INTERNAL
SAP Host AgentDocument Version: 1.0 - 2015-01-22
SAP Host AgentValid for SAP Host Agent 7.20 Patch Level 201 and higher
Content
1 SAP Host Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
2 SAP Host Agent Change Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Architectural Overview of SAP Host Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4 Downloading the SAPHOSTAGENT Archive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5 SAP Host Agent Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5.1 Installing SAP Host Agent Manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5.2 Installing SAP Host Agent Using Software Provisioning Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
6 SAP Host Agent Upgrade. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
6.1 Upgrading SAP Host Agent Manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
6.2 Automated Upgrade of SAP Host Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Configuring the Automated Upgrade Behavior of SAP Host Agent. . . . . . . . . . . . . . . . . . . . . . . . . . 19
Avoiding Incomplete Upgrade of SAP Host Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Configuring Delayed Auto-Upgrade of SAP Host Agent to Avoid Network Bottlenecks. . . . . . . . . . . .22
7 SAP Host Agent Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
7.1 Enabling SAP Host Agent Registration in SLD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
7.2 SSL Configuration for the SAP Host Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configuring SSL for SAP Host Agent on Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Configuring SSL for SAP Host Agent on UNIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Configuring SSL for SAP Host Agent on IBM i. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
7.3 Enabling Audit Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
7.4 Binding Only Specific IP Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
8 Uninstalling SAP Host Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
9 SAP Host Agent Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
9.1 SAP Host Agent Reference - Command Line Options of the saphostexec Executable. . . . . . . . . . . . . . . 40
9.2 SAP Host Agent Reference - Command Line Options of the hostexecstart Executable. . . . . . . . . . . . . . 42
2I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentContent
1 SAP Host Agent
SAP Host Agent is an agent that can accomplish several life-cycle management tasks, such as operating system monitoring, database monitoring, system instance control and provisioning.
Validity of this Documentation
This documentation is valid for SAP Host Agent 7.20 Patch Level (PL) 201 and higher. For information about how to check the version of an existing SAP Host Agent installation, see SAP Host Agent Reference - Command Line Options of the saphostexec Executable [page 40].
See SAP Note 1907566 about how to update older versions of this documentation within your local SAP Library installations.
SAP Host Agent Usage
SAP Host Agent is installed automatically during the installation of new SAP instances with SAP kernel 7.20 or higher. SAP Host Agent is upgraded automatically as part of the SAP instance, when you patch or upgrade the SAP kernel. However, you can also install and upgrade SAP Host Agent independently from an SAP instance.
Features
SAP Host Agent provides you with the following features:
● SAP instance discovery and inventory● SAP instance control● Database monitoring and management● System or instance provisioning:
○ Hosting the infrastructure of SAP Landscape Virtualization Management (LVM), formerly known as SAP NetWeaver Adaptive Computing Controller (ACC)
○ Hosting software lifecycle (SL) tools interfaces● Operating system monitoring:
○ Using saposcol○ Using Common Information Model (CIM) based infrastructures
● IBM i-specific features:
○ Dynamically adopted authorization for SAP kernel 7.20 and higher○ SAP ILE daemon (SAPILED)
SAP Host AgentSAP Host Agent
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 3
○ SAP Database Performance Collector for IBM i
Related Information
SAP Host Agent Change Log [page 5]Architectural Overview of SAP Host Agent [page 6]Downloading the SAPHOSTAGENT Archive [page 10]SAP Host Agent Installation [page 11]SAP Host Agent Upgrade [page 16]SAP Host Agent Configuration [page 24]Uninstalling SAP Host Agent [page 38]SAP Host Agent Reference [page 40]
4I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent
2 SAP Host Agent Change Log
Some features are only available as of a certain patch level (PL) version of the SAP Host Agent archive. SAP recommends that you use the highest available PL version, even if you want to monitor a component of SAP NetWeaver with a lower release.
Table 1:
Feature Description Available as of
Verification of Digital Signature The production version of the SAP Host Agent is available as a digitally signed SAR archive. You can now use the additional parameter -verify to verify the content of the SAP Host Agent archive against the SAP digital signature during installation and upgrade.
