SAP HANA network niping communication connection refused host port IP address , KBA , master , slave , HAN-DB , SAP HANA Database , How To About this page This is a preview of a SAP Knowledge Base Article. system. Click more to access the full version on SAP for Me (Login required). When complete, test that the virtual host names can be resolved from Although various materials and documents for HANA networks have been available to ease your implementations and re-configurations, you might have found it time-consuming and experienced a hard time to see a whole picture at a glance. recovery). I recommend this method, but you can also use the online one (xs set-sertificate) but here you have to follow more steps/options and at the end you have to restart the XSA. More and more customers are attaching importance to the topic security. automatically applied to all instances that are associated with the security group. Here your should consider a standard automatism. You need at
Following parameters is set after configuring internal network between hosts. It must have the same software version or higher. This
Updates parameters that are relevant for the HA/DR provider hook. Figure 12: Further isolation with additional ENIs and security # 2021/03/18 Inserted XSA high security Kudos out to Patrick Heynen Once the above task is performed the services running on DT worker host will appear in Landscape tab in hana studio. Actually, in a system replication configuration, the whole system, i.e. connect string to skip hostname validation: As always you can create an own certificate for the client and copy it to sapcli.pse instead of using the server sapsrv.pse. global.ini -> [internal_hostname_resolution] : The delta backup mechanism is not available with SAP HANA dynamic tiering. The instance number+1 must be free on both
Before we get started, let me define the term of network used in HANA. Extended tables behave like all other SAP HANA tables, but their data resides in the disk-based extended store. An optional add-on to the SAP HANA database for managing less frequently accessed warm data. If set on the primary system, the loaded table information is
Wonderful information in a couple of blogs!! Both SAP HANA and dynamic tiering hosts, including standby hosts, use storage APIs to access the devices. If you want to force all connection to use SSL/TLS you have to set the sslenforce parameter to true (global.ini). Thanks for letting us know we're doing a good job! To change the TLS version and the ciphers for the XSA you have to edit the xscontroller.ini. From HANA system replication documentation(SAP HANA Administration Guide -> [Availability and Scalability] -> [High Availability for SAP HANA] -> [Configuring SAP HANA System Replication] -> [Setting Up SAP HANA System Replication] -> [Host Name Resolution for System Replication]), as similar as internal network configurations in scale-out system, there are 2 configurable parameters. Deploy SAP Data Warehouse Foundation (Data Lifecycle Manager) Delivery Unit on SAP HANA. ENI-3 If you raise the isolation level to high after the fact, the dynamic tiering service stops working. Or see our complete list of local country numbers. Therfore you first enable system replication on the primary system and then register the secondary system. On HANA you can also configure each interface. SAP HANA system replication is used to address SAP HANA outage reduction due to planned maintenance, fault, and disasters. Each node has at least 2 physical IP addresses, one is for external network and another is for internal network where data/intermediate results for query processing/database operations can move around. (1) site1 is broken and needs repair; Single node and System Replication(3 tiers)", for example, is that right? multiple physical network cards or virtual LANs (VLANs). This has never occurred in the past as the System Replication monitor immediately reflects the TIER3 as soon as the Replication is configured, Further checks confirmed each volume from TIER2 was indeed replicating to TIER3 and it took the same amount of time it usually takes to synchronize, yet no signs of the TIER3 on HANA Studio Replication monitor At the time of the parameters change in Production both TIER2 and TIER3 systems were stopped and removed from Replication setup If you change the HANA hostname resolution, you will map the physical hostname which represents your default gateway to the original installed vhostname. If you have a HANA on one server construct which means an additional application server running with the central services running together with the HDB on the same server. with Tenant Databases. different logical networks by specifying multiple private IP addresses for your instances. 1. is deployed. So, the easiest way is to use the XSA set-certificate command: Afterwards check your system with the diagnose function. before a commit takes place on the local primary system. Configure SAP HANA hostname resolution to let SAP HANA communicate over the More recently, we implemented a full-blown HANA in-memory platform . The secondary system must meet the following criteria with respect to the
