- SAP Community
- Products and Technology
- Additional Q&A
- Change password parameters of OS and DB will expir...
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Change password parameters of OS and DB will expire system passwords
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 05-27-2010 7:58 AM
Dear Sir,
Our bussiness audit team is asking to apply following parameters. But,
we are not aware about consequences.
OS(Solaris)
1) Password parameter MAXWEEKS depicting maximum number of weeks a
password should be set to be 12 weeks.
2) Idle Session Time Out configuration should be enabled and the value
to be set at 300.
3) Configuration CONSOLE=/dev/console should be enabled.
DB(Oracle 10g)
PASSWORD_VERIFY_FUNCTION should be set enforcing password complexity.
PASSWORD_LIFE_TIME (frequency of forced password change) - 90 days.
FAILED_LOGIN_ATTEMPTS (number of unsuccessful log on attempts allowed
before lockout) - 3 -5.
PASSWORD_REUSE_MAX (number of password changes that must occur before a
password can be reused) - 4
PASSWORD_REUSE_TIME (number of days before a password can be reused) -
365
IDLE_TIME (determines the idle session time out) - 60
Change password of u2018OUTLNu2019 and u2018DBSNMPu2019
Note: We are having BIW system integrated with ECC.
Please let me know feasiablity, procedure, steps and recomandations.
Regards
DK
Accepted Solutions (0)
Answers (2)
Answers (2)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Your SAP system will function perfectly fine with the Oracle password params.
Note that you can define multiple profiles and each profile can have it's own set of password params. Query oracle table DBA_USER_PROFILES.
A user can have only one profile assigned to him as seen from DBA_USERS.
By having multiple profiles, you can for example have 90 day password expiry for system ids and 180 days for user ids (if any) etc.
On individual params:
PASSWORD_VERIFY_FUNCTION
You will need to create an Oracle function to enforce the rules. You will need to nail down the rules and have someone with PL/SQL experience to do that. It shouldn't be too difficult.
You can see sample PASSWORD_VERIFY_FUNCTION if you google it.
PASSWORD_LIFE_TIME
For SAP environments, one thing to note for this param is, you need to understand another param PASSWORD_GRACE_PERIOD.
The PASSWORD_GRACE_PERIOD is N number of days Oracle is going to send a warning saying your password will expire in X number of days.
SAP tools are not designed to handle the warnings gracefully and will consider it is an Oracle error causing lot of issues.
So the best thing to do is to change the Oracle passwords before you hit the warning. So change your passwords every PASSWORD_LIFE_TIME - PASSWORD_GRACE_PERIOD - 3 days.
Of course when you change passwords, use the brtool to sync it with SAP.
The PASSWORD_REUSE params may cause you trouble under certain circumstances such as system copies.
You may want to temporarily reassign system ids to another less stringent profile during such activity.
Regards,
Shan
Edited by: r.shanmu on May 28, 2010 2:38 PM
Edited by: r.shanmu on May 28, 2010 2:41 PM
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi
For oracle DB below is the point 17 from SAP NOTE 700548. May be this info is helpful for you.
17. Can I restrict the authorizations of the default profile in the SAP environment?
All database users receive certain authorizations from the default profile as standard, for example:
* Logon authorizations: FAILED_LOGIN_ATTEMPTS, PASSWORD_LIFE_TIME, PASSWORD_REUSE_TIME, PASSWORD_REUSE_MAX, PASSWORD_VERIFY_FUNCTION, PASSWORD_LOCK_TIME, PASSWORD_GRACE_TIME
* Resource authorizations: COMPOSITE_LIMIT, SESSIONS_PER_USER, CPU_PER_SESSION, CPU_PER_CALL, LOGICAL_READS_PER_SESSION, LOGICAL_READS_PER_CALL, IDLE_TIME, CONNECT_TIME, PRIVATE_SGA
These values are usually set to UNLIMITED - that is, there are no restrictions. Refer to the DBA_PROFILES view for the current restrictions.
Changes to the default settings may result in logon problems or resource problems in the SAP environment. You should therefore keep the standard values.
As a result, it is also not worthwhile to set the RESOURCE_LIMIT Oracle parameter to TRUE, as this is what first activates the use of profiles of the type described above.You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- App to automatically configure a new ABAP Developer System in Technology Blogs by Members
- Python RAG sample for beginners using SAP HANA Cloud and SAP AI Core in Technology Blogs by SAP
- SAP IAS - Password Synchronisation with Active Directory in Technology Q&A
- Easy way to automate and configure the setup of a BTP account and Cloud Foundry using Terraform. in Technology Blogs by Members
- User password forgotten/reset in Enterprise Resource Planning Q&A
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.