IBM Cloud Docs
Checking and preparing SAP system for monitoring

Checking and preparing SAP system for monitoring

Use the following information to check and prepare your SAP system for monitoring.

Collecting SAP system parameters

Gather parameter values from an SAP system. The values are used to replace variables in the configuration files of the monitoring instance. The table SAP variables description describes details about the values that are assigned to the corresponding variables. For more information, see Determine SAP Parameters.

SAP variables description:

SAP variables description
Variable name Description
sap_monitoring_nr Two-digit incremental number that starts with 01 up to 99. This ID is not an existing SAP system ID, but an arbitrary number to map a targeted SAP system.
sap_monitoring_solution_name Name of the targeted SAP system, for example: "PM2 6.1 (S/4 2022)" might include SID, SAP Product Version, SAP HANA edition.
sap_hana_ip IPv4 address of the SAP HANA DB server.
sap_ascs_ip IPv4 address of the SAP ASCS server.
sap_app_server_ip_01 IPv4 address of the first SAP (primary) application server.
sap_app_server_ip_02 The optional IPv4 address of the second SAP application server.
sap_app_server_ip_03 The optional IPv4 address of the third SAP application server.
sap_app_server_ip_<n> The optional IPv4 address of any other SAP application servers.
sap_hana_http_port HTTP port of the sapstartsrv web service on the SAP HANA server.
sap_ascs_http_port HTTP port of the sapstartsrv web service of the ASCS (ENQ and MSG Central Services) on the SAP ASCS server.
sap_app_server_port_01 HTTP port of the sapstartsrv web service on the first application server.
sap_app_server_port_02 HTTP port of the sapstartsrv web service on the second application Server.
sap_app_server_port_03 HTTP port of the sapstartsrv web service on the third application server.
sap_app_server_port_<n> HTTP port of the sapstartsrv web service on the n application Server.
sap_hana_sql_systemdb_port SQL access port to the system database on the SAP HANA server.
sap_hana_sql_systemdb_user The new SQL user of the system database that was created with ReadOnly permissions.
sap_hana_sql_systemdb_password The new password of sap_hana_sql_systemdb_user that was created with ReadOnly permissions.
ibmcloud_monitoring_instance_url URL for Prometheus remote write endpoint of the monitoring instance. The keyword private. is added to the URL and is used in the Prometheus agent configuration. Example https://ingest.prws.private.eu-de.monitoring.cloud.ibm.com/prometheus/remote/write.
ibmcloud_monitoring_authorization_credentials Credentials for authorization to identify a monitoring instance in the customer account that is used in the Prometheus agent configuration file.

The values for variables such as <ibmcloud_monitoring_instance_url> and <ibmcloud_monitoring_authorization_credentials> are available after you create a monitoring instance. For more information, see Creating of monitoring instance in the IBM Cloud.

You can set up two extra port numbers that you can use on the monitoring host in configuration files and exposed ports. Use the variable <sap_monitoring_nr> to assign a unique variable value for each monitored SAP system. This variable is used to compose the HTTP port numbers as listed in Table 2. Exposed ports for services.

The variable <sap_monitoring_nr> is a two-digit incremental number between 01 and 99. For example, the number 01 is used to map the first (or only one existing) SAP system as sap_monitoring_nr = 01.

The following port numbers are the required port numbers for an SAP system that is used as exposed ports on the monitoring host. The corresponding services are based on the SAP HANA Database exporter variables.

Exposed ports for services
Exposed port numbers Service description
5<sap_monitoring_nr>01 Prometheus agent
5<sap_monitoring_nr>02 hanadb_exporter
5<sap_monitoring_nr>03 sap_host_exporter for the SAP HANA database.
5<sap_monitoring_nr>04 sap_host_exporter for the ABAP Central Service (ASCS) server.
5<sap_monitoring_nr>05 sap_host_exporter is the primary or first SAP Application Server.
5<sap_monitoring_nr>06 sap_host_exporter is the second SAP Application Server.
5<sap_monitoring_nr>07 sap_host_exporter is the third SAP Application Server.

If you have multiple SAP systems, you need to differentiate between them. This means that you have to adjust the configuration file names. That is, the names of the systemd processes and the numbers of the locally exposed HTTP ports.

