1. Download the ISO image of SUSE® Linux Enterprise Server for SAP Applications 12 SP5 DVD 1 (electronic media kit) from https://www.suse.com/products/sles-for-sap/.

2. Burn the image onto a physical DVD and ensure that it is bootable. Alternatively, use a virtual DVD-ROM device for installation in a virtual machine.

1. • On AMD64/Intel 64, boot from the DVD. From the DVD boot menu, select Installation.

   • On POWER, follow the instructions in the SUSE Linux Enterprise Server documentation, see Deployment Guide, Part “Installation Preparation”, Chapter “Installation on IBM POWER” (https://documentation.suse.com/sles-12).

   

   Figure 3.1: DVD Boot Menu #

     

   While the initial operating system is starting, you can view boot messages by pressing Esc. When this process has completed, the graphical installation workflow will start.

2. Select the default system language under Language.

   

   Figure 3.2: Language, Keyboard and License Agreement #

     

3. Select the appropriate keyboard layout under Keyboard Layout. To test whether the selected layout matches your physical keyboard, use the text box Keyboard Test.

4. Read the license agreement. If you agree, select I Agree to the License Terms. Proceed with Next.

   Otherwise, cancel the installation with Abort › Abort Installation.

5. (Optional) If automatic network configuration via DHCP fails, the screen Network Settings will open.

   If instead the screen Registration appears, your network connection works. To change network settings anyway, click Network Configuration.

   When you are finished configuring networking, proceed with Next.

   

   Important: Configure Networking as Recommended by SAP

   Make sure to configure the network connection as recommended in the documentation provided to you by SAP.

   For information about configuring networking, see Administration Guide, Chapter “Basic Networking”, Section “Configuring a Network Connection with YaST” (https://documentation.suse.com/sles-12).

6. On the screen Registration, enter your E-mail Address and Registration Code. Successful registration is a prerequisite for receiving product updates and the entitlement to technical support.

   Proceed with Next.

   

   Important: Register at This Step

   Make sure to register your system at this step in the installation. Otherwise, you will not receive package updates immediately.

   

   Figure 3.3: Registration #

     

7. When asked whether to enable update repositories, choose Yes.

8. After the system is successfully registered, YaST lists additional software that is available for your product from the SUSE Customer Center. The list contains modules, which are free, and extensions, which require a registration key that is liable for costs. To enable a module or an extension, activate its entry.

   Proceed with Next.

9. The following screen allows you to choose the Product Installation Mode. You can now choose between:

   • A SUSE Linux Enterprise Server Installation.  To install a SLES system without SAP-specific customization, choose Proceed with standard SLES installation. For details, see Installation Quick Start, Section “Installing SUSE Linux Enterprise Server” (https://documentation.suse.com/sles-12).

     

     Important: Installing Oracle Databases

     To be able to install an Oracle database later, choose Proceed with standard SLES installation and later convert your installation to SLES for SAP.

     This is necessary because the installer for Oracle databases queries for the existence of certain files, not all of which are included in a SLES for SAP installation.

     For more information about converting, see Section 3.4, “Converting a SLES Installation to a SLES for SAP Installation”.

   • A SUSE Linux Enterprise Server for SAP Applications Installation.  To install a SLES system with SAP-specific customization, choose Proceed with standard SLES for SAP Applications installation.

     • To install an SAP Application together with the system, activate Launch the SAP Installation Wizard right after the operating system is installed.

     • To enable RDP access (Remote Desktop Protocol) to this machine, activate Enable RDP service and open port in firewall.

       For more information about connecting via RDP, see Chapter 12, Connecting via RDP.

     Proceed with Next.

   

   Figure 3.4: Installation Type #

     

1. You can now choose whether to install an Add On Product. Proceed with Next.

2. Review the proposed partition setup for the volumes /dev/system/root and /dev/system/swap. The volume /dev/system/data will be created later, as described in Section 2.7, “Partitioning”.

   Suitable values are preselected. However, if necessary, change the partition layout. You have the following options:

   Edit Proposal Settings

   Allows you to change the options for the proposed settings, but not the suggested partition layout itself.

   Create Partition Setup

   Select a disk to which to apply the proposal.

   Expert Partitioner

   Open the Expert Partitioner described in Deployment Guide, Chapter “Advanced Disk Setup”, Section “Using the YaST Partitioner” (https://documentation.suse.com/sles-12).

   For partitioning advice specific to SUSE Linux Enterprise Server for SAP Applications, see Section 2.7, “Partitioning”.

   To accept the proposed setup without changes, proceed with Next.

