General Information

The following section provides information on:

·        Database system groups

·        Database authentication

·        Password management

·        Encryption key DB2DB6EKEY

Database System Groups

Depending on the SAP system release and the DB2 Admin Tools release, the following operating system groups apply to your installation:

Group             Operating System Group      User
--------------    ------------------------    --------------------------------------------------
SYSADM_GROUP      db<dbsid>adm, sysadm        db2<dbsid>
SYSCTRL_GROUP     db<dbsid>ctl, sysctrl       <sapsid>adm
SYSMAINT_GROUP    db<dbsid>mmt                ABAP Stack connect user, Java Stack connect user

If you want to find out which operating system group applies to your SAP system installation, you must check parameters SYSADM_GROUP, SYSCTRL_GROUP and SYSMAINT_GROUP. To do so, log on to the database server as user db2<dbsid> and enter the following command:

db2 get dbm cfg

Database Authentication

DB2 UDB for UNIX and Windows is always installed with one of the following database manager parameters:

·        Authentication = SERVER

The user ID and password provided on connect or attach are verified by DB2 using operating system services on the database server.

·        Authentication = SERVER_ENCRYPT

This parameter provides a higher level of security since passwords are sent encrypted across the network. We recommend that you use this setting. It is supported by all currently supported database versions.
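
The checks described in the two sections above, as an added example that is not part of the original SAP documentation: a POSIX shell function that reads the output of db2 get dbm cfg, lists the three group parameters, and flags an instance whose AUTHENTICATION is not SERVER_ENCRYPT. The sample output, the system ID ABC with its group names, and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not SAP or IBM code): check the instance settings discussed above.

# Constructed sample in the layout printed by `db2 get dbm cfg`;
# the group names are made up for a hypothetical system ABC.
sample_dbm_cfg() {
cat <<'EOF'
 Database manager authentication        (AUTHENTICATION) = SERVER
 Trust all clients                      (TRUST_ALLCLNTS) = YES
 SYSADM group name                        (SYSADM_GROUP) = DBABCADM
 SYSCTRL group name                      (SYSCTRL_GROUP) = DBABCCTL
 SYSMAINT group name                    (SYSMAINT_GROUP) = DBABCMNT
EOF
}

# dbm_param NAME: print the value of "(NAME) = value" found in $DBM_CFG.
dbm_param() {
    printf '%s\n' "$DBM_CFG" |
        sed -n "s/^.*($1)[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# audit_dbm_cfg: read `db2 get dbm cfg` output on stdin, list the three
# authority groups, and return 1 unless AUTHENTICATION is SERVER_ENCRYPT.
audit_dbm_cfg() {
    DBM_CFG=$(cat)
    for p in SYSADM_GROUP SYSCTRL_GROUP SYSMAINT_GROUP; do
        v=$(dbm_param "$p")
        echo "INFO  $p = ${v:-not set}"
    done
    auth=$(dbm_param AUTHENTICATION)
    case "$auth" in
        SERVER_ENCRYPT)
            echo "OK    AUTHENTICATION = SERVER_ENCRYPT"; return 0 ;;
        SERVER)
            echo "WARN  AUTHENTICATION = SERVER; SERVER_ENCRYPT is the recommended setting"
            return 1 ;;
        *)
            echo "WARN  AUTHENTICATION = ${auth:-missing}; expected SERVER or SERVER_ENCRYPT"
            return 1 ;;
    esac
}

# On the database server, as db2<dbsid>:  db2 get dbm cfg | audit_dbm_cfg
sample_dbm_cfg | audit_dbm_cfg || echo "Review the authentication setting."
```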

Password Management

This section describes how you set passwords of SAP users that connect to the database in the ABAP stack. For information about how to set passwords of database connect users of the Java stack, see Security Aspects for the Database Connection, subsection Using the Default DataSource.

The ABAP stack of remote and local application servers normally connects to the database using the connect user (sapr3 or sap<sapsid>). All SAP ABAP tables are created under the schema of these users. For special purposes, however (for example, taking database snapshots), SAP programs attach as user <sapsid>adm.

The SAP programs must know the passwords of the connect user and of <sapsid>adm. Therefore, DB2 UDB for UNIX and Windows additionally maintains the passwords for the connect user and user <sapsid>adm in file /usr/sap/<SAPSID>/SYS/global/dscdb6.conf. This file is accessible from all application servers using NFS or Windows shares. Passwords are stored encrypted. You should protect this file from unauthorized access.

DB2 provides functions to:

·        Create password file dscdb6.conf

This file can be recreated any time manually using the following command:

dscdb6up -create <connect_user_pwd> <sapsid_adm_pwd>

·        Retrieve passwords

This function is only used by SAP executables to connect or attach to the database.

·        Update passwords in file dscdb6.conf and in the operating system simultaneously

You can perform this task using the following command:

dscdb6up <user> <password>

Encryption Key DB2DB6EKEY

For all the dscdb6.conf accesses described in this guide, the environment variable DB2DB6EKEY is used to encrypt or decrypt the requested password.

DB2DB6EKEY is set initially during installation to the string <SAPSID><db_server_hostname>. You can change this value at any time when your SAP system is stopped, but if you do, then you also need to recreate password file dscdb6.conf. For more information, see Changing the Encryption Key DB2DB6EKEY.