Bearbeiten

Freigeben über


Configure the database for Azure Application Consistent Snapshot tool

This article provides a guide for configuring the database and the database prerequisites for use with the Azure Application Consistent Snapshot tool (AzAcSnap) that you can use with Azure NetApp Files or Azure Large Instances.

Enable communication with the database

This section explains how to enable communication with the database. Use the following tabs to correctly select the database that you're using.

If you're deploying to a centralized virtual machine, you need to install and set up the SAP HANA client so that the AzAcSnap user can run hdbsql and hdbuserstore commands. You can download the SAP HANA client from the SAP Development Tools website.

The snapshot tools communicate with SAP HANA and need a user with appropriate permissions to initiate and release the database save point. The following example shows the setup of the SAP HANA 2.0 user and hdbuserstore for communication to the SAP HANA database.

The following example commands set up a user (AZACSNAP) in SYSTEMDB on an SAP HANA 2.0 database. Change the IP address, usernames, and passwords as appropriate.

  1. Connect to SYSTEMDB:

    hdbsql -n <IP_address_of_host>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD>
    
    Welcome to the SAP HANA Database interactive terminal.
    
    Type: \h for help with commands
    \q to quit
    
    hdbsql SYSTEMDB=>
    
  2. Create the user. This example creates the AZACSNAP user in SYSTEMDB:

    hdbsql SYSTEMDB=> CREATE USER AZACSNAP PASSWORD <AZACSNAP_PASSWORD_CHANGE_ME> NO FORCE_FIRST_PASSWORD_CHANGE;
    
  3. Grant the user permissions. This example sets the permission for the AZACSNAP user to allow for performing a database-consistent storage snapshot:

    • For SAP HANA releases up to version 2.0 SPS 03:

      hdbsql SYSTEMDB=> GRANT BACKUP ADMIN, CATALOG READ TO AZACSNAP;
      
    • For SAP HANA releases from version 2.0 SPS 04, SAP added new fine-grained privileges:

      hdbsql SYSTEMDB=> GRANT BACKUP ADMIN, DATABASE BACKUP ADMIN, CATALOG READ TO AZACSNAP;
      
  4. Optional: Prevent the user's password from expiring.

    Note

    Check with corporate policy before you make this change.

    The following example disables the password expiration for the AZACSNAP user. Without this change, the user's password could expire and prevent snapshots from being taken correctly.

    hdbsql SYSTEMDB=> ALTER USER AZACSNAP DISABLE PASSWORD LIFETIME;
    
  5. Set up the SAP HANA Secure User Store (change the password). This example uses the hdbuserstore command from the Linux shell to set up the SAP HANA Secure User Store:

    hdbuserstore Set AZACSNAP <IP_address_of_host>:30013 AZACSNAP <AZACSNAP_PASSWORD_CHANGE_ME>
    
  6. Check that you correctly set up the SAP HANA Secure User Store. Use the hdbuserstore command to list the output, similar to the following example. More details on using hdbuserstore are available on the SAP website.

    hdbuserstore List
    
    DATA FILE : /home/azacsnap/.hdb/sapprdhdb80/SSFS_HDB.DAT
    KEY FILE : /home/azacsnap/.hdb/sapprdhdb80/SSFS_HDB.KEY
    
    KEY AZACSNAP
    ENV : <IP_address_of_host>:
    USER: AZACSNAP
    

Using SSL for communication with SAP HANA

AzAcSnap uses SAP HANA's hdbsql command to communicate with SAP HANA. Using hdbsql allows the use of SSL options to encrypt communication with SAP HANA.

AzAcSnap always uses the following options when you're using the azacsnap --ssl option:

  • -e: Enables TLS/SSL encryption. The server chooses the highest available.
  • -ssltrustcert: Specifies whether to validate the server's certificate.
  • -sslhostnameincert "*": Specifies the host name that verifies the server's identity. When you specify "*" as the host name, the server's host name isn't validated.

SSL communication also requires key-store and trust-store files. It's possible for these files to be stored in default locations on a Linux installation. But to ensure that the correct key material is being used for the various SAP HANA systems (for the cases where different key-store and trust-store files are used for each SAP HANA system), AzAcSnap expects the key-store and trust-store files to be stored in the securityPath location. The AzAcSnap configuration file specifies this location.

Key-store files

If you're using multiple system identifiers (SIDs) with the same key material, it's easier to create links into the securityPath location as defined in the AzAcSnap configuration file. Ensure that these values exist for every SID that uses SSL.

  • For openssl: ln $HOME/.ssl/key.pem <securityPath>/<SID>_keystore
  • For commoncrypto: ln $SECUDIR/sapcli.pse <securityPath>/<SID>_keystore

If you're using multiple SIDs with different key material per SID, copy (or move and rename) the files into the securityPath location as defined in the SID's AzAcSnap configuration file.

  • For openssl: mv key.pem <securityPath>/<SID>_keystore
  • For commoncrypto: mv sapcli.pse <securityPath>/<SID>_keystore

When AzAcSnap calls hdbsql, it adds -sslkeystore=<securityPath>/<SID>_keystore to the hdbsql command line.

Trust-store files

If you're using multiple SIDs with the same key material, create hard links into the securityPath location as defined in the AzAcSnap configuration file. Ensure that these values exist for every SID that uses SSL.