   

   Figure 3.5: Suggested Partitioning #

     
   

   Note: Release Notes

   From this point on, the Release Notes can be viewed from any screen during the installation process by selecting Release Notes.

3. Select the clock and time zone to use on your system. To manually adjust the time or to configure an NTP server for time synchronization, choose Other Settings. For detailed information, see Deployment Guide, Chapter “Installation with YaST”, Section “Clock and Time Zone” (https://documentation.suse.com/sles-12).

   Proceed with Next.

4. Type a password for the system administrator account (called root) and repeat the password under Confirm Password. You can use the text box Test Keyboard Layout to make sure that all special characters appear correctly.

   For more information, see Deployment Guide, Chapter “Installation with YaST”, Section “Password for the System Administrator root” (https://documentation.suse.com/sles-12).

   Proceed with Next.

   

   Important: Do Not Forget the root Password

   The user root has the permission to carry out all administrative tasks. Without this password, you cannot log in to the system as root. The password entered here cannot be retrieved later.

5. On the screen Installation Settings, you can review and, if necessary, change several proposed installation settings. Each setting is shown alongside its current configuration. To change parts of the configuration, click the appropriate headline or other underlined items.

   

   Important: Firewall Configuration

   The software firewall of SLES for SAP is enabled by default. However, often, the ports your SAP product requires to be open are not opened automatically. This means that there may be network issues until you open the required ports manually.

   For details, see Section 9.1, “Configuring SuSEfirewall2”.

   

   Figure 3.6: Installation Settings #

     

6. When you are satisfied with the system configuration, click Install.

   Depending on your software selection, you may need to agree to further license agreements before you are asked to confirm that you want to start the installation process.

   

   Warning: Deletion of Data

   The installation process fully or partially overwrites existing data on the disk.

   In the installation confirmation box, click Install.

   When the installation of the operating system is finished, the system will reboot automatically:

   • If you chose to only prepare the system for installation, the system will boot to a desktop login screen.

   • If you chose to install an SAP application immediately after the operating system, the installation will continue after the reboot.

     In this case, continue with Chapter 4, Installing SAP Applications.

1. Copy the content of the SUSE Linux Enterprise Server for SAP Applications DVD to a Web server (for example, example.com), to the directory /srv/www/htdocs/sap_repo.

2. Boot from a SUSE DVD.

3. Select one of the boot menu options using the keys ↓/↑. Then add to the command line. To do so, specify the parameters listed below:

   • To allow network usage, add ifcfg=*=dhcp (though this should be the default).

   • Add the parameter install=SERVER/DIRECTORY.

4. Follow the instructions in Section 3.1, “Using the Installation Workflow”.

1. Execute the following command to install the required packages:

   # zypper in perl-XML-Twig migrate-sles-to-sles4sap

2. Execute the following command:

   # Migrate_SLES_to_SLES-for-SAP.sh

3. When asked to confirm to continue the migration, press Y, then Enter.

4. When asked, type the e-mail address to use for registration, then press Enter.

5. When asked, type the registration key, then press Enter.

   Wait until the script is finished. Afterward, you are subscribed to the SUSE Linux Enterprise Server for SAP Applications software repositories and the package SLES-release is removed in favor of SLES_SAP-release.

1. When the system is booted, it displays the screen Welcome. Proceed with Next.

2. The screen Network Settings will now open. This gives you an opportunity to change the network settings.

   When you are finished configuring networking, proceed with Next.

   

   Important: Configure Networking as Recommended by SAP

   Make sure to configure the network connection according to the documentation of your SAP application.

   For information about configuring networking, see Administration Guide, Chapter “Basic Networking”, Section “Configuring a Network Connection with YaST” (https://documentation.suse.com/sles-12).

   (While the next screen loads, the Welcome screen may appear again for a few seconds.)

3. Choose one of the following options:

   Create SAP file systems and start SAP product installation

   Allows installing an SAP application and setting up the system as a server providing SAP installation routines to other systems.

   Continue with Section 4.3, “Using the SAP Installation Wizard”.

   Only create SAP HANA file systems, do not install SAP products now

   Create an SAP HANA file system on SAP BusinessOne-certified hardware.

   

   Important: Hardware Requirements

   Make sure your machine fulfills the hardware requirements for SAP HANA detailed in Section 2.1, “Hardware Requirements”. Otherwise, this option will not create a new file system and the installation workflow ends at this point.

   Finish wizard and proceed to OS login

   Do not install an SAP application and continue to the login screen of SUSE Linux Enterprise Server for SAP Applications.

   Proceed with Next.

