sap database user profile sapuprof


Upload: martin-english

Post on 15-Sep-2015


DESCRIPTION

1519872 - SAP Database User Profile SAPUPROF

TRANSCRIPT

Based on 1519872 - SAP Database User Profile SAPUPROF

Symptom

Database User Profile SAPUPROF for SAP Schema

This note describes the configuration of an SAP installation with the SAP-specific database user profile SAPUPROF.

Symptom:

The SAP system does not start any more. SAP work processes cannot connect to the database any more.

SAP trace files contain errors similar to the following:

TRACE-INFO: 101: [ dbsloci.,00000] *** ERROR => CONNECT failed with sql error '28001'
TRACE-INFO: 102: [ dev trc,00000] set_ocica() -> SQL error code 28001
TRACE-INFO: 103: [ dev trc,00000] >oci_get_errmsg (con_hdl=0,rc=28001)
TRACE-INFO: 104: [ dev trc,00000] OCIErrorGet -> SQL error code: 28001
TRACE-INFO: 105: [ dev trc,00000] ORA-28001: the password has expired

'R3trans -d' shows 'ORA-28001: the password has expired' error in the log file trans.log.

[ dev trc,00000] OCISessionBegin(OCI_DEFAULT) failed with -1=OCI_ERROR
[ dev trc,00000] OCISessionBegin(OCI_DEFAULT) failed with SQL error 28001:
[ dev trc,00000] ORA-28001: the password has expired
[ dev trc,00000] Deallocating server context handle 0x1110e05e0 from con=0
[ dbsloci.,00000] *** ERROR => CONNECT failed with sql error '28001'
[ dev trc,00000] set_ocica() -> SQL error code 28001
[ dev trc,00000] -->oci_get_errmsg (con=0, rc=28001)
[ dev trc,00000] OCIErrorGet -> SQL error code: 28001
[ dev trc,00000] ORA-28001: the password has expired
[ dblink ,00433] ***LOG BY2=>sql error 28001 performing CON [dblink#8 @ 433]
[ dblink ,00433] ***LOG BY0=>ORA-28001: the password has expired [dblink#8 @ 433]

Other related symptoms: you get ORA-28000, ORA-28001 or ORA-28002 errors when you try to connect to the database as other database users (e.g. as database user SYSTEM).

Reason: The password of the SAP schema user has expired.

ORA-28001: the password has expired

The account status of the user is 'EXPIRED'. Example for SAP schema users SAPSR3 / SAPSR3DB:

SQL> select username, account_status from dba_users where username in ('SAPSR3', 'SAPSR3DB');

Cause:

With Oracle release 11g, passwords of database users with DEFAULT user profile expire after 180 days (PASSWORD_LIFE_TIME).

Every database user has a user profile that is assigned when the user is created or altered. The lifetime of the user password (PASSWORD_LIFE_TIME) is one property of a user profile.

If the database user profile SAPUPROF is not configured and the SAP schema user (e.g. SAPSR3, SAPSR3DB) still has the DEFAULT user profile assigned with PASSWORD_LIFE_TIME=180, then this is probably the source of the issue.

You can check which user profile is assigned:

SQL> select username, profile from dba_users where username in ('SAPSR3', 'SAPSR3DB');
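As an added example (not part of SAP note 1519872 or of the transcript above), the following query extends the check above: it joins DBA_USERS with DBA_PROFILES so that the account status, the assigned profile, the password expiry date and the PASSWORD_LIFE_TIME and FAILED_LOGIN_ATTEMPTS limits in force for the SAP schema users appear in one result. It assumes the schema user names SAPSR3 and SAPSR3DB used in the note; extend the IN list for other SAP application users.

```sql
-- Added example, not from SAP note 1519872: the password policy that is actually in
-- effect for the SAP schema users, so that an approaching or past expiry is visible
-- before the work processes fail with ORA-28001. Run as a DBA (sqlplus / as sysdba).
-- Assumption: schema user names SAPSR3 / SAPSR3DB as in the note; extend the IN list
-- for further SAP application users (SAP, SAPR3, ...).
SELECT u.username,
       u.account_status,                    -- OPEN, EXPIRED, EXPIRED(GRACE), LOCKED, ...
       u.profile,                           -- DEFAULT or SAPUPROF
       u.expiry_date,                       -- NULL when the password is not set to expire
       life.limit AS password_life_time,    -- 180 on an unmodified 11g DEFAULT profile
       fla.limit  AS failed_login_attempts  -- 10 on an unmodified 10.2+ DEFAULT profile
  FROM dba_users    u
  JOIN dba_profiles life
    ON life.profile       = u.profile
   AND life.resource_name = 'PASSWORD_LIFE_TIME'
  JOIN dba_profiles fla
    ON fla.profile        = u.profile
   AND fla.resource_name  = 'FAILED_LOGIN_ATTEMPTS'
 WHERE u.username IN ('SAPSR3', 'SAPSR3DB')
 ORDER BY u.username;
```

A LIMIT value of DEFAULT in DBA_PROFILES means the profile inherits that limit from the DEFAULT profile, so a user on a custom profile can still be subject to the 180-day lifetime if the custom profile does not set PASSWORD_LIFE_TIME itself. An EXPIRY_DATE in the past together with ACCOUNT_STATUS 'EXPIRED' corresponds to the ORA-28001 symptom described above; a date in the near future is the case that produces the ORA-28002 warning.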

Solution:

1. The password has expired. Therefore you must set a new password for the SAP schema user to change the account status back to 'OPEN'.

OS> brconnect -u / -f chpass -o

When finished, check the account status:

SQL> select username, account_status from dba_users where username in ('SAPSR3', 'SAPSR3DB');

2. To avoid having to set a new password for the SAP schema user every 180 days, you can install the database user profile SAPUPROF and assign this profile to the SAP schema user as described below.

Note: the account status 'EXPIRED' does not change to 'OPEN' when you assign a new user profile. If the password has already expired, you must set a new password.

Other Terms

Database Security
DBA_PROFILES
SAPUPROF
secconf.sql
DBA_USERS_WITH_DEFPWD

ORA-28000: the account is locked
ORA-28001: the password has expired
ORA-28002: the password will expire within string days

Reason and Prerequisites

Secure by Default

As of Oracle Database 10g Release 2 (10.2), the limit for FAILED_LOGIN_ATTEMPTS for the DEFAULT user profile is 10. Prior to Oracle Database 10g Release 2 (10.2), the default was UNLIMITED.

As a consequence of this change, the SAP application account was automatically locked after 10 failed login attempts, e.g. from a cron job trying to log into the database as the SAP application user with an invalid password. After the account was locked, SAP application work processes could no longer log on to the database (error ORA-28000: the account is locked), which could result in SAP system downtime.

To avoid the risk of SAP system downtime, the new Oracle limit '10' for FAILED_LOGIN_ATTEMPTS for the DEFAULT user profile was reverted to the (less secure) limit 'UNLIMITED' (see SAP note 951167).

As of Oracle Database 11g Release 2 (11.2), the default limit for PASSWORD_LIFE_TIME for the DEFAULT profile is 180 days. Prior to Oracle Database 11g Release 2 (11.2), the default was UNLIMITED.

Forcing a new password makes sense from a database security perspective for normal database users, but not necessarily for an application account.

Configuring a dedicated database user profile SAPUPROF for SAP application user(s) has the following advantages:

- Dedicated user profile SAPUPROF
- Adapted to the SAP application
- Allows further customization such as a password verify function (see SAP note 1522952)
- No modification of the DEFAULT user profile as described in SAP note 951167
- More secure -> Oracle's 'Secure by Default' configuration is not relaxed

Recommendations and Prerequisites

User profile SAPUPROF should be configured as of release 11.2.

During database upgrades to 11.2.0.2 or higher, it is automatically configured (see SAP note 1431793). For Oracle release 10.2, you can configure SAPUPROF.

Solution

Setting Password for SAP Schema User

If you need to set a new password (e.g. to solve an ORA-28001), use BRCONNECT.

OS> brconnect -u / -f chpass -o

Manual Configuration of User Profile SAPUPROF

Download sapuprof_profile.zip (see note 1519872), extract the file sapuprof_profile.sql and run it as the appropriate DBA user:

OS> unzip sapuprof_profile.zip
OS> sqlplus / as sysdba @sapuprof_profile

Running this script performs all of the following configuration steps:

1. Creating the new database user profile SAPUPROF:

SQL> CREATE PROFILE SAPUPROF LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED PASSWORD_LIFE_TIME UNLIMITED;

2. Assigning the user profile SAPUPROF to SAP application account(s):

SQL> ALTER USER <sap_application_user> PROFILE SAPUPROF;

Run this command for all SAP application users (SAPSR3, SAPSR3DB, SAP, SAPR3), replacing <sap_application_user> with the respective user name.

3. Reverting changes to the DEFAULT user profile

If the DEFAULT user profile was modified earlier as recommended in SAP Note 951167, this change is reverted to Oracle secure-by-default settings:

SQL> ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 10 PASSWORD_LIFE_TIME 180;

Security Recommendations

There is no need for a database administrator to connect to the database as the user of the SAP application (except in some rare support situations).

SQL scripts or shell scripts should never contain hardcoded passwords of the SAP application user.

Processes of the SAP application, and certain SAP tools like R3Load that belong to the SAP application, are the only programs that should connect to the database with the SAP application user.
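As a closing added example (not part of SAP note 1519872 or of sapuprof_profile.sql), the following PL/SQL block, run as SYSDBA, verifies that the three manual configuration steps above left the database in the intended state: SAPUPROF exists with both limits set to UNLIMITED, DEFAULT carries Oracle's secure-by-default values 10 and 180, and every existing SAP application user is assigned SAPUPROF with account status OPEN. The user names are the ones listed in the note; the procedure name check_limit and the error number -20001 are assumptions of this example. Add any further SAP application users of your installation to the list.

```sql
-- Added example, not from SAP note 1519872: verify the SAPUPROF configuration and
-- raise an error if anything deviates, so the check can be run unattended after the
-- configuration or as a periodic audit. Run as: sqlplus / as sysdba @verify_sapuprof
SET SERVEROUTPUT ON
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(128);
  -- Assumption: the SAP application user names from the note; extend as needed.
  sap_users  name_list := name_list('SAPSR3', 'SAPSR3DB', 'SAP', 'SAPR3');
  v_user     VARCHAR2(128);
  v_problems PLS_INTEGER := 0;

  -- Compare one profile limit with its expected value. DBA_PROFILES.LIMIT is a
  -- string, so 'UNLIMITED' and numeric limits such as '10' compare the same way.
  PROCEDURE check_limit(p_profile VARCHAR2, p_resource VARCHAR2, p_expected VARCHAR2) IS
    v_limit VARCHAR2(128);
  BEGIN
    SELECT p.limit INTO v_limit
      FROM dba_profiles p
     WHERE p.profile = p_profile AND p.resource_name = p_resource;
    IF v_limit <> p_expected THEN
      v_problems := v_problems + 1;
      DBMS_OUTPUT.PUT_LINE('MISMATCH: ' || p_profile || '.' || p_resource ||
                           ' = ' || v_limit || ', expected ' || p_expected);
    END IF;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      v_problems := v_problems + 1;
      DBMS_OUTPUT.PUT_LINE('MISSING: profile ' || p_profile || ' has no limit ' || p_resource);
  END check_limit;
BEGIN
  -- Step 1: SAPUPROF exists with the limits created by sapuprof_profile.sql.
  check_limit('SAPUPROF', 'FAILED_LOGIN_ATTEMPTS', 'UNLIMITED');
  check_limit('SAPUPROF', 'PASSWORD_LIFE_TIME',    'UNLIMITED');

  -- Step 3: DEFAULT is back at Oracle's secure-by-default values.
  check_limit('DEFAULT', 'FAILED_LOGIN_ATTEMPTS', '10');
  check_limit('DEFAULT', 'PASSWORD_LIFE_TIME',    '180');

  -- Step 2: every SAP application user that exists is on SAPUPROF and OPEN.
  -- Users that do not exist in this installation are simply skipped.
  FOR i IN 1 .. sap_users.COUNT LOOP
    v_user := sap_users(i);
    FOR r IN (SELECT username, profile, account_status
                FROM dba_users
               WHERE username = v_user) LOOP
      IF r.profile <> 'SAPUPROF' THEN
        v_problems := v_problems + 1;
        DBMS_OUTPUT.PUT_LINE('WRONG PROFILE: ' || r.username || ' uses ' || r.profile);
      END IF;
      IF r.account_status <> 'OPEN' THEN
        v_problems := v_problems + 1;
        DBMS_OUTPUT.PUT_LINE('NOT OPEN: ' || r.username || ' is ' || r.account_status);
      END IF;
    END LOOP;
  END LOOP;

  IF v_problems > 0 THEN
    -- -20001 is an arbitrary user-defined error number chosen for this example.
    RAISE_APPLICATION_ERROR(-20001, v_problems || ' SAPUPROF configuration problem(s) found');
  END IF;
  DBMS_OUTPUT.PUT_LINE('SAPUPROF configuration verified');
END;
/
```

A 'NOT OPEN' finding with status 'EXPIRED' is the situation handled in step 1 of the solution (set a new password with brconnect), and a 'WRONG PROFILE' finding means step 2 was not run for that user; in both cases the block fails, so that a scheduled run of it catches an expired or re-created SAP user before the work processes do.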