
REMOTE_OS_AUTHENT

Former Member
0 Kudos

Hi,

I'm an Oracle database security consultant, and I have a question regarding SAP installs on Oracle.

I've seen at a couple of customers' sites (who are running SAP) that they have the REMOTE_OS_AUTHENT parameter set to TRUE with an externally identified account "OPS$<sapsid>ADM".

Now this is a known Oracle security issue. It leaves all the data in the database vulnerable to query and update. I recommend to our clients that they change it, however they always respond with "but SAP requires it".

I've tried googling for a solution, with little success. The only half solution I can find is from some SAP online documentation. See the link below:

http://help.sap.com/saphelp_nwmobile71/helpdata/en/8b/2488392020b625e10000000a114084/content.htm

The problem is that I don't know of many sites that would restrict database access by IP address as most sites run client software that accesses the database directly.

Has anyone seen a better solution for this?

Accepted Solutions (0)

Answers (2)


fidel_vales
Employee
0 Kudos

Hello Simon,

Stefan is correct. To make the answer a little more complete, perhaps you can take a look at the SAP Note 700548 FAQ: Oracle authorizations.

If I'm not wrong, any user of the SDN can access the notes using the search functionality, no need for access to SAP

stefan_koehler
Active Contributor
0 Kudos

Hello Simon,

Your customers are right - the "REMOTE_OS_AUTHENT" is needed for running an SAP system.

The only solutions to "protect" your database are:

  • Restrict db access from the network

  • Enable TCP.VALIDNODE_CHECKING as you mentioned in the link

But wait: Why protect your database from OPS$ access?

The user OPS$* has only restricted access by default (SAPDBA role and access to the table SAPUSER, which includes the encrypted R/3 password for the SAP schema user).

I don't think that it is necessary to protect the database from the REMOTE_OS_AUTHENT access. You cannot really do any bad things with that access.

I can understand your point of view (as an Oracle security consultant), but these are the only solutions that you have.

Regards

Stefan
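
What the OPS$ accounts can actually reach on a given system can be checked from the data dictionary. The queries below are an added example, not part of the thread or of SAP's documentation; they assume a DBA session and the default OS_AUTHENT_PREFIX of OPS$, as in the account name quoted in the question.

```sql
-- Added audit example: run as a DBA user (e.g. in SQL*Plus).
-- Assumption: OS-authenticated accounts use the default OPS$ prefix.

-- 1. Parameters that control OS-authenticated logins.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. OPS$ accounts that exist, and whether they are open or locked.
SELECT username, account_status, created
  FROM dba_users
 WHERE username LIKE 'OPS$%'
 ORDER BY username;

-- 3. Roles granted to those accounts (the thread mentions SAPDBA).
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee LIKE 'OPS$%'
 ORDER BY grantee, granted_role;

-- 4. System privileges held directly or through a directly granted role.
--    Roles nested inside other roles are not expanded here.
SELECT rp.grantee,
       'via ' || rp.granted_role AS granted_via,
       sp.privilege
  FROM dba_role_privs rp
  JOIN dba_sys_privs sp ON sp.grantee = rp.granted_role
 WHERE rp.grantee LIKE 'OPS$%'
UNION ALL
SELECT sp.grantee, 'direct', sp.privilege
  FROM dba_sys_privs sp
 WHERE sp.grantee LIKE 'OPS$%'
 ORDER BY 1, 2, 3;

-- 5. Object privileges granted directly to those accounts
--    (the thread mentions access to the SAPUSER table).
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee LIKE 'OPS$%'
 ORDER BY grantee, owner, table_name;
```

Any role, system privilege or object grant in the output beyond what the answer above describes is worth reviewing before relying on network restrictions alone.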