1. In the screen SAP Installation Wizard, provide the Location of the SAP Installation Master (Figure 4.1, “Location of SAP Installation Master”). The location can either be a local, removable, or remote installation source.

   

   Figure 4.1: Location of SAP Installation Master #

     

   Select the appropriate option from the drop-down box. In the text box, specify the path to your source according to the format given in the following table.

   Table 4.1: Media Source Path #

     

   Option	Description	Format of Path
   Local Sources
   dir://	a local directory	/path/to/dir/
   Removable Sources
   device://	a locally connected hard disk	devicename/path/to/dir/on/device
   usb://	a USB mass storage device	/path/to/dir/on/USB
   cdrom://	a CD or DVD	//
   Remote Sources
   nfs://	an NFS share	server_name/path/to/dir/on/device
   smb://	an SMB share	[user_name:password@]server_name//path/to/dir/on/server[?workgroup=workgroup_name]

   

   Tip: Remote Location Specification

   To install from an NFS source, specify the name of the server and the complete path to the media data. For information about setting up a remote installation server, see Chapter 5, Setting Up an Installation Server for SAP Media Sets.

   If you have installed an SAP application from an installation server before (or set up your system to be an installation server), you can also directly choose that server as the provider of the Installation Master. To do so, use the drop-down box below e an installation master.

2. Under Advanced Options, choose from the following options:

   Collect installation profiles for SAP products but do not execute installation

   Use this option to set the installation parameters, but not perform the actual installation. With this option, the SAP Installer (SAPinst) will stop without performing the actual SAP product installation. However, the steps that follow fully apply.

   For more information, see Section 4.4, “Continuing an Installation Using an Installation Profile”.

   Serve all installation media (including master) to local network via NFS

   Set up this system as an installation server for other SUSE Linux Enterprise Server for SAP Applications systems. The media copied to this installation server will be offered through NFS and can be discovered via Service Location Protocol (SLP).

   Proceed with Next.

   The SAP Installation Wizard will now copy the Installation Master to your local disk. Depending on the type of Installation Master you selected, the installation will continue differently:

   • If you are installing an SAP HANA database, skip ahead to Step 8.

   • If you are installing an SAP NetWeaver application, continue with the next step.

3. On the screen SAP Installation Wizard, provide the location of additional Installation Media you want to install. This can include an SAP kernel, a database, and database exports.

   Copy a medium

   Specify a path to additional Installation Media. For more information about specifying the path, see Table 4.1, “Media Source Path”.

   Skip copying of medium

   Do not copy additional Installation Media. Choose this option in the following cases: If you do not need additional Installation Media or if you want to install additional Installation Media directly from their source, for example CDs/DVDs or flash disks.

   When choosing this option despite your SAP product requiring additional Installation Media, you later need to provide the SAP Installer (SAPinst) with the relevant paths.

   Proceed with Next.

   If you chose to copy Installation Media, the SAP Installation Wizard will copy the relevant files to your local hard disk.

   

   Figure 4.2: SAP Installation Wizard: Additional Installation Media #

     

4. After copying the Installation Media, you will be asked whether you want to prepare additional Installation Media. To do so, click Yes. Then follow the instructions in Step 3.

   Otherwise, click No.

5. In the screen What Would You Like to Install, under The SAP product is, choose how you want to install the product:

   SAP Standard System

   Install an SAP application including its database.

   SAP Standalone Engines

   Engines that add functionality to a standard product: SAP TREX, SAP Gateway, and Web Dispatcher.

   Distributed System

   An SAP application that is separated onto multiple servers.

   SAP High-Availability System

   Installation of SAP NetWeaver in a high-availability setup.

   System Rename

   Allows changing system properties such as the SAP system ID, database ID, instance number or host name. This can be used to install the same product in a very similar configuration on different systems.

   

   Figure 4.3: SAP Installation Wizard: Installation Type and Database #

     

6. If you selected SAP Standard System, Distributed System, or SAP High-Availability System, additionally choose a back-end database under The back-end database system is.

   Proceed with Next.

7. You will now see the screen Choose a Product. The products shown depend on the Media Set and Installation Master you received from SAP. From the list, select the product you want to install.

   Proceed with Next.

   

   Figure 4.4: SAP Installation Wizard: Choose a Product #

     

8. You will be asked whether to copy Supplementary Media or Third-Party Media. To do so, click Yes and then follow the instructions in Step 3.

   Otherwise, click No.

   

   Note: Difference Between Supplementary Media/Third-Party Media and Additional Software Repositories

   Both types of delivery mechanisms allow installing software that is neither part of the SUSE Linux Enterprise Server for SAP Applications media nor part of your Media Set from SAP. However, the delivery mechanism is different:

   • Supplementary Media/Third-Party Media is installed using an AutoYaST file which allows creating an installation wizard and custom installation scripts.