SAP HOST AGENT 7.20 PL201
Audit Logging SAP Host Agent provides the means to audit-log every operation the SAP Host Agent is performing. If you want to use audit logging, you have to activate it.
For more information, see Enabling Audit Logging [page 35]
SAP HOST AGENT 7.20 PL118
sapcrypto library and command line tool sapgenpse already contained in the SAPHOSTAGENT<version>.SAR archive
The sapcrypto library and the command line tool sapgenpse are already contained in the SAPHOSTAGENT <version>.SAR archive.
For more information, see SSL Configuration for the SAP Host Agent [page 26].
SAP HOST AGENT 7.20 PL62
Automated upgrade SAP Host Agent is enabled to check for updates automatically and get upgraded if a version of the SAP Host Agent executable is found that is higher than the existing one.
For more information, see Automated Upgrade of SAP Host Agent [page 19].
SAP HOST AGENT 7.20 PL45
Related Information
SAP Host Agent [page 3]
SAP Host AgentSAP Host Agent Change Log
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 5
3 Architectural Overview of SAP Host Agent
SAP Host Agent provides a bunch of executables and services which are described in this section from an architecture point of view.
The following graphics provide an overview about SAP Host Agent and its components:
6I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentArchitectural Overview of SAP Host Agent
Executables and Services
The executable directory of SAP Host Agent is in the following location:
Table 2:
UNIX /usr/sap/hostctrl/exe
Windows %ProgramFiles%\SAP\hostctrl\exe
IBM i /usr/sap/hostctrl/exe and objects in library R3SAP400
SAP Host Agent has the following executable programs and services:
Table 3:
The SAPHostExec service
saphostexec is a service or daemon that only runs under privileged user accounts such as root on UNIX or Local System under Windows.
saphostexec hosts the life-cycle management processes of the SAP Host Agent itself, such as upgrade and installation.
The sapstartsrv service SAPHostControl
SAPHostControl runs within SAP Host Agent under the sapadm user.
SAPHostControl should not be confused with sapstartsrv which runs under the <sapsid>adm user in the SAP system instance with the instance profile.
NoteSAPHostControl contains the functionality of the previous CCMS agent SAPCCMSR, that is, the agent that monitors hosts. For more information, see Central Monitoring with SAP NetWeaver Management Agents in the SAP NetWeaver Application Server for ABAP (AS ABAP) documentation.
The operating system collector saposcol
saposcol is a stand-alone program that runs in the operating system background. It runs independently of SAP instances exactly once per monitored host. saposcol collects data about operating system resources, including:
● Usage of virtual and physical memory● CPU utilization● Utilization of physical disks and file systems● Resource usage of running processes
saposcol makes the data available using a segment of the shared memory for various applications and all SAP instances on a host.
The DB4STATS program and command (IBM i only )
The DB4STATS program and command are partly contained in the R3SAP400 library. They provide the SAP Database Performance Collector for IBM i. You can find a detailed description of this collector in SAP Note 1622665 and in the documentation attached to this SAP Note.
The
SAP ILE daemon (IBM i only )
The SAP ILE daemon is needed to update ILE components (objects in libraries) from the patch archive after installing a SAP kernel patch. You can find a detailed description of the SAP ILE daemon in SAP Note 1637588 .
SAP Host AgentArchitectural Overview of SAP Host Agent
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 7
NoteThe installed programs are started automatically when the host is booted.
Table 4:
Windows On Windows hosts, this is done by the services SAPHostControl and SAPHostExec.
UNIX On UNIX the automatic start is ensured by the startup script sapinit.
IBM i On IBM i, the programs are started by the auto-start job entry SAPINIT in subsystem QUSRWRK, which was created during the installation.
Profile File
The profile parameters of SAP Host Agent are stored in the host_profile file. This file is located in the executable directory of the SAP Host Agent (see Executables and Services above).
