SAP LaMa 3.0 SP4 with VMware for Hana 2.0 SP2
In this documentation, I will explain in detail how to configure SAP LaMa 3.0 SP4 to integrate with VMware infrastructure in order to deploy and manage an SAP Hana landscape.
Aside from the LaMa setup, I will also cover the installation and configuration of the different VMware products used for the integration.
For this scenario, I will integrate the replication of SAP Hana on-premise to Azure Cloud and configure authentication with SAML Single Sign-On using Azure AD.
For my setup, I will use my own lab on VMware vSphere 6.5 U1 with the VMware vCloud Suite 2017 products, SAP LaMa 3.0 SP4 Patch1 and my own Microsoft Azure subscription.
Disclaimer: My deployment is for test purposes only; I keep the security simple from a network perspective to realize this configuration, and I use open source software.
Best practice: Before starting anything, make sure to read all the notes relevant to your deployment, read the product guide for each component that you intend to deploy and make sure that you have done the sizing exercise properly.
Pay attention to restrictions and to what is supported or not; this will avoid unnecessary hiccups.
Order of execution
- Configure VMware infrastructure
- Prepare Template VM
- Prepare the customization profile
- Register the host in DNS
- Integrate VMware to LaMa
- VM Server provisioning for Hana
- Monitor the provisioning process in LaMa and VMware
- Check the VM host creation in LaMa and VMware
- Install SAP Hana on-premise vm
- Discover SAP Hana instance in LaMa
- Configure SAML with Azure AD for authentication
- Testing
Guides used:
SAP LaMa 3.0
- SAP Landscape Management 3.0, Enterprise Edition
VMware Product
- VMware Adapter for LaMa Install-Config-Admin Guide
- Installing and Configuring VMware vRealize Orchestrator 7.3
SAP Hana Platform SP2.0
- SAP HANA Administration Guide
- SAP HANA Technical Operations Manual
- SAP HANA Application Lifecycle Management
Notes used:
- 2519232 – SAP Landscape Management 3.0 SP04 Patch01
- 1709155 – System Provisioning with SAP Landscape Virtualization Management
- 2050537 – Support for SAP HANA in SAP Landscape Management
- 2488113 – Discover SAP HANA Multitenant Database Containers in SAP LaMa 3.0
- 2039615 – Managing system landscapes with SAP Landscape Management Enterprise Edition
- 1438774 – New profile parameter system/uuid and system/description
- 2438888 – SAML SSO to HANA no longer works and logs show “Assertion is no longer valid”
Links used:
- SAP Landscape Management 3.0, Enterprise Edition
- SAP Help Portal – The central place for SAP documentation
- VMware vCloud Suite Documentation
- Microsoft Azure Documentation
Overview Architecture
From a high-level architecture point of view, I will set up multiple VMs in order to deploy a hybrid landscape; all of them will be registered in my internal DNS.
All my VMs will be provisioned to meet the minimum requirements of each component deployed.
Authentication Layer (Cloud)
Microsoft Azure – Identity provider used to store user credentials and let users access the SAP Hana application over the web with SSO.
VMware Product
VMware Cloud Suite 2017 – The VMware Cloud Suite 2017 includes multiple VMware products that permit integration and automation with SAP LaMa and cloud products such as Azure and AWS.
SAP Product
SAP LaMa 3.0 – SAP LaMa 3.0 SP4 will be deployed as a VM and will be used to manage the SAP landscape from an operations point of view.
SAP Hana Platform 2.0 – The SAP Hana database will be installed as a multi-container system and will host my Fiori application.
Components details
This picture shows in detail the components deployed on each server, such as add-ons and product versions; the communication protocols are shown too, but I intentionally omit the ports.
From a detailed component point of view, my SAP LaMa add-on is deployed on an SAP NetWeaver 7.5 SP7 Java stack.
In order to integrate VMware vSphere with SAP LaMa for deployment automation, specific products need to be installed and configured, such as VLA, vRealize Orchestrator and vCenter.
I will explain in detail how to perform the necessary deployment and configuration.
From an authentication standpoint, I will configure SAML with Microsoft Azure Active Directory as IDP in order to allow access from external users.
Configure VMware Infrastructure
To allow SAP LaMa 3.0 to interact with the VMware infrastructure, specific VMware components need to be deployed:
VMware VLA 1.5.0 (VMware Adapter for SAP LaMa 3.0)
VMware VLA is a virtual appliance that integrates SAP LaMa with VMware management software such as vCenter Server and vRealize Orchestrator workflows, in order to execute commands on VMware vCenter Server for VMware-related operations on VMs such as stop/start, provisioning and so on.
VMware vRealize Orchestrator 7.3
vRealize Orchestrator automates management and operational tasks for both VMware and third-party products (here SAP LaMa). It is a platform that provides a library of extensible workflows for creating and running automated, configurable processes.
This product is part of VMware vCloud Suite 2017
vCenter Server Appliance 6.5.0 U1
VMware vCenter Server provides a centralized platform for managing VMware vSphere environments, allowing you to automate and deliver a virtual infrastructure.
This product is part of VMware vCloud Suite 2017
Download VMware product
VMware VLA can be downloaded at the following location: VMware Adapter for SAP LaMa
You need a valid account to proceed with the download; once done, an OVA package will be provided.
To use VMware VLA, specific product versions need to be used, such as vRealize Orchestrator 7.3.0.21553 and vSphere 6.5.
Note: some issues can occur between vRealize Orchestrator and vCenter if you are not using the updated version of vCenter (6.5 U1).
The VMware vCloud Suite 2017 products can be downloaded at the following location: VMware vCloud Suite
You need a valid account to proceed with the download; once done, an OVA package will be provided.
Install and configure vCloud Suite solution
I will not cover the installation of the ESXi and vCenter components since I already have them running as part of my lab.
The first component to install is vRO (Orchestrator). From the vCenter web console, import the OVA file downloaded earlier
Provide the location of the OVA file
Specify the resource where to deploy it and accept the license terms
Select the datastore where the VM deployment will be stored
Choose the network according to your infrastructure
And customize the VM settings; you will need to set up: IP / hostname / domain / network / password
Review your settings and execute
Deployment completed
Power on the newly created VM and wait until the main screen with all the URLs for configuration appears
In your browser, go to the vco-controlcenter URL and log in as the root user, choose “Standalone Orchestrator”, validate the hostname and click Next
For the authentication mode, I use vSphere, provide my vCenter hostname and click Connect
The connection is successful; I accept the certificate
Now for the Identity service, we need to provide the local administrator or the vCenter server
Finally, for the Admin group I select vsphere.local\Administrators and save the change
My installation is complete, so I click on “Validate Configuration” to see if I have any pending actions
All green; now I can log off and log back in as Administrator to check if the SSO is working
All good, it’s working
Now that it is installed, the Orchestrator needs to be integrated with vCenter. I start by opening the vco URL
This will open a Java application; log in as administrator
On the main page, select the workflow item, follow “vCenter –> Configuration –> Add a vCenter Server instance” and execute
Provide the FQDN of vCenter and the password, and click Submit
If there is no error, the workflow is completed
Finally, the last step is to register the Orchestrator as an extension in vCenter
Select the vCenter server and submit
Once again, if there is no error, it’s all green
The first component deployment is completed; now let’s install the VLA
Install and configure VMware Adapter for SAP LaMa
As it is an OVA appliance, open vCenter and upload the file following the same procedure as earlier for vRealize Orchestrator
Once it is powered on, ssh into the server, run sudo -s and create the administrator user (in my case, vla is the account)
Syntax : vla_user -S LOCAL_USER -a vla-server -u <your vla admin user>
Once done you should be able to access the VLA dashboard console
Register your vRealize Orchestrator with the following command line
Syntax : vla_credentials -a -s vco -n <vRealize Orchestrator hostname> -u <vCenter local admin>
Once registered, I can see my host in the dashboard
And install the vco package for LaMa
The packages are now listed in the dashboard
Now I connect the vCenter in VLA with the following command
Syntax : vla_credentials -a -s vcenter -n <vCenter hostname> -u <vCenter local admin> -A <vRealize Orchestrator ID>
Note : the vRealize Orchestrator ID can be found with the following command: “vla_credentials -l”
Back to my dashboard, I can now see my vCenter connected
And the credential is also listed
Finally, I push the adapter to LaMa so that it can be retrieved from the Virtualization Manager vendor; use the following command to do so
Syntax : vla_adapter -a -f <SAP LaMa hostname> -u root -x <LaMa Administrator>
The VMware-based infrastructure for SAP LaMa is now complete.
Prepare template VMs
For the server VM provisioning scenario, SAP LaMa needs to work with a VM template configured and defined in vCenter; preparing a VM template in vSphere is pretty straightforward.
The first thing to do is to create a VM and prepare it to host the target environment (file system, CPU, RAM); an important point is to install the SAP Host Agent and the SAPACEXT.SAR package.
Note: Make sure to install the host agent with a password
Once done, right-click on the VM and convert it to a template
With my template ready, I can now prepare the host profile for SAP LaMa to work with
Prepare the customization profile
The customization profile is used by SAP LaMa while provisioning a new VM server to understand the OS type
From the Home button, go to “Policies and Profiles”
Select “Customization Specification” and create your profile
Once done, save it. Now let’s take a look at the DNS side.
Register the host in DNS
To provision a new host from SAP LaMa, the hostname of the new host needs to be resolvable by SAP LaMa. In general, this exercise is done by the network and security group.
On my DNS I add the new name and IP
Integrate VMware to SAP LaMa
VMware integration to SAP LaMa is done through Virtualization Managers, by using the VLA adapter.
From the Infrastructure tab, choose “Virtualization Managers” and click Add
If all the steps to register the adapter mentioned earlier were done properly, you should see the VMware adapter for LaMa
Select the adapter, click next and provide the necessary information of the adapter (label/user/credential/url)
Test the config and save
Now the adapter is in the list
Let’s now try to provision the server for Hana
VM server provisioning for SAP Hana
Now we are ready to deploy the server from SAP LaMa; to do so, select the Provisioning tab and choose Virtual Host
As we can see, SAP LaMa is able to see the template I created earlier; select the template and click on Provision
Give a name for the host and select the resource pool where to deploy it. Make sure to have created a pool before any provisioning deployment, otherwise you cannot do it
Select the datastore to hold the vmdk
I don’t want to create a linked clone so I choose false, and we can also see that my deployment will use my customization profile
I select the network I want to work in
Finally I give the hostname I have created in my DNS
I review all the parameters and execute
Let’s monitor the execution
Monitor the provisioning process in LaMa and VMware
Once executed, the provisioning process can be monitored in different places for the same execution:
From the SAP LaMa dashboard, in the Monitoring activities
From vCenter in the task list
From Orchestrator on the running workflow
Once completed with no issue in SAP LaMa Monitoring dashboard
Check the VM host creation in SAP LaMa and vCenter
With my new host created, it now appears in SAP LaMa under Configuration –> Hosts.
Notice that it is not in a managed state yet
From vCenter, the new host also appears under the resource pool it was assigned to during the provisioning setup
Note that the integration of VMware with SAP LaMa through the VLA adapter gives you the capability to perform operations on the VMs found on the vSphere cluster.
From Operations and Maintenance in the LaMa dashboard you can retrieve all of them
Install SAP Hana on-premise vm
I will not cover the Hana database installation in detail since I have done it in my previous documentation. I will just show the main screen
From the Hana Cockpit, after registering them, we can see my tenant and system databases up and running
Discover SAP Hana instance in LaMa
To find and register my Hana instances in LaMa, from the Configuration tab I click on “System” and select “Discover”
I will run the discovery by host agent, selected from the drop-down list for the source
I will check “Include Diagnostic Agent for instance” and “Standalone Databases”
Provide the FQDN of my host, keeping the HTTP port for the host agent
In the Database Admin settings, I provide the admin user to connect to it
Finally I click on Detect to start the process
Now discovered, I click next and can see my new Hana instance
I will now create a new system for it by selecting “Assign to New System”
Assign New
Validate and click next
Specify the Pool chosen for the host and click next to finish discovery
Review the summary for host and instance and click Save to complete the task
Once completed, I check under the Systems tab and can see my Hana instance listed in a managed state
I now go to the Hosts tab, select the host I provisioned earlier, which now hosts SAP Hana, and click “Detect on host”
Make sure to have “Detect on Managed Hosts” selected from Source and click on “Detect”
Now that my instance is detected on the host, I assign the HB3 system I created earlier to my host from the drop-down list and click Next
Validate or select the right pool and click next to continue
Review the summary and save to complete the process
Now my host is in a managed state
My instance and host are now part of LaMa and, from the dashboard, the status of my instance is Running
Note: My instance is now registered and manageable by SAP LaMa, but in order to perform some tasks such as monitoring, system copy and so on, make sure to enter the necessary user credentials in the Hana instance properties.
I can now follow with the configuration for the authentication part with Microsoft Azure AD
Configure SAML with Azure AD for authentication with Hana
SAML authentication will be used to access my internal application, which is not role-based but requires an authentication method for mapped users.
Some background information before I start the configuration: I have configured my tenant database, from a Web Dispatcher point of view, to be accessible with a specific hostname and URL for HTTP and HTTPS
My set of applications are all under my tenant database
They are configured to use SAML authentication only
That being said, I can start the configuration now. Let’s first log in to the Azure portal (IDP) at https://portal.azure.com/ and select “Azure Active Directory”
From the overview, select Enterprise applications
And create a new application
In the search field, type “hana” to filter and click on the Hana application
On the main screen option, select single sign-on
In the drop down list, choose “SAML-based Sign-on”
Fill in all the necessary information according to your landscape
Note: The Reply URL can be found from your instance at: https://<hana hostname>/sap/hana/xs/saml/info.xscfunc
You will see it at the line AssertionConsumerService
The identifier is required as well, it should reflect what you will configure for Hana XS as the SAML Service Provider
Once done, download the Metadata XML and open XS Admin from Hana, under SAML Service Provider, to configure it
Important: as mentioned earlier, make sure to use the same Identifier entered in Azure previously and fill in all the mandatory information according to your organization
In the Service Provider Configuration, make sure the Signing Algorithm matches the one used by Azure AD
Azure AD Signing for SAML
Once done, save and click on SAML Identity Provider to add Azure AD
In the IDP Metadata, copy in the content of the XML downloaded earlier from Azure
When the content is copied, all the information of the IDP (Azure) will be filled in
I save the new IDP and go to the XS Artifact Administration to change the authentication method for my application
My application is now configured to use SAML; I will define the account to be used in Azure. From Azure AD, select the SAP Hana application
Select “Users and groups” and click on the + sign to add a user from AD
From the list of users available in my AD subscription, I choose the one I want to try out the authentication with and assign it for SAML.
Now done, I go to Hana Studio to map the user account with Azure AD.
Enter the IDP and the external ID to be mapped for the user
Once completed, I save and I’m ready to try.
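The Identifier, Reply URL and Signing Algorithm configured above have to agree on the Azure AD side and the Hana XS side. The following Python check is an added example, not part of the original post: it reads a SAML response (for instance one decoded from a test login) and lists every value that disagrees with the service provider settings, including the assertion's validity window. The sample response, the host hana.example.internal, the placeholder ACS path, the identifier HANA_SP_EXAMPLE and the function check_response are constructed for illustration; the check compares settings only and does not verify the signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS = "https://hana.example.internal/saml/acs"  # placeholder for the AssertionConsumerService URL

# Constructed sample response (not from a real system); signature and subject values omitted.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="{ACS}">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{ACS}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2018-01-10T10:00:00Z" NotOnOrAfter="2018-01-10T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>HANA_SP_EXAMPLE</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _utc(stamp):
    # SAML timestamps are UTC, e.g. 2018-01-10T10:00:00Z; fractional seconds are dropped.
    text = stamp.split(".")[0].rstrip("Z")
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_response(xml_text, sp_identifier, reply_url, sig_alg, now, skew_seconds=60):
    """List mismatches between a SAML response and the SP settings (no signature check)."""
    root = ET.fromstring(xml_text)  # parse only XML you captured yourself
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if sp_identifier not in audiences:
        problems.append(f"Identifier: audience is {audiences}, SP expects {sp_identifier!r}")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if reply_url not in recipients:
        problems.append(f"Reply URL: recipient is {recipients}, SP expects {reply_url!r}")
    algorithms = [m.get("Algorithm", "") for m in root.iterfind(".//ds:SignatureMethod", NS)]
    if not algorithms:
        problems.append("Signing: response carries no signature")
    elif not all(a.lower().endswith("#" + sig_alg.lower()) for a in algorithms):
        problems.append(f"Signing: algorithm is {algorithms}, SP expects {sig_alg!r}")
    conditions = root.find(".//saml:Conditions", NS)
    window = conditions.attrib if conditions is not None else {}
    skew = timedelta(seconds=skew_seconds)  # tolerated clock difference between IDP and SP
    if "NotBefore" in window and now + skew < _utc(window["NotBefore"]):
        problems.append("Validity: assertion is not yet valid (check clock sync)")
    if "NotOnOrAfter" in window and now - skew >= _utc(window["NotOnOrAfter"]):
        problems.append("Validity: assertion is no longer valid (check clock sync)")
    return problems
```

Pass the Identifier and Reply URL exactly as entered in Azure AD and XS Admin; an empty list means the response agrees with all of them.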
Testing the authentication with SAML
In my browser I enter my application url
And I am automatically redirected to Azure AD for authentication when I hit Enter
I select my account mapped to Hana to log in
It works !!!
My documentation is now complete; in the second part of my blog I will include the hybrid scenario with replication to Azure.
Wooww!! What a detailed installation. Thank you for sharing.
Hey Gabriel,
Thanks for your comment, it is the way I like to build my doc 😉 it takes time but I enjoy it !!
More coming up soon.
Williams
Hi Williams,
loved reading through your implementation, well done. Looking forward to reading more in the future 🙂
Best,
Andreas
Thanks Andreas.
Williams
Brilliant post. Bookmarked
Thank you very much Satish.
Williams
Hi Williams,
I am trying to configure my HANA 2.0 database into LAMA 3.0. Application servers on that host were getting detected but not the HANA database, which is throwing an error "Database name SYSTEM@HDB is an invalid format". We have nowhere manually given the symbol '@' in the DB name. Please find the attached screenshot and help me. Thank you.
regards,
Karthik