   • Additional software repositories are RPM package repositories that you will remain subscribed to. This means you receive updates for Third-Party Media along with your regular system updates.

   For information on creating Supplementary Media, see Appendix C, Supplementary Media.

9. On the screen Additional software repositories for your SAP installation, you can add further software repositories. For example, for add-ons that are packaged as RPM. To do so, click Add new software repositories. For more information about adding repositories, see Deployment Guide, Chapter “Installing and Removing Software”, Section “Adding Software Repositories” (https://documentation.suse.com/sles-12).

   Proceed with Next.

   

   Note: Location of Copied SAP Media

   At this point, all data required for the SAP installation has been copied to /data/SAP_CDs (unless you chose to skip the process of copying). Each Installation Medium is copied to a separate directory. You might find the following directory structure, for example:

   > ls /data/SAP_CDs
   742-KERNEL-SAP-Kernel-742
   742-UKERNEL-SAP-Unicode-Kernel-742
   RDBMS-MAX-DB-LINUX_X86_64
   SAP-NetWeaver-740-SR2-Installation-Export-CD-1-3
   SAP-NetWeaver-740-SR2-Installation-Export-CD-2-3
   SAP-NetWeaver-740-SR2-Installation-Export-CD-3-3

   /data/SAP_CDs is the default directory as specified in the /etc/sysconfig/sap-installation-wizard configuration file.

10. Depending on the product you are installing, one or more dialogs will prompt you to supply values for configuration parameters for the SAP application you are installing.

    Supply the values as described in the documentation provided to you by SAP. Help for the configuration parameters is also available on the left side of the dialog. For more information, see Section 2.6, “Required Data for Installing”.

    Fill out the form (or forms), then proceed with OK.

    

    Figure 4.5: Product Parameters #

      

    When you are done, the SAP Installation Wizard will download additional software packages.

11. You will be asked whether to continue the installation or prepare another SAP product for installation. If you choose to prepare another SAP product, start from the beginning of this procedure.

12. (Optional) When installing SAP HANA on a system that is not certified for SAP HANA and does not meet the minimum hardware requirements for SAP HANA TDI (Tailored Datacenter Integration), you will be asked whether to continue. If you receive this message unexpectedly, check Section 2.1, “Hardware Requirements” and the sizing guidelines from SAP at https://service.sap.com/sizing.

    Otherwise, continue with Yes.

13. The following steps differ depending on the type of SAP application you are installing:

    • When installing an SAP HANA database, SAP HANA will now be installed without further question.

    • When installing an SAP NetWeaver application, the actual installation will be performed using the SAP Installer (SAPinst). After a few seconds, SAP Installer will open automatically.

      Follow the SAP Installer as described in the documentation provided by SAP. Most configuration parameters are correctly filled already.

    

    Figure 4.6: SAP Installer: Defining Parameters #

      
    

    Tip: Installation Log Files

    If the installation of the SAP application fails, refer to the installation log files. They are located in /var/adm/autoinstall. Failed installations are recorded in files with names ending in .err.

    For more information about log files, see Chapter 14, Important Log Files.

14. The final screen is Installation Completed.

    To create an AutoYaST file for this installation, activate Clone This System for AutoYaST. The AutoYaST file will be placed in /root/autoinst.xml.

    Click Finish.

1. In /etc/sysconfig/sap-installation-wizard, set the following:

   SAP_AUTO_INSTALL="yes"

2. In the case of an SAP HANA/SAP BusinessOne installation, the SAP Installation Wizard will later use the parameters documented in the AutoYaST files in /data/SAP_INST/number.

   If you need to change any parameters, make sure to adapt the AutoYaST files at this point.

3. Open the YaST control center and start SAP Installation Wizard.

4. You will be asked whether to continue the pending installation. Select Install.

5. All further interactions happen within the SAP Installer. Follow the steps of SAP Installer as described in the documentation provided to you by SAP.

   • In the case of an SAP NetWeaver installation, all parameters of the SAP Installer will be offered again for fine-tuning.

   • In the case of an SAP HANA/SAP BusinessOne installation, the installer will not be offering to make any changes to parameters.

The following procedure needs to be executed on the primary node (also called the “master”). Before proceeding, make sure the prerequisites listed in Section 6.1, “Prerequisites” are fulfilled.

