Skip to main content

Configuring SAP Host Agent

 How to Configure SAP Hostagent ?

To understand what is a SAP Hostagent and how it is installed and used , SAP Hostagent Introduction


Whenever we talk about SAP Hostagent Configuration these are the things that needs to be discussed, We are already aware that port used for sap hostagent is 1128

1. Enabling SAP Host Agent Registration in SLD 

2. SSL Configuration of SAP Host Agent 

3. Enable Audit Log

4. Binding only specific IP



Enabling SAP Host Agent Registration in SLD 

Now let's understand the need of it we obviously need to link our saphostagent with the SLD (SLD), To enable the automatic registration in SLD we need to configure the connectivity information using the command line tool sldreg.

This topic is somehow centered towards connection with SOLMAN , Prerequisite to enable this configuration is obviously that SAP Hostagent is already installed.

Note :

1. Is you selected to add SLD during data service installation . this enabling procedure would have been automatically done\
2. This process involves creation of both slddest.cfg and slddest.cfg.key and both are required for the SLD to work.

Configuring :

1. Login as root user or from administrator group in case of windows
2. Navigate to hostctrl executable files in case of linux cd /usr/sap/hostctrl/exe
3. Run the sldreg (SLD registration tool) ./sldreg -configure slddest.cfg     [slddest-> sld destination]
4. As mentioned it is sld destination you need to fill the destination configuration

sld destiination configuration file has following data 

UserName : SLD user which has assigned role DataSupplierID
Password : password of the above user 
Host : SLD host
Port Number : port of SLD that needs to be used
Specify to use http/https: Protocol that needs to be used

sldreg will automatically create slddest.cfg.key while performing the configuration , that key will be use by the DataSupplier user to push the information to SLD.

5. Confirm that the slddest.cfg file is in stored in encrypted file
6. Take a hostagent restart ./saphostexec -restart

Note : In order to SLD registration to work SLDReg must be running in <LINK_DIR>/sldreg otherwise all the files need to be manually copied to this directory

In order to check if the registration was done properly you can log in to https://<hotname>:<port >/sld , Choose your technical system and the registered host is displayed

Your local host is registered to SLD now.

SSL Configuration of SAP Host Agent 

Main steps are as followed :-

1. Preparing the environment for SAP Cryptographic Library

2. Preparing the pse (personal security environment ) for the server

3. Preparing the pse (personal security environment ) for the client

4. Establishing trust between the client and sap hostagent

5. Allowing the client to issue admin commands 

Prerequisite would be that saphostagent is already installed and login as root user 

If you are using the default naming server proceed as mentioned [path where pse files are stored] ,if you want to override the default[default path] .pse name you can see the following value for host_profile.

ssl/server_pse = <path to server pse> 

The server PSE contains the server certificate that is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates


1. Create a directory to store pse files

mkdir /usr/sap/hostctrl/exe/sec

2. Assign the ownership to sapadm:sapsys top the sec folder

3. Shared Dynamic Library (Shared / Dynamic Libraries ) should be understood here 

Set up the shared library search path ( LD_LIBRARY_PATHLIBPATH or SHLIB_PATH) and SECUDIR environment variables, and change to the exe directory of SAP Host Agent

export LD = /usr/sap/hostctrl/exe/
export SECUDIR = /usr/sap/hostctrl/exe/sec

To avoid issue with sapgense tool we give exact path in SECUDIR (sapgenpse)

4. Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR)

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x <password> -r /tmp/myhost-csr.p10 "CN=myhost.wdf.sap.corp, O=SAP AG, C=DE"

This command creates a PSE file named SAPSSLS.pse (name is fixed), which can be used to authenticate myhost.wdf.sap.corp for incoming SSL connections. The access to the PSE file is protected with a password. Use the -r option to direct the certificate signing request to a file, or omit it if you intend to copy and paste the CSR into a web formular.

5. Grant SAP Hostagent access to the server pse

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x <password> -O sapadm


6. Get the CA Certificate [We generally have a separate team which performs this] So to request for this certificate you need to share the file which was generate in step 4 , the CSR which was saved in tmp/myhost-csr.p10  needs to be sent along with request will revert with CA-response-file which contains the signed certificate in the PKCS#7 format.

7. Import the signed server in the pse

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x <password> -c /tmp/myhost.p7b

8. Verify the server certificate 

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x <password> -v

9. Restart SAP Hostagent 

10. Prepare PSE for the client : This is application dependent so read the manual of the application to check the SAP Hostagent


Enable Audit Log

The operating systems which are supported by Host Agent have built-in means of audit logging. On UNIX and Linux, SAP Host Agent uses the syslog (/var/log/messages), and in Windows the Application Eventlog. The user can decide if audit logging is done using OS means or provide a file to which all audit messages are written. Audit logging is disabled by default. You can enable and configure it using host_profile parameters.

