Best Practices for Deploying HP-UX Secure Resource Partitions (SRP) for SAP Whitepaper

Example configurations
How to enable login to the INIT compartment
After srp_setup has been run, users other than the default root user may be unable to log in to the
INIT compartment.
Starting with SRP 2.1, the following commands add further users and groups that are permitted to log in
to the INIT compartment:
To enable additional users for INIT compartment login:
roleadm assign <user-name> SRPlogin-init
To enable additional groups for INIT compartment login (a group name is prefixed with &):
roleadm assign "&<group_name>" SRPlogin-init
For SRP version 2.0, one additional step (two commands) is required before any user or group is enabled:
the SRPlogin-init role is created and is granted the authorization to log in to the init compartment:
roleadm add SRPlogin-init
authadm assign SRPlogin-init hpux.security.compartment.login "init"
SRP rule file SAP_RUN.h for a running system
// Variables to be replaced:
// _SAP_SID_ = SAP SID in capital letters
// _DB_SID_ = database SID in capital letters
// _SAP_SYSNUM_ = SAP System number
// _sap_sid_ = SAP SID in lowercase letters
// read access rules
perm nsearch /oracle
perm nsearch,read /oracle/client__SAP_SID_
perm nsearch,read /usr/sap
perm nsearch,read /usr/sap/tmp
// all access rules
perm all /oracle/_DB_SID_
perm all /oracle/_DB_SID_/102_64
perm all /home/_sap_sid_adm
perm nsearch /sapmnt
perm all /sapmnt/_SAP_SID_
perm nsearch /usr/sap
perm all /usr/sap/_SAP_SID_
perm all /usr/sap/trans__SAP_SID_
// not necessary for 6.40 systems
perm all /usr/sap/sapservices__SAP_SID_
// not necessary for 6.40 systems
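The rule file above is a template: the placeholders listed in its header comment must be replaced for each SAP instance before the file is installed. The following POSIX shell script is an added example, not part of the HP whitepaper or the SRP product, showing how to render the template for one instance and verify that no placeholder survived. It assumes the placeholder names defined above, a SAP SID of three uppercase alphanumeric characters starting with a letter and a two-digit system number (the usual SAP conventions), and it embeds a constructed subset of the rules plus one constructed comment line that uses _SAP_SYSNUM_. The input validation matters because an empty or malformed SID would otherwise yield a rule such as "perm all /oracle/", granting far broader access than intended.

```shell
#!/bin/sh
# Added example, not from the HP whitepaper: render the SAP_RUN.h rule
# template for one SAP instance and verify that no placeholder survived.
# Assumptions: placeholder names are those the whitepaper defines; the
# template below is a constructed subset of its rules plus one constructed
# comment line that exercises _SAP_SYSNUM_.

SAP_RUN_TEMPLATE=$(cat <<'EOF'
// instance _SAP_SID_ / database _DB_SID_ / system number _SAP_SYSNUM_
// read access rules
perm nsearch /oracle
perm nsearch,read /oracle/client__SAP_SID_
perm nsearch,read /usr/sap
// all access rules
perm all /oracle/_DB_SID_
perm all /home/_sap_sid_adm
perm nsearch /sapmnt
perm all /sapmnt/_SAP_SID_
perm all /usr/sap/_SAP_SID_
perm all /usr/sap/trans__SAP_SID_
EOF
)

# Render the template for <SAP SID> <DB SID> <system number>.
# Inputs are validated first: a malformed or empty SID would silently
# produce a rule that grants "all" on a broader path than intended
# (for example "perm all /oracle/" with an empty DB SID), and characters
# such as "/" would corrupt the sed substitution.
render_sap_run_rules() {
    sap_sid=$1 db_sid=$2 sysnum=$3
    case $sap_sid in
        [A-Z][A-Z0-9][A-Z0-9]) ;;
        *) echo "invalid SAP SID: '$sap_sid'" >&2; return 1 ;;
    esac
    case $db_sid in
        [A-Z][A-Z0-9][A-Z0-9]) ;;
        *) echo "invalid DB SID: '$db_sid'" >&2; return 1 ;;
    esac
    case $sysnum in
        [0-9][0-9]) ;;
        *) echo "invalid SAP system number: '$sysnum'" >&2; return 1 ;;
    esac
    sap_sid_lc=$(printf '%s' "$sap_sid" | tr 'A-Z' 'a-z')
    # sed is case-sensitive, so _SAP_SID_ and _sap_sid_ are distinct tokens.
    printf '%s\n' "$SAP_RUN_TEMPLATE" | sed \
        -e "s/_SAP_SID_/$sap_sid/g" \
        -e "s/_DB_SID_/$db_sid/g" \
        -e "s/_SAP_SYSNUM_/$sysnum/g" \
        -e "s/_sap_sid_/$sap_sid_lc/g"
}

# Fail if any of the whitepaper's placeholders is still present in the
# rendered text (argument 1); run this before installing the rule file.
check_no_placeholders() {
    if printf '%s\n' "$1" | grep -qE '_(SAP_SID|DB_SID|SAP_SYSNUM|sap_sid)_'; then
        echo "unreplaced placeholder found in rule file" >&2
        return 1
    fi
    return 0
}

# Usage: SAP SID C11, database SID C11, instance 00 (constructed values).
if rules=$(render_sap_run_rules C11 C11 00) && check_no_placeholders "$rules"; then
    printf '%s\n' "$rules"
fi
```

With the constructed values the rendered output contains, for example, "perm all /home/c11adm" and "perm nsearch,read /oracle/client_C11"; the rendered text should only be copied into the compartment rule directory after check_no_placeholders has passed.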