1. Open the YaST control center. In it, click HA Setup for SAP Products in the category High Availability.

2. If an SAP HANA instance has been detected, you can choose between the scale-up scenarios Performance-optimized, Cost-optimized, or Chained (multi-tier). For information about these scale-up scenarios, see Section 1.1.3, “Simplified SAP HANA System Replication Setup”.

   Continue with Next.

   

3. This step of the wizard presents a list of prerequisites for the chosen scale-up scenario. These prerequisites are the same as those presented in Section 6.1, “Prerequisites”.

   Continue with Next.

4. The next step lets you configure the communication layer of your cluster.

   • Provide a name for the cluster.

   • The default transport mode Unicast is usually appropriate.

   • Under Number of rings, a single communication ring usually suffices.

     For redundancy, it is often better to use network interface bonding instead of multiple communication rings. For more information, see Administration Guide, Part “Configuration and Administration”, Chapter “Network Device Bonding” at https://documentation.suse.com/sle-ha-12.

   • From the list of communication rings, configure each enabled ring. To do so, click Edit selected, then select a network mask (IP address) and a port (Port number) to communicate over.

     Finish with OK.

   • Additionally, decide whether to enable the configuration synchronization service Csync2 and Corosync secure authentication using HMAC/SHA1.

     For more information about Csync2, see Administration Guide Part “Installation, Setup and Upgrade”, Chapter “Using the YaST Cluster Module”, Section “Transferring the Configuration to All Nodes” at https://documentation.suse.com/sle-ha-12.

     For more information about Corosync secure authentication, see Administration Guide, Part “Installation, Setup and Upgrade”, Chapter “Using the YaST Cluster Module”, Section “Defining Authentication Settings” at https://documentation.suse.com/sle-ha-12.

   Proceed with Next.

   

5. The wizard will now check whether it can connect to the secondary machine using SSH. If it can, it will ask for the root password to the machine.

   Enter the root password.

   The next time, the primary machine needs to connect to the secondary machine, it will connect using an SSH certificate instead of a password.

6. For both machines, set up the host names and IP address (for each ring).

   Host names chosen here are independent from the virtual host names chosen in SAP HANA. However, to avoid issues with SAP HANA, host names must not include hyphen characters (-).

   If this has not already been done before, host names of all cluster servers must now be added to the file /etc/hosts. For this purpose, activate Append to /etc/hosts.

   Proceed with Next.

7. If NTP is not yet set up, do so. This avoids the two machines from running into issues because of time differences.

   1. Click Reconfigure.

   2. On the tab General Settings, activate Now and on Boot.

   3. Add a time server by clicking Add. Click Server and Next. Then specify the IP address of a time server outside of the cluster. Test the connection to the server by clicking Test.

      To use a public time server, click Select › Public server and select a time server. Finish with OK.

      Proceed with OK.

   4. On the tab Security Settings, activate Open Port in Firewall.

   5. Proceed with Next.

8. In the next step, choose fencing options. The YaST wizard only supports the fencing mechanism SBD (STONITH block device). To avoid split-brain situations, SBD uses a disk device which stores cluster state.

   The chosen disk must be available from all machines in the cluster under the same path. Ideally, use either by-uuid or by-path for identification.

   The disk must not use host-based RAID, cLVM2 or reside on a DRBD instance. The device can have a small size, for example, 100 MB.

   

   Warning: Data on Device Will Be Lost

   All data on the chosen SBD device or devices will be deleted.

   To define a device to use, click Add, then choose an identification method such as by-uuid and select the appropriate device. Click OK.

   To define additional SBD command line parameters, add them to SBD options.

   If your machines reboot particularly fast, activate Delay SBD start.

   For more information about fencing, see the Administration Guide at https://documentation.suse.com/sle-ha-12.

   Proceed with Next.

9. The following page allows configuring watchdogs. They protect against the failure of the SBD daemon itself and force a reboot of the machine in such a case.

   It also lists watchdogs already configured using YaST and watchdogs that are currently loaded (as detected by lsmod).

   To configure a watchdog, use Add. Then choose the correct watchdog for your hardware and leave the dialog with OK.

   For testing, you can use the watchdog softdog. However, we highly recommend using a hardware watchdog in production environments instead of softdog. For more information about selecting watchdogs, see Administration Guide, Part “Storage and Data Replication”, Chapter “Storage Protection”, Section “Conceptual Overview”, Section “Setting Up Storage-based Protection”, Section “Setting up the Watchdog” at https://documentation.suse.com/sle-ha-12.

   Proceed with Next.

10. Set up the parameters for your SAP HANA installation or installations. If you have selected the cost-optimized scenario, additionally, fill out details related to the non-production SAP HANA instance.

