All Products
Search
Document Center

SAP:IBM Db2 for SAP Deployment Guide

Last Updated:Dec 30, 2022

IBM Db2 for SAP Deployment Guide

Version Control:

Version

Revision Date

Types Of Changes

Effective Date

1.0

2019/2/28

This deployment guide shows you how to deploy the SAP system with IBM Db2 for Windows and Linux on Alibaba Cloud.

For more details about planning your deployment, please kindly refer to IBM Db2 for SAP Planning Guide.

Prerequisites

For SAP administrators who have experience in deploying and running SAP systems on traditional an infrastructure, the following prerequisite knowledge will help to understand some public cloud specific tasks before starting to create an ECS instance for SAP and the SAP system deployment.

Account setup

Creating a VPC and vSwitch

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click VPC.

  3. Choose the region where the VPC is created.

  4. Click Create VPC in the upper-right corner.

  5. In the pop-up dialog, enter a VPC name and select the IP address range for the VPC in the form of a Classless Inter-Domain Routing block.

    Use the one of the following standard CIDR blocks as the IP address range. The CIDR block cannot be modified after you create the VPC.

  6. Click Create VPC.

    A VPC ID is generated after the VPC is created, and a VRouter is created by the system for the VPC.

  7. Click Next Step to create a vSwitch.

  8. In the Create vSwitch tab, provide the following information and click Create vSwitch.

    • Name: Enter a name for the vSwitch.

    • Zone: Select a zone for the vSwitch.

    • CIDR block: Specify the IP address range of the vSwitch in the form of a Classless Inter-Domain Routing block.

    The allowed block size for a vSwitch is between a /16 netmask and /29 netmask, and the CIDR block of the vSwitch can be the same as that of the VPC that it belongs to, or the subset of the VPC CIDR block.

    Note

    Note: If the CIDR block of the vSwitch is the same as that of the VPC, you can only create one vSwitch.

  9. Click Done.

Creating a security group

You can add security group rules to enable or disable access to and from the Internet, intranet, or private networks for ECS instances in the security group. For your VPC network: You only need to set outbound and inbound rules, and do not need different rules for private networks and Internet.

To create a security group, perform the following:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, click Security Groups.

  3. Select a region.

  4. Click Create Security Group.

Adding a security group rule

To add a security group rule, follow these steps:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, select Networks & Security > Security Groups.

  3. Select a region.

  4. Find the security group to add authorization rules, and in the Action column click Configure Rules.

  5. On the Security Group Rules page, click Add Security Group Rules.

    (Optional) If you do not need to enable or disable all ports for all protocols, ICMP, or GRE, you can select Quickly Create Rules.

  6. In the dialog box, set the following parameters:

    • NIC:

      • If the security group is for VPC, you do not need to select the NIC.

        • If your instances can access the Internet, the rules work for both the Internet and intranet.

    • Rule Direction:

      • Outbound: ECS instances access other ECS instances over intranet, private networks, or through Internet resources.

      • Inbound: Other ECS instances in the intranet or private networks and Internet resources access the ECS instance.

    • Authorization Policy: Select Allow or Drop.

    Note

    Note: Drop policy discards the data packet without returning a response. If two security groups overlap except the authorization policy, the Drop rule takes priority over the Allow rule.

    • Protocol Type and Port Range

      The port range setting is affected by the selected protocol type. SAP requires access to certain ports, so add firewall rules to allow access to the ports outlined by SAP. The following table shows the relationship between all major ones.

Protocol type

Port range

Scenarios

All

Shown as -1/-1, indicating all ports.

Used in scenarios:

- No limit to outbound calls;

- Both applications are fully mutually trusted.

RDP

Shown as 3389/3389, the default RDP port 3389.

Shown as 3389/3389, the default RDP port 3389.

SSH

Shown as 22/22, the default SSH port 22.

Used for remotely connecting to Linux instances.

TELNET

Shown as 23/23.

Used to remotely log on to instances by using Telnet.

HTTP

Shown as 80/80.

The instance is used as a server for a website or a web application.

HTTPS

Shown as 443/443.

The instance is used as a server for a website or a web application that supports the HTTPS protocol.

