nfs://server/path1
sap
nfs://server/path3
supplement
PASSWORD
SID
INSTANCE_NUMBER
no
Partitioning for an SAP Application Without the SAP Installation Wizard SLES for SAP 12
43 SP4
The sapMDC element is only applicable to SAP HANA.
The sapVirtHostname element must be specified for distributed or highly available in-
stallations.
For a full SAP HANA example, including partitioning, see /usr/share/doc/packages/sap-
installation-wizard/hana-autoyast.xml .
4.6.2 SAP NetWeaver Installation
For SAP NetWeaver, the following example shows how the installation can be automated. Specif-
ically, this example is tailored to installing ASCS Instance of an SAP NetWeaver 7.5 ABAP Server
distributed system with MaxDB (product ID NW_ABAP_ASCS:NW750.ADA.ABAP ). When installing
other products based on SAP NetWeaver, not all of the following variables may be necessary or
these variables might need to be replaced by others:
The master password for the SAP NetWeaver instance: MASTER_PASSWORD
The SAP Identifier (SID): SID
The SAP kernel: KERNEL
The SAP instance number: INSTANCE_NUMBER
The ASCS virtual host name: ASCS_VIRTUAL_HOSTNAME
The SCS virtual host name: SCS_VIRTUAL_HOSTNAME
nfs://SERVER/PATH1
sap
nfs://SERVER/PATH2
sap
44 SAP NetWeaver Installation SLES for SAP 12 SP4nfs://SERVER/PATH3
supplement
NW_ABAP_ASCS:NW750.ADA.ABAP
adm user. Provided value
# may be encoded.
DiagnosticsAgent.dasidAdmPassword =
# Windows domain in which the Diagnostics Agent users must be created.
# The property is Microsoft Windows only. This is an optional property.
DiagnosticsAgent.domain =
# Password for the Diagnostics Agent specific SAPService user.
# Provided value may be encoded.
# The property is Microsoft Windows only.
DiagnosticsAgent.sapServiceDASIDPassword =
NW_GetMasterPassword.masterPwd = MASTER_PASSWORD
# Human readable form of the Default Login language - valid names are stored
# in a table of the subcomponent NW_languagesInLoadChecks. Used when freshly
# installing an ABAP stack for the machine that performs an ABAP load (in the
# case of a distributed system, that is the database, otherwise it is used by
# the normal installer). The available languages must be declared in the
# LANGUAGES_IN_LOAD parameter of the product.xml . In this file, the one
# character representation of the languages is used. Check the same table in
# the subcomponent mentioned above.
NW_GetSidNoProfiles.SAP_GUI_DEFAULT_LANGUAGE =
# The drive to use (Windows only)
NW_GetSidNoProfiles.sapdrive =
# The /sapmnt path (Unix only)
NW_GetSidNoProfiles.sapmnt = /sapmnt
# The SAP System ID of the system to install
NW_GetSidNoProfiles.sid = SID
# Will this system be unicode system?
NW_GetSidNoProfiles.unicode = true
NW_SAPCrypto.SAPCryptoFile = /data/SAP_CDs/745-UKERNEL-SAP-Unicode-Kernel-745/DBINDEP/
SAPEXE.SAR
45 SAP NetWeaver Installation SLES for SAP 12 SP4NW_SCS_Instance.ascsInstanceNumber =
NW_SCS_Instance.ascsVirtualHostname = ASCS_VIRTUAL_HOSTNAME
NW_SCS_Instance.instanceNumber = INSTANCE_NUMBER
NW_SCS_Instance.scsInstanceNumber =
NW_SCS_Instance.scsMSPort =
NW_SCS_Instance.scsVirtualHostname = SCS_VIRTUAL_HOSTNAME
NW_System.installSAPHostAgent = true
NW_Unpack.igsExeSar =
NW_Unpack.igsHelperSar =
NW_Unpack.sapExeDbSar =
NW_Unpack.sapExeSar =
NW_Unpack.sapJvmSar =
NW_Unpack.xs2Sar =
NW_adaptProfile.templateFiles =
# The FQDN of the system.
NW_getFQDN.FQDN =
# Do we want to set the FQDN for the system?
NW_getFQDN.setFQDN = false
# The path to the JCE policy archive to install into the Java home directory
# if it is not already installed.
NW_getJavaHome.jcePolicyArchive =
hostAgent.domain =
# Password for the SAP Host Agent specific sapadm user. Provided value may be
# encoded.
hostAgent.sapAdmPassword = MASTER_PASSWORD
nwUsers.sapDomain =
nwUsers.sapServiceSIDPassword =
46 SAP NetWeaver Installation SLES for SAP 12 SP4nwUsers.sidadmPassword =
]]>
47 SAP NetWeaver Installation SLES for SAP 12 SP45 Setting Up an Installation Server for SAP Media Sets
Using the SAP Installation Wizard, it is possible to copy the SAP media sets from a remote server
(for example, via NFS or SMB). However, using the option provided there means that you need
to install the product at the same time. Additionally, it does not allow for copying all SAP media
used in your organization to a single server.
However, you can easily create such a server on your own. For example, to put the SAP media
sets on an NFS Server, proceed as follows:
PROCEDURE 5.1: ADDING SAP PRODUCT INSTALLATION FILES TO AN NFS SERVER
1. On your installation server, create the directory /srv/www/htdocs/sap_repo .
2. Open the le /etc/exports and add the following:
/srv/www/htdocs/sap_repo *(ro,no_root_squash,sync,no_subtree_check,insecure)
Important: Executable Rights Must Be Visible
Clients must be able to see which les are executable. Otherwise, SUSE''s SAP In-
stallation Wizard will not be able to execute the SAP Installer.
3. In /srv/www/htdocs/sap_repo , create a directory for every SAP medium you have. Give
these directories speaking names, so you can identify them later on. For example, you
could use names like kernel , java , or hana .
4. Copy the contents of each SAP medium to the corresponding directory with cp -a .
Important: Avoid Using Windows* Operating Systems for
Copying
Using Windows operating system for copying or copying from/to Windows le sys-
tems like NTFS can break permission settings and capitalization of les and direc-
tories.
You can now install from the NFS server you set up. In the SAP Installation Wizard, specify the
path this way: server_name/srv/www/htdocs/sap_repo . For more information about speci-
fying the path, see Table 4.1, “Media Source Path”.
48 SLES for SAP 12 SP4For information about setting up an NFS server from scratch, see Administration Guide, Part
“Services”, Chapter “Sharing File Systems with NFS”, Section “Installing NFS Server” (https://
www.suse.com/documentation/sles-12/ ).
For information about installing SUSE Linux Enterprise Server from an NFS server, see De-
ployment Guide, Chapter “Remote Installation”, Section “Setting Up an NFS Repository Manually”
(https://www.suse.com/documentation/sles-12/ ).
49 SLES for SAP 12 SP46 Setting Up an SAP HANA Cluster
You can use a YaST wizard to set up SAP HANA or SAP S/4HANA Database Server clusters
according to best practices, including SAP HANA system replication. A summary of the setup
options is given in Section 1.1.3, “Simplified SAP HANA System Replication Setup”.
The following Best Practices from the SUSE Linux Enterprise Server for SAP Applications Re-
source Library (https://www.suse.com/products/sles-for-sap/resource-library/ ) contain setup
instructions:
Performance-optimized scenario and multi-tier/chained scenario: Setting up a SAP HANA
SR Performance Optimized Infrastructure
Cost-optimized scenario: Setting up a SAP HANA SR Cost Optimized Infrastructure
Important: Wizard Can Only Be Used for Initial Configuration
The YaST wizard described in the following can only be used for the initial cluster con-
figuration.
To reconfigure a cluster, use the separate YaST module Cluster (available from pack-
age yast2-cluster ). For more information about its usage, see Administration Guide,
Part “Installation, Setup and Upgrade”, Chapter “Using the YaST Cluster Module” at https://
www.suse.com/documentation/sle-ha-12/ .
Important: Not Suitable for Cloud Deployments
The instructions in the following sections are suitable for deployments on physical ma-
chines. They are not intended for cloud-based deployments.
6.1 Prerequisites
The following procedure has prerequisites:
Two machines which both have an SAP HANA installation created by the SAP Installation
Wizard or SAP HANA Application Lifecycle Management. Both machines need to be on
the same L2 network (subnet).
50 Prerequisites SLES for SAP 12 SP4In the case of a multi-tier/chained scenario, there must also be a third machine elsewhere.
The machines are not yet set up as a high-availability cluster.
openSSH is running on both machines and the nodes can reach each other via SSH. How-
ever, if that has not already happened, the wizard will perform the SSH key exchange itself.
For more information about SSH, see Security Guide, Part “Network Security”, Chapter “SSH:
Secure Network Operations” at https://www.suse.com/documentation/sles-12/ .
A disk device that is available to both nodes under the same path for SBD. It must not
use host-based RAID, cLVM2 or reside on a DRBD instance. The device can have a small
size, for example, 100 MB.
You have created either:
A key in the SAP HANA Secure User Store on the primary node
An initial SAP HANA backup on the primary node
The package yast2-sap-ha is installed on both the primary and the secondary node.
HANA-Firewall is set up on both computers with the rules HANA_HIGH_AVAILABILITY and
HANA_SYSTEM_REPLICATION on all relevant network interfaces.
For information about setting up HANA-Firewall, see Section 8.2, “Configuring HANA-Firewall”.
Cost-optimized scenario only: The secondary node has a second SAP HANA installation. The
database may be running but will be stopped automatically by the wizard.
Cost-optimized scenario only: For the non-production SAP HANA instance, you have created
an SAP HANA Secure User Store key QASSAPDBCTRL for monitoring purposes. For more
information, see SAP HANA SR Cost Optimized Scenario, Chapter “Installing the SAP HANA
Databases on both cluster nodes”, Section “Postinstallation configuration”, Section “Install the
non-productive SAP HANA database (QAS)” at https://www.suse.com/products/sles-for-sap/
resource-library/ .
