on 06-24-2015 1:38 PM
We recently received an advisory to change the default master key as part of a security measure.
I have a quick question on this.
The command listed for the change is as below
RSEC_SSFS_DATAPATH=/usr/sap/<SID>/SYS/global/hdb/security/ssfs RSEC_SSFS_KEYPATH=<path to key file> rsecssfx changekey <paste the new key from step 2 here>
Does the value for this path (RSEC_SSFS_KEYPATH) come from the hdbuserstore key location, which is a file SSFS_HDB.DAT?
Also, RSEC_SSFS_DATAPATH seems to imply the file SSFS_SID.DAT (SID = HANA DB SID) residing in /usr/sap/<SID>/SYS/global/hdb/security/ssfs. Is my understanding correct?
Regards
Kalyan
Hi Kalyana,
I only got the chance to configure this today.
RSEC_SSFS_DATAPATH=/usr/sap/<SID>/SYS/global/hdb/security/ssfs , this path is correct. Keep it as it is.
RSEC_SSFS_KEYPATH=<path to key file> rsecssfx changekey <paste the new key from step 2 here>
<path to key file>, this can be any path, but it should be secured. Only the sidadm user of the HANA database should have rw access to the key file. I kept the path as /usr/sap/<SID>/SYS/global/hdb/security/ssfs.
The command will generate a key file SSFS_<SID>.KEY. Just make sure that only sidadm has read and write access to this file (-rw-------).
Then maintain the parameter in the global.ini and restart the system.
[cryptography]
ssfs_key_file_path = <path to key file>
Thanks
Amit
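One way to verify the result of the steps in the answer above, as an added example that is not part of the original thread or SAP tooling: the script reads ssfs_key_file_path from the [cryptography] section of global.ini and checks that SSFS_<SID>.KEY in that directory is a regular file owned by the expected user with mode 600. It assumes a Linux host with GNU stat; the function names are hypothetical, and the SID, global.ini location and sidadm user name are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with GNU stat.
# Function names are hypothetical; paths and SID are passed in by the caller.

# Print the value of KEY inside [SECTION] of an ini file (first match only).
ini_get() {
    awk -v s="[$1]" -v k="$2" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); in_s = ($0 == s); next }
        in_s {
            pos = index($0, "=")
            if (pos == 0) next
            name = substr($0, 1, pos - 1); val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) { print val; exit }
        }' "$3"
}

# Return 0 only if FILE is a regular file (not a symlink), owned by OWNER,
# with mode 600 (-rw-------), as the answer above requires.
check_key_file() {
    local file="$1" owner="$2" mode actual
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"; return 1
    fi
    mode=$(stat -c '%a' "$file")
    actual=$(stat -c '%U' "$file")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: $file owned by $actual, expected $owner"; return 1
    fi
    if [ "$mode" != "600" ]; then
        echo "FAIL: $file has mode $mode, expected 600"; return 1
    fi
    echo "OK: $file ($actual, $mode)"
}

# Read ssfs_key_file_path from [cryptography] in global.ini, then check
# SSFS_<SID>.KEY in that directory.
audit_ssfs_key() {
    local sid="$1" ini="$2" owner="$3" dir
    dir=$(ini_get cryptography ssfs_key_file_path "$ini")
    if [ -z "$dir" ]; then
        echo "FAIL: ssfs_key_file_path not set under [cryptography] in $ini"; return 1
    fi
    check_key_file "$dir/SSFS_$sid.KEY" "$owner"
}

# Usage: sh audit.sh <SID> <path to global.ini> <sidadm user>
if [ "$#" -eq 3 ]; then audit_ssfs_key "$@"; fi
```

A non-zero exit status means the parameter is missing or the key file is readable or writable by someone other than its owner.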
We do have the same issue.
What is the correct value for <path to key file>?
Best regards, Axel