Managing your SAP landscape efficiently is key for any organization, both from an IT to business perspective. This is especially true when you are running your system in the cloud. In this regard, Google released a free-of-charge adapter for SAP LaMa, which allows you now to assess this part of the cloud journey on GCP.

In this 2-part article, I will explain and show you how to proceed with this adapter, but also highlight the available operations.

SAP LaMa Adapter for GCP

 

Before starting any action and to guarantee the success of the exercise, it is important to do some research on our subjects.

Here is a collection of guides, references, and SAP Notes to be reviewed.

Note that these references differ from the previous article, so take the time to review them.

SAP Notes
3051302 - SAP Landscape Management 3.0 SP20
2039615 - Managing system landscapes with SAP Landscape Management Enterprise Edition
3078321 - Google Cloud Connector for SAP Landscape Management (LaMa) 3.x, enterprise edition
2456432 - SAP Applications on Google Cloud: Supported Products and GCP VM types
2488113 - Discover SAP HANA Multitenant Database Containers in SAP LaMa 3.0
2844322 - SAP HANA Platform 2.0 SPS 05 Release Note

Guides
SAP Landscape Management 3.0, Enterprise Edition
SAP Landscape Management 3.0, Enterprise Edition, Developer Guide

Knowledge Base
SAP on Google Cloud Documentation

What and how to articulate it?

Before diving into the technical detail about the process and the solution, let’s first review some comprehensive and basic understanding.

If you are reading this article you might be already familiar with the SAP LaMa product, If not I’m here to share 😉.

By design SAP LaMa comes with two (2) built-in cloud adapter, Azure and AWS, so in order to provide clients the ability to use the tool in its true form, Google has decided to release its own adapter (free of charge) for you to install.

SAP LaMa default Adapter

 

Let’s have a look now at how to articulate SAP LaMa, here I’m referring to the deployment of SAP LaMa itself. You can run it on a hybrid model (different platform than GCP) which will be required for you to have a dedicated service account with the necessary permission to authenticate and administer your managed system in the project they belong to or at the upper level.
You will also need to think about your connectivity and DNS resolution.

SAP LaMa Adapter Option 1

 

The other option will be to run your SAP LaMa instance in GCP directly. Will this be simple? Yes, but you need to be mindful of some requirements, including:

1. You will need to run SAP LaMa on a certified VM for SAP workload, you will find the certified VMs on the SAP Note 2456432—SAP Applications on Google Cloud: Supported Products and GCP VM types


2. Make sure that you have the required API scope activated for VM instance


3. Finally, just like for the on-prem option, a dedicated service account.

SAP LaMa Adapter Option 2

 

Prepare your managed system

We know what it takes now for the SAP LaMa portion, so let’s dive in and prepare the managed environment. The 3 following components will need to be deployed on your remote system:

1. SAP Host Agent 7.21 PL51 or higher required


2. SAP Adaptive Extension 1.0 EXT PL61 or higher


3. Host Agent Extensions for Google Cloud

SAP LaMa GCP Host Extension

 

I will not detail how to install the Host Agent and Adaptive Extension. Instead, I will focus on the install of the GCP Host Agent Extension. Note that the package extension is part of the full package for SAP LaMa.
I start by downloading the package by running wget $(curl https://storage.googleapis.com/cloudsapdeploy/lama-connector/LATEST.txt) and extract the content.

GCP Connector Download

 

And finally, run the install.sh script.

GCP Connector Script Installation

 

Make sure to have the operations.d folder in the exe repository. The script will copy all the necessary libraries for LaMa to perform GCP actions.

I will recommend you to take a GMI (Google Machine Image) once your system preparation is completed, by doing so you will have a standard based image for your future deployment.
However, be mindful of the OS version or release (SLES vs SLES for SAP).
From the GCP console, under Compute Engine, select Machine Images and create your image from the source vm.

Google Machine Image

 

Authentication and Access Control

In order for SAP LaMa to interact with GCP resources, a service account will be required whatever scenario you envision (on-prem/GCP). I would recommend you to create a dedicated user for more control and visibility.