6.2 Setup
The following procedure needs to be executed on the primary node (also called the “mas-
ter”). Before proceeding, make sure the prerequisites listed in Section 6.1, “Prerequisites” are
fulfilled.
51 Setup SLES for SAP 12 SP41. Open the YaST control center. In it, click HA Setup for SAP Products in the category High
Availability.
2. If an SAP HANA instance has been detected, you can choose between the scale-up scenarios
Performance-optimized, Cost-optimized, or Chained (multi-tier). For information about these
scale-up scenarios, see Section 1.1.3, “Simplified SAP HANA System Replication Setup”.
Continue with Next.
3. This step of the wizard presents a list of prerequisites for the chosen scale-up scenario.
These prerequisites are the same as those presented in Section 6.1, “Prerequisites”.
Continue with Next.
4. The next step lets you configure the communication layer of your cluster.
Provide a name for the cluster.
The default transport mode Unicast is usually appropriate.
Under Number of rings, a single communication ring usually suffices.
For redundancy, it is often better to use network interface bonding instead of
multiple communication rings. For more information, see Administration Guide,
Part “Configuration and Administration”, Chapter “Network Device Bonding” at https://
www.suse.com/documentation/sle-ha-12/ .
From the list of communication rings, configure each enabled ring. To do so, click
Edit selected, then select a network mask (IP address) and a port (Port number) to
communicate over.
52 Setup SLES for SAP 12 SP4Finish with OK.
Additionally, decide whether to enable the configuration synchronization service
Csync2 and Corosync secure authentication using HMAC/SHA1.
For more information about Csync2, see Administration Guide Part “Installation, Setup
and Upgrade”, Chapter “Using the YaST Cluster Module”, Section “Transferring the Con-
figuration to All Nodes” at https://www.suse.com/documentation/sle-ha-12/ .
For more information about Corosync secure authentication, see Administration
Guide, Part “Installation, Setup and Upgrade”, Chapter “Using the YaST Cluster Module”,
Section “Defining Authentication Settings” at https://www.suse.com/documentation/sle-
ha-12/ .
Proceed with Next.
5. The wizard will now check whether it can connect to the secondary machine using SSH.
If it can, it will ask for the root password to the machine.
Enter the root password.
The next time, the primary machine needs to connect to the secondary machine, it will
connect using an SSH certificate instead of a password.
6. For both machines, set up the host names and IP address (for each ring).
Host names chosen here are independent from the virtual host names chosen in SAP HANA.
However, to avoid issues with SAP HANA, host names must not include hyphen characters
( - ).
53 Setup SLES for SAP 12 SP4If this has not already been done before, such as during the initial installation of SAP
HANA, host names of all cluster servers must now be added to the le /etc/hosts . For
this purpose, activate Append to /etc/hosts.
Proceed with Next.
7. If NTP is not yet set up, do so. This avoids the two machines from running into issues
because of time differences.
a. Click Reconfigure.
b. On the tab General Settings, activate Now and on Boot.
c. Add a time server by clicking Add. Click Server and Next. Then specify the IP address
of a time server outside of the cluster. Test the connection to the server by clicking
Test.
To use a public time server, click Select Public server and select a time server. Finish
with OK.
Proceed with OK.
d. On the tab Security Settings, activate Open Port in Firewall.
e. Proceed with Next.
8. In the next step, choose fencing options. The YaST wizard only supports the fencing mech-
anism SBD (STONITH block device). To avoid split-brain situations, SBD uses a disk device
which stores cluster state.
The chosen disk must be available from all machines in the cluster under the same path.
Ideally, use either by-uuid or by-path for identification.
The disk must not use host-based RAID, cLVM2 or reside on a DRBD instance. The device
can have a small size, for example, 100 MB.
Warning: Data on Device Will Be Lost
All data on the chosen SBD device or devices will be deleted.
To define a device to use, click Add, then choose an identification method such as by-uuid
and select the appropriate device. Click OK.
To define additional SBD command-line parameters, add them to SBD options.
If your machines reboot particularly fast, activate Delay SBD start.
54 Setup SLES for SAP 12 SP4For more information about fencing, see the Administration Guide at https://www.suse.com/
documentation/sle-ha-12/ .
Proceed with Next.
9. The following page allows configuring watchdogs which protect against the failure of the
SBD daemon itself and force a reboot of the machine in such a case.
It also lists watchdogs already configured using YaST and watchdogs that are currently
loaded (as detected by lsmod ).
To configure a watchdog, use Add. Then choose the correct watchdog for your hardware
and leave the dialog with OK.
For testing, you can use the watchdog softdog . However, we highly recommend using a
hardware watchdog in production environments instead of softdog . For more informa-
tion about selecting watchdogs, see Administration Guide, Part “Storage and Data Replica-
tion”, Chapter “Storage Protection”, Section “Conceptual Overview”, Section “Setting Up Stor-
age-based Protection”, Section “Setting up the Watchdog” at https://www.suse.com/documen-
tation/sle-ha-12/ .
Proceed with Next.
10. Set up the parameters for your SAP HANA installation or installations. If you have selected
the cost-optimized scenario, additionally, ll out details related to the non-production SAP
HANA instance.
Production SAP HANA Instance
Make sure that the System ID and Instance number match those of your SAP
HANA configuration.
Replication mode and Operation mode usually do not need to be changed.
For more information about these parameters, see the HANA Administration
Guide provided to you by SAP.
Under Virtual IP address, specify a virtual IP address for the primary SAP HANA
instance. Under Virtual IP Mask, set the length of the subnetwork mask in CIDR
format to be applied to the Virtual IP address.
Prefer site takeover defines whether the secondary instance should take over the
job of the primary instance automatically (true). Alternatively, the cluster will
restart SAP HANA on the primary machine.
55 Setup SLES for SAP 12 SP4Automatic registration determines whether primary and secondary machine
should switch roles after a takeover.
Specify the site names for the production SAP HANA instance on the two nodes
in Site name 1 and Site name 2.
Having a backup of the database is a precondition for setting up SAP HANA
replication.
If you have not previously created a backup, activate Create initial backup. Un-
der Backup settings, configure the File name and the Secure store key for the
backup. The key in the SAP HANA Secure User Store on the primary node must
have been created before starting the wizard.
For more information, see the documentation provided to you by SAP.
Cost-optimized scenario only: Within Production system constraints, configure how
the production instance of SAP HANA should behave while inactive on the
secondary node.
Setting the Global allocation limit allows directly limiting memory usage. Acti-
vating Preload column tables will increase memory usage.
For information about the necessary global allocation limit, see documentation
provided to you by SAP such as How to Perform System Replication for SAP HANA
at https://archive.sap.com/documents/docs/DOC-47702 .
Cost-optimized Scenario Only: Non-production SAP HANA Instance
Make sure that the System ID and Instance number match those of your non-
production SAP HANA instance.
These parameters are needed to allow monitoring the status of the non-produc-
tion SAP HANA instance using the SAPInstance resource agent.
Generate a hook script for stopping the non-production instance and starting
the production instance and removing the constraints on the production system.
The script is written in Python 2 and can be modified as necessary later.
Click Hook script and then set up the correct user name and password for the
database. Then click OK.
You can now manually verify and change the details of the generated hook
script. When you are done, click OK to save the hook script at /hana/shared/
SID/srHook .
56 Setup SLES for SAP 12 SP4Warning: Passwords Stored in Plain Text
By default, the hook script stores all credentials in plain text. To improve
security, modify the script yourself.
Proceed with Next.
FIGURE 6.1: SAP HANA OPTIONS (COST-OPTIMIZED SCENARIO)
11. On the page High-Availability Configuration Overview, check that the setup is correct.
To change any of the configuration details, return to the appropriate wizard page by click-
ing one of the underlined headlines.
Proceed with Install.
12. When asked whether to install additional software, confirm with Install.
13. After the setup is done, there is a screen showing a log of the cluster setup.
To be able to reuse the configuration le for an unattended installation, click Save configu-
ration. (For more details about unattended cluster installations, see Section 6.3, “Unattended
Installation of Cluster Servers”.)
To close the dialog, click Finish.
14. Multi-tier/chain scenario only: Using the administrative user account for the production
SAP HANA instance, register the out-of-cluster node for system replication:
SIDadm > hdbnsutil -sr_register --remoteHost=SECONDARY_HOST_NAME \
57 Setup SLES for SAP 12 SP4--remoteInstance=INSTANCE_NUMBER --replicationMode=async \
--name=SITE_NAME
6.3 Unattended Installation of Cluster Servers
On bare-metal servers, you can run the YaST module HA Setup for SAP Products in an unattended
mode to speed up the time it takes to configure additional servers with the same configuration.
As a prerequisite, you need a configuration le from a previous run of the YaST wizard HA Setup
for SAP Products.
1. Copy the configuration le to the target machine.
2. Validate the configuration le:
root # yast2 sap_ha readconfig CONFIGURATION_FILE_PATH
3. Import, validate, and install the cluster unattendedly:
root # yast2 sap_ha readconfig CONFIGURATION_FILE_PATH unattended
6.4 Using Hawk
After you have set up the cluster using the wizard, you can open Hawk. directly from the last
screen of the HA Setup for SAP Products wizard.
To revisit Hawk, open a browser and as the URL, enter the IP address or host name of any cluster
node running the Hawk Web service. Alternatively, enter the virtual IP address you configured
in Section 6.2, “Setup”.
https://HAWKSERVER:7630/
On the Hawk login screen, use the following login credentials:
Username: hacluster
Password: linux
58 Unattended Installation of Cluster Servers SLES for SAP 12 SP4Important: Secure Password
Replace the default password with a secure one as soon as possible:
root # passwd hacluster
For more information about Hawk, see Administration Guide, Part “Configuration and Administra-
tion”, Chapter “Configuring and Managing Cluster Resources with Hawk” (https://www.suse.com/
documentation/sle-ha-12/ ).
