{"id":1593,"date":"2024-07-04T21:44:02","date_gmt":"2024-07-04T16:14:02","guid":{"rendered":"https:\/\/adilfahim.com\/myblog\/?p=1593"},"modified":"2024-07-05T11:58:06","modified_gmt":"2024-07-05T06:28:06","slug":"oracle-brtools-ssfs-configuration","status":"publish","type":"post","link":"https:\/\/adilfahim.com\/myblog\/oracle-brtools-ssfs-configuration\/","title":{"rendered":"Oracle BRTOOLS SSFS Configuration"},"content":{"rendered":"

If you are still managing an SAP system with an Oracle database. If so, understanding how to configure\u00a0BRTOOLS SSFS\u00a0(Secure Storage in File System) is crucial. SSFS provides a secure way to store sensitive data such as database passwords. Let\u2019s dive into the key steps:<\/p>\n

Avoid using OPS$ mechanism, locking\/deleting OPS$ users<\/h3>\n

Reference \u2013<\/p>\n

1764043 – Support for secure storage in BR*Tools
\n1622837 – Secure connection of AS ABAP to Oracle via SSFS
\nClick for SAP Help Portal<\/a><\/b><\/p>\n

Validation before performing any change(BRTOOLS SSFS) with existing setup(OPS$) \u2013<\/p>\n

Validate SAP \u2013 DB13 jobs should be running fine.<\/p>\n

Trigger below command should be getting completed without any error.<\/p>\n

ora – brconnect -u \/ -c -f stats -t all<\/b><\/p>\n

OPS$ users in DB<\/b> \u2013<\/p>\n

select name, ctime, ptime from user$ where name like ‘%OPS$%’;<\/p>\n

OPS$ORA (On UNIX this user is responsible for BRTOOLS binaries and SAP DB13)<\/p>\n

OPS$ADM (windows user)<\/p>\n

OPS$SAPSERVICE (windows user)<\/p>\n

Login to OS level via ora and check the $SAPDATA_HOME variable.<\/p>\n

\"BRTOOLS<\/p>\n

create below directories via ora user by running this command<\/b> \u2013<\/p>\n

mkdir -p $SAPDATA_HOME\/security\/rsecssfs\/data<\/p>\n

mkdir -p $SAPDATA_HOME\/security\/rsecssfs\/key<\/p>\n

mkdir -p $SAPDATA_HOME\/security\/rsecssfs\/log<\/p>\n

mkdir -p $SAPDATA_HOME\/security\/rsecssfs\/temp<\/p>\n

Connect to Oracle<\/b><\/p>\n

SQL> connect \/ as sysdba<\/p>\n

SQL> create user brt$adm identified by ;<\/p>\n

SQL> grant sapdba, sysdba, sysoper to brt$adm;<\/p>\n

Updating the password in Secure Storage for BRTOOLS SSFS<\/b> \u2013<\/p>\n

Run below command to set the temporary variable for this present session.<\/p>\n

setenv RSEC_SSFS_DATAPATH \/oracle\/\/security\/rsecssfs\/data<\/p>\n

setenv RSEC_SSFS_KEYPATH \/oracle\/\/security\/rsecssfs\/key<\/p>\n

Run below command \u2013<\/p>\n

brconnect -u \/ -c -f chpass -o ‘BRT$ADM’ -p -s brtools<\/b><\/p>\n

this will generate below file at OS level and set the key also.<\/p>\n

\"BRTOOLS
\n\u00a0
\nTo stop the new password from\u00a0BRT$ADM\u00a0expiring, which leads to an oracle error (ORA-28001: the password has expired), we recommend allocating the\u00a0SAPUPROF\u00a0profile to the database user:<\/b><\/p>\n

SQL> connect \/ as sysdba<\/p>\n

SQL> alter user BRT$ADM profile SAPUPROF;<\/p>\n

Validate the new configuration is working fine \u2013<\/p>\n

brconnect -u \/\/ -c -f stats -t all<\/b><\/p>\n

the above command should be completed successfully without any error. If it\u2019s working then now it\u2019s not using OPS$ mechanism and working with brt$adm user(created in oracle).<\/p>\n

