| Version / Date | 42 / 2006-07-05 |
| Priority | Recommendations/additional info |
| Category | Installation information |
| Primary Component | BC-DB-ORA Oracle |
| Secondary Components | BC-INS-NT Installation Windows |
| Summary |
|---|
| Symptom Creating OPS$ users on Windows NT/Oracle Other terms SQL*NetV2 SQL*NetV1 OPS$ ops$ Password change Changing the password OPS$ user Reason and Prerequisites OPS$ users should be created on the ORACLE database for R/3 users SAPService<SAPSID> and <SAPSID>ADM. Solution You can use the ORACLE OPS$ user mechanism to assign a password other than 'sap' to the user 'sapr3' in the SAP System. This prevents unauthorized access to the database, as only the operating system users of the SAP System (normally SAPService <SAPSID> and <SAPSID>ADM) have access to the password of user 'sapr3' in the database. Furthermore, the OPS$ mechanism is required for backup planning using transaction DB13 in CCMS. In Windows NT SQL*Net V1, this mechanism only works in central systems. With the ORACLE network protocol SQL*Net V2, you can use the OPS$ user mechanism in both central and distributed SAP Systems. However, if you use the OPS$ in distributed systems, the following parameter must be set in the file init<SAPSID>.ora. "remote_os_authent=TRUE" (not Oracle 8.*) To set up SQL*Net V2, refer to Note 48736. Contents Ia Creating OPS$ users (up to Release 4.0B) Ib Creating OPS$ users (as of Release 4.0B) Ic Creating OPS$ users (as of Oracle 8.1.6) Id Creating OPS$ users in mixed environments (as of 8.1.6) IIa Changing the password for user 'sapr3' (< Oracle 8.1.6) IIb Changing the password for user 'sapr3' (Oracle 8.1.6) IIc Changing the password for user 'SAP<SID>'(> Oracle 8.1.6) Ia Creating OPS$ users (up to Release 4.0B) The OPS$ user has to be created for the following users:
Note that you may need to adapt the commands given below (How to create user <SAPSID>ADM) to the user that you are using. This might be the case, for example, if you installed the latest R/3 Version by repeated upgrades starting from a very old R/3 Release. Please proceed as follows to create both OPS$ users (sample commands for user <SAPSID>ADM and SAPSERVICE<SAPSID>): How to create user <SAPSID>ADM
All the following actions have to be carried out on this host.
'create user OPS$<SAPSID>ADM default tablespace psapuser1d temporary tablespace psaptemp identified externally;' 'grant connect, resource to OPS$<SAPSID>ADM;' 'connect /' 'create table SAPUSER ( USERID VARCHAR2(256), PASSWD VARCHAR2 (256));' 'insert into SAPUSER values ('SAPR3', '<password>');' 'connect internal' 'alter user sapr3 identified by <password>;' How to create user SAPSERVICE<SAPSID>
'create user OPS$SAPSERVICE<SAPSID> default tablespace psapuser1d temporary tablespace psaptemp identified externally;' 'grant connect, resource to OPS$SAPSERVICE<SAPSID>;' 'create public synonym sapuser for OPS$<SAPSID>ADM.SAPUSER;' 'connect /' 'grant select on sapuser to OPS$SAPSERVICE<SAPSID>;' The R/3 processes can now log on with the new password after reading the password from table SAPUSER in the database. Ib Creating OPS$ users (as of Release 4.0B) For the creation and change of OPS$ users SQL scripts are available as of SAP R/3 Version 4.0B under Oracle 8.0.6. Oracle 8.0.6: Open a DOS BOX, and change to the directory \orant\orainst. Oracle 8.1.5: the scripts are no longer automatically copied to Orainst during the Oracle installation and must therefore be copied manually from the RDMBS CD (directory \SAP) to a writeable working directory. Execute the following command under user <SID>ADM: plus80 internal @sapuser.sql (Oracle 8.0.6) sqlplus internal @sapuser.sql (Oracle 8.1.5) You will be prompted for a new password for the database user sapr3. After successful completion of sapuser.sql the following line is displayed: | Script sapuser.sql successfully finished | If this line is not displayed, check the file sapuser.log in the same directory for possible error causes and consult your SAP Support center, if necessary. You can also use this procedure to change the password for the database user sapr3. Ic Creating OPS$ users (as of Oracle 8.1.6) On Oracle 8.1.6, security for OPS$ access has been enhanced by including the domain name in the OPS$ user names. Creating the OPS$ user is done using script oradbusr.sql. By mistake, there are two different scripts that share the same name but with a different number of parameters. With the older script, two parameters are used. With the new script, three parameters ('schemaowner' added) are used. The old version with two parameters is contained on the RDBMS CD, on earlier Kernel