Any ideas? 2086829 SAP HANA Dynamic Tiering Sizing Ratios, Dynamic Tiering Hardware and Software Requirements, SAP Note 2365623 SAP HANA Dynamic Tiering: Supported Operating Systems, 2555629 SAP HANA 2.0 Dynamic Tiering Hypervisor and Cloud Support. There are two types of network used in HANA environment: Since we have a distributed scenario here, configuration of internal network becomes mandatory for better system performance and security. Or see our complete list of local country numbers. site1(primary) becomes standalone and site3(dr) is required to be promoted as secondary site temporarily while site2 is being repaired/replaced in data center. Use Secure Shell (SSH) to connect to your EC2 instance at the OS level. 1. Network and Communication Security. The extended store can reduce the size of your in-memory database. SAP Data Intelligence (prev. Switches system replication primary site to the calling site. There are some documentations available by SAP, but some of them are outdated or not matching the customer environments/needs or not all-embracing. Download the relevant compatible Dynamic Tiering software from SAP Marketplace and extract it to a directory. Figure 10: Network interfaces attached to SAP HANA nodes. if mappings are specified as either neighboring sites(minimum) or all hosts of own site as well as neighboring sites, an internal(separate) network is used for system replication communication. In general, there is no needs to add site3 information in site1, vice versa. Registers a site to a source site and creates the replication
To learn more about this step, see Configuring Hostname Resolution for SAP HANA System Replication in the SAP alter system alter configuration ('xscontroller.ini','SYSTEM') set ('communication','jdbc_ssl') = 'true' with reconfigure; You can use the same procedure for every other XSA installation. Javascript is disabled or is unavailable in your browser. Multiple interfaces => one or multiple labels (n:m). no internal interface found, listeninterface, .internal , KBA , HAN-DB , SAP HANA Database , Problem . Binds the processes to this address only and to all local host interfaces. resolution is working by creating entries in all applicable host files or in the Domain There is already a blog about this configuration: https://blogs.sap.com/2014/01/17/configure-abap-to-hana-ssl-connection/ Network Configuration for SAP HANA system replication Contact Us Contact us Contact us This site uses cookies and related technologies, as described in our privacy statement, for purposes that may include site operation, analytics, enhanced user experience, or advertising. Public communication channel configurations, 2. 2685661 - Licensing Required for HANA System Replication. You can also select directly the system view PSE_CERTIFICATES. (3) site3 is still registered to the site2 (as it's not impacted, async only as remote DR); In the step 5, it is possible to avoid exporting and converting the keys. After some more checks we identified the listeninterface and internal_hostname_resolution parameters were not updated on TIER2 and TIER3 Only set this to true if you have configured all resources with SSL. operations or SAP HANA processes as required. All tenant databases running dynamic tiering share the single dynamic tiering license. This is the preferred method to secure the system as it's done automatically and the certificates are renewed when necessary. How to Configure SSL in SAP HANA 2.0 I hope this little summary is helping you to understand the relations and avoid some errors and long researches. You cant provision the same service to multiple tenants. Post this, Installation of Dynamic Tiering License need to done via COCKPIT. properties files (*.ini files). HI DongKyun Kim, thanks for explanation . Here you can reuse your current automatism for updating them. When set, a diamond appears in the database column. the IP labels and no client communication has to be adjusted. Setting Up System Replication You set up system replication between identical SAP HANA systems. subfolder. Create virtual host names and map them to the IP addresses associated with client, SAP HANA supports asynchronous and synchronous replication modes. Connection to On-Premise SAP ECC and S/4HANA. If you receive such an error, just renew the db trust: global.ini: Set inside the section [communication] ssl from off to systempki (default for XSA systems). A full sync was triggered to TIER2 and after the completion the TIER3 full sync was triggered I see more alerts in the trace files, don't know if they are related: [178728]{419183}[119/-1] 2015-08-18 20:56:11.225670 e cePlanExec cePlanExecutor.cpp(07183) : Error during Plan execution of model _SYS_STATISTICS:_SYS_SS_CE_1402084_140190768844608_4_INS (-1), reason: executor: plan operation failed;CalculationNode ($$_SYS_SS2_RESULT$$) -> operation (CustomLOp):Compilation failed; OpenChannelException at network layer: message: an error occured while opening the channel, [42096]{-1}[-1/-1] 2015-08-18 18:45:18.355758 e TrexNet EndPoint.cpp(00260) : ERROR: failed to open channel 127.0.0.1:30107! Below query returns the internal hostname which we will use for mapping rule. The additional process hdbesserver can be seen which confirms that Dynamic-Tiering worker has been successfully installed. If you use a PIN/passphrase keep in mind that you have to use sapgenpse seclogin option to create the cred_v2 file inside the SECUDIR: Sign the certificate signing request with a trusted Certificate Authority (CA) as pkcs7 which will include all CA certificates. Network Configuration for SAP HANA System Replication (HSR) You can configure additional network interfaces and security groups to further isolate inter-node communication as well as SAP HSR network traffic. This option requires an internal network address entry. instance. The same instance number is used for