1. Edit the host_profile in /usr/sap/hostctrl/exe/ [executable path for hostctrl]

2. host_profile 

Parameters : service/auditlevel =0/1 1 will enable audit logging

service/auditlogfile = |If an audit logfile is provided by the user, SAP Host Agent uses the <FILE_NAME> logfile in the SAP Host Agent’s work directory for audit logging. Eventlog and Syslog are not used in this case. If the file does not exist, it is created by SAP Host Agent.

service/auditlogfilesize : If an audit logfile is provided, the user can decide to which extent the logfile is allowed to grow. All sizes must be given in MB (Megabyte). If the configured size is exceeded, the current audit logfile is saved to <FILENAME>.old and a new audit logfile is created. If the size is set to 0 or if the parameter is not configured at all, the audit logfile can grow unlimitedly.

Binding only specific IP


You can configure SAP Host agent only to accept network connections for specific IP addresses or host names

1. Specify the following value in the host_profile of the SAP Host Agent:

service/hostname = <host_name>

or

service/hostname = <IP_Address>


2. Restart saphostagent , saphostexec -restart 


We can also configure as Network Access Control  List using SAP note 1495075


How to check which ip as bound with host


<hostagent exe path > netstat -tlnp | grep 1128


Read more :

Comments

You might find these interesting

How to properly Start/Stop SAP system through command line ?

Starting/stopping an SAP system is not a critical task, but the method that most of us follow to achieve this is sometimes wrong. A common mistake that most of the SAP admins do is, making use of the 'startsap' and 'stopsap' commands for starting/stopping the system.  These commands got deprecated in 2015 because the scripts were not being maintained anymore and SAP recommends not to use them as many people have faced errors while executing those scripts. For more info and the bugs in scripts, you can check the sap note 809477.  These scripts are not available in kernel version 7.73 and later. So if these are not the correct commands, then how to start/stop the sap system?  In this post, we will see how to do it in the correct way. SAP SYSTEM VS INSTANCE In SAP, an instance is a group of resources such as memory, work processes and so on, usually in support of a single application server or database server with...

sapstartsrv is not started or sapcontrol is not working

 What is sapstartsrv ? The SAP start service runs on every computer where an instance of an SAP system is started. It is implemented as a service on Windows, and as a daemon on UNIX. The process is called  sapstartsrv.exe   on Windows, and   sapstartsrv   on UNIX platforms. The SAP start service provides the following functions for monitoring SAP systems, instances, and processes. Starting and stopping Monitoring the runtime state Reading logs, traces, and configuration files Technical information, such as network ports, active sessions, thread lists, etc. These services are provided on SAPControl SOAP Web Service, and used by SAP monitoring tools (SAP Management Console,  SAP NetWeaver  Administrator, etc.). For more understanding use this link : https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/enUS/b3/903925c34a45e28a2861b59c3c5623/content.htm?no_cache=true How to check if it is working or not ? In case of linux , you can simply ps -ef | grep s...

HANA System Replication - Prerequisites & Setup

Hey Folks! Welcome back to Hana high availability blog series. In our last blog we checked out operation & replication modes in hana system replication. If you haven't gone though that blog, you can checkout  this link In this blog we will be talking about the prerequisites of hana replication and it's setup. So let's get started. When we plan to setup hana system replication, we need to make sure that all prerequisite steps have been followed. Let's have a look at these prerequisites. HANA System Replication Prerequisites: Primary & secondary systems should be up & running HDB version of secondary should be greater than or equal to Primary database sever But, for Active/Active(read enabled config), HDB version should be same on both sites. System configuration/ini files should be identical on both sides Replication happe...

HANA hdbuserstore

The hdbuserstore (hana secure user store) is a tool which comes as an executable with the SAP Hana Client package. This secure user store allows you to store SAP HANA connection information, including user passwords, securely on clients. With the help of secure store, the client applications can connect to SAP HANA without the user having to enter host name or logon credentials. You can also use the secure store to configure failover support for application servers in a 3-tier scenario (for example, SAP Business Warehouse) by storing a list of all the hosts that the application server can connect to. To access the system using secure store, there are two connect options: (1)key and (2)virtualHostName. key is the hdbuserstore key that you use to connect to SAP HANA, while virtualHostName specifies the virtual host name. This option allows you to change where the hdbuserstore searches for the data and key files. Note...

