
Invalid Credentials in SAP Management Console on Solaris

Former Member
0 Kudos

I have been deploying the latest SAP Host Agent (Version 7.20, patch 63) on our Solaris 5.9 application servers. Days of reviewing and searching through SCN have not produced a resolution. There is a significant restriction in our environment that makes it impossible for the Basis team to get even temporary root access.

Other details of interest:

1. The users <SID>adm are local to each application server (/etc/shadow is in play).

2. These SAP notes have been reviewed: 927639, 1564645, 992907, 1348820 and many others.

To this point my Unix admin friends have not considered allowing any type of read access for <SID>adm to /etc/shadow.

It is more likely to snow this week here in Texas than getting root access on these servers.

Here are some of the files of interest for the SAP Host Agent

Contents of /tmp

srwx------ 1 sapadm sapsys 0 Sep 1 12:53 .sapstream1128

srwx------ 1 <SID>adm sapsys 0 Sep 1 10:25 .sapstream50014

srwx------ 1 <SID>adm sapsys 0 Sep 1 10:25 .sapstream50013

Contents of /usr/sap/hostctrl/exe

total 137466

drwxr-x--- 2 root sapsys 1024 Aug 17 16:51 .

drwxr-x--- 5 root sapsys 96 Aug 17 16:51 ..

-rw-r----- 1 root sapsys 352 Sep 1 10:46 host_profile

-rwxr-x--- 1 root sapsys 322 Aug 17 16:51 hostagent.mf

-rwsr-x--- 1 root sapsys 428992 Aug 17 16:51 hostexecstart

-rwxr-x--- 1 root sapsys 300872 Aug 17 16:51 ldappasswd

-rwxr-x--- 1 root sapsys 1607224 Aug 17 16:51 ldapreg

-rwxr-x--- 1 root sapsys 6673224 Aug 17 16:51 librfccm.so

-rwxr-x--- 1 root sapsys 3662680 Aug 17 16:51 libsapcrypto.so

-rwxr-x--- 1 root sapsys 1621912 Aug 17 16:51 libsapdbadactrl.so

-rwxr-x--- 1 root sapsys 208696 Aug 17 16:51 libsapdbdb6ctrl.so

-rwxr-x--- 1 root sapsys 467128 Aug 17 16:51 libsapdboractrl.so

-rwxr-x--- 1 root sapsys 5714920 Aug 17 16:51 lssap

-rwxr-x--- 1 root sapsys 4654504 Aug 17 16:51 sapacosprep

-rwxr-x--- 1 root sapsys 812352 Aug 17 16:51 sapcimc

-rwxr-x--- 1 root sapsys 5690472 Aug 17 16:51 sapcontrol

-rwxr-x--- 1 root sapsys 1173624 Aug 17 16:51 sapcpp47.so

-rwxr-x--- 1 root sapsys 1276416 Aug 17 16:51 sapdbctrl

-rwxr-x--- 1 root sapsys 4910096 Aug 17 16:51 saphostctrl

-rwxr-x--- 1 root root 1491992 Aug 17 16:51 saphostexec

-rwxr-x--- 1 root sapsys 2585312 Aug 17 16:51 saposcol

-rwxr-x--- 1 sapadm sapsys 19044152 Aug 17 16:51 sapstartsrv

-rwsr-x--- 1 root sapsys 519056 Aug 17 16:51 sapuxuserchk

-rwxr-x--- 1 root sapsys 431008 Aug 17 16:51 sldreg

-rwxr-x--- 1 root sapsys 4951592 Aug 17 16:51 sldreglib.so

-rwxr-x--- 1 root sapsys 2143704 Aug 17 16:51 xml71d.so

--> Observations about this default installation of the SAP Host Agent software

1. <SID>adm has very limited access to the executables

2. Only root can edit host_profile. If the permissions are changed, saphostexec will not run (because the permissions have changed)

3. The group ownership of saphostexec is a severe restriction

4. Changing ownership of the executables to <SID>adm or sapadm will result in loss of OS information only accessible by root.

ps -ef | grep hostctrl

root 15763 1 0 Sep 01 ? 0:02 /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile

sapadm 15765 1 0 Sep 01 ? 2:26 /usr/sap/hostctrl/exe/sapstartsrv pf=/usr/sap/hostctrl/exe/host_profile -D

root 15813 1 0 Sep 01 ? 1:24 /usr/sap/hostctrl/exe/saposcol -l -w60 pf=/usr/sap/hostctrl/exe/host_profile

Any additional suggestions or solutions that the community can share are greatly appreciated.
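An added example, not part of the original post or of SAP's tooling: a small audit of the `ls -l` output quoted above that lists the setuid-root helpers and works out which files a given account may execute from the mode bits alone. The account name `sidadm` and its membership in group `sapsys` are assumptions; ACLs and directory permissions are not evaluated.

```python
import re

# Sample input: lines copied from the post's listing of /usr/sap/hostctrl/exe.
LISTING = """\
-rw-r----- 1 root sapsys 352 Sep 1 10:46 host_profile
-rwsr-x--- 1 root sapsys 428992 Aug 17 16:51 hostexecstart
-rwxr-x--- 1 root sapsys 5690472 Aug 17 16:51 sapcontrol
-rwxr-x--- 1 root root 1491992 Aug 17 16:51 saphostexec
-rwxr-x--- 1 sapadm sapsys 19044152 Aug 17 16:51 sapstartsrv
-rwsr-x--- 1 root sapsys 519056 Aug 17 16:51 sapuxuserchk
"""

# mode, link count, owner, group, size, month, day, time, name
LINE = re.compile(
    r"^(?P<mode>[-dlsbcp][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

def parse(listing):
    """Turn `ls -l` lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE.match, listing.splitlines()) if m]

def setuid_root(entries):
    """Files that run as root whoever starts them: owner root, 's' in the owner-execute slot."""
    return [e["name"] for e in entries
            if e["owner"] == "root" and e["mode"][3] == "s"]

def runnable_by(entries, user, groups):
    """Files `user` may execute, using the owner/group/other class that applies."""
    allowed = []
    for e in entries:
        mode = e["mode"]
        if e["owner"] == user:
            ok = mode[3] in "xs"      # owner class
        elif e["group"] in groups:
            ok = mode[6] in "xs"      # group class
        else:
            ok = mode[9] in "xt"      # other class
        if ok:
            allowed.append(e["name"])
    return allowed

if __name__ == "__main__":
    entries = parse(LISTING)
    print("setuid root:", setuid_root(entries))
    # 'sidadm' is a hypothetical stand-in for <SID>adm, assumed to be in group sapsys.
    print("sidadm may execute:", runnable_by(entries, "sidadm", {"sapsys"}))
```

On this sample the only setuid-root files are hostexecstart and sapuxuserchk, and saphostexec (root:root, no access for others) is the one executable a sapsys member cannot start, which matches observation 3.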

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi ,

Get SUDO access from UNIX/Solaris on the particular access path; it will solve your issue.

Example:

To start the host agent, root access is required. So ask the UNIX/SOL team to provide SUDO access on the particular host agent directory.

COMMAND is:

sudo /usr/sap/hostctrl/exe/saphostexec -restart   

markus_doehr2
Active Contributor
0 Kudos

> To this point my Unix admin friends have not considered allowing any type of read access for <SID>adm to /etc/shadow.

> It is more likely to snow this week here in Texas than getting root access on these servers.

Any thought about RBAC?

http://blogs.oracle.com/jayd/entry/solaris_tip_of_the_week7

Markus