    Production SAP HANA Instance

    • Make sure that the System ID and Instance number match those of your SAP HANA configuration.

    • Replication mode and Operation mode usually do not need to be changed.

      For more information about these parameters, see the HANA Administration Guide provided to you by SAP.

    • Under Virtual IP address, specify a virtual IP address for the primary SAP HANA instance. Under Virtual IP Mask, set the length of the subnetwork mask in CIDR format to be applied to the Virtual IP address.

    • Prefer site takeover defines whether the secondary instance should take over the job of the primary instance automatically (true). Alternatively, the cluster will restart SAP HANA on the primary machine.

    • Automatic registration determines whether primary and secondary machine should switch roles after a takeover.

    • Specify the site names for the production SAP HANA instance on the two nodes in Site name 1 and Site name 2.

    • Having a backup of the database is a precondition for setting up SAP HANA replication.

      If you have not previously created a backup, activate Create initial backup. Under Backup settings, configure the File name and the Secure store key for the backup. The key in the SAP HANA Secure User Store on the primary node must have been created before starting the wizard.

      For more information, see the documentation provided to you by SAP.

    • Cost-optimized scenario only: Within Production system constraints, configure how the production instance of SAP HANA should behave while inactive on the secondary node.

      Setting the Global allocation limit allows directly limiting memory usage. Activating Preload column tables will increase memory usage.

      For information about the necessary global allocation limit, see documentation provided to you by SAP such as How to Perform System Replication for SAP HANA at https://archive.sap.com/documents/docs/DOC-47702.

    Cost-optimized Scenario Only: Non-production SAP HANA Instance

    • Make sure that the System ID and Instance number match those of your non-production SAP HANA instance.

      These parameters are needed to allow monitoring the status of the non-production SAP HANA instance using the SAPInstance resource agent.

    • Generate a hook script for stopping the non-production instance and starting the production instance and removing the constraints on the production system. The script is written in Python 2 and can be modified as necessary later.

      Click Hook script and then set up the correct user name and password for the database. Then click OK.

      You can now manually verify and change the details of the generated hook script. When you are done, click OK to save the hook script at /hana/shared/SID/srHook.

      

      Warning: Passwords Stored in Plain Text

      By default, the hook script stores all credentials in plain text. To improve security, modify the script yourself.

    Proceed with Next.

    

    Figure 6.1: SAP HANA Options (Cost-Optimized Scenario) #

      

11. On the page High-Availability Configuration Overview, check that the setup is correct.

    To change any of the configuration details, return to the appropriate wizard page by clicking one of the underlined headlines.

    Proceed with Install.

12. When asked whether to install additional software, confirm with Install.

13. After the setup is done, there is a screen showing a log of the cluster setup.

    To be able to reuse the configuration file for an unattended installation, click Save configuration. (For more details about unattended cluster installations, see Section 6.3, “Unattended Installation of Cluster Servers”.)

    To close the dialog, click Finish.

14. Multi-tier/chain scenario only: Using the administrative user account for the production SAP HANA instance, register the out-of-cluster node for system replication:

    SIDadm > hdbnsutil -sr_register --remoteHost=SECONDARY_HOST_NAME \
    --remoteInstance=INSTANCE_NUMBER --replicationMode=async \
    --name=SITE_NAME

1. Copy the configuration file to the target machine.

2. Validate the configuration file:

   # yast2 sap_ha readconfig CONFIGURATION_FILE_PATH

3. Import, validate, and install the cluster unattendedly:

   # yast2 sap_ha readconfig CONFIGURATION_FILE_PATH unattended

1. To tune a system, first find a tuning solution. To find the appropriate solution, use:

   > saptune solution list

   saptune recognizes the following tuning solutions (groups of SAP Notes):

   • BOBJ.  Solution for running SAP BusinessObjects.

   • HANA.  Solution for running an SAP HANA database.

   • MAXDB.  Solution for running an SAP MaxDB database.

   • NETWEAVER.  Solution for running SAP NetWeaver application servers.

   • S4HANA-APPSERVER.  Solution for running SAP S/4HANA application servers.

   • S4HANA-APP+DB.  Solution for running both SAP S/4HANA application servers and SAP HANA on the same host.

   • S4HANA-DBSERVER.  Solution for running the SAP HANA database of an SAP S/4HANA installation.

   • SAP-ASE.  Solution for running an SAP Adaptive Server Enterprise database.

   • NETWEAVER+HANA.  Solution for running both SAP application servers and SAP HANA on the same host.

   • NETWEAVER+MAXDB.  Solution for running both SAP application servers and MAXDB on the same host.

