Table of Contents:
- Customized deployments of Ansible Playbooks for SAP
- SAP Software Download common errors
- SAP System Passwords
- High Availability
Yes. All code is under the Apache license, you can extend and use for internal purposes without any concerns. All feedback and contributions back to the project are appreciated.
I'm an SAP Services Partner, can I use and amend this code to create new products/offerings for customers?
Yes. All code is under the Apache license you can extend and use for commercial purposes without any concerns. All feedback and contributions back to the project are appreciated.
Please read Customization of Ansible Playbooks for SAP in the main documentation. The host specifications are completely customisable.
Each Ansible Playbook for SAP used with a Cloud Hyperscaler, includes an OS Image lookup by name for all available OS Images from the Cloud Service Provider.
The Ansible Extravars file contains a list these OS Image lookup names (such as sles-15-2-sap-ha or rhel-8-4-sap-ha) and refer to a regex pattern specific to that Cloud Hyperscaler to retrieve the latest OS Image for the specific OS distribution version (i.e. major.minor release). This list can be appended to with custom OS Images as required.
Each Ansible Playbook for SAP used with a Cloud Hyperscaler, provides the user with the choice of Region and Availability Zone.
In principle, each Cloud Service Provider uses the same geographical location logic:
- Region (alt. Location Display Name)
- Availability Zone (aka. Data center)
- Placement segmentation within a Data center; known by various names e.g. Placement Groups / Physical Fault Domains / Pods etc.
- Availability Zone (aka. Data center)
SAP Software installation media downloads have error 'SAP SSO authentication failed - 401 Client Error'
SAP software installation media must be obtained from SAP directly, and requires valid license agreements with SAP in order to access these files.
The error HTTP 401 refers to either:
- Unauthorized, the SAP User ID being used belongs to an SAP Company Number (SCN) with one or more Installation Number/s which do not have license agreements for these files
- Unauthorized, the SAP User ID being used does not have SAP Download authorizations
- Unauthorized, the SAP User ID is part of an SAP Universal ID and must use the password of the SAP Universal ID
- In addition, if a SAP Universal ID is used then the recommendation is to check and reset the SAP User ID ‘Account Password’ in the SAP Universal ID Account Manager, which will help to avoid any potential conflicts.
This is documented:
SAP Software installation media from SAP Maintenance Planner fails with 'download link https://softwaredownloads.sap.com/file/___ is not available'
SAP has refreshed the installation media (new revisions or patch levels) for the files in your SAP Maintenance Planner stack, and you will need to update / create a new plan to re-generate the up to date files.
SAP Software installation media downloads from SAP Maintenance Planner fails with 'SAP SSO authentication failed - 404 Client Error: Not Found for url: https://origin.softwaredownloads.sap.com/tokengen/?file=___'
SAP has refreshed the installation media (new revisions or patch levels) for the files in your SAP Maintenance Planner stack, and you will need to update / create a new plan to re-generate the up to date files.
SAP Software Center search has error 'An exception has occurred - no result found for FILENAME_HERE.SAR'
SAP has refreshed the installation media (new revisions or patch levels), this filename cannot be found and you will need to search for the updated filename (usually an increment, e.g. _0 to _1 otherwise the file cannot be downloaded.
SAP Software installation media pre-check (dry-run) or downloads have error 'SAP SSO authentication failed - 403 Client Error: Forbidden for url: https://softwaredownloads.sap.com/file/___'
SAP Software Center is likely experiencing temporary problems, please try again later. The Ansible Collection for SAP Launchpad will always attempt 3 retries if a HTTP 403 error code is received, if after 3 attempts the file is not available then a failure will occur.
By default, Ansible Playbooks for SAP use the password NewPass$321 (as a reminder to reset the password post-installation).
However,
NewPass@321is used for SAP MaxDB,NewPass>321for IBM Db2, andNewPass#321for Oracle DB. See below information.
- Between 6 and 64 characters
- Alphanumerical, not advisable to use space character
- No restrictions on Special Characters
Reference:
- SAP HANA Security Guide for SAP HANA Platform - Password Policy
- SAP Note 2969917 - Can't use special characters like ! @ # $ % & in HANA user's password
No special recommendations
Restricted to certain Special Characters #$@_. Must not begin with a digit.
Avoid use of Special Character $ which may cause automation errors when parsed
Avoid use of Special Character $ which may cause automation errors when parsed. Must not begin with a digit or underscore.
Note: These are configurable in the Profile Parameters (
login/min_password_*andlogin/password_*), below are default
- Between 3 and 40 characters
- Alphanumerical, not advisable to use space character
- Restricted to certain Special Characters
!"@$%&/()=?’*+~#-_.,;:{[]}\<>│. Not advisible to use\or"
Reference:
For SAP NetWeaver Application Server (ABAP) see document Password Rules - User and Role Administration - SAP NetWeaver Application Server for ABAP 7.52.
For further information, please see User Guides for System Provisioning with Software Provisioning Manager which contains a list of different guides under two sections:
- Installation Option of Software Provisioning Manager 2.0
- Installation Guides - Application Server Systems - Software Provisioning Manager 2.0
- Installation Option of Software Provisioning Manager 1.0
- Installation Guides - Application Server Systems - Software Provisioning Manager 1.0
On each of these pages (for SWPM 1.0/2.0) there are documents (HTML/PDF) in a table with choice for Database, Product Release, Operating System Platform, Technical Track. Each document contains layered sections 'Planning > Basic Installation Parameters > SAP System Parameters' with Password limitation information.
For example, SAP System Parameters - Installation of SAP ABAP Systems on UNIX : SAP HANA 2.0 - SWPM 2.0.
Please note, these guides are different than those listed on Guide Finder for SAP NetWeaver and ABAP Platform.
High Availability is achieved through STONITH (Shoot The Other Node In The Head) fencing, multiple configuration approaches that can be summarised by usage of:
- Fencing Agents to Infrastructure Platform Authoritative Status API; this verifies health status and execute compute actions (power off) using a vendor-defined API
- Fencing Agent for STONITH Block Device (SBD); this verifies health status using a shared disk between all HA Cluster Nodes (e.g. iSCSI, Multi-Write Block Storage / Virtual Disk) or alternatively a Watchdog, and execute self-fencing
- Fencing Agent for Distributed Replicated Block Device (DRBD); this verifies health status using an NFS Server accessible from all HA Cluster Nodes, and execute self-fencing
The host nodes are halted using one of these approaches, to avoid an inconsistent state.
There are variances to each approach, for each Infrastructure Platform, for different SAP Software Scenarios and different Business Continuity Plans with their associated technical risk profiles (for example, HA only vs HA-DR). As such, the correct configuration of High Availability for an SAP System incorporates a range of decisions and cost implications.
The foremost recommendation (and frequently lowest cost) by each Infrastructure Platform vendor, is to leverage each vendor's respective Fencing Agent (e.g. fence_aws).
The Ansible Playbooks for SAP and the underlying sap_install Ansible Collection focus on this configuration approach, using the Fencing Agents to Infrastructure Platform Authoritative Status API. This is subject to further requests from the community and associated development contributions.