williams_ruter3
In this documentation, I will explain in detail how to configure SAP LaMa 3.0 SP4 to integrate with VMware infrastructure in order to deploy and manage an SAP Hana landscape.

Aside from the LaMa setup, I will also cover the installation and configuration of the different VMware products used for the integration.

For this scenario, I will integrate the replication of SAP Hana on-premise to Azure Cloud and configure authentication with SAML Single Sign-On using Azure AD.

For my setup, I will use my own lab on VMware vSphere 6.5 U1 with the VMware vCloud Suite 2017 products, SAP LaMa 3.0 SP4 Patch1 and my own Microsoft Azure subscription.

Disclaimer: My deployment is for test purposes only; I keep security simple from a network perspective to realize this configuration, and I use open source software.

Best practice: Before starting anything, make sure to read all notes relevant to your deployment, read the product guide for each component that you intend to deploy, and make sure that you have done the sizing exercise properly.

Pay attention to restrictions and to what is supported or not; this will avoid unnecessary hiccups.

 

Order of execution



  1. Configure VMware infrastructure

  2. Prepare Template VM

  3. Prepare the customization profile

  4. Register the host in DNS

  5. Integrate VMware to LaMa

  6. VM Server provisioning for Hana

  7. Monitor the provisioning process in LaMa and VMware

  8. Check the VM host creation in LaMa and VMware

  9. Install SAP Hana on-premise vm

  10. Discover SAP Hana instance in LaMa

  11. Configure SAML with Azure AD for authentication

  12. Testing


Guide used:


SAP LaMa 3.0

  • SAP Landscape Management 3.0, Enterprise Edition


VMware Product

  • VMware Adapter for LaMa Install-Config-Admin Guide

  • Installing and Configuring VMware vRealize Orchestrator 7.3


SAP Hana Platform SP2.0

  • SAP HANA Administration Guide

  • SAP HANA Technical Operations Manual

  • SAP HANA Application Lifecycle Management


Note used:



  • 2519232 - SAP Landscape Management 3.0 SP04 Patch01

  • 1709155 - System Provisioning with SAP Landscape Virtualization Management

  • 2050537 - Support for SAP HANA in SAP Landscape Management

  • 2488113 - Discover SAP HANA Multitenant Database Containers in SAP LaMa 3.0

  • 2039615 - Managing system landscapes with SAP Landscape Management Enterprise Edition

  • 1438774 - New profile parameter system/uuid and system/description

  • 2438888 - SAML SSO to HANA no longer works and logs show "Assertion is no longer valid"


Link used:



 

Overview Architecture




From a high-level architecture point of view, I will set up multiple VMs in order to deploy a hybrid landscape; all of them will be registered in my internal DNS.

All my VMs will be provisioned to respect the minimum requirements of each component deployed.

Authentication Layer (Cloud)

Microsoft Azure – Identity provider used to store user credentials and let users access the SAP Hana application over the web with SSO.

VMware Product

VMware Cloud Suite 2017 – The VMware Cloud Suite 2017 includes multiple VMware products which permit integration and automation with SAP LaMa and cloud products such as Azure and AWS.

SAP Product

SAP LaMa 3.0 – SAP LaMa 3.0 SP4 will be deployed as a VM and will be used to manage the SAP landscape from an operations point of view.
SAP Hana Platform 2.0 – The SAP Hana database will be installed as a multi-container system and will host my Fiori application.

 

Components details


This picture shows in detail the components deployed on each server, such as add-ons, as well as product versions. The communication protocols are shown too, but I intentionally omit the ports.



From a detailed components point of view, my SAP LaMa add-on is deployed on an SAP NetWeaver 7.5 SP7 Java stack.

In order to integrate VMware vSphere with SAP LaMa for deployment automation, specific products need to be installed and configured, such as VLA, vRealize Orchestrator and vCenter.

I will explain in detail how to perform the necessary deployment and configuration.

From an authentication standpoint, I will configure SAML with Microsoft Azure Active Directory as IDP in order to allow access for external users.

 

Configure VMware Infrastructure


To allow SAP LaMa 3.0 to interact with the VMware infrastructure, specific components from VMware need to be deployed:



VMware VLA 1.5.0 (VMware Adapter for SAP LaMa 3.0)
VMware VLA is a virtual appliance that integrates SAP LaMa with VMware management software such as vCenter Server and vRealize Orchestrator. It uses workflows to execute commands on VMware vCenter Server for VMware-related VM operations such as stop/start, provisioning and so on.

VMware vRealize Orchestrator 7.3
vRealize Orchestrator automates management and operational tasks for both VMware and third-party products (SAP LaMa). It is a platform that provides a library of extensible workflows for creating and running automated, configurable processes.
This product is part of VMware vCloud Suite 2017

vCenter Server Appliance 6.5.0 U1
VMware vCenter Server provides a centralized platform for managing VMware vSphere environments, allowing you to automate and deliver a virtual infrastructure.
This product is part of VMware vCloud Suite 2017

 

Download VMware product


VMware VLA can be downloaded at the following location: VMware Adapter for SAP LaMa



You need a valid account to proceed with the download; once done, an OVA package will be provided.



