hdbnsutil -sr_register --remoteHost=SECONDARY_HOST_NAME \
--remoteInstance=INSTANCE_NUMBER --replicationMode=async \
--name=SITE_NAME
6.3 Using Hawk
After you have set up the cluster using the wizard, you can open Hawk directly from the last
screen of the HA Setup for SAP Products wizard.
50 Using Hawk SLES for SAP 12 SP2
To revisit Hawk, open a browser and as the URL, enter the IP address or host name of any cluster
node running the Hawk Web service. Alternatively, enter the virtual IP address you configured
in Section 6.2, “Setup”.
https://HAWKSERVER:7630/
On the Hawk login screen, use the following login credentials:
Username: hacluster
Password: linux
Important: Secure Password
Replace the default password with a secure one as soon as possible:
root # passwd hacluster
For more information about Hawk, see Administration Guide, Part “Configuration and
Administration”, Chapter “Configuring and Managing Cluster Resources with Hawk”
(https://www.suse.com/documentation/sle-ha-12/ ).
7 Tuning
This chapter presents information about tuning SLES for SAP to work optimally with SAP
applications.
7.1 Kernel: Page-Cache Limit
Problem
The kernel swaps out rarely accessed memory pages to use freed memory pages as cache
to speed up file system operations, for example during backup operations.
SAP NetWeaver and SAP HANA use large amounts of memory for accelerated access to
business data. Parts of this memory are rarely accessed. When a user request needs to access
paged-out memory, the response time is poor. It is even worse when an SAP application
running on Java incurs a Java garbage collection: The system starts heavy page-in (disk I/O)
activity and has a poor response time for an extended period of time.
Solution
SUSE Linux Enterprise Server for SAP Applications includes a kernel tuning option that
allows the system administrator to limit the amount of page cache that the kernel uses
when there is competition between application memory and page cache. This option tells
the kernel that when the page cache is filled to the configured limit, application memory
is more important and should thus not be paged out. No pages will be paged out if the
memory footprint of the workload plus the configured page-cache limit do not exceed the
amount of physical RAM in the system.
These kernel options are available for configuration:
vm.pagecache_limit_mb ( /proc/sys/vm/pagecache_limit_mb )
vm.pagecache_limit_ignore_dirty ( /proc/sys/vm/pagecache_limit_ignore_dirty )
Tip: Use tuned to Configure These Parameters
The parameters vm.pagecache_limit_mb and
vm.pagecache_limit_ignore_dirty are also configured by the tuned profiles
delivered with the package sapconf .
For more information, see Section 7.2, “Tuning Systems with saptune”.
Important: The Following Are Example Values
The values reproduced in Example 7.1, “Permanently Setting the Page-Cache Limit” are
example values only. Do not set the following parameters on a productive system
without first trying and calibrating them on a non-productive system.
If your system does not exhibit page-cache limit issues under the workloads it is
running, there is no need to adjust these parameters.
For more information, see SAP Note 1557506: Linux Paging Improvements
(https://launchpad.support.sap.com/#/notes/1557506 ).
EXAMPLE 7.1: PERMANENTLY SETTING THE PAGE-CACHE LIMIT
For permanent use, add both parameters to /etc/sysctl.conf , for example:
vm.pagecache_limit_mb = 1024
vm.pagecache_limit_ignore_dirty = 2
7.2 Tuning Systems with saptune
Using saptune , you can tune a system for SAP NetWeaver, SAP HANA/SAP BusinessOne, and
SAP S/4HANA applications. This method relies on the system tuning service tuned .
If you used the SAP Installation Wizard to install an SAP application, tuned is usually already
active and configured with a profile for the application you installed.
If you did not use the SAP Installation Wizard to install an SAP application, make sure that the
packages tuned , saptune and sapconf are installed on your system.
7.2.1 Enabling saptune to Tune for an SAP Application
1. To tune a system, first find a tuning profile using saptune . To find the appropriate profile,
use:
tux > saptune solution list
saptune knows the following “solution” profiles:
HANA . Profile for servers hosting an SAP HANA database.
MAXDB . Profile for servers hosting a MaxDB database.
NETWEAVER . Profile for servers hosting an SAP NetWeaver application.
S4HANA-APPSERVER . Profile for servers hosting an SAP S/4HANA application.
S4HANA-DBSERVER . Profile for servers hosting the SAP HANA database of an SAP
S/4HANA installation.
Alternatively, you can tune the computer according to recommendations from specific
SAP Notes. A list of notes that you can tune for is available via:
root # saptune note list
The referenced SAP Notes are available from the SAP Web site.
The list entries starting with SUSE-GUIDE follow the recommendations made in
https://www.suse.com/communities/blog/sles-1112-os-tuning-optimisation-guide-part-1/ and
https://www.suse.com/communities/blog/sles-1112-network-cpu-tuning-optimization-part-2/ .
2. To set up saptune with a preconfigured solution, use:
root # saptune solution apply SOLUTION
To set up saptune for the recommendations of a specific SAP Note, use:
root # saptune note apply NOTE
Tip: Combining Optimizations
You can freely combine “solutions” and “notes.” Combining multiple optimizations
will never create conflicts.
3. Finally, enable the tuned profile saptune and make sure the tuned daemon is active:
root # saptune daemon start
In the background, saptune applies a tuned profile also named saptune that is dynamically
customized according to selected “solutions” and “notes”. Using tuned-adm list , you can also
see this profile.
7.2.2 Disabling saptune
To disable saptune , use one of the following ways:
Completely disable the daemon tuned :
root # systemctl disable tuned
Switch to a different tuned profile:
root # tuned-adm profile PROFILE_NAME
7.2.3 Tuning Kernel Parameters Manually Using sysctl
In addition to or instead of tuning kernel parameters using saptune , you can also use sysctl
to make manual adjustments to kernel parameters. However, such changes using sysctl do
not persist across reboots by default. To make them persist across reboots, add them to the file
/etc/sysctl.conf (or another configuration file read by sysctl ).
For more information about sysctl , see the man pages sysctl(8) , sysctl.conf(5) , and
sysctl.d(5) .
7.2.4 Legacy Profiles
The tuned profiles sap-hana and sap-netweaver from the package sapconf exist for legacy
reasons only. They have nothing to do with the saptune configuration.
7.2.5 Legacy Utility sapconf
The package sapconf contains the deprecated utility sapconf . sapconf also allows tuning
for SAP systems but is less comprehensive and offers less granularity than saptune . It will also
only apply its profiles when no other tuned profile is set.
If you previously used sapconf , the SAP Installation Wizard will offer to migrate your system
to using saptune . Additionally, enabling saptune will disable sapconf .
To disable sapconf along with the underlying daemon tuned , use:
root # systemctl disable sapconf tuned
7.2.6 For More Information
See the following man pages:
man 8 tuned-adm
man 8 saptune
Also see the project homepage https://github.com/HouzuoGuo/saptune/ .
8 Firewalling
This chapter presents information about restricting access to the system using firewalling and
encryption and gives information about connecting to the system remotely.
8.1 Configuring SuSEFirewall2
By default, the installation workflow of SUSE Linux Enterprise Server for SAP Applications
enables SuSEFirewall2. The firewall needs to be manually configured to allow network access
for the following:
SAP application
Database (see the documentation of your database vendor; for SAP HANA, see Section 8.2,
“Configuring HANA-Firewall”)
Additionally, open the ports 1128 (TCP) and 1129 (UDP).
SAP applications require many open ports and port ranges in the firewall. The exact numbers
depend on the selected instance. For more information, see the documentation provided to you
by SAP.
8.2 Configuring HANA-Firewall
To simplify setting up a firewall for SAP HANA, install the package HANA-Firewall. Whereas
standard SuSEFirewall2 allows only three zones (internal, DMZ, and external), HANA-Firewall
enables you to configure more zones to accommodate SAP HANA properly.
HANA-Firewall works by adding rule sets to your existing SuSEFirewall2 configuration.
HANA-Firewall consists of the following parts:
YaST Module SAP HANA Firewall. Allows configuring, applying, and reverting firewall rules
for SAP HANA from a graphical user interface.
Command-Line Utility hana-firewall . Allows applying and reverting the configured
firewall rules for SAP HANA.
If you prefer, you can configure the rule sets using the configuration file at
/etc/sysconfig/hana-firewall instead of using YaST.
Service hana-firewall . Ensures that configured firewall rules for SAP HANA are kept.
Important: Multi-Tenant Databases
For multi-tenant SAP HANA databases, determining the port numbers that need to be
opened is not yet possible automatically. If you are working with a multi-tenant SAP
HANA database system, before you use YaST, run a script on the command line to create
a new service definition:
root # cd /etc/hana-firewall.d
root # ./create_new_service
You need to switch to the directory /etc/hana-firewall.d , otherwise the rule file for
the new service will be created in a place where it cannot be used.
The script will ask several questions: Importantly, it will ask for TCP and UDP port ranges
that need to be opened.
Note: Install HANA-Firewall Packages
Before continuing, make sure that the packages HANA-Firewall and yast2-hana-firewall
are installed.
PROCEDURE 8.1: USING HANA-FIREWALL
1. Make sure the SAP HANA databases for which you want to configure the firewall are
correctly installed.
2. To open the appropriate YaST module, select Applications > YaST, Security and Users >
SAP HANA Firewall.
3. When you open this YaST module, it will create a configuration proposal based on the
number of installed SAP HANA instances.
Choose whether you want to accept the proposal using Yes or No.
Important: Narrow Down Settings from Proposal
The proposed settings allow all detected SAP HANA instances on all detected
network interfaces. Narrow down the proposal to secure the system further.
4. Under Global Options, activate Enable Firewall. Additionally, decide whether to Allow
Remote Shell Access (SSH).
5. Choose a network interface under Allowed Services on Network Interface.
6. Allow network services by selecting them in the list box on the left and clicking →. Remove
services by selecting them in the list box on the right and clicking ←.
To add services other than the preconfigured ones, add them using the following notation:
SERVICE_NAME:CIDR_NOTATION
For more information about the CIDR notation, see
https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing . To find out which services are
available on your system, use getent services .
7. Repeat from Step 5 for all network interfaces.
8. When you are done, click OK.
The firewall rules from HANA-Firewall will now be compiled and applied. Then, the
service hana-firewall will be restarted.
9. Finally, check whether HANA-Firewall was enabled correctly:
root # hana-firewall status
HANA firewall is active. Everything is OK.
Tip: Checking Which Firewall Rules Are Enabled
Gaining an overview of which firewall rules are enabled in the current configuration
of the script is possible using the command line:
root # hana-firewall dry-run
For more information, see the man page of hana-firewall .
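The SERVICE_NAME:CIDR_NOTATION entries from Step 6 can be pre-checked before they are added. The following is an added example, not part of HANA-Firewall or this guide: it handles IPv4 only, and SERVICES_DB, MIN_PREFIX, and all function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not part of HANA-Firewall): pre-check entries written as
# SERVICE_NAME:CIDR_NOTATION. Assumptions: IPv4 only; SERVICES_DB is a file in
# /etc/services format; MIN_PREFIX is a local policy threshold below which an
# entry is reported as too broad (it is not a HANA-Firewall setting).
SERVICES_DB=/etc/services
MIN_PREFIX=${MIN_PREFIX:-16}

# valid_ipv4_cidr A.B.C.D/N -> status 0 if the argument is well-formed.
valid_ipv4_cidr() {
    v_addr=${1%/*}
    v_prefix=${1#*/}
    # Reject arguments that do not contain exactly one slash.
    [ "$v_addr/$v_prefix" = "$1" ] || return 1
    case $v_prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$v_prefix" -le 32 ] || return 1
    case $v_addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    v_ifs=$IFS; IFS=.
    set -- $v_addr                      # split the address into octets
    IFS=$v_ifs
    [ $# -eq 4 ] || return 1
    for v_octet in "$@"; do
        case $v_octet in ????*) return 1 ;; esac
        [ "$v_octet" -le 255 ] || return 1
    done
    return 0
}

# service_known NAME -> status 0 if NAME is listed in $SERVICES_DB.
service_known() {
    awk -v n="$1" 'NF && $1 == n { hit = 1 } END { exit hit ? 0 : 1 }' \
        "$SERVICES_DB"
}

# check_entry ENTRY -> prints a verdict; status 0 = ok, 1 = invalid,
# 2 = valid but broader than /$MIN_PREFIX.
check_entry() {
    c_entry=$1
    case $c_entry in
        *:*) ;;
        *) echo "invalid: $c_entry (expected SERVICE_NAME:CIDR_NOTATION)"
           return 1 ;;
    esac
    c_name=${c_entry%%:*}
    c_cidr=${c_entry#*:}
    if ! service_known "$c_name"; then
        echo "invalid: $c_entry (unknown service $c_name)"
        return 1
    fi
    if ! valid_ipv4_cidr "$c_cidr"; then
        echo "invalid: $c_entry (malformed IPv4 CIDR)"
        return 1
    fi
    if [ "${c_cidr#*/}" -lt "$MIN_PREFIX" ]; then
        echo "broad: $c_entry (prefix shorter than /$MIN_PREFIX)"
        return 2
    fi
    echo "ok: $c_entry"
}

# Constructed sample data: a tiny services database and candidate entries.
# On a real host, leave SERVICES_DB pointing at /etc/services instead.
SERVICES_DB=$(mktemp)
trap 'rm -f "$SERVICES_DB"' EXIT
cat > "$SERVICES_DB" <<'EOF'
ssh     22/tcp
ntp     123/udp
EOF
for sample in "ssh:192.168.10.0/24" "ssh:0.0.0.0/0" \
              "ntp:10.1.2.300/24" "telnet:10.0.0.0/24"; do
    check_entry "$sample" || :
done
```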
8.3 SAProuter Integration
The SAProuter software from SAP allows proxying network traffic between different SAP
systems or between an SAP system and outside networks. SUSE Linux Enterprise Server for
SAP Applications now provides integration for SAProuter into systemd . This means that SAProuter
will be started and stopped properly with the operating system and can be controlled using
systemctl .
Before you can use this functionality, make sure the following has been installed, in this order:
An SAP application that includes SAProuter
The SAProuter systemd integration, packaged as systemd-saprouter
If you initially installed these in the wrong order, reinstall systemd-saprouter .
To control SAProuter with systemctl , use:
Enabling the SAProuter Service: systemctl enable saprouter
Starting the SAProuter Service: systemctl start saprouter
Showing the Status of SAProuter Service: systemctl status saprouter
Stopping the SAProuter Service: systemctl stop saprouter
Disabling the SAProuter Service: systemctl disable saprouter
9 Encrypting Directories Using cryptctl
cryptctl consists of two components:
A client is a machine that has one or more encrypted partitions but does not have the
necessary key to decrypt those partitions. Clients can be, for example, cloud or otherwise
hosted machines.
The server holds encryption keys that can be requested by clients to unlock encrypted
partitions.
Warning: cryptctl Server Maintenance
Since the cryptctl server holds encryption keys, it should be under your direct control
and managed only by trusted personnel.
Additionally, it should be backed up regularly. Losing the server's data means losing
access to encrypted partitions on the clients.
To handle encryption, cryptctl uses LUKS with aes-xts-256 encryption and 512-bit keys.
Encryption keys are transferred using TLS with certificate verification.
cryptctl Client: Waits for kernel notification that a disk was attached
cryptctl Client: Sends RPC request to retrieve encryption key over TCP
cryptctl Server: Listens for RPC requests
cryptctl Server: Records request in system journal
cryptctl Server: Responds to RPC request with partition key
cryptctl Client: Uses key to mount partition
FIGURE 9.1: KEY RETRIEVAL WITH cryptctl
Note: Install cryptctl
Before continuing, make sure the package cryptctl is installed on all machines you
intend to set up as servers or clients.
9.1 Setting Up a cryptctl Server
Before you can define a machine as a cryptctl client, you need to set up a machine as a
cryptctl server.
1. As root , run:
root # cryptctl init-server
2. Answer each of the following prompts and press Enter after every answer. If there is a
default answer, it is shown in square brackets at the end of the prompt.
a. Choose a password with at least 10 characters and confirm it. This password assumes
the role of a master password, able to unlock all partitions that are registered on
the server.
b. Specify the path to a PEM-encoded TLS certificate or certificate chain file or leave the
field empty to create a self-signed certificate. If you specify a path, use an absolute
path.
c. If you want the server to be identified by a host name other than the default shown,
specify a host name. cryptctl will then generate certificates which include the
host name.
d. Specify the IP address that belongs to the network interface that you want to listen
on for decryption requests from the clients, then set a port number.
If you use 0.0.0.0 as the IP address (the default), cryptctl will listen on all
network interfaces for client requests using IPv4.
e. Set a directory for the keys needed to decrypt partitions on the clients.
f. Finally, configure an SMTP server for e-mail notifications for encryption and
decryption requests or leave the prompt empty to skip setting up e-mail notifications.
Note: Password-Protected Servers
cryptctl currently cannot send e-mail using authentication-protected SMTP
servers. If that is necessary, set up a local SMTP proxy.
g. When asked whether to start the cryptctl server, enter y .
3. To check the status of the service cryptctl-server , use:
root # systemctl status cryptctl-server
To reconfigure the server later, do either of the following:
Run the command cryptctl init-server again. cryptctl will then propose the
existing settings as the defaults, so that you only need to specify the values that you want
to change.
Make changes directly in the configuration file /etc/sysconfig/cryptctl-server .
However, to avoid issues, do not change the settings AUTH_PASSWORD_HASH and
AUTH_PASSWORD_SALT manually. The values of these options need to be calculated
correctly.
9.2 Setting Up a cryptctl Client
The following interactive setup of cryptctl is currently the only setup method.
Make sure the following preconditions are fulfilled:
A cryptctl server is available over the network.
There is a directory to encrypt.
The client machine has an empty partition available that is large enough to fit the directory
to encrypt.
When using a self-signed certificate, the certificate ( *.crt file) generated on the server is
available locally on the client. Otherwise, the certificate authority of the server certificate
must be trusted by the client.
1. As root , run:
root # cryptctl encrypt
2. Answer each of the following prompts and press Enter after every answer. If there is a
default answer, it is shown in square brackets at the end of the prompt.
a. Specify the host name and port to connect to on the cryptctl server.
b. Specify the path to the server certificate (the *.crt file). Specify an absolute path.
c. Enter the encryption password that you specified when setting up the server.
d. Specify the path to the directory to encrypt. Specify the path to the empty partition
that will contain the encrypted content of the directory.
e. Specify the number of machines that are allowed to decrypt the partition
simultaneously.
Then specify the timeout in seconds before additional machines are allowed to
decrypt the partition after the last vital sign was received from the client or clients.
When a machine unexpectedly stops working and then reboots, it needs to be able to
unlock its partitions again. That means, this timeout should be set to a time slightly
shorter than the reboot time of the client.
Important: Timeout Length
If the time is set too long, the machine cannot decrypt encrypted partitions on
the first try. cryptctl will then continue to periodically check whether the
encryption key has become available. However, this will introduce a delay.
If the timeout is set too short, machines with a copy of the encrypted partition
have an increased chance of unlocking the partition first.
3. cryptctl will now encrypt the specified directory to the previously empty partition and
then mount the newly encrypted partition. The file system type will be of the same type
as the original unencrypted file system.
Before creating the encrypted partition, cryptctl moves the unencrypted content of the
original directory to a location prefixed with cryptctl-moved- .
4. To check that the directory is indeed mounted correctly, use:
tux > lsblk -o NAME,MOUNTPOINT,UUID
NAME MOUNTPOINT UUID
[...]
sdc
└─sdc1 PARTITION_UUID
└─cryptctl-unlocked-sdc1 /secret-partition UNLOCKED_UUID
cryptctl identifies the encrypted partition by its UUID. In the previous example, that
is the UUID displayed next to sdc1 .
On the server, you can check whether the directory was decrypted using cryptctl :
root # cryptctl list-keys
2016/10/10 10:00:00 ReloadDB: successfully loaded database of 1 records
Total: 1 records (date and time are in zone EDT)
Used By When UUID Max.Users Num.Users Mount Point
IP_ADDRESS 2016-10-10 10:00:00 UUID 1 1 /secret-partition
The UUID shown is that of the partition. This means you can
5. After verifying that the encrypted partition works, delete the unencrypted content, for
example, using rm . For more safety, overwrite the content of the files before deleting
them, for example, using shred -u .
Important: shred Does Not Guarantee That Data Is Completely Erased
Depending on the type of storage media, using shred is not a guarantee that all data
is completely removed. In particular, SSDs usually employ wear leveling strategies
that render shred ineffective.
The configuration for the connection from client to server is stored in
/etc/sysconfig/cryptctl-client and can be edited manually.
The server stores an encryption key for the client partition in
/var/lib/cryptctl/keydb/PARTITION_UUID .
9.3 Checking Partition Unlock Status Using Server-side Commands
When a cryptctl client is active, it will send a “heartbeat” to the cryptctl server every ten
seconds. If the server does not receive a heartbeat from the client for the length of the timeout
configured during the client setup, the server will assume that the client is offline and allow
another client to connect (or allow the same client to reconnect after a reboot).
To see the usage status of all keys, use:
root # cryptctl list-keys
The information under Num. Users shows whether the key is currently in use. To see more
detail on a single key, use:
root # cryptctl show-key UUID
This command will show information about mount point, mount options, usage options, the last
retrieval of the key and the last three heartbeats from clients.
Additionally, you can use journalctl to find logs of when keys were retrieved.
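The interaction between the heartbeat, the timeout, and the number of allowed machines (set in Section 9.2, Step 2.e) can be worked through with a small model. This is an added example and not code from cryptctl: the function names, the strict "less than" comparison at the timeout boundary, and the 30-second retry interval are assumptions.

```shell
#!/bin/sh
# Added example: a model of the server-side rule described in this chapter,
# not code from cryptctl. Times are plain seconds. Assumptions: a holder
# counts as online while its last heartbeat is less than TIMEOUT seconds old,
# and a waiting client retries every RETRY_SECS seconds.

# active_holders NOW TIMEOUT HEARTBEAT... -> prints how many holders the
# server still considers online.
active_holders() {
    a_now=$1; a_timeout=$2; shift 2
    a_count=0
    for a_hb in "$@"; do
        if [ $((a_now - a_hb)) -lt "$a_timeout" ]; then
            a_count=$((a_count + 1))
        fi
    done
    echo "$a_count"
}

# key_grantable NOW TIMEOUT MAX_USERS HEARTBEAT... -> status 0 if one more
# machine may retrieve the key at time NOW.
key_grantable() {
    k_now=$1; k_timeout=$2; k_max=$3; shift 3
    [ "$(active_holders "$k_now" "$k_timeout" "$@")" -lt "$k_max" ]
}

# unlock_delay LAST_HB REBOOT_SECS TIMEOUT RETRY_SECS -> prints how many
# seconds a crashed and rebooted client (one allowed machine) waits after
# boot until the server hands out its key again.
unlock_delay() {
    u_last=$1; u_boot=$(($1 + $2)); u_timeout=$3; u_retry=$4
    u_now=$u_boot
    until key_grantable "$u_now" "$u_timeout" 1 "$u_last"; do
        u_now=$((u_now + u_retry))
    done
    echo $((u_now - u_boot))
}

# Constructed scenario: last heartbeat at t=1000, the client needs 90 s to
# reboot, and retries every 30 s.
echo "timeout  80 s: delay after boot = $(unlock_delay 1000 90 80 30) s"
echo "timeout 300 s: delay after boot = $(unlock_delay 1000 90 300 30) s"

# Timeout too short: 10 s after the last heartbeat, a second machine holding a
# copy of the partition asks for the key while the first is merely slow.
if key_grantable 1010 10 1 1000; then
    echo "timeout  10 s: a second machine would get the key at t=1010"
fi
if ! key_grantable 1010 80 1 1000; then
    echo "timeout  80 s: a second machine is refused at t=1010"
fi
```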
9.4 Unlocking Encrypted Partitions Manually
There are two ways of unlocking a partition manually, both of which are run on a client:
Online Unlocking. Online unlocking allows circumventing timeout or user limitations.
This method can be used when there is a network connection between client and server
but the client could not (yet) unlock the partition automatically. This method will unlock
all encrypted partitions on a machine.
To use it, run cryptctl online-unlock . Be prepared to enter the password specified
when setting up the server.
Offline Unlocking. This method can be used when a client cannot or must not be brought
online to communicate with its server. The encryption key from the server must still be
available. This method is meant as a last resort only and can only unlock a single partition
at a time.
To use it, run cryptctl offline-unlock . The server's key file for the requisite partition
( /var/lib/cryptctl/keydb/PARTITION_UUID ) needs to be available on the client.
9.5 Maintenance Downtime Procedure
To ensure that partitions cannot be decrypted during a maintenance downtime, turn off the
client and disable the cryptctl server. You can do so by either:
Stopping the service cryptctl-server :
root # systemctl stop cryptctl-server
Unplugging the cryptctl server from the network.
9.6 For More Information
For more information, also see the project homepage https://github.com/HouzuoGuo/cryptctl/ .
10 Protecting Against Malware With ClamSAP
ClamSAP integrates the ClamAV anti-malware toolkit into SAP NetWeaver and SAP Mobile
Platform applications. ClamSAP is a shared library that links between ClamAV and the SAP
NetWeaver Virus Scan Interface (NW-VSI). The version of ClamSAP shipped with SUSE Linux
Enterprise Server for SAP Applications 12 SP2 supports NW-VSI version 2.0.
10.1 Installing ClamSAP
1. On the application host, install the packages for ClamAV and ClamSAP. To do so, use the
command:
tux > sudo zypper install clamav clamsap
2. Start the service clamd :
tux > sudo systemctl start clamd
3. Check the status of the service clamd with:
tux > systemctl status clamd
● clamd.service - ClamAV Antivirus Daemon
Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2017-04-11 10:33:03 UTC; 24h ago
[...]
10.2 Creating a Virus Scanner Group in SAP NetWeaver
1. Log in to the SAP NetWeaver installation through the GUI. Do not log in as a DDIC or
SAP* user, because the virus scanner needs to be configured cross-client.
2. Create a Virus Scanner Group using the transaction VSCANGROUP.
3. To switch from view mode to change mode, click the button Change View.
Confirm the message This table is cross-client by clicking the check mark. The table is now
editable.
4. Select the first empty row. In the text box Scanner Group, specify CLAMSAPVSI . Under
Group Text, specify CLAMSAP .
Make sure that Business Add-in is not checked.
5. To save the form, click the button Save.
10.3 Setting Up the ClamSAP Library in SAP NetWeaver
1. In the SAP NetWeaver GUI, call the transaction VSCAN.
2. To switch from view mode to change mode, click the button Change View.
Confirm the message This table is cross-client by clicking the check mark. The table is now
editable.
3. Click New entries.
4. Fill in the form accordingly:
Provider Type: Adapter (Virus Scan Adapter)
Provider Name: VSA_HOSTNAME (for example: VSA_SAPSERVER )
Scanner Group : The name of the scanner group that you set up in Section 10.2,
“Creating a Virus Scanner Group in SAP NetWeaver” (for example: CLAMSAPVSI )
Server: HOSTNAME_SID_INSTANCE_NUMBER (for example: SAPSERVER_P04_00 )
Adapter Path: libclamsap.so
5. To save the form, click the button Save.
10.4 Engaging ClamSAP
To run ClamSAP, go to the transaction VSCAN. Then click Start.
FIGURE 10.1: CHANGE VIEW “VIRUS SCAN PROVIDER DEFINITION”
Afterward, a summary will be displayed, including details of ClamSAP and ClamAV (shown
in Figure 10.2, “Summary of ClamSAP Data”).
FIGURE 10.2: SUMMARY OF CLAMSAP DATA
10.5 For More Information
For more information, also see the project homepage https://sourceforge.net/projects/clamsap/ .
11 Connecting via RDP
If you installed SLES for SAP with the RDP option activated or if you installed from a KIWI
image, RDP is enabled on the machine via the service xrdp . Alternatively, you can enable RDP
later as described at the end of this section.
You can connect using any software that supports RDP, such as:
Linux: Vinagre (available in SUSE Linux Enterprise Desktop/SLE Workstation Extension
and openSUSE) or Remmina (available in openSUSE)
Windows: Remote Desktop Connection
Important: Connection Parameters
Make sure to set up the connection with the following parameters:
Port: 3389
Color Depth: 16-bit or 24-bit only
PROCEDURE 11.1: SETTING UP RDP
If you have not set up an RDP connection during the installation, you can also do so later
using the following instructions.
1. First, create an exception for the firewall. Start by creating a file that sets up the port that
needs to be opened for RDP.
As root , create a new file under /etc/sysconfig/SuSEfirewall2.d/services/ with
the name xrdp and the following content:
## Name: Remote Desktop Protocol
TCP="3389"
2. Open the file /etc/sysconfig/SuSEfirewall2 and change the lines for the settings
FW_CONFIGURATIONS_EXT , FW_CONFIGURATIONS_DMZ , and FW_CONFIGURATIONS_INT to
include xrdp . If there are no other services enabled, the respective lines should read:
FW_CONFIGURATIONS_EXT="xrdp"
FW_CONFIGURATIONS_DMZ="xrdp"
FW_CONFIGURATIONS_INT="xrdp"
If there are other services, separate them within the quotes using a space character.
3. Now set up xrdp itself.
If the package xrdp is not installed, install it:
root # zypper install xrdp
4. Restart the firewall so that the new exception takes effect:
root # systemctl restart SuSEfirewall2
5. Enable and start the service:
root # systemctl enable xrdp
root # systemctl start xrdp
You can now connect to the machine.
12 Creating KIWI Images
KIWI is a tool to create operating system images that can be easily copied to new physical or
virtual machines. This chapter will present information on creating SLES for SAP images with
KIWI.
12.1 Cleaning Up an Instance Before Using It as a Master Image
Using a system like KIWI, it is possible to use an image of an already-configured master instance
on multiple systems. However, normally such an image would contain certain configuration
data that should not be copied along with the rest of the system.
To avoid needing to clean up manually, use the script clone-master-clean-up (available from
the package of the same name). It deletes the following data automatically:
Swap device (zero-wiped, then re-enabled)
SUSE registration information and repositories from SUSE
User and host SSH keys
Shell history, mails, cron jobs, temporary files, log files, random seeds
The generated HANA-Firewall script (but not the configuration itself)
Network configuration
Additionally, sudo settings are reset and you can choose to set up a new root password. This
script also ensures that, if the first-boot section of the installation workflow was used for the
original installation, it is run again on the next boot.
To use the script, do:
root # clone-master-clean-up
Then follow the instructions.
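After the cleanup, the result can be reviewed before the instance is turned into a master image. The following is an added example, not part of clone-master-clean-up: it lists files that remain in some of the categories named above (host and user SSH keys, shell history, cron jobs, mails), and the paths it searches are conventional locations assumed for the illustration.

```shell
#!/bin/sh
# Added example (not part of clone-master-clean-up): list files that are still
# present under a root directory in categories the script is meant to remove.
# Assumption: the conventional locations searched here; the function names
# leftover_secrets and image_is_clean are hypothetical.

# leftover_secrets ROOT -> prints remaining files, relative to ROOT, sorted.
leftover_secrets() {
    l_root=${1%/}
    {
        # Host SSH keys
        find "$l_root/etc/ssh" -type f -name 'ssh_host_*' 2>/dev/null || :
        # User SSH keys and shell history
        find "$l_root/root" "$l_root/home" -type f \
            \( -path '*/.ssh/*' -o -name '.*_history' \) 2>/dev/null || :
        # Cron jobs and mails
        find "$l_root/var/spool/cron" "$l_root/var/spool/mail" \
            -type f 2>/dev/null || :
    } | awk -v n="${#l_root}" '{ print substr($0, n + 1) }' | LC_ALL=C sort
}

# image_is_clean ROOT -> status 0 if leftover_secrets finds nothing.
image_is_clean() {
    [ -z "$(leftover_secrets "$1")" ]
}

# Constructed sample tree standing in for the root of an uncleaned instance.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/etc/ssh" "$DEMO_ROOT/root/.ssh" "$DEMO_ROOT/home/tux"
: > "$DEMO_ROOT/etc/ssh/ssh_host_rsa_key"
: > "$DEMO_ROOT/etc/ssh/sshd_config"          # configuration, not reported
: > "$DEMO_ROOT/root/.ssh/authorized_keys"
: > "$DEMO_ROOT/home/tux/.bash_history"

leftover_secrets "$DEMO_ROOT"
if image_is_clean "$DEMO_ROOT"; then
    echo "no leftovers found"
else
    echo "leftovers found: do not use this instance as a master image yet"
fi
```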
12.2 Creating Images with KIWI
SUSE Linux Enterprise Server for SAP Applications now supports creating images with
KIWI using the template from the package kiwi-template-sap . However, there are certain
restrictions in the current implementation:
Only building VMX disk images is supported. Building other image types is not supported.
You must provide an ISO image of SUSE Linux Enterprise Server for SAP Applications at
/tmp/SLES4SAP.iso , as the Open Build Service does not contain all necessary packages.
To build a basic image, use the following two commands:
1. Build the root file system:
root # kiwi -p SLES4SAP --root fsroot
2. Build the VMX image:
root # kiwi --create fsroot --type vmx -d build
To enable running graphical installations using SAPinst, the default settings of the image enable
the following:
Installation of an IceWM desktop
The service xrdp is started automatically, so you can connect to the machine via RDP.
For more information, see Chapter 11, Connecting via RDP.
For more information about KIWI and SLES for SAP:
On the KIWI configuration for SLES for SAP, see /usr/share/kiwi/image/SLES4SAP/README .
On KIWI in general, see the openSUSE-KIWI Image System Cookbook
(https://doc.opensuse.org/projects/kiwi/doc/ ).
13 Important Log Files
The most important files for this product are:
The SAP Installation Wizard is a YaST module. You can find its log entries in
/var/log/YaST/y2log .
All SAP knowledge is bundled in a library. You can find its log entries in
/var/log/SAPmedia.log .
You can find log files related to auto-installation in /var/adm/autoinstall/logs .
A Additional Software for SLES for SAP
SUSE Linux Enterprise Server for SAP Applications makes it easy to install software that is not
included with your subscription:
Extensions and modules allow installing additional software created and supported by
SUSE. For more information about extensions and modules, see Deployment Guide, Part
“Initial System Configuration”, Chapter “Installing Modules, Extensions, and Third Party
Add-On Products” at https://www.suse.com/documentation/sles-12/ .
SUSE Connect Program allows installing packages created and supported by third parties,
specifically for SLES for SAP. It also gives easy access to third-party trainings and support.
See Section A.1, “SUSE Connect Program”.
SUSE Package Hub allows installation of packages created by the SUSE Linux Enterprise
community without support. See Section A.2, “SUSE Package Hub”.
A.1 SUSE Connect Program
Start SUSE Connect Program from the YaST control center using SUSE Connect Program. Choose
from the available options. To enable a software repository, click Add repository.
All software enabled by SUSE Connect Program originates from third parties. For support,
contact the vendor in question. SUSE does not provide support for these offerings.
Note: SUSEConnect command-line tool
The SUSEConnect command-line tool is a separate tool with a different purpose: It allows
you to register installations of SUSE products.
A.2 SUSE Package Hub
SUSE Package Hub provides many packages for SLE that were previously only available on
openSUSE. Packages from SUSE Package Hub are created by the community and come without
support. The selection includes, for example:
The R programming language
The Haskell programming language
The KDE 5 desktop
To enable SUSE Package Hub, add the repository as described at
https://packagehub.suse.com/how-to-use/.
For more information, see the SUSE Package Hub Web site at https://packagehub.suse.com.
B Partitioning for the SAP System Using AutoYaST
Partitioning for the SAP system is controlled by the files from the directory
/usr/share/YaST2/include/sap-installation-wizard/. The following files can be used:
SAP NetWeaver or SAP S/4HANA Application Server Installation: base_partitioning.xml
SAP HANA or SAP S/4HANA Database Server Installation: hana_partitioning.xml
SAP HANA or SAP S/4HANA Database Server Installation on SAP BusinessOne-Certified
Hardware: hardware-specific partitioning file
The files will be chosen as defined in /etc/sap-installation-wizard.xml. Here, the content
of the element partitioning is decisive.
If the installation is, for example, based on HA or a distributed database, no partitioning is
needed. In this case, partitioning is set to NO and the file base_partitioning.xml is used.
Note: autoinst.xml Cannot Be Used Here
autoinst.xml is only used for the installation of the operating system. It cannot control
the partitioning for the SAP system.
The files that control partitioning are AutoYaST control files that contain a partitioning
section only. However, these files allow using several extensions to the AutoYaST format:
If the partitioning_defined tag is set to true, the partitioning will be performed
without any user interaction.
By default, this is only used when creating SAP HANA file systems on systems certified for
SAP HANA (such as from Dell, Fujitsu, HP, IBM, or Lenovo).
For every partition, you can specify the size_min tag. The size value can be given as a
string in the format RAM*N. This way you can specify the minimum size of the partition
as N times the size of the available memory (RAM).
PROCEDURE B.1: CREATING A CUSTOM SAP PARTITIONING SETUP
The steps below illustrate how to create a partitioning setup for TREX. However, creating
a partitioning setup for other applications works analogously.
1. In /usr/share/YaST2/include/sap-installation-wizard/, create a new XML file.
Name it TREX_partitioning.xml, for example.
2. Copy the content of base_partitioning.xml to your new file and adapt the new file
to your needs.
3. Finally, adapt /etc/sap-installation-wizard.xml to include your custom file. In the
listitem for TREX, insert the following line:
<partitioning>TREX_partitioning</partitioning>
Important: Do Not Edit base_partitioning.xml
Do not edit base_partitioning.xml directly. With the next update, this file will be
overwritten.
For more information about partitioning with AutoYaST, see AutoYaST Guide, Chapter
“Partitioning” (https://www.suse.com/documentation/sles-12/).
C Supplementary Media
Supplementary Media allow partners or customers to add their own tasks or workflows to the
Installation Wizard.
This is done by adding an XML file which will be part of an AutoYaST XML file. To be included
in the workflow, this file must be called product.xml.
This can be used for various types of additions, such as adding your own RPMs, running your
own scripts, setting up a cluster file system or creating your own dialogs and scripts.
C.1 product.xml
The product.xml file looks like a normal AutoYaST XML file, but with some restrictions.
The restrictions exist because only the parts of the XML that are related to the second stage of
the installation are run, as the first stage was executed before.
Both XML files (autoyast.xml and product.xml) will be merged after the media is read and
a “new” AutoYaST XML file is generated on the fly for the additional workflow.
The following areas or sections will be merged:
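<general>
  <ask-list>          1
  ...
<software>
  <post-packages>     2
  ...
<scripts>
  <chroot-scripts>    3
  <post-scripts>      4
  <init-scripts>      5
  ...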
1 see Section C.2, “Own AutoYaST Ask Dialogs”
2 see Section C.3, “Installing Additional Packages”
3 after the package installation, before the first boot
4 during the first boot of the installed system, no services running
5 during the first boot of the installed system, all services up and running
All other sections will be replaced.
For more information about customization options, see AutoYaST Guide, Chapter “Configuration
and Installation Options”, Section “Custom User Scripts”
(https://www.suse.com/documentation/sles-12/).
C.2 Own AutoYaST Ask Dialogs
For more information about the “Ask” feature of AutoYaST, see AutoYaST Guide, Chapter 4
“Configuration and Installation Options”, Section 4.33 “Ask the User for Values During Installation”
(https://www.suse.com/documentation/sles-12/).
For the Supplementary Media, you can only use dialogs within the cont stage
( <stage>cont</stage> ), which means they are executed after the first reboot.
Your file with the dialogs will be merged with the base AutoYaST XML file.
As a best practice, give your dialog a dialog number and an element number, ideally in
steps of 10. This leaves room for later additions, and the numbers can serve as targets for
jumping over a dialog or element depending on decisions. We also use this in our base dialogs,
and if you provide the right dialog number and element number, you can place your dialog
between our base dialogs.
You can store the answer to a question in a file, to use it in one of your scripts later. Be aware
that you must use the prefix /tmp/ay for this, because the Installation Wizard will copy such
files from the /tmp directory to the directory where your media data also will be copied. This
is done because the next Supplementary Media could have the same dialogs or same answer file
names and would overwrite the values saved here.
Here is an example with several options:
cont
10
What is your name?
Enter your name here
Please enter your full name within the field
/tmp/ay_q_my_name
C.3 Installing Additional Packages
You can also install RPM packages within the product.xml file. To do this, you can use the
<post-packages> element for installation in stage 2.
For more information, see AutoYaST Guide, Chapter “Configuration and Installation Options”,
Section “Installing Packages in Stage 2” (https://www.suse.com/documentation/sles-12/). An
example looks as follows:
...
<post-packages config:type="list">
  <package>yast2-cim</package>
</post-packages>
...
C.4 Example Directory for Supplementary Media
A minimal example of a Supplementary Media directory contains only a file called product.xml.
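A pre-flight check for a Supplementary Media product.xml against the rules stated in this appendix (dialogs only in the cont stage, dialog and element numbers present, answer files under the /tmp/ay prefix, only the merged sections used). This is an added example, not part of the original guide or of SUSE's tooling; the function name lint_product_xml, the constructed sample profile and the element names general, software, scripts, ask-list, post-packages, chroot-scripts, post-scripts and init-scripts are assumptions taken from the AutoYaST profile format.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.suse.com/1.0/yast2ns}"  # AutoYaST profile namespace
# Sections the appendix lists as merged (element names assumed from AutoYaST).
MERGED = {"general": {"ask-list"}, "software": {"post-packages"},
          "scripts": {"chroot-scripts", "post-scripts", "init-scripts"}}

# Constructed sample: one conforming ask dialog, one that breaks the rules,
# and a <users> section that is not among the merged ones.
SAMPLE = """<?xml version="1.0"?>
<profile xmlns="http://www.suse.com/1.0/yast2ns"
         xmlns:config="http://www.suse.com/1.0/configns">
  <general><ask-list config:type="list">
    <ask><stage>cont</stage>
      <dialog config:type="integer">20</dialog>
      <element config:type="integer">10</element>
      <question>What is your name?</question>
      <file>/tmp/ay_q_my_name</file></ask>
    <ask><stage>initial</stage>
      <question>Which SID?</question>
      <file>/tmp/sid</file></ask>
  </ask-list></general>
  <software><post-packages config:type="list">
    <package>yast2-cim</package>
  </post-packages></software>
  <users config:type="list"/>
</profile>"""

def lint_product_xml(text):
    """Return findings for a product.xml string; an empty list means clean."""
    name = lambda el: el.tag.replace(NS, "")
    findings = []
    root = ET.fromstring(text)
    for section in root:
        allowed = MERGED.get(name(section))
        if allowed is None:
            findings.append(f"<{name(section)}> is not a merged section")
            continue
        findings += [f"<{name(section)}>/<{name(c)}> is not a merged section"
                     for c in section if name(c) not in allowed]
    for ask in root.iter(NS + "ask"):
        q = ask.findtext(NS + "question", "?")
        if ask.findtext(NS + "stage") != "cont":
            findings.append(f"ask '{q}': stage must be cont")
        for key in ("dialog", "element"):
            if ask.findtext(NS + key) is None:
                findings.append(f"ask '{q}': no <{key}> number")
        path = ask.findtext(NS + "file")
        if path is not None and not path.startswith("/tmp/ay"):
            findings.append(f"ask '{q}': {path} lacks the /tmp/ay prefix")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_product_xml(SAMPLE)))
```

Run against the constructed sample, the check reports the unmerged users section and four problems with the second dialog.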
D Documentation Updates
This section contains information about documentation content changes made to the SUSE Linux
Enterprise Server for SAP Applications Guide.
This document was updated on the following dates:
Section D.1, “May 10, 2017—SLES for SAP 12 SP2 Documentation Update”
Section D.2, “December 07, 2016—SLES for SAP 12 SP2 Documentation Update”
Section D.3, “November 07, 2016—SLES for SAP 12 SP2 FCS”
Section D.4, “March 23, 2016”
Section D.5, “February 29, 2016”
Section D.6, “February 15, 2016”
Section D.7, “May 29, 2015”
Section D.8, “April 29, 2015”
Section D.9, “October 28, 2013”
D.1 May 10, 2017—SLES for SAP 12 SP2 Documentation Update
Updates were made to the following sections. The changes are explained below.
Section 1.1, “Software Components”
Added links to project Web sites (FATE#323178).
Section 1.2, “Software Repository Setup”,
Section 1.3, “Included Services”
Added information about repositories and support for extensions and modules
(bsc#1022275).
Section 6.2, “Setup”
softdog is supported but not recommended (bsc#1022511).
Section 7.2, “Tuning Systems with saptune”
Documented disabling saptune / sapconf (FATE#322069).
Chapter 10, Protecting Against Malware With ClamSAP
Added new chapter (FATE#322612).
Section A.2, “SUSE Package Hub”
Added link to official usage instructions on the Web.
D.2 December 07, 2016—SLES for SAP 12 SP2 Documentation Update
Updates were made to the following sections. The changes are explained below.
Section 2.1, “Hardware Requirements”
Clarified RAM requirements.
Chapter 6, Setting Up an SAP HANA Cluster
Added new chapter (FATE#319068).
Section 8.2, “Configuring HANA-Firewall”
Updated UI description (FATE#320376, FATE#320564).
Section 8.3, “SAProuter Integration”
Added new section (FATE#320566).
Appendix A, Additional Software for SLES for SAP
Added new appendix (FATE#320373).
Chapter 7, Tuning,
Chapter 9, Encrypting Directories Using cryptctl
Clarifications.
D.3 November 07, 2016—SLES for SAP 12 SP2 FCS
Updates were made to the following sections. The changes are explained below.
Section 1.1, “Software Components”
Updated list of components.
Section 1.2, “Software Repository Setup”
Added section (bsc#320632).
Chapter 3, Installing the Operating System, Chapter 4, Installing SAP Applications
Updated chapters to match new installation wizards. Added list of supported SAP products
(FATE#320454).
Section 4.5, “Partitioning for an SAP Application Without the SAP Installation Wizard”
Added section (bsc#929623).
Chapter 7, Tuning, Chapter 8, Firewalling, Chapter 12, Creating KIWI Images, Chapter 13, Important
Log Files
Separated former chapter Configuration into smaller chapters.
Section 7.2, “Tuning Systems with saptune”
Updated section to refer to saptune (FATE#320361, FATE#320362, FATE#320633).
Chapter 9, Encrypting Directories Using cryptctl
Added section (FATE#320367).
Chapter 11, Connecting via RDP
Added section (FATE#320363).
Appendix B, Partitioning for the SAP System Using AutoYaST
Moved parts of Section 2.6.2, “Partitioning for the SAP System (stage 2)” that related to AutoYaST
only to a new section.
D.4 March 23, 2016
Updates were made to the following sections. The changes are explained below.
Section 1.1.3.1, “SAPHana Resource Agent”
Clarify wording.
Section 3.3, “Using an External AutoYaST Profile”
Clarify support status of AutoYaST (https://bugzilla.suse.com/show_bug.cgi?id=969341).
D.5 February 29, 2016
Updates were made to the following sections. The changes are explained below.
Section 12.1, “Cleaning Up an Instance Before Using It as a Master Image”
Add new section.
Section 12.2, “Creating Images with KIWI”
Add new section.
Section 2.2, “Downloading the Installation Image”
Clarify that only DVD 1 is necessary for installation (doccomment#30069).
Other updates
Other corrections and small language updates.
D.6 February 15, 2016
Updates were made to the following sections. The changes are explained below.
Updates to the Structure of the Guide
Improve organization of the guide by updating its structure. Chapter 2, Planning the
Installation, Chapter 4, Installing SAP Applications, Configuring SUSE Linux Enterprise Server for
SAP Applications, and Chapter 5, Setting Up an Installation Server for SAP Media Sets are now
chapters instead of sections.
Appendix C, Supplementary Media is now an appendix instead of section.
Section 2.6, “Partitioning” is now a section within Chapter 2, Planning the Installation instead
of a chapter.
Merge Section 1.1, “Software Components” and Chapter 5, “SUSE Linux Enterprise Server for
SAP Applications Components”.
Move Section 3.2, “Using SLES for SAP Media from the Network” from Chapter 3, “Remote
Installation from a Network Server” to Chapter 3, Installing the Operating System.
Move Section 2.5, “Required Data for Installing” from Chapter 3, Installing the Operating System
to Chapter 2, Planning the Installation.
Move certain information from Section 1.1.4, “Installation Workflow” to Section 2.4, “Overview
of the Installation Workflow”.
Chapter 1, What Is SUSE Linux Enterprise Server for SAP Applications?
Add figure.
Section 1.1.3, “Simplified SAP HANA System Replication Setup”
Add information on supported scenarios.
Section 1.1.6, “Malware Protection with ClamSAP”
Mention added support for NW-VSI 2.0.
Section 1.1.7, “SAP HANA Security”
Add new section.
Section 1.1.8, “Simplified Operations Management”
Add new section.
Section 3.1, “Using the Installation Workflow”
Remove outdated installation options. Update Installation Workflow.
Section 3.3, “Using an External AutoYaST Profile”
Remove information that was duplicated.
Chapter 4, Installing SAP Applications
Update Installation Workflow.
Section 8.2, “Configuring HANA-Firewall”
Add new section.
Section 7.2, “Tuning Systems with saptune”
Add new section.
D.7 May 29, 2015
Updates were made to the following sections. The changes are explained below.
Section 1.1, “Software Components”
Add more information on SUSE Linux Enterprise High Availability Extension.
There are also White Papers about SUSE Linux Enterprise High Availability Extension and
SUSE Linux Enterprise Server for SAP Applications.
Chapter 2, Planning the Installation
Provide ISO image download URL.
Section 2.2, “Booting the Installation Medium”
The package scope of the SLES for SAP Applications — Installation is identical to a default
SUSE Linux Enterprise Server installation.
Section 2.3, “SLES for SAP — Installation”
Add note about pre-selected packages in case of registration at this stage of the installation.
Section 2.4.3.5, “Registration”
Add note about pre-selected packages in case of registration at this stage of the installation.
Chapter 4, Installing SAP Applications
Rewrite remote location specification.
Section 2.6, “Partitioning”
SAP HANA requires 2 GB of swap.
Section 1.1.3, “Simplified SAP HANA System Replication Setup”
Address SAP HANA System Replication (https://bugzilla.suse.com/show_bug.cgi?id=929626).
Section 1.1.7.2, “Hardening Guide for SAP HANA”
New section (https://bugzilla.suse.com/show_bug.cgi?id=929625).
D.8 April 29, 2015
Updates were made to the following sections. The changes are explained below.
General
Replace SUSE Linux Enterprise Server 11 references with SUSE Linux Enterprise Server 12
everywhere, and adjust the text according to the new installation flow.
About This Guide
Update feedback information.
Section 3.3, “Using an External AutoYaST Profile”
Add note about loading an external profile via HTTP
(https://bugzilla.suse.com/show_bug.cgi?id=925747).
D.9 October 28, 2013
Updates were made to the following sections. The changes are explained below.
Chapter 3, Installing the Operating System
Update “Hardware Requirements”, “Hard Disk” space, and adjust the following text
accordingly.
Section 2.6, “Partitioning”
New chapter.
Appendix D, Documentation Updates
New appendix.