
SAP MaxDB Database Parameters (7.9.11.08, Security)


DenyAuthentication

change: DIRECT

 A comma-separated list of identifiers that specify the
 authentication methods that are not allowed for this server.

 Possible identifiers are:

 'SCRAMSHA256V2': Challenge/Response using a SHA256 hash algorithm (with server proof)
 'SCRAMSHA256'  : Challenge/Response using a SHA256 hash algorithm
 'SCRAMMD5'     : Challenge/Response using an MD5 hash algorithm
 'BASIC'        : Passwords are sent using a reversible crypt algorithm, so the
                  password itself can be recovered from the exchange
 
 If DenyAuthentication is empty, then all authentication methods are allowed.

EnableAuditing

default: "NO"

possible values: "YES" "NO"

change: RUNNING

new in 7.9.11.01

Allows the logging of a user's access to a database object,
if auditing is configured for the combination of user, database
object and operation.

With this parameter auditing can be switched on and off at a single
point without affecting the configured audit settings.

Possible values are:

  'YES' : configured audit settings will be used during execution of SQL statements
  'NO'  : no auditing will happen at all

(8 byte character)

EncryptDump

default: "NO"

possible values: "YES" "NO"

change: OFFLINE

new in 7.9.11.01


 Defines whether the kernel dump files are encrypted or not.

 The parameter works in conjunction with the parameter 'EncryptionAlgorithm':
 it only takes effect if 'EncryptionAlgorithm' is not 'NONE'.
 

EncryptionAlgorithm

default: "NONE"

possible values: "NONE" "AES256-CBC"

change: OFFLINE

new in 7.9.11.01


 Defines the encryption algorithm that is used to encrypt data containers
 such as volumes, backups etc.

 Changing the value has no effect on containers that have already been created.

 Possible values are:
   'NONE'      : No encryption
   'AES256-CBC': Advanced Encryption Standard 256 Bits with Cipher Block Chaining

EncryptTrace

default: "NO"

possible values: "YES" "NO"

change: OFFLINE

new in 7.9.11.01


 Defines whether the kernel trace file is encrypted or not.

 The parameter works in conjunction with the parameter 'EncryptionAlgorithm':
 it only takes effect if 'EncryptionAlgorithm' is not 'NONE'.
 
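The parameters above interact: EncryptDump and EncryptTrace are dead switches while EncryptionAlgorithm is 'NONE', an empty DenyAuthentication leaves BASIC and SCRAMMD5 reachable, and EnableAuditing 'NO' silently discards every configured audit rule. The following audit routine is an added example, not part of MaxDB or its tooling; it checks a plain name/value mapping (such as one assembled from the parameter listing) against those documented semantics. The mapping format, the finding texts and the decision to treat BASIC and SCRAMMD5 as weak are this example's own assumptions.

```python
# Added example (not SAP code): audit a MaxDB security parameter set against
# the documented semantics of DenyAuthentication, EnableAuditing, EncryptDump,
# EncryptionAlgorithm and EncryptTrace. The input mapping, the finding texts and
# the choice to treat BASIC and SCRAMMD5 as weak are this example's assumptions.

# BASIC sends a recoverable password; SCRAMMD5 is the MD5-based challenge/response.
WEAK_AUTH = ("BASIC", "SCRAMMD5")


def parse_deny_list(value):
    """DenyAuthentication is a comma-separated identifier list; empty allows everything."""
    return {item.strip().upper() for item in value.split(",") if item.strip()}


def audit(params):
    """Return findings as (parameter, message) tuples; an empty list means nothing was flagged.

    Values may carry the surrounding double quotes used in the parameter listing."""
    p = {k: v.strip().strip('"').upper() for k, v in params.items()}
    findings = []

    denied = parse_deny_list(p.get("DenyAuthentication", ""))
    for method in WEAK_AUTH:
        if method not in denied:
            findings.append(("DenyAuthentication", method + " still allowed"))

    # EncryptionAlgorithm governs volumes/backups; the dump and trace switches
    # only work when it is not NONE (OFFLINE change, existing containers stay as is).
    algo = p.get("EncryptionAlgorithm", "NONE")
    if algo == "NONE":
        findings.append(("EncryptionAlgorithm", "volumes and backups are written unencrypted"))
    for flag in ("EncryptDump", "EncryptTrace"):
        if p.get(flag, "NO") == "YES" and algo == "NONE":
            findings.append((flag, "YES has no effect while EncryptionAlgorithm is NONE"))
        elif p.get(flag, "NO") != "YES":
            findings.append((flag, "kernel file is written unencrypted"))

    if p.get("EnableAuditing", "NO") != "YES":
        findings.append(("EnableAuditing", "configured audit settings are not applied"))
    return findings


# Constructed sample input: a default-like installation next to a hardened one.
DEFAULT_LIKE = {
    "DenyAuthentication": "",
    "EnableAuditing": '"NO"',
    "EncryptDump": '"YES"',          # set, but pointless without an algorithm
    "EncryptionAlgorithm": '"NONE"',
    "EncryptTrace": "NO",
}
HARDENED = {
    "DenyAuthentication": "BASIC,SCRAMMD5",
    "EnableAuditing": "YES",
    "EncryptDump": "YES",
    "EncryptionAlgorithm": "AES256-CBC",
    "EncryptTrace": "YES",
}

if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

Run against the default-like sample the routine reports six findings, including that EncryptDump 'YES' is ineffective; the hardened sample produces none. Note that the three encryption parameters are OFFLINE changes, so remediation requires a restart of the database, and that switching EncryptionAlgorithm does not re-encrypt existing volumes or backups.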

LastUsedPasswords

default: 0

change: DIRECT

new in 7.9.10.00

 The number of most recently used passwords that the user is not allowed to reuse when changing the current password.

 The value 0 allows the user to reuse the last password.
  

MaximumPasswordLifetime

default: 0

change: DIRECT

new in 7.9.10.00

 The number of days after which a user's password expires.

 A value of 0 means the password expiration is disabled.

 The lower and upper limits are:
     0 <= MaximumPasswordLifetime <= 3650

 A user administrator can exclude users from this password check with the following
 SQL statement: 
 
  ALTER USER  DISABLE PASSWORD LIFETIME 

  However, this is not recommended for database users that correspond to real people.
  Use it for technical users only. 
  
 A user administrator can re-enable the password lifetime check for a user with the 
 following SQL statement: 
 
  ALTER USER  ENABLE PASSWORD LIFETIME 

 To exclude the DBM operator use the following DBM command:
 
  user_put  PASSWORD_LIFETIME=DISABLE

 The password lifetime check can be re-enabled for the DBM operator with following
 statement:  

  user_put  PASSWORD_LIFETIME=ENABLE


MinimumPasswordLifetime

default: 0

change: DIRECT

new in 7.9.10.00

 The minimum number of days that must elapse before a user can change the password.

 A value of 0 means the password has no minimum lifetime.

 The lower and upper limits are:
     0 <= MinimumPasswordLifetime <= 31

MinPasswordLength

default: 1

change: DIRECT

 Minimum number of characters a password must contain.

 The lower and upper limits are:
     1 <= MinPasswordLength <= 256

PasswordExcludeList

change: DIRECT

new in 7.9.11.01

 A blank-separated list of words that are not allowed as passwords or as parts of passwords
 (the string comparison is case-insensitive).

 E.g. "SAP TRUE FALSE"

 Every blank character within this parameter string is interpreted as a separator.
   

PasswordLayout

change: DIRECT

new in 7.9.10.00

 Defines the character types that the password must contain and how many (minimum).

 The following character types are allowed in passwords: 
  
    - Lowercase letter (a-z)
    - Uppercase letter (A-Z)
    - Numerical digits (0-9)
    - Special characters
     
    Any character except blank and double quote that is not an uppercase letter, a lowercase letter, 
    or a numerical digit is considered a special character.
    
  When configuring this parameter, you can use any character allowed in a password (see above).
  The characters can be in any order; only the number of characters of each type counts.

  For example, Aa1 requires at least one uppercase letter, at least one lowercase letter and
  at least one digit. The same requirement could also be expressed as a1A, hQ5 or 9fG.

  To enforce a specific number of a particular character type, specify the character type multiple
  times. For example, if passwords must contain at least 3 digits, you could specify a123A or 789fG.

  To enforce at least one of each character type, including special characters, specify A1a_ or 2Bg?.
  
  All blank or double quote characters within this parameter string will be silently ignored.
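To make the rules for MinPasswordLength, PasswordLayout, PasswordExcludeList and LastUsedPasswords concrete, here is an added example that models them as documented above so a candidate policy can be tried against sample passwords offline. It is illustrative code, not SAP's implementation; the class and function names, the "history" argument and the sample passwords are this example's own.

```python
# Added example (not SAP code): a model of the password rules documented for
# MinPasswordLength, PasswordLayout, PasswordExcludeList and LastUsedPasswords,
# so a candidate policy can be tried against sample passwords offline. The
# class, function names and the "history" argument are this example's own.
import string


def char_class(ch):
    """Classify one character as the parameter docs do; blank and double quote
    are not allowed in passwords at all and yield None."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    if ch in ' "':
        return None
    return "special"


def parse_layout(layout):
    """PasswordLayout 'A1a_' -> minimum count per class. Blanks and double quotes
    are silently ignored; repeating a class raises its minimum ('a123A' needs 3 digits)."""
    required = {"lower": 0, "upper": 0, "digit": 0, "special": 0}
    for ch in layout:
        cls = char_class(ch)
        if cls is not None:
            required[cls] += 1
    return required


class PasswordPolicy:
    def __init__(self, min_length=1, layout="", exclude_list="", last_used=0):
        if not 1 <= min_length <= 256:
            raise ValueError("1 <= MinPasswordLength <= 256")
        self.min_length = min_length
        self.required = parse_layout(layout)
        # any run of blanks separates words; comparison is case-insensitive
        self.excluded = [w.upper() for w in exclude_list.split()]
        self.last_used = last_used

    def check(self, candidate, history=()):
        """Return the violated rules (empty list = accepted).
        history: the user's previous passwords, most recent first."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append("MinPasswordLength")
        counts = {"lower": 0, "upper": 0, "digit": 0, "special": 0}
        for ch in candidate:
            cls = char_class(ch)
            if cls is None:
                if "forbidden character" not in problems:
                    problems.append("forbidden character")
            else:
                counts[cls] += 1
        for cls, n in self.required.items():
            if counts[cls] < n:
                problems.append("PasswordLayout: at least %d %s" % (n, cls))
        upper = candidate.upper()
        for word in self.excluded:
            if word in upper:
                problems.append("PasswordExcludeList: contains %s" % word)
        # LastUsedPasswords = 0 still lets the user reuse the previous password;
        # N > 0 blocks the N most recent ones.
        if self.last_used > 0 and candidate in history[:self.last_used]:
            problems.append("LastUsedPasswords")
        return problems


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, layout="A1a_",
                            exclude_list="SAP TRUE FALSE", last_used=3)
    for pw in ("Xq7#mzL2", "mySap42!!", "Xq7#m", "password"):
        print(pw, policy.check(pw) or "accepted")
```

With the sample policy, "Xq7#mzL2" passes, "mySap42!!" is rejected because it contains the excluded word SAP regardless of case, and "password" fails the layout on three counts. Note the documented edge case on reuse: LastUsedPasswords=0 (the default) does not block the previous password at all, so a reuse ban needs a value of at least 1.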
   

PSEFileName

default: "SDBSRV.pse"

change: RUNNING

new in 7.9.11.01

    The name of the PSE container file for the volume encryption.

    A Personal Security Environment (PSE) is a container for X.509 certificates and keys. It contains

      - A private RSA/DSA key,
      - The corresponding X.509 public key certificate,
      - The certificate chain (CA certificates including the root certificate),
      - A certificate list used as trust anchors for certificate verification (the root certificate of the
        own certificate chain is always used as a trust anchor).

      The path where the file must be located is defined by the kernel parameter 'PSEPath'. 

 (char(256))

PSEPath

default: <GlobalDataPath>/sec

change: OFFLINE

new in 7.9.11.01

    Path where the PSE container for the volume encryption can be found. 
    The container name is defined by the kernel parameter 'PSEFileName'.
 (char(256))

SAPSupportIdentifier

change: OFFLINE

new in 7.9.11.01

    The SAP support identifier that is granted access to encrypted trace and dump files.

      - The value is the subject (distinguished name) of the corresponding X.509 public key certificate

 (char(256))

UseBackupSecurityDescriptor

default: depends on operating system or instance type

possible values: "YES" "NO"

change: OFFLINE

 Specifies whether the Windows operating system security descriptor is to be used for file backups.

 UseBackupSecurityDescriptor = 'YES' or 'NO'

 'YES': Use the Windows security descriptor on file backups
 'NO' : Do not use the Windows security descriptor on file backups (e.g., when backing up to a Samba share)

 (char(8))