You want to change the database user passwords.
DBMGUI, DBMCLI, SQLSTUDIO, control, password, password change, user, dbmuser, dbmpwd, superdba, sapr3, sapsid, sapsiddb
The latest versions (7.6) of DBMGUI and SQLStudio are required wherever these are mentioned. Install the DBMGUI of Version 7.6 to change the passwords using the procedure described in this note.
You can use the tools belonging to MaxDB Version 7.6 to manage databases with MaxDB kernel versions lower than Version 7.6 also.
For restrictions in relation to the choice or length of the password, see the MaxDB documentation.
In principle, there are several types of database users. These are described in detail in the documentation (Note 767598).
- 1. Brief description of the user types:
a) DBA user
The DBM user can manage the database 'externally'. This 'primary' user is specified in the 'db_create'.
dbmcli -R
This 'primary' DBM user
- can create other DB users
- is managed at operating system level
- is used for start, stop, backup, recovery, db_drop,
and so on
- uses the DBMGUI for working on the database
The default DBM user in the SAP environment is called 'control'.
b) SYSDBA user
The SYSDBA is the user with the most privileges in the database. This user is specified when the database is activated.
util_activate superdba,admin (SAP DB Versions 7.3/7.4)
db_activate superdba,admin (MaxDB Version 7.5 and higher)
The SYSDBA user
- only appears once in the database
- is managed within the database
- is used for all types of SQL statements
- generates other SQL users
- is an SQL user that uses SQLStudio for working on the database.
The default SYSDBA user in the SAP environment is called 'superdba'.
c) DBA user (schema user)
The DBA is a simple user within the database. This user is created using SQL tools before the database contents are loaded.
create user sapr3 password sap dba not exclusive ...
A DBA user
- can be created as many times as you like
- is managed within the database
- is used for SQL commands that the user can execute as part of its DBA
authorizations
- owns the tables of the relevant application in each case
- can log onto the SQLStudio
A default DBA user in the SAP environment is
sapr3, sap
sap
d) Domain and Sysinfo user
Domain and Sysinfo users are special users that are used only for internal administration. These users cannot access application data. You are not required to change these passwords.
Note:
To simplify logon procedures, SYSDBA users are also available at DBM user level and the 'primary' DBM user is also in the database.
- 2. Changing the DBM user password
The database must be 'offline'.
You can either change the password for the DBM user with the DBMGUI or directly at operating system level with DBMCLI.
2.1 Change with DBMGUI
Call the DBMGUI and log onto the database where you want to change the DBM password.
Configuration -> DBM Operator -> Select the DBM user, for example 'control' using 'Properties' and enter the new password twice using 'Change'.
2.2 Change with dbmcli
Log onto the relevant database as a DBM user with DBMCLI.
Change the password with the user_put command as follows:
user_put
For example: dbmcli -d C11 -u control,control user_put control password=new
Note: If you have saved default logon data in the DBMGUI, make sure that this is also adjusted.
Procedure: To validate the new password on your Windows PC within the DBMGUI, log onto the database by double-clicking again the relevant icon, but this time with the new password for the DBM user. (Confirm the error message '-2 ERR_USRFAIL: User authorization failed' to go automatically to the logon menu.) You must then save the new password with 'Store User Name and Password' for the implicit logon.
You must carry out this adjustment on all Windows PCs that allowed you to access the database via the DBMGUI in the past and should allow you to do so in the future.
The password changes are immediately active.
- 3. Changing the SYSDBA user password
The database must be 'offline' or 'warm'.
You can change the password for the SYSDBA user with either SQLStudio, DBMGUI or DBMCLI.
3.1 Change with SQL Studio (only database core versions lower than Version 7.6)
Log onto the relevant database on SQLStudio with the SYSDBA user (for example, 'superdba').
Execute the following SQL statement:
alter password
After executing this SQL statement, you must now load the system tables so that the new SYSDBA password is also maintained at DBM level (file: *.upc).
a) Loading the system tables with DBMCLI:
If you load the system tables with DBMCLI, you must then specify the new SYSDBA password in this case.
b) Loading the system tables with DBMGUI: the system tables are loaded using
Configuration -> Upgrade Systemtables
Note:
When loading the system tables, you will see the error message
-24909 SYSDBA unknown [load_systab....].
Once you confirm this error message, you must specify the logon data for the SYSDBA (for example, 'superdba') with the new password and the domain password.
3.2. Change with DBMGUI
Call the DBMGUI and log onto the database where you want to change the SYSDBA user password.
Enter Configuration -> Database User -> SYSDBA user (for example, 'superdba') with the existing password. Then highlight the SYSDBA (for example 'superdba') and choose 'Properties'. Using 'Change', specify the new password twice. The password is thus automatically updated in the *.upc file. You are not required to load the system tables.
3.3 Change with dbmcli
Log on as a DBM user with DBMCLI to the database:
for example, dbmcli -d C11 -u control,control
Change the password with the user_put command as follows:
user_put
for example, user_put SYSDBA password=new
The password is automatically maintained in the *.upc file in this case also. You are not required to load the system tables.
- 4. Changing the DBA user password
The database must be 'offline' or 'warm'.
You can change the password of a DBA user with SQLStudio or with DBMGUI.
4.1 Change with SQLStudio
a) The password for a DBA user is changed by SYSDBA:
Log onto the database as user SYSDBA in the SQLStudio.
Execute the following SQL statement:
alter password
b) The DBA user password is changed by the DBA itself.
Log onto the database as the relevant DBA user (for example, SAPR3) using SQLStudio.
Execute the following SQL statement:
alter password
4.2 Change with DBMGUI
Call the DBMGUI and log onto the database where you want to change the DBA user password.
If you are changing the password using the DBMGUI, make sure that the DBA user whose password you are changing is not logged onto the database. Otherwise, the system will display the following error message when you change the password:
-24988 sql error [sql_execute ALTER USER ...DBA TIMEOUT NULL ....
-7048 Drop User not allowed while user is connected
The password is changed as follows:
Configuration -> Database User -> Log on as user SYSDBA and
highlight the DBA user whose password you want to change. Using
'Properties' and 'Change', enter the new password twice.
- 5. Maintaining the connection data for the various applications
You must also save the new passwords directly in SAP products, depending on the particular SAP product used.
a) Precomp. (R/3, WebAS, SCM, all applications that run with disp + work)
In this case, you must maintain the Xuser data on all instance servers in accordance with Note 39439.
b) Java applications manage the connection information for the database in the Secure Store.
c) SCM connection to the liveCache
You use transaction LC10 to maintain the connection data.
In this case, a special command must also be executed for the DBA user.
To do so, log onto a command line with dbmcli on the liveCache:
dbmcli -d LCA -u control,control
> user_sap
>exit
d) Secondary database connections using transaction DB59
You must also maintain the new user data in this case.
No comments:
Post a Comment