SAP:IBM Db2 for SAP Deployment Guide

Last Updated: Jun 02, 2026

Deploy SAP systems with IBM Db2 on Alibaba Cloud ECS instances running Windows or Linux.

Version Control:

Version

Revision Date

Types Of Changes

Effective Date

1.0

2019/2/28

This guide covers deploying SAP systems with IBM Db2 for Windows and Linux on Alibaba Cloud.

Before you start, review the IBM Db2 for SAP Planning Guide.

Prerequisites

Complete the following cloud-specific prerequisites before you create an ECS instance and deploy the SAP system.

Account setup

Creating a VPC and vSwitch

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click VPC.

  3. Choose the region where the VPC is to be created.

  4. Click Create VPC in the upper-right corner.

  5. Enter a VPC name and select a CIDR block as the IP address range.

    Use one of the standard CIDR blocks. The CIDR block cannot be changed after VPC creation.

  6. Click Create VPC.

    A VPC ID and VRouter are automatically created.

  7. Click Next Step to create a vSwitch.

  8. In the Create vSwitch tab, provide the following information and click Create vSwitch.

    • Name: Enter a name for the vSwitch.

    • Zone: Select a zone for the vSwitch.

    • CIDR block: Specify the IP address range of the vSwitch in the form of a Classless Inter-Domain Routing block.

    The vSwitch CIDR block must be between /16 and /29, and can be the same as or a subset of the VPC CIDR block.

    Note

    If the CIDR block of the vSwitch is the same as that of the VPC, you can only create one vSwitch.

  9. Click Done.
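The following added example (not part of the original guide) checks planned vSwitch CIDR blocks against the rules in step 8 before you enter them in the console. The VPC block, the vSwitch names and the plan are constructed, and the script assumes that vSwitch blocks in one VPC must not overlap, which is what the note about a single vSwitch implies.

```python
import ipaddress


def validate_plan(vpc_cidr, vswitches):
    """Check planned vSwitch blocks against the rules in step 8.

    vswitches is a list of (name, cidr) pairs.
    Returns {name: [problems]}; an empty list means the block is acceptable.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    report, accepted = {}, []
    for name, cidr in vswitches:
        problems = report.setdefault(name, [])
        try:
            # Strict parsing: a block with host bits set is rejected.
            net = ipaddress.ip_network(cidr)
        except ValueError as exc:
            problems.append(f"not a valid CIDR block: {exc}")
            continue
        if not 16 <= net.prefixlen <= 29:
            problems.append(f"/{net.prefixlen} is outside the allowed /16 to /29")
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside the VPC block {vpc}")
        # Assumption: blocks of different vSwitches must not overlap.
        for other_name, other in accepted:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other_name} ({other})")
        if not problems:
            accepted.append((name, net))
    return report


# Constructed sample plan for a VPC that uses 192.168.0.0/16.
VPC = "192.168.0.0/16"
PLAN = [
    ("sap-db", "192.168.1.0/24"),
    ("sap-app", "192.168.2.0/24"),
    ("too-small", "192.168.3.0/30"),
    ("overlap", "192.168.1.128/25"),
    ("outside", "10.0.0.0/24"),
    ("host-bits", "192.168.4.5/24"),
]

if __name__ == "__main__":
    for name, problems in validate_plan(VPC, PLAN).items():
        print(f"{name:10} {'OK' if not problems else '; '.join(problems)}")
```

A vSwitch that takes the whole VPC block passes on its own, and every later vSwitch in the same plan is then reported as overlapping it.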

Creating a security group

Security group rules control inbound and outbound access for ECS instances. In a VPC, you only need to set outbound and inbound rules.

To create a security group:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, click Security Groups.

  3. Select a region.

  4. Click Create Security Group.

Adding a security group rule

To add a security group rule:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, select Networks & Security > Security Groups.

  3. Select a region.

  4. Find the security group to which you want to add authorization rules, and click Configure Rules in the Action column.

  5. On the Security Group Rules page, click Add Security Group Rules.

    (Optional) If you do not need to enable or disable all ports for all protocols, ICMP, or GRE, you can select Quickly Create Rules.

  6. In the dialog box, set the following parameters:

    • NIC:

      • If the security group is for VPC, you do not need to select the NIC.

        • If your instances can access the Internet, the rules work for both the Internet and intranet.

    • Rule Direction:

      • Outbound: ECS instances access other ECS instances over intranet, private networks, or through Internet resources.

      • Inbound: Other ECS instances in the intranet or private networks and Internet resources access the ECS instance.

    • Authorization Policy: Select Allow or Drop.

    Note

    Drop discards packets without a response. If two security group rules overlap, the Drop rule takes priority over Allow.

    • Protocol Type and Port Range

      The port range setting is affected by the selected protocol type. SAP requires access to certain ports, so add firewall rules to allow access to the ports outlined by SAP. The following table lists the major protocol types with their port ranges and scenarios.

| Protocol type | Port range | Scenarios |
| --- | --- | --- |
| All | Shown as -1/-1, indicating all ports. | Used in these scenarios: no limit to outbound calls; both applications are fully mutually trusted. |
| RDP | Shown as 3389/3389, the default RDP port 3389. | Used for remotely connecting to Windows instances. |
| SSH | Shown as 22/22, the default SSH port 22. | Used for remotely connecting to Linux instances. |
| TELNET | Shown as 23/23. | Used to remotely log on to instances by using Telnet. |
| HTTP | Shown as 80/80. | The instance is used as a server for a website or a web application. |
| HTTPS | Shown as 443/443. | The instance is used as a server for a website or a web application that supports the HTTPS protocol. |
| MS SQL | Shown as 1433/1433. | The instance is used as an MS SQL server. |
| Oracle | Shown as 1521/1521. | The instance is used as an Oracle SQL server. |
| MaxDB | Shown as 7210/7210. | The instance is used as a MaxDB server. |
| SAP HANA | Shown as 30015-39915. | The instance is used as an SAP HANA server. |
| SAP Dispatcher | Range 3200-3299 | Used by SAP GUI for Windows and Java. |
| SAP Gateway | Range 3300-3399 | Used for CPIC and RFC communication. |
| SAP Message server | Range 3600-3699 | Used for SAP message server communication. |

All required ports are listed in TCP/IP Ports of All SAP Products.

    • Priority

      Lower numbers indicate higher priority. For details, see Security group rule priority.

    • Authorization Type and Authorization Object

      The authorization object determines the authorization type.

| Authorization type | Authorization object |
| --- | --- |
| Address Field Access | Use the IP or CIDR block format such as 10.0.0.0 or 192.168.0.0/24. Only IPv4 addresses are supported. 0.0.0.0/0 indicates all IP addresses. |
| Security Group Access | Authorize the instances in a security group under your account or another account to access the instances in this security group. Authorize This Account: Select a security group under your account. Authorize Other Account: Enter the target security group ID and the Account ID. You can view the account ID in Account Management > Security Settings. For VPC network instances, Security Group Access works for private IP addresses only. If you want to authorize Internet IP address access, use Address Field Access. |

  7. Click OK to add the security group rule to the specified security group.
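The following added example (not part of the original guide) reviews a set of inbound rules before they are entered, using the port ranges from the table above and the priority and Drop semantics described in this section. The rule records and their field names are constructed and hypothetical, not a console or API format. It assumes that Drop wins over Allow between rules of equal priority and that inbound traffic matching no rule is denied.

```python
import ipaddress

# Sensitive port ranges copied from the table above. HTTP and HTTPS are
# left out because web ports are often meant to be public.
SENSITIVE = {
    "RDP": (3389, 3389), "SSH": (22, 22), "TELNET": (23, 23),
    "MS SQL": (1433, 1433), "Oracle": (1521, 1521), "MaxDB": (7210, 7210),
    "SAP HANA": (30015, 39915), "SAP Dispatcher": (3200, 3299),
    "SAP Gateway": (3300, 3399), "SAP Message server": (3600, 3699),
}

# Constructed sample rules; the field names are hypothetical, not an API schema.
RULES = [
    {"direction": "inbound", "policy": "Allow", "ports": "-1/-1", "source": "0.0.0.0/0", "priority": 100},
    {"direction": "inbound", "policy": "Drop", "ports": "3389/3389", "source": "0.0.0.0/0", "priority": 1},
    {"direction": "inbound", "policy": "Allow", "ports": "22/22", "source": "0.0.0.0/0", "priority": 10},
    {"direction": "inbound", "policy": "Drop", "ports": "22/22", "source": "0.0.0.0/0", "priority": 10},
    {"direction": "inbound", "policy": "Allow", "ports": "3200/3299", "source": "192.168.0.0/24", "priority": 1},
]


def parse_port_range(text):
    """Turn '22/22' into (22, 22); '-1/-1' stands for all ports."""
    start, end = (int(part) for part in text.split("/"))
    if (start, end) == (-1, -1):
        return 1, 65535
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return start, end


def effective_policy(rules, source_ip, port):
    """Decide one inbound connection: lowest priority number first, Drop on ties."""
    ip = ipaddress.ip_address(source_ip)
    matches = []
    for rule in rules:
        low, high = parse_port_range(rule["ports"])
        if (rule["direction"] == "inbound" and low <= port <= high
                and ip in ipaddress.ip_network(rule["source"])):
            matches.append(rule)
    if not matches:
        return "Drop"  # assumption: inbound traffic without a matching rule is denied
    winner = min(matches, key=lambda r: (r["priority"], r["policy"] != "Drop"))
    return winner["policy"]


def internet_exposed(rules, probe_ip="203.0.113.10"):
    """List sensitive services that an arbitrary Internet address can reach.

    probe_ip is a documentation address standing in for any host on the Internet.
    """
    exposed = []
    for name, (low, high) in SENSITIVE.items():
        if any(effective_policy(rules, probe_ip, p) == "Allow"
               for p in range(low, high + 1)):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print("Reachable from the Internet:", internet_exposed(RULES))
```

In the sample, the all-ports Allow rule for 0.0.0.0/0 leaves every database and SAP port reachable except RDP and SSH, which the Drop rules cover. Removing that rule brings the list to empty.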

Creating an SSH key pair (Linux only)

To create an SSH key pair:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Networks & Security > Key Pairs.

  3. On the Key Pairs page, select a region, and click Create Key Pair.

  4. On the Create Key Pair page, enter a name for the key pair, and select Automatically Create a Key Pair for the Creation Type.

    Note

    The key pair name must be unique and must not match an existing key pair or one that was deleted while still bound to an instance.

  5. Click OK to create a key pair.

    Note

    Download and save the private key immediately. You cannot retrieve it later, and you need it to log on to ECS instances bound to this key pair.

    After creating the key pair, you can view the information, including Key Pair Name and Key Pair Fingerprint, in the key pair list.

Connecting ECS instances to the Internet

VPCs are logically isolated private networks in Alibaba Cloud. Use NAT Gateway or EIP to connect ECS instances to the Internet.

NAT Gateway provides SNAT and DNAT proxy services with up to 10 Gbps forwarding capacity and cross-zone disaster recovery. It requires public IPs configured through shared bandwidth packages.

An EIP is a public IP address mapped to a private NIC through NAT, enabling Internet access without exposing the EIP on the instance NIC.

SAP ECS instances require Internet access for ECS Metrics Collector. Bind an EIP directly to the instance, or configure SNAT through a NAT Gateway.

Creating a NAT gateway

Create a NAT gateway

  • Log on to the VPC console.

  • In the left-side navigation pane, click NAT Gateway.

  • In the upper-right corner of the NAT Gateway page, click Create NAT Gateway.

  • Configure the NAT gateway with the following information.

| Configuration | Description |
| --- | --- |
| Region | Select the region of the NAT gateway. Make sure the regions of the NAT gateway and VPC are the same. |
| VPC | Choose the VPC for the NAT gateway. Once the gateway is created, you cannot change the VPC. If you cannot find the required VPC in the VPC list, troubleshoot the following: (1) Check whether the VPC already has a NAT gateway configured. A VPC can be configured with only one NAT gateway. (2) Check whether a custom route entry, where the destination CIDR block is 0.0.0.0/0, already exists in the VPC. If so, delete this custom route entry. |
| Specification | Select a specification for the NAT gateway. The specification affects the maximum number of connections and the number of new connections allowed per second for the SNAT proxy service, but does not affect data throughput. Note: The specification does not affect DNAT. Allow ECS instances to provide Internet-facing services by using DNAT. |
| Billing Cycle | Display the billing cycle. |

  • NAT Gateway specifications affect SNAT performance (maximum connections and CPS) but not DNAT.

    The Small specification is typically sufficient for SAP solutions.

| Specification | Max Connection | New Connections Per Second (CPS) |
| --- | --- | --- |
| Small | 10,000 | 1,000 |
| Medium | 50,000 | 5,000 |
| Large | 200,000 | 10,000 |

  • Click Buy Now and complete the creation.

    Note

    NAT gateway creation takes 1-5 minutes.

    After the NAT gateway is created, the system automatically creates a DNAT table and an SNAT table. A custom route entry with the destination CIDR block 0.0.0.0/0 pointing to the NAT gateway is automatically added to the VPC route table.

  • Maintain a name for the NAT gateway

    On the right side of the NAT gateway entry, choose More and click Edit to change the name of the NAT gateway.

    Enter a name for your NAT gateway and click OK to finish the configuration.

Create a shared bandwidth package

  • Find the target NAT gateway, and click the Buy Shared Bandwidth Package link.

    Note

    If a shared bandwidth package already exists, click Manage and then Shared Bandwidth Package.

  • On the Shared Bandwidth Package page, click Buy Shared Bandwidth Package again.

  • Configure the shared bandwidth package according to the following information.

| Configuration | Description |
| --- | --- |
| Public IP count | Select the number of public IPs that you want to purchase. You can adjust the number of public IPs at any time once a shared bandwidth package is created. You need at least 1 public IP for SNAT to deploy ECS Metrics Collector. |
| Peak Bandwidth | Set a peak bandwidth. You can adjust the peak bandwidth at any time. |
| ISP Type | BGP multi-pathing is used to connect to the Internet. |
| Billing method | Billed based on traffic usage. For details, see Billing overview. |
| Billing cycle | Display the billing cycle. |

  • Click Buy Now.

    Note

    Shared bandwidth package creation takes 1-5 minutes.

Creating an Elastic IP (EIP)

An EIP is an independent public IP address that you can dynamically bind to a VPC ECS instance without restarting.

  1. Log on to the EIP console and click Create EIP.

  2. On the purchase page, select the region, bandwidth, and purchase quantity for the EIP address, and click Buy Now.

  3. Complete the payment.

Before binding an EIP to an ECS instance, ensure the following:

  • The regions of the EIP address and ECS instance to be bound are the same.

  • The ECS instance to be bound is not allocated any public IP address.

Procedure

  1. Log on to the EIP console.

  2. Choose a region. All Elastic IP addresses under the selected region are displayed.

  3. Click Bind in the Actions column of the target EIP address.

  4. In the Bind dialog box, perform the following operations:

    1. Instance type: Select ECS Instance.

    2. ECS instance: Select the ECS instance to be bound.

    3. Click OK.

After the EIP address is bound to the ECS instance, the ECS instance can communicate with the Internet. Make sure the configured security group rules do not block the Internet access.

RAM service role setup

ECS Metrics Collector requires a RAM service role. This is a one-time account-level setup. For details, see How to use the instance RAM role on the console.

  1. Log on to the ECS console.

  2. On the left-side navigation pane, click Resource Access Management.

  3. In the Resource Access Management console, select the Roles tab, and then click Create Role.

  4. In the Select Role Type step, select Service Role.

  5. In the Enter Type step, find the service ECS Elastic Compute Service.

  6. In the Configure Basic step, define a role name, for example ecs-metrics-collector, and then click Create.

  7. The service role is created. Click Authorize to continue.

  8. Click Edit Authorization Policy. Type the policy names AliyunECSReadOnlyAccess and AliyunCloudMonitorReadOnlyAccess in the search bar to find the required policies, then select both and assign them to your RAM service role.

  9. Click OK to complete the policy assignment.

Create and Configure ECS VM

General ECS setup is covered in the SAP Netweaver Implementation Guide. This section covers IBM Db2-specific requirements.

File System Configuration

Set up the file system layout as specified in the IBM Db2 for SAP Planning Guide. On Linux, use LVM or non-LVM. The following example uses LVM:

Set up the file system directories:

sudo mkdir -p /db2
sudo mkdir -p /db2/[DB_SID]
sudo mkdir -p /db2/[DB_SID]/log_dir
sudo mkdir -p /db2/[DB_SID]/db2dump
sudo mkdir -p /db2/[DB_SID]/sapdata
sudo mkdir -p /db2/[DB_SID]/saptmp

Initialize the disk or a partition for use by LVM:

pvcreate /dev/vdb /dev/vdc

Create a volume group:

vgcreate db2vg /dev/vdb /dev/vdc

Create logical volumes for each drive with the size needed from your business workload:

lvcreate -L 8G -n db2lv db2vg
lvcreate -L 8G -n db2dbsidlv db2vg
lvcreate -L 30G -n db2logdirlv db2vg
lvcreate -L 10G -n db2dumplv db2vg
lvcreate -L 10G -n db2jldlv db2vg
lvcreate -L 10G -n db2sapdatalv db2vg
lvcreate -L 10G -n db2saptmplv db2vg

Format the volumes:

mkfs.ext3 /dev/db2vg/db2lv
mkfs.ext3 /dev/db2vg/db2dbsidlv
mkfs.ext3 /dev/db2vg/db2logdirlv
mkfs.ext3 /dev/db2vg/db2dumplv
mkfs.ext3 /dev/db2vg/db2jldlv
mkfs.ext3 /dev/db2vg/db2sapdatalv
mkfs.ext3 /dev/db2vg/db2saptmplv

Modify /etc/fstab to mount all of the logical volumes above.

SAP System installation

After provisioning and configuring the ECS instance, install the SAP system. Review the following SAP guides first.

  • System Provisioning Guide

    • In the section Installation Guides - Application Server Systems, find Installing SAP Systems Based on SAP NetWeaver 7.1 and Higher - Using Software Provisioning Manager 1.0 for your database, SAP product release, operating system and technical stack.

  • More specific installation guides for all supported combinations of technologies (ABAP, Java, or ABAP and Java), databases and operating systems are available at: http://support.sap.com/sltoolset

Start SWPM

The Software Provisioning Manager (SWPM) chooses the disk drive with the most free space as an installation suggestion for each component. Be sure to assign the disks to their proper roles in the SWPM dialog boxes.

Download the latest SWPM as described in SAP Note 1680045. Verify that the Java JDK is installed on your SAP ECS instance.

Note

Browser-based SWPM access requires the root user. Set a root password even if you use certificate-based authentication. After installation, you can disable password login in the SSH configuration.

Upgrade SAP kernel

After you have installed SAP NetWeaver, make sure that you apply the latest kernel as described in the Installation Guide, or update the SAP kernel to the minimum supported patch level.

Also make sure that it meets the minimum SAP kernel patch level described in SAP Note 2533233 - Linux on Alibaba Cloud (IaaS): Adaption of your SAP License.

Check Host Agent version

SAP Host Agent handles lifecycle management tasks including OS monitoring, database monitoring, and instance control. It starts automatically at boot and can be managed with the saphostexec program.

Configure Enhanced Monitoring as required by SAP in cloud environments. See SAP Note 2564176.

To check the SAP Host Agent version:

On Linux

  • Log in as root, because the sidadm user does not have permission to execute SAP Host Agent commands.

  • Navigate to the directory where SAP Host Agent is installed:

    cd /usr/sap/hostctrl/exe

  • Execute the following command:

    ./saphostexec -version

On Windows

  • You are logged on as a member of the local Administrator group.

  • Open a command-line window.

  • Change to the directory where the saphostexec executable of SAP Host Agent is located:

    cd %ProgramFiles%\SAP\hostctrl\exe

  • Execute the following command:

    saphostexec.exe -version

Enhanced Monitoring requires SAP Host Agent release 7.21 patch level 32 or later. SAP enhanced the Host Agent and ST06 transaction to include Alibaba Cloud performance counters.

For the required SAP NetWeaver support package levels please check SAP Note 1102124.

Upgrade Host Agent

Run at least the minimum SAP Host Agent version required for Alibaba Cloud. Upgrade the Host Agent independently from the SAP instance, either manually or through automated upgrade.

To configure automatic updates, use the auto-upgrade feature described in SAP Note 1473974.

Installation of a scale-out system

A 3-tier scale-out SAP system requires multiple ECS instances for different SAP components.

  • ASCS: ABAP Central Services instance. It contains the enqueue server and the message server, and you can install it on an independent ECS instance. There can be only one such instance in the SAP system, and it can be made into a high availability instance.

  • SCS: SAP Central Services. For Java systems, the Central Services are referred to as SCS.

  • PAS: Primary Application Server instance. A primary ECS instance that runs the SAP NetWeaver application server (AS). This ECS instance also hosts a shared file system that contains the shared profile and must be accessible from each ECS instance that runs parts of the same SAP SID. If it is also used for the transport share, it has to be shared with all SAP SIDs using the same transport directories.

    You can also install ASCS or SCS on this primary ECS instance.

  • AAS: Additional Application Server instances. A number of additional VMs that run the AS, for scaling purposes.

  • DB Instance: An ECS instance that is dedicated to the central database.

  • Everything needs to run in the same zone.

The primary steps are as follows:

  • DB instance: Create the ECS instance that hosts the database and then install the database instance.

  • PAS:

    • Run SWPM on the ECS instance that you want to run SAP NetWeaver.

    • Install central services, ASCS or SCS.

    • Install the AS ABAP or AS JAVA.

    • Connect to the existing database instance.

  • AAS:

    • Run SWPM on each additional ECS instance that you want to run SAP NetWeaver.

    • Install the AAS.

    • Connect to the existing database instance.

    • Point to the network share that contains the profiles and is managed by the primary instance.

Installation of a single-node system

A 2-tier deployment is similar to 3-tier, with these differences:

  • Both SAP NetWeaver and the database instance are installed on a single ECS instance.

  • Install the database instance before you install SAP NetWeaver.

Post-Installation

Complete the following tasks before using your SAP system with IBM Db2 on Alibaba Cloud:

  • Update your IBM Db2 software with the latest patches.

  • Install any additional components based on your usage.

  • Configure and back up your new IBM Db2 database.

Additional tasks are described in the Post-installation Tasks section of the installation guide for your SAP system.