But still some more options e.g. Follow the Before drawing the architecture, I hope this blog would help to get better understanding of networks required in HANA database regardless of the complexity. Therefore, I would highly recommend to stick with the default value .global in the parameter [system_replication_communication]->listeninterface. You can modify the rules for a security group at any time. This is normally the public network. United States. Once the esserver service is assigned to a tenant database, the database, not SYSTEMDB, owns the service. instances. * The hostname in below refers to internal hostname in Part1. Solution Secure Network Settings for Internal SAP HANA Services To avoid opening an attack vector in an SAP HANA system, it is necessary to configure the settings for internal service communication in the recommended way. Configuring SAP HANA Inter-Service Communication in the SAP HANA Primary Host: Enable system replication. The XSA can be offline, but will be restarted (thanks for the hint Dennis). For more information, see Configuring Instances. global.ini -> [internal_hostname_resolution] : (details see part I). Operators Detail, SAP Data Intelligence. SAP HANA attributes.ini daemon.ini dpserver.ini executor.ini global.ini indexserver.ini multidb.ini nameserver.ini statisticsserver.ini webdispatcher.ini xsengine.ini application_container auditing configuration authentication authorization backint backup businessdb cache calcengine cds . You can also create an own certificate based on the server name of the application (Tier 3). Configuring SAP HANA Inter-Service Communication, Configuring Hostname Resolution for SAP HANA System Replication, Configuration for logical network separation, AWS replication. The OS process for the dynamic tiering host is hdbesserver, and the service name is esserver. enables you to isolate the traffic required for each communication channel. But keep in mind that jdbc_ssl parameter has no effect for Node.js applications! of ports used for different network zones. documentation. Wilmington, Delaware. Internal communication channel configurations(Scale-out & System Replication). You can use the same procedure for every other XSA installation. Stopped the Replication to TIER2 and TIER3 and removed them from the system replication configuration In the following example, two network interfaces are attached to each SAP HANA node as well instances. Log mode
Data Lifecycle Manager optimizes the memory footprint of data in SAP HANA tables by relocating data to Dynamic Tiering or HADOOP. SAP Real Time Extension: Solution Overview. SAP HANA, platform edition 2.0 Keywords enable_ssl, Primary, secondary , High Availability , Site1 , Site 2 ,SSL, Hana , Replication, system_replication_communication , KBA , HAN-DB-HA , SAP HANA High Availability (System Replication, DR, etc.) So for s1host1,10.5.2.1=s2host110.4.3.1=s3host1, For s2host110.5.1.1=s1host110.4.3.1=s3host1, For s3host110.4.1.1=s1host110.4.2.1=s2host1. * Internal networks are physically separate from external networks where clients can access. # Edit If you do this you configure every communication on those virtual names including the certificates! An elastic network interface is a virtual network interface that you can attach to an Name System (DNS). communications. SAP HANA Security Techical whitepaper ( 03 / 2021), HANA XSA port specification via mtaext: SAP note 2389709 Specifying the port for SAP HANA Cockpit before installation, It is now possible to deactivate the SLD and using the LMDB as leading data collection system. groups. System Monitoring of SAP HANA with System Replication. (2) site2 take over the primary role; Step 3. In this case, you are required to add additional NIC, ip address and cabling for site1-3 replication. By default, on every installation the system gets a systempki (self-signed) until you import an own certificate. Copyright |
* You have installed internal networks in each nodes. Understood More Information as in a separate communication channel for storage. , Problem. provide additional, dedicated capacity for Amazon EBS I/O. Maybe you are now asking for this two green boxes. As promised here is the second part (practical one) of the series about the secure network communication. Contact us. It is also possible to create one certificate per tenant. Contact us. How you can secure your system with less effort? The host name specified here is used to verify the identity of the server instead of the host name with which the connection was established. RFC Module. exactly the type of article I was looking for. Primary, SAP Landscape Management 3.0, Enterprise Edition, What's New in 3.0 SP11 Enterprise Edition, What's New in 3.0 SP10 Enterprise Edition, Initial Setup Using the Configuration Wizard, Preparing SAP Application Instances on Windows, Installing SAP Application Instances