Managing your SAP landscape efficiently is key for any organization, both from an IT to business perspective. This is especially true when you are running your system in the cloud. In this regard, Google released a free-of-charge adapter for SAP LaMa, which allows you now to assess this part of the cloud journey on GCP.
In this 2-part article, I will explain and show you how to proceed with this adapter, but also highlight the available operations.
SAP LaMa Adapter for GCP
Before starting any action and to guarantee the success of the exercise, it is important to do some research on our subjects.
Here is a collection of guides, references, and SAP Notes to be reviewed.
Note that these references differ from the previous article, so take the time to review them.
SAP Notes
3051302 - SAP Landscape Management 3.0 SP20
2039615 - Managing system landscapes with SAP Landscape Management Enterprise Edition
3078321 - Google Cloud Connector for SAP Landscape Management (LaMa) 3.x, enterprise edition
2456432 - SAP Applications on Google Cloud: Supported Products and GCP VM types
2488113 - Discover SAP HANA Multitenant Database Containers in SAP LaMa 3.0
2844322 - SAP HANA Platform 2.0 SPS 05 Release Note
Guides
SAP Landscape Management 3.0, Enterprise Edition
SAP Landscape Management 3.0, Enterprise Edition, Developer Guide
Knowledge Base
SAP on Google Cloud Documentation
What and how to articulate it?
Before diving into the technical detail about the process and the solution, let’s first review some comprehensive and basic understanding.
If you are reading this article you might be already familiar with the SAP LaMa product, If not I’m here to share
😉.
By design SAP LaMa comes with two (2) built-in cloud adapter, Azure and AWS, so in order to provide clients the ability to use the tool in its true form, Google has decided to release its own adapter (free of charge) for you to install.
SAP LaMa default Adapter
Let’s have a look now at how to articulate SAP LaMa, here I’m referring to the deployment of SAP LaMa itself. You can run it on a hybrid model (different platform than GCP) which will be required for you to have a dedicated service account with the necessary permission to authenticate and administer your managed system in the project they belong to or at the upper level.
You will also need to think about your connectivity and DNS resolution.
SAP LaMa Adapter Option 1
The other option will be to run your SAP LaMa instance in GCP directly. Will this be simple? Yes, but you need to be mindful of some requirements, including:
- You will need to run SAP LaMa on a certified VM for SAP workload, you will find the certified VMs on the SAP Note 2456432—SAP Applications on Google Cloud: Supported Products and GCP VM types
- Make sure that you have the required API scope activated for VM instance
- Finally, just like for the on-prem option, a dedicated service account.
SAP LaMa Adapter Option 2
Prepare your managed system
We know what it takes now for the SAP LaMa portion, so let’s dive in and prepare the managed environment. The 3 following components will need to be deployed on your remote system:
- SAP Host Agent 7.21 PL51 or higher required
- SAP Adaptive Extension 1.0 EXT PL61 or higher
- Host Agent Extensions for Google Cloud
SAP LaMa GCP Host Extension
I will not detail how to install the Host Agent and Adaptive Extension. Instead, I will focus on the install of the GCP Host Agent Extension. Note that the package extension is part of the full package for SAP LaMa.
I start by downloading the package by running wget $(curl https://storage.googleapis.com/cloudsapdeploy/lama-connector/LATEST.txt) and extract the content.
GCP Connector Download
And finally, run the install.sh script.
GCP Connector Script Installation
Make sure to have the operations.d folder in the exe repository. The script will copy all the necessary libraries for LaMa to perform GCP actions.
I will recommend you to take a GMI (Google Machine Image) once your system preparation is completed, by doing so you will have a standard based image for your future deployment.
However, be mindful of the OS version or release (SLES vs SLES for SAP).
From the GCP console, under Compute Engine, select Machine Images and create your image from the source vm.
