Skip to main content

Configuring SAP Host Agent

 How to Configure SAP Hostagent ?

To understand what is a SAP Hostagent and how it is installed and used , SAP Hostagent Introduction


Whenever we talk about SAP Hostagent Configuration these are the things that needs to be discussed, We are already aware that port used for sap hostagent is 1128

1. Enabling SAP Host Agent Registration in SLD 

2. SSL Configuration of SAP Host Agent 

3. Enable Audit Log

4. Binding only specific IP



Enabling SAP Host Agent Registration in SLD 

Now let's understand the need of it we obviously need to link our saphostagent with the SLD (SLD), To enable the automatic registration in SLD we need to configure the connectivity information using the command line tool sldreg.

This topic is somehow centered towards connection with SOLMAN , Prerequisite to enable this configuration is obviously that SAP Hostagent is already installed.

Note :

1. Is you selected to add SLD during data service installation . this enabling procedure would have been automatically done\
2. This process involves creation of both slddest.cfg and slddest.cfg.key and both are required for the SLD to work.

Configuring :

1. Login as root user or from administrator group in case of windows
2. Navigate to hostctrl executable files in case of linux cd /usr/sap/hostctrl/exe
3. Run the sldreg (SLD registration tool) ./sldreg -configure slddest.cfg     [slddest-> sld destination]
4. As mentioned it is sld destination you need to fill the destination configuration

sld destiination configuration file has following data 

UserName : SLD user which has assigned role DataSupplierID
Password : password of the above user 
Host : SLD host
Port Number : port of SLD that needs to be used
Specify to use http/https: Protocol that needs to be used

sldreg will automatically create slddest.cfg.key while performing the configuration , that key will be use by the DataSupplier user to push the information to SLD.

5. Confirm that the slddest.cfg file is in stored in encrypted file
6. Take a hostagent restart ./saphostexec -restart

Note : In order to SLD registration to work SLDReg must be running in <LINK_DIR>/sldreg otherwise all the files need to be manually copied to this directory

In order to check if the registration was done properly you can log in to https://<hotname>:<port >/sld , Choose your technical system and the registered host is displayed

Your local host is registered to SLD now.

SSL Configuration of SAP Host Agent 

Main steps are as followed :-

1. Preparing the environment for SAP Cryptographic Library

2. Preparing the pse (personal security environment ) for the server

3. Preparing the pse (personal security environment ) for the client

4. Establishing trust between the client and sap hostagent

5. Allowing the client to issue admin commands 

Prerequisite would be that saphostagent is already installed and login as root user 

If you are using the default naming server proceed as mentioned [path where pse files are stored] ,if you want to override the default[default path] .pse name you can see the following value for host_profile.

ssl/server_pse = <path to server pse> 

The server PSE contains the server certificate that is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates


1. Create a directory to store pse files

mkdir /usr/sap/hostctrl/exe/sec

2. Assign the ownership to sapadm:sapsys top the sec folder

3. Shared Dynamic Library (Shared / Dynamic Libraries ) should be understood here 

Set up the shared library search path ( LD_LIBRARY_PATHLIBPATH or SHLIB_PATH) and SECUDIR environment variables, and change to the exe directory of SAP Host Agent

export LD = /usr/sap/hostctrl/exe/
export SECUDIR = /usr/sap/hostctrl/exe/sec

To avoid issue with sapgense tool we give exact path in SECUDIR (sapgenpse)

4. Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR)

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x <password> -r /tmp/myhost-csr.p10 "CN=myhost.wdf.sap.corp, O=SAP AG, C=DE"

This command creates a PSE file named SAPSSLS.pse (name is fixed), which can be used to authenticate myhost.wdf.sap.corp for incoming SSL connections. The access to the PSE file is protected with a password. Use the -r option to direct the certificate signing request to a file, or omit it if you intend to copy and paste the CSR into a web formular.

5. Grant SAP Hostagent access to the server pse

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x <password> -O sapadm


6. Get the CA Certificate [We generally have a separate team which performs this] So to request for this certificate you need to share the file which was generate in step 4 , the CSR which was saved in tmp/myhost-csr.p10  needs to be sent along with request will revert with CA-response-file which contains the signed certificate in the PKCS#7 format.

7. Import the signed server in the pse

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x <password> -c /tmp/myhost.p7b

8. Verify the server certificate 

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x <password> -v

9. Restart SAP Hostagent 

10. Prepare PSE for the client : This is application dependent so read the manual of the application to check the SAP Hostagent


Enable Audit Log

The operating systems which are supported by Host Agent have built-in means of audit logging. On UNIX and Linux, SAP Host Agent uses the syslog (/var/log/messages), and in Windows the Application Eventlog. The user can decide if audit logging is done using OS means or provide a file to which all audit messages are written. Audit logging is disabled by default. You can enable and configure it using host_profile parameters.