MS SQL

Shown as 1433/1433.

The instance is used as a MS SQL server.

Oracle

Shown as 1521/1521.

The instance is used as an Oracle SQL server.

MaxDB

Shown as 7210/7210.

The instance is used as an MaxDB.

SAP HANA

Shown as 30015-39915.

The instance is used as an SAP HANA.

SAP Dispatcher

Range 3200-3299

Used by SAP GUI for Windows and Java.

SAP Gateway

Range 3300-3399

Used for CPIC and RFC communication.

SAP Message server

Range 3600-3699

Used for SAP message server communication.

For more details, see TCP/IP Ports of All SAP Products

  • Priority

    The smaller the number is, the higher the priority is. For more information on priority, see Security group rule priority.

  • Authorization Type and Authorization Object

    The authorization object affects setting of authorization type. The following table shows the relationship between them.

Authorization type

Authorization object

Address Field Access

Use the IP or CIDR block format such as 10.0.0.0 or 192.168.0.0/24. Only IPv4 addresses are supported. 0.0.0.0/0 indicates all IP addresses.

Security Group Access

Authorize the instances in a security group under your account or another account to access the instances in this security group.

- Authorize This Account: Select a security group under your account.

- Authorize Other Account: Enter the target security group ID and the Account ID. You can view the account ID in Account Management > Security Settings.

For VPC network instances, Security Group Access works for private IP addresses only. If you want to authorize Internet IP address access, use Address Field Access.

  • Click OK to add the security group rule to the specified security group.

Creating an SSH key pair(Linux only)

To create an SSH key pair, follow these steps:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Networks & Security > Key Pairs.

  3. On the Key Pairs page, select a region, and click Create Key Pair.

  4. On the Create Key Pair page, enter a name for the key pair, and select Automatically Create a Key Pair for the Creation Type.

    Note

    Note: The specified key pair name must be unique. It must not match with the existing key pair or a key pair that was deleted when it was still bound to an instance. Otherwise, an error message “The key pair already exists” appears.

  5. Click OK to create a key pair.

    Note

    Note: After a key pair is created, you must download and save the private key for further use. If you do not have the private key, you cannot log on to your ECS instance that is bound to this key pair.

    After creating the key pair, you can view the information, including Key Pair Name and Key Pair Fingerprint, in the key pair list.

Connecting ECS instance from Internet

VPC is a private network established in Alibaba Cloud. VPCs are logically isolated from other virtual networks in Alibaba Cloud. You can use NAT Gateway or EIP (Elastic IP) to connect ECS instances from Internet.

NAT Gateway is an enterprise-class public network gateway that provides NAT proxy services (SNAT and DNAT), up to 10 Gbps forwarding capacity, and cross-zone disaster recovery. As a public network gateway, NAT Gateway requires configured public IPs and bandwidth. Public IPs for NAT Gateway are grouped into abstract groups called shared bandwidth packages.

An EIP address is a type of NAT IP address. It is located in a public network gateway of Alibaba Cloud, and is mapped to the private network interface card (NIC) of the bound ECS instance in the way of NAT. Therefore, the ECS instance bound with the EIP address can communicate with the Internet without disclosing the EIP address on the NIC.

For each ECS instance that runs SAP applications, ECS Metrics Collector needs to be installed. So, your SAP ECS instances also require access to the Internet for SAP system monitoring. There are two ways to enable this access, you should bind an EIP to the ECS instance directly; or you can use a NAT Gateway, configure SNAT for your ECS instances.

Creating a NAT gateway

Create a NAT gateway

  • Log on to the VPC console.

  • In the left-side navigation pane, click NAT Gateway.

  • In the upper-right corner of the NAT Gateway page, click Create NAT Gateway.

  • Configure the NAT gateway with the following information.

Configuration

Description

Region

Select the region of the NAT gateway.

Make sure the regions of the NAT gateway and VPC are the same.

VPC

Choose the VPC for the NAT gateway. Once the gateway is created, you cannot change the VPC.

If you cannot find the required VPC in the VPC list, troubleshoot the following: Check whether the VPC already has a NAT gateway configured. A VPC can be configured with only one NAT gateway.

