Start of Content Area

Background documentation Data Storage Security  Locate the document in its SAP Library structure

The J2EE Engine provides a secure storage area where applications or service components on the J2EE Engine can store sensitive data such as passwords or communication destinations, in encrypted form. Data saved in this area is encrypted using a secret key that is created explicitly for the application or service component.

Secure Storage in the File System

By default, the J2EE Engine stores secure data in the file \usr\sap\<SID>\SYS\global\security\data\SecStore.properties in the file system. This file is created during installation and by default the J2EE Engine uses this file to store database connectivity information, such as the user SAP<SID>DB, its password, the database pool, as well as, information for the user Administrator and its password.

The J2EE Engine uses the SAP Java Cryptography Toolkit to encrypt the contents of the secure store with the triple DES algorithm. During the AS-Java installation, you specify a key phrase that the J2EE Engine installation uses to generate the key that is used to encrypt the secure store data. After the installation is complete, you can use the J2EE Engine Config Tool to change the key phrase and re-encrypt the secure store. For more information, see Managing Secure Storage in the File System in the Administration Manual.

Secure Storage for Application Specific Data

Applications or application components, deployed on the J2EE Engine, can save sensitive data in encrypted form in a secure storage area in the J2EE Engine’s configuration database. The data saved in this area is encrypted using a secret key that is created explicitly for the application or service. The J2EE Engine uses the triple DES algorithm to perform the encryption.

You can use two approaches for storing and maintaining the encrypted data for the individual applications or application components:

·        Centralized storage

With centralized storage, applications or application components use the Secure Storage service on the J2EE Engine to encrypt and decrypt the data. This data is also stored in the corresponding secure storage context on the J2EE Engine. You can control the parameters of this secure storage area from the properties of the Configuration Manager. For more information, see Configuration Manager in the Administration Manual.

·        Decentralized storage

With decentralized storage, the applications and application component maintain their own storage area for the encrypted data. They only uses the Secure Storage service on the J2EE Engine to retrieve the key, which is necessary to encrypt and decrypt the data.

Integration

Applications or services can use the J2EE Engine’s Secure Storage service to encrypt and store sensitive data such as passwords. To use the J2EE Engine secure store, applications or services are assigned a designated context area in the secure storage where the corresponding encrypted data is stored.

To receive a context area, J2EE Engine applications or services register with the secure storage service. The first time an application or service requests access to secure storage, the J2EE Engine registers the application or service, creates a context for the application or service, generates a secret key, and allows the application access to the context for future requests. For more information, see Secure Storage for Application-Specific Data in the Administration Manual.

Software Deployment Manager Password Security

The Software Deployment Manager (SDM) uses the database connection information, the J2EE Engine administrator user and password from the secure storage in the file system, to connect to the J2EE Engine and perform tasks such as software deployment and undeployment.

Caution

When you change the administrator’s password in other user stores, you also have to update the password in secure storage by using the Config Tool. Otherwise, functions that use the administrator user, for example SDM, will not be able to authenticate to the J2EE Engine and deploy software components.

In addition, the SDM server stores deployment and configuration information in the SDM repository file. By default, this file is located in the SDM directory folder \usr\sap\<SID>\<instance_number>\SDM\program\config in the file system.

Recommendation

The SDM repository stores the password for the SDM administrator user as an irreversible hash. We recommend that you control access to the SDM repository file by setting appropriate access control permissions and use only the SDM GUI and the provided SDM command line interface to change the SDM configuration and the password for the SDM administrator. For more information, see Working with the SDM and the SDM documentation in the SDM folder in the file system.

See also:

Administration Manual:

·        Changing the Administrator's Password and Updating it in Secure Storage

 

 

End of Content Area