   Alternatively, you can tune the computer according to recommendations from specific SAP Notes. A list of notes that you can tune for is available via:

   # saptune note list

2. • To set up saptune with a preconfigured solution, use:

     # saptune solution apply SOLUTION

   • To set up saptune for the recommendations of a specific SAP Note, use:

     # saptune note apply NOTE

3. To start saptune and enable it at boot, make sure to run the following command:

   # saptune service enablestart

   To make sure that sapconf and tuned gets stopped and disabled too, run instead:

   # saptune service takeover

1. Make sure the SAP HANA databases for which you want to configure the firewall are correctly installed.

2. To open the appropriate YaST module, select Applications › YaST, Security and Users › SAP HANA Firewall.

3. When you open this YaST module, it will create a configuration proposal based on the number of installed SAP HANA instances.

   Choose whether you want to accept the proposal using Yes or No.

   

   Important: Narrow Down Settings from Proposal

   The proposed settings allow all detected SAP HANA instances on all detected network interfaces. Narrow down the proposal to secure the system further.

4. Under Global Options, activate Enable Firewall. Additionally, decide whether to Allow Remote Shell Access (SSH).

5. Choose a network interface under Allowed Services on Network Interface.

6. Allow network services by selecting them in the list box on the left and clicking →. Remove services by selecting them in the list box on the right and clicking ←.

   To add services other than the preconfigured ones, add them using the following notation:

   SERVICE_NAME:CIDR_NOTATION

   For more information about the CIDR notation, see https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing. To find out which services are available on your system, use getent services.

   

7. Repeat from Step 5 for all network interfaces.

8. When you are done, click OK.

   The firewall rules from HANA-Firewall will now be compiled and applied. Then, the service hana-firewall will be restarted.

9. Finally, check whether HANA-Firewall was enabled correctly:

   # hana-firewall status
   HANA firewall is active. Everything is OK.

   

   Tip: Checking Which Firewall Rules Are Enabled

   Gaining an overview of which firewall rules are enabled in the current configuration of the script is possible using the command line:

   # hana-firewall dry-run

1. As root, run:

   # cryptctl init-server

2. Answer each of the following prompts and press Enter after every answer. If there is a default answer, it is shown in square brackets at the end of the prompt.

   1. Choose a password with at least 10 characters and confirm it. This password assumes the role of a master password, able to unlock all partitions that are registered on the server.

   2. Specify the path to a PEM-encoded TLS certificate or certificate chain file or leave the field empty to create a self-signed certificate. If you specify a path, use an absolute path.

   3. If you want the server to be identified by a host name other than the default shown, specify a host name. cryptctl will then generate certificates which include the host name.

   4. Specify the IP address that belongs to the network interface that you want to listen on for decryption requests from the clients, then set a port number (the default is port 3737).

      The default IP address setting, 0.0.0.0 means that cryptctl will listen on all network interfaces for client requests using IPv4.

   5. Specify a directory on the server that will hold the decryption keys for clients.

   6. Specify whether clients need to authenticate to the server using a TLS certificate. If you choose No, this means that clients authenticate using disk UUIDs only. (However, communication will be encrypted using the server certificate in any case.)

      If you choose Yes, pick a PEM-encoded certificate authority to use for signing client certificates.

   7. Specify whether to use a KMIP 1.3-compatible server (or multiple such servers) to store encryption keys of clients. If you choose this option, provide the host names and ports for one or multiple KMIP-compatible servers.

      Additionally, provide a user name, password, a CA certificate for the KMIP server, and a client identity certificate for the cryptctl server.

      

      Important: No Easy Reconfiguration of KMIP Setting

      The setting to use a KMIP server cannot easily be changed later. To change this setting, both the cryptctl server and its clients need to be configured afresh.

   8. Finally, configure an SMTP server for e-mail notifications for encryption and decryption requests or leave the prompt empty to skip setting up e-mail notifications.

      

      Note: Password-Protected Servers

      cryptctl currently cannot send e-mail using authentication-protected SMTP servers. If that is necessary, set up a local SMTP proxy.

   9. When asked whether to start the cryptctl server, enter y.

3. To check the status of the service cryptctl-server, use:

   # systemctl status cryptctl-server

1. As root, run:

   # cryptctl encrypt

2. Answer each of the following prompts and press Enter after every answer. If there is a default answer, it is shown in square brackets at the end of the prompt.

   1. Specify the host name and port to connect to on the cryptctl server.

   2. If you configured the server to have clients authenticate to it using a TLS certificate, specify a certificate and a key file for the client. The client certificate must be signed by the certificate authority chosen when setting up the server.