59 Using Hawk SLES for SAP 12 SP47 Tuning
This chapter presents information about tuning SLES for SAP to work optimally with SAP ap-
plications.
Note: Choosing between sapconf and saptune
On SUSE Linux Enterprise Server for SAP Applications you have the choice between sap-
conf and saptune . However, saptune is the more elaborate tool that offers more fea-
tures.
7.1 Kernel: Page-Cache Limit
Problem
The kernel swaps out rarely accessed memory pages to use freed memory pages as cache
to speed up le system operations, for example during backup operations.
SAP NetWeaver and SAP HANA use large amounts of memory for accelerated access to
business data. Parts of this memory are rarely accessed. When a user request needs to access
paged-out memory, the response time is poor. It is even worse when an SAP application
running on Java incurs a Java garbage collection: The system starts heavy page-in (disk I/
O) activity and has a poor response time for an extended period of time.
Solution
SUSE Linux Enterprise Server for SAP Applications includes a kernel tuning option that
allows the system administrator to limit the amount of page cache that the kernel uses
when there is competition between application memory and page cache. This option tells
the kernel that when the page cache is lled to the configured limit, application memory
is more important and should thus not be paged out. No pages will be paged out if the
memory footprint of the workload plus the configured page-cache limit do not exceed the
amount of physical RAM in the system.
These kernel options are available for configuration:
vm.pagecache_limit_mb ( /proc/sys/vm/pagecache_limit_mb )
vm.pagecache_limit_ignore_dirty ( /proc/sys/vm/pagecache_limit_ig-
nore_dirty )
60 Kernel: Page-Cache Limit SLES for SAP 12 SP4Tip: Use sapconf to Configure Parameters
The parameters vm.pagecache_limit_mb and vm.pagecache_limit_ig-
nore_dirty are also configured by the tuned profiles delivered with sapconf .
For more information, see Section 7.2, “Tuning Systems with sapconf”.
Important: The Following Are Example Values
The values reproduced in Example 7.1, “Permanently Setting the Page-Cache Limit” are
example values only. Do not set the following parameters on a productive system
without rst trying and calibrating them on a non-productive system.
If your system does not exhibit page-cache limit issues under the workloads it is
running, there is no need to adjust these parameters.
For more information, see SAP Note 1557506: Linux Paging Improvements (https://
launchpad.support.sap.com/#/notes/1557506 ).
EXAMPLE 7.1: PERMANENTLY SETTING THE PAGE-CACHE LIMIT
For permanent use, add both parameters to /etc/sysctl.conf , for example:
vm.pagecache_limit_mb = 1024
vm.pagecache_limit_ignore_dirty = 2
7.2 Tuning Systems with sapconf
The package sapconf contains the tuned profile sap-netweaver . This single tuning profile
sets recommended parameters for SAP applications, in particular SAP NetWeaver, SAP HANA,
and SAP HANA-based applications.
sapconf consists of two primary parts:
A systemd service that ensures tuned and related services are running and the sap-
netweaver profile is applied.
The tuned profile sap-netweaver that applies configured sapconf tuning parameters
using a script and configuration les.
(The profile sap-hana is currently identical to sap-netweaver . sapconf additionally
includes the profiles sap-ase and sap-bobj which are currently not recommended for
use.)
61 Tuning Systems with sapconf SLES for SAP 12 SP4To use sapconf , install the package sapconf on your system.
Note: sapconf Utility
The command-line utility sapconf is still available in SUSE Linux Enterprise Server for
SAP Applications 12 SP4. However, it is no longer the preferred utility to control sap-
conf .
Starting with SUSE Linux Enterprise Server for SAP Applications 15, the utility sapconf
is not included in the package sapconf anymore.
Note: Unified Profiles in SUSE Linux Enterprise Server for SAP
Applications 15
In SUSE Linux Enterprise Server for SAP Applications 15 and up, only a single tuned
profile, sapconf , is shipped. It is equivalent to the profiles sap-hana / sap-netweaver
(both profiles are identical) that are shipped with sapconf in SUSE Linux Enterprise
Server for SAP Applications 12 SP4.
7.2.1 Enabling and Disabling sapconf and Viewing Its Status
After the installation of sapconf , tuned is enabled and the sap-netweaver profile is activated.
However, if another tuned profile is already enabled, sapconf will not enable its own tuned
profile. If you previously made other changes to system tuning, these may be overridden by the
profile of sapconf .
To make sure sapconf applies all tuning parameters, reboot the machine after installation.
You can inspect or change the status of sapconf as described in the following:
To see the status of the service sapconf :
root # systemctl status sapconf
The service should be displayed as active (exited), as it is only responsible for starting
tuned and will exit afterward.
To start the service sapconf and with it the service tuned :
root # systemctl start sapconf
62 Enabling and Disabling sapconf and Viewing Its Status SLES for SAP 12 SP4Should sapconf be disabled, enable and start it with:
root # systemctl enable --now sapconf
To stop the service sapconf and with it the service tuned :
root # systemctl stop sapconf
As tuned is also terminated at that point, the vast majority of optimizations which do not
require a system reboot to disable are disabled immediately.
To disable sapconf , use:
root # systemctl disable sapconf
If you have not specifically enabled any of the services that sapconf depends on yourself,
this will also disable most tuning parameters and all services used by sapconf .
Similarly, you can inspect and change the status of the underlying service tuned :
To see the status of the service tuned :
root # systemctl status tuned
To see which tuned profile is currently in use:
root # tuned-adm active
If this command does not return the name of the currently active profile as sap-
netweaver , enable that profile:
root # tuned-adm profile sap-netweaver
63 Enabling and Disabling sapconf and Viewing Its Status SLES for SAP 12 SP4Tip: Additional Services that sapconf Relies On
In addition to the sapconf service itself and the tuned service, sapconf also relies on
the following two services:
sysstat collects data on system activity.
uuidd which generates time-based UUIDs that are guaranteed to be unique even
in settings where many processor cores are involved. This is necessary for SAP ap-
plications.
7.2.2 Configuring sapconf
In general, the default configuration of sapconf already uses the parameter values recommend-
ed by SAP. However, if you have special needs, you can configure the tool to better suit those.
The configuration of sapconf is split in two parts that can be configured in different ways:
/usr/lib/tuned/sap-netweaver/tuned.conf
This le contains basic parameters. It also calls the script.sh from the same directory.
To configure parameters from this le, copy it to the custom profile directory of tuned
under /etc/tuned rst and then change values in it. If you change the le in place instead,
you will lose the changes you make on the next update of the sapconf package.
Configure the le as described in the following:
PROCEDURE 7.1:
1. Create a new custom tuned profile directory and copy the le tuned.conf :
root # mkdir /etc/tuned/sap-netweaver
root # cp /usr/lib/tuned/sap-netweaver/tuned.conf /etc/tuned/sap-netweaver/
2. Within the newly copied tuned.conf , x the reference to script.sh to use an
absolute path that points to the script from the original profile:
script = /usr/lib/tuned/sap-netweaver/script.sh
Do not instead copy script.sh , as that provokes update compatibility issues for
sapconf .
3. Edit the parameters in /etc/tuned/sap-netweaver/tuned.conf .
64 Configuring sapconf SLES for SAP 12 SP4After each update to sapconf , make sure to compare the contents of the original and the
custom tuned.conf .
Log messages related to this le are written to /var/log/tuned/tuned.log .
/etc/sysconfig/sapconf
This le contains most parameters of sapconf . The parameters from this le are applied
using the aforementioned script /usr/lib/tuned/sap-netweaver/script.sh .
This le can be edited directly. All parameters in this le are explained by means of com-
ments and references to SAP Notes which can be viewed at https://launchpad.support.s-
ap.com/ .
When sapconf is updated, all customized parameters from this le will be preserved as
much as possible. However, sometimes parameters cannot be transferred cleanly to the
new configuration le. Therefore, after updating it is advisable to check the difference
between the previous custom configuration which during the update is moved to /etc/
sysconfig/sapconf.rpmsave and the new version at /etc/sysconfig/sapconf .
Log messages related to this le are written to /var/log/sapconf.log .
When editing either of these les, you will nd that some values are commented by means of
a # character at the beginning of the line. This means that while the parameter is relevant for
tuning, there is no suitable default for it.
Conversely, you can add # characters to the beginning of the line to comment specific parame-
ters. However, you should avoid this practice, as it can lead to sapconf not properly applying
the profile.
To apply edited configuration, restart sapconf :
root # systemctl restart sapconf
Confirming that a certain parameter value was applied correctly works differently for different
parameters. Hence, the following serves as an example only:
EXAMPLE 7.2: CHECKING PARAMETERS
To confirm that the setting for TCP_SLOW_START was applied, do the following:
View the log le of sapconf to see whether it applied the value. Within /var/log/
sapconf.log , check for a line containing this text:
Change net.ipv4.tcp_slow_start_after_idle from 1 to 0
65 Configuring sapconf SLES for SAP 12 SP4Alternatively, the parameter may have already been set correctly before sapconf
was started. In this case, sapconf will not change its value:
Leaving net.ipv4.tcp_slow_start_after_idle unchanged at 1
The underlying option behind TCP_SLOW_START can be manually configured at
/proc/sys/net.ipv4.tcp_slow_start_after_idle . To check its actual current
value, use:
root # sysctl net.ipv4.tcp_slow_start_after_idle
7.2.3 Removing sapconf
To remove sapconf from a system, uninstall its package with:
root # zypper rm sapconf
Note that when doing this, dependencies of sapconf will remain installed. However, the ser-
vices sysstat and tuned will go into a disabled state. If either is still relevant to you, make
sure to enable it again.
Certain parameters and les are not removed when sapconf is uninstalled. For more informa-
tion, see the man page man 7 sapconf , section PACKAGE REQUIREMENTS.
