Recovering Database Users Passwords

PTBTBL0058 Recovering ASE Database Users Passwords

Recovering Database Users Passwords in ASE

This is achieved in two steps:

Step 1: Recover password for user sapsso

Procedure:

1. Shut server down.
2. Edit $SYBASE/$SYBASE_ASE/install/RUN_ file, add '-psso' (without the quotes) at the end of the file, on a new line. Make sure this change has been saved before exiting the editor.
3. Start your server.

A new password is printed to the terminal screen after the last system database online message. It looks like this:

00:00000:00001:2013/06/12 22:41:52.40 server Database 'sybsystemprocs' is now online.
New SSO password for test: manyorygksfdl2

'manyorygksfdl2' is the new password of the SAPSSO account.

Step 2: Use user sapsso to reset passwords for all the other users in the ASE

Procedure:

1. List all database logins.

a. Log in as user syb on your database host.

HOST> su - syb

b. Log in to your Sybase ASE database via isql with user 'sapsso'.

HOST ASE-15_0/install> isql -X -Usapsso -S -w1024

2. Get a list of all available database users:

use master
go
select suid, status, name, password from syslogins
go

The following users are displayed:

sa: Default Sybase ASE administrator, usually locked in SAP systems for security reasons. This user cannot be deleted.

probe: The login 'probe' and the user 'probe' exist for the two-phase commit probe process, which uses a challenge and response mechanism to access Adaptive Server. It has an unpublished password.

jstask: Internal Sybase ASE user 'jstask' for the database job scheduler.

sapsa: Administration user for SAP systems.

sapsso: User for SAP systems with the SSO role.

SAPSR3: This user is used for the ABAP stack. It only exists if the SAP system contains an ABAP stack.

SAPSR3DB: This user is used for the Java stack. It only exists if the SAP system contains a Java stack.

3. The passwords of users 'jstask' and 'probe' are unknown. You only need to change the passwords of users 'sa', 'sapsa', 'sapsso', and 'SAPSR3'/'SAPSR3DB'. If more users than those listed above are displayed, check why each additional user exists and whether a password change is necessary.

4. Change the passwords of users 'sa' and 'sapsso'.

a. Log in as user 'syb' on your database host:

HOST> su - syb

b. Log in to your Sybase ASE database via isql with user 'sapsso':

HOST ASE-15_0/install> isql -X -Usapsso -S -w1024

c. Change the passwords:

use master
go
alter login sapsso with password "" modify password ""
go
alter login sa with password "" modify password ""
go

No further post-processing steps are needed.

5. Change the passwords of users 'sapsa' and 'SAPSR3'/'SAPSR3DB'.

a. Log in as user 'syb' on your database host:

HOST> su - syb

b. Log in to your Sybase ASE database via isql with user 'sapsso':

HOST ASE-15_0/install> isql -X -Usapsso -S -w1024

c. Change the passwords:

use master
go
alter login sapsa with password "" modify password ""
go
alter login SAPSR3 with password "" modify password ""
go
alter login SAPSR3DB with password "" modify password ""
go

After changing the passwords of database logins 'sapsa', 'SAPSR3' and 'SAPSR3DB', you should immediately change the passwords for the database users in the Secure Storage. The application servers use the passwords in the ABAP/Java Secure Storage to connect to the ABAP/Java database schema.

6. Change passwords in the ABAP Secure Storage:

a. Log in as user 'adm' on your central instance host:

HOST > su - adm

b. Write the password to a temporary file that you delete after having called rsecssfx.

c. List all entries in the Secure Storage File System (SSFS):

HOST:adm > rsecssfx list

d. Change the password for the DEFAULT_DB_USER (SAPSR3) to the password you set previously for the SAPSR3 database user.

HOST:adm > rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD -valuefile -valuefile7bit

e. List all entries in the Secure Storage File System (SSFS) and check the last update time stamp.

HOST:adm > rsecssfx list

You should see the current time stamp in the record for the DEFAULT_DB_PASSWORD.

f. Verify that R3trans is working properly:

HOST:adm > R3trans -d

This is R3trans version 6.22 (release 720 - 19.08.11 - 15:45:00).
unicode enabled version
R3trans finished (0000).

You should get return code 0000.

g. Change the password for SADB_USER (sapsa) to the password you set previously for the sapsa database user.

HOST:adm > rsecssfx put DB_CONNECT/SYB/SADB_USER sapsa -plain
HOST:adm > rsecssfx put DB_CONNECT/SYB/SADB_PASSWORD -valuefile -valuefile7bit

h. Change the password for SSODB_USER (sapsso) to the password you set previously for the sapsa database user.

HOST:adm > rsecssfx put DB_CONNECT/SYB/SSODB_USER sapsso -plain
HOST:adm > rsecssfx put DB_CONNECT/SYB/SSODB_PASSWORD -valuefile -valuefile7bit

i. Change the password for SYBSID_USER (syb) to the password you set previously for the syb operating system user.

HOST:adm > rsecssfx put DB_CONNECT/SYB/SYBSID_USER syb -plain
HOST:adm > rsecssfx put DB_CONNECT/SYB/SYBSID_PASSWORD -valuefile -valuefile7bit

j. List all entries in the Secure Storage File System (SSFS) and check the last updated timestamp:

HOST:adm > rsecssfx list

You should see the current timestamp in the record for the updated users.

Make sure you delete the temporary file, as it contains the unencrypted password!

Change passwords in the Java Secure Storage

k. Log in as user 'adm' on your central instance host:

HOST > su - adm

l. Start /usr/sap//J/j2ee/configtool/configtool.

m. Select node 'Secure Store' and tab 'Secure Store Data'.

n. Update the passwords for the following keys:

db_connect/syb/sapsa_password
db_connect/syb/sapsso_password

o. Update the password for user SAPSR3DB:

NW70X based key for SAPSR3DB:
jdbc/pool//Password

NW73X based key for SAPSR3DB:
Password (tab 'Connection Pools')

7. Renew external logins (Component Integration Service)

After changing the user passwords in the SSFS, you have to renew all external logins whose passwords were changed. This includes at least the external login for the Server SYB_JSTASK, which uses the 'sapsa' login. You can get a list of all external remote logins like this:

a. Log in as user 'syb' on your database host:

HOST> su - syb

b. Log in to your Sybase ASE database via isql with user 'sapsa':

HOST ASE-15_0/install> isql -X -Usapsa -S -w1024

use master
go
sp_helpexternlogin
go

c. Note down the existing external logins. Drop the external logins and create new ones. This is necessary because no stored procedure for modifying external logins exists.

exec sp_dropexternlogin ,
go

d. Create the external logins:

exec sp_addexternlogin , , , ''
go

Repeat the drop/create process for every changed user/password.

8. Post-processing steps:

Change the password for user 'sapsa' in the DBA Cockpit and the Solution Manager manually. Change all passwords in all third-party tools, such as monitoring software and so on.
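
Step 6b and the warning at the end of step 6 depend on the temporary password file being readable only by its owner and removed on every exit path. The following is an added example, not part of the original procedure or of any SAP tool: run_with_secret_file is a hypothetical helper, the password is constructed, and wc stands in for the command that consumes the value file.

```shell
#!/bin/sh
# Added example (not SAP or Sybase code): pass a password to a tool through a
# short-lived, owner-only value file. run_with_secret_file is a hypothetical helper.

# Usage: <password on stdin> | run_with_secret_file command [args...]
# An argument that is exactly {} is replaced by the path of the value file.
run_with_secret_file() (
    secret=
    IFS= read -r secret || [ -n "$secret" ] || {
        echo "run_with_secret_file: no password on stdin" >&2
        exit 2
    }
    # mktemp creates the file with mode 0600, so other OS users cannot read it
    tmp=$(mktemp "${TMPDIR:-/tmp}/dbpw.XXXXXX") || exit 1
    trap 'rm -f -- "$tmp"' EXIT      # runs on every exit path of this subshell
    trap 'exit 130' HUP INT TERM     # turn signals into an exit so the EXIT trap fires
    printf '%s' "$secret" > "$tmp"
    unset secret

    # Rebuild the argument list, substituting the file path for {}
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1; shift
        if [ "$arg" = "{}" ]; then arg=$tmp; fi
        set -- "$@" "$arg"
        n=$((n - 1))
    done

    rc=0
    "$@" </dev/null || rc=$?         # keep the command's status for the caller
    exit "$rc"
)

# Demo with a constructed password; wc is a stand-in for the real consumer.
printf '%s\n' 'Constructed-Passw0rd' | run_with_secret_file wc -c {}
```

Because the password arrives on stdin and never appears as a command-line argument, it is not visible in the process list or in shell history.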
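
Step 1 leaves two artefacts a defender will want to find afterwards: the '-psso' line added to the RUN file and the generated password in the startup output. The following is an added example, not part of the original procedure: audit_sso_recovery is a hypothetical helper, the RUN file content and paths are constructed, the log lines are the two shown in Step 1, and it assumes the startup output is also captured in a log file.

```shell
#!/bin/sh
# Added example (not SAP or Sybase code): post-recovery audit of the RUN file
# and the server log. Function name, file names and paths are hypothetical.

# $1 = RUN file, $2 = server log. Prints one finding per line, password masked.
audit_sso_recovery() {
    awk '
        # RUN file: a line holding only -p<login>, optionally continued with "\"
        FILENAME == ARGV[1] && /^[ \t]*-p[A-Za-z0-9_]+[ \t\\]*$/ {
            opt = $1; sub(/\\$/, "", opt)
            printf "RUN:%d: %s still present\n", FNR, opt
        }
        # Log: the generated-password message; report the login, never the value
        FILENAME == ARGV[2] && match($0, /New SSO password for [^:]+:/) {
            login = substr($0, RSTART + 21, RLENGTH - 22)
            printf "LOG:%d: generated password for %s recorded (masked)\n", FNR, login
        }
    ' "$1" "$2"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed RUN file with the option from Step 1 left in place
    cat > "$d/RUN_TST" <<'EOF'
#!/bin/sh
/sybase/ASE-15_0/bin/dataserver \
-d/sybase/data/master.dat \
-e/sybase/ASE-15_0/install/TST.log \
-sTST \
-psso
EOF
    # The two output lines quoted in Step 1
    cat > "$d/TST.log" <<'EOF'
00:00000:00001:2013/06/12 22:41:52.40 server Database 'sybsystemprocs' is now online.
New SSO password for test: manyorygksfdl2
EOF
    audit_sso_recovery "$d/RUN_TST" "$d/TST.log"
    rm -rf "$d"
}

demo
```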