Changing Database User Passwords in an SAP System


Changing DB user's passwords using SQL commands is not advisable in some cases. The DB user's passwords are encrypted and stored in SAP tables or files which need to be updated with the new password. If you are using any custom script with passwords hardcoded, you will have to update them as well.

1. Changing DB Password for sapr3, sap<sid>, sap<xyz> or sapsr3

The passwords for DB users used by the ABAP engine are stored in the table SAPUSER. When the password is changed, the change must reflect in the table. To ensure that this is consistently done, use BR Tools:
brconnect -f chpass -o [sapr3 | sap<sid> | sap<xyz> | sapsr3] -p <new_password>
If the password changed using SQL command, the work processes, R3trans, saplicense etc will show error with return code ORA-01017.

2. Changing DB Password for sap<sid>db, sap<xyz>db or sap<sr3>db

The passwords for DB users used by J2EE engine are stored in the file /usr/sap/<SID>/SYS/global/security/data/SecStore.properties. The contents of this file are encrypted and can only be changed using config tool.

To change the password
1. Start the config tool
2. Select secure store
3. Open another command prompt and change the password using BR Tools
brconnect -f chpass -o [ sap<sid>db | sap<xyz>db | sapsr3db] -p <new_password>
4. Go back to config tool and update the password against the parameter jdbc/pool/<SID>/Password

It is advised that the passwords be changed with SAP applications stopped.

1 comment:

Thanks for reading the post. Hope it was useful.
Please let us know if we could have done a better job or if you have applied the ideas to a real life problem.
If you want us to post on something that has been bugging you, ask away!