In the project, I want to manage my sap environment, I will first create a custom role that will be assigned to my service account. From the GCP console, under IAM & Admin select Roles.

GCP Role Console

 

And create a new role, provide the necessary information and most important give the right set of permissions.

GCP Custom Role Creation

 

From the Add permission, filter the role and select compute/admin.

GCP Role Permission

 

The list of permissions will show up, you can select all of them but the problem if you do that is the fact that your user will inherit unnecessary permissions which can create a security breach.
Instead of typing everything out, 😉 I will lead you to the following page for the full list of permission: Required IAM resource permissions for the Connector for LaMa

SAP LaMa Full Custom Permission

 

Once created you will see your custom role.

SAP LaMa Custom Enabled

 

Let’s create the service account from the GCP console now, under IAM & Admin, select Service Accounts and + Create Service Account.

GCP Service Account Creation

 

The creation of the account is pretty straightforward. Simply give a name and provide the custom role created in the earlier step.

GCP Service Account Role Assignment

 

Once created, select your service account and click on the KEYS tab to create a key. This one will be used for connectivity purposes since we don’t specify the password for the SA.

GCP Service Account KEYS

 

Create the new Key and use the JSON format.

Service Account Key Creation

Service Account Key JSON Format

 

Note that the key might be downloaded automatically on your laptop, hold it we will open it later.

Service Account Key Active and Download

 

Install and Configure the SAP LaMa Adapter for GCP

So, now that our GCP environment is prepared to hold and manage the SAP environment by SAP LaMa, I’m going to proceed with the installation of the adapter.
First of all, to allow the communication between the adapter and GCP API, a Google CA certificate is needed, go to the Google Trust Services at https://pki.goog/repository/

Google CA Certificate Repository

 

From the Subordinate CAs, download the GTS CA 1C3 certificate

Google GTS CA Certificate Download

 

And upload the certificate from NWA.

SAP Netweaver Certificates and Keys

 

From the Key Storage Views, select TrustedCAs and click on Import Entry.

SAP Netweaver TruestedCAs

 

Import the certificate as X.509

Import Google Certificate

 

Once done you should have the following:

Google Certificate Details

 

We also want to avoid using IPv6 from SAP LaMa, I will add the following parameter in the Java System Properties and restart your instance.

Netweavre IPv6 avoid

 

We are now ready to proceed with the installation of the adapter, I will run the installation by using the j2ee deployment script. My ear adapter is stored in my /tmp/sap location.

SAP LaMa GCP Connector Deployment

 

Once done, from SAP LaMa interface the new Google Adapter is now available so I can make the necessary configuration.

SAP LaMa Cloud Manager

 

I will click next and provide my label and monitoring interval, but because I’m using a dedicated service account, I will past the content of my private JSON key generated earlier in the “Service Account” field under Additional Properties.

Note that the value needs to be in one line from { to }

GCP Service Account Key Content Detail

SAP LaMa Cloud Manager GCP Configuration

 

Before saving, test the configuration to ensure it’s all good.

GCP Cloud Adapter Testing

 

Because the adapter brings capabilities to compute and storage operations, on Storage Manager and Virtualization managers new entries should appear with the suffix of the Label.

SAP LaMa Storage Managers

SAP LaMa Virtualiztion Managers

 

Finally, if I check under Advanced Operations the virtualization tab, I will see my project with my existing VM and storage attached to each of them.

SAP LaMa Advanced Operations

 

On the GCP side.

GCP Console Compute Engine Instances

 

Conclusion
The preparation to run SAP LaMa for GCP is not complicated but will require some attention in regard to the authorization that needs to be granted for your service account. Indeed, we want to be careful and avoid security problems especially if you grant these authorizations at the organization level, which will be inherited to all subsequent projects created.

In the second part of this blog, I will walk you through several operations available from SAP LaMa to GCP, from template deployment to system copy and backup.