  • For openssl: ln $HOME/.ssl/trust.pem <securityPath>/<SID>_truststore
  • For commoncrypto: ln $SECUDIR/sapcli.pse <securityPath>/<SID>_truststore

If you're using multiple SIDs with the different key material per SID, copy (or move and rename) the files into the securityPath location as defined in the SID's AzAcSnap configuration file.

  • For openssl: mv trust.pem <securityPath>/<SID>_truststore
  • For commoncrypto: mv sapcli.pse <securityPath>/<SID>_truststore

The <SID> component of the file names must be the SAP HANA system identifier in all uppercase (for example, H80 or PR1). When AzAcSnap calls hdbsql, it adds -ssltruststore=<securityPath>/<SID>_truststore to the command line.

If you run azacsnap -c test --test hana --ssl openssl, where SID is H80 in the configuration file, it executes the hdbsqlconnections as follows:

hdbsql \
    -e \
    -ssltrustcert \
    -sslhostnameincert "*" \
    -sslprovider openssl \
    -sslkeystore ./security/H80_keystore \
    -ssltruststore ./security/H80_truststore
    "sql statement"

In the preceding code, the backslash (\) character is a command-line line wrap to improve the clarity of the multiple parameters passed on the command line.

Configure the database

This section explains how to configure the database.

Configure SAP HANA

There are changes that you can apply to SAP HANA to help protect the log backups and catalog. By default, basepath_logbackup and basepath_catalogbackup are set so that SAP HANA will put related files into the $(DIR_INSTANCE)/backup/log directory. It's unlikely that this location is on a volume that AzAcSnap is configured to snapshot, so storage snapshots won't protect these files.

The following hdbsql command examples demonstrate setting the log and catalog paths to locations on storage volumes that AzAcSnap can snapshot. Be sure to check that the values on the command line match the local SAP HANA configuration.

Configure the log backup location

This example shows a change to the basepath_logbackup parameter:

hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'basepath_logbackup') = '/hana/logbackups/H80' WITH RECONFIGURE"

Configure the catalog backup location

This example shows a change to the basepath_catalogbackup parameter. First, ensure that the basepath_catalogbackup path exists on the file system. If not, create the path with the same ownership as the directory.

ls -ld /hana/logbackups/H80/catalog
drwxr-x--- 4 h80adm sapsys 4096 Jan 17 06:55 /hana/logbackups/H80/catalog

If you need to create the path, the following example creates the path and sets the correct ownership and permissions. You need to run these commands as root.

mkdir /hana/logbackups/H80/catalog
chown --reference=/hana/shared/H80/HDB00 /hana/logbackups/H80/catalog
chmod --reference=/hana/shared/H80/HDB00 /hana/logbackups/H80/catalog
ls -ld /hana/logbackups/H80/catalog
drwxr-x--- 4 h80adm sapsys 4096 Jan 17 06:55 /hana/logbackups/H80/catalog

The following example changes the SAP HANA setting:

hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'basepath_catalogbackup') = '/hana/logbackups/H80/catalog' WITH RECONFIGURE"

Check log and catalog backup locations

After you make the changes to the log and catalog backup locations, confirm that the settings are correct by using the following command.

In this example, the settings appear as SYSTEM settings. This query also returns the DEFAULT settings for comparison.

hdbsql -jaxC -n <HANA_ip_address> - i 00 -U AZACSNAP "select * from sys.m_inifile_contents where (key = 'basepath_databackup' or key ='basepath_datavolumes' or key = 'basepath_logbackup' or key = 'basepath_logvolumes' or key = 'basepath_catalogbackup')"
global.ini,DEFAULT,,,persistence,basepath_catalogbackup,$(DIR_INSTANCE)/backup/log
global.ini,DEFAULT,,,persistence,basepath_databackup,$(DIR_INSTANCE)/backup/data
global.ini,DEFAULT,,,persistence,basepath_datavolumes,$(DIR_GLOBAL)/hdb/data
global.ini,DEFAULT,,,persistence,basepath_logbackup,$(DIR_INSTANCE)/backup/log
global.ini,DEFAULT,,,persistence,basepath_logvolumes,$(DIR_GLOBAL)/hdb/log
global.ini,SYSTEM,,,persistence,basepath_catalogbackup,/hana/logbackups/H80/catalog
global.ini,SYSTEM,,,persistence,basepath_datavolumes,/hana/data/H80
global.ini,SYSTEM,,,persistence,basepath_logbackup,/hana/logbackups/H80
global.ini,SYSTEM,,,persistence,basepath_logvolumes,/hana/log/H80

Configure the log backup timeout

The default setting for SAP HANA to perform a log backup is 900 seconds (15 minutes). We recommend that you reduce this value to 300 seconds (5 minutes). Then it's possible to run regular backups of these files (for example, every 10 minutes). You can take these backups by adding the log_backup volumes to the OTHER volume section of the configuration file.

hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'log_backup_timeout_s') = '300' WITH RECONFIGURE"

Check the log backup timeout

After you make the change to the log backup timeout, ensure that the timeout is set by using the following command.

In this example, the settings are displayed as SYSTEM settings. This query also returns the DEFAULT settings for comparison.

hdbsql -jaxC -n <HANA_ip_address> - i 00 -U AZACSNAP "select * from sys.m_inifile_contents where key like '%log_backup_timeout%' "
global.ini,DEFAULT,,,persistence,log_backup_timeout_s,900
global.ini,SYSTEM,,,persistence,log_backup_timeout_s,300

Next steps