7.2.4 For More Information
The following man pages provide additional information about sapconf :
High-level overview of tuning parameters used by sapconf : man 7 tuned-pro-
files-sapconf
Detailed description of all tuning parameters set by sapconf : man 5 sapconf
Information about configuring and customizing the sapconf profile: man 7 sapconf
Also see the blog series detailing the updated version of sapconf at https://www.suse.com/c/
a-new-sapconf-is-available/ .
66 Removing sapconf SLES for SAP 12 SP47.3 Tuning Systems with saptune
Using saptune , you can tune a system for SAP NetWeaver, SAP HANA/SAP BusinessObjects,
and SAP S/4HANA applications. This method relies on the system tuning service tuned .
If you used the SAP Installation Wizard to install an SAP application, tuned is usually already
active and configured with a profile for the application you installed.
If you did not use the SAP Installation Wizard to install an SAP application, make sure that the
packages tuned and saptune are installed on your system.
7.3.1 Enabling saptune to Tune for an SAP Application
1. To tune a system, rst nd a tuning solutions. To nd the appropriate solution, use:
tux > saptune solution list
saptune knows the following tuning solutions (groups of SAP notes):
BOBJ . Solution for running SAP BusinessObjects.
HANA . Solution for running a SAP HANA database.
MAXDB . Solution for running a SAP MaxDB database.
NETWEAVER . Solution for running SAP NetWeaver application servers.
S4HANA-APPSERVER . Solution for running SAP S/4HANA application servers (identi-
cal to SAP NetWeaver solution).
S4HANA-APP+DB . Solution for running both SAP S/4HANA application servers and
SAP HANA on the same host (identical to SAP NetWeaver + SAP HANA solution).
S4HANA-DBSERVER . Solution for running the SAP HANA database of an SAP
S/4HANA installation (identical to SAP HANA solution)
SAP-ASE . Solution for running an SAP Adaptive Server Enterprise database.
Alternatively, you can tune the computer according to recommendations from specific
SAP Notes. A list of notes that you can tune for is available via:
root # saptune note list
67 Tuning Systems with saptune SLES for SAP 12 SP42. To set up saptune with a preconfigured solution, use:
root # saptune solution apply SOLUTION
To set up saptune for the recommendations of a specific SAP Note, use:
root # saptune note apply NOTE
Note: Combining Optimizations
You can combine solutions and notes. However, only one solution can be active at
a time. In rare cases, notes can have conflicting options or parameters. To avoid
conflicts, order your notes, keeping in mind that the last note always overrides
conflicting options or parameters of previous notes.
3. To start saptune and enable it at boot, make sure to run the following command:
root # saptune daemon start
In the background, saptune applies a tuned profile also named saptune that is dynamically
customized according to selected “solutions” and “notes”. Using tuned-adm list , you can also
see this profile.
7.3.2 Customizing a SAP Note
Every SAP note can be configured freely with:
root # saptune note customise
The command includes changing a value or disabling a parameter.
7.3.3 Creating a new SAP Note
It is possible to create a new SAP note with:
root # saptune note create
All features of saptune are available.
68 Customizing a SAP Note SLES for SAP 12 SP47.3.4 Showing the Configuration of a SAP Note
The shipped configuration of a note can be listed with:
root # saptune note show
7.3.5 Verifying a SAP Note or a SAP Solution
The commands saptune note verify NOTE and saptune solution verify SOLUTION list
the following data for each active or requested note:
The parameter name
The expected value (default)
A configured override (created using saptune customise )
The current system value
Whether the current state is in accordance with the SAP recommendation
7.3.6 Simulating the Application of a SAP Note or a SAP Solution
To show each parameter of a note , use:
root # saptune note simulate
To show each parameter of a solution , use:
root # saptune solution simulate
It lists the current system value and the expected values (default and override).
7.3.7 Disabling saptune
To disable saptune and to stop and disable tuned run:
root # saptune daemon stop
69 Showing the Configuration of a SAP Note SLES for SAP 12 SP47.3.8 Tuning Kernel Parameters Manually Using sysctl
In addition to or instead of tuning kernel parameters using saptune , you can also use sysctl
to make manual adjustments to kernel parameters. However, such changes using sysctl do
not persist across reboots by default. To make them persist across reboots, add them to the le
/etc/sysctl.conf (or another configuration le read by sysctl ).
Tip
If you plan to configure sysctl parameters for your SAP system, consider to use saptune
as a central instance for managing your system configuration.
For more information about sysctl , see the man pages sysctl(8) , sysctl.conf(5) , and
sysctl.d(5) .
7.3.9 For More Information
See the following man pages:
man 8 saptune
man 8 saptune_v1
man 8 saptune_v2
man 8 saptune-migrate
man 8 saptune-note
Also see the project home page https://github.com/SUSE/saptune/ .
7.4 Tuning Kernel Parameters Manually Using
sysctl
In addition to or instead of tuning kernel parameters using sapconf / saptune , you can also
use sysctl to make manual adjustments to kernel parameters. However, such changes using
sysctl do not persist across reboots by default. To make them persist across reboots, add them
to one of the configuration les read by sysctl ).
70 Tuning Kernel Parameters Manually Using sysctl SLES for SAP 12 SP4For more information about sysctl , see the man pages sysctl(8) , sysctl.conf(5) , and
sysctl.d(5) .
71 Tuning Kernel Parameters Manually Using sysctl SLES for SAP 12 SP48 Firewalling
This chapter presents information about restricting access to the system using firewalling and
encryption and gives information about connecting to the system remotely.
8.1 Configuring SuSEFirewall2
By default, the installation workflow of SUSE Linux Enterprise Server for SAP Applications en-
ables SuSEFirewall2. The firewall needs to be manually configured to allow network access for
the following:
SAP application
Database (see the documentation of your database vendor; for SAP HANA, see Section 8.2,
“Configuring HANA-Firewall”)
Additionally, open the ports 1128 (TCP) and 1129 (UDP).
SAP applications require many open ports and port ranges in the firewall. The exact numbers
depend on the selected instance. For more information, see the documentation provided to you
by SAP.
8.2 Configuring HANA-Firewall
To simplify setting up a firewall for SAP HANA, install the package HANA-Firewall . HANA-
Firewall adds rule sets to your existing SuSEFirewall2 configuration.
HANA-Firewall consists of the following parts:
YaST Module SAP HANA Firewall. Allows configuring, applying, and reverting firewall rules
for SAP HANA from a graphical user interface.
Command-Line Utility hana-firewall . Allows applying and reverting the configured fire-
wall rules for SAP HANA.
If you prefer, you can configure the rule sets using the configuration le at /etc/syscon-
fig/hana-firewall instead of using YaST.
Service hana-firewall . Ensures that configured firewall rules for SAP HANA are kept.
72 Configuring SuSEFirewall2 SLES for SAP 12 SP4Important: SAP HANA MDC Databases
For multi-tenant SAP HANA (MDC) databases, determining the port numbers that need
to be opened is not yet possible automatically. If you are working with a multi-tenant
SAP HANA database system, before you use YaST, run a script on the command line to
create a new service definition:
root # cd /etc/hana-firewall.d
root # ./create_new_service
You need to switch to the directory /etc/hana-firewall.d , otherwise the rule le for
the new service will be created in a place where it cannot be used.
The script will ask several questions: Importantly, it will ask for TCP and UDP port ranges
that need to be opened.
Note: Install HANA-Firewall Packages
Before continuing, make sure that the packages HANA-Firewall and yast2-hana-fire-
wall are installed.
PROCEDURE 8.1: USING HANA-FIREWALL
1. Make sure the SAP HANA databases for which you want to configure the firewall are
correctly installed.
2. To open the appropriate YaST module, select Applications YaST, Security and Users SAP
HANA Firewall.
3. When you open this YaST module, it will create a configuration proposal based on the
number of installed SAP HANA instances.
Choose whether you want to accept the proposal using Yes or No.
Important: Narrow Down Settings from Proposal
The proposed settings allow all detected SAP HANA instances on all detected net-
work interfaces. Narrow down the proposal to secure the system further.
4. Under Global Options, activate Enable Firewall. Additionally, decide whether to Allow Re-
mote Shell Access (SSH).
73 Configuring HANA-Firewall SLES for SAP 12 SP45. Choose a network interface under Allowed Services on Network Interface.
6. Allow network services by selecting them in the list box on the left and clicking →. Remove
services by selecting them in the list box on the right and clicking ←.
To add services other than the preconfigured ones, add them using the following notation:
SERVICE_NAME:CIDR_NOTATION
For more information about the CIDR notation, see https://en.wikipedia.org/wiki/Class-
less_Inter-Domain_Routing . To nd out which services are available on your system, use
getent services .
7. Repeat from Step 5 for all network interfaces.
8. When you are done, click OK.
The firewall rules from HANA-Firewall will now be compiled and applied. Then, the ser-
vice hana-firewall will be restarted.
9. Finally, check whether HANA-Firewall was enabled correctly:
root # hana-firewall status
HANA firewall is active. Everything is OK.
74 Configuring HANA-Firewall SLES for SAP 12 SP4Tip: Checking Which Firewall Rules Are Enabled
Gaining an overview of which firewall rules are enabled in the current configuration
of the script is possible using the command line:
root # hana-firewall dry-run
For more information, see the man page of hana-firewall .
8.3 SAProuter Integration
The SAProuter software from SAP allows proxying network traffic between different SAP sys-
tems or between an SAP system and outside networks. SUSE Linux Enterprise Server for SAP Ap-
plications now provides integration for SAProuter into systemd . This means, SAProuter will be
started and stopped properly with the operating system and can be controlled using systemctl .
Before you can use this functionality, make sure the following has been installed, in this order:
An SAP application that includes SAProuter
The SAProuter systemd integration, packaged as systemd-saprouter
If you got the order of applications to install wrong initially, reinstall systemd-saprouter .