To use VMware VLA, specific product versions need to be used, such as vRealize Orchestrator 7.3.0.21553 and vSphere 6.5.
Note: some issues can occur between vRealize Orchestrator and vCenter if you are not using the updated version of vCenter (6.5 U1).

The VMware vCloud Suite 2017 product can be downloaded at the following location: VMware vCloud Suite



You need a valid account to proceed with the download; once done, an OVA package will be provided.



 

Install and configure vCloud Suite solution


I will not cover the installation of the ESXi and vCenter component since I have them already running as part of my lab.

The first component to install is vRO (Orchestrator). From the vCenter web console, import the OVA file downloaded earlier.



Provide the location of the OVA file



Specify the resource where to deploy it and accept the license terms



Select the datastore where to store the vm deployment



Choose the network according to your infrastructure



Then customize the VM settings; you will need to set up: IP / hostname / domain / network / password



Review your setting and execute



Deployment completed



Power on the newly created VM and wait until the main screen with all the URLs for configuration appears



In your browser, now go to the vco-controlcenter URL and log in as the root user, choose “Standalone Orchestrator”, validate the hostname and click Next



For the authentication mode, I use vSphere and provide my vCenter hostname and click on connect



The connection is successful, so I accept the certificate



Now for the Identity service, we need to provide the local administrator or the vCenter server



Finally, for the Admin group, I select vsphere.local\Administrators and save the change



My installation is complete so I click on “Validate Configuration” to see if I have pending action



All green; now I can log off and log back in as Administrator to check if the SSO is working



All good, it’s working



Now that it is installed, the Orchestrator needs to be integrated with vCenter. I start by opening the vco URL



This will open a Java application; log in as administrator



On the main page, select the workflow item, follow “vCenter --> Configuration --> Add a vCenter Server instance” and execute



Provide the FQDN of vCenter and the password, then click Submit



If no error, the workflow is completed



Finally, the last step is to register the Orchestrator as an extension in vCenter



Select the vCenter server and submit



Once again, if no error it’s all green



The first component deployment is completed, now let’s install the VLA

 

Install and configure VMware Adapter for SAP LaMa


The VLA is delivered as an OVA appliance: open vCenter and upload the file, following the same procedure used earlier for vRealize Orchestrator



Once it is powered on, SSH into the server, run sudo -s and create the administrator user (in my case, vla is the account)
Syntax : vla_user -S LOCAL_USER -a vla-server -u <your vla admin user>



Once done you should be able to access the VLA dashboard console



Register your vRealize Orchestrator with the following command line
Syntax : vla_credentials -a -s vco -n <vRealize Orchestrator hostname> -u <vCenter local admin>



Once registered I can see in the dashboard my host



And install the vco package for LaMa



The packages are now listed in the dashboard



Now I connect the vCenter in VLA with the following command
Syntax: vla_credentials -a -s vcenter -n <vCenter hostname> -u <vCenter local admin> -A <vRealize Orchestrator ID>

Note : the vRealize Orchestrator ID can be found with the following command “vla_credentials -l”





Back to my dashboard, I can now see my vCenter connected



And the credential is also listed



Finally, I push the adapter to LaMa in order to retrieve it from the Virtualization Manager vendor. Use the following command to do so:

Syntax : vla_adapter -a -f <SAP LaMa hostname> -u root -x <LaMa Administrator>



The VMware based Infrastructure for SAP LaMa is now completed.

 

Prepare template VMs


For the VM server provisioning scenario, SAP LaMa needs to work with a VM template configured and defined in vCenter. Preparing a VM template in vSphere is pretty straightforward.

The first thing to do is to create a VM and prepare it to host the target environment (file system, CPU, RAM); an important point is to install the SAP Hostagent and the SAPACEXT.SAR package.
Note: Make sure to install the hostagent with a password





Once done, right-click on the VM and convert it to a template



With my template ready, I can now prepare the host profile for SAP LaMa to work with



 

Prepare the customization profile


The customization profile is used by SAP LaMa while provisioning a new VM server to understand the OS type.
From the Home button, go to “Policies and Profiles”



Select the “Customization Specification” and create your profile



Once done save it, now let’s take a look at the DNS side.

 

Register the host in DNS


To provision a new host from SAP LaMa, the new hostname needs to be resolvable by SAP LaMa. In general, this exercise is done by the network and security group.

