Additional OS validations required for SAP Applications on RHEL 7.++
For SAP NetWeaver, if RHEL 7 is listed as supported in the SAP Product Availability Matrix this means that any update release of RHEL 7, for example RHEL 7 Update 1 (RHEL 7.1), can be used as well.
In order for your SAP system to be fully supported on RHEL 7, the following prerequisites must be fulfilled (this list is not exclusive, other notes may apply):
- You need to use the RHEL 7 server variant.
- You need to have valid support and update entitlements (“subscriptions”) from Red Hat for RHEL 7 and any additional layered components (e.g. Virtualization, Clustering, Cluster Storage). If the RHEL release has reached the end of the regular maintenance cycle (see SAP Note 936887 for an overview of the maintenance cycles of the Linux distributions supported by SAP) you need to make sure to have valid “Extended Lifecycle Support” subscriptions from Red Hat to be able to continue to use RHEL7 until the final maintenance for the distribution by Red Hat ends.
Red Hat recommends to get “RHEL for SAP Business Applications” subscriptions for all RHEL 7 servers running SAP applications. See SAP Note 1631106 or go to http://www.redhat.com/products/enterprise-linux/for-sap/ for more information. Please contact your local Red Hat sales representative for more information about how to purchase RHEL for SAP Business Applications subscriptions.
- Your machine must be able to retrieve additional RHEL 7 software packages and updates from the Red Hat Customer Portal either directly or via a Red Hat Satellite/Proxy server.
- You need to use hardware that is certified for SAP use on Linux by your hardware vendor. See the respective notes on certified hardware which are listed in SAP Note 171356.
- On x86_64 and s390x you can use any Linux kernel version shipped by Red Hat for Red Hat Enterprise Linux 7.
- On IBM Power Big Endian (ppc64) the minimum required RHEL7 kernel is 3.10.0-123.6.3.el7.ppc64.
- On IBM Power Little Endian (ppc64le) the minimum required release is RHEL 7.3 for IBM Power Little Endian.
- The original glibc version shipped with RHEL 7.0 is NOT sufficient (see https://rhn.redhat.com/errata/RHSA-2014-2023.html). The minimum required version of glibc for running SAP software on RHEL 7 is 2.17-55.el7_0.3 (see https://rhn.redhat.com/errata/RHSA-2014-2023.html). Higher versions of glibc built for RHEL7 can be used as well.
- It is recommended to always install the latest patches provided by Red Hat for all RHEL 7 packages installed on the system..
- See SAP Note 1452070 for additional recommendations for running SAP on zLinux.
Supported Hardware Platforms
Supported File Systems
In general any file system supported by Red Hat for RHEL7 can also be used for SAP installations. This currently includes XFS, EXT4, EXT3 and GFS2. Since the database vendors can limit the support of their database to certain file systems, please check with your DB vendor if the file system you plan to use is also supported by them.
Upgrading from a previous Red Hat Enterprise Linux release to RHEL 7
In-place upgrades from RHEL 6 to RHEL 7 is supported, however you must at least have the latest minor version installed on the system you plan to upgrade to RHEL 7. (Please note this is only for SAP Business Applications). Direct OS upgrades from RHEL 5 to RHEL 7 are not supported. Please see https://access.redhat.com/solutions/799813 for the list of supported use-cases for in-place upgrades to RHEL 7.
Before starting the upgrade please make sure that all SAP and DB instances running on the server have been updated to a level that is supported on RHEL 7 and that a working backup of the server exists.
All SAP and DB instances running on the server must be stopped, and all file systems belonging to the SAP installation (/usr/sap, /sapmnt, /<DB>) must be unmounted before starting the OS upgrade procedure to avoid damage to the SAP installation during the OS upgrade.
See https://access.redhat.com/site/solutions/637583 for detailed instructions on how to perform an in-place upgrade to RHEL7.
Installing Red Hat Enterprise Linux 7
Install the operating system as described in the RHEL 7 Installation guide (available at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/) using the following guidelines:
- Use English as the installation and system language. You can still change the keyboard layout to your local preference in the “Keyboard” configuration screen
- Manually partitioning the disks is strongly recommended to reserve space for the application.
- Select the correct timezone and make sure the date and time are set correctly in the “Date & Time” configuration screen. If a local NTP server is available you should also configure it in this screen
- In the “Network & Hostname” configuration screen enter the short name (e. g. “sapserver1”) and not the fully qualified hostname (e. g. “sapserver1.example.com”). How to map the short hostname to the fully qualified hostname is described below under Setting the Hostname.
