Changing Passwords of the
SAP System Users 
This section
provides information about the SAP system users and the passwords you need to
change. The users are as follows:
SAP
System Users
User
|
Function
|
<SID>ADM
|
User under which the work
processes on System i and Linux run
User for access to the ABAP
database
|
SAP<SID>DB
|
User
for access to Java database
|
SAPService<SID>
|
User
under which the work processes on Windows application servers run
|
Procedure
Change
the initial passwords of <SID>ADM and SAP<SID>DB to protect your system against unwanted access.
User <SID>ADM
To change the <SID>ADM user password, proceed as follows:
This
password must be the same on all hosts.
...
1. To change the password at operating system level on the
System i database server and each System i application server, enter command:
CHGUSRPRF
1. To change the operating system level password on each Windows application server, enter in
a command prompt:
C:\>lusrmgr.msc
Right-click on <SID>ADM and choose Set Password.
Right-click on <SID>ADM and choose Set Password.
1. To change the password at operating system level on each
LinuxPPC application server, enter in the command line:
passwd
1. When using either or both Windows and LinuxPPC application
servers, you also need to change the encrypted database password in NTLOGON.INF with setdb4pwd. For more information, see SAP Note 705886.
User SAP<SID>DB
To change the SAP<SID>DB user password, proceed as follows:
...
To change the operating system level password on the System
i database server, enter command:
CHGUSRPRF
1. To change the JDBC URL password in secure store, you need to
use the Config Tool as follows:
In the Windows Explorer, go to the following directory: \\<centralhost>\sapmnt\<SID>\<AnyInst>\j2ee\configtool
To change the password, double-click configtool.bat.
Navigate to secure store and change the entry of jdbc/pool/<SID>/Password.
User SAPService<SID> on Windows Application Servers
1. To change the password at operating system level on each
Windows application server, enter in a command prompt:
C:\>lusrmgr.msc
Right-click on <SID>ADM and choose Set Password.
Right-click on <SID>ADM and choose Set Password.
1. Using the services control manager modify the logon
properties of the SAP<SID>_<INST> services to match the newly
chosen password:
C:\>services.msc
Right-click on SAP<SID>_<INST>and choose Properties. Choose the Log On tab, and change the password.
Right-click on SAP<SID>_<INST>and choose Properties. Choose the Log On tab, and change the password.
Changing Passwords of the Database Standard Users
The following section provides information on the database
standard users, whose passwords you need to change. The users are as follows:
User
|
Type
|
Method used to change password
|
db2<dbsid>
|
UNIX and database user
|
UNIX command passwd
|
<sapsid>adm
|
UNIX and database user
|
Program dscdb6up
|
ABAP database connect user:
1.
sapr3
2.
sap<sapsid>
|
UNIX and database user
|
Program dscdb6up
|
Java database connect user sap<sapsid>db
|
UNIX and database user
|
1.
UNIX command passwd
2.
Maintainance in secure store. For more
information, see Security
Aspects for the Database Connection.
|
Changing Passwords for User db2<dbsid>
This user is the DB2 instance owner. It is the DB2 system
administrator and the SAP system database administrator. db2<dbsid> is authorized to execute database and
database manager administration functions such as:
Creating a database
Creating or changing a tablespace
Updating DB2 parameters
Backing up or restoring the database
db2<dbsid> has the DB2 system administration
authorities and belongs to group SYSADM_GROUP.
To change the password for user db2<dbsid>,
log on as user db2<dbsid> and enter the passwd command at the UNIX prompt. Enter the old and new
password.
If you use Network Information Service (NIS), you should
also refer to the NIS guide and the operating system documentation. (Changing
the password with an activated NIS may be different from changing it with the passwd
command).
It is not necessary but recommended for the
password to be the same on all hosts in your SAP system.
Changing Passwords for User <sapsid>adm
This user is the SAP system administrator. <sapsid>adm
is authorized to start and stop the SAP system and the DB2 database manager. <sapsid>adm has the DB2 authorities DBADM
and the ones belonging to group SYSCTRL_GROUP.
DB2-specific monitoring functions invoked by SAP system
application server functions require SYSCTRL
authority. The user belongs to group SYSCRTL_GROUP
and the operating system group SAPSYS.
To change the password of user <sapsid>adm,
use program dscdb6up.
For more information, see the documentation Database Administration Guide: SAP on IBM DB2 Universal Database
for UNIX and Windows that is available in SAP Service Marketplace at service.sap.com/instguidesnw2004 ® Operations.
Changing Passwords of the ABAP Database Connect User
This user is the owner of all SAP system database objects
(tables, indexes and views). All SAP System application server connections and
accesses are performed under the connect user. The connect user belongs to group SYSMAINT_GROUP and to the operating system group SAPSYS.
He is only created on the database server.
The user required at least the database authorizations CREATETAB, BINDADD, CONNECT, and IMPLICIT_SCHEMA.
He also needs access to the SAP tablespaces belonging to his <SAPSID>.
By default, tablespace access on SAP tablespaces is granted to PUBLIC, that is tablespaces can be
accessed by all users that have CONNECT
authorisations.
To change the password of the ABAP database connect user (sapr3
or sap<sapsid>),
use program dscdb6up.
For more information, see the documentation Database Administration Guide: SAP on IBM DB2 Universal Database
for UNIX and Windows that is available in SAP Service Marketplace at service.sap.com/instguidesnw2004 ® Operations.
Changing Passwords of the Java Database Connect User
This user is the owner of all SAP system database objects
(tables, indexes and views). All SAP system application server connections and
accesses are performed under the connect user. The connect user belongs to group
SYSMAINT_GROUP and to the operating system group SAPSYS. He
is only created on the database server.
The user required at least the database authorizations CREATETAB,
BINDADD,
CONNECT,
and IMPLICIT_SCHEMA.
He also needs access to the SAP tablespaces belonging to his <SAPSID>. By default, tablespace access on
SAP tablespaces is granted to PUBLIC,
that is tablespaces can be accessed by all users that have CONNECT
authorisations.
By default, only tablespaces <SAPSID>#DBD,
<SAPSID>#DBI, <SAPSID>#DBL are used by the Java stack.
For information about how to change the password of the Java
database connect user, see Security
Aspects for the Database Connection.
No comments:
Post a Comment