Working Directory
The working directory of SAP Host Agent is in the following location:
Table 5:
UNIX, IBM i
/usr/sap/hostctrl/work
Windows %ProgramFiles%\SAP\hostctrl\work
The working directory contains, among other things, the following configuration files:
Table 6:
CSMCONF Start file for the agents that contains connection data for the central monitoring system
SAPCCMSR.INI Contains information about the extent to which plug-ins, log files, and SAPOSCOL information should be considered; this file is read when the agent is started. For more information, see Parameters of the SAPCCMSR.INI Configuration File in the SAP NetWeaver Application Server for ABAP (AS ABAP) documentation.
In an ABAP system, you can display all files in the working directory of SAP Host Agent in the central monitoring system. You can use transaction RZ21 to do this. In the Topology group box, select one of the Agents for ... radio buttons. The Monitoring: Display Technical Topology screen appears. Now select SAP Host Agent and then choose Working Directory of the Agent. The system displays the files of the directory. To display the contents of a file, choose the file by double-clicking it.
8I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentArchitectural Overview of SAP Host Agent
Log Files
The following log files are created during runtime for SAP Host Agent. They are available in the working directory of SAP Host Agent:
Table 7:
sapstartsrv_ccms.log
This log file is for central monitoring. It is stored in subdirectory sapccmsr of the working directory.
sapstartsrv.log Contains the developer trace for sapstartsrv
dev_saphostexec Contains the developer trace for saphostexec.
dev_sapdbctrl Contains the developer trace for sapdbctrl.
A log file is also created during runtime for SAP Host Agent with the name sapstartsrv_ccms.log, and log files are created for RFC communication. The log files are stored in the sapccmsr subfolder of the working directory.
AL Files
For system instances, the AL* files ( ALMTTREE, ALPERFHI, and ALALERTS) are in the working directory of the SAP Host Agent. $DIR_LOGGING directory. These files contain the monitoring segment data.
Related Information
SAP Host Agent [page 3]
SAP Host AgentArchitectural Overview of SAP Host Agent
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 9
4 Downloading the SAPHOSTAGENT Archive
The SAPHOSTAGENT<SP-version>.SAR archive contains all of the required elements for centrally monitoring any host. It is available for all operating system platforms supported by SAP.
Context
It is automatically installed during the installation of SAP systems or instances with SAP kernel 7.20 or higher.
Procedure
1. Go to the SAP Software Distribution Center of the SAP Service Marketplace at http://support.sap.com/swdc.
2. Log on with your SAP Support Portal ID.
3. In the navigation bar, choose Download Software Support Packages and Patches Browse Download Catalog SAP Technology Components SAP HOST AGENT SAP HOST AGENT 7.20 <operating system> .
4. Select the appropriate SAPHOSTAGENT<SP-version>.SAR archive from the Download tab.
RecommendationAlways select the highest SP version of the SAPHOSTAGENT<SP-version>.SAR archive, even if you want to monitor a component of SAP NetWeaver with a lower release.
5. Make sure that the SAPCAR tool is available on the host where you want to install SAP Host Agent.
You need the SAPCAR tool in order to be able to decompress the SAPHOSTAGENT<SP-version>.SAR archive. For more information about SAPCAR and how to get it, see SAP Note 212876 .
Related Information
SAP Host Agent [page 3]
10I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentDownloading the SAPHOSTAGENT Archive
5 SAP Host Agent Installation
In many cases SAP Host Agent is installed automatically. However, there are certain cases when you have to install it manually.
SAP Host Agent is installed automatically during the installation of all new SAP system instances or instances with SAP kernel 7.20 or higher.
RecommendationThe general strategy in high availability (HA) environments is to install the SAP Host Agent locally on each cluster node.
The following sections describe how you can install SAP Host Agent separately:
● Installing SAP Host Agent Manually [page 11]● Installing SAP Host Agent Using Software Provisioning Manager [page 15]
Related Information
SAP Host Agent [page 3]
5.1 Installing SAP Host Agent Manually
You can install SAP Host Agent manually by executing the saphostexec executable with option -install from the extracted SAPHOSTAGENT<SP-version>.SAR archive.