ST03N : The chapter for all BASIS Admins

This blog is targeted to BASIS ADMINS Transaction for workload analysis statistical data changed over time are monitored using transaction code ST03 , now ST03N (from SAP R/3 4.6C) . With SAP Web AS 6.4 the transaction ST03 is available again. From time to time ST03 and ST03N has seen many changes but later in SAP NW7.0 ST03N has reworked in detail specially processing time is now shown in separate column. Main Use of ST03N  is to get detailed information on performance of any ABAP based SAP system. Workload monitor analyzes the statistical data originally collected by kernel. You can compare or analyze the performance of a single application server or multiple application server. Using this you start checking from the entire system and finding your way to that one application server and narrowing down to exact issue. By Default :- You see data of current day as default view , you can change the default view. Source of the image : sap-perf.ca Let's discuss the WORKLO...

SAP application log tables: BALHDR (Application Log: Header Data) and BALDAT (Application Log: Detail Data)

  BALHDR (Application Log: Header Data): Usage : The BALHDR table stores the header information for application logs. It serves as a central repository for managing and organizing log entries. Example Data Stored: The table may contain entries for various system activities, such as error messages, warnings, or information logs generated during SAP transactions or custom programs. Columns Involved: LOGNUMBER: Unique log number assigned to each log entry. OBJECT: Identifies the object associated with the log entry (e.g., a program, transaction, or process). SUBOBJECT: Further categorizes the object. USERNAME: User ID of the person who created the log entry. TIME: Date and time when the log entry was created. ADD_OBJECT: Additional information or details related to the log entry. BALDAT (Application Log: Detail Data): Usage : The BALDAT table contains the detailed data for each log entry, linked to the corresponding entry in the BALHDR table. It stores the specific log details an...

Work Process and Memory Management in SAP

Let’s talk about the entire concepts that are related to memory when we talk about SAP Application. Starting with few basic terminologies, Local Memory :  Local process memory, the operating system keeps the two allocation steps transparent. The operating system does the other tasks, such as reserving physical memory, loading and unloading virtual memory into and out of the main memory. Shared Memory :  If several processes are to access the same memory area, the two allocation steps are not transparent. One object is created that represents the physical memory and can be used by various processes. The processes can map the object fully or partially into the address space. The way this is done varies from platform to platform. Memory mapped files, unnamed mapped files, and shared memory are used.  Extended Memory : SAP extended memory is the core of the SAP memory management system. Each SAP work process has a part reserved in its virtual address space for extended memory...

How to resolve Common Error : Standard Template "sap_sm.xls" missing

Hey everyone, putting forward a common error we usually face when we have “ Excel inplace” functionality enabled in our SAP system. This error occurs when validity of the signature of SAP standard templates expired or were incorrectly delivered via support packages. We can reproduce the error by doing as below.. Click on “spreadsheet” icon after any SAP ALV grid view of data is on screen to make this data to export into excel directly from SAP.

ABAP Dumps Analysis

Ever now and then have you heard about ABAP Dumps, We also have a joke everything in temporary in life except ABAP dumps for SAP Consultants. Lets try to understand ABAP dumps from perspective of a SAP BASIS Consultant. Dumps happen when an ABAP program runs and something goes wrong that cannot be handled by the program We have two broad categories of Dumps , In custom program Dumps and SAP provided program Dumps. Dumps that happen in the customer namespace ranges (i.e. own-developed code) or known as Custom Program , can usually be fixed by the ABAP programmer of your team. Dumps that happen in SAP standard code probably need a fix from SAP. You do not have to be an "ABAPer" in order to resolve ABAP dump issues. The common way to deal with them is to look up in ST22 How to correct the error ? Hints are given for the keywords that may be used to search on the note system. Gather Information about the issue  Go to System > Status and Check the Basis SP level as well as info...

SAP HANA System Replication - Operation Mode & Replication Mode

Hey Folks! Welcome back to Hana high availability blog series. In our last blog we checked out what is hana system replication and how it basically works. If you haven't gone through that blog, you can checkout link In this blog we will be talking about the replication modes and operation modes in hana system replication. So let's get started. When we setup the replication and register the secondary site, we need to decide the operation mode & replication mode we want to choose for replication. For now we won't focus on setting up replication as we'll cover it in our next blogs.  Operation Modes in Hana System Replication: There are three operation modes available in system replication: delta_datashipping, logreplay and logreplay_readaccess. Default operation mode is logreplay. 1. Delta_datashipping: In this operation mode initially one full data shipping is done as part of replication setup and then a delta data shipping takes place occasionally in addition to cont...