Best Practices for Deploying HP-UX Secure Resource Partitions (SRP) for SAP Whitepaper
SRP rule file DEFAULT_SAPOSCOL.h for non-saphostctrl use
// Edit this file manually
// Variables to be replaced:
// _SAP_SID_ for one SAP system on this host
// _SAP_COMPARTMENT_ for each SAP SRP compartment
//for one SAP system on the host
Perm all /sapmnt/_SAP_SID_/exe/saposcol
Perm all /usr/sap/tmp
//for each SAP SRP compartment on the host
grant ipc <_SAP_COMPARTMENT_>
…
access ipc,fifo,uxsock *
SRP rule file DEFAULT_SAPHOST.h for saphostctrl use
// Edit this file manually
// Variables to be replaced:
// _SAP_COMPARTMENT_ for each SAP compartment
// _sap_sid_ = SAP SID in lower letters
Perm nsearch,read /usr/sap
Perm all /usr/sap/hostctrl
Perm all /usr/sap/tmp
//for each SAP compartment on the host
grant ipc <_SAP_COMPARTMENT_>
…
access ipc,fifo,uxsock *
Script add_new_system
With the following script, the SAP directories of a new SAP system are added to a global BLOCK
file. This block rule file is included in the rule file of the compartment created for the SAP
system, and the directories receive the corresponding allow rules for that SAP system. The idea behind
this is to block all SAP-related directories on the host and then grant access only to the ones
associated with the SRP compartment.
To use this script, copy the files SAP_RUN.h and SAP_INST.h to the directory /etc/cmpt/include. The
script replaces the variables in these files for you.
#!/usr/bin/csh
# Script to create an entry in the block file for the new SAP system and an allow file for the compartment
if ( ${#argv} == 5 ) then
    echo "Start rule file creation and activation for SAP system $1\n\n"
else
    echo "usage: $0 <SRP> <SAP_SID> <DB_SID> <SAP_SYSNUM> <RUN|INST>"
    exit 1
endif
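The following is an added example, not the whitepaper's add_new_system script. It shows the two steps the script combines: checking the five arguments before anything is written, and rendering a rule template by replacing the placeholders the rule files above use (_SAP_SID_, _sap_sid_, _SAP_COMPARTMENT_). It is written in POSIX sh rather than csh so that it runs on any host. It assumes the templates SAP_RUN.h and SAP_INST.h live in SRP_INCLUDE_DIR (default /etc/cmpt/include, as described above); the placeholder names _DB_SID_ and _SAP_SYSNUM_, the sample template and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the whitepaper's add_new_system script: validate the five
# arguments that script expects and render an SRP rule template by replacing
# the placeholders the rule files use. POSIX sh rather than csh.
# Assumptions: templates SAP_RUN.h / SAP_INST.h live in SRP_INCLUDE_DIR
# (default /etc/cmpt/include); _DB_SID_ and _SAP_SYSNUM_ are hypothetical
# placeholder names chosen for this example.

# Constructed sample template standing in for DEFAULT_SAPOSCOL.h.
SAMPLE_TEMPLATE='// rendered from a constructed template
Perm all /sapmnt/_SAP_SID_/exe/saposcol
Perm nsearch,read /usr/sap
Perm all /usr/sap/_SAP_SID_
// home directory of the _sap_sid_adm user
grant ipc <_SAP_COMPARTMENT_>
access ipc,fifo,uxsock *'

# validate_args SRP SAP_SID DB_SID SAP_SYSNUM RUN|INST  ->  0 if valid, 1 if not.
# Checking the values before they reach sed keeps a stray space, slash or sed
# metacharacter from producing a rule file that is malformed or broader than
# the one compartment it is meant for.
validate_args() {
    [ $# -eq 5 ] || return 1
    case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac         # compartment name
    case "$2" in [A-Z][A-Z0-9][A-Z0-9]) ;; *) return 1 ;; esac  # SAP SID, 3 chars
    case "$3" in [A-Z][A-Z0-9][A-Z0-9]) ;; *) return 1 ;; esac  # DB SID, 3 chars
    case "$4" in [0-9][0-9]) ;; *) return 1 ;; esac             # instance number
    case "$5" in RUN|INST) ;; *) return 1 ;; esac               # template to use
    return 0
}

# render_rule SRP SAP_SID DB_SID SAP_SYSNUM < template > rule_file
# Replaces every placeholder; _sap_sid_ is the SID in lower case, as the
# rule file header describes.
render_rule() {
    srp=$1 sid=$2 dbsid=$3 sysnum=$4
    lsid=$(printf '%s' "$sid" | tr 'A-Z' 'a-z')
    sed -e "s/_SAP_SID_/$sid/g" \
        -e "s/_sap_sid_/$lsid/g" \
        -e "s/_SAP_COMPARTMENT_/$srp/g" \
        -e "s/_DB_SID_/$dbsid/g" \
        -e "s/_SAP_SYSNUM_/$sysnum/g"
}

# render_sample SRP SAP_SID DB_SID SAP_SYSNUM: render the constructed template.
render_sample() {
    printf '%s\n' "$SAMPLE_TEMPLATE" | render_rule "$@"
}

# Command-line entry: runs only when all five arguments are given, so the file
# can also be sourced for its functions. Usage mirrors the csh script above.
if [ $# -eq 5 ]; then
    if validate_args "$@"; then
        render_rule "$1" "$2" "$3" "$4" < "${SRP_INCLUDE_DIR:-/etc/cmpt/include}/SAP_$5.h"
    else
        echo "usage: $0 <SRP> <SAP_SID> <DB_SID> <SAP_SYSNUM> <RUN|INST>" >&2
        exit 1
    fi
fi
```

Rendering to standard output rather than straight into /etc/cmpt/include lets an administrator review the generated allow rules before they are activated for the compartment; the validation step is what makes the sed substitution safe, since only names that pass it ever reach the rule file.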