CDs, and in the installation directory. A current version has also been appended to this note. The new version with three parameters is contained in the new installation kits. The new version must be used as of Version 6.10 and in MCOD systems as of 4.6. As of Oracle Version 10 use the script contained in archive oradbusr10.zip. You can find out whether you have the new script or the old script installed as follows: Open script 'oradbusr.sql' using a text editor. If 'oradbusrSD.sql' is listed under 'Usage', you have the new version. If 'oradbusr.sql' is listed, you have the old version. Execute the following command to set up the OPS$ user: New script: sqlplus /NOLOG @oradbusr.sql <schemaowner> NT <userdomain> Old script: sqlplus /NOLOG @oradbusr.sql NT <userdomain> Set the domain name of the domain for <userdomain> in which the user <SID>ADM was created. This usually corresponds to the value of the environment variable USERDOMAIN if you have logged on as <SID>ADM. You can find out what the current value of the environment variable is set USER in a command prompt. For <schemaowner>, you may need to set a different value if you use the new oradbusr.sql script: Up to Version 4.6D, use 'SAPR3' for 'schemaowner'. As of Version 6.10, use 'SAP<SID>' for 'schemaowner'. You can also use the environment variable to check which value you need to set for 'schemaowner': If the environment variable was set to DBS_ORA_SCHEMA, use the value specified there (SAPR3 or SAP<SID>). If DBS_ORA_SCHEMA was not set, use 'SAPR3'. Now you need to set the password for user sapr3 acc. to IIb or IIc. Id Creating OPS$ users in mixed environments (as of 8.1.6) This section describes the creation of the OPS$ access in mixed environments, i.e. the Oracle client (R/3 Application Server) and the Oracle database are operated on different platforms (Unix / Windows).
sqlplus /nolog sqlplus> connect / as sysdba
As a general rule, the user name and the domain of the Windows user, under which the SAP service was started on the NT computer, must be used. If the service is started with a local user, use the host name of the Application Server as the domain name. Some Unix derivatives can only manage users with a user name length of 8 characters. In this case, unlike with the SAP standard, user <SID>adm was entered as service user. Likewise, user "OPS$<DOMAIN>\<SID>ADM" must be registered in the Oracle database. The OPS$ user names for the Windows users must be delimited by double quotes, since the character string contains the "\" character. In this case, the user name must be written in uppercase letters as the case is observed when inserting character strings that are limited by quotes! IIa Changing the password for the user 'sapr3' If the OPS$ user has already been created as described above, the password for the 'sapr3' user can be changed at any time. As user <SAPSID>ADM, you must follow two steps (replace <new password> with the new password for the user 'sapr3'):
All the following actions have to be carried out on this host.
'update OPS$<SAPSID>ADM.SAPUSER set PASSWD='<new password>' where USERID='SAPR3';'
'connect internal' 'alter user sapr3 identified by <new password>;' IIb Changing the password for user 'sapr3' (Oracle 8.1.6) To do this, call BRCONNECT as follows: brconnect -u system/<syst_pwd> -f chpass -o sapr3 -p <new_sap_pwd> You do not need to carry out the steps under IIa. IIc Changing the password for user 'schemaowner>' (as of Oracle 8.1.7) Applies to MCOD systems or installations with kernel version > 4.6D brconnect -u system/<syst_pwd> -f chpass -o sap<sid> -p <new_sap_pwd> You do not need to carry out the steps under IIa. |
| Affected Releases | ||||
|---|---|---|---|---|
| Software Component | Release | From Release | To Release | And subsequent |
| SAP_APPL | 30 | 30D | 31I | |
| SAP_APPL | 40 | 40A | 40A | |
| SAP_APPL | 45 | 45B | 45B | |
| SAP_APPL | 46 | 46A | 46B | X |
| SAP_APPL | 46C | 46C | 46C | |
| SAP_APPL | 470 | 470 | 470 | |
| Related Notes | |
|---|---|
| 575280 | Add info about upgrade to SAP Web AS 6.20 ORACLE 9.2.0 |
| 491598 | Additional info on upgrading to SAP Web AS 6.20 ORACLE 8.1.x |
| 437648 | DB13: External program terminated with exit code 1/2 |
| 401721 | on upgrading to SAPWeb AS 6.10 ORACLE |
| 400241 | Problems with ops$ or sapr3 connect to Oracle |
| 357194 | ORA-00900 when importing SQL scripts |
| 303461 | Additions to Upgrade to Basis 4.6D Oracle |
| 201874 | Additions for upgrade to 4.6C/4.6C SR1/4.6C SR2 Oracle |
| 186119 | Restricting DB access to specific hosts |
| 134592 | Importing the SAPDBA role (sapdba_role.sql) |
No comments:
Post a Comment