Check whether a custom route entry, where the destination CIDR block is 0.0.0.0/0, already exists in the VPC. If so, delete this custom route entry.

Specification

Select a specification for the NAT gateway. The specification affects the maximum number of connections and the number of new connections allowed per second for the SNAT proxy service, but does not affect data throughput.

Note: The specification has no impact on the DNAT function. For more details, see Allow ECS instances to provide Internet-facing services by using DNAT.

Billing Cycle

Display the billing cycle.

  • NAT Gateway has different specifications. Different specifications correspond to different performance metrics (maximum connections and the number of new connections per second). The specifications only affect the SNAT performance and have no impact on the DNAT performance.

    The following table lists the available specifications. Generally, for or your SAP solution, small size is OK.

Specification

Max Connection

New Connections Per Second (CPS)

Small

10,000

1,000

Medium

50,000

5,000

Large

200,000

10,000

  • Click Buy Now and complete the creation.

    Note

    Note: The creation of a NAT gateway generally takes 1-5 minutes.

    After the NAT gateway is created, the system automatically creates a DNAT table and an SNAT table. A custom route entry with the destination CIDR block 0.0.0.0/0 pointing to the NAT gateway is automatically added to the VPC route table.

  • Maintain a name for NAT gateway

    In the right side of NAT gateway, choose More and click Edit to change the name of NAT gateway.

    Enter a name for your NET gateway, click OK to finish configuration.

Create a shared bandwidth package
  • Find the target NAT gateway, and click the Buy Shared Bandwidth Package link.

    Note

    Note: If the NAT gateway already has a shared bandwidth package, click Manage and then click Shared Bandwidth Package.

  • On the Shared Bandwidth Package page, click Buy Shared Bandwidth Package again.

  • Configure the shared bandwidth package according to the following information.

Configuration

Description

Public IP count

Select the number of public IPs that you want to purchase. You can adjust the number of public IPs at any time once a shared bandwidth package is created.

You need at least 1 public IP for SNAT to deploy ECS Metrics Collector.

Peak Bandwidth

Set a peak bandwidth.

You can adjust the peak bandwidth at any time.

ISP Type

BGP multi-pathing is used to connect the Internet.

Billing method

The shared bandwidth package is billed based on traffic usage. For more details, see Billing overview.

Billing cycle

Display the billing cycle.

  • Click Buy Now.

    Note

    Note: The creation of a shared bandwidth package generally takes 1-5 minutes.

Creating an Elastic IP (EIP)

Elastic IP (EIP) is a public IP address resource that you can purchase and possess independently. It can be dynamically bound to a VPC ECS instance without restarting the ECS instance.

  1. Log on to the EIP console and click Create EIP.

  2. On the purchase page, select the region, bandwidth, and purchase quantity for the EIP address, and click Buy Now.

  3. Complete the payment.

You can bind an EIP address to an ECS instance in any VPC as needed to make the instance accessible to the Internet, and release it whenever the Internet communication is not needed. Before binding an EIP address to an ECS instance, ensure that the following conditions are met:

  • The regions of the EIP address and ECS instance to be bound are the same.

  • The ECS instance to be bound is not allocated any public IP address.Procedure

  1. Log on to the EIP console.

  2. Choose a region. All Elastic IP addresses under the selected region are displayed.

  3. Click Bind in the Actions column of the target EIP address.

  4. In the Bind dialog box, perform the following operations:

    1. Instance type: Select ECS Instance.

    2. ECS instance: Select the ECS instance to be bound.

    3. Click OK.

After the EIP address is bound to the ECS instance, the ECS instance can communicate with the Internet. Make sure the configured security group rules do not block the Internet access.

RAM service role setup

The monitoring agent ECS Metrics Collector, which is designed for SAP systems running on Alibaba Cloud infrastructure, needs a specific RAM service role setup. Please be noticed that this is just a one-time effort, because it’s effective at your account level. For more information about RAM (Resource Access Management) Role setup, please refer to How to use the instance RAM role on the console.