   3. Specify the absolute path to the server certificate (the *.crt file).

   4. Enter the encryption password that you specified when setting up the server.

   5. Specify the path to the directory to encrypt. Specify the path to the empty partition that will contain the encrypted content of the directory.

   6. Specify the number of machines that are allowed to decrypt the partition simultaneously.

      Then specify the timeout in seconds before additional machines are allowed to decrypt the partition after the last vital sign was received from the client or clients.

      When a machine unexpectedly stops working and then reboots, it needs to be able to unlock its partitions again. That means, this timeout should be set to a time slightly shorter than the reboot time of the client.

      

      Important: Timeout Length

      If the time is set too long, the machine cannot decrypt encrypted partitions on the first try. cryptctl will then continue to periodically check whether the encryption key has become available. However, this will introduce a delay.

      If the timeout is set too short, machines with a copy of the encrypted partition have an increased chance of unlocking the partition first.

3. To start encryption, enter yes.

   cryptctl will now encrypt the specified directory to the previously empty partition and then mount the newly encrypted partition. The file system type will be of the same type as the original unencrypted file system.

   Before creating the encrypted partition, cryptctl moves the unencrypted content of the original directory to a location prefixed with cryptctl-moved-.

4. To check that the directory is indeed mounted correctly, use:

   > lsblk -o NAME,MOUNTPOINT,UUID
   NAME                        MOUNTPOINT          UUID
   [...]
   sdc
   └─sdc1                                          PARTITION_UUID
     └─cryptctl-unlocked-sdc1  /secret-partition   UNLOCKED_UUID

   cryptctl identifies the encrypted partition by its UUID. For the previous example, that is the UUID displayed next to sdc1.

   On the server, you can check whether the directory was decrypted using cryptctl:

   # cryptctl list-keys
   2016/10/10 10:00:00 ReloadDB: successfully loaded database of 1 records
   Total: 1 records (date and time are in zone EDT)
   Used By      When                  UUID  Max.Users  Num.Users  Mount Point
   IP_ADDRESS   2016-10-10 10:00:00   UUID  1          1          /secret-partition

   Verify that the UUID shown is that of the previously encrypted partition.

5. After verifying that the encrypted partition works, delete the unencrypted content from the client. For example, use rm. For more safety, overwrite the content of the files before deleting them, for example, using shred -u.

   

   Important: shred Does Not Guarantee That Data Is Completely Erased

   Depending on the type of storage media, using shred is not a guarantee that all data is completely removed. In particular, SSDs usually employ wear leveling strategies that render shred ineffective.

1. On the application host, install the packages for ClamAV and ClamSAP. To do so, use the command:

   > sudo zypper install clamav clamsap

2. Before you can enable the daemon clamd, initialize the malware database:

   > sudo freshclam

3. Start the service clamd:

   > sudo systemctl start clamd

4. Check the status of the service clamd with:

   > systemctl status clamd
   ● clamd.service - ClamAV Antivirus Daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-04-11 10:33:03 UTC; 24h ago
   [...]

1. Log in to the SAP NetWeaver installation through the GUI. Do not log in as a DDIC or SAP* user, because the virus scanner needs to be configured cross-client.

2. Create a Virus Scanner Group using the transaction VSCANGROUP.

   

3. To switch from view mode to change mode, click the button Change View ().

   Confirm the message This table is cross-client by clicking the check mark. The table is now editable.

4. Select the first empty row. In the text box Scanner Group, specify CLAMSAPVSI. Under Group Text, specify CLAMSAP.

   Make sure that Business Add-in is not checked.

   

5. To save the form, click the button Save ().

1. In the SAP NetWeaver GUI, call the transaction VSCAN.

2. To switch from view mode to change mode, click the button Change View ().

   Confirm the message This table is cross-client by clicking the check mark. The table is now editable.

3. Click New entries.

4. Fill in the form accordingly:

   • Provider Type: Adapter (Virus Scan Adapter)

   • Provider Name: VSA_HOSTNAME (for example: VSA_SAPSERVER)

   • Scanner Group: The name of the scanner group that you set up in Section 11.2, “Creating a Virus Scanner Group in SAP NetWeaver” (for example: CLAMSAPVSI)

   • Server: HOSTNAME_SID_INSTANCE_NUMBER (for example: SAPSERVER_P04_00)

   • Adapter Path: libclamdsap.so

   

5. To save the form, click the button .

1. Build the root file system:

   # kiwi -p SLES4SAP --root fsroot

2. Build the VMX image:

   # kiwi --create fsroot --type vmx -d build