Note \u2013 above environment variable are temporary for configuration. Post configuration, there is no requirement of temporary environment variables hence log out and login again to ora user and run the below command, it should be completed successfully.<\/p>\n

brconnect -u \/\/ -c -f stats -t all<\/b><\/p>\n

Locking the OPS$ users in Oracle post BRTOOLS SSFS Configuration<\/b><\/p>\n

sqlplus \/ as sysdba<\/p>\n

alter user OPS$ORA account lock;<\/p>\n

alter user OPS$ADM account lock;<\/p>\n

alter user OPS$SAPSERVICE account lock;<\/p>\n

Post locking these users command – brconnect -u \/ -c -f stats -t all will start failing with error \u201cAccount is Locked\u201d.<\/p>\n

As we now change from OPS$ to SSFS brconnect -u \/\/ -c -f stats -t all should be running fine without any error hence it means our configuration is successfully completed.<\/p>\n

These users can be deleted post configuration changes and validations at SAP level.<\/p>\n

Changes in SAP Systems to run successfully DB13 jobs<\/h3>\n

(Take table backup of both tables before performing any changes)<\/p>\n

New connection method for BR*Tools calls in the CCMS transaction DBACOCKPIT\/DB13. To do this, the content of the SAP table SDBAC_DATA (SAP_BASIS Releases 7.10, 7.11, 7.20, and 7.30) or SDBAC (other SAP_BASIS releases)\u00a0must be modified.\u00a0Use the SQL script db13secd.sql or db13sec.sql for this see attachment of note 1764043.<\/p>\n

In SAP_BASIS releases 7.10, 7.11, 7.20, and 7.30:<\/b><\/p>\n

sqlplus \/ as sysdba
\nRun the script<\/p>\n

In other SAP_BASIS releases:
\nsqlplus \/ as sysdba
\nRun the script<\/p>\n

The following Support Packages are required for this change:<\/p>\n

SAP Basis Release 7.00: SAPKB70026
\nSAP Basis Release 7.01: SAPKB70111
\nSAP Basis Release 7.02: SAPKB70210
\nSAP Basis Release 7.10: SAPKB71013
\nSAP Basis Release 7.11: SAPKB71108
\nSAP Basis Release 7.30: SAPKB73004
\nSAP Basis Release 7.31: SAPKB73101<\/p>\n

If you want to manage remote databases that are not addressed via an RFC destination (such as Java databases or other non-ABAP databases) with DBACOCKPIT\/DB13, you must import the following Support Packages instead:<\/p>\n

SAP Basis Release 7.00: SAPKB70029
\nSAP Basis Release 7.01: SAPKB70114
\nSAP Basis Release 7.02: SAPKB70214
\nSAP Basis Release 7.10: SAPKB71017
\nSAP Basis Release 7.11: SAPKB71112
\nSAP Basis Release 7.30: SAPKB73009
\nSAP Basis Release 7.31: SAPKB73107<\/p>\n

Alternatively, you can implement the attached correction instructions.
\nLower SAP release levels are not supported here.<\/b><\/p>\n

Download the respective file and run on the system, as is NW 7.01 hence (db13sec) file is supported.<\/p>\n

Trigger the file with below command \u2013<\/p>\n

sqlplus \/ as sysdba<\/p>\n

\/tmp\/db13.sql<\/p>\n

\"BRTOOLS<\/p>\n

Validate SDBAC table in SAP system.<\/b><\/p>\n

Now \/\/ entry is there in the table.<\/p>\n

\"BRTOOLS<\/p>\n

Schedule DB13 jobs in SAP post above changes to validate, it should be getting completed.<\/b><\/p>\n

