Back up SAP HANA data directly to Alibaba Cloud OSS through the SAP Backint interface.
Install the agent
-
Create the configuration directory.
mkdir -p /usr/sap/<SID>/SYS/global/hdb/opt/hdbconfig/Replace
<SID>with your SAP HANA system ID, such asHDB. -
Download the installation script.
curl -O https://gosspublic.alicdn.com/oss-backint/v1/install.sh -
Run the installation script.
chmod +x install.sh ./install.sh <SID>Expected output:
<version> has successfully installed. -
Verify the installation.
/usr/sap/HT1/SYS/global/hdb/opt/hdbbackint -vExpected output:
#SOFTWAREID "backint 1.06" "ALIBABACLOUD OSS 1.0.4"
Configure the agent
Edit the configuration file to set your OSS bucket, region, and credentials:
/usr/sap/<SID>/SYS/global/hdb/opt/hdbconfig/oss-backint-agent.ini
Minimal configuration example:
[default]
bucket-name = my-hana-backup
region = cn-hangzhou
source-profile = ak-pair
[profile ak-pair]
access-key-id = LTAI5t****
access-key-secret = ****
Enable Backint backup
Log on as <sid>adm and run the following SQL statements to enable Backint:
-- Point the catalog, data, and log backup parameter files to the agent configuration file
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('backup', 'catalog_backup_parameter_file') = '/usr/sap/<SID>/SYS/global/hdb/opt/hdbconfig/oss-backint-agent.ini';
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('backup', 'catalog_backup_using_backint') = 'true';
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('backup', 'data_backup_parameter_file') = '/usr/sap/<SID>/SYS/global/hdb/opt/hdbconfig/oss-backint-agent.ini';
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('backup', 'log_backup_parameter_file') = '/usr/sap/<SID>/SYS/global/hdb/opt/hdbconfig/oss-backint-agent.ini';
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('backup', 'log_backup_using_backint') = 'true';
-- Enable continuous log recording for point-in-time recovery
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'log_mode') = 'normal';
Restart the database or run the following command as <sid>adm to apply the changes:
hdbnsutil -reconfig
Verify the configuration
Run a test backup to verify the configuration:
BACKUP DATA USING BACKINT ('oss-backint-agent-test');
If the backup succeeds, the data appears in your OSS bucket under the storage-prefix path (default: SAP-HANA-Backint). Routine backup and recovery procedures are covered in SAP HANA Backup and Recovery.
Additional credential methods
|
Scenario |
Credential method |
Description |
|
SAP HANA runs on an ECS instance |
ECS RAM role (recommended) |
No AccessKey management required. The agent retrieves temporary credentials from instance metadata. |
|
Cross-account backup |
RAM role ARN |
Uses STS tokens for secure cross-account access. |
|
ACK cluster with RRSA enabled |
OIDC |
Uses OIDC tokens for pod-level credential isolation. |
|
External key management system |
External Process |
Retrieves credentials by running a custom command. |
ECS RAM role
If SAP HANA runs on an ECS instance, use an ECS RAM role to avoid managing AccessKey pairs. Ensure the instance has a RAM role with OSS access permissions.
source-profile = ecsramrole
[profile ecsramrole]
mode = EcsRamRole
# Optional. The role name is automatically retrieved if not specified.
# ecs-role-name = EcsRamRoleHana
RAM role ARN
To store backup data in an OSS bucket that belongs to a different Alibaba Cloud account, use a RAM role ARN for cross-account authorization.
source-profile = ramrolearn
[profile ramrolearn]
mode = RamRoleArn
access-key-id = yourAccessKeyID
access-key-secret = yourAccessKeySecret
role-arn = acs:ram::113511544585****:role/testrole
role-session-name = session_name_example
OIDC
If SAP HANA runs in a Container Service for Kubernetes (ACK) cluster with RRSA enabled, use OIDC authentication for pod-level credential isolation.
source-profile = oidcrolearn
[profile oidcrolearn]
mode = OidcRoleArn
oidc-provider-arn = acs:ram::113511544585****:oidc-provider/TestOidcProvider
oidc-token-file-path = OIDCTokenFilePath
role-arn = acs:ram::113511544585****:role/testoidc
role-session-name = TestOidcAssumedRoleSession
External Process
If your organization uses an external key management system, configure the agent to retrieve credentials by running a custom command. The command must return a JSON object in one of the following formats:
Long-term credentials:
{
"AccessKeyId": "yourAccessKeyID",
"AccessKeySecret": "yourAccessKeySecret"
}
Temporary credentials:
{
"AccessKeyId": "yourAccessKeyID",
"AccessKeySecret": "yourAccessKeySecret",
"Expiration": "2023-12-29T07:45:02Z",
"SecurityToken": "yourSecurityToken"
}
Configuration example:
source-profile = process
[profile process]
mode = Process
credential-process = /path/to/your/credential-script
Configuration reference
The oss-backint-agent.ini file supports the following parameters.
|
Parameter |
Description |
|
|
(Required) OSS bucket name. |
|
|
(Required) Bucket region, such as |
|
|
(Required) Credential profile name. Supported profiles are listed in Additional credential methods. |
|
|
(Required) SAP HANA system ID. Automatically set by the installation script. |
|
|
OSS endpoint. Defaults to the public endpoint for the specified |
|
|
Object prefix in the bucket. Default: |
|
|
ACL for backup objects. Valid values: |
|
|
Tags for backup objects in key-value format. Example: |
|
|
Storage class for backup objects. Valid values: |
|
|
Server-side encryption method. Valid values: |
|
|
Data encryption algorithm. |
|
|
KMS customer master key (CMK) ID. |
|
|
Endpoint addressing style. Valid values: |
|
|
Signature algorithm version. Valid values: |
|
|
Read timeout in seconds. Default: |
|
|
Connection timeout in seconds. Default: |
|
|
Maximum retries after failure. Default: |
|
|
Skip TLS certificate verification. Default: |
|
|
Proxy server address. |
|
|
Local address to bind for outbound connections. |
|
|
Results per page for list operations. Default: |
|
|
Concurrent jobs across files. Default: |
|
|
File size threshold for multipart upload and parallel download, in bytes. Default: |
|
|
Concurrent threads in pipe mode. Default: |
|
|
Part size in pipe mode, in bytes. Maximum backup size per pipe = this value × 10,000. Default: Peak memory usage formula: job × pipe-parallel × pipe-part-size. For example, with default settings: 5 × 3 × 6 MiB = 90 MiB. |
|
|
Concurrent threads in file mode. Automatically calculated, maximum 12. Not applicable to SAP HANA (pipe mode). |
|
|
Part size in file mode, in bytes. Automatically calculated. Not applicable to SAP HANA (pipe mode). |
|
|
Use a shortened OSS backup path. Default:
to:
|
|
|
Log level. Valid values: |
|
|
Log output file path. Set to |