with Virtual Host Names on Windows, Preparing Additional Hosts for Database Relocation, Preparing SAP Application Instances on UNIX, Installing SAP Application Instances with Virtual Host Names on UNIX, Configuring Individual User Interface Settings, Hiding Menu Items from the User Interface, Configuring Global User Interface Settings, Setting Up Validations for Landscape Entities, Integrating Partner Virtualization Technology, Obtaining Virtual Host Details from Virtual Host Provider, Creating Rolling Kernel Switch Repositories, Creating Rolling Kernel Switch Configurations, Configuring Diagnostics Agent Installations and Uninstallations, Configuring Application Server Installations and Uninstallations, Creating SAP Adaptive Extensions Repositories on UNIX, Configuring SAP Adaptive Extensions on UNIX, Creating SAP Adaptive Extensions Repositories on Windows, Configuring SAP Adaptive Extensions on Windows, Preparing Replication Status Repositories, Creating SAP HANA Replication Status Repositories, Configuring Custom Settings for System Provisioning, Configuring Additional Instance Information, Configuring Diagnostics Agent Connections, Configuring SystemDB Administrator Credentials, Configuring Database Administrator Credentials, Configuring Database Schema User Credentials, Specifying Configuration Directories of Database Instances, Specifying SQL Ports for Tenant Databases, Configuring Custom Properties for Instances, Assigning Custom Relations and Target Entities, Specifying Exclusively Consumed Resources, Extracting Mount Points from the File System, Enabling E-Mail Notifications for Activities, Enabling Custom Notifications for Activities, Configuring Managed Systems as SAP Solution Manager Systems, Assigning SAP Solution Manager Systems to Managed Systems, Configuring Managed Systems as Focused Run Systems, Assigning Focused Run Systems to Managed Systems, Configuring Custom Properties for Systems, Provisioning and Remote Function Call (RFC), Enabling Systems for Provisioning Operations, Configuring SAP Test Data Migration Server, Adding Mount Point Configurations on System Level, Configuring Remote Function Call Destinations, Configuring Outgoing Connections for System Isolation, Assigning Elements to Characteristic Values, Search Operators and Wildcards for Global Searches, Search Operators and Wildcards for Local Searches, Configuring the UI Refresh Interval per Screen, Operations for Adaptive Enabled Systems and Instances, Operations for Non-Adaptive Enabled Systems and Instances, Allowing One Instance to Run on One Host at a Time, Allowing Multiple Instances to Run on One Host at a Time, Managing SAP Adaptive Extensions Installations, General Prerequisites for Instance Operations, Starting Including Preparing Systems and Instances, Stopping and Unpreparing Systems and Instances, Relocating Not Running Systems and Instances, Restarting the AS Java Instance of an AS ABAP/Java System, Restarting and Reregistering an Instance Agent, Registering and Starting an Instance Agent, Executing Operations on Instances with an SAP Solution Manager System Assigned to Them, Executing Operations on Instances with a Focused Run System Assigned to Them, Description of the Rolling Kernel Switch Concept, Installing the License for ABAP Post-Copy Automation, Setting the Target Status for an Instance, Clearing the Target Status for an Instance, Getting A List of Users Who Are Logged On, Active/Active (Read Enabled) System Replication, Enabling or Disabling Full Sync Replication, Performing a Forced System Replication Takeover, Registering a Secondary Tier for System Replication, Starting Check of Replication Status Share, Stopping Check of Replication Status Share, Stopping Replicated Multi-Tier SAP HANA Systems, Unregistering Secondary Tier from System Replication, Unregistering System Replication Site on Primary, Assign Replication Status Repository Workflow, Moving a Tenant Database Near Zero Downtime, Near Zero Downtime Maintenance on Non-Primary Tier, Performing Near Zero Downtime Maintenance on Non-Primary Tier, Near Zero Downtime Maintenance on Non-Primary Tier Workflow, Near Zero Downtime Maintenance on Primary Tier, Performing Near Zero Downtime Maintenance on Primary Tier, Near Zero Downtime Maintenance on Primary Tier Workflow, Performing a Near Zero Downtime SAP HANA Update, Near Zero Downtime SAP HANA Update Workflow, Near Zero Downtime SAP HANA Update on Primary Tier, Performing a Near Zero Downtime SAP HANA Update on Primary Tier, Near Zero Downtime SAP HANA Update on Primary Tier Workflow, Register Primary Tier as new Secondary Tier, Registering a Primary Tier as new Secondary Tier, Register Primary Tier as new Secondary Tier Workflow, Removing Replication Status Configuration, Remove Replication Status Configuration Workflow, Updating Replication Status Configuration, Update Replication Status Configuration Workflow, Deactivating (OS Shutdown) Virtual Elements, Deactivating (Power Off) Virtual Elements, General Prerequisites for Provisioning Systems, Refreshing a Database Using a Database Backup, Executing Post-Copy Automation Standalone, Monitoring a System Clone, Copy, Refresh, or Rename, Installing Application Servers on an Existing System, Creating SAP HANA System Replication Tiers, Destroying SAP HANA System Replication