cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

DBA Cockpit: Planning calendar and remote Oracle databases- which method?

Go to solution
joe_ledesma
Participant

on ‎08-01-2011 7:23 PM

0 Kudos

For using DBA Planning Calendar to schedule BR*Tools for remote Oracle database AS Java systems I have successfully implemented both the Secure Shell and SAP gateway methods in [Note 1025707 - DBA Cockpit: Planning calendar and remote Oracle databases|https://service.sap.com/sap/support/notes/1025707] and was interested in which of these two methods others have found to be more supportable and maintainable?

-

In more detail, the note has these two methods for non-ABAP remote systems:

2. Connection through Remote/Secure Shell

Specifically Secure Shell. Rejecting remote shell as too old and insecure a protocol.

3 Connection through SAP gateway

The note provides clues as to how these methods work. Expanding on that:

With #2, central ABAP system calls out to its OS user level to execute the ssh client (after gw/rem_start has been set to the non-default value SSH_SHELL) which it finds in the location specified in gw/ssh (default value is /usr/bin/ssh). It must use password-less authentication and the key-based authentication must also not require a passphrase. (Using ssh-agent is not an option since this is being called from SAP, not from your own script.)

It remotely runs via ssh a command, sapxpg, which must be found in the PATH of the remote user. (This is why the note, which has you place this exe sapxpg and a subset of the BR*Tools in the home dir of the remote user, also has you make sure the home dir is included in the path--your OS might or might not include the user's home dir in the path in the default shell environment for a new user.)

Then via sapxpg, the BR*Tools are invoked.

One thing that may be confusing here is you have to check at least one gateway parameter 'gw/...' in the central system to get the method #2 the non-gateway method to work--this is because the two methods are technically almost the same: in #2, secure shell is used to basically start a gateway on the fly with sapxpg in order to call the BR*Tools each time a DBA Planning Calendar action runs or you view DBA or Backup logs of the remote system from the central system. With #3, the gateway runs continuously on the remote system.

With #3, central system connects to remote SAP standalone gateway, which executes the BR*Tools installed in the standard SAP kernel directory of the SAP gateway. This method is simpler to describe so it sounds like it has less components than the secure shell method, however you do have an entire SAP system running, although it is just a standalone gateway.

-

Thoughts:

These pros/cons are UNIX/Linux-oriented since I assume most Windows environments do not have added 3rd-party products that provide secure shell so SAP gateway is the only method.

Secure shell

+ Less software required (not counting secure shell which comes with the operating system distribution): just a few SAP executables placed in the home dir of an ordinary user on the remote system.

+ Secure shell service probably automatically starts upon boot of the remote system operating system.

+ Secure shell is a widely used tool outside of SAP for executing commands remotely without passwords.

- Installation is non-standard: shell environment of remote user is not adapted by SAP installer since SAP installer is not used, SAP executables in the home dir of the remote user is non-standard. Has to be setup manually.

- Requires setting up secure shell key-based authentication, which should be known by UNIX/Linux admins or combined Basis/UNIX/Linux admins, but might be less familiar to SAP Web AS only admins.

- If your admin config policy is to have SAP interact as little possible with the OS level for interfaces with other systems, here you are relying on the OS-level secure shell.

- Using a private key that does not require a passphrase on the central system may not fit with your security policies if you have standards for secure shell configuration.

SAP gateway

+ The gateway is a standard installation, performed with SAP installation tool, with the exception of a few additional environment settings that have to be added after the installation. BR*Tools are installed in the standard location. Can use standard procedures for updating this software.

+ Only uses SAP software.

- More software on remote system: standalone gateway just to run BR*Tools and view logs.

- SAP Kernel of remote gateway should probably be updated whenever you do SAP kernel updates across your systems for consistency. One more system to update.

- Shell environment of remote user that runs the gateway looks like something setup by the SAP installer but is not standard because it has a few additional environment variables added.

- Need to make sure the SAP gateway is started on the remote system.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎08-01-2011 9:31 PM
0 Kudos

Hi,

I prefer installing SAP gateway that kind of implementations rather than using 3rd parties. Because, it is a SAP product and very well documented. Additionally, you can have a support when you face with a problem by SAP.

Generally, I do not prefer to use 3rd party products on SAP systems, but this is my point of view.

Best regards,

Orkun Gedik

Show replies
Show replies
joe_ledesma
Participant
‎08-01-2011 10:11 PM
0 Kudos

Thank you for your reply. I get your overall point, that with the SAP gateway approach all the software involved is directly supportable by SAP Support.

I only meant to refer to Secure Shell as something 3rd party in the context of MS Windows (I have heard of the product Bitvise WinSSHD for example). For UNIX/Linux platforms I am considering Secure Shell as something that comes with the operating system for the purpose of the choice here (despite how the OS vendor typically gets it from open source OpenSSH). 'support' can be a tricky word: It is of course supported by SAP to use Secure Shell in this manner since it is included in the SAP note but I would not expect SAP Support to support us in configuring key-based authentication. For that we have the operating system vendor, which SAP expects us to have a support contract with anyway.

I am interested in replies from anyone regarding having a central system in which DBA Cockpit Planning Calendar is used for BR*Tools on remote Oracle databases.

Former Member
‎08-02-2011 6:21 AM
0 Kudos

Hi Joe,

I configured a monitoring/dba landscape for two SAP Portals and one SAP BusinessObjects system on a SAP landscape by using DBACOCKPIT, at a customer site. These systems are running on AIX, Windows 2003/2008 servers and attached to the central monitoring system with standalone SAP gateway installations.

One another reason to not use OS based commands or 3rd party tools is security. We are stopping and disabling most of the services on OS where SAP system is running on, because of the security reasons. I faced more security gaps on rsh/ssh and the other tools than standalone SAP Gateway installations. As you can figure out that rsh/ssh is getting more attack than standalone SAP Gateway, because of well known by the IT world.

As a summary of it, this depends to point of view and policy of the IT organization. I applied both ssh and standalone SAP Gateway solutions at my customers, but I choose standalone SAP Gateway installation among of them.

Best regards,

Orkun Gedik

Answers (0)

Ask a Question