- In the “Software Selection” screen it is recommended to select the software groups listed in the following at a minimum for an SAP server machine:
- Infrastructure Server
- Large Systems Performance
- Network File System Client
- Performance Tools
- Compatibiliy Libraries
- Infrastructure Server
- Some additional packages are required for running SAP software on RHEL 7 which can’t be selected during the interactive OS installation process:
- The compat-libstdc++-33 package which provides the libstdc++.so.5 which is required to run older releases of SAP software is no longer part of the standard package set on RHEL 7, it has been moved to the “Optional” channel.
Please see the section “Installing additional software packages” below for instructions on how to install additional packages after the OS installation.
Configuration changes required after the initial OS installation
- If you leave the firewall enabled, you need to open up the ports for your SAP product. The ports that have to be opened are listed during the installation of the SAP software but can also be found in /etc/services after it is installed. See the RHEL 7 Security Guide for more information on how to configure the firewall.
- Red Hat Enterprise Linux uses SELinux technology for additional security which is enabled by default. Because several components of an SAP server system (like the installation tools or some underlying RDBMS) are not aware of SELinux, we recommend setting SELinux to “Permissive” mode for the time being so that these components won’t break. We don’t recommend setting it to “Disabled” as this would require relabeling the whole filesystem if you want to enable it again at a later point for additional security when these components are made compatible or suitable procedures exist to make them function properly with SELinux. You can change SELinux settings by editing /etc/sysconfig/selinux for future boot processes. On a running system, you can switch between “Enforcing” and “Permissive” modes using the command “setenforce”.
- You have to register the system on the Red Hat Customer Portal or a local Red Hat Satellite or Red Hat Satellite Proxy to retrieve update packages for your machine. It is recommended that you update all packages (including kernel and glibc) to the latest version available in the official RHEL 7 channels after the first OS installation and at regular intervalls later on.
Setting the Hostname
Ensure that the system hostname is set to the short name as described above, i.e. both commands “hostname” and “hostname -s” must return the hostname without domain, “hostname -f” must return the fully qualified hostname and domain:
# hostname -s
# hostname -f
To set the hostname permanenty, please use the “hostnamectl” command.
Also set up /etc/hosts so that it is configured similar to the following example:
# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.0.1 sapserver1.example.com sapserver1
(any additional hosts should be added after these two lines)
It is important that the fully qualified domain name is in the second column, followed by any alias names and that the hostname of the machine is not associated with the IP address 127.0.0.1.
If you entered the fully qualified hostname during installation you can run the command ‘hostname <shorthostname>’ to set the short hostname without having to reboot the system.
See SAP Note 611361 for further information about hostname requirements for SAP NetWeaver based systems.
Linux kernel parameters
Some Linux kernel parameters have to be adjusted to meet the requirements of SAP software. To do this create a file /etc/sysctl.d/sap.conf with the following content (the valuies shown here are the required minimum values, higher values can be used as well):
# SAP settings
kernel.sem=1250 256000 100 1024
vm.max_map_count=2000000 (see SAP Note 900929 for more information)
Please check SAP Note 941735 for recommendations on how to configure the kernel parameters kernel.shmmax and kernel.shmall and other memory related settings for 64bit systems.
Run the command “sysctl –system” to activate the modified kernel parameters. You can use the command “ipcs -l –human” to check the current limits for shared memory, semaphores and message queues in the Linux kernel.
Process resource limits
Some components (e.g. the SAP J2EE engine, Oracle RDBMS software, …) need to keep a large number of file handles opened simultaneously. To increase the limit of files one process can open at a time for all OS users of the SAP system and DB, please create the file /etc/security/limits.d/99-sap.conf with the following content (these are the recommended minimum values, higher values can be used too):
@sapsys hard nofile 32800
@sapsys soft nofile 32800
@<DB group> hard nofile 32800
@<DB group> soft nofile 32800
(replace <DB group> with the name of the OS group of the OS database users, e. g. for Oracle <DB group> should be replaced with “dba” (without the double-quotes))
By default RHEL 7 limits the number of simultaneous processes for each user (except root) to 1024 via the file /etc/security/limits.d/90-nproc.conf to prevent so called “fork-bomb” attacks (see also https://access.redhat.com/solutions/146233). This can cause problems for example when running multiple SAP JAVA application server instances under the same userid. If you plan to run such a setup on RHEL 7, please also add the following line in /etc/security/limits.d/99-sap.conf:
@sapsys soft nproc unlimited
If you are running the database instance for an SAP system with a large number of dialog instances it might also be necessary to set the “nproc” limit to unlimited for the group of the database users as well. For example for Oracle you should also add the following line:
@dba soft nproc unlimited
(if a database other than Oracle is used replace “dba” with the name of the OS group that is used by all database processes)
Please logout and login all users belonging to these groups and restart all processes running under those users for the settings in the /etc/security/limits.d/99-sap.conf to take effect.