Checking the firewall settings on the SAP system

IBM Cloud® provides configured ACLs (Access Control Lists) and security groups for each subnet.

On each SAP system, the local operating system firewall and SELinux/AppArmor are disabled by default. If the operating system firewall is enabled, check the firewall settings on each SAP system for SQL ports and SAP instance ports.

If you decide to use the firewalld service, open the ports that are used on the SAP system and on the monitoring host. Use the following commands to allow additional ports in the firewalld service.

    firewall-cmd --zone=public --permanent --add-port ${port_number}/tcp

    systemctl reload firewalld

Creating an SAP HANA database monitoring user with ReadOnly permissions

Create a new SAP HANA database user with ReadOnly permissions for a monitoring role.

Do not use a user with administrator privileges for monitoring of the SAP HANA database.

Run the following commands as the SAP HANA database system administrator user to create a new user for the monitoring role. Use the SAP HANA command line tool hdbsql and execute the commands for all databases. For more information, see the section Determine SAP Parameters.

CREATE USER <sap_hana_sql_systemdb_user> PASSWORD <sap_hana_sql_systemdb_password> \
NO FORCE_FIRST_PASSWORD_CHANGE;
CREATE ROLE HANADB_EXPORTER_ROLE;
GRANT MONITORING TO HANADB_EXPORTER_ROLE;
GRANT HANADB_EXPORTER_ROLE TO <sap_hana_sql_systemdb_user>;

Configuring a user name and password free setup for the monitoring of SAP systems

Configure your SAP System to allow the monitoring queries without user and password authentication.

With default configuration, all sapstartsrv methods that might change the status of the instance or the system are protected methods. Protected methods can be run only after a successful user authentication. Configure the sapstartsrv services that the methods required for the monitoring queries are unprotected.

SDEFAULT -GetQueueStatistic -ABAPGetWPTable -EnqGetStatistic -GetProcessList -GetEnvironment -ABAPGetSystemWPTable

Configure this setting for the following SAP instances:

  • HDB<ID> on the SAP HANA database host
  • ASCS<ID> on the SAP Application Server host
  • D<ID> on all corresponding SAP Application Server hosts

Follow these steps for all sapstartsrv services.

  1. List the instances and instance numbers.

    /usr/sap/hostctrl/exe/lssap

  2. Show the operating system user of the sapstartsrv service.

    ps aux|grep sapstart

  3. Switch the shell to sapstartsrv operating system user.

    su - <OS-user of sapstartsrv>

  4. List the configured web methods by using the instance numbers that were extracted with lssap.

    sapcontrol -nr <ID> -function ParameterValue service/protectedwebmethods

  5. If the output shows the following result,

    SDEFAULT

then, the following configuration is required.

Add a line to the SAP default profile:

  1. List the configuration files.

    sapcontrol -nr <ID> -function ListConfigFiles

  2. Edit the file named /usr/sap/<sid>/SYS/profile/<sid>_<instance-name>_<host-name>

  3. Add a line at the end or change the existing line, if the entry service/protectedwebmethods exists.

    #IBM SAP monitoring
service/protectedwebmethods = SDEFAULT -GetQueueStatistic -ABAPGetWPTable -EnqGetStatistic -GetProcessList -GetEnvironment -ABAPGetSystemWPTable

  4. Save the configuration file without changing the file name.

  5. Restart the corresponding services.

    sapcontrol -nr <ID> -function RestartService

    The restart might take some time.

  6. Check the status by running the following command.

    sapcontrol -nr <ID> -function GetSystemInstanceList

    The status shows GREEN/ GRAY /YELLOW.

    If the service does not return to GREEN, see the troubleshooting section.

  7. Verify that the configuration change was successful.

    sapcontrol -nr <ID> -function ParameterValue service/protectedwebmethods

    The following output is shown, if successful:

    SDEFAULT -GetQueueStatistic -ABAPGetWPTable -EnqGetStatistic -GetProcessList -GetEnvironment –ABAPGetSystemWPTable

Next steps

After checking and preparing the SAP system, you can proceed to the next step Creating of monitoring instance in IBM Cloud®.