sap_hana/sap_swpm: Linux Special Characters

[sean-freeman]

We should probably also provide a warning in the sap_hana_install and sap_swpm Ansible Roles, regarding Linux Special Characters (aka. Metacharacters).

It is most noticeable when hdbuserstore executes successfully, but the subsequent login does not work. This is because the password has been incorrectly parsed by the Shell.

For more information, see SAP Note 2667891 - R3trans gives authentication error after system copy and restart which recommends escaping characters during data entry (i.e. hdbuserstore) or subsequently escaping characters for all logins.

A warning message during Ansible Role execution to state the password may cause issues, will be sufficient.

[berndfinger]

Is there a list of forbidden characters? SAP note 2667891 mentions $ but only as an example.

Referenced SAP note 2250144 only refers to SAP note 3158257, which does not refer to valid passwords or special characters.

Referenced SAP note 3158257 does not refer to valid passwords or special characters either.

A first solution could be that we define a list or dict of forbidden special characters to be used for passwords and in the first step just use the character $ as the only entry.

[sean-freeman]

I do not believe there is a specific list published by SAP, which is unfortunate. The below are the notes from the Ansible Playbooks for SAP project FAQ page.

---

SAP HANA password restrictions?

• Between 6 and 64 characters
• Alphanumerical, not advisable to use space character
• No restrictions on Special Characters

Reference:

• SAP HANA Security Guide for SAP HANA Platform - Password Policy
• SAP Note 2969917 - Can't use special characters like ! @ # $ % & in HANA user's password

SAP AnyDB password restrictions?

SAP Sybase ASE

No special recommendations

SAP MaxDB

Restricted to certain Special Characters #$@_. Must not begin with a digit.

IBM Db2

Avoid use of Special Character $ which may cause automation errors when parsed

Oracle DB

Avoid use of Special Character $ which may cause automation errors when parsed. Must not begin with a digit or underscore.

SAP System / SAP NetWeaver password restrictions?

Note: These are configurable in the Profile Parameters (login/min_password_* and login/password_*), below are default

• Between 3 and 40 characters
• Alphanumerical, not advisable to use space character
• Restricted to certain Special Characters !"@$%&/()=?’*+~#-_.,;:{[]}\<>│. Not advisible to use \ or "

Reference:

For SAP NetWeaver Application Server (ABAP) see document Password Rules - User and Role Administration - SAP NetWeaver Application Server for ABAP 7.52.

For further information, please see User Guides for System Provisioning with Software Provisioning Manager which contains a list of different guides under two sections:

1. Installation Option of Software Provisioning Manager 2.0
   • Installation Guides - Application Server Systems - Software Provisioning Manager 2.0
2. Installation Option of Software Provisioning Manager 1.0
   • Installation Guides - Application Server Systems - Software Provisioning Manager 1.0

On each of these pages (for SWPM 1.0/2.0) there are documents (HTML/PDF) in a table with choice for Database, Product Release, Operating System Platform, Technical Track. Each document contains layered sections 'Planning > Basic Installation Parameters > SAP System Parameters' with Password limitation information.

For example, SAP System Parameters - Installation of SAP ABAP Systems on UNIX : SAP HANA 2.0 - SWPM 2.0.

Please note, these guides are different than those listed on Guide Finder for SAP NetWeaver and ABAP Platform.