IBM Support

Setting the Data Protection SAP password after upgrading to 7.1.8 or 8.1.2

Question & Answer


Question

What steps are necessary to setup the Data Protection for SAP client after upgrading the API to version 7.1.8 or 8.1.2 (or greater), which includes the security enhancements.

Answer

There are specific steps that are necessary to enable the Data Protection for SAP clients when you are working with the newer release. Reference he following link to the Documentation Updates:
http://www-01.ibm.com/support/docview.wss?uid=swg27049254
The password information is in the section:
Password permissions for using the Backup archive client with Spectrum Protect for ERP
As noted here, it is necessary to ensure the password files were created by the application user (not root) using the Data Protection commands.

First, set the PASSWORDDIR in the dsm.sys file to a location that has write permissions for the dba user that performs the backup. Also ensure that PASSWORDACCESS GENERATE is set in this stanza within the dsm.sys. Then to store the password, for example,  for the Data Protection for SAP HANA client, run the command:
hdbbackint -p <initSID.utl> -f password
This will create the password files in the location specified by the PASSWORDDIR.
If there are any errors, check this directory and ensure the following files have Read/Write capability based on the group (dba):
 TSM.sth
 TSM.IDX
 TSM.KDB


NOTE:
  • If Node replication is enabled, then it is necessary to set the nrtablepath as noted in the following document:

  • https://www.ibm.com/support/knowledgecenter/SSGSG7_7.1.8/client/r_opt_nrtablepath.html
    For example, if this is an SAP HANA environment, you would add the option into the dsm.sys:
    NRTABLEPATH /usr/sap/{SID}/SYS/global/hdb/opt/hdbconfig.
    Then verify that the permissions for the following files are set for the dba user:
    tsmnrtable.DB
    tsmnrtable.DB.Lock
  • For the SSL certificate (again using HANA as an example), in the (/usr/sap/{SID}/SYS/global/hdb/opt/hdbconfig/ directory change the following files to have permissions for the dba user

  • spclicert.crl
    spclicert.kdb
    spclicert.rdb
    spclicert.sth

  • The newer clients have the performance tracing enabled by default and errors may be seen when the dba user attempts to write the performance statistics to the log. You can disable the performance tracing by adding the following entry to the dsm.sys file:

  • ENABLEINSTRUMENTATION No

[{"Product":{"code":"SSER83","label":"IBM Spectrum Protect for Enterprise Resource Planning"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Data Protection for SAP HANA\u00ae","Platform":[{"code":"PF016","label":"Linux"}],"Version":"8.1.4","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Product Synonym

TSM

Document Information

Modified date:
21 March 2019

UID

swg22010515