Application Development Discussions

Impact of Security Config Hardening in Oracle Database to SAP

Former Member

Hi All,

The IT auditor recommended that we update the following password security settings in our SAP database (Oracle 11g):

PROFILE: SAPUPROF & DEFAULT

- FAILED_LOGIN_ATTEMPTS

- PASSWORD_LIFE_TIME

- PASSWORD_REUSE_TIME

- PASSWORD_REUSE_MAX

- PASSWORD_VERIFY_FUNCTION

- PASSWORD_LOCK_TIME

All of them are currently set to NULL, UNLIMITED, or DEFAULT.

The auditor recommended to update the configuration based on recommended practice below:

- FAILED_LOGIN_ATTEMPTS: between 3 and 5

- PASSWORD_LIFE_TIME: 90 days or less

- PASSWORD_REUSE_TIME: 365 days or higher

- PASSWORD_REUSE_MAX: 4 or higher

- PASSWORD_VERIFY_FUNCTION: ENABLED

- PASSWORD_LOCK_TIME: 5 days or higher

My question is:

Is there any negative impact to the SAP server functionality if we upgrade the password security based on the recommended practice?

Please advise.

Thank you.

Aiven.
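The following is an added example, not part of the original post. It shows how to see the current state of the two profiles named above and how the auditor's ranges translate into Oracle profile limits. The profile names SAPUPROF and DEFAULT come from the question; the concrete values (5 attempts, 90 days, and so on) are assumptions picked from inside the recommended ranges, and VERIFY_FUNCTION_11G is the sample function created by the utlpwdmg.sql script that ships with Oracle 11g. Run it as SYS or SYSTEM on a copy of the system first.

```sql
-- Added example (not from the original post). Assumptions: profile names
-- SAPUPROF/DEFAULT from the question; limit values chosen inside the
-- auditor's ranges; VERIFY_FUNCTION_11G comes from Oracle's utlpwdmg.sql.

-- 1. Current state: which password limits are NULL, DEFAULT or UNLIMITED?
--    A limit of DEFAULT in SAPUPROF inherits whatever DEFAULT profile says,
--    so hardening DEFAULT alone silently changes SAPUPROF as well.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND profile IN ('SAPUPROF', 'DEFAULT')
 ORDER BY profile, resource_name;

-- 2. Create the sample verify function. Review the script before running it:
--    in 11g it also issues its own ALTER PROFILE DEFAULT with Oracle's sample
--    limits, which the explicit statements below then overwrite.
@?/rdbms/admin/utlpwdmg.sql

-- 3. DEFAULT profile: the auditor's ranges applied literally. Both reuse
--    limits must be integers; if both are UNLIMITED Oracle ignores them.
ALTER PROFILE default LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       5
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       4
  PASSWORD_VERIFY_FUNCTION verify_function_11g;

-- 4. SAPUPROF: set every limit explicitly rather than leaving DEFAULT, so the
--    behaviour of the SAP schema user is a deliberate decision.
ALTER PROFILE sapuprof LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       5
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       4
  PASSWORD_VERIFY_FUNCTION verify_function_11g;

-- 5. Caveat check: PASSWORD_LIFE_TIME is measured from each user's last
--    password change, not from now. A SAP schema password last changed a
--    year ago enters its grace period immediately, so look at EXPIRY_DATE
--    before the next restart.
SELECT username, profile, account_status, expiry_date
  FROM dba_users
 WHERE profile IN ('SAPUPROF', 'DEFAULT')
 ORDER BY expiry_date NULLS LAST;
```

Step 5 is the check that answers the question directly: any user whose EXPIRY_DATE is now in the past or within the grace period, including the SAP schema user, will start failing logons once the grace period ends.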


ACE-SAP
Active Contributor

Hello

The impact will be that you will need to update the sapsr3 password in table SAPUSER every time you change it at the Oracle level (using brconnect -f chpass -o sapr3 -p <new_password>).

If you forget (to change the password at the Oracle level or to update it in SAPUSER), your SAP system won't be able to connect to the DB and thus won't work (not starting, or suspended).

Even if you use SSFS instead of OPS$, you will have the same problem.

So it is feasible but it will generate extra work and create a risk for your system.

It's a matter of finding a good balance between security requirements / extra admin work / system availability.

SAP considers that, as the SAPSR3 account is not used by humans, it is not subject to password disclosure, so enforcing password changes is not required.

1519872 - SAP Database User Profile SAPUPROF

There is no need for a database administrator to connect to the database as the user of the SAP application (except some rare support situations).

SQL scripts or shell scripts should never contain hardcoded passwords of the SAP application user.

Processes of the SAP application - and certain SAP tools like R3Load that belong to the SAP application - are the only programs that should connect to the database with the SAP application user.

By the way, did you set up the option "tcp.validnode_checking" in the sqlnet.ora file?

This is a far more important/efficient option for Oracle security than forcing password expiration.

( 186119 - Restricting DB access to specific hosts )

Regards

1622837 - Secure connection of AS ABAP to Oracle via SSFS

562863 - FAQ: Logon mechanisms

1627312 - ORA-28001: the password has expired - during system startup
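The following is an added example, not part of the reply above, showing the operational side of the trade-off it describes: keep the human accounts in a hardened DEFAULT profile, keep expiry and lockout off the application account that nobody types a password for, and rotate the SAPSR3 password in an order that does not produce the ORA-28001 outage. The names SAPSR3, SAPUPROF, DEFAULT and the brconnect command are taken from the thread; the limit values, the hypothetical user DBA_JSMITH and the 14-day warning window are assumptions. The idea that a lockout limit on the application account is itself an availability risk is this editor's caveat, not something the reply states.

```sql
-- Added example (not from the original reply). Assumptions: SAPSR3 is the SAP
-- schema user in profile SAPUPROF; DBA_JSMITH is a hypothetical human account;
-- VERIFY_FUNCTION_11G exists (created by Oracle's utlpwdmg.sql).

-- A. Who is really in SAPUPROF? It should contain only the SAP schema user(s).
--    Anything else here is a human account that should get the hardened
--    DEFAULT profile instead.
SELECT username, profile, account_status, expiry_date, lock_date
  FROM dba_users
 WHERE profile = 'SAPUPROF'
 ORDER BY username;

ALTER USER dba_jsmith PROFILE default;   -- hypothetical human account, moved out

-- B. Application profile: no expiry and no lockout (editor's caveat: with a
--    lockout limit, anyone who can reach the listener can stop SAP by failing
--    logons as SAPSR3, which is why restricting reachability with
--    tcp.validnode_checking matters more than a lock), but still a strong
--    password and no reuse when the password is rotated deliberately.
ALTER PROFILE sapuprof LIMIT
  FAILED_LOGIN_ATTEMPTS    UNLIMITED
  PASSWORD_LIFE_TIME       UNLIMITED
  PASSWORD_GRACE_TIME      UNLIMITED
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       4
  PASSWORD_VERIFY_FUNCTION verify_function_11g;

-- C. Deliberate rotation of the SAPSR3 password (e.g. after a suspected leak),
--    in the order that avoids the outage the reply warns about:
--    1. change it in Oracle (the new value must pass the verify function)
ALTER USER sapsr3 IDENTIFIED BY "<new_password>";
--    2. at OS level, immediately store it where SAP reads it (SAPUSER or SSFS),
--       using the command quoted in the reply:
--         brconnect -f chpass -o sapr3 -p <new_password>
--    3. at OS level, confirm SAP can still connect before touching anything
--       else:  R3trans -d   (return code 0000 = connection OK)

-- D. Early warning for every remaining account with a finite lifetime:
--    anything that expires within the next 14 days (assumed window).
SELECT username, profile, account_status, expiry_date
  FROM dba_users
 WHERE account_status IN ('OPEN', 'EXPIRED(GRACE)')
   AND expiry_date < SYSDATE + 14
 ORDER BY expiry_date;
```

The host restriction the reply points to is not a database setting and so is not in the block: it is the pair of sqlnet.ora parameters tcp.validnode_checking = yes and tcp.invited_nodes = (list of the SAP application server hosts), after which a listener reload is needed and any host not on the list is refused at the network layer regardless of which password it holds.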