\"BRTOOLS<\/p>\n

\"BRTOOLS<\/p>\n

\u00a0
\nDifference of OPS$ and User mechanism working<\/b> \u2013<\/p>\n

Ans – By Default any brtools library run command as below when OPS$ mechanism is configured.<\/p>\n

brconnect -u \/ -c -f stats -t all<\/b><\/p>\n

But once you configured user mechanism to avoid OPS$ by locking or deleting the database which is a secure method. You need to run command as below \u2013<\/p>\n

brconnect -u \/\/ -c -f stats -t all<\/b><\/p>\n

\/\/ means \u2013 it\u2019s now running with SSFS method avoiding OPS$ mechanism.<\/p>\n

Running BRTOOLS post above configuration \u2013<\/p>\n

There is a slight change for running brtools after above user configuration(avoid OPS$ mechanism), as BRTOOLS is configured with OPS$ user with (\/), it will start failing hence need to change (\/) to (\/\/) in the command as below \u2013<\/p>\n

For example \u2013 Default Value of \/
\nNew Change Value \u2013 Database user\/password (user ) \u2026\u2026\u2026\u2026\u2026\u2026.. [\/\/]<\/b><\/p>\n

\"BRTOOLS<\/p>\n

Click to Read – Oracle 19c Automatic Indexing<\/a><\/p>\n

Commvault Configuration post BRTOOLS SSFS Changes<\/h3>\n

As Commvault use the default behavior while running the Oracle DB and Log backup by using \/ function hence this also need to be updated at Commvault side.<\/p>\n

Login to Commvault Configuration and select the impacted Oracle Database and select SSFS Connectivity.<\/p>\n

Recommendations<\/b><\/p>\n

For Cluster Databases<\/b><\/p>\n

Directory structure should be copied\u00a0$SAPDATA_HOME\/security\u00a0together with the files it contains from the primary server to secondary and DR server where BR*Tools is called.<\/p>\n

Caution 5<\/b>
\nIf SAP Host Agent is active for the affected system. following the deletion of the OPS$ database users, it will attempt to connect to the database with the SYSDBA authorization. This can result in the extremely frequent creation of Oracle audit trace files (see SAP Note 2146596). These audit trace files are deleted by the BRCONNECT function “cleanup”. This should be executed regularly (for example, once a week) in this case. However, if you want to generally avoid the creation of Oracle audit trace files, the OPS$ database users should not be deleted.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you are still managing an SAP system with an Oracle database. If so, understanding how to configure\u00a0BRTOOLS SSFS\u00a0(Secure Storage in File System) is crucial. SSFS provides a secure way to store sensitive data such as database passwords. Let\u2019s dive into the key steps: Avoid using OPS$ mechanism, locking\/deleting OPS$ users Reference \u2013 1764043 – […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[8],"tags":[47,1109,1107,1110,1108,1111],"class_list":["post-1593","post","type-post","status-publish","format-standard","hentry","category-sap-updates","tag-brconnect","tag-brtadm","tag-brtools-ssfs","tag-ops-mechanism","tag-oracle-ssfs","tag-rsecssfs"],"_links":{"self":[{"href":"https:\/\/adilfahim.com\/myblog\/wp-json\/wp\/v2\/posts\/1593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adilfahim.com\/myblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adilfahim.com\/myblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adilfahim.com\/myblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/adilfahim.com\/myblog\/wp-json\/wp\/v2\/comments?post=1593"}],"version-history":[{"count":10,"href":"https:\/\/adilfahim.com\/myblog\/wp-json\/wp\/v2\/posts\/1593\/revisions"}],"predecessor-version":[{"id":1628,"href":"https:\/\/adilfahim.com\/myblog\/wp-json\/wp\/v2\/posts\/1593\/revisions\/1628"}],"wp:attachment":[{"href":"https:\/\/adilfahim.com\/myblog\/wp-json\/wp\/v2\/media?parent=1593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adilfahim.com\/myblog\/wp-json\/wp\/v2\/categories?post=1593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adilfahim.com\/myblog\/wp-json\/wp\/v2\/tags?post=1593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}