  1. Log on to the ECS console.

  2. On the left-side navigation pane, click Resource Access Management.

  3. Open Resource Access Management Console, selects the tab Roles, then click Create Role

  4. Select Service Role in step Select Role Type

  5. In step Enter Type, find the service ECS Elastic Compute Service

  6. In step Configure Basic, you need to define a role name. For example, you can add ecs-metrics-collector as the role name. Then click Create

  7. The service role is created. Click Authorize for next steps

  8. Click Edit Authorization Policy. By typing the Policy Name AliyunECSReadOnlyAccess and AliyunCloudMonitorReadOnlyAccess in the search bar, it will be easy for you to pick up the required policy. Select Policy Name AliyunECSReadOnlyAccess and AliyunCloudMonitorReadOnlyAccess and assign it to your RAM service role

  9. Click OK, the policy assignment is completed.

Create and Configure ECS VM

For details of ECS creation and general configuration, please kindly refer to SAP Netweaver Implementation Guide. Within this guide, we just focus on the IBM Db2 specific requirement.

File System Configuration

As mentioned in IBM Db2 for SAP Planning Guide, you need to set specific file system layout. In Linux, you can use either Logical Volume Manager (LVM) to format disks and split it into the required directories or non-LVM. Below you can find an example of using LVM:

Set up file system directory

sudo mkdir -p /db2
sudo mkdir -p /db2/[DB_SID]
sudo mkdir -p /db2/[DB_SID]/log_dir
sudo mkdir -p /db2/[DB_SID]/db2dump
sudo mkdir -p /db2/[DB_SID]/sapdata
sudo mkdir -p /db2/[DB_SID]/saptmp

Initialize the disk or a partition for use by LVM:

pvcreate /dev/vdb /dev/vdc

Create a volume group:

vgcreate db2vg /dev/vdb /dev/vdc

Create logical volumes for each drive with the size needed from your business workload:

lvcreate -L 8G -n db2lv db2vg
lvcreate -L 8G -n db2dbsidlv db2vg
lvcreate -L 30G -n db2logdirlv db2vg
lvcreate -L 10G -n db2dumplv db2vg
lvcreate -L 10G -n db2jldlv db2vg
lvcreate -L 10G -n db2sapdatalv db2vg
lvcreate -L 10G -n db2saptmplv db2vg

Format the volumes:

mkfs.ext3 /dev/db2vg/db2lv
mkfs.ext3 /dev/db2vg/db2dbsidlv
mkfs.ext3 /dev/db2vg/db2logdirlv
mkfs.ext3 /dev/db2vg/db2dumplv
mkfs.ext3 /dev/db2vg/db2jldlv
mkfs.ext3 /dev/db2vg/db2sapdatalv
mkfs.ext3 /dev/db2vg/db2saptmplv

Modify /etc/fstab to mount all above logical volumes

SAP System installation

Once you have provisioned and configured the required ECS instance on Alibaba Cloud, you are ready to begin the installation of the SAP solution. Before that, please refer to the following SAP official guides.

  • System Provisioning Guide

    • Check the section of Installation Guides - Application Server Systems > and find Installing SAP Systems Based on SAP NetWeaver 7.1 and Higher - Using Software Provisioning Manager 1.0 which is appropriate to your database, SAP product release, operating system and technical stack.

  • More specific installation guides for all supported combinations of technologies (ABAP, Java, or ABAP and Java), databases and operating systems, available at:http://support.sap.com/sltoolset

Start SWPM

The Software Provisioning Manager (SWPM) chooses the disk drive with the most free space as an installation suggestion for each component. Be sure to assign the disks to their proper roles in the SWPM dialog boxes.

You can download the latest SWPM as per the SAP note 1680045. You need to verify that you have installed JAVA JDK software on your SAP ECS instance.

Note

Note: When you run SWPM to perform an installation, if you want to connect to the SWPM with the browser, it is required using root user. So the password has to be set for root even if the customer selected to connect with a certificate. After installation, to secure the system, if required, the customer can disable password login within the ssh configuration.

Upgrade SAP kernel

After you have installed SAP NetWeaver, make sure that you apply the latest kernel as described in the Installation Guide, or update the SAP kernel to the minimum supported patch level.