1. Edit the host_profile in /usr/sap/hostctrl/exe/ [executable path for hostctrl]

2. host_profile 

Parameters : service/auditlevel =0/1 1 will enable audit logging

service/auditlogfile = |If an audit logfile is provided by the user, SAP Host Agent uses the <FILE_NAME> logfile in the SAP Host Agent’s work directory for audit logging. Eventlog and Syslog are not used in this case. If the file does not exist, it is created by SAP Host Agent.

service/auditlogfilesize : If an audit logfile is provided, the user can decide to which extent the logfile is allowed to grow. All sizes must be given in MB (Megabyte). If the configured size is exceeded, the current audit logfile is saved to <FILENAME>.old and a new audit logfile is created. If the size is set to 0 or if the parameter is not configured at all, the audit logfile can grow unlimitedly.

Binding only specific IP


You can configure SAP Host agent only to accept network connections for specific IP addresses or host names

1. Specify the following value in the host_profile of the SAP Host Agent:

service/hostname = <host_name>

or

service/hostname = <IP_Address>


2. Restart saphostagent , saphostexec -restart 


We can also configure as Network Access Control  List using SAP note 1495075


How to check which ip as bound with host


<hostagent exe path > netstat -tlnp | grep 1128


Read more :
Labels:

Comments

Post a Comment

You might find these interesting

Notes for Build Resilient Applications on SAP BTP with Amazon Web Services [ Week 1]

Welcome back to the next chapter in our ongoing series dedicated to unraveling the dynamic interplay between SAP Business Technology Platform (BTP) and Amazon Web Services (AWS). For those just joining us, this blog serves as an invaluable resource for individuals delving into the world of SAP BTP or seeking a comprehensive reference guide. SAP BTP, or SAP Business Technology Platform, is a comprehensive platform that brings together various essential capabilities for application development, automation, data management, analytics, planning, integration, and AI. These features are all integrated into a unified environment, making it user-friendly for both professional IT developers and citizen developers. Image Credit  Key Features of SAP BTP: Application Development: SAP BTP offers a range of tools for development. For instance, SAP Build enables low-code development, while the SAP Business Application Studio caters to core developers, providing services like document management a...
1 comment
Read more

8 Must-Know Questions About Object Store on SAP Business Technology Platform

What is the problem that Object Store solves ? Modern enterprise systems increasingly deal with massive volumes of unstructured data such as documents, logs, media files, and backups. Traditional relational databases are not optimized for such workloads. What is Object Store ? Object storage—commonly referred to as blob storage—addresses this gap by providing scalable, durable, and cost-efficient storage for unstructured data. Object storage is a storage architecture designed to manage unstructured data as discrete units called objects.  Each object consists of: Binary data (file content) : Image , File etc Metadata (descriptive attributes) : File size, Content type, Last modified timestamp, Storage class (hot, cool, archive) Unique identifier (key or URL) : unique path-like string used to locate a blob inside a bucket Unlike file systems or relational databases, object storage does not rely on hierarchical file structures or schemas. The SAP BTP Object Store service is a managed, ...
Post a Comment
Read more

Understanding SAP BTP Global Accounts, Directories, Subaccounts, and Entitlements

In SAP Business Technology Platform (BTP), organizing your resources effectively is crucial for efficient management and scalability. This blog provides a comprehensive overview of global accounts, directories, subaccounts, and entitlements within SAP BTP. What is a Global Account in SAP BTP? A global account in SAP BTP represents the contractual agreement you have with SAP. It serves as the top-level container for managing various resources, including directories, subaccounts, members, entitlements, and quotas. Within a global account, you receive entitlements and quotas for platform resources, which can be allocated to subaccounts for actual consumption. How Do Directories Function in SAP BTP? Directories in SAP BTP allow you to organize and manage your subaccounts based on your technical and business requirements. A directory can contain other directories and subaccounts, enabling you to create a hierarchical structure. This hierarchy can be up to 7 levels deep, with the global ac...
Post a Comment
Read more

How to properly Start/Stop SAP system through command line ?

Starting/stopping an SAP system is not a critical task, but the method that most of us follow to achieve this is sometimes wrong. A common mistake that most of the SAP admins do is, making use of the 'startsap' and 'stopsap' commands for starting/stopping the system.  These commands got deprecated in 2015 because the scripts were not being maintained anymore and SAP recommends not to use them as many people have faced errors while executing those scripts. For more info and the bugs in scripts, you can check the sap note 809477.  These scripts are not available in kernel version 7.73 and later. So if these are not the correct commands, then how to start/stop the sap system?  In this post, we will see how to do it in the correct way. SAP SYSTEM VS INSTANCE In SAP, an instance is a group of resources such as memory, work processes and so on, usually in support of a single application server or database server with...
25 comments
Read more

