
SAP: SAP HANA Deployment Guide

Last Updated: Nov 13, 2023

Version Control

| Version | Revision Date | Types Of Changes | Effective Date |
|---|---|---|---|
| 1.0 | 2017/12/10 | | |
| 1.1 | 2018/07/31 | 1. Certified IaaS platforms are updated. 2. Part of the content is adjusted and optimized. | 2018/07/31 |
| 1.2 | 2018/11/16 | Certified IaaS platforms are updated. | 2018/11/16 |
| 1.3 | 2019/1/10 | Certified IaaS platforms are updated. | 2019/1/10 |
| 1.4 | 2019/11/29 | Certified operating system is updated. | 2019/11/29 |
| 1.5 | 2020/11/9 | Certified IaaS platforms are updated. | 2020/11/9 |

Overview

SAP HANA is an in-memory, column-oriented, relational database management system developed and marketed by SAP. Its primary function as a database server is to store and retrieve data as requested by applications. In addition, SAP HANA performs high-performance analysis and real-time data processing to address customers’ rapidly growing business analysis requirements.

This deployment guide describes how to plan and deploy the SAP HANA system on Alibaba Cloud ECS, including how to configure the ECS instances, block storage, network, and SUSE Linux Enterprise Server (SLES) operating system. This guide includes the best practices from Alibaba Cloud and SAP.

ECS instance types

This deployment guide describes a memory-optimized instance that runs on the Intel Broadwell architecture and belongs to the ECS enterprise instance type family. The SSD cloud disk and Ultra cloud disk can be used to host data volumes and logs in the SAP HANA database.

Find all certified and supported SAP HANA ECS families in Alibaba Cloud Certified IaaS Platforms.

Alibaba Cloud services

The following table lists services included in the Alibaba Cloud core components used by this deployment guide.

| Services | Description |
|---|---|
| ECS | Elastic Compute Service (ECS) is a type of computing service that features elastic processing capabilities. ECS has a simpler and more efficient management mode than that for the physical server. You can create instances, change the operating system, and add or release any number of ECS instances at any time to fit your business needs. |
| SSD cloud disk | It is applicable to I/O intensive applications, and provides stable and high random IOPS performance. |
| Ultra cloud disk | It is applicable to medium I/O load application scenarios and provides the storage performance of up to 3,000 random read/write IOPS for ECS instances. |
| VPC | The Alibaba Cloud Virtual Private Cloud (VPC) is a private network built on Alibaba Cloud. It is logically isolated from other virtual networks in Alibaba Cloud. VPC enables you to start and use Alibaba Cloud resources in your own defined network. |
| OSS | Alibaba Cloud Object Storage Service (OSS) is a network-based data access service. OSS enables you to store and retrieve structured and unstructured data, including text files, images, audios, and videos. |

Supported SAP HANA and Operating System Versions

The following SAP HANA and operating system versions are supported:

  • HANA1

    • SLES for SAP Applications / SLES 15

      • 15 SP1 (HANA 1.0 SPS12 revision 122.27 and newer)

      • 15 (GA) (HANA 1.0 SPS12 revision 122.21 and newer)

    • SLES for SAP Applications / SLES 12

      • 12 SP4 (HANA 1.0 SPS12 revision 122.22 and newer)

      • 12 SP3 (HANA 1.0 SPS12 revision 122.15 and newer)

      • 12 SP2 (HANA 1.0 SPS12)

      • 12 SP1 (HANA 1.0 SPS12)

  • HANA2

    • SLES for SAP Applications / SLES 15

      • 15 SP1 (HANA 2.0 SPS04 revision 44 and newer)

      • 15 (GA) (HANA 2.0 SPS03 revision 34 and newer)

    • SLES for SAP Applications / SLES 12

      • 12 SP4 (HANA 2.0 SPS03 revision 35 and newer)

      • 12 SP3 (HANA 2.0 SPS02 revision 23 and newer)

      • 12 SP2 (HANA 2.0 SPS01 and newer, up to HANA 2 SPS03)

      • 12 SP1 (HANA 2.0 SPS00 and newer, up to HANA 2 SPS03)

For more details, see SAP Note 2235581.

SAP HANA deployment architecture

SAP HANA supports single-node (scale-up) and multi-node (scale-out) architectures.

Single-node architecture

The following figure shows the single-node architecture of SAP HANA, and its deployment design and disk layout in Alibaba Cloud. You can use OSS to back up your local files in the /hana/backup path. (The size of this mount point must be equal to or greater than the size of the data volume.)

[Figure: sap-hana-implementation-single-node]

Note that the ECS instance for SAP HANA does not have a public IP address, which means that it cannot be accessed from an external network. Instead, a bastion host and SAP HANA Studio must be used for accessing SAP HANA during deployment. The SAP HANA Studio instance and bastion host must be deployed in the same VPC as the SAP HANA instance.

You must provide a Windows host to install SAP HANA Studio, deploy the host instance in the same VPC as the SAP HANA instance, and configure the firewall policies to enable your SAP HANA Studio to connect to the SAP HANA database.

The following components are used when SAP HANA is deployed in a single-node architecture:

  • The ECS instance ecs.se1.14xlarge for the master node of the SAP HANA database, including: 56 vCPUs, 480 GB memory, an SSD cloud disk whose size is greater than 1.5 TB for the data volume, and two SSD cloud disks whose sizes are greater than 512 GB for the log volume and HANA shared volume. See the storage configuration example in Step 7 of Create an SAP HANA instance.

  • A VPC with a custom topology and an IP address range that can be allocated in your selected region. The SAP HANA database and other ECS instances are launched within this VPC. You can use an existing VPC to deploy SAP HANA.

  • An Internet gateway configured for the public egress for your SAP HANA and other instances. This guide assumes that you are using this gateway.

  • ECS security group, used to restrict access between instances.

  • A 2 TB ultra cloud disk for backup of the SAP HANA database.

  • ECS VM ecs.sn2.medium running Windows to host SAP HANA Studio.

  • ECS VM ecs.n1.medium as a bastion host.

Multi-node architecture

The following figure shows the SAP HANA multi-node architecture.

[Figure: sap-hana-implementation-multi-node]

Systems where SAP business applications are deployed must be scaled up.

Because HANA uses a shared-nothing architecture, scale-out systems connect a group of small SAP HANA systems together into one cluster database. As workload demand increases, the multi-node (scale-out) architecture can balance the load across all nodes.

The scale-out architecture consists of one master node and several worker nodes. They are interconnected through a network with a capacity of up to 10 Gbps. Each node has its own /hana/data and /hana/log volumes on the SSD cloud disk, providing consistent and high IOPS I/O services. The master node also serves as an NFS master node for the /hana/shared and /hana/backup volumes, which are mounted on each worker node.

The following components are used when SAP HANA is deployed in a multi-host scale-out architecture:

  • The ECS instance ecs.se1.14xlarge for the master node of the SAP HANA database, including: 56 vCPUs, 480 GB memory, an SSD cloud disk whose size is greater than 1.5 TB for the data volume, and two SSD cloud disks whose sizes are greater than 512 GB for the log volume and HANA shared volume. See the storage configuration example in Step 7 of Create an SAP HANA instance.

  • The ECS instance ecs.se1.14xlarge for the worker node of the SAP HANA database, including: 56 vCPUs, 480 GB memory, an SSD cloud disk whose size is greater than 1.5 TB for the data volume, and two SSD cloud disks whose sizes are greater than 512 GB for the log volume and HANA shared volume.

  • A VPC with a custom topology and an IP address range that can be allocated in your selected region. The SAP HANA database and other ECS instances are launched within this VPC. You can use an existing VPC to deploy SAP HANA.

  • An Internet gateway configured for the public egress for your SAP HANA and other instances. This guide assumes that you are using this gateway.

  • ECS security group, used to restrict access between instances.

  • A 2 TB ultra cloud disk for backup of the SAP HANA database.

  • ECS VM ecs.sn2.medium running Windows to host SAP HANA Studio.

  • ECS VM ecs.n1.medium as a bastion host.

Deploy SAP HANA on Alibaba Cloud

This section describes how to deploy a multi-node SAP HANA on Alibaba Cloud.

Preparations

Alibaba Cloud account

If you do not have an Alibaba Cloud account yet, you can apply for one according to the following process:

  • Perform the registration process. Go to the Alibaba Cloud homepage, and click Free Account on the upper-right of the page.

  • Follow the guidance described in Sign up with Alibaba Cloud.

  • Then, Add a payment method.

SAP HANA installation media

  1. Download SAP HANA installation media.

  2. Please refer to SAP HANA Server Installation and Update.

  3. Activate OSS.

  4. Create a bucket.

    • Go to the OSS console interface.

    • Click Create Bucket. The Create Bucket dialog box is displayed.

    • In the Bucket Name text box, enter the bucket name. The bucket name must comply with the naming rules and must be unique among all existing bucket names in Alibaba Cloud OSS. The bucket name cannot be changed after being created. For more information about bucket naming, see OSS basic concepts.

    • In the Region drop-down box, select the data center of the bucket. The region cannot be changed after being subscribed. To access OSS through the ECS intranet, select the same region as your ECS instance. For more information, see Access domain name.

    • In the Read/Write Permissions drop-down box, select a permission for the bucket.

      • Public-Read-Write: Anyone (including anonymous access) can perform read and write operations on the files in the bucket. Use this permission with caution because the fees incurred by these operations will be borne by the creator of the bucket.

      • Public Read: Only the creator of the bucket can perform write operations on the files in the bucket, while anyone (including anonymous access) can perform read operations on the files.

      • Private: Only the creator of the bucket can perform read/write operations on the files in the bucket. Other users cannot access the files.

    • Click Submit. The bucket is successfully created.

  5. Upload a file.

    • Go to the OSS console.

    • Click the name of the bucket to which you will upload a file to open the bucket management page.

    • Click Object Management to open the page where all files in the bucket are managed.

    • Click Upload File to open the “Select File” dialog box.

    • Select the HANA installation package and click Open. After the file is uploaded, click Refresh to view the uploaded file.

Account management

  1. SAP HANA account

    The SID needs to be specified during SAP HANA installation, and <sid>adm is used as the account for the HANA system (not the account for the HANA database). If this account does not exist, HANA will create one by default. When you create user accounts, do not name them with “adm” as the ending, in case HANA identifies them as the HANA system account and forcibly modifies related information. In addition, in the scale-out scenarios, all nodes must use the same <sid>adm, and uid and gid must be consistent.

  2. System internal account

    Alibaba Cloud will not create any account within the system. The default user in Linux is only the root user. During system use, you can create or delete user accounts as required by the operating system. For example, you can use useradd and userdel to manage your accounts in Linux.

    Create a user: useradd -u <uid> -g <gid> username

    Delete a user: userdel username
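
One way to verify the <sid>adm rules above across scale-out nodes, as an added example that is not part of the original guide: it takes passwd-format text collected from each node (for instance with getent passwd) and reports a missing or inconsistent <sid>adm entry and any other account ending in "adm". The node names, accounts and IDs are constructed, and sapadm is treated as expected because the installer shown in this guide prompts for it.

```python
def parse_passwd(text):
    """Return {account: (uid, gid)} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[2].isdigit() and fields[3].isdigit():
            accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts


def check_sidadm(sid, passwd_by_node):
    """Return a list of (node, kind, detail) issues for the given HANA SID.

    kind is 'missing' (no <sid>adm on the node), 'mismatch' (uid:gid differs
    from the first node that has the account) or 'adm-suffix' (another account
    whose name ends in 'adm').
    """
    sidadm = sid.lower() + "adm"
    issues = []
    reference = None
    for node, text in passwd_by_node.items():
        accounts = parse_passwd(text)
        ids = accounts.get(sidadm)
        if ids is None:
            issues.append((node, "missing", sidadm))
        elif reference is None:
            reference = ids
        elif ids != reference:
            issues.append((node, "mismatch", "%d:%d != %d:%d" % (ids + reference)))
        for name in sorted(accounts):
            # sapadm (SAP Host Agent user) is assumed to be expected on every node.
            if name.endswith("adm") and name not in (sidadm, "sapadm"):
                issues.append((node, "adm-suffix", name))
    return issues


# Constructed passwd excerpts for three nodes of a system with SID AL1.
SAMPLE_NODES = {
    "master": "root:x:0:0:root:/root:/bin/bash\n"
              "al1adm:x:1000:79:SAP HANA:/usr/sap/AL1/home:/bin/sh\n"
              "sapadm:x:1001:79::/home/sapadm:/bin/false\n",
    "worker1": "root:x:0:0:root:/root:/bin/bash\n"
               "al1adm:x:1000:79:SAP HANA:/usr/sap/AL1/home:/bin/sh\n",
    "worker2": "root:x:0:0:root:/root:/bin/bash\n"
               "al1adm:x:1002:79:SAP HANA:/usr/sap/AL1/home:/bin/sh\n"
               "backupadm:x:1003:100::/home/backupadm:/bin/bash\n",
}

if __name__ == "__main__":
    for node, kind, detail in check_sidadm("AL1", SAMPLE_NODES):
        print(node, kind, detail)
```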

Deployment process

Configure a network

  1. Create a VPC and switch

    • Log on to the VPC console.

    • In the left-side navigation pane, click “VPC”.

    • On the VPC list page, select the region where the VPC is located, and click “Create VPC”.

    • In the “Create a VPC” dialog box, enter the VPC name and select the network segment for the VPC.

    You can select one of the following standard network segments for the VPC:

    10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
    172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
    192.168.0.0/16 (192.168.0.0 - 192.168.255.255)

    After the VPC is created, its network segment cannot be modified. We recommend that you use a large network segment to prevent subsequent resizing.

    • Click Create VPC.

      After the VPC is created, a VPC ID is generated. A router is created for the VPC at the same time.

    • Click Next to create a switch.

    • On the Create a Switch tab page, provide the following information, and click Create Switch.

      Name: Specify the switch name.

      Zone: Select the zone of the switch.

      Network segment: Specify the network segment of the switch.

      The network segment of the switch can be the same as that of the VPC to which the switch belongs or the subnet of the VPC network segment. The size of the network segment of the switch must be between a 16-bit netmask and a 29-bit netmask.

      NOTE: If the network segment of your switch is the same as that of the VPC to which your switch belongs, you can only create one switch under the VPC.

    • Click Finish.

      Return to the instance list page, and click the ID link of the created VPC to enter the VPC details page. Check the VPC and switch on the page.

  2. Configure a security group

    About security groups

    A security group is a logical group that consists of instances in the same region with the same security requirements and mutual trust. Each instance belongs to at least one security group, which must be specified at the time of creation. Instances in the same security group can communicate through the network, but instances in different security groups cannot communicate through an intranet by default. Mutual access can be authorized between two security groups.

    A security group is a virtual firewall that provides the stateful packet inspection (SPI) function. Security groups are used to set network access control for one or more ECS instances. As an important means of security isolation, security groups are used to divide security domains on the cloud.

    • Security group restrictions

      • A single security group cannot contain more than 1,000 instances. If you require intranet mutual access between more than 1,000 instances, you can allocate them to different security groups and permit mutual access through mutual authorization.

      • Each instance can join a maximum of five security groups.

      • Each user can have a maximum of 100 security groups.

      • Adjusting security groups will not affect the continuity of a user’s service.

      • Security groups are stateful. If an outbound packet is permitted, inbound packets corresponding to this connection will also be permitted.

      • Security groups have two network types: classic network and VPC.

        • Instances of the classic network type can join security groups on the classic networks in the same region.

        • Instances of the VPC type can join security groups on the same VPC.

    • Security group rules

      • Security group rules can be set to permit or forbid ECS instances associated with security groups to access a public network or an intranet from the inbound and outbound directions.

      • You can authorize or delete security group rules at any time. Security group rules you have changed will automatically apply to ECS instances associated with the security groups. Keep security group rules simple. If you assign multiple security groups to an instance, up to hundreds of rules may apply to the instance, and the network may be disconnected when you access the instance.

      • Security group rule restrictions

        • Each security group can have a maximum of 100 security group rules.

    Security group configuration methods

    • Log on to the ECS console.

    • In the left-side navigation pane, click Security Group.

    • Select the region on which you want to create a security group.

    • Click Create Security Group.

    • Complete rule settings by following the corresponding instructions. We recommend that you keep only the ports for remote access.

    During SAP HANA deployment, a VPC is used. You only need to set the rules in the outbound and inbound directions, without specifying the public network or VPC. The security group rules are blank by default. When creating an ECS instance, make sure that the selected security group contains port 22 (Linux) or 3389 (Windows). Otherwise, you cannot remotely log on to the ECS instance.

    HANA Studio Windows VM

    | Direction | Protocol type | Port range | Authorization object | Remarks |
    |---|---|---|---|---|
    | Inbound | TCP | 3389 | Internet IP address | You must access all IP addresses of HANA Studio. |
    | Outbound | TCP | 1 | 0.0.0.0/0 (all VMs) | You can access any other VMs from a Windows VM. |

    Bastion host

    | Direction | Protocol type | Port range | Authorization object | Remarks |
    |---|---|---|---|---|
    | Inbound | TCP | 22 | Internet IP address | You must access all IP addresses of the bastion host. |
    | Outbound | TCP | 22 | 0.0.0.0/0 (all VMs) | You can access any other VMs from a bastion host. |

For more information about specific ports that SAP needs to access and the related security group rules, see SAP official documentation.
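
A check for the inbound rules described above, as an added example that is not part of the original guide or of Alibaba Cloud's tooling: it reads rules in the JSON shape returned by the ECS DescribeSecurityGroupAttribute API and reports SSH (22) or RDP (3389) rules that accept traffic from every address instead of a specific administrator range. The sample response, group IDs and addresses are constructed.

```python
import ipaddress
import json

# Administrative ports named in this guide: SSH (bastion host) and RDP (HANA Studio VM).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample in the response shape of the ECS DescribeSecurityGroupAttribute API.
# Group IDs are placeholders; 203.0.113.0/24 is a documentation address range.
SAMPLE_RESPONSE = json.loads("""
{
  "SecurityGroupId": "sg-EXAMPLE",
  "Permissions": {"Permission": [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "203.0.113.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "1/65535", "SourceCidrIp": "10.0.0.0/8"},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "", "SourceGroupId": "sg-EXAMPLE2"},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"}
  ]}
}
""")


def port_in_range(port, port_range):
    """PortRange has the form 'start/end'; '-1/-1' stands for all ports."""
    start, end = (int(p) for p in port_range.split("/"))
    return (start, end) == (-1, -1) or start <= port <= end


def audit_ingress(response):
    """Return (port_range, source, service) for admin ports open to every address."""
    findings = []
    for rule in response["Permissions"]["Permission"]:
        if rule.get("Direction") != "ingress":
            continue
        if rule.get("Policy", "").lower() != "accept":
            continue
        if rule.get("IpProtocol", "").upper() not in ("TCP", "ALL"):
            continue
        source = rule.get("SourceCidrIp")
        if not source:
            continue  # rule authorizes another security group, not a CIDR block
        if ipaddress.ip_network(source, strict=False).prefixlen != 0:
            continue  # source is narrower than "every address"
        for port, service in sorted(ADMIN_PORTS.items()):
            if port_in_range(port, rule["PortRange"]):
                findings.append((rule["PortRange"], source, service))
    return findings


if __name__ == "__main__":
    for port_range, source, service in audit_ingress(SAMPLE_RESPONSE):
        print("%s (%s) is open to %s" % (service, port_range, source))
```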

Create an SAP HANA instance

  1. Log on to the Alibaba Cloud ECS product purchase page.

  2. Select Subscription as the billing method.

  3. Select the region and zone.

    Select the region as required. If you have configured a switch, select a zone.

  4. Select “VPC” for the network type.

    After selecting the network type, enter the information about the created or existing VPC and switch. In a multi-node architecture, SAP HANA does not provide external services directly. Therefore, set “Public IP Address” to “Not Allocate”.

  5. Select an instance type.

    Select an instance type that is certified for SAP HANA, that is, “56 vCPU 480GB (ecs.se1.14xlarge)” in the “Memory se1” instance type family of “Series III”.

  6. Select an operating system image.

    The operating system is SUSE Linux Enterprise Server 12 SP1 for SAP Applications. The related images can be obtained from the image marketplace.

  7. Configure storage disks.

    NOTE: After the instance and storage disks are created, open a ticket from the Alibaba Cloud support portal to request special support for using an SSD cloud disk in SAP HANA deployment. Alibaba Cloud support experts will contact you to introduce more details.

  8. Configure initialization information.

    After setting the initial password, click “Create”, and wait several minutes for instance initialization.

  9. Create a bastion host.

    Create a bastion host with one vCPU and 2 GB memory and without additional storage in the same VPC of the same zone by following the preceding steps.

  10. Configure the network for the bastion host.

    There are multiple ways to configure a public IP address now. The elastic IP address (EIP) configuration is used as an example.

    An EIP is a public IP address resource that can be independently bought and held. It can be dynamically bound to or unbound from different ECS instances without stopping the ECS instances.

    • Log on to the EIP console.

    • Click “Apply for EIP”.

    • On the purchase page, select the region, bandwidth peak, and billing method of the EIP, click “Buy Now”, and make the payment.

    • NOTE: The region of the EIP must be the same as that of the ECS instance to which the EIP is to be bound.

    • Return to the EIP list page, select the region of the EIP, and click “Refresh” to check the created EIP instance.

    • Click “Bind”.

    • In the “Bind a Public EIP” dialog box, select the created ECS instance, and click “OK”.

    • After the binding is complete, click “Refresh” on the EIP list page to check the EIP instance status.

    • When the EIP instance status is “Allocated”, the ECS instance to which the EIP is bound can be accessed through a public network.

    • Log on to the ECS instance and run the following command to test access through a public network.

      ping www.aliyun.com

  11. Log on to an instance.

    No public network is configured for the HANA ECS instance currently. Therefore, a bastion host is required for logon to the HANA ECS instance.

  12. Install the SAP HANA database.

    • Create the /hana/data, /hana/log, /hana/shared, and /hana/backup directories.

    • Format and mount the four data disks based on the specifications and relationships of the disks applied in Step 7.

    • Download the SAP HANA installation file from OSS to the local /hana/shared directory.

    • Decompress the SAP HANA installation file and install the SAP HANA database. Note the directory during the installation. The following is an example of installation on the master node:

master:/hana/shared/122.05 # ./hdblcm
SAP HANA Lifecycle Management - SAP HANA 1.00.122.05.1481577062
***************************************************************
Scanning Software Locations...
Detected components:
    SAP HANA Database (1.00.122.05.1481577062) in /hana/shared/122.05/server
Choose installation
  Index | System             | Database Properties
  ------------------------------------------------
  1     | Install new system |  
        |                    |  
  2     | Extract components | 
  3     | Exit (do nothing)  | 
Enter selected system index [3]: 1 --> Newly deployed node
Enter Installation Path [/hana/shared]: --> Select a shared directory
Enter Local Host Name [master]: --> Ensure that the host name can be accessed
Do you want to add additional hosts to the system? (y/n) [n]: n
Enter SAP HANA System ID: AL1 --> Enter the system ID
Enter Instance Number [00]: 00 --> Enter the instance number

  Index | Database Mode       | Description
  -----------------------------------------------------------------------------------------------
  1     | single_container    | The system contains one database
  2     | multiple_containers | The system contains one system database and 1..n tenant databases

Select Database Mode / Enter Index [1]: 

  Index | System Usage | Description
  -------------------------------------------------------------------------------
  1     | production   | System is used in a production environment
  2     | test         | System is used for testing, not production
  3     | development  | System is used for development, not production
  4     | custom       | System usage is neither production, test nor development

Select System Usage / Enter Index [4]: 
Enter Location of Data Volumes [/hana/data/AL1]:  
Enter Location of Log Volumes [/hana/log/AL1]: 
Restrict maximum memory allocation? [n]: 
Enter Certificate Host Name For Host 'master' [master]: 
Enter SAP Host Agent User (sapadm) Password: 
Confirm SAP Host Agent User (sapadm) Password: 
Enter System Administrator (al1adm) Password: --> Enter the password
Confirm System Administrator (al1adm) Password: 
Enter System Administrator Home Directory [/usr/sap/AL1/home]: 
Enter System Administrator Login Shell [/bin/sh]: 
Enter System Administrator User ID [1000]: 
Enter ID of User Group (sapsys) [79]: 
Enter Database User (SYSTEM) Password: --> Enter the password of the database
Confirm Database User (SYSTEM) Password: 
Restart system after machine reboot? [n]: 
Summary before execution:
=========================
SAP HANA Components Installation
   Installation Parameters
      Remote Execution: ssh
      Installation Path: /hana/shared
      Local Host Name: master
      SAP HANA System ID: AL1
      Instance Number: 00
      Database Mode: single_container
      System Usage: custom
      Location of Data Volumes: /hana/data/AL1
      Location of Log Volumes: /hana/log/AL1
      Certificate Host Names: master -> master
      System Administrator Home Directory: /usr/sap/AL1/home
      System Administrator Login Shell: /bin/sh
      System Administrator User ID: 1000
      ID of User Group (sapsys): 79
   Software Components
      SAP HANA Database
         Install version 1.00.122.05.1481577062
         Location: /hana/shared/122.05/server

Do you want to continue? (y/n): y

Installing components...
Installing SAP HANA Database...

The above shows how to set up a single-node HANA environment. To set up a scale-out environment, continue to follow these steps:

  • A master HANA node is created in the preceding steps. Configure NFS services on the node and configure /hana/shared and /hana/backup as shared directories.

  • Repeat steps 1 to 8 to create a worker node VM in the same VPC. Note that only /hana/data and /hana/log are required for storage of the worker node.

  • Mount the /hana/shared and /hana/backup directories of the master node on the worker node.

  • Configure the /etc/hosts file on all nodes to ensure that the relationship between the host name and the IP address of all nodes can be resolved.

  • Run hdblcm on the master node to add a worker node.

Create a Windows instance for SAP HANA Studio

  1. Create an SAP HANA Studio instance by following the above steps 1 to 8. Pay attention to the following:

    • Extra storage space does not need to be configured.

    • A Windows image is required.

    • No public IP address is allocated.

  2. Repeat step 10 in the preceding process to configure a public IP address for the instance.

  3. Connect to the instance through the public IP address.

  4. Install SAP HANA Studio.

Note

Why are the bastion host and SAP HANA Studio required?

No public IP address is configured for the SAP HANA instance. Therefore, a bastion host and SAP HANA Studio are required to access SAP HANA. The SAP HANA Studio instance and bastion host are deployed in the same VPC as the SAP HANA instance. Therefore, they can access each other directly.

Generally, a bastion host runs Linux and is used for SSH access, while SAP HANA Studio is deployed on Windows and is used for HANA management. It is difficult to access a Windows instance directly from a Linux instance. Therefore, a public IP address is configured for the Windows VM so that SAP HANA Studio can be accessed through the Internet.

Connect to SAP HANA

As no public IP address will be configured for your SAP HANA instance in the preceding deployment, you can only connect to the SAP HANA instances through the bastion host using SSH or through SAP HANA Studio deployed in the Windows VM.

  • To connect to SAP HANA through the bastion host, connect the SSH client you select to the bastion host and then to the SAP HANA instance.

  • To connect to the SAP HANA database through SAP HANA Studio, use a remote desktop client to connect to the Windows VM instance. When the connection is established, manually install SAP HANA Studio and access your SAP HANA database.

Post-deployment tasks

Before using your SAP HANA instances, we recommend that you perform the following post-deployment steps.

  • When using custom SUSE Linux Enterprise Server as the operating system for your SAP HANA instances, make sure that the Linux kernel version is at least 3.12.74-60.64.40, so as to prevent HANA performance degradation in some cases. If the kernel version is earlier than 3.12.74-60.64.40, upgrade the kernel to the minimum required version. For more information, see SAP Note 2205917.

  • Update your SAP HANA software to the latest version.

  • Install other additional components, such as Application Function Libraries (AFL) or Smart Data Access (SDA).

  • Configure and back up your new SAP HANA database. For more information, see Guide for backing up and restoring SAP HANA on Alibaba Cloud.
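
A check for the minimum kernel version named in the first post-deployment step, as an added example that is not part of the original guide: it compares release strings field by field as numbers, because plain string comparison ranks 3.12.8 above 3.12.74. The node names and release strings are constructed; on a node the value comes from uname -r.

```python
import re

# Minimum SLES kernel stated in this guide (see SAP Note 2205917).
MIN_KERNEL = "3.12.74-60.64.40"


def kernel_key(release):
    """Turn a release such as '3.12.74-60.64.40-default' into a tuple of ints.

    Parsing stops at the first non-numeric field, so a flavour suffix such as
    '-default' is ignored.
    """
    key = []
    for field in re.split(r"[.-]", release.strip()):
        if not field.isdigit():
            break
        key.append(int(field))
    return tuple(key)


def needs_upgrade(release, minimum=MIN_KERNEL):
    """True when the release is older than the minimum kernel version."""
    return kernel_key(release) < kernel_key(minimum)


def nodes_to_upgrade(releases_by_node, minimum=MIN_KERNEL):
    """Return the sorted names of nodes whose kernel is below the minimum."""
    return sorted(node for node, release in releases_by_node.items()
                  if needs_upgrade(release, minimum))


# Constructed `uname -r` values for a master node and three worker nodes.
SAMPLE_RELEASES = {
    "master": "3.12.74-60.64.40-default",
    "worker1": "3.12.62-60.62-default",
    "worker2": "3.12.8-60.1-default",
    "worker3": "4.4.21-69-default",
}

if __name__ == "__main__":
    for node in nodes_to_upgrade(SAMPLE_RELEASES):
        print("%s: kernel %s is below %s" % (node, SAMPLE_RELEASES[node], MIN_KERNEL))
```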