To control SAProuter with systemctl , use:
Enabling the SAProuter Service: systemctl enable saprouter
Starting the SAProuter Service: systemctl start saprouter
Showing the Status of SAProuter Service: systemctl status saprouter
Stopping the SAProuter Service: systemctl stop saprouter
Disabling the SAProuter Service: systemctl disable saprouter
75 SAProuter Integration SLES for SAP 12 SP49 Encrypting Directories Using cryptctl
cryptctl consists of two components:
A client is a machine that has one or more encrypted partitions but does not permanently
store the necessary key to decrypt those partitions. For example, clients can be cloud or
otherwise hosted machines.
The server holds encryption keys that can be requested by clients to unlock encrypted
partitions.
You can also set up the cryptctl server to store encryption keys on a KMIP 1.3-compatible
(Key Management Interoperability Protocol) server. In that case, the cryptctl server will
not store the encryption keys of clients and is dependent upon the KMIP-compatible server
to provide these.
Warning: cryptctl Server Maintenance
Since the cryptctl server manages timeouts for the encrypted disks and, depending on
the configuration, can also hold encryption keys, it should be under your direct control
and managed only by trusted personnel.
Additionally, it should be backed up regularly. Losing the server''s data means losing
access to encrypted partitions on the clients.
To handle encryption, cryptctl uses LUKS with aes-xts-256 encryption and 512-bit keys. En-
cryption keys are transferred using TLS with certificate verification.
76 SLES for SAP 12 SP4cryptctl Client cryptctl Server
Waits for kernel notification that
a disk was attached
Sends RPC request to retrieve Listens for RPC requests
encryption key over TCP
Records request in
system journal
Responds to RPC request
with partition key
Uses key to mount partition
FIGURE 9.1: KEY RETRIEVAL WITH cryptctl (MODEL WITHOUT CONNECTION TO KMIP SERVER)
Note: Install cryptctl
Before continuing, make sure the package cryptctl is installed on all machines you
intend to set up as servers or clients.
9.1 Setting Up a cryptctl Server
Before you can define machine as a cryptctl client, you need to set up a machine as a
cryptctl server.
Before beginning, choose whether to use a self-signed certificate to secure communication be-
tween the server and clients. If not, generate a TLS certificate for the server and have it signed
by a certificate authority.
Additionally, you can have clients authenticate to the server using certificates signed by a cer-
tificate authority. To use this extra security measure, make sure to have a CA certificate at hand
before starting this procedure.
1. As root , run:
root # cryptctl init-server
2. Answer each of the following prompts and press Enter after every answer. If there is a
default answer, it is shown in square brackets at the end of the prompt.
77 Setting Up a cryptctl Server SLES for SAP 12 SP4a. Choose a password with at least 10 characters and confirm it. This password assumes
the role of a master password, able to unlock all partitions that are registered on
the server.
b. Specify the path to a PEM-encoded TLS certificate or certificate chain le or leave the
eld empty to create a self-signed certificate. If you specify a path, use an absolute
path.
c. If you want the server to be identified by a host name other than the default shown,
specify a host name. cryptctl will then generate certificates which include the
host name.
d. Specify the IP address that belongs to the network interface that you want to listen
on for decryption requests from the clients, then set a port number (the default is
port 3737).
The default IP address setting, 0.0.0.0 means that cryptctl will listen on all
network interfaces for client requests using IPv4.
e. Specify a directory on the server that will hold the decryption keys for clients.
f. Specify whether clients need to authenticate to the server using a TLS certificate. If
you choose No, this means that clients authenticate using disk UUIDs only. (However,
communication will be encrypted using the server certificate in any case.)
If you choose Yes, pick a PEM-encoded certificate authority to use for signing client
certificates.
g. Specify whether to use a KMIP 1.3-compatible server (or multiple such servers) to
store encryption keys of clients. If you choose this option, provide the host names
and ports for one or multiple KMIP-compatible servers.
Additionally, provide a user name, password, a CA certificate for the KMIP server,
and a client identity certificate for the cryptctl server.
Important: No Easy Reconfiguration of KMIP Setting
The setting to use a KMIP server cannot easily be changed later. To change this
setting, both the cryptctl server and its clients need to be configured afresh.
h. Finally, configure an SMTP server for e-mail notifications for encryption and decryp-
tion requests or leave the prompt empty to skip setting up e-mail notifications.
78 Setting Up a cryptctl Server SLES for SAP 12 SP4Note: Password-Protected Servers
cryptctl currently cannot send e-mail using authentication-protected SMTP
servers. If that is necessary, set up a local SMTP proxy.
i. When asked whether to start the cryptctl server, enter y .
3. To check the status of the service cryptctl-server , use:
root # systemctl status cryptctl-server
To reconfigure the server later, do either of the following:
Run the command cryptctl init-server again. cryptctl will then propose the ex-
isting settings as the defaults, so that you only need to the specify values that you want
to change.
Make changes directly in the configuration le /etc/sysconfig/cryptctl-server .
However, to avoid issues, do not change the settings AUTH_PASSWORD_HASH and
AUTH_PASSWORD_SALT manually. The values of these options need to be calculated cor-
rectly.
9.2 Setting Up a cryptctl Client
The following interactive setup of cryptctl is currently the only setup method.
Make sure the following preconditions are fulfilled:
A cryptctl server is available over the network.
There is a directory to encrypt.
The client machine has an empty partition available that is large enough to t the directory
to encrypt.
When using a self-signed certificate, the certificate ( *.crt le) generated on the server is
available locally on the client. Otherwise, the certificate authority of the server certificate
must be trusted by the client.
If you set up the server to require clients to authenticate using a client certificate, prepare a
TLS certificate for the client which is signed by the CA certificate you chose for the server.
79 Setting Up a cryptctl Client SLES for SAP 12 SP41. As root , run:
root # cryptctl encrypt
2. Answer each of the following prompts and press Enter after every answer. If there is a
default answer, it is shown in square brackets at the end of the prompt.
a. Specify the host name and port to connect to on the cryptctl server.
b. If you configured the server to have clients authenticate to it using a TLS certificate,
specify a certificate and a key le for the client. The client certificate must be signed
by the certificate authority chosen when setting up the server.
c. Specify the absolute path to the server certificate (the *.crt le).
d. Enter the encryption password that you specified when setting up the server.
e. Specify the path to the directory to encrypt. Specify the path to the empty partition
that will contain the encrypted content of the directory.
f. Specify the number of machines that are allowed to decrypt the partition simulta-
neously.
Then specify the timeout in seconds before additional machines are allowed to de-
crypt the partition after the last vital sign was received from the client or clients.
When a machine unexpectedly stops working and then reboots, it needs to be able to
unlock its partitions again. That means, this timeout should be set to a time slightly
shorter than the reboot time of the client.
Important: Timeout Length
If the time is set too long, the machine cannot decrypt encrypted partitions on
the rst try. cryptctl will then continue to periodically check whether the
encryption key has become available. However, this will introduce a delay.
If the timeout is set too short, machines with a copy of the encrypted partition
have an increased chance of unlocking the partition rst.
3. To start encryption, enter yes .
cryptctl will now encrypt the specified directory to the previously empty partition and
then mount the newly encrypted partition. The le system type will be of the same type
as the original unencrypted le system.
80 Setting Up a cryptctl Client SLES for SAP 12 SP4Before creating the encrypted partition, cryptctl moves the unencrypted content of the
original directory to a location prefixed with cryptctl-moved- .
4. To check that the directory is indeed mounted correctly, use:
tux > lsblk -o NAME,MOUNTPOINT,UUID
NAME MOUNTPOINT UUID
[...]
sdc
└─sdc1 PARTITION_UUID
└─cryptctl-unlocked-sdc1 /secret-partition UNLOCKED_UUID
cryptctl identifies the encrypted partition by its UUID. For the previous example, that
is the UUID displayed next to sdc1 .
On the server, you can check whether the directory was decrypted using cryptctl :
root # cryptctl list-keys
2016/10/10 10:00:00 ReloadDB: successfully loaded database of 1 records
Total: 1 records (date and time are in zone EDT)
Used By When UUID Max.Users Num.Users Mount Point
IP_ADDRESS 2016-10-10 10:00:00 UUID 1 1 /secret-partition
Verify that the UUID shown is that of the previously encrypted partition.
5. After verifying that the encrypted partition works, delete the unencrypted content from
the client. For example, use rm . For more safety, overwrite the content of the les before
deleting them, for example, using shred -u .
Important: shred Does Not Guarantee That Data Is
Completely Erased
Depending on the type of storage media, using shred is not a guarantee that all data
is completely removed. In particular, SSDs usually employ wear leveling strategies
that render shred ineffective.
The configuration for the connection from client to server is stored in /etc/syscon-
fig/cryptctl-client and can be edited manually.
The server stores an encryption key for the client partition in /var/lib/cryptctl/key-
db/PARTITION_UUID .
81 Setting Up a cryptctl Client SLES for SAP 12 SP49.3 Checking Partition Unlock Status Using Server-
side Commands
When a cryptctl client is active, it will send a “heartbeat” to the cryptctl server every 10
seconds. If the server does not receive a heartbeat from the client for the length of the timeout
configured during the client setup, the server will assume that the client is offline. It will then
allow another client to connect (or allow the same client to reconnect after a reboot).
To see the usage status of all keys, use:
root # cryptctl list-keys
The information under Num. Users shows whether the key is currently in use. To see more
detail on a single key, use:
root # cryptctl show-key UUID
This command will show information about mount point, mount options, usage options, the last
retrieval of the key and the last three heartbeats from clients.
Additionally, you can use journalctl to nd logs of when keys were retrieved.
9.4 Unlocking Encrypted Partitions Manually
There are two ways of unlocking a partition manually, both of which are run on a client:
Online Unlocking. Online unlocking allows circumventing timeout or user limitations.
This method can be used when there is a network connection between client and server
but the client could not (yet) unlock the partition automatically. This method will unlock
all encrypted partitions on a machine.
To use it, run cryptctl online-unlock . Be prepared to enter the password specified
when setting up the server.
Offline Unlocking. This method can be used when a client cannot or must not be brought
online to communicate with its server. The encryption key from the server must still be
available. This method is meant as a last resort only and can only unlock a single partition
at a time.
