All Products
Search
Document Center

Object Storage Service:OSS Backint Agent for SAP HANA

Last Updated:Jun 02, 2026

Back up SAP HANA data directly to Alibaba Cloud OSS through the SAP Backint interface.

Install the agent

  1. Create the configuration directory.

    mkdir -p /usr/sap/<SID>/SYS/global/hdb/opt/hdbconfig/

    Replace <SID> with your SAP HANA system ID, such as HDB.

  2. Download the installation script.

    curl -O https://gosspublic.alicdn.com/oss-backint/v1/install.sh
  3. Run the installation script.

    chmod +x install.sh
    ./install.sh <SID>

    Expected output: <version> has successfully installed.

  4. Verify the installation.

    /usr/sap/HT1/SYS/global/hdb/opt/hdbbackint -v

    Expected output: #SOFTWAREID "backint 1.06" "ALIBABACLOUD OSS 1.0.4"

Configure the agent

Edit the configuration file to set your OSS bucket, region, and credentials:

/usr/sap/<SID>/SYS/global/hdb/opt/hdbconfig/oss-backint-agent.ini

Minimal configuration example:

[default]
bucket-name = my-hana-backup
region = cn-hangzhou
source-profile = ak-pair

[profile ak-pair]
access-key-id = LTAI5t****
access-key-secret = ****

Enable Backint backup

Log on as <sid>adm and run the following SQL statements to enable Backint:

-- Point the catalog, data, and log backup parameter files to the agent configuration file
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('backup', 'catalog_backup_parameter_file') = '/usr/sap/<SID>/SYS/global/hdb/opt/hdbconfig/oss-backint-agent.ini';
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('backup', 'catalog_backup_using_backint') = 'true';
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('backup', 'data_backup_parameter_file') = '/usr/sap/<SID>/SYS/global/hdb/opt/hdbconfig/oss-backint-agent.ini';
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('backup', 'log_backup_parameter_file') = '/usr/sap/<SID>/SYS/global/hdb/opt/hdbconfig/oss-backint-agent.ini';
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('backup', 'log_backup_using_backint') = 'true';

-- Enable continuous log recording for point-in-time recovery
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'log_mode') = 'normal';

Restart the database or run the following command as <sid>adm to apply the changes:

hdbnsutil -reconfig

Verify the configuration

Run a test backup to verify the configuration:

BACKUP DATA USING BACKINT ('oss-backint-agent-test');

If the backup succeeds, the data appears in your OSS bucket under the storage-prefix path (default: SAP-HANA-Backint). Routine backup and recovery procedures are covered in SAP HANA Backup and Recovery.

Additional credential methods

Scenario

Credential method

Description

SAP HANA runs on an ECS instance

ECS RAM role (recommended)

No AccessKey management required. The agent retrieves temporary credentials from instance metadata.

Cross-account backup

RAM role ARN

Uses STS tokens for secure cross-account access.

ACK cluster with RRSA enabled

OIDC

Uses OIDC tokens for pod-level credential isolation.

External key management system

External Process

Retrieves credentials by running a custom command.

ECS RAM role

If SAP HANA runs on an ECS instance, use an ECS RAM role to avoid managing AccessKey pairs. Ensure the instance has a RAM role with OSS access permissions.

source-profile = ecsramrole

[profile ecsramrole]
mode = EcsRamRole
# Optional. The role name is automatically retrieved if not specified.
# ecs-role-name = EcsRamRoleHana

RAM role ARN

To store backup data in an OSS bucket that belongs to a different Alibaba Cloud account, use a RAM role ARN for cross-account authorization.

source-profile = ramrolearn

[profile ramrolearn]
mode = RamRoleArn
access-key-id = yourAccessKeyID
access-key-secret = yourAccessKeySecret
role-arn = acs:ram::113511544585****:role/testrole
role-session-name = session_name_example

OIDC

If SAP HANA runs in a Container Service for Kubernetes (ACK) cluster with RRSA enabled, use OIDC authentication for pod-level credential isolation.