Prerequisites
● You have downloaded the SAPHOSTAGENT<SP-version>.SAR archive as described in Downloading the SAPHOSTAGENT Archive [page 10]
● You have made sure that the following operating system-specific requirements are met:
Table 8:
Windows You have installed the specified Microsoft security patch in accordance with the instructions in SAP Note 1375494 . You also need to install the latest version of the Microsoft Runtime used by SAP as described in SAP Note 684106 .
SAP Host AgentSAP Host Agent Installation
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 11
IBM i Option 33 of the operating system must be installed. Use menu GO LICPGM to check whether the option is installed and install it if required.
IBM i The system startup program (specified in system value QSTRUPPGM) must contain the STRSBS command to start subsystem QSYS/QUSRWRK. This is needed because SAPHOSTAGENT will be started as an auto-start job in subsystem QSYS/QUSRWRK
Procedure
1. Log on as a user with the required authorization:
Table 9:
Windows As a member of the local Administrators group
UNIX As a user with root authorization
IBM i As a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
If user profile R3GROUP does not exist on your server, it will be created during the installation of SAP Host Agent. If you have already installed SAP systems on other servers, we recommend that you use the same group ID (GID) for all sapsys and R3GROUP groups in the system landscape. To obtain the group ID (GID) for R3GROUP on another IBM i server in your landscape, enter the command DSPUSRPRF USRPRF(R3GROUP) and scroll down until you see the value for Group ID number.
2. IBM i only: Enter the command CALL PGM(QP2TERM) to start a PASE interactive terminal session.
3. Download the SAPHOSTAGENT<SP-version>.SAR archive as described in Downloading the SAPHOSTAGENT Archive [page 10]
4. Copy the downloaded SAPHOSTAGENT<SP-version> archive to a temporary directory, for example:
Table 10:
Windows c:\temp\hostagent
UNIX, IBM i
/tmp/hostagent
5. Change to the temporary directory that now contains the downloaded SAPHOSTAGENT<SP-version>.SAR archive.
6. Extract the SAPHOSTAGENT<SP-version>.SAR archive using SAPCAR.
Take SAP Note 212876 into account when doing so. Use the following command for extraction, and execute them in the directory of the archive:
Table 11:
Windows <path to SAPCAR> sapcar.exe -xvf SAPHOSTAGENT<SP-version>.SAR
UNIX <path to SAPCAR> sapcar -xvf SAPHOSTAGENT<SP-version>.SAR
IBM i <path to SAPCAR> SAPCAR -xvf SAPHOSTAGENT<SP-version>.SAR
Among others, the archive contains the saphostexec program.
12I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Installation
7. Start the installation by entering the following command:
Table 12:
Windows saphostexec.exe -install
If user sapadm does not yet exist, it is automatically created as a local user and you are prompted to enter a password for this user to be created.
NoteIn some cases it might be useful to configure sapadm as a domain user instead of a local user, for example if you have multiple Windows hosts in your system landscape each of which has SAP Host Agent. Enter the following command to install saphostexec while specifying sapadm as the domain user:
saphostexec.exe -install -user <domain>\sapadm
RecommendationUse the additional parameter -verify to verify the content of the installation package against the SAP digital signature:
saphostexec.exe -install -verify
UNIX ./saphostexec -install
The administrator user sapadm of the SAP Host Agent is created automatically during the installation, but it does not get assigned a password.
NoteYou can set the password in one of the following ways:
○ During the installation using the following command: ./saphostexec -install -passwdIn this case saphostexec will prompt you to enter a password
○ After the installation has finished by entering the following command as user root: passwd sapadm
RecommendationUse the additional parameter -verify to verify the content of the installation package against the SAP digital signature:
./saphostexec -install -verify
SAP Host AgentSAP Host Agent Installation
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 13
IBM i ./saphostexec -install -gid <gid>
NoteIf you have already installed SAP systems on other servers, we recommend that you use the same group ID (GID) for all sapsys or R3GROUP groups in the system landscape. To do this, enter your landscape system GID into <gid> on the above command. If user profile R3GROUP already exists, or if you want the saphostcontrol installation to automatically generate a new group ID, enter the command saphostexec -install without the addition -gid <gid> .
