Take the following precautions to protect SAPR3 / SAP<SAPSID> and prevent unauthorized access to the database:
The password for SAPR3 / SAP<SAPSID> is stored in the SAPUSER table. Therefore, protect access to this table by regularly changing the password for <sapsid>adm.
To prevent someone from working around the OPS$ mechanism by using an .rhosts file, deactivate the UNIX service rlogin in the inetd.conf file.
Caution
In a distributed system, the client is responsible for the authorization checks for the operating system user <sapsid>adm. Therefore, make sure that only authorized persons have access to PC clients that directly access the database server.
Note
Do not change the value of the Oracle parameter REMOTE_OS_AUTHENT to FALSE. The OPS$ mechanism needs to be able to work from remote clients - for example, SAP System work processes need to be able to log on to the application servers as the user OPS$<sapsid>adm. Therefore, keep this parameter set to TRUE.
With the Oracle network protocol SQL*Net, you can also use the file sqlnet.ora to restrict access to the database using IP addresses. In this file, you specify invited and excluded IP addresses.
Example
tcp.validnode_checking = yes
tcp.invited_nodes = (139.185.5.73, ...)
tcp.excluded_nodes = (139.185.6.71, ...)
In this way, you can make sure that only specific hosts (for example, only the application server host) are capable of accessing the database.
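The two settings described above (rlogin deactivated in inetd.conf, valid node checking in sqlnet.ora) can be checked with a short script. This is an added example, not part of the original documentation; the function names, the sample file contents and the address 139.185.5.74 are constructed, and it assumes rlogin is registered in inetd.conf under its usual service name login.

```shell
#!/bin/sh
# Added example (not SAP's code): audit the inetd.conf and sqlnet.ora settings.

# Return 0 if inetd.conf has an active (uncommented) rlogin entry.
# Assumption: rlogin is registered under its usual service name "login".
rlogin_enabled() {
    awk '!/^[ \t]*#/ && $1 == "login" { found = 1 } END { exit !found }' "$1"
}

# Print the value of sqlnet.ora parameter $2 from file $1, whitespace removed.
sqlnet_param() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { name = tolower($1); gsub(/[ \t]/, "", name) }
        name == tolower(key) {
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
            print val; exit
        }' "$1"
}

# Return 0 only if valid node checking is on and an invited list is present.
validnode_enforced() {
    [ "$(sqlnet_param "$1" tcp.validnode_checking | tr 'A-Z' 'a-z')" = "yes" ] &&
        [ -n "$(sqlnet_param "$1" tcp.invited_nodes)" ]
}

# Return 0 if host $2 is in the invited list of sqlnet.ora file $1.
node_invited() {
    sqlnet_param "$1" tcp.invited_nodes | tr -d '()' | tr ',' '\n' | grep -Fxq "$2"
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/inetd.conf" <<'EOF'
ftp    stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd
login  stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
#shell stream tcp nowait root /usr/sbin/in.rshd    in.rshd
EOF
cat > "$tmp/sqlnet.ora" <<'EOF'
tcp.validnode_checking = yes
tcp.invited_nodes = (139.185.5.73, 139.185.5.74)
tcp.excluded_nodes = (139.185.6.71)
EOF

if rlogin_enabled "$tmp/inetd.conf"; then echo "FINDING: rlogin still active"; fi
validnode_enforced "$tmp/sqlnet.ora" || echo "FINDING: valid node checking not enforced"
node_invited "$tmp/sqlnet.ora" 139.185.5.73 && echo "OK: 139.185.5.73 is invited"
```

When both lists are set, Oracle gives tcp.invited_nodes precedence over tcp.excluded_nodes, so the invited list is the one to review first.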