Return to HOME Page-SAP BASIS Training Tutorials

                                                                                                                  SSFS (Secure Storage in File System) configuration

What is SSFS:

As of kernel release 7.20, SAP has therefore introduced a new method of securely storing the database password and for connecting to the database: "Secure Storage in File System" (SSFS). The encrypted password for the SAP database user is then no longer stored in the database, but in the file system.

Prior to SSFS, the connection between the SAP system (AS ABAP) and the SAP tools that use the ABAP database interface (R3trans, R3load etc.) to the database via SQLNet (using the database alias name, for like configured in TNS) worked in such a way that an OPS$ connection (with the database user OPS$<SID>ADM) that was authorized by the operating system user sidadm was created first ( via "connect /@TNS").  With this approach access to the table OPS$<SID>ADM.SAPUSER, and to this table was only allowed. It contains the encrypted password for the actual database connection of the SAP database user (default name Schema User).

Referred SAP Notes:
1. 1639578 = Documents Basis instructions/steps below.
2. 1623922 = Provides overview on how to connect to the Database using SSFS.
3. 1622837 = Documents steps/instructions to be taken care of by DBA team.

High Level Sequence:
Step 1: Basis change internal connect.  This is all accomplished in Note #1 above. 
Step 2: DBA change the external connect.  This is all accomplished in Note #3 above.
Step 3: DBA drop OPS$ and old authentication

NOTE:  No application validation required.

SW pre-requisites:

We should at a minimum, needs to be at Kernel 720, Patch 98. Referred SAP Note  1611877.

Basis Steps to be performed for to enable SSFS authentication:

1.       Preparing and securing the file system

Create dir rsecssfs/data and rsecssfs/key Under /sapmnt/SID/global/security.Make sure to give appropriate permission.


<server:sidadm>  mkdir rsecssfs

<server:sidadm>  chmod 775 rsecssfs

<server:sidadm>  rsecssfs

<server:sidadm>  mkdir data

<server:sidadm>  mkdir key 

<server:sidadm> chmod 777 data key




2.       Maintaining the SSFS profile parameters:

Add below mentioned parameter in Default profile-

rsdb_ssfs_connect = 0

RSEC_SSFS_DATAPATH = /sapmnt/<SID>/global/security/rsecssfs/data

RSEC_SSFS_KEYPATH = /sapmnt/<SID>/global/security/rsecssfs/key


3.       Maintaining the SSFS environment variable:

Update below mentioned env variables in .sapenv * profiles in home directory of sidadm ( Eg: /home/sapsys/<SID>adm)


setenv rsdb_ssfs_connect 0

setenv RSEC_SSFS_DATAPATH /sapmnt/<SID>/global/security/rsecssfs/data

setenv RSEC_SSFS_KEYPATH /sapmnt/<SID>/global/security/rsecssfs/key


NOTE: Make sure you are updating these env variable for app server also else app server will not come up after this activity.


4.       Change the ORA SCHEMA user password to “your password” from BR-Tools:

·         Find out schema user from env : dbs_ora_schema=<schema>

 Please refer any link to change ORA Schema (SAPSR3) user password.

5.       Bounce the System

Bounce the system to reflect the parameter changes .

Note: For doing bounce come out from sidadm  and do again sudo su – sidadm and then perform system bounce.

6.       Setting up the SSFS data storage and checking the access rights and perform check:


After the system bounce execute below mentioned commands as sidadm.

rsecssfx put DB_CONNECT/DEFAULT_DB_USER <schema name> -plain - Use SAPSCHEMA NAME
rsecssfx put DB_CONNECT/DEFAULT_DB_PASSWORD <pwd> - password of schema User


7.       Changing to the new connection method:

Change the Profile parameter : rsdb/ssfs_connect = 1 in Default profile .Initially we set it =0.

Update below mentioned env variable in .sapenv * profiles in home directory of sidadm ( Eg: /home/sapsys/<SID>adm) of all servers.

                rsdb_ssfs_connect=1 initially it was set 0.

8.       Bounce the System

Bounce the system to reflect the parameter changes .

Note: For doing bounce come out from sidadm  and do again sudo su – sidadm and then perform system bounce.

9.       Checking the successful changeover/Validation

Check below entries in SM50 work process log  --- B read_con_info_ssfs(): DBSL supports extended connect protocol
B ==> connect info for default DB will be read from ssfs


10.   DBA Team’s Activity-


DBA will perform below tasks:





drop sapuser table


drop table ops$<sid>adm.sapuser; note 1622837

execution - uptime (5 minutes)

remove the parameter REMOTE_OS_AUTHENT


alter system reset remote_os_authent scope=spfile; note 1622837

execution - uptime (5 minutes)

download BRTOOLS


per note 1764043, require version 7.20 patch 28 is required

execution - uptime (10 minutes)

create brtools user


 create user brt$adm

execution - uptime 5 minutes

create storage directories


Create dir  rsecssfs/data and rsecssfs/key Under /oracle/<SID>/security

execution - uptime 5 minutes

drop OPS$ users


lock OPS$ users

execution - uptime 5 minutes

After getting system back from DBA team perform a clean system bounce and perform system validation:

I hope ,you really got some useful information related to "SSFS" .Can you please give 30 sec of your time now to have a look into main tutorials collection home page ,I guarantee you will get very useful tutorials over there.

Here you'll get different set of tutorials <Beginner level ,Advance level ,SAP Upgrade related,Oracle Basis related ,Solution manager related >

Click to SAP BASIS Tutorials :


Some other interesting topic to increase your knowledge level:

SAP Upgrade Related :