corresponding to the UNIX "umask" command).

=======================================================================
Points 1 and 4: BR*Tools 7.20 Patch 27 and 28 provide an enhancement.
Points 5 and 6: The enhanced functions are provided in BR*Tools 7.20 Patch 30.
For more information about downloading patches, see SAP Notes 12741 and 19466.
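The following POSIX shell script is an added example; it is not part of SAP Note 1764043 and not BR*Tools code. It checks, in one place, the OS-level prerequisites that points 3, 5.2 and 6 describe: that the rsecssfs directories (including the recommended temp directory) are accessible to their owner only, that a role user is a member of dbstaff, opergroup and (for the DBA role) dbagroup but not of the Oracle groups dba or oper, that a BR executable carries the setuid bit with the expected owner and group, and which permissions a given _file_mask value actually produces. The user and group names are the Note's own; the temporary directory layout, the constructed group file, and the function names are assumptions made for this example, and a real run would point the functions at SAPDATA_HOME, /etc/group and the BR executables under SAPEXE.

```shell
#!/bin/sh
# Added example (not from SAP Note 1764043 or BR*Tools): audits the OS-level
# prerequisites of points 3, 5.2 and 6. User and group names come from the
# Note's own examples; the paths passed in by the caller are assumptions.

# Return 0 if $1 exists and "ls -ld" shows exactly the 10-character mode
# string $2 (for example "drwx------" or "-rw-------").
check_mode() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "$2" ]
}

# Points 3 and 6: every directory of the BR*Tools secure storage under
# SAPDATA_HOME ($1) must exist and be accessible to its owner only.
check_rsecssfs() {
    sec=$1/security
    for d in "$sec" "$sec/rsecssfs" "$sec/rsecssfs/data" \
             "$sec/rsecssfs/key" "$sec/rsecssfs/temp"; do
        check_mode "$d" "drwx------" || return 1
    done
    return 0
}

# Return 0 if user $1 is listed as a member of group $2 in the group
# file $3 (same layout as /etc/group: name:x:gid:member1,member2,...).
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }' "$3"
}

# Point 5.2: a role user ($1, role "dba" or "oper") must be in dbstaff and
# opergroup, a DBA user additionally in dbagroup, and neither may be in the
# Oracle groups dba or oper, otherwise the role separation is void.
check_role_user() {
    user=$1 role=$2 gf=$3
    in_group "$user" dbstaff   "$gf" || return 1
    in_group "$user" opergroup "$gf" || return 1
    if [ "$role" = dba ]; then
        in_group "$user" dbagroup "$gf" || return 1
    fi
    if in_group "$user" dba "$gf" || in_group "$user" oper "$gf"; then
        return 1
    fi
    return 0
}

# Point 5.2: a BR executable ($1) that runs with the database owner's
# identity must carry the setuid bit and belong to owner $2 and group $3.
check_br_executable() {
    owner=$2 group=$3
    [ -u "$1" ] || return 1
    set -- $(ls -ld "$1")          # fields: mode links owner group ...
    [ "$3" = "$owner" ] && [ "$4" = "$group" ]
}

# Point 6: the mode a new file ("file", base 666) or directory ("dir",
# base 777) receives under _file_mask $1, written in octal as in init.sap.
mode_after_mask() {
    base=0666
    if [ "$2" = dir ]; then base=0777; fi
    printf '%04o' $(( base & ~0$1 ))
}

# Demonstration on a constructed layout in a temporary directory.
main() {
    tmp=$(mktemp -d) || exit 1
    home=$tmp/oracle/PRD
    mkdir -p "$home/security/rsecssfs/data" "$home/security/rsecssfs/key" \
             "$home/security/rsecssfs/temp"
    chmod 700 "$home/security" "$home/security/rsecssfs" \
              "$home/security/rsecssfs/data" "$home/security/rsecssfs/key" \
              "$home/security/rsecssfs/temp"
    check_rsecssfs "$home" && echo "secure storage directories: ok"

    # constructed group file: operuser is wrongly also a member of "oper"
    printf 'dba:x:1001:oraprd\noper:x:1002:operuser\n' > "$tmp/group"
    printf 'dbagroup:x:1003:dbauser\nopergroup:x:1004:dbauser,operuser\n' >> "$tmp/group"
    printf 'dbstaff:x:1005:dbauser,operuser\n' >> "$tmp/group"
    check_role_user dbauser dba "$tmp/group" && echo "dbauser: ok"
    check_role_user operuser oper "$tmp/group" || echo "operuser: member of Oracle group oper"

    echo "_file_mask 077: file $(mode_after_mask 077 file), dir $(mode_after_mask 077 dir)"
    rm -rf "$tmp"
}
main
```

The group membership is read from a group file rather than from id(1) so that the check can be run against a copy of /etc/group taken from another host; the mode strings are compared against ls -ld output because that is portable across the Unix platforms the Note targets, where stat(1) is not.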
Header Data
  Release Status:    Released for Customer
  Released on:       09.04.2013 12:43:36
  Master Language:   German
  Priority:          Recommendations/additional info
  Category:          Advance development
  Primary Component: BC-DB-ORA-DBA Database Administration with Oracle

Valid Releases
  Software Component  Release  From Release  To Release  and Subsequent
  KRNL32NUC           7.10     7.20          7.20
  KRNL32NUC           7.20EXT  7.20EXT       7.20EXT
  KRNL32UC            7.10     7.20          7.20
  KRNL32UC            7.20EXT  7.20EXT       7.20EXT
  KRNL64NUC           7.10     7.20          7.20
  KRNL64NUC           7.20EXT  7.20EXT       7.20EXT
  KRNL64UC            7.10     7.20          7.20
  KRNL64UC            7.20EXT  7.20EXT       7.20EXT
  KERNEL              72       7.20          7.20
Related Notes
  Number   Short Text
  1868094  Overview: Oracle Security SAP Notes
  1838850  Corrections in BR*Tools Version 7.40
  1829584  Potential information disclosure related to BRBACKUP
  1780057  Corrections in BR*Tools 7.20 patch 28
  1639578  SSFS as password storage for primary database connect
  1622837  Secure connection of AS ABAP to Oracle via SSFS
  1428529  Corrections in BR*Tools Version 7.20
  378648   Offline backup support with Oracle Fail Safe
Attachments
  File Type  File Name           Language  Size
  JAR        checkKeyPhrase.jar  E         21 KB

SP Patch Level
  Software Component Version  Support Package  SP Patch Level
  SAP KERNEL 7.20 32-BIT      SP000            000027
Correction Instructions
  Correction Instructions  Valid from  Valid to  Software Component  Type *)  Reference Correction  Last Changed
  1165890                  700         730       SAP_BASIS           C        YI3K059276            19.10.2012 14:27:34
  1542326                  700         702       SAP_BASIS           C        YI3K121902            18.12.2012 16:04:40
  1542392                  702         731       SAP_BASIS           C        YI3K121902            18.12.2012 16:04:26
  1542964                  730         730       SAP_BASIS           C        YI3K121902            18.12.2012 16:03:29

  *) C Correction, B Preprocessing, A Postprocessing, M Undefined Work