For SAP systems on IBM i, users are accustomed to using the SAP Menu to perform administrative tasks in a very simple and straightforward way. But as the number of SAP systems on one or multiple hosts increases, it becomes beneficial to access them through one integrated user interface. That being said, I’m sure many of you system administrators have already found ways to achieve this using the IBM i SAP main menu, but SAP also provides other graphical tools to accomplish cross-system administrative tasks. This blog explains how to set up and use the SAP Microsoft Management Console (SAP MMC) to manage multiple SAP systems with this one tool, using only one user.

SAP Microsoft Management Console

The SAP Microsoft Management Console (SAP MMC) is a framework that allows various tools delivered by SAP to be integrated into a common user interface, enabling centralized system management. The SAP Systems Manager snap-in provides basic monitoring and control, from any Windows desktop, of every SAP system within a landscape, regardless of each system’s underlying operating system and database vendor. SAP recommends the use of the SAP MMC because it simplifies system administration and provides many new features.


How does it work?

Since SAP NetWeaver 7.0, the sapstartsrv programs defined in /usr/sap/sapservices provide an interface for basic management of SAP systems and instances. These sapstartsrv services (batch jobs or daemons, as they are called on different operating systems) start automatically after installation and then during each IPL of the IBM i host. The services interact with different types of clients through a SOAP web service interface named “SAPControl”. One of these clients is the SAP MMC. sapstartsrv provides basic SOAP interfaces to start and stop SAP components, monitor run-time state, read logs, traces and configuration files, and execute remote commands, among others. The services provided by sapstartsrv are in turn exposed graphically by the SAP MMC. Using the SAP MMC is straightforward: download it, install it, and configure it for each SAP system to be monitored and controlled.

Setting up admin users or admin groups

In the out-of-the-box configuration, the SAP MMC will pop up a user/password window each time it needs to access the associated sapstartsrv for a particular SAP system; the correct user to choose is <SID>adm. This is not the only option, though.


The SAP start service has multiple ways to authorize access to all or specific methods. In this blog entry, only authentication with an OS user and password is shown. The profile parameter service/protectedwebmethods can be used to manage access to specific webmethods in each SAP system. When using the SAP MMC to remotely invoke protected web services on the IBM i machine, it is necessary to explicitly enter a valid OS user and password for the host. This works only when the credentials provided are for:

· A user with write permission to the sapstartsrv executable file (only <SID>adm by default; even users with *ALLOBJ authority are not able to remotely invoke restricted webservices)

· A user authorized by the service/admin_users or service/admin_groups profile parameters

Therefore, to be able to administer multiple SAP systems remotely using the SAP MMC without using <SID>adm, add additional user(s) or admin group(s) to the systems' default profiles using the parameters service/admin_users = <admin_user> or service/admin_groups = <admin_group>.
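Every entry in service/admin_users or service/admin_groups widens the set of OS users who may call protected webmethods, so it is worth checking the default profiles of all systems against the one administrator that is meant to be there. The following sketch is an added example, not SAP code: the SIDs, the user MMCADMIN and the profile excerpts are constructed, and it assumes that list values are separated by blanks (commas are also accepted) and that the last assignment of a parameter wins.

```python
# Added example: SIDs, user names and profile contents are constructed.
WATCHED = ("service/admin_users", "service/admin_groups",
           "service/protectedwebmethods")

def parse_profile(text):
    """Return the watched parameters of one profile as {name: value}."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # skip blanks and comments
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() in WATCHED:
            found[name.strip()] = value.strip()    # assumed: last assignment wins
    return found

def names(value):
    """Split a list value; blank or comma separators are accepted (assumption)."""
    return {n.upper() for n in value.replace(",", " ").split()}

def audit(profiles, expected_users, expected_groups=()):
    """Compare each system's additional administrators with the approved set."""
    want_u = {u.upper() for u in expected_users}
    want_g = {g.upper() for g in expected_groups}
    report = {}
    for sid, text in profiles.items():
        p = parse_profile(text)
        users = names(p.get("service/admin_users", ""))
        groups = names(p.get("service/admin_groups", ""))
        report[sid] = {
            "missing_users": sorted(want_u - users),      # MMC would still need <SID>adm
            "unapproved_users": sorted(users - want_u),   # access nobody signed off
            "unapproved_groups": sorted(groups - want_g),
            "protectedwebmethods": p.get("service/protectedwebmethods"),
        }
    return report

SAMPLE = {  # constructed DEFAULT.PFL excerpts for three systems
    "DEV": "SAPSYSTEMNAME = DEV\nservice/admin_users = MMCADMIN\n",
    "QAS": "# temp access\nservice/admin_users = MMCADMIN JSMITH\n"
           "service/admin_groups = OPSGRP\n",
    "PRD": "SAPSYSTEMNAME = PRD\nservice/protectedwebmethods = SDEFAULT\n",
}

if __name__ == "__main__":
    for sid, row in audit(SAMPLE, ["mmcadmin"]).items():
        print(sid, row)
```

A system listed under missing_users will still prompt for <SID>adm; one with unapproved entries grants protected webmethods to accounts outside the intended single-user setup.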

Additional clients and local connection options

The sapcontrol command line tool, available in every SAP system kernel, can also be used to invoke the many webmethods provided by the SAP start services. In fact, for about a year now the delivered SAP on IBM i menu has used the same sapcontrol interface to manage systems and instances. Unlike the SAP consoles and the sapcontrol command line tool, the menu does not allow user credentials to be provided explicitly. A local invocation of restricted webmethods can be issued without explicit credentials only when the invoking user is <SID>adm or “a trusted UNIX domain socket user”. A trusted user is a user that has write access to the UNIX domain socket used by the associated SAP start service (/tmp/.sapstream<port-no>).
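Because write access to the socket is what makes a local user trusted, the permissions on /tmp/.sapstream<port-no> are worth reviewing like any other privilege grant. The sketch below is an added example, not part of the SAP tooling: it lists the sockets in a directory and reports group and world write bits, assumes the port follows the 5<inst_no>13 pattern given on this page, and reads only the POSIX mode bits, so authorities granted by other means are outside its view. The demo files are constructed stand-ins, not real sockets.

```python
import glob
import os
import re
import stat
import tempfile

# Port pattern 5<inst_no>13 as given on this page; the capture is the instance number.
SOCKET_RE = re.compile(r"\.sapstream5(\d{2})13$")

def socket_writers(path):
    """Report who can write to one socket according to its mode bits."""
    st = os.stat(path)
    return {
        "path": path,
        "owner_uid": st.st_uid,                      # the owner is always trusted
        "group_gid": st.st_gid,
        "group_writable": bool(st.st_mode & stat.S_IWGRP),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
    }

def scan(directory="/tmp"):
    """Return one row per .sapstream* entry found in the directory."""
    rows = []
    for path in sorted(glob.glob(os.path.join(directory, ".sapstream*"))):
        row = socket_writers(path)
        match = SOCKET_RE.search(path)
        row["instance"] = match.group(1) if match else None
        rows.append(row)
    return rows

def demo():
    """Scan two constructed stand-in files with different permissions."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in ((".sapstream50013", 0o600), (".sapstream50113", 0o666)):
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)
        return [(r["instance"], r["group_writable"], r["world_writable"])
                for r in scan(d)]

if __name__ == "__main__":
    for row in scan():
        flag = "REVIEW" if row["group_writable"] or row["world_writable"] else "ok"
        print(flag, row)
```

Any row flagged REVIEW means that users other than the socket owner can call restricted webmethods locally without supplying credentials.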

Console download and installation

Console

Instructions

SAP Microsoft Management Console (SAP MMC)

https://support.sap.com/home.html

  -> Tile Software Downloads
    -> Search for Software
      -> Search Term: MMC

To enable the SAP MMC to monitor an IBM i instance, click on File, Add/Remove Snap-in, and select SAP Systems Manager. Right-click on the SAP Systems branch of the MMC, select Properties, then Fixed to add the specification of at least one SAP instance for the <SID>.

SAP Management Console (SAP MC)

This Java management console is available for each SAP system instance via a browser at http://<ibm_i_host>:5<inst_no>13/

More information

SAP Note 927637 – Web service authentication in sapstartsrv as of Release 7.00

SAP Microsoft Management Console

How to use the SAPControl Web Service Interface
