
The following SAP Notes must be referred to:

    Note 1622837 - Secure connection of AS ABAP to Oracle via SSFS
    Note 1639578 - SSFS as password storage for primary database connect
    Note 1764043 - Support for secure storage in BR*Tools


1.  SSFS activation: the following directories need to be created under $(DIR_GLOBAL)\security, that is:

    usr\sap\<SID>\SYS\global\security\rsecssfs\data
    usr\sap\<SID>\SYS\global\security\rsecssfs\key

2.  DEFAULT.PFL values that need to be set:

    rsec/ssfs_datapath    $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
    rsec/ssfs_keypath     $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key

3.  Environment variables need to be set to make SSFS accessible to SAP tools such as R3trans and R3load. Use the SETX command at the Windows command prompt for this.

    setx RSEC_SSFS_DATAPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\data
    setx RSEC_SSFS_KEYPATH <drive>:\usr\sap\<SID>\SYS\global\security\rsecssfs\key

4.  Defining the DB user name and password in secure storage: the DB connectivity settings are configured with the RSECSSFX command at the command prompt.

    rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain
    rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_PASSWORD XXXXXXXX

    After creating the entries, check both the data and key folders for their contents.

5.  Secure store encryption key change: this can be done if additional security is required, with

    RSECSSFX pf=<profile_path> changekey <key phrase>

6.  To switch the DB connectivity to the new method, define the values below:

    Profile parameter:    rsdb/ssfs_connect = 1
    Environment variable: rsdb_ssfs_connect 1

    Now reboot the instance and check the system status. The connection status can be monitored in the work process trace file.

7.  Now the old connection method needs to be turned off. For this, the SAPUSER table in the OPS$<SIDADM> schema needs to be dropped. Proceed as follows:

    SQL> connect system/<pwd>
    SQL> drop table ops$<sid>adm.sapuser;

8.  To make BR*Tools use SSFS instead of the old OPS$<USER> mechanism, create a BR*Tools database user (for example, BRT$ADM) and assign the SAPDBA role to it.

    SQL> create user brt$adm identified by XXXXX;
    SQL> grant sapdba to brt$adm;

    Now change the initial password to the actual password using brconnect:

    brconnect -u / -c -f chpass -o BRT$ADM -p <password> -s brtools

That's it.

Thanks... / Vamsi
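
A consistency check for the settings from steps 1 to 3 and the profile parameter from step 6, added here as an example; it is not part of the original post or of SAP's tooling. It parses DEFAULT.PFL text, expands $(DIR_GLOBAL) and $(DIR_SEP), and compares the result with the RSEC_SSFS_* environment variables. The function names, the SID ABC, drive E: and all sample values are constructed, and the macro values are supplied by the caller.

```python
import ntpath
import re

PATH_PAIRS = (("rsec/ssfs_datapath", "RSEC_SSFS_DATAPATH"),
              ("rsec/ssfs_keypath", "RSEC_SSFS_KEYPATH"))

def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile, skipping # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def expand(value, macros):
    """Substitute $(NAME) references; unknown names are left untouched."""
    return re.sub(r"\$\((\w+)\)", lambda m: macros.get(m.group(1), m.group(0)), value)

def norm(path):
    return ntpath.normcase(ntpath.normpath(path))  # ignore case and separator style

def check_ssfs(profile_text, env, macros, is_dir):
    """Return a list of findings; an empty list means the settings agree."""
    params, findings = parse_profile(profile_text), []
    if params.get("rsdb/ssfs_connect") != "1":
        findings.append("profile: rsdb/ssfs_connect is not 1")
    for param, var in PATH_PAIRS:
        if param not in params:
            findings.append(f"profile: {param} is not set")
            continue
        wanted = expand(params[param], macros)
        if not is_dir(wanted):
            findings.append(f"directory missing: {wanted}")
        if var not in env:
            findings.append(f"environment: {var} is not set")
        elif norm(env[var]) != norm(wanted):
            findings.append(f"environment: {var} differs from {param}")
    return findings

# Constructed sample: SID "ABC" on drive E:, key path variable pointing elsewhere.
SAMPLE_MACROS = {"DIR_GLOBAL": r"E:\usr\sap\ABC\SYS\global", "DIR_SEP": "\\"}
SAMPLE_PROFILE = """\
rsec/ssfs_datapath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data
rsec/ssfs_keypath = $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key
rsdb/ssfs_connect = 1
"""
SAMPLE_ENV = {"RSEC_SSFS_DATAPATH": r"e:\usr\sap\ABC\SYS\global\security\rsecssfs\data",
              "RSEC_SSFS_KEYPATH": r"E:\oracle\ABC\security\rsecssfs\key"}
```

On the host, pass os.environ as env, the real DIR_GLOBAL value in macros and os.path.isdir as is_dir; an empty result means the profile, the environment and the directories agree.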


32 Comments
0 Kudos

Great summary and steps description. :smile:

0 Kudos

Thanks Janos

susansun01
Advisor
0 Kudos

This is very useful and a little supplement:

In step 5, the <key phrase> is specified in the hexadecimal format (48 characters from the range '0-9' and 'A-F').

0 Kudos

Thank you for your feedback Susan :smile:

Former Member
0 Kudos

Hi Vamsi,

Great work ..

But little correction ..

After restarting the SAP system, check whether the connect was successful. If the changeover was successful, the developer trace (SM50) should contain the following entry:

    B read_con_info_ssfs(): DBSL supports extended connect protocol
    B   ==> connect info for default DB will be read from ssfs

Grant command should be ..

SQL> grant sapdba to brt$adm;

To change initial password

brconnect -u / -c -f chpass -o 'BRT$ADM' -p <password> -s brtools

After you have set up the BR*Tools database users, you can call all BR*Tools executables with the option "-u //" to connect to the database using the data that you have stored in the secure storage.

Run brconnect -u // -c -f check


Thanks ,

Neel

0 Kudos

Thanks :smile:

0 Kudos

Good document!!!

Once we perform a QA refresh (using backup/restore), for the post-processing, do we need to execute the following to restore the connection? Are there any other steps?

rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_USER SAPSR3 -plain


rsecssfx pf=<drive>:\usr\sap\<SID>\SYS\profile\DEFAULT.PFL put DB_CONNECT/DEFAULT_DB_PASSWORD XXXXXXXX



Thanks in advance.

Dafi


j_bayrhammer
Participant
0 Kudos

Very good summary of ops$-procedure!

I have a problem when using "brconnect -u / -c -l E -f chpass -o SAPSR3DB -password XXXXX -s brtools" in a Java only 7.40 Environment.

System tells me:

BR0282E Directory '/oracle/SID/security/rsecssfs/data' not found

But profile parameters are set in DEFAULT.PFL to:

rsec/ssfs_datapath=$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)data

rsec/ssfs_keypath=$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)rsecssfs$(DIR_SEP)key

"rsecssfx info" gives correct path to SSFS_SID.DAT:

/usr/sap/SID/SYS/global/security/rsecssfs/data/SSFS_SID.DAT

So where does the path /oracle/SID/security/rsecssfs/data come from?

Regards,

Julia


0 Kudos

Nice document. There is a missing step for the Oracle parameter "remote_os_authent".

Regards,
Dafi

Former Member
0 Kudos

Hi Vamsi/Elda,

If we are doing a system copy on systems with NetWeaver 7.4, where by default only SSFS is supported, then after copying the source system to the target system (backup/restore), what post-installation activities have to be done? (Usually we used to drop and recreate the OPS$user for SAP - Oracle DB connectivity, right?)

Can you please share your thoughts on the actions to be taken while performing a system copy of a NetWeaver ABAP 7.4 system on Oracle (AIX platform)?

Thanks in advance.


0 Kudos

Hello Balaji,

The system copy guide should provide useful guidelines on this; I advise going through that carefully first. After the system DB refresh, please check the overall SSFS configuration once and start the application. If the application start-up is normal, then we are good; if not, the errors can anyway be identified and resolved based on the error info / logs.

Thanks,

Former Member
0 Kudos

OK, thank you. I already had a look at the system copy guide.

I am just eager to know your experience.

Former Member
0 Kudos

We have encountered SSFS connectivity to the DB issue while doing HCM EHP7 SP5 upg. Great summary. Also note 1639578 has the steps that need to be performed for SSFS setup.

Thanks,

Chaitanya V

former_member215168
Discoverer
0 Kudos

Hi all ,

Very nice and precise write up but can we change password of SAPSR3 user as well using brtools after implementing SSFS??

fidel_vales
Employee
0 Kudos

yes, it is in one of the comments. Check them

Former Member
0 Kudos

Reboot of instance is not needed, when I set environment variable rsdb/ssf_connect = 1 of sidadm user before starting SUM. Right?

0 Kudos

brconnect -u / -c -f chpass -o <USER> -p <PASSWORD> -s brtools
BR0801I BRCONNECT 7.20 (41)

BR0280I BRCONNECT time stamp: 2015-02-19 15.22.11
BR0828I Changing password for database user <USER> ...

BR0280I BRCONNECT time stamp: 2015-02-19 15.22.11
BR0829I Password changed successfully in database for user <USER>
BR0282E Directory '/oracle/<SID>/security/rsecssfs/data' not found
BR1527E Setting password for user <USER> in secure storage failed
BR0832E Changing password for user <USER> failed

BR0280I BRCONNECT time stamp: 2015-02-19 15.22.11
BR0804I BRCONNECT terminated with errors

-> All OS env. and SAP parameters are correct. Where does this path come from?

'/oracle/<SID>/security/rsecssfs/data'?

Former Member
0 Kudos

Hi..

Have you implemented SSFS for brtools?

Please check; that is the directory for storing the password of the brtools user.

1764043 Support for secure storage in BRTools

Section 3. Storage of BR*Tools user/password in secure storage

Former Member
0 Kudos

Hi Julia,

I am facing the same issue after configuring SSFS in Oracle 12C, All Var. and Profile parameter are set as per the SAP Note 1639578.

BR0282E Directory '/oracle/SID/security/rsecssfs/data' not found


Please help.


Thanks.

j_bayrhammer
Participant
0 Kudos

Hello Mohomad Swalay,

There is no need to configure this in a Java-only stack.

Regards,

Julia

Former Member
0 Kudos

Hi,

Oh, but I am configuring it in AS ABAP.

Thanks

former_member182657
Active Contributor
0 Kudos

Hi Swalay,

/oracle/SID/security/rsecssfs/data' not found

Could you check the physical presence of the data dir at the specified location on the system? If not, then use


mkdir /usr/sap/SID/SYS/global/security/rsecssfs/data


& retry.

Thanks,

Former Member
0 Kudos

Hi Gaurav,

Yes, even the data file is created successfully in /usr/sap/SID/SYS/global/security/rsecssfs/data with the name SSFS_ECQ.DAT (size 1 KB).

But why is it looking for this file in /oracle/SID/security/rsecssfs/data?

Thanks

0 Kudos

I think you mix things up. In which step (SAP Note 1639578) do you get this error? As far as I can see there is no brconnect in 1639578.

I could set up SSFS without brconnect.

Former Member
0 Kudos

Hi Robert,

Thanks for the quick reply, I have followed the same steps while configuring.

See the error below that I am getting.

C:\Users\<SIDADM>>brconnect -u // -c -f stats -t system_stats

BR0801I BRCONNECT 7.40 (15)

BR0282E Directory 'E:\oracle\SID\security\rsecssfs\data' not found

BR1529E Getting BR*Tools user name/password from secure storage failed

BR0806I End of BRCONNECT processing: ceqtejlc.log 2015-06-17 12:29:00

BR0280I BRCONNECT time stamp: 2015-06-17 12:29:00

BR0804I BRCONNECT terminated with errors

Thanks.

former_member182657
Active Contributor
0 Kudos

Hi,

If possible, could you share the SCN thread generated by you for the issue? And I suggest you share the brconnect.log file from the system.

former_member182657
Active Contributor
0 Kudos

Hi,

Could you share the parameter value for RSEC_SSFS_DATAPATH?

Regards,

0 Kudos

Try this one: brconnect -u / -f chpass -o sapsr3 -p <pwd>

Former Member
0 Kudos

Hi Robert,

It's working fine

BR0257I Your reply: 'c'

BR0259I Program execution will be continued...

BR0280I BRCONNECT time stamp: 2015-06-17 13:09:09

BR1526I Password set successfully for database user SAPSR3 in secure storage E:\usr\sap\SID\SYS\global\security\rsecssfs\data\SSFS_ECQ.DAT

BR0280I BRCONNECT time stamp: 2015-06-17 13:09:09

BR0802I BRCONNECT completed successfully

Rgds/Swalay

Former Member
0 Kudos

Great summary and very useful...Thanks

Former Member
0 Kudos

Great summary and very useful! Tons of thanks!!!

Former Member
0 Kudos

Hi

I found a little better method.

Put the values mentioned for the DEFAULT.PFL into the .sap_hostname.csh file

Why:

1. That file is read BEFORE the Oracle database starts, and SAP knows what to expect.

We ran into issues where we put the data in the DEFAULT.PFL, but once we put them in the .sap_hostname.csh files it worked like a charm.