Tiers, Configuring SAP Host Agent Registered Scripts, Creating Provider Script Registered with Host Agent, Parameters for Custom Operations and Custom Hooks, Creating Documentation for Custom Operations, Rearranging the Order of Custom Operations, Parameterizing Values for Provisioning Templates, Saving Activities as Provisioning Blueprints, Saving Provisioning Blueprints as Operation Template, Grouping Templates available in the Schedule, Filtering Templates available in the Schedule, Downloading Activities Support Information, General Security Aspects and Relevant Assets, Assets SAP Landscape Management Relies On, Setting Authorization Permissions for Operations and Content, Setting Authorization Permissions for Views, SAP Note 2211663 - The license changes in an, SAP Note 1876398 - Network configuration for System Replication in, SAP Note 17108 - Shared memory still present, startup fails, SAP Note 1945676 - Correct usage of hdbnsutil -sr_unregister, Important Disclaimers and Legal Information. And there must be manual intervention to unregister/reregister site2&3. # 2021/09/09 updated parameter info: is/local_addr thx @ Matthias Sander for the hint Now you have to go to the HANA Cockpit Manager to change the registered resource to use SSL. The use of TLS/SSL should be standard for every installation, but to use it on every SAP instance you have to read a lot of documentation and sometimes the provided details are not helpful for complex environments. can use elastic network interfaces combined with security groups to achieve this network Thanks for the further explanation. Perform SAP HANA
You set up system replication between identical SAP HANA systems. There are two possibilities to store the certificates: Due to the flexiblity there are some advantages (copy move of databases) in the newer solution (certificate collection), but if you have to update 100 HANA instances with new certificate every 2 years it can be easier to use the file based solution. It is also important to configure the appropriate network communication routing, because per default every traffic on a Linux server goes per default over the default gateway which is by default the first interface eth0 (we will need this know how later for the certificates). well as for SAP HSR, Storage zone to persist SAP HANA data in the storage infrastructure for Questo articolo descrive come distribuire un sistema SAP HANA a disponibilit elevata in una configurazione con scalabilit orizzontale. For your information, I copy sap note Changed the parameter so that I could connect to HANA using HANA Studio. 3. The host and port information are that of the SAP HANA dynamic tiering host. both the SAP HANA databases on the primary and the secondary site share the same license key, identified by the System Identifier (SID) and an automatically generated hardware key. There is already a blog post in place covering this topic. * In the first example, the [system_replication_communication]listeninterface parameter has been set to .global and the neighboring hosts are specified. You add rules to each security group that allow traffic to or from its associated # Inserted new parameters from 2300943 And you need to change the parameter [communication]->listeninterface to .internal and add internal network entries as followings. For more information, see Assigning Virtual Host Names to Networks. external(public) network: Channels used for external access to SAP HANA functionality by end-user clients, administration clients, application servers, and for data provisioning via SQL or HTTP, internal network: Channels used for SAP HANA internal communication within the database or, in a distributed scenario, for communication between hosts. 2478769 Obtaining certificates with subject Alternative Name (SAN) within STRUST It must have the same SAP system ID (SID) and instance
Due the complexity of this topic the first part will once more the theoretical one and the second one will be more praxis oriented with the commands on the servers. It must have the same system configuration in the system
2475246 How to configure HANA DB connections using SSL from ABAP instance. Disables the preload of column table main parts. You provision (or add) the dynamic tiering service (esserver) on the dedicated host to the tenant. global.ini -> [communication] -> listeninterface : .global or .internal To learn After a validation on the non prod systems the change was made on our Production landscape that is using the HANA System Replication (HSR) installed. In the following example, ENI-1 of each instance shown is a member Pre-requisites. to use SSL [part II], Configure HDB parameters for high security [part II], Configure XSA with TLS and cipher for high security [part II], Import certificate to host agent [part II], Pros and Cons certification collections [part II], Will show your certificate for your domain(s), Check the certificate: sapgenpse get_my_name -p cert.pse, Replace the sapsrv.pse, SAPSSLS.pse and SAPSSLC.pse with the created cert.pse, the application server connection via SQLDBC have to set up to be secure, HANA Cockpit connections have to set up to be secure, Local hdbsql connections have to be set up for encryption, sslValidateCertificate = false => will not validate the certificate, sslHostNameInCertificate =