To use it, run cryptctl offline-unlock . The server''s key le for the requisite partition
( /var/lib/cryptctl/keydb/PARTITION_UUID ) needs to be available on the client.
82 Checking Partition Unlock Status Using Server-side Commands SLES for SAP 12 SP49.5 Maintenance Downtime Procedure
To ensure that partitions cannot be decrypted during a maintenance downtime, turn o the
client and disable the cryptctl server. You can do so by either:
Stopping the service cryptctl-server :
root # systemctl stop cryptctl-server
Unplugging the cryptctl server from the network.
9.6 For More Information
For more information, also see the project home page https://github.com/HouzuoGuo/cryptctl/ .
83 Maintenance Downtime Procedure SLES for SAP 12 SP410 Protecting Against Malware With ClamSAP
ClamSAP integrates the ClamAV anti-malware toolkit into SAP NetWeaver and SAP Mobile
Platform applications. ClamSAP is a shared library that links between ClamAV and the SAP
NetWeaver Virus Scan Interface (NW-VSI). The version of ClamSAP shipped with SUSE Linux
Enterprise Server for SAP Applications 12 SP4 supports NW-VSI version 2.0.
10.1 Installing ClamSAP
1. On the application host, install the packages for ClamAV and ClamSAP. To do so, use the
command:
tux > sudo zypper install clamav clamsap
2. Before you can enable the daemon clamd , initialize the malware database:
tux > sudo freshclam
3. Start the service clamd :
tux > sudo systemctl start clamd
4. Check the status of the service clamd with:
tux > systemctl status clamd
● clamd.service - ClamAV Antivirus Daemon
Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset:
disabled)
Active: active (running) since Tue 2017-04-11 10:33:03 UTC; 24h ago
[...]
10.2 Creating a Virus Scanner Group in SAP
NetWeaver
1. Log in to the SAP NetWeaver installation through the GUI. Do not log in as a DDIC or
SAP* user, because the virus scanner needs to be configured cross-client.
84 Installing ClamSAP SLES for SAP 12 SP42. Create a Virus Scanner Group using the transaction VSCANGROUP.
3. To switch from view mode to change mode, click the button Change View ( ).
Confirm the message This table is cross-client by clicking the check mark. The table is now
editable.
4. Select the rst empty row. In the text box Scanner Group, specify CLAMSAPVSI . Under
Group Text, specify CLAMSAP .
Make sure that Business Add-in is not checked.
5. To save the form, click the button Save ( ).
10.3 Setting Up the ClamSAP Library in SAP
NetWeaver
1. In the SAP NetWeaver GUI, call the transaction VSCAN.
2. To switch from view mode to change mode, click the button Change View ( ).
Confirm the message This table is cross-client by clicking the check mark. The table is now
editable.
3. Click New entries.
85 Setting Up the ClamSAP Library in SAP NetWeaver SLES for SAP 12 SP44. Fill in the form accordingly:
Provider Type: Adapter (Virus Scan Adapter)
Provider Name: VSA_HOSTNAME (for example: VSA_SAPSERVER )
Scanner Group : The name of the scanner group that you set up in Section 10.2,
“Creating a Virus Scanner Group in SAP NetWeaver” (for example: CLAMSAPVSI )
Server: HOSTNAME_SID_INSTANCE_NUMBER (for example: SAPSERVER_P04_00 )
Adapter Path: libclamsap.so
5. To save the form, click the button .
10.4 Engaging ClamSAP
To run ClamSAP, go to the transaction VSCAN. Then click Start.
86 Engaging ClamSAP SLES for SAP 12 SP4FIGURE 10.1: CHANGE VIEW “VIRUS SCAN PROVIDER DEFINITION”
Afterward, a summary will be displayed, including details of the ClamSAP and ClamAV (shown
in Figure 10.2, “Summary of ClamSAP Data”).
87 Engaging ClamSAP SLES for SAP 12 SP4FIGURE 10.2: SUMMARY OF CLAMSAP DATA
10.5 For More Information
For more information, also see the project home page https://sourceforge.net/projects/clam-
sap/ .
88 For More Information SLES for SAP 12 SP411 Connecting via RDP
If you installed SLES for SAP with the RDP option activated or if you installed from a KIWI
image, RDP is enabled on the machine via the service xrdp . Alternatively, you can enable RDP
later as described at the end of this section.
You can connect using any software that supports RDP, such as:
Linux: Vinagre (available in SUSE Linux Enterprise Desktop/SLE Workstation Extension
and openSUSE) or Remmina (available in openSUSE)
Windows: Remote Desktop Connection
Important: Connection Parameters
Make sure to set up the connection with the following parameters:
Port: 3389
Color Depth: 16-bit or 24-bit only
PROCEDURE 11.1: SETTING UP RDP
If you have not set up an RDP connection during the installation, you can also do so later
using the following instructions.
1. First, create an exception for the firewall. Start by creating a le that sets up the port that
needs to be opened for RDP.
As root , create a new le under /etc/sysconfig/SuSEfirewall2.d/services/ with
the name xrdp and the following content:
## Name: Remote Desktop Protocol
TCP="3389"
2. Open the le /etc/sysconfig/SuSEfirewall2 and change the lines for the settings
FW_CONFIGURATIONS_EXT , FW_CONFIGURATIONS_DMZ , and FW_CONFIGURATIONS_INT to
include xrdp . If there are no other services enabled, the respective lines should read:
FW_CONFIGURATIONS_EXT="xrdp"
FW_CONFIGURATIONS_DMZ="xrdp"
FW_CONFIGURATIONS_INT="xrdp"
89 SLES for SAP 12 SP4If there are other services, separate them within the quotes using a space character.
3. Now set up xrdp itself.
If the package xrdp is not installed, install it:
root # zypper install xrdp
4. Enable and start the service:
root # systemctl restart SuSEfirewall2
5. Enable and start the service:
root # systemctl enable xrdp
root # systemctl start xrdp
You can now connect to the machine.
90 SLES for SAP 12 SP412 Creating Operating System Images
There are multiple ways to create custom operating system images from SUSE Linux Enterprise
Server for SAP Applications. The preferred way is generally to use KIWI which ingests an XML
configuration le and then runs fully automatically.
Alternatively, you can also create an image from an existing installation that is cleaned up before
re-use.
12.1 Creating Images with KIWI
KIWI is a tool to create operating system images that can be easily copied to new physical or
virtual machines. This section will present information on creating SLES for SAP images with
KIWI.
SUSE Linux Enterprise Server for SAP Applications now supports creating images with KIWI
using the template from the package kiwi-template-sap . However, there are certain restric-
tions in the current implementation:
Only building VMX disk images is supported. Building other image types is not supported.
You must provide an ISO image of SUSE Linux Enterprise Server for SAP Applications at
/tmp/SLES4SAP.iso , as the Open Build Service does not contain all necessary packages.
To build a basic image, use the following two commands:
1. Build the root le system:
root # kiwi -p SLES4SAP --root fsroot
2. Build the VMX image:
root # kiwi --create fsroot --type vmx -d build
To enable running graphical installations using SAPinst, the default settings of the image enable
the following:
Installation of an IceWM desktop
The service xrdp is started automatically, so you can connect to the machine via RDP.
For more information, see Chapter 11, Connecting via RDP.
91 Creating Images with KIWI SLES for SAP 12 SP4For more information about KIWI and SLES for SAP:
On the KIWI configuration for SLES for SAP, see /usr/share/kiwi/image/SLES4SAP/
README .
On KIWI in general, see the openSUSE-KIWI Image System Cookbook (https://doc.open-
suse.org/projects/kiwi/doc/ ).
12.2 Cleaning Up an Instance Before Using It as a
Master Image
In some cases, it makes sense to use an image of an already-configured master instance on
multiple systems instead of generating a KIWI image from scratch. For example, when your
image needs to contain additional software or configuration that cannot be installed using KIWI.
However, normally such an image would contain certain configuration data that should not be
copied along with the rest of the system.
To avoid needing to clean up manually, use the script clone-master-clean-up (available from
the package of the same name).
It deletes the following data automatically:
Swap device (zero-wiped, then re-enabled)
SUSE registration information and repositories from SUSE, and the Zypper ID
User and host SSH keys and domain and host names
The generated HANA-Firewall script (but not the configuration itself)
Shell history, mails, cron jobs, temporary les ( /tmp , /var/tmp ), log les ( /var/log ),
random seeds, systemd Journal, collectd statistics, postfix configuration, parts of /
root
/var/cache , /var/crash , /var/lib/systemd/coredump
Additionally, the following configuration is restored to defaults:
Network interfaces that do not use DHCP and network configuration ( /etc/hostname , /
etc/hosts , and /etc/resolv.conf )
sudo settings
92 Cleaning Up an Instance Before Using It as a Master Image SLES for SAP 12 SP4Additionally, you can choose to set up a new root password. UUID-based entries in /etc/
fstab are replaced by device strings. This script also ensures that, if the rst-boot section of
the installation workflow was used for the original installation, it is run again on the next boot.
12.2.1 Configuring clone-master-clean-up
Before running clone-master-clean-up , the script can be configured in the following ways:
To configure the script to not clean up certain data, use the configuration le /etc/
sysconfig/clone-master-clean-up .
This le also gives short explanations of the available options.
To configure the script to clean up additional directories or les, create a list with the
absolute paths of such directories and les:
/additional/file/to/delete.now
/additional/directory/to/remove
Save this list as /var/adm/clone-master-clean-up/custom_remove .
12.2.2 Using clone-master-clean-up
To use the script, do:
root # clone-master-clean-up
Then follow the instructions.
12.2.3 For More Information
The following sources provide additional information about clone-master-clean-up :
For general information, see the man page clone-master-clean-up .
For information on which les and directories might additionally be useful to delete, see
/var/adm/clone-master-clean-up/custom_remove.template .
