你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
Configure the database for Azure Application Consistent Snapshot tool
This article provides a guide for configuring the database and the database prerequisites for use with the Azure Application Consistent Snapshot tool (AzAcSnap) that you can use with Azure NetApp Files or Azure Large Instances.
Enable communication with the database
This section explains how to enable communication with the database. Use the following tabs to correctly select the database that you're using.
If you're deploying to a centralized virtual machine, you need to install and set up the SAP HANA client so that the AzAcSnap user can run hdbsql
and hdbuserstore
commands. You can download the SAP HANA client from the SAP Development Tools website.
The snapshot tools communicate with SAP HANA and need a user with appropriate permissions to initiate and release the database save point. The following example shows the setup of the SAP HANA 2.0 user and hdbuserstore
for communication to the SAP HANA database.
The following example commands set up a user (AZACSNAP
) in SYSTEMDB on an SAP HANA 2.0 database. Change the IP address, usernames, and passwords as appropriate.
Connect to SYSTEMDB:
hdbsql -n <IP_address_of_host>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD>
Welcome to the SAP HANA Database interactive terminal. Type: \h for help with commands \q to quit hdbsql SYSTEMDB=>
Create the user. This example creates the
AZACSNAP
user in SYSTEMDB:hdbsql SYSTEMDB=> CREATE USER AZACSNAP PASSWORD <AZACSNAP_PASSWORD_CHANGE_ME> NO FORCE_FIRST_PASSWORD_CHANGE;
Grant the user permissions. This example sets the permission for the
AZACSNAP
user to allow for performing a database-consistent storage snapshot:For SAP HANA releases up to version 2.0 SPS 03:
hdbsql SYSTEMDB=> GRANT BACKUP ADMIN, CATALOG READ TO AZACSNAP;
For SAP HANA releases from version 2.0 SPS 04, SAP added new fine-grained privileges:
hdbsql SYSTEMDB=> GRANT BACKUP ADMIN, DATABASE BACKUP ADMIN, CATALOG READ TO AZACSNAP;
Optional: Prevent the user's password from expiring.
Note
Check with corporate policy before you make this change.
The following example disables the password expiration for the
AZACSNAP
user. Without this change, the user's password could expire and prevent snapshots from being taken correctly.hdbsql SYSTEMDB=> ALTER USER AZACSNAP DISABLE PASSWORD LIFETIME;
Set up the SAP HANA Secure User Store (change the password). This example uses the
hdbuserstore
command from the Linux shell to set up the SAP HANA Secure User Store:hdbuserstore Set AZACSNAP <IP_address_of_host>:30013 AZACSNAP <AZACSNAP_PASSWORD_CHANGE_ME>
Check that you correctly set up the SAP HANA Secure User Store. Use the
hdbuserstore
command to list the output, similar to the following example. More details on usinghdbuserstore
are available on the SAP website.hdbuserstore List
DATA FILE : /home/azacsnap/.hdb/sapprdhdb80/SSFS_HDB.DAT KEY FILE : /home/azacsnap/.hdb/sapprdhdb80/SSFS_HDB.KEY KEY AZACSNAP ENV : <IP_address_of_host>: USER: AZACSNAP
Using SSL for communication with SAP HANA
AzAcSnap uses SAP HANA's hdbsql
command to communicate with SAP HANA. Using hdbsql
allows the use of SSL options to encrypt communication with SAP HANA.
AzAcSnap always uses the following options when you're using the azacsnap --ssl
option:
-e
: Enables TLS/SSL encryption. The server chooses the highest available.-ssltrustcert
: Specifies whether to validate the server's certificate.-sslhostnameincert "*"
: Specifies the host name that verifies the server's identity. When you specify"*"
as the host name, the server's host name isn't validated.
SSL communication also requires key-store and trust-store files. It's possible for these files to be stored in default locations on a Linux installation. But to ensure that the correct key material is being used for the various SAP HANA systems (for the cases where different key-store and trust-store files are used for each SAP HANA system), AzAcSnap expects the key-store and trust-store files to be stored in the securityPath
location. The AzAcSnap configuration file specifies this location.
Key-store files
If you're using multiple system identifiers (SIDs) with the same key material, it's easier to create links into the securityPath
location as defined in the AzAcSnap configuration file. Ensure that these values exist for every SID that uses SSL.
- For
openssl
:ln $HOME/.ssl/key.pem <securityPath>/<SID>_keystore
- For
commoncrypto
:ln $SECUDIR/sapcli.pse <securityPath>/<SID>_keystore
If you're using multiple SIDs with different key material per SID, copy (or move and rename) the files into the securityPath
location as defined in the SID's AzAcSnap configuration file.
- For
openssl
:mv key.pem <securityPath>/<SID>_keystore
- For
commoncrypto
:mv sapcli.pse <securityPath>/<SID>_keystore
When AzAcSnap calls hdbsql
, it adds -sslkeystore=<securityPath>/<SID>_keystore
to the hdbsql
command line.
Trust-store files
If you're using multiple SIDs with the same key material, create hard links into the securityPath
location as defined in the AzAcSnap configuration file. Ensure that these values exist for every SID that uses SSL.
- For
openssl
:ln $HOME/.ssl/trust.pem <securityPath>/<SID>_truststore
- For
commoncrypto
:ln $SECUDIR/sapcli.pse <securityPath>/<SID>_truststore
If you're using multiple SIDs with the different key material per SID, copy (or move and rename) the files into the securityPath
location as defined in the SID's AzAcSnap configuration file.