On my DNS I add the new name and IP



 

Integrate VMware to SAP LaMa


VMware integration to SAP LaMa is done through Virtualization Managers, by using the VLA adapter.
From the Infrastructure tab, choose Virtualization managers’ title and click Add



If all the steps to register the adapter mentioned above were done properly, you should see the VMware adapter for LaMa



Select the adapter, click next and provide the necessary information of the adapter (label/user/credential/url)



Test the config and save



Now the adapter is in the list



Let’s now try to provision the server for Hana

 

VM server provisioning for SAP Hana


Now we are ready to deploy the server from SAP LaMa. To do so, select the provisioning tab and choose Virtual Host.
As we can see, SAP LaMa is able to see the template I created earlier; select the template and click on provision



Give a name for the host and select the resource pool where to deploy it. Make sure to have created the pool before any provisioning deployment, otherwise you cannot do it



Select the datastore to hold the vmdk



I don’t want to create a linked clone, so I choose false; we can also see that my deployment will use my customer profile



I select the network I want to work in



Finally, I give the hostname I have created in my DNS



I review all the parameters and execute



Let’s monitor the execution

 

Monitor the provisioning process in LaMa and VMware


Once executed, the provisioning process can be monitored in different places for the same execution:

From SAP LaMa Dashboard on the Monitoring activities



From vCenter in the task list



From Orchestrator on the running workflow



Once completed, it shows with no issue in the SAP LaMa Monitoring dashboard



 

Check the VM host creation in SAP LaMa and vCenter


Now that my new host is created, it appears in SAP LaMa under Configuration --> Hosts.
Notice that it is not in a managed state yet



From vCenter, the new host also appears under the resource pool assigned during the provisioning process setup



Note that the integration of VMware with SAP LaMa through the VLA adapter gives you the capability to perform operations on the VMs found on the vSphere cluster.

From the Operations and Maintenance in the LaMa dashboard you can retrieve all of them



 

Install SAP Hana on-premise vm


I will not cover the Hana database installation in detail since I have done it in my previous documentation. I will show just the main screen





From the Hana Cockpit, after registering them, we can see my tenant and system databases up and running



 

Discover SAP Hana instance in LaMa


To find and register my Hana instances in LaMa, from Configuration tab I click on “System” and select “Discover”



I will make the discovery by host agent, from the drop down list for source



I will check “Include Diagnostic Agent for instance” and “Standalone Databases”



I provide the FQDN of my host and keep the HTTP port for the host agent



In the Database Admin settings, I provide the admin user to connect to it



Finally I click on Detect to start the process





Now discovered, I click next and can see my new Hana instance



I will now create a new system for it by selecting “Assign to New System”



Assign New



Validate and click next



Specify the Pool chosen for the host and click next to finish discovery



Review the summary for host and instance and click Save to complete the task



Once completed, I check under the Systems tab and can see my Hana instance listed in a managed state



I now go to the Host tab, select the host provisioned earlier, which now hosts SAP Hana, and click “Detect on host”



Make sure to have “Detect on Managed Hosts” selected from Source and click on “Detect”





Now that my instance is detected on the host, I will assign my HB3 system created earlier from the drop down to my host and click Next



Validate or select the right pool and click next to continue



Review the summary and save to complete the process



Now my host is in a managed state



My instance and host are now part of LaMa and from dashboard, the status of my instance is Running



Note: My instance is now registered and manageable by SAP LaMa, but in order to perform tasks such as monitoring, system copy and so on, make sure to enter the necessary user credentials in the Hana instance properties.

I can now follow with the configuration for the authentication part with Microsoft Azure AD

 

Configure SAML with Azure AD for authentication with Hana


SAML authentication will be used to access my internal application, which is not role based but requires an authentication method for mapped users.



Some background information before I start the configuration: from a web dispatcher point of view, I have configured my tenant database to be accessible with a specific hostname and URL for HTTP and HTTPS



My set of applications are all under my tenant database



They are configured to use SAML authentication only



That being said, I can start the configuration now. Let’s first log into the Azure portal (IDP) at https://portal.azure.com/ and select “Azure Active Directory”



From the overview, select Enterprise applications



And create a new application



From the search type “hana” to filter out and click on Hana application



On the main screen option, select single sign-on



In the drop down list, choose “SAML-based Sign-on”



Fill in all the necessary information according to your landscape



Note: The Reply URL can be found from your instance at: https://<hana hostname>/sap/hana/xs/saml/info.xscfunc
You will see it at the line AssertionConsumerService



The identifier is required as well; it should reflect what you will configure for Hana XS as the SAML Service Provider

Once done download the Metadata XML and open XS admin from Hana under SAML Service Provider to configure it



Important: as mentioned earlier, make sure to use the same Identifier entered in Azure previously and fill in all the mandatory information according to your organization



In the Service Provider Configuration, make sure the Signing Algorithm matches the one used by Azure AD



Azure AD Signing for SAML



Once done, save and click on SAML Identity Provider to add Azure AD



In the IDP Metadata, copy in the content of the XML downloaded earlier from Azure



When the content is copied, all the information of the IDP (Azure) will be filled in



I save the new IDP and go to the XS Artifact Administration to change the authentication method for my application



My application is now configured to use SAML; I will define my account to be used in Azure. From Azure AD, select the SAP Hana application



Select “users and group” and click on the + sign to add user from AD



From the list of users available in my AD subscription, I choose the one I want to try out the authentication with and assign it for SAML.





Now done, I go on Hana studio to map the user account with Azure AD.



Enter the IDP and the external Id to be mapped for the user



Once completed, I save and I’m ready to try.

 

Testing the authentication with SAML


In my browser I enter my application url



And I am automatically redirected to Azure AD for authentication when I hit enter



I select my account mapped to Hana to log in



It works !!!



My documentation is now completed. In the second part of my blog, I will include the hybrid scenario with replication to Azure.