Prerequisites
A running SAP HANA system is a prerequisite. This guide doesn't detail the installation of the SAP HANA database or the SAP NetWeaver solution.
This document outlines the necessary steps a user must follow to successfully implement a monitoring solution for SAP.
Gather SAP parameters
Gather the following parameter values from an existing SAP system running in IBM Cloud. These values are required by the SAP HANA DB exporter, which will be installed and configured on the x86_64 Virtual Server Instance running in IBM Cloud VPC.
For more information, see Determine SAP Parameters.
Parameters from HANA DB server
- IPv4 address of the SAP HANA DB server.
- SQL access port to the system database on the SAP HANA server.
- HTTP port of the sapstartsrv web service on the SAP HANA server.
- SQL user credentials of the system database. If you want to create a user with ReadOnly permissions, see Creating a Read only system user.
Parameters from SAP NetWeaver server
- IPv4 address of server where the SAP ASCS instance is running.
- IPv4 address of server where the SAP PAS instance is running.
- IPv4 address of server where the SAP AAS instance is running (if any).
- HTTP port of the sapstartsrv web service on the server where the SAP ASCS instance is running (for ENQ and MSG services).
- HTTP port of the sapstartsrv web service on the server where the SAP PAS instance is running.
- HTTP port of the sapstartsrv web service on the server where the SAP AAS instance is running (if any).
The following port numbers will be exposed from the x86_64 virtual server instance running in IBM Cloud VPC, which serves as a monitoring host. The corresponding services are based on the SAP HANA Database exporter variables.
Exposed port numbers | Service description |
---|---|
5<sap_monitoring_nr>01 | Prometheus agent |
5<sap_monitoring_nr>02 | hanadb_exporter |
5<sap_monitoring_nr>03 | sap_host_exporter for the SAP HANA database. |
5<sap_monitoring_nr>04 | sap_host_exporter for the ABAP Central Service (ASCS) server. |
5<sap_monitoring_nr>05 | sap_host_exporter for the primary or first SAP Application Server. |
5<sap_monitoring_nr>06 | sap_host_exporter for the second SAP Application Server. |
5<sap_monitoring_nr>07 | sap_host_exporter for the third SAP Application Server. |
If you have multiple SAP systems, you need to differentiate between them. This means that you have to adjust the configuration file names. That is, the names of the systemd processes and the numbers of the locally exposed HTTP ports.
Check firewall settings on the SAP system
IBM Cloud® provides configured ACLs (Access Control Lists) and security groups for each subnet.
- On each SAP system, the local operating system firewall and SELinux/AppArmor are disabled by default.
- If the operating system firewall is enabled, check the firewall settings on each SAP system for SQL ports and SAP instance ports.
- If you decide to use the firewalld service, open the ports that are used on the SAP system and on the monitoring host (x86_64 Virtual Server Instance running in IBM Cloud VPC).
- Use the following commands to allow additional ports in the firewalld service.
firewall-cmd --zone=public --permanent --add-port ${port_number}/tcp
systemctl reload firewalld
Creating an SAP HANA database monitoring user with ReadOnly permission (Optional)
Skip this step if you already have a read-only user and want to use that same SAP HANA database user for the monitoring role.
Do not use a user with administrator privileges for monitoring of the SAP HANA database.
To create a new SAP HANA database user with ReadOnly permissions for a monitoring role, run the following commands:
- as the SAP HANA database system administrator user.
- using the SAP HANA command line tool hdbsql.
For more information, see the section Determine SAP Parameters.
CREATE USER <sap_hana_sql_systemdb_user> PASSWORD <sap_hana_sql_systemdb_password> NO FORCE_FIRST_PASSWORD_CHANGE;
CREATE ROLE HANADB_EXPORTER_ROLE;
GRANT MONITORING TO HANADB_EXPORTER_ROLE;
GRANT HANADB_EXPORTER_ROLE TO <sap_hana_sql_systemdb_user>;
Setting Up passwordless authentication for SAP monitoring
Configure your SAP System to allow the monitoring queries without user and password authentication.
By default, all sapstartsrv methods that can modify the status of an instance or the system are classified as protected methods. These methods can only be executed after successful user authentication. To enable monitoring without authentication, configure the sapstartsrv service so that the methods required for monitoring queries are treated as unprotected.
SDEFAULT -GetQueueStatistic -ABAPGetWPTable -EnqGetStatistic -GetProcessList -GetEnvironment -ABAPGetSystemWPTable
Configure this setting for the following SAP instances:
- HDB<ID> on the SAP HANA database host
- ASCS<ID> on the SAP Application Server host
- D<ID> on all corresponding SAP Application Server hosts
Follow these steps for all sapstartsrv services.
- List the instances and instance numbers.
  /usr/sap/hostctrl/exe/lssap
- Show the operating system user of the sapstartsrv service.
  ps aux|grep sapstart
- Switch the shell to sapstartsrv operating system user.
  su - <OS-user of sapstartsrv>
- List the configured web methods by using the instance numbers that were extracted with lssap.
  sapcontrol -nr <ID> -function ParameterValue service/protectedwebmethods
- If the output shows the following result,
  SDEFAULT
  then, the following configuration is required.
  Add a line to the SAP default profile:
- List the configuration files.
  sapcontrol -nr <ID> -function ListConfigFiles
- Edit the file named
  /usr/sap/<sid>/SYS/profile/<sid>_<instance-name>_<host-name>
- Add a line at the end or change the existing line, if the entry service/protectedwebmethods exists.
  #IBM SAP monitoring
  service/protectedwebmethods = SDEFAULT -GetQueueStatistic -ABAPGetWPTable -EnqGetStatistic -GetProcessList -GetEnvironment -ABAPGetSystemWPTable
- Save the configuration file without changing the file name.
- Restart the corresponding services.
  sapcontrol -nr <ID> -function RestartService
  The restart might take some time.
- Check the status by running the following command.
  sapcontrol -nr <ID> -function GetSystemInstanceList
  The status shows GREEN / GRAY / YELLOW. If the service does not return to GREEN, see the troubleshooting section.
- Verify that the configuration change was successful.
  sapcontrol -nr <ID> -function ParameterValue service/protectedwebmethods
  The following output is shown, if successful:
  SDEFAULT -GetQueueStatistic -ABAPGetWPTable -EnqGetStatistic -GetProcessList -GetEnvironment -ABAPGetSystemWPTable
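The verification in the last step can be scripted so that it also flags any method unprotected beyond the six this guide lists, and any token pasted with a non-ASCII dash. This is an added example, not part of the original guide or of IBM or SAP tooling; the function name and finding labels are its own, and it assumes you pass the parameter value shown by sapcontrol as a single string.

```shell
#!/bin/sh
# Added example (not IBM or SAP code): audit a service/protectedwebmethods value.
# Methods this guide removes from the protected set:
MONITORING_METHODS="GetQueueStatistic ABAPGetWPTable EnqGetStatistic \
GetProcessList GetEnvironment ABAPGetSystemWPTable"

# audit_protectedwebmethods "<value>": prints one finding per line and returns
# 0 only when the value is exactly SDEFAULT minus the six monitoring methods.
audit_protectedwebmethods() {
    value=$1 rc=0 seen=""
    set -f; set -- $value; set +f      # split on whitespace, no globbing
    if [ "${1:-}" != "SDEFAULT" ]; then
        echo "BASE: first token is '${1:-}', expected SDEFAULT"; rc=1
    fi
    [ $# -gt 0 ] && shift
    for tok in "$@"; do
        case $tok in
            -*) name=${tok#-} ;;
            *)  # e.g. an en dash pasted from a rendered page instead of '-'
                echo "MALFORMED: '$tok' does not start with ASCII '-'"; rc=1
                continue ;;
        esac
        case " $MONITORING_METHODS " in
            *" $name "*) seen="$seen $name" ;;
            *) echo "EXTRA: $name is unprotected but not in the monitoring list"; rc=1 ;;
        esac
    done
    for m in $MONITORING_METHODS; do
        case " $seen " in
            *" $m "*) ;;
            *) echo "MISSING: $m is still protected"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the SAP default, before the guide's change is applied.
audit_protectedwebmethods "SDEFAULT" || echo "-> profile change still required"
```

Run it once per instance (HDB, ASCS and each D instance) with the value returned for that instance number; an EXTRA finding means the profile line exposes more than monitoring needs.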
Next steps
After the prerequisites are met, you can proceed to the next step Creating an IBM Cloud Monitoring Instance.