To ensure that the process resource limits also get adjusted when the SAP system is started via sapcontrol or a web service client (e. g. SAP MMC) please make sure to update your SAP system at least to SAP kernel 720 PL 400. See SAP Note 1771258 for more information.
Installing additional software packages
You can also install or reinstall a package or a package group at a later point after the OS installation with the following commands, provided that your system can access the RHEL software channels via the officially supported ways (directly or via Red Hat Satellite/Proxy):
- For installing individual packages:
yum install <package1> [<package2> [< package3> […]]]
where <package*> are the names of the packages to be installed, e.g.:
yum install uuidd
- For installing package groups:
yum groupinstall ‘<group1>’ [‘<group2>’ [‘< group3’ […]]]
where <group*> are the names of the groups you want to install.
The following yum groups correspond to the groups listed for the interactive installation above:
If your system can’t use the officially supported ways to access the RHEL software channels “yum” cannot determine the individual packages contained in a package group. In this case, you need to install the individual packages as described above. To find out which packages fulfill a certain requirement or are part of a certain package group, please contact your operating system support.
Additional notes for installing SAP systems
- You may get a warning from the Prerequisite Checker that Red Hat Enterprise Linux 7.x is not supported. You can ignore this warning.
- Since RHEL 7 ships with a Linux 3.x kernel some components of the SAP system need to be updated to be able to properly recognize the Linux 3.x kernel. Please see SAP Note 1629558 for more information.
- To be able to use some older SAP NetWeaver releases in an LDAP environment on RHEL 7/x86_64, you need to install a symbolic link for two libraries because the SAP binaries used to access LDAP where built against versions of these libraries with a non-standard SONAME:
ln -s /usr/lib64/libldap-2.3.so.0 /usr/lib64/libldap.so.199
ln -s /usr/lib64/liblber-2.3.so.0 /usr/lib64/liblber.so.199
For this to work you need to have the compat-openldap package installed
- When installing Oracle 11gR2 (188.8.131.52) the installer may fail with a linking error during “ins_emagent.mk”. Please see SAP Note 2130122 for instructions on how to correct this error.
- When using BRBACKUP, don’t use the cpio tool as a backend because it can’t restore archives larger than 4GB. See SAP Note 20577 for details.
- You may encounter problems during an installation of SAP NetWeaver when using Hummingbird Exceed version 10.0.0.0 or lower. After starting the SAP installer “sapinst”, the installation window will not appear, however the installation process will not terminate. To fix this issue please upgrade Hummingbird Exceed to version 10.0.0.15 or later
- On RHEL7 the “systemd-tmpfiles” service is active by default to clean up the /tmp directory. Since some SAP applications can store lock files and sockets in /tmp it is necessary to configure systemd-tmpfiles to prevent the deletion of these files. Therefore please add the file /etc/tmpfiles.d/sap.conf with the following contents to all RHEL7 systems running SAP applications:
# systemd tmpfiles exclude file for SAP
# SAP software stores some important files
# in /tmp which should not be deleted
# Exclude SAP socket and lock files
# Exclude HANA lock file
Starting with systemd-219-19 this configuration is included by default in the systemd packages shipped for RHEL7.
- When using SNC with the built-in Kerberos 5 libraries of the OS you need to use at least version 1.14.1-14.el7 of the krb5 packages provided by Red Hat for RHEL7 (see also SSO with kerberos for SAP NetWeaver fails (Red Hat Customer Portal account required))
- After updating to RHEL 7.2 applications like SAP NetWeaver, Oracle, DB” using IPC (Semaphores, Shared Memory, Message queues) for interprocess communication might fail with errors like
- DpCleanupSharedResources: removing Semaphore-Management
*** ERROR => e=22 semctl(360454,0,IPC_RMID,..) (22: Invalid argument) [semux.c 1683]
*** ERROR => e=43 semctl(1867828,0,IPC_RMID,..) (43: Identifier removed) [semux.c 1683]
*** ERROR => e=43 semctl(1900597,0,IPC_RMID,..) (43: Identifier removed) [semux.c 1683
- ORA-27157: OS post/wait facility removed
- DpCleanupSharedResources: removing Semaphore-Management
ORA-27300: OS system dependent operation:semop failed with status: 43
This issue is due to a change in the behaviour of the logind component of systemd. To fix this issue please update to systemd-219-19.el7_2.4 or later (see Applications using IPC (semaphores, shared memory, message queues) have problems after update to RHEL 7.2 for more information (Red Hat Customer Portal account required))
TAI based timezones are not supported on a Redhat installation for SAP!
For further information please refer to the https://access.redhat.com/articles/15145, which refers to all issues related to leapsecond in RHEL and https://access.redhat.com/solutions/1465713#, which refers to mostly question and resolution regarding to update tzdata package, NTP client, TAI and UTC time scales, …