- For
openssl
:mv trust.pem <securityPath>/<SID>_truststore
- For
commoncrypto
:mv sapcli.pse <securityPath>/<SID>_truststore
The <SID>
component of the file names must be the SAP HANA system identifier in all uppercase (for example, H80
or PR1
). When AzAcSnap calls hdbsql
, it adds -ssltruststore=<securityPath>/<SID>_truststore
to the command line.
If you run azacsnap -c test --test hana --ssl openssl
, where SID
is H80
in the configuration file, it executes the hdbsql
connections as follows:
hdbsql \
-e \
-ssltrustcert \
-sslhostnameincert "*" \
-sslprovider openssl \
-sslkeystore ./security/H80_keystore \
-ssltruststore ./security/H80_truststore
"sql statement"
In the preceding code, the backslash (\
) character is a command-line line wrap to improve the clarity of the multiple parameters passed on the command line.
Configure the database
This section explains how to configure the database.
Configure SAP HANA
There are changes that you can apply to SAP HANA to help protect the log backups and catalog. By default, basepath_logbackup
and basepath_catalogbackup
are set so that SAP HANA will put related files into the $(DIR_INSTANCE)/backup/log
directory. It's unlikely that this location is on a volume that AzAcSnap is configured to snapshot, so storage snapshots won't protect these files.
The following hdbsql
command examples demonstrate setting the log and catalog paths to locations on storage volumes that AzAcSnap can snapshot. Be sure to check that the values on the command line match the local SAP HANA configuration.
Configure the log backup location
This example shows a change to the basepath_logbackup
parameter:
hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'basepath_logbackup') = '/hana/logbackups/H80' WITH RECONFIGURE"
Configure the catalog backup location
This example shows a change to the basepath_catalogbackup
parameter. First, ensure that the basepath_catalogbackup
path exists on the file system. If not, create the path with the same ownership as the directory.
ls -ld /hana/logbackups/H80/catalog
drwxr-x--- 4 h80adm sapsys 4096 Jan 17 06:55 /hana/logbackups/H80/catalog
If you need to create the path, the following example creates the path and sets the correct ownership and permissions. You need to run these commands as root.
mkdir /hana/logbackups/H80/catalog
chown --reference=/hana/shared/H80/HDB00 /hana/logbackups/H80/catalog
chmod --reference=/hana/shared/H80/HDB00 /hana/logbackups/H80/catalog
ls -ld /hana/logbackups/H80/catalog
drwxr-x--- 4 h80adm sapsys 4096 Jan 17 06:55 /hana/logbackups/H80/catalog
The following example changes the SAP HANA setting:
hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'basepath_catalogbackup') = '/hana/logbackups/H80/catalog' WITH RECONFIGURE"
Check log and catalog backup locations
After you make the changes to the log and catalog backup locations, confirm that the settings are correct by using the following command.
In this example, the settings appear as SYSTEM
settings. This query also returns the DEFAULT
settings for comparison.
hdbsql -jaxC -n <HANA_ip_address> - i 00 -U AZACSNAP "select * from sys.m_inifile_contents where (key = 'basepath_databackup' or key ='basepath_datavolumes' or key = 'basepath_logbackup' or key = 'basepath_logvolumes' or key = 'basepath_catalogbackup')"
global.ini,DEFAULT,,,persistence,basepath_catalogbackup,$(DIR_INSTANCE)/backup/log
global.ini,DEFAULT,,,persistence,basepath_databackup,$(DIR_INSTANCE)/backup/data
global.ini,DEFAULT,,,persistence,basepath_datavolumes,$(DIR_GLOBAL)/hdb/data
global.ini,DEFAULT,,,persistence,basepath_logbackup,$(DIR_INSTANCE)/backup/log
global.ini,DEFAULT,,,persistence,basepath_logvolumes,$(DIR_GLOBAL)/hdb/log
global.ini,SYSTEM,,,persistence,basepath_catalogbackup,/hana/logbackups/H80/catalog
global.ini,SYSTEM,,,persistence,basepath_datavolumes,/hana/data/H80
global.ini,SYSTEM,,,persistence,basepath_logbackup,/hana/logbackups/H80
global.ini,SYSTEM,,,persistence,basepath_logvolumes,/hana/log/H80
Configure the log backup timeout
The default setting for SAP HANA to perform a log backup is 900
seconds (15 minutes). We recommend that you reduce this value to 300
seconds (5 minutes). Then it's possible to run regular backups of these files (for example, every 10 minutes). You can take these backups by adding the log_backup
volumes to the OTHER
volume section of the
configuration file.
hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'log_backup_timeout_s') = '300' WITH RECONFIGURE"
Check the log backup timeout
After you make the change to the log backup timeout, ensure that the timeout is set by using the following command.
In this example, the settings are displayed as SYSTEM
settings. This query also returns the DEFAULT
settings for comparison.
hdbsql -jaxC -n <HANA_ip_address> - i 00 -U AZACSNAP "select * from sys.m_inifile_contents where key like '%log_backup_timeout%' "
global.ini,DEFAULT,,,persistence,log_backup_timeout_s,900
global.ini,SYSTEM,,,persistence,log_backup_timeout_s,300