Former Member

REMOTE_OS_AUTHENT

Hi,

I'm an Oracle database security consultant, and I have a question regarding SAP installs on Oracle.

I've seen at a couple of customers' sites (who are running SAP) that they have the REMOTE_OS_AUTHENT parameter set to TRUE with an externally identified account "OPS$<sapsid>ADM".

Now this is a known Oracle security issue. It leaves all the data in the database vulnerable to query and update. I recommend to our clients that they change it, however they always respond with "but SAP requires it".

I've tried googling for a solution, with little success. The only half-solution I can find is from some SAP online documentation. See the link below.

http://help.sap.com/saphelp_nwmobile71/helpdata/en/8b/2488392020b625e10000000a114084/content.htm

The problem is that I don't know of many sites that would restrict database access by IP address as most sites run client software that accesses the database directly.

Has anyone seen a better solution for this?


2 Answers

  • Apr 07, 2008 at 04:57 PM

    Hello Simon,

    Your customers are right - the "REMOTE_OS_AUTHENT" is needed for running an SAP system.

    The only solutions to "protect" your database are:

    • Restrict db access from the network

    • Enable TCP.VALIDNODE_CHECKING as you mentioned in the link

    But wait: why protect your database from OPS$ access?

    The user OPS$* has only restricted access by default (SAPDBA role and access to the table SAPUSER, which includes the encrypted R/3 password for the SAP schema user).

    I don't think that it is necessary to protect the database from the REMOTE_OS_AUTHENT access. You cannot really do any bad things with that access.

    I can understand your point of view (as an Oracle security consultant), but these are the only solutions that you have.

    Regards

    Stefan


  • Apr 08, 2008 at 06:56 AM

    Hello Simon,

    Stefan is correct. To make the answer a little more complete, perhaps you can take a look at the SAP Note 700548 FAQ: Oracle authorizations.

    If I'm not wrong, any user of the SDN can access the notes using the search functionality; no need for access to SAP.

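A read-only way to check the point the thread disagrees on, added here as an example and not taken from either poster or from SAP: it shows whether remote OS authentication is enabled and what the OPS$ accounts are actually granted on a given system. It assumes a DBA session that can read the data dictionary views and the default OPS$ prefix named in the question.

```sql
-- Added example (not from the thread): audit REMOTE_OS_AUTHENT exposure.
-- Assumes the default prefix OPS$; adjust the LIKE patterns if query 1
-- shows a different os_authent_prefix.

-- 1. Is remote OS authentication enabled, and which prefix maps OS users
--    to database accounts?
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Which accounts can be reached through that prefix?
SELECT username, account_status, created
FROM   dba_users
WHERE  username LIKE 'OPS$%'
ORDER  BY username;

-- 3. Roles granted to those accounts (the answer expects only SAPDBA).
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee LIKE 'OPS$%'
ORDER  BY grantee, granted_role;

-- 4. System privileges held directly or through the roles from query 3.
--    Only one level of role nesting is followed here.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee LIKE 'OPS$%'
   OR  grantee IN (SELECT granted_role
                   FROM   dba_role_privs
                   WHERE  grantee LIKE 'OPS$%')
ORDER  BY grantee, privilege;

-- 5. Object privileges held directly or through those roles
--    (the answer expects access to the SAPUSER table).
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee LIKE 'OPS$%'
   OR  grantee IN (SELECT granted_role
                   FROM   dba_role_privs
                   WHERE  grantee LIKE 'OPS$%')
ORDER  BY grantee, owner, table_name, privilege;
```

Any row in queries 3 to 5 beyond what the answers describe is a grant to review against SAP Note 700548.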