93 Configuring clone-master-clean-up SLES for SAP 12 SP413 Important Log Files
The most important les for this product are:
The SAP Installation Wizard is a YaST module. You can nd its log entries in /var/log/
YaST/y2log .
All SAP knowledge is bundled in a library. You can nd its log entries in /var/log/
SAPmedia.log .
You can nd log les related to auto-installation in /var/adm/autoinstall/logs .
94 SLES for SAP 12 SP4A Additional Software for SLES for SAP
SUSE Linux Enterprise Server for SAP Applications makes it easy to install software that is not
included with your subscription:
Extensions and modules allow installing additional software created and supported by
SUSE. For more information about extensions and modules, see Deployment Guide, Part
“Initial System Configuration”, Chapter “Installing Modules, Extensions, and Third Party Add-
On Products” at https://www.suse.com/documentation/sles-12/ .
SUSE Connect Program allows installing packages created and supported by third parties,
specifically for SLES for SAP. It also gives easy access to third-party trainings and support.
See Section A.1, “SUSE Connect Program”.
SUSE Package Hub allows installation of packages created by SUSE Linux Enterprise com-
munity without support. See Section A.2, “SUSE Package Hub”.
A.1 SUSE Connect Program
Start SUSE Connect Program from the YaST control center using SUSE Connect Program. Choose
from the available options. To enable a software repository, click Add repository.
All software enabled by SUSE Connect Program originates from third parties. For support, con-
tact the vendor in question. SUSE does not provide support for these offerings.
Note: SUSEConnect command-line tool
The SUSEConnect command-line tool is a separate tool with a different purpose: It allows
you to register installations of SUSE products.
95 SUSE Connect Program SLES for SAP 12 SP4A.2 SUSE Package Hub
SUSE Package Hub provides many packages for SLE that were previously only available on
openSUSE. Packages from SUSE Package Hub are created by the community and come without
support. The selection includes, for example:
The R programming language
The Haskell programming language
The KDE 5 desktop
To enable SUSE Package Hub, add the repository as described at https://package-
hub.suse.com/how-to-use/ .
For more information, see the SUSE Package Hub Web site at https://packagehub.suse.com .
96 SUSE Package Hub SLES for SAP 12 SP4B Partitioning for the SAP System Using AutoYaST
Partitioning for the SAP system is controlled by the les from the directory /usr/share/YaST2/
include/sap-installation-wizard/ . The following les can be used:
SAP NetWeaver or SAP S/4HANA Application Server Installation. base_partition-
ing.xml
SAP HANA or SAP S/4HANA Database Server Installation. hana_partitioning.xml
SAP HANA or SAP S/4HANA Database Server Installation on SAP BusinessOne-Certified
Hardware. hardware-specific partitioning le
The les will be chosen as defined in /etc/sap-installation-wizard.xml . Here, the content
of the element partitioning is decisive.
If the installation is, for example, based on HA or a distributed database, no partitioning is
needed. In this case, partitioning is set to NO and the le base_partitioning.xml is used.
Note: autoinst.xml Cannot Be Used Here
autoinst.xml is only used for the installation of the operating system. It cannot control
the partitioning for the SAP system.
The les that control partitioning are AutoYaST control les that contain a partitioning
section only. However, these les allow using several extensions to the AutoYaST format:
If the partitioning_defined tag is set to true , the partitioning will be performed with-
out any user interaction.
By default, this is only used when creating SAP HANA le systems on systems certified for
SAP HANA (such as from Dell, Fujitsu, HP, IBM, or Lenovo).
For every partition, you can specify the size_min tag. The size value can be given as a
string in the format of RAM*N . This way you can specify how large the partition should
minimally be ( N times the size of the available memory ( RAM )).
PROCEDURE B.1: CREATING A CUSTOM SAP PARTITIONING SETUP
The steps below illustrates how to create a partitioning setup for TREX. However, creating
a partitioning setup for other applications works analogously.
97 SLES for SAP 12 SP41. In /usr/share/YaST2/include/sap-installation-wizard/ , create a new XML le.
Name it TREX_partitioning.xml , for example.
2. Copy the content of base_partitioning.xml to your new le and adapt the new le
to your needs.
3. Finally, adapt /etc/sap-installation-wizard.xml to include your custom le. In the
listitem for TREX , insert the following line:
TREX_partitioning
Important: Do Not Edit base_partitioning.xml
Do not edit base_partitioning.xml directly. With the next update, this le will be
overwritten.
For more information about partitioning with AutoYaST, see AutoYaST Guide, Chapter “Parti-
tioning” (https://www.suse.com/documentation/sles-12/ ).
98 SLES for SAP 12 SP4C Supplementary Media
Supplementary Media allow partners or customers to add their own tasks or workflows to the
Installation Wizard.
This is done by adding an XML le which will be part of an AutoYaST XML le. To be included
in the workflow, this le must be called product.xml .
This can be used for various types of additions, such as adding your own RPMs, running your
own scripts, setting up a cluster le system or creating your own dialogs and scripts.
C.1 product.xml
The product.xml le looks like a normal AutoYaST XML le, but with some restrictions.
The restrictions exist because only the parts of the XML that are related to the second stage of
the installation are run, as the rst stage was executed before.
Both XML les ( autoyast.xml and product.xml ) will be merged after the media is read and
a “new” AutoYaST XML le is generated on the y for the additional workflow.
The following areas or sections will be merged:
1
...
2
...
3
4
5
...
1 see Section C.2, “Own AutoYaST Ask Dialogs”
2 see Section C.3, “Installing Additional Packages”
3 after the package installation, before the rst boot
4 during the rst boot of the installed system, no services running
5 during the rst boot of the installed system, all services up and running
All other sections will be replaced.
99 product.xml SLES for SAP 12 SP4For more information about customization options, see AutoYaST Guide, Chapter “Configura-
tion and Installation Options”, Section “Custom User Scripts” (https://www.suse.com/documenta-
tion/sles-12/ ).
C.2 Own AutoYaST Ask Dialogs
For more information about the “Ask” feature of AutoYaST, see AutoYaST Guide, Chapter “Con-
figuration and Installation Options”, Section “Ask the User for Values During Installation” (https://
www.suse.com/documentation/sles-12/ ).
For the Supplementary Media, you can only use dialogs within the cont stage ( con-
t ), which means they are executed after the rst reboot.
Your le with the dialogs will be merged with the base AutoYaST XML le.
As a best practice, your dialog should have a dialog number and an element number, best with
steps of 10. This helps to include later additions and could be used as targets for jumping over
a dialog or element dependent on decisions. We also use this in our base dialogs and if you
provide the right dialog number and element number, you can place your dialog between our
base dialogs.
You can store the answer to a question in a le, to use it in one of your scripts later. Be aware
that you must use the prefix /tmp/ay for this, because the Installation Wizard will copy such
les from the /tmp directory to the directory where your media data also will be copied. This
is done because the next Supplementary Media could have the same dialogs or same answer le
names and would overwrite the values saved here.
Here is an example with several options:
cont
10
What is your name?
Enter your name here
Please enter your full name within the field
/tmp/ay_q_my_name
100 Own AutoYaST Ask Dialogs SLES for SAP 12 SP4
C.3 Installing Additional Packages
You can also install RPM packages within the product.xml le. To do this, you can use the
element for installation in stage 2.
For more information, see AutoYaST Guide, Chapter “Configuration and Installation Options”, Sec-
tion “Installing Packages in Stage 2” (https://www.suse.com/documentation/sles-12/ ). An exam-
ple looks as follows:
...
yast2-cim
...
C.4 Example Directory for Supplementary Media
A minimal example for Supplementary Media directory contains only a le called product.xml .
101 Installing Additional Packages SLES for SAP 12 SP4D Documentation Updates
This section contains information about documentation content changes made to the SUSE Linux
Enterprise Server for SAP Applications Guide.
This document was updated on the following dates:
Section D.1, “May 06, 2019—SLES for SAP 12 SP4 FCS Documentation Release”
Section D.2, “October 25, 2018—SLES for SAP 12 SP4 FCS Documentation Release”
Section D.3, “October 25, 2018—SLES for SAP 12 SP4 Initial Documentation Release”
Section D.4, “April 25, 2018—SLES for SAP 12 SP3 Documentation Update”
Section D.5, “November 1, 2017—SLES for SAP 12 SP3 Documentation Update”
Section D.6, “September 7, 2017—SLES for SAP 12 SP3 FCS”
Section D.7, “May 10, 2017—SLES for SAP 12 SP2 Documentation Update”
Section D.8, “December 07, 2016—SLES for SAP 12 SP2 Documentation Update”
Section D.9, “November 07, 2016—SLES for SAP 12 SP2 FCS”
Section D.10, “March 23, 2016”
Section D.11, “February 29, 2016”
Section D.12, “February 15, 2016”
Section D.13, “May 29, 2015”
Section D.14, “April 29, 2015”
Section D.15, “October 28, 2013”
D.1 May 06, 2019—SLES for SAP 12 SP4 FCS
Documentation Release
Updates were made to the following sections. The changes are explained below.
Section 1.3, “Included Services”
Updated information about ESPOS.
102 May 06, 2019—SLES for SAP 12 SP4 FCS Documentation Release SLES for SAP 12 SP4Section 7.3, “Tuning Systems with saptune”
Removed sentence discouraging use of saptune .
Section 7.2, “Tuning Systems with sapconf”
Fixed erroneous uses of the profile name sapconf that should have read sap-netweaver .
D.2 October 25, 2018—SLES for SAP 12 SP4 FCS
Documentation Release
Updates were made to the following sections. The changes are explained below.
Section 2.1, “Hardware Requirements”
Corrected hard disk and RAM requirements (bsc#1116907).
Section 6.3, “Unattended Installation of Cluster Servers”
Added section about unattended installation of HANA-SR cluster (FATE#325957).
Section 7.2, “Tuning Systems with sapconf”
Further added to sapconf section (FATE#325785).
D.3 October 25, 2018—SLES for SAP 12 SP4 Initial
Documentation Release
Updates were made to the following sections. The changes are explained below.
