50088 - Creating OPS$ users on Windows NT/Oracle

Version: 42
Validity: 06.06.2008 - active
Language: English
Released On: 05.07.2006 14:52:07
Release Status: Released for Customer
Component: BC-DB-ORA Oracle
Other Components: BC-INS-NT Installation Windows
Priority: Recommendations / Additional Info
Category: Installation information

0000050088


8/12/2019 0000050088

http://slidepdf.com/reader/full/0000050088 1/5

SAP Note 

Header Data

Symptom 

Creating OPS$ users on Windows NT/Oracle

Other Terms 

SQL*NetV2, SQL*NetV1, OPS$, ops$, Password change, Changing the password, OPS$ user

Reason and Prerequisites 

OPS$ users should be created on the ORACLE database for R/3 users SAPService<SAPSID> and <SAPSID>ADM.

Solution 

You can use the ORACLE OPS$ user mechanism to assign a password other than 'sap' to the user 'sapr3' in the SAP System. This prevents unauthorized access to the database, as only the operating system users of the SAP System (normally SAPService<SAPSID> and <SAPSID>ADM) have access to the password of user 'sapr3' in the database.

Furthermore, the OPS$ mechanism is required for backup planning using transaction DB13 in CCMS.

In Windows NT SQL*Net V1, this mechanism only works in central systems. With the ORACLE network protocol SQL*Net V2, you can use the OPS$ user mechanism in both central and distributed SAP Systems. However, if you use OPS$ in distributed systems, the following parameter must be set in the file init<SAPSID>.ora:

"remote_os_authent=TRUE" (not Oracle 8.*)

To set up SQL*Net V2, refer to Note 48736.

Contents

Ia Creating OPS$ users (up to Release 4.0B)
Ib Creating OPS$ users (as of Release 4.0B)
Ic Creating OPS$ users (as of Oracle 8.1.6)
Id Creating OPS$ users in mixed environments (as of 8.1.6)
IIa Changing the password for user 'sapr3' (< Oracle 8.1.6)
IIb Changing the password for user 'sapr3' (Oracle 8.1.6)
IIc Changing the password for user 'SAP<SID>' (> Oracle 8.1.6)

Ia Creating OPS$ users (up to Release 4.0B) 

The OPS$ user has to be created for the following users:

1. A user who logs on to the database outside of the SAP system.

If you call programs which make a connection to the database via another user (for example, program "tp"), then you must create an OPS$ user for this user. In general, this is user <SAPSID>ADM.

2. A user under which the SAP System is started.

You can find this specified user under "Control Panel" -> "Administrative Tools" -> "Services".

a) Select the service SAP<SAPSID>_<Instance_ID> from the service list.

b) Choose "Startup". The specified user, under which the SAP system is started, is shown in the field "Log on As".

In general, the SAP System is started under user SAPService<SAPSID>.

Note that you may need to adapt the commands given below (How to create user <SAPSID>ADM) to the user that you are using. This might be the case, for example, if you installed the latest R/3 Version by repeated upgrades starting from a very old R/3 Release.

Please proceed as follows to create both OPS$ users (sample commands for user <SAPSID>ADM and SAPSERVICE<SAPSID>):

How to create user <SAPSID>ADM 

1. Stop the SAP System.

2. Log on as user <SAPSID>ADM to the host on which the R/3 database for the SAP System is running. All the following actions have to be carried out on this host.

3. Start sqldba72 (or svrmgr23, svrmgr30) and log on to the database with 'connect internal'.

4. Execute the following commands in the database one after the other. Replace <SAPSID> with the corresponding SAP system ID for your system:

'create user OPS$<SAPSID>ADM default tablespace psapuser1d temporary tablespace psaptemp identified externally;'

'grant connect, resource to OPS$<SAPSID>ADM;'

'connect /'

'create table SAPUSER( USERID VARCHAR2(256), PASSWD VARCHAR2 (256));'

'insert into SAPUSER values ('SAPR3', '<password>');'

'connect internal'

'alter user sapr3 identified by <password>;'

How to create user SAPSERVICE<SAPSID> 

1. Log on as user <SAPSID>ADM to the host on which the R/3 database for the SAP System is running.

2. Start sqldba72 (or svrmgr23, svrmgr30) and log on to the database with 'connect internal'.

3. Execute the following commands in the database one after the other. Replace <SAPSID> with the corresponding SAP system ID for your system:

'create user OPS$SAPSERVICE<SAPSID> default tablespace psapuser1d temporary tablespace psaptemp identified externally;'

'grant connect, resource to OPS$SAPSERVICE<SAPSID>;'

'create public synonym sapuser for OPS$<SAPSID>ADM.SAPUSER;'

'connect /'

'grant select on sapuser to OPS$SAPSERVICE<SAPSID>;'

The R/3 processes can now log on with the new password after reading the password from table SAPUSER in the database.

Ib Creating OPS$ users (as of Release 4.0B) 

SQL scripts for creating and changing OPS$ users are available as of SAP R/3 Version 4.0B under Oracle 8.0.6.

Oracle 8.0.6: Open a DOS box and change to the directory \orant\orainst.

Oracle 8.1.5: The scripts are no longer automatically copied to Orainst during the Oracle installation and must therefore be copied manually from the RDBMS CD (directory \SAP) to a writeable working directory.

Execute the following command under user <SID>ADM:

plus80 internal @sapuser.sql (Oracle 8.0.6)
sqlplus internal @sapuser.sql (Oracle 8.1.5)

You will be prompted for a new password for the database user sapr3. After successful completion of sapuser.sql the following line is displayed:

| Script sapuser.sql successfully finished | 

If this line is not displayed, check the file sapuser.log in the same directory for possible error causes and consult your SAP Support center, if necessary.

You can also use this procedure to change the password for the database user sapr3.

Ic Creating OPS$ users (as of Oracle 8.1.6) 

On Oracle 8.1.6, security for OPS$ access has been enhanced by including the domain name in the OPS$ user names. The OPS$ user is created using the script oradbusr.sql.

By mistake, there are two different scripts that share the same name but take a different number of parameters. The older script uses two parameters. The new script uses three parameters ('schemaowner' added).

The old version with two parameters is contained on the RDBMS CD, on earlier Kernel CDs, and in the installation directory. A current version has also been appended to this note.

The new version with three parameters is contained in the new installation kits. The new version must be used as of Version 6.10 and in MCOD systems as of 4.6.

As of Oracle Version 10, use the script contained in archive oradbusr10.zip.

You can find out whether you have the new script or the old script installed as follows: Open script 'oradbusr.sql' using a text editor. If 'oradbusrSD.sql' is listed under 'Usage', you have the new version. If 'oradbusr.sql' is listed, you have the old version.

Execute the following command to set up the OPS$ user:

New script: sqlplus /NOLOG @oradbusr.sql <schemaowner> NT <userdomain>

Old script: sqlplus /NOLOG @oradbusr.sql NT <userdomain>

For <userdomain>, set the name of the domain in which the user <SID>ADM was created. This usually corresponds to the value of the environment variable USERDOMAIN if you have logged on as <SID>ADM. You can find out the current value of the environment variable with

set USER

in a command prompt.

For <schemaowner>, you may need to set a different value if you use the new oradbusr.sql script:
Up to Version 4.6D, use 'SAPR3' for 'schemaowner'.
As of Version 6.10, use 'SAP<SID>' for 'schemaowner'.

You can also use the environment variable to check which value you need to set for 'schemaowner': If the environment variable DBS_ORA_SCHEMA is set, use the value specified there (SAPR3 or SAP<SID>). If DBS_ORA_SCHEMA is not set, use 'SAPR3'.

Now you need to set the password for user sapr3 according to IIb or IIc.

Id Creating OPS$ users in mixed environments (as of 8.1.6)

This section describes the creation of the OPS$ access in mixed environments, i.e. the Oracle client (R/3 Application Server) and the Oracle database are operated on different platforms (Unix / Windows).

1. Log on to the database server as user <SID>adm.

2. Start sqlplus:

sqlplus /nolog
sqlplus> connect / as sysdba

- If the database server runs on a Unix computer:

sqlplus> create user "OPS$<DOMAIN>\SAPSERVICE<SID>" identified externally;
sqlplus> grant connect, resource to "OPS$<DOMAIN>\SAPSERVICE<SID>";
sqlplus> connect /
sqlplus> grant select, insert, update on sapuser to "OPS$<DOMAIN>\SAPSERVICE<SID>";
sqlplus> exit

- If the database server runs on a Windows computer:

sqlplus> create user OPS$<SID>ADM identified externally;
sqlplus> grant connect, resource to OPS$<SID>ADM;
sqlplus> connect /
sqlplus> grant select, insert, update on sapuser to OPS$<SID>ADM;

Note:

As a general rule, the user name and the domain of the Windows user, under which the SAP service was started on the NT computer, must be used. If the service is started with a local user, use the host name of the Application Server as the domain name.

Some Unix derivatives can only manage users with a user name length of 8 characters. In this case, unlike with the SAP standard, user <SID>adm was entered as service user. Likewise, user "OPS$<DOMAIN>\<SID>ADM" must be registered in the Oracle database.

The OPS$ user names for the Windows users must be delimited by double quotes, since the character string contains the "\" character. In this case, the user name must be written in uppercase letters, as case is preserved when inserting character strings that are delimited by quotes!
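To check the result of the procedures in sections Ia to Id, the following audit queries can be run in SQL*Plus from a DBA session. This is an added example, not part of the SAP Note; it assumes only the standard Oracle dictionary views DBA_USERS, DBA_ROLE_PRIVS, DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_SYNONYMS and V$PARAMETER.

```sql
-- Added audit example (not from the SAP Note). Run as a DBA in SQL*Plus.

-- 1. OS-authenticated accounts created by the procedures above.
SELECT username, default_tablespace, temporary_tablespace, created
  FROM dba_users
 WHERE username LIKE 'OPS$%'
 ORDER BY username;

-- 2. Roles held by those accounts (the Note grants CONNECT and RESOURCE).
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee LIKE 'OPS$%'
 ORDER BY grantee, granted_role;

-- 3. Every explicit grant on the password table SAPUSER. Any grantee that
--    is not an OPS$ account (PUBLIC included) is flagged for review.
SELECT owner, table_name, grantee, privilege,
       DECODE(SUBSTR(grantee, 1, 4), 'OPS$', 'expected', 'REVIEW') AS status
  FROM dba_tab_privs
 WHERE table_name = 'SAPUSER'
 ORDER BY grantee;

-- 4. Accounts that can read SAPUSER without any object grant.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY TABLE'
 ORDER BY grantee;

-- 5. Where the SAPUSER synonym points
--    (section Ia creates it on OPS$<SAPSID>ADM.SAPUSER).
SELECT owner, synonym_name, table_owner, table_name
  FROM dba_synonyms
 WHERE synonym_name = 'SAPUSER';

-- 6. OS-authentication parameters. remote_os_authent = TRUE means the
--    database accepts the OS user name reported by a remote client, so
--    the set of hosts that can reach the listener matters.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');
```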

IIa Changing the password for the user 'sapr3' 

If the OPS$ user has already been created as described above, the password for the 'sapr3' user can be changed at any time. As user <SAPSID>ADM, you must follow two steps (replace <new password> with the new password for the user 'sapr3'):

1. Stop the SAP System.

2. Log on as user <SAPSID>ADM to the host on which the R/3 database for the SAP System is running. All the following actions have to be carried out on this host.

3. Change the entry for the user 'sapr3' in table SAPUSER.

a) Start sqldba72 (or svrmgr23, svrmgr30) and log on to the database with 'connect internal'.

b) Execute an update on the table SAPUSER.

'update OPS$<SAPSID>ADM.SAPUSER set PASSWD='<new password>' where USERID='SAPR3';'

4. Change the password for the 'sapr3' user in the database with the following commands:

'connect internal'

'alter user sapr3 identified by <new password>;'

IIb Changing the password for user 'sapr3' (Oracle 8.1.6)

To do this, call BRCONNECT as follows:

brconnect -u system/<syst_pwd> -f chpass -o sapr3 -p <new_sap_pwd>

You do not need to carry out the steps under IIa.

IIc Changing the password for user '<schemaowner>' (as of Oracle 8.1.7)

Applies to MCOD systems or installations with kernel version > 4.6D

brconnect -u system/<syst_pwd> -f chpass -o sap<sid> -p <new_sap_pwd>

You do not need to carry out the steps under IIa.

Other Attributes

Transaction codes: DB13, MCOD
Operating system: NT/ALPHA, NT/ALPHA3.5.1, NT/INTEL, NT/INTEL3.5.1, NT/INTEL4.0
Database System: ORACLE, ORACLE 7.2

Validity

Software Component  From Rel.  To Rel.  And Subsequent
SAP_APPL            30D        31I
SAP_APPL            40A        40A
SAP_APPL            45B        45B
SAP_APPL            46A        46B
SAP_APPL            46C        46C
SAP_APPL            470        470

References

This document refers to:

SAP Notes

134592 Importing the SAPDBA role (sapdba_role.sql)
186119 Restricting DB access to specific hosts
1868094 Overview: Oracle Security SAP Notes
1911785 Password expiration date shown for OPS$ users in DBA_USERS
201874 Additions for upgrade to 4.6C/4.6C SR1/4.6C SR2 Oracle
303461 Additions to Upgrade to Basis 4.6D Oracle
357194 ORA-00900 when importing SQL scripts
400241 Problems with ops$ or sapr3 connect to Oracle
401721 on upgrading to SAP Web AS 6.10 ORACLE
437648 DB13: External program terminated with exit code 1/2
491598 Additional info on upgrading to SAP Web AS 6.20 ORACLE 8.1.x
575280 Add info about upgrade to SAP Web AS 6.20 ORACLE 9.2.0
8523 DB backups using CCMS do not work


This document is referenced by:

SAP Notes (3)

89655 ORA-1004:"default username feature not supported"
93292 Additional Info: Upgrading to 4.0A ORACLE
95719 SAPDBA/BRBACKUP: ORA-1031 after migration to Oracle8
361641 Creating OPS$ users on UNIX
1868094 Overview: Oracle Security SAP Notes
1911785 Password expiration date shown for OPS$ users in DBA_USERS

Attachments

File Name       File Size (KB)  Mime Type
oradbusr10.ZIP  3               application/x-zip-compressed
ORADBUSR.TXT    14              text/plain