In addition to that, please also make sure it contains the minimum SAP kernel patch level, as described in the SAP note 2533233 - Linux on Alibaba Cloud (IaaS): Adaption of your SAP License.

Check Host Agent version

SAP Host Agent is an agent that can accomplish several life-cycle management tasks, such as operating system monitoring, database monitoring, system instance control and provisioning. Usually SAP Host Agent is automatically started when the operating system is booted. You can also manually control it using the saphostexec program.

You are running SAP in a Linux ECS instance on Alibaba cloud and want to configure Enhanced Monitoring as required by SAP in cloud environments. In addition you should reference SAP Note 2564176

The steps to check SAP Host Agent version, please follow below steps to check version:

On Linuxlinux

  • Login as root, since sidadm user doesn’t have permission for executing SAP HOST AGENT commands

  • navigate to directory where SAP Host Agent is installed

    cd /usr/sap/hostctrl/exe
  • execute command

    ./saphostexec –version

On Windowswindows

  • You are logged on as a member of the local Administrator group.

  • Open a command-line window.

  • Change to the directory where the saphostexec executable of SAP Host Agent is located:

    cd %ProgramFiles%\SAP\hostctrl\exe
  • Execute the following command:

    saphostexec.exe -version

The minimum SAP Host Agent version for Enhanced Monitoring is release 7.21 patch level 32. To include Alibaba cloud performance counters in the SAP enhanced monitoring, SAP has enhanced the SAP Host Agent and its monitoring transaction ST06.

For the required SAP NetWeaver support package levels please check SAP Note 1102124.

Upgrade Host Agent

Please ensure that you run at least the minimum SAP Host Agent version required for the Alibaba Cloud environment. We recommend upgrading SAP Host Agent independently from the SAP instance, either by doing this manually or by configuring automated upgrade.

To update your SAP Host Agent by default on a regular basis, see SAP Note 1473974 - Using the SAP Host Agent Auto Upgrade Feature.

Installation of a scale-out system

In a 3-tier scale-out SAP system, you should deploy several ECS instances as different SAP instances.

  • ASCS: ABAP Central Services Instance, you can install ASCS on independent ECS instance, containing the enqueue server and the message server. There can only be one such instance in the SAP system, and it can be made into a high availability instance.

  • SCS: SAP Central Services, for Java systems the Central Services are referred to as SCS.

  • PAS: Primary Application Server Instance, a primary ECS instance that runs the SAP NetWeaver application server (AS), this ECS instance also hosts a shared file-system that contains the shared profile and must be accessible from each ECS instances which run parts of the same SAP SID. If it’s also used for the transport share it has to be shared with all SAP SIDs using the same transport directories.

    You also can install ASCS or SCS on this primary ECS instance.

  • AAS: Additional Application Server Instances, some number of additional VMs that run the AS, for scaling purposes.

  • DB Instance: An ECS instance that is dedicated to the central database.

  • Everything needs to run in the same zone.

The primary steps are as follows:

  • DB instance: Create the ECS instance that hosts the database and then install the database instance.

  • PAS :

    • Run SWPM on the ECS instance that you want to run SAP NetWeaver.

    • Install central services, ASCS or SCS.

    • Install the AS ABAP or AS JAVA.

    • Connect to the existing database instance.

  • AAS:

    • Run SWPM on each additional ECS instances that you want to run SAP NetWeaver.

    • Install the AAS.

    • Connect to the existing database instance.

    • Point to the network share that contains the profiles and is managed by the primary instance.

Installation of a single-node system

The steps to deploy SAP NetWeaver in a 2-tier configuration on Linux are very similar to the steps for setting up a 3-tier configuration. In a 2-tier configuration:

  • Both SAP NetWeaver and the database instance are installed a single ECS instance.

  • Install the database instance before you install SAP NetWeaver.

Post-Installation

Before using your SAP system with IBM Db2 instance on Alibaba Cloud, it is recommended to perform the following post-installation tasks:

  • Update your IBM Db2 software with the latest patches.

  • Install any additional components based on your usage.

  • Configure and back up your new IBM Db2 database.

For additional post-deployment guidance, see the Post-installation Tasks section of the installation guide that applies to the SAP system that you are using with IBM Db2.