Google Machine Image
Authentication and Access Control
In order for SAP LaMa to interact with GCP resources, a service account will be required whatever scenario you envision (on-prem/GCP). I would recommend you to create a dedicated user for more control and visibility.
In the project, I want to manage my sap environment, I will first create a custom role that will be assigned to my service account. From the GCP console, under IAM & Admin select Roles.
GCP Role Console
And create a new role, provide the necessary information and most important give the right set of permissions.
GCP Custom Role Creation
From the Add permission, filter the role and select compute/admin.
GCP Role Permission
The list of permissions will show up, you can select all of them but the problem if you do that is the fact that your user will inherit unnecessary permissions which can create a security breach.
Instead of typing everything out, 😉 I will lead you to the following page for the full list of permission: Required IAM resource permissions for the Connector for LaMa
SAP LaMa Full Custom Permission
Once created you will see your custom role.
SAP LaMa Custom Enabled
Let’s create the service account from the GCP console now, under IAM & Admin, select Service Accounts and + Create Service Account.
GCP Service Account Creation
The creation of the account is pretty straightforward. Simply give a name and provide the custom role created in the earlier step.
GCP Service Account Role Assignment
Once created, select your service account and click on the KEYS tab to create a key. This one will be used for connectivity purposes since we don’t specify the password for the SA.
GCP Service Account KEYS
Create the new Key and use the JSON format.
Service Account Key Creation
Service Account Key JSON Format
Note that the key might be downloaded automatically on your laptop, hold it we will open it later.
Service Account Key Active and Download
Install and Configure the SAP LaMa Adapter for GCP
So, now that our GCP environment is prepared to hold and manage the SAP environment by SAP LaMa, I’m going to proceed with the installation of the adapter.
First of all, to allow the communication between the adapter and GCP API, a Google CA certificate is needed, go to the Google Trust Services at https://pki.goog/repository/
Google CA Certificate Repository
From the Subordinate CAs, download the GTS CA 1C3 certificate
Google GTS CA Certificate Download
And upload the certificate from NWA.
SAP Netweaver Certificates and Keys
From the Key Storage Views, select TrustedCAs and click on Import Entry.
SAP Netweaver TruestedCAs
Import the certificate as X.509
Import Google Certificate
Once done you should have the following:
Google Certificate Details
We also want to avoid using IPv6 from SAP LaMa, I will add the following parameter in the Java System Properties and restart your instance.
Netweavre IPv6 avoid
We are now ready to proceed with the installation of the adapter, I will run the installation by using the j2ee deployment script. My ear adapter is stored in my /tmp/sap location.
SAP LaMa GCP Connector Deployment
Once done, from SAP LaMa interface the new Google Adapter is now available so I can make the necessary configuration.
SAP LaMa Cloud Manager
I will click next and provide my label and monitoring interval, but because I’m using a dedicated service account, I will past the content of my private JSON key generated earlier in the “Service Account” field under Additional Properties.
Note that the value needs to be in one line from { to }
GCP Service Account Key Content Detail
SAP LaMa Cloud Manager GCP Configuration
Before saving, test the configuration to ensure it’s all good.
GCP Cloud Adapter Testing
Because the adapter brings capabilities to compute and storage operations, on Storage Manager and Virtualization managers new entries should appear with the suffix of the Label.
SAP LaMa Storage Managers
SAP LaMa Virtualiztion Managers
Finally, if I check under Advanced Operations the virtualization tab, I will see my project with my existing VM and storage attached to each of them.
SAP LaMa Advanced Operations
On the GCP side.
GCP Console Compute Engine Instances
Conclusion
The preparation to run SAP LaMa for GCP is not complicated but will require some attention in regard to the authorization that needs to be granted for your service account. Indeed, we want to be careful and avoid security problems especially if you grant these authorizations at the organization level, which will be inherited to all subsequent projects created.
In the second part of this blog, I will walk you through several operations available from SAP LaMa to GCP, from template deployment to system copy and backup.