Protecting the SAP Database User

Procedure

Take the following precautions to protect SAPR3 / SAP<SAPSID> and prevent unauthorized access to the database:

  • The password for SAPR3 / SAP<SAPSID> is stored in the SAPUSER table. Therefore, protect access to this table by regularly changing the password for <sapsid>adm.

  • To prevent someone from working around the OPS$ mechanism by using an .rhosts file, deactivate the UNIX service rlogin in the inetd.conf file.

    Caution

    In a distributed system, the client is responsible for the authorization checks for the operating system user <sapsid>adm. Therefore, make sure that only authorized persons have access to PC clients that directly access the database server.


    Note

    Do not change the value of the Oracle parameter REMOTE_OS_AUTHENT to FALSE. The OPS$ mechanism needs to be able to work from remote clients - for example, SAP System work processes need to be able to log on to the application servers as the user OPS$<sapsid>adm. Therefore, keep this parameter set to TRUE.

  • With the Oracle network protocol SQL*Net, you can also use the file sqlnet.ora to restrict access to the database using IP addresses. In this file, you specify invited and excluded IP addresses.

    Example

    tcp.validnode_checking = yes
    tcp.invited_nodes = (139.185.5.73, ...)
    tcp.excluded_nodes = (139.185.6.71, ...)


    In this way, you can make sure that only specific hosts (for example, only the application server host) are capable of accessing the database.
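
The following check is an added example, not part of the SAP documentation: it parses the valid-node settings of a sqlnet.ora file and compares them with the hosts that are supposed to reach the database. The function names, the sample file and the address 139.185.5.74 are constructed for illustration, and the parser assumes each parameter is written on a single line.

```python
import re

# Constructed sample file; 139.185.5.74 is a made-up second application server.
SAMPLE = """\
# sqlnet.ora (constructed sample)
tcp.validnode_checking = yes
tcp.invited_nodes = (139.185.5.73, 139.185.5.74)
tcp.excluded_nodes = (139.185.6.71)
"""

def parse_sqlnet(text):
    """Return {lowercased parameter: [values]} for 'name = value' and 'name = (a, b)' lines."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and padding
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if not m:
            continue
        values = [v.strip() for v in m.group(2).strip("() ").split(",")]
        params[m.group(1).lower()] = [v for v in values if v]
    return params

def audit(text, expected_hosts):
    """List deviations between the node lists and the hosts allowed to access the database."""
    p = parse_sqlnet(text)
    expected = set(expected_hosts)
    findings = []
    # Without valid node checking the invited/excluded lists have no effect.
    if p.get("tcp.validnode_checking", ["no"])[0].lower() != "yes":
        findings.append("tcp.validnode_checking is not 'yes': node lists are not enforced")
    invited = set(p.get("tcp.invited_nodes", []))
    excluded = set(p.get("tcp.excluded_nodes", []))
    if not invited:
        findings.append("tcp.invited_nodes is empty or missing")
    for host in sorted(invited - expected):
        findings.append(f"unexpected invited node: {host}")
    for host in sorted(expected - invited):
        findings.append(f"expected host not invited: {host}")
    for host in sorted(invited & excluded):
        findings.append(f"node in both invited and excluded lists: {host}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["139.185.5.73"]):
        print(finding)
```

An empty result from audit() means that checking is enabled and the invited list matches the expected hosts exactly.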