KPIs for Recovery in HANA Database Administration

Introduction: In the dynamic landscape of database administration, ensuring the robustness of a system is paramount. One crucial aspect that demands meticulous attention is the recovery process following a system failure. Two key performance indicators (KPIs) stand out in this realm – Recovery Point Objective (RPO) and Recovery Time Objective (RTO) . In this technical blog, we will delve into the significance of these KPIs for HANA database administrators and explore strategies to optimize them. Recovery Point Objective (RPO): RPO is a critical metric that defines the maximum acceptable data loss in the event of a system failure . For HANA database administrators, establishing an RPO involves a careful balance between data consistency and the overhead of continuous data replication. Continuous Data Backups: To meet stringent RPO requirements, implementing continuous data backups is imperative. Utilizing HANA's native backup capabilities and integrating them with a robust backup s...
Post a Comment
Read more

Huge Multiversion Concurrency Control (MVCC) Versions in HANA

What is MVCC? MVCC is a database concurrency control method that allows multiple transactions to occur concurrently without conflicting with each other. In a nutshell, it ensures that each transaction sees a snapshot of the database at a specific point in time, even if other transactions are making changes concurrently. MVCC in SAP HANA: SAP HANA uses MVCC to manage concurrent access to data. Each transaction in HANA sees a consistent snapshot of the data at the time the transaction began. This is achieved by maintaining multiple versions of a data row, each associated with a specific transaction or point in time. The Issue of Huge MVCC Versions: Now, the term "Huge MVCC Versions" indicates a situation where there is a significant number of these versions for a particular set of data. Here's why this might become a problem: Increased Memory Usage: Each version of a data row consumes memory. As the number of versions increases, the overall memory consumption by the databas...
Post a Comment
Read more

Execute HANASitter for hang situation analysis

The SAP HANAsitter is configured to perform default checks once every hour to ascertain the online and primary status of SAP HANA. Upon confirmation, it initiates tracking procedures, which involve regular responsiveness assessments (typically every minute). If SAP HANA becomes unresponsive, the HANAsitter commences recording activities, potentially capturing call stacks of active threads, run-time dumps, index server gstacks, and/or kernel profiler traces, although, by default, no recording occurs. When SAP HANA is responsive, the script scrutinizes critical features, including a standard check for more than 30 active threads. If this threshold is exceeded, the script triggers recording. Upon completing the recording process, the script exits, with an option to be configured for restart using the command line. Setup Steps Overview: Begin by creating an SAP HANA user with the desired name (e.g., HANASITTER) and assign the CATALOG READ privilege to it. Establish a user key in the hdbuse...
Post a Comment
Read more

Deploying SAP on Google Cloud : Part 1

 Connect to Google  Connection Method To be Used for Speed Explanation Example Uses Cloud VPN Proof of Concept Variable, up to 3 Gbps Connects on-premises network to Google Cloud securely over the internet using IPsec VPN tunnels. Creating a Cloud VPN tunnel between on-premises and Google Cloud. Encrypted IPsec tunnels Dedicated Interconnect For Enterprise level connect 10 Gbps to 100 Gbps Provides a dedicated, private connection between on-premises and Google Cloud through Google's network. Provisioning a dedicated interconnect connection. Direct physical connection between on-premises and Google Cloud network infrastructure Partner Connect If you have a data center which cannot be reached to Dedicated Google facility. Variable, up to 100 Gbps Allows connecting to Google Cloud through supported service providers. Establishing a connection with a supported service provider. Utilizes service provider's network infrastructure. Configure Tunnels with Google Cloud Platform IPsec
Post a Comment
Read more

Building the Foundation of the PO System: Architecture and some terminologies

1. Loosely Coupled and Tightly Coupled Services : Loosely Coupled Services : These services interact with each other with minimal dependencies. Changes in one service don't significantly impact others. Pros include flexibility, easier updates, and better scalability. A common example in PO is when a shipping service communicates with an inventory service. Changes in the inventory service won't necessarily disrupt shipping. Tightly Coupled Services : These services are interdependent, so changes in one service can affect others. While they might provide faster communication, they can be less flexible and harder to maintain. For example, tightly coupling an order processing service with a payment service means any change in payment could ripple to order processing. 2. SOA - Service-Oriented Architecture : SOA is an architectural approach where everything is treated as a service, encapsulating specific functionality. Service Orchestration Example (Banking Transaction) : Consider ...
2 comments
Read more

Work Process and Memory Management in SAP

Let’s talk about the entire concepts that are related to memory when we talk about SAP Application. Starting with few basic terminologies, Local Memory :  Local process memory, the operating system keeps the two allocation steps transparent. The operating system does the other tasks, such as reserving physical memory, loading and unloading virtual memory into and out of the main memory. Shared Memory :  If several processes are to access the same memory area, the two allocation steps are not transparent. One object is created that represents the physical memory and can be used by various processes. The processes can map the object fully or partially into the address space. The way this is done varies from platform to platform. Memory mapped files, unnamed mapped files, and shared memory are used.  Extended Memory : SAP extended memory is the core of the SAP memory management system. Each SAP work process has a part reserved in its virtual address space for extended memory...
7 comments
Read more