Section 1.3, “Included Services”
Fixed typo (bsc#1088879).
Section 7.2, “Tuning Systems with sapconf”
Amended for sapconf 4.1.11 and up (FATE#325785).
D.4 April 25, 2018—SLES for SAP 12 SP3
Documentation Update
Updates were made to the following sections. The changes are explained below.
103 October 25, 2018—SLES for SAP 12 SP4 FCS Documentation Release SLES for SAP 12 SP4Section 1.3, “Included Services”
Fixed typo (bsc#1088879).
Section 6.2, “Setup”
Fixed misleading content: Other fencing types supported but not in YaST (bsc#1086628).
D.5 November 1, 2017—SLES for SAP 12 SP3
Documentation Update
Updates were made to the following sections. The changes are explained below.
Section 1.2, “Software Repository Setup”
Added note about ESPOS updates via regular update repositories (bsc#1062335).
D.6 September 7, 2017—SLES for SAP 12 SP3 FCS
Updates were made to the following sections. The changes are explained below.
Chapter 2, Planning the Installation
Added link to SAP help and support portals (documentation comment #33499).
Chapter 2, Planning the Installation, Chapter 4, Installing SAP Applications
Updated chapters with information about support for SAP HANA MDC and SAP HANA TDI
(FATE#322281, FATE#320408).
Section 3.1, “Using the Installation Workflow”
Updated section with reference to description of installation on POWER in SLES documen-
tation (FATE#320639).
Chapter 9, Encrypting Directories Using cryptctl
Updated chapter with information about support client certificates and KMIP
(FATE#322293, FATE#322979).
Section 3.4, “Converting a SLES Installation to a SLES for SAP Installation”
Added section about converting from SLES to SLES for SAP (FATE#320636,
FATE#320568).
104 November 1, 2017—SLES for SAP 12 SP3 Documentation Update SLES for SAP 12 SP4Chapter 7, Tuning
Updated list of profiles integrated into saptune and sapconf (FATE#320359). Created
own section for sapconf .
Section 12.2, “Cleaning Up an Instance Before Using It as a Master Image”
Clarified usage of clone-master-clean-up (DocComment#32698). Added information
about new configuration options (FATE#322066).
D.7 May 10, 2017—SLES for SAP 12 SP2
Documentation Update
Updates were made to the following sections. The changes are explained below.
Section 1.1, “Software Components”
Added links to project Web sites (FATE#323178).
Section 1.2, “Software Repository Setup” ,
Section 1.3, “Included Services”
Added information about repositories and support for extensions and modules
(bsc#1022275).
Section 6.2, “Setup”
softdog is supported but not recommended (bsc#1022511).
Section 7.3, “Tuning Systems with saptune”
Documented disabling saptune / sapconf (FATE#322069).
Chapter 10, Protecting Against Malware With ClamSAP
Added new chapter (FATE#322612).
Section A.2, “SUSE Package Hub”
Added link to official usage instructions on the Web.
D.8 December 07, 2016—SLES for SAP 12 SP2
Documentation Update
Updates were made to the following sections. The changes are explained below.
105 May 10, 2017—SLES for SAP 12 SP2 Documentation Update SLES for SAP 12 SP4Section 2.1, “Hardware Requirements”
Clarified RAM requirements.
Chapter 6, Setting Up an SAP HANA Cluster
Added new chapter (FATE#319068).
Section 8.2, “Configuring HANA-Firewall”
Updated UI description (FATE#320376, FATE#320564).
Section 8.3, “SAProuter Integration”
Added new section (FATE#320566).
Appendix A, Additional Software for SLES for SAP
Added new appendix (FATE#320373).
Chapter 7, Tuning ,
Chapter 9, Encrypting Directories Using cryptctl
Clarifications.
D.9 November 07, 2016—SLES for SAP 12 SP2 FCS
Updates were made to the following sections. The changes are explained below.
Section 1.1, “Software Components”
Updated list of components.
Section 1.2, “Software Repository Setup”
Added section (bsc#320632).
Chapter 3, Installing the Operating System, Chapter 4, Installing SAP Applications
Updated chapters to match new installation wizards. Added list of supported SAP products
(FATE#320454).
Section 4.5, “Partitioning for an SAP Application Without the SAP Installation Wizard”
Added section (bsc#929623).
Chapter 7, Tuning, Chapter 8, Firewalling, Chapter 12, Creating Operating System Images, Chapter 13,
Important Log Files
Separated former chapter Configuration into smaller chapters.
Section 7.3, “Tuning Systems with saptune”
Updated section to refer to saptune (FATE#320361, FATE#320362, FATE#320633).
106 November 07, 2016—SLES for SAP 12 SP2 FCS SLES for SAP 12 SP4Chapter 9, Encrypting Directories Using cryptctl
Added section (FATE#320367).
Chapter 11, Connecting via RDP
Added section (FATE#320363).
Appendix B, Partitioning for the SAP System Using AutoYaST
Moved parts of Section 2.6.2, “Partitioning for the SAP System (stage 2)” that related to AutoYaST
only to a new section.
D.10 March 23, 2016
Updates were made to the following sections. The changes are explained below.
Section 1.1.3.1, “SAPHana Resource Agent”
Clarify wording.
Section 3.3, “Using an External AutoYaST Profile”
Clarify support status of AutoYaST (https://bugzilla.suse.com/show_bug.cgi?id=969341 ).
D.11 February 29, 2016
Updates were made to the following sections. The changes are explained below.
Section 12.2, “Cleaning Up an Instance Before Using It as a Master Image”
Add new section.
Section 12.1, “Creating Images with KIWI”
Add new section.
Section 2.2, “Downloading the Installation Image”
Clarify that only DVD 1 is necessary for installation (doccomment#30069).
Other updates
Other corrections and small language updates.
D.12 February 15, 2016
Updates were made to the following sections. The changes are explained below.
107 March 23, 2016 SLES for SAP 12 SP4Updates to the Structure of the Guide
Improve organization of the guide by updating its structure. Chapter 2, Planning the Instal-
lation, Chapter 4, Installing SAP Applications, Configuring SUSE Linux Enterprise Server for SAP
Applications, and Chapter 5, Setting Up an Installation Server for SAP Media Sets are now chap-
ters instead of sections.
Appendix C, Supplementary Media is now an appendix instead of section.
Section 2.6, “Partitioning” is now a section within Chapter 2, Planning the Installation instead
of a chapter.
Merge Section 1.1, “Software Components” and Chapter 5, “SUSE Linux Enterprise Server for
SAP Applications Components”.
Move Section 3.2, “Using SLES for SAP Media from the Network” from Chapter 3, “Remote Instal-
lation from a Network Server” to Chapter 3, Installing the Operating System.
Move Section 2.5, “Required Data for Installing” from Chapter 3, Installing the Operating System
to Chapter 2, Planning the Installation.
Move certain information from Section 1.1.4, “Installation Workflow” to Section 2.4, “Overview
of the Installation Workflow”.
Chapter 1, What Is SUSE Linux Enterprise Server for SAP Applications?
Add figure.
Section 1.1.3, “Simplified SAP HANA System Replication Setup”
Add information on supported scenarios.
Section 1.1.6, “Malware Protection with ClamSAP”
Mention added support for NW-VSI 2.0.
Section 1.1.7, “SAP HANA Security”
Add new section.
Section 1.1.8, “Simplified Operations Management”
Add new section.
Section 3.1, “Using the Installation Workflow”
Remove outdated installation options. Update Installation Workflow.
Section 3.3, “Using an External AutoYaST Profile”
Remove information that duplicated.
Chapter 4, Installing SAP Applications
Update Installation Workflow.
108 February 15, 2016 SLES for SAP 12 SP4Section 8.2, “Configuring HANA-Firewall”
Add new section.
Section 7.3, “Tuning Systems with saptune”
Add new section.
D.13 May 29, 2015
Updates were made to the following sections. The changes are explained below.
Section 1.1, “Software Components”
Add more information on SUSE Linux Enterprise High Availability Extension.
There are also White Papers about SUSE Linux Enterprise High Availability Extension and
SUSE Linux Enterprise Server for SAP Applications.
Chapter 2, Planning the Installation
Provide ISO image download URL.
Section 2.2, “Booting the Installation Medium”
The package scope of the SLES for SAP Applications — Installation is identical to a default
SUSE Linux Enterprise Server installation.
Section 2.3, “SLES for SAP — Installation”
Add note about pre-selected packages in case of registration at this stage of the installation.
Section 2.4.3.5, “Registration”
Add note about pre-selected packages in case of registration at this stage of the installation.
Chapter 4, Installing SAP Applications
Rewrite remote location specification.
Section 2.6, “Partitioning”
SAP HANA requires 2 GB of swap.
Section 1.1.3, “Simplified SAP HANA System Replication Setup”
Address SAP HANA System Replication (https://bugzilla.suse.com/show_bug.c-
gi?id=929626 ).
Section 1.1.7.2, “Hardening Guide for SAP HANA”
New section (https://bugzilla.suse.com/show_bug.cgi?id=929625 ).
109 May 29, 2015 SLES for SAP 12 SP4D.14 April 29, 2015
Updates were made to the following sections. The changes are explained below.
General
Replace SUSE Linux Enterprise Server 11 references with SUSE Linux Enterprise Server 12
everywhere, and adjust the text according to the new installation ow.
About This Guide
Update feedback information.
Section 3.3, “Using an External AutoYaST Profile”
Add note about loading an external profile via HTTP (https://bugzilla.suse.com/show_bug.c-
gi?id=925747 ).
D.15 October 28, 2013
Updates were made to the following sections. The changes are explained below.
Chapter 3, Installing the Operating System
Update “Hardware Requirements”, “Hard Disk” space, and adjust the following text ac-
cordingly.
Section 2.6, “Partitioning”
New chapter.
Appendix D, Documentation Updates
New appendix.
110 April 29, 2015 SLES for SAP 12 SP4">
Product Categories