source-profile = oidcrolearn

[profile oidcrolearn]
mode = OidcRoleArn
oidc-provider-arn = acs:ram::113511544585****:oidc-provider/TestOidcProvider
oidc-token-file-path = OIDCTokenFilePath
role-arn = acs:ram::113511544585****:role/testoidc
role-session-name = TestOidcAssumedRoleSession

External Process

If your organization uses an external key management system, configure the agent to retrieve credentials by running a custom command. The command must return a JSON object in one of the following formats:

Long-term credentials:

{
  "AccessKeyId": "yourAccessKeyID",
  "AccessKeySecret": "yourAccessKeySecret"
}

Temporary credentials:

{
  "AccessKeyId": "yourAccessKeyID",
  "AccessKeySecret": "yourAccessKeySecret",
  "Expiration": "2023-12-29T07:45:02Z",
  "SecurityToken": "yourSecurityToken"
}

Configuration example:

source-profile = process

[profile process]
mode = Process
credential-process = /path/to/your/credential-script

Configuration reference

The oss-backint-agent.ini file supports the following parameters.

Parameter

Description

bucket-name

(Required) OSS bucket name.

region

(Required) Bucket region, such as cn-hangzhou.

source-profile

(Required) Credential profile name. Supported profiles are listed in Additional credential methods.

hana-sid

(Required) SAP HANA system ID. Automatically set by the installation script.

endpoint

OSS endpoint. Defaults to the public endpoint for the specified region. To use an internal endpoint, specify it explicitly, such as https://oss-cn-hangzhou-internal.aliyuncs.com.

storage-prefix

Object prefix in the bucket. Default: SAP-HANA-Backint.

object-acl

ACL for backup objects. Valid values: default, private, public-read, and public-read-write.

object-tagging

Tags for backup objects in key-value format. Example: Project=SAP&Environment=Production.

object-storage-class

Storage class for backup objects. Valid values: Standard, IA, Archive, ColdArchive, DeepColdArchive. Archive and colder classes require object restoration before recovery.

server-side-encryption

Server-side encryption method. Valid values: AES256, KMS, SM4. KMS requires server-side-encryption-key-id.

server-side-data-encryption

Data encryption algorithm.

server-side-encryption-key-id

KMS customer master key (CMK) ID.

addressing-style

Endpoint addressing style. Valid values: virtual, path, cname. Default: virtual.

sign-version

Signature algorithm version. Valid values: v1, v4. Default: v4.

read-timeout

Read timeout in seconds. Default: 20.

connect-timeout

Connection timeout in seconds. Default: 10.

retry-times

Maximum retries after failure. Default: 10.

skip-verify-cert

Skip TLS certificate verification. Default: false.

proxy

Proxy server address.

bind-address

Local address to bind for outbound connections.

page-size

Results per page for list operations. Default: 100.

job

Concurrent jobs across files. Default: 5.

big-file-threshold

File size threshold for multipart upload and parallel download, in bytes. Default: 67108864 (64 MiB).

pipe-parallel

Concurrent threads in pipe mode. Default: 3.

pipe-part-size

Part size in pipe mode, in bytes. Maximum backup size per pipe = this value × 10,000. Default: 6291456 (6 MiB), supporting up to ~60 GB. Increase for larger databases.

Peak memory usage formula: job × pipe-parallel × pipe-part-size. For example, with default settings: 5 × 3 × 6 MiB = 90 MiB.

file-parallel

Concurrent threads in file mode. Automatically calculated, maximum 12. Not applicable to SAP HANA (pipe mode).

file-part-size

Part size in file mode, in bytes. Automatically calculated. Not applicable to SAP HANA (pipe mode).

shorten-backup-destination-enabled

Use a shortened OSS backup path. Default: false.
When set to true, the backup path changes from:



oss://<bucket>/<storage-prefix>/<sid>/DB_<user_id>/usr/sap/<sid>/SYS/global/hdb/backint/

to:

oss://<bucket>/<storage-prefix>/<sid>/DB_<user_id>/

log-level

Log level. Valid values: off, info, debug. Default: off.

log-file

Log output file path. Set to - for stdout.