RecommendationUse the additional parameter -verify to verify the content of the installation package against the SAP digital signature:
./saphostexec -install -verify
The progress of the installation is displayed on the command line.
8. After the installation has finished successfully, you can check whether SAP Host Agent is up and running by executing the following command from the directory of the SAP Host Agent executables:
Table 13:
Windows %ProgramFiles%\SAP\hostctrl\exe\saphostexec.exe -status
UNIX, IBM i
/usr/sap/hostctrl/exe/saphostexec -status
9. IBM i only: Leave the PASE interactive terminal session using function key F3
Results
After the installation has finished successfully, SAP Host Agent is up and running.
Next Steps
You can now delete the temporary directory with all its content.
IBM i only: If it did not already exist, R3GROUP was created during the installation. Even though SAP Host Agent does not require special authorities, we recommend that you grant the required authorities for system API's that need to be authorized for user profile R3GROUP for your SAP system now. For more information, see SAP Note 175852 .
14I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Installation
Related Information
SAP Host Agent Installation [page 11]
5.2 Installing SAP Host Agent Using Software Provisioning Manager
You can also install SAP Host Agent using software provisioning manager 1.0 (formerly known as SAPinst).
Context
The required files are on the kernel medium for the current release.
Procedure
Proceed as described in section Installing SAP Host Agent Separately in the documentation Installation Guide - SAP Systems Based on the Application Server <ABAP or Java> of SAP NetWeaver on <OS>: <DB> - Using Software Provisioning Manager 1.0 at: http://service.sap.com/sltoolset
Related Information
SAP Host Agent Installation [page 11]
SAP Host AgentSAP Host Agent Installation
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 15
6 SAP Host Agent Upgrade
As part of the SAP instance, SAP Host Agent is upgraded automatically when you patch or upgrade the SAP kernel. However, we recommend upgrading SAP Host Agent independently from the SAP instance, either by doing this manually or by configuring automated upgrade.
RecommendationIf you have a 720_EXT patch level (PL) of SAP Host Agent installed, we recommend that you upgrade it to the latest version of SAP Host Agent 720.
The following sections describe how to do this:
● Upgrading SAP Host Agent Manually [page 16]● Automated Upgrade of SAP Host Agent [page 19]
Related Information
SAP Host Agent [page 3]
6.1 Upgrading SAP Host Agent Manually
You perform the upgrade by running saphostexec -upgrade from the directory to which you extracted the SAPHOSTAGENT<SP-version>.SAR archive before.
Prerequisites
You have downloaded the desired target release version of the SAPHOSTAGENT<SP-version>.SAR archive as described in Downloading the SAPHOSTAGENT Archive [page 10].
Procedure
1. Log on as a user with the required authorization:
16I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Upgrade
Table 14:
Windows As a member of the local Administrators group
UNIX As a user with root authorization or as a member of the sapsys group, for example <sapsid>adm
IBM i As a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
2. IBM i only: Enter the command CALL PGM(QP2TERM) to start a PASE interactive terminal session.
3. Copy the downloaded SAPHOSTAGENT<SP-version>.SAR archive to a temporary directory, for example:
Table 15:
Windows c:\temp\hostagent
UNIX, IBM i
/tmp/hostagent
4. Change to the temporary directory that now contains the downloaded SAPHOSTAGENT<SP-version>.SAR archive.
5. Extract the SAPHOSTAGENT<SP-version>.SAR archive using SAPCAR.
Take SAP Note 212876 into account when doing so. Use the following command for extraction, and execute them in the directory of the archive:
Table 16:
Windows <path to SAPCAR> sapcar.exe -xvf SAPHOSTAGENT<SP-version>.SAR
UNIX <path to SAPCAR> sapcar -xvf SAPHOSTAGENT<SP-version>.SAR
IBM i <path to SAPCAR> SAPCAR -xvf SAPHOSTAGENT<SP-version>.SAR
Among others, the archive contains the saphostexec program.
6. Perform the upgrade by running the following command from the temporary directory:
Table 17:
Windows saphostexec.exe -upgrade
RecommendationUse the additional parameter -verify to verify the content of the installation package against the SAP digital signature:
saphostexec.exe -upgrade -verify
SAP Host AgentSAP Host Agent Upgrade
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 17
UNIX ○ If you are logged on as a user with root authorization, the command is as follows: ./saphostexec -upgrade
RecommendationUse the additional parameter -verify to verify the content of the installation package against the SAP digital signature:
./saphostexec -upgrade -verify
○ If you are logged on as a member of the sapsys group, for example <sapsid>adm, the command is as follows: /usr/sap/hostctrl/exe/hostexecstart -upgrade <path to temporary directory with extracted SAPHOSTAGENT<SP-version>.SAR>
IBM i ./saphostexec -upgrade
RecommendationUse the additional parameter -verify to verify the content of the installation package against the SAP digital signature:
./saphostexec -upgrade -verify
The progress of the upgrade is displayed on the command line.
7. After the upgrade has finished successfully, you can check the version of the upgraded host agent by executing the following command from the directory of the SAP Host Agent executables:
Table 18:
Windows %ProgramFiles%\SAP\hostctrl\exe\saphostexec.exe -version
UNIX, IBM i
○ If you are logged on as a user with root authorization, the command is as follows: /usr/sap/hostctrl/exe/saphostexec -version
○ If you are logged on as a member of the sapsys group, for example <sapsid>adm, the command is as follows: /usr/sap/hostctrl/exe/hostexecstart -version
/usr/sap/hostctrl/exe/saphostexec -version
8. IBM i only: Leave the PASE interactive terminal session using function key F3
Next Steps
Post-requisites:
You can now delete the temporary directory with all its content.
Related Information
SAP Host Agent Upgrade [page 16]
18I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Upgrade
6.2 Automated Upgrade of SAP Host Agent
SAP Host Agent is enabled to check for updates automatically and get upgraded if a version of the SAP Host Agent executable is found that is higher than the existing one.
● Configuring the Automated Upgrade Behavior of SAP Host Agent [page 19]● Avoiding Incomplete Upgrade of SAP Host Agent [page 21]● Configuring Delayed Auto-Upgrade of SAP Host Agent to Avoid Network Bottlenecks [page 22]● See also SAP Note 1473974 .
Related Information
SAP Host Agent Upgrade [page 16]
6.2.1 Configuring the Automated Upgrade Behavior of SAP Host Agent
The running saphostexec executable regularly checks a directory $DIR_NEW, by default /usr/sap/hostctrl/new (on UNIX and IBM i) or %ProgramFiles%\SAP\hostctrl\new (on Windows), where it expects to find the latest version of the executable of SAP Host Agent from the unpacked SAPHOSTAGENT.SAR archive.
Prerequisites
Table 19:
Windows You must be logged on as a member of the local Administrators group.
UNIX You must be logged on as a user with root authorizations.
IBM i You must be logged on as a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
Context
An upgrade is only performed if a version of the SAP Host Agent executable programs is found in the $DIR_NEW directory that is higher than the version of the executable programs that exist in the SAP Host Agent executable directory.
SAP Host AgentSAP Host Agent Upgrade
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 19
RecommendationThe production version of the SAP Host Agent is available for customers as a digitally signed SAR archive. It is recommended that you create an empty file .verify in the $DIR_NEW directory to enable the verification of the package integrity using SAP digital signature during the auto-upgrade step.
Procedure
1. You can configure the automated upgrade behavior by adapting the host_profile file which you can find in the following directory:
Table 20:
UNIX and IBM i /usr/sap/hostctrl/exe
Windows %ProgramFiles%\SAP\hostctrl\exe
○ By default, the saphostexec program performs a check for updates every 5 minutes. You can change this behavior by adapting profile value hostexec/autoupgrade_delay= <minutes> .
○ In addition, you can also change the name and path of the directory that contains the newest SAP Host Agent version using profile value DIR_NEW= <path to a directory> .Windows: If the new SAP Host Agent version is located on a network share, you have to use the UNC path for the value of the DIR_NEW profile parameter, for example: DIR_NEW = \\<your_host>\<your_share>\SAPHostAgent\SAPHostAgent_Update
2. Once you have changed the SAP Host Agent profile, you need to restart SAP Host Agent in order to make the changes take effect:a. IBM i: Enter the command CALL PGM(QP2TERM) to start a PASE interactive terminal session .b. Change to the directory of the saphostexec executable:
Table 21:
UNIX, IBM i /usr/sap/hostctrl/exe
Windows %ProgramFiles%\SAP\hostctrl\exe
c. Run the following command to restart SAP Host Agent:
Table 22:
UNIX, IBM i ./saphostexec -restart
Windows saphostexec.exe -restart
Related Information
Automated Upgrade of SAP Host Agent [page 19]
20I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Upgrade
6.2.2 Avoiding Incomplete Upgrade of SAP Host Agent
We recommend that you create an empty file called .upgrading in the $DIR_NEW directory to avoid that saphostexec starts the upgrade procedure during the extraction of SAPHOSTAGENT<SP-version>.SAR - with the consequence that only part of the newest version of the packages is upgraded.
Procedure
1. Create the .upgrading file in the $DIR_NEW directory.
2. Extract SAPHOSTAGENT<SP-version>.SAR to $DIR_NEW.
3. Remove .upgrading from the $DIR_NEW directory.
ExampleThis example shows how you proceed on UNIX. You can proceed analogously on other operating system platforms:
Sample Codecd /usr/sap/hostctrl/new/
touch .upgrading
SAPCAR -xvf SAPHOSTAGENT <SP-version>.SAR
rm .upgrading
Related Information
Automated Upgrade of SAP Host Agent [page 19]
SAP Host AgentSAP Host Agent Upgrade
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 21
6.2.3 Configuring Delayed Auto-Upgrade of SAP Host Agent to Avoid Network Bottlenecks
Within large installations, it normally makes sense to use one single share where the content of SAPHOSTAGENT<SP-version>.SAR is extracted regularly.
Context
With this configuration the simultaneous upgrade of many machines is very easy. Unfortunately, if all machines start to access a single network share, it could result in a network bottleneck, and in case of a restrictive firewall configuration, to a complete outage.
To avoid this kind of problem, for large landscapes you can additionally create a configuration file within $DIR_NEW, containing the maximum time range of an upgrade. In this case the various saphostexec processes of the different machines will plan the upgrade in a random way within a well defined time window.
Procedure
Create a file in $DIR_NEW called .delay.
The format of the file is as follows: <Value1> random- <Value2> :
○ <Value1> represents the number of minutes after an auto-upgrade is checked, and <Value2> the maximum value of minutes after which the auto-upgrade is started.The real upgrade delay value in minutes is given by: Delay = <Value1> + <randomValue> *<Value2>
Example500
Auto-upgrade checks the version of the file contained in $DIR_NEW every 500 minutes.
○ <Value2> is optional and could be omitted.
Example500random500
Auto-upgrade checks the version of the file contained in $DIR_NEW every 500 minutes.
Once the version of SAP Host Agent contained within $DIR_NEW is newer, the upgrade will be started within the next 500 minutes. The exact time when the upgrade is started is a random value between 1 and 500 minutes.
22I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Upgrade
Related Information
Automated Upgrade of SAP Host Agent [page 19]
SAP Host AgentSAP Host Agent Upgrade
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 23
7 SAP Host Agent Configuration
Here you find information about the most relevant aspects of SAP Host Agent configuration.
● Enabling SAP Host Agent Registration in SLD [page 24]● SSL Configuration for the SAP Host Agent [page 26]● Enabling Audit Logging [page 35]● Binding Only Specific IP Addresses [page 36]
Related Information
SAP Host Agent [page 3]
7.1 Enabling SAP Host Agent Registration in SLD
To enable the automatic registration to SLD you have to configure the connectivity information using the command line tool sldreg.
Prerequisites
● You must be logged on as a user with the appropriate authorizations:
Table 23:
Windows As a member of the local Administrators group.
UNIX As a user with root authorizations.
IBM i As a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
Procedure
1. You are on the host that you want to register in the SLD.
2. IBM i: Enter the command CALL PGM(QP2TERM) to start a PASE interactive terminal session .
3. Change to the following directory as current directory ( DIR_GLOBAL Directory):
24I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Configuration
Table 24:
Windows (language-dependent)
%ProgramFiles%\SAP\hostctrl\exe
UNIX, IBM i
/usr/sap/hostctrl/exe
4. Call the sldreg executable with the following command:
Table 25:
Windows sldreg -configure slddest.cfg
UNIX, IBM i
./sldreg -configure slddest.cfg
CautionYou have to make sure that the SLD connection file is named slddest.cfg and that it is located in the DIR_GLOBAL directory of SAP Host Agent. Otherwise the registration does not work.
NoteUNIX, IBM i: To be able to access its libraries, the sldreg program requires the path /usr/sap/hostctrl/exe in the search path for libraries.
○ UNIX: For example, under Linux with a C shell, you can achieve this with the following command:setenv LD_LIBRARY_PATH /usr/sap/hostctrl/exe:$LD_LIBRARY_PATH
○ IBM i: From within QP2TERM, you can achieve this with the following command: export LIBPATH=/usr/sap/hostctrl/exe:$LIBPATH
5. Enter the connection data for the SLD with which you want to register this host:
○ SLD user that has been assigned the role DataSupplierLD○ Password of the above user○ Host and HTTP port of the SLD○ Protocol (HTTP or HTTPS)
6. Confirm that you want to save this data in the encrypted file slddest.cfg.
7. Restart SAP Host Agent by executing the following command:
Table 26:
Windows saphostexec.exe -restart
UNIX, IBM i
./saphostexec -restart
The restart generates an XML file in the working directory of SAP Host Agent and transfers it to the SLD. This XML file contains all of the information about the host that the SLD requires.
SAP Host AgentSAP Host Agent Configuration
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 25
Results
You have registered the local host with an SLD.
Next Steps
You can check if the registration was performed successfully. To do this, call the start page of the SLD with the URL http:// <host>: <port>/sld, and choose Technical Systems. Choose AS Java In the Technical System Type drop-down list box. The host that you have just registered is displayed.
Related Information
SAP Host Agent Configuration [page 24]
7.2 SSL Configuration for the SAP Host Agent
Configuring secure socket layer (SSL) for SAP Host Agent is a multi-step procedure. The following sections exemplarily describe SSL configuration on UNIX, Windows and IMB i.
The main steps are as follows:
1. Preparing the environment for SAP Cryptographic Library2. Preparing the Personal Security Environment (PSE) for the server3. Preparing the Personal Security Environment (PSE) for the client4. Establishing trust between the client and SAP Host Agent5. Allowing the client to issue administrative commands
The following sections exemplarily describe SSL configuration on UNIX, Windows and IMB i:
● Configuring SSL for SAP Host Agent on Windows [page 27]● Configuring SSL for SAP Host Agent on UNIX [page 29]● Configuring SSL for SAP Host Agent on IBM i [page 32]
Related Information
SAP Host Agent Configuration [page 24]
26I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Configuration
7.2.1 Configuring SSL for SAP Host Agent on Windows
This section exemplarily describes SSL configuration for the SAP Host Agent on Windows.
Prerequisites
You must be logged on as a member of the local Administrators group.
Context
In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default .pse name, you can use the following value in the profile file of SAP Host Agent ( host_profile):
ssl/server_pse= <Path to Server PSE>
Procedure
1. Prepare the environment for SAP Cryptographic Library:a. Open a command line prompt and change to the %PROGRAMFILES%\SAP\hostctrl\exe directory.b. Create a subdirectory named sec and set the SECUDIR environment variable to refer to the new directory
using the following commands:
%PROGRAMFILES%\SAP\hostctrl\exe> mkdir sec
%PROGRAMFILES%\SAP\hostctrl\exe> set SECUDIR=%PROGRAMFILES%\SAP\hostctrl\exe\sec
NoteAlternatively, you can also use another directory, but