SAP (Sybase) ASE/IQ Database
Connector name |
|
Connector type | Executable |
Type (UI field value) | SAP (Sybase) ASE Database |
Target system versions supported / tested | Bravura Security Fabric can bind to any SAP ASE DBMS server (any version) using TDS, and issue SQL commands to enumerate users (SELECT), validate current passwords (test bind or SELECT), and reset passwords (sp_password, sp_iqpassword, UPDATE, or invoke a stored procedure). |
Connector status / support | Customer-Verified. Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment as Bravura Security does not maintain internal test environments for the associated target system. |
Installation / setup | No software is installed on the SAP ASE server. |
Bravura Identity can create, delete, enable, disable, modify, and rename system users in any specified SAP ASE database server. It creates new SAP ASE users by cloning existing ones, and copying and adjusting their group memberships and tablespace rights in the process. It can also manage the membership of SAP ASE database users in SAP ASE database groups.
The following Bravura Security Fabric operations are supported by this connector:
user verify password
user change password
get server information
administrator reset password
administrator verify password
enable account
disable account
check account enabled
create account
delete account
lock account
unlock account
check account lock
add user to group
delete user from group
create group
delete group
update attributes
run command
list account attributes
List:
accounts
attributes
groups
members
Note
Bravura Security Fabric supports group management on SAP ASE targets, using what SAP ASE refers to as roles. The terms group and role have special meaning in SAP ASE. Consult your SAP ASE documentation for more information.
For a full list and explanation of each connector operation, see Connector operations.
See also
Bravura Security Fabric can also perform operations defined wholly within an application table space, rather than database-level accounts, using the scripted connector for SAP ASE (agtsybctscript). See SAP (Sybase) ASE/IQ Hosted Applications for details.
Preparation
Before Bravura Security Fabric can manage database-level accounts or passwords in a SAP ASE database, you must:
Install the client software
Configure a target administrator
Create at least one template account
Note
The following instructions are for ASE version 12.5.1. Details may vary depending on your version of the software.
Installing client software
Bravura Security Fabric communicates with the SAP ASE server via the TDS protocol. Before you can target SAP ASE, you must install the ASE PC Client software (typical install) on the Bravura Security Fabric server.
SAP ASE 15 or later supports the DB-lib and requires libsybdb.dll to be in the system path. SAP ASE 12.5 or earlier supports the CT-lib and requires libsybcs.dll to be in the system path.
Using the Dsedit utility on the Bravura Security Fabric server, add a connection for each SAP ASE server you want to manage. To do this:
Open the Dsedit utility. This program configures your client to connect to SAP ASE instances.
Another window, titled Select Directory Service, may appear depending on your client.
Select InterfacesDriver, then click OK.
Select Server Object > Add from the toolbar.
Enter a name for the SAP ASE server and then click OK. Remember this server name, as it will be used later by Bravura Security Fabric to target the server.
Double-click the Server Address for the server you just added. In the Network Address Attribute window, click Add.
Select TCP and then type the address to the server in the format:
<host name>,<portnumber>
For example, type sybasesrv,5000.
Note
It is recommended that the Bravura Security Fabric server be rebooted after the installation of the SAP (Sybase) client software. This is to ensure that the new SAP (Sybase) environment variables are properly recognized by IIS.
Defining a connection isn’t required if the SAP (Sybase) server will be targeted using server name and port number. It’s only required when targeting using server name only.
Configuring a target system administrator
Bravura Security Fabric uses a designated account (for example, psadmin) on the SAP ASE target system to manage accounts.
The target system administrator must have the site security officer (sso_role) and system administrator (sa_role) roles. Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the SAP ASE target system to Bravura Security Fabric.
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new SAP ASE accounts. The following example illustrates how you can create a template account on your SAP ASE server:
Open SAP (Sybase) Central Java Edition.
Connect to SAP ASE using your target system administrator account.
Under the specified server, select the Logins folder.
On the right side panel, double-click on Add login.
Enter the name, password, and confirm password for the new login.
Select Next and then enter the account’s default database, language, and full name if required.
Select the database(s) that accounts created from this template will have access to. Click Next, then Finish.
See your systems administrator or SAP ASE documentation for more information if required.
Targeting SAP (Sybase) ASE
For each SAP ASE server, add a target system (Manage the system > Resources > Target systems):
Type is SAP (Sybase) ASE Database.
Address uses:
Server: Host name or IP address
Port: Optional
Version: SAP (Sybase) ASE version number
Lock policy: Only required for SAP IQ – The name of the lock policy defined in the SAP IQ system.
Network Password Encryption: Require all user name and password-based authentication requests to use RSA asymmetric encryption.
The SAP (Sybase) target system address syntax is as follows:
{server=<server name>;[port=<port number>;][version=<version number>;][lockpolicy=<lock policy>][secure=<true|false>]}
Administrator ID and Password is the login ID and password for the target system administrator you configured earlier.
The full list of target system parameters is explained in Target system options.
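The following added example (not Bravura Security code) parses a target address in the syntax above and reports addresses that do not explicitly require Network Password Encryption or that depend on a Dsedit connection entry. The function names, the assumption that every field is separated by ";", and the wording of the findings are illustrative; the sample addresses are constructed.

```python
# Added example: field names come from the address syntax on this page;
# the ';' handling and the audit rules are assumptions of this sketch.
KNOWN_KEYS = ("server", "port", "version", "lockpolicy", "secure")

def parse_target_address(address):
    """Split '{key=value;...}' into a dict, rejecting malformed input."""
    text = address.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("address must be wrapped in { }")
    fields = {}
    for part in text[1:-1].split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';' before '}'
        key, sep, value = (s.strip() for s in part.partition("="))
        if not sep or key not in KNOWN_KEYS or not value:
            raise ValueError(f"unrecognized field: {part!r}")
        if key in fields:
            raise ValueError(f"duplicate field: {key}")
        fields[key] = value
    if "server" not in fields:
        raise ValueError("server= is required")
    if "port" in fields:
        port = fields["port"]
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"invalid port: {port!r}")
    if fields.get("secure", "true").lower() not in ("true", "false"):
        raise ValueError("secure must be true or false")
    return fields

def audit_target_address(address):
    """Return review findings for one target address string."""
    fields = parse_target_address(address)
    findings = []
    if fields.get("secure", "").lower() != "true":
        findings.append("secure=true not set: Network Password Encryption "
                        "(RSA) is not explicitly required")
    if "port" not in fields:
        findings.append("no port: a Dsedit connection entry must exist "
                        f"for server name {fields['server']!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample addresses, not taken from a real deployment.
    for sample in ("{server=sybasesrv;port=5000;version=15.7;secure=true}",
                   "{server=sybasesrv;}"):
        print(sample, "->", audit_target_address(sample) or "ok")
```

The page does not state what the connector does when secure is omitted, so the audit treats an omitted value as a finding rather than assuming a default.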
Handling account attributes
You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, in the Manage the system (PSA) module. To do this, select SAP (Sybase) Database from the Manage the system > Resources > Account attributes > Target system type menu.
This section describes the attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior on SAP ASE. For information about the native SAP ASE attributes managed by Bravura Security Fabric, consult your SAP ASE documentation.
Note
SAP ASE is case-sensitive.
account_status can be either of two values if set, lock and unlock.
databases creates a database user in the databases specified.
defaultdatabase configures the account’s default database.
defaultlanguage configures the account’s default language.
fullname sets the account's full name.
db_group_<database name> sets the user’s group within the database specified by <database name>. The user account must exist in <database name>.
Because database names are unique to each SAP ASE install, you must create this attribute manually for each database. See Account attributes in the Bravura Security Fabric documentation to learn how to do this. This attribute must be single-valued as SAP ASE only supports one group per user per database. If this attribute does not exist, Bravura Security Fabric adds the user to the public group.
Troubleshooting
If you experience any errors, verify that:
The SAP ASE client software is installed on the Bravura Security Fabric server.
The SAP ASE libraries are on the system-wide search path (PATH variable). If not, add the appropriate directories to the PATH environment variable and restart the Bravura Security Fabric server.
You can log into each SAP ASE server from the Bravura Security Fabric server using SQL Advantage and the target system administrator ID and password you created.
You can issue sp_addlogin and sp_adduser commands while logged in with the target system administrator account.
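The client-library checks in this list can be scripted. The added example below (not part of the Bravura product) maps an ASE version to the DLL named under Installing client software and reports whether exactly one copy is reachable through PATH. The function names and the "duplicate" status are assumptions of this sketch, and it inspects PATH directories only.

```python
import os

def required_client_library(ase_version):
    """Return the client DLL this page names for an ASE version, or None."""
    parts = [int(p) for p in ase_version.split(".")[:2]]
    major, minor = parts[0], (parts[1] if len(parts) > 1 else 0)
    if major >= 15:
        return "libsybdb.dll"  # DB-lib, SAP ASE 15 or later
    if (major, minor) <= (12, 5):
        return "libsybcs.dll"  # CT-lib, SAP ASE 12.5 or earlier
    return None  # the page does not cover versions between 12.5 and 15

def locate_on_path(filename, path=None):
    """List the PATH directories that contain filename, in search order."""
    if path is None:
        path = os.environ.get("PATH", "")
    hits = []
    for directory in path.split(os.pathsep):
        directory = directory.strip().strip('"')
        if (directory and directory not in hits
                and os.path.isfile(os.path.join(directory, filename))):
            hits.append(directory)
    return hits

def check_client_library(ase_version, path=None):
    """Classify the PATH state: 'unknown', 'missing', 'ok' or 'duplicate'."""
    library = required_client_library(ase_version)
    if library is None:
        return {"library": None, "status": "unknown", "directories": []}
    hits = locate_on_path(library, path)
    status = "missing" if not hits else "ok" if len(hits) == 1 else "duplicate"
    return {"library": library, "status": status, "directories": hits}

if __name__ == "__main__":
    # "12.5.1" is the version this page's instructions were written for.
    print(check_client_library("12.5.1"))
```

A "duplicate" result lists the directories in search order, so you can confirm that the first copy found is the one installed with the ASE PC Client.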
The easiest way to avoid problems with managing accounts in Bravura Security Fabric is to use the "sa" login. If errors occur while managing accounts, try adding "sa" as your target system administrator to determine if the problem is with permissions.
If your SAP (Sybase) system is not configured to allow administrative updates you may get a message like the following when you attempt an administrative reset:
Ad-hoc updates to system catalogs not enabled. A user with System Security Officer (SSO) role must reconfigure system to allow this.
To allow the "sa" login to change passwords from Bravura Pass, run the following command on the SAP (Sybase) server using the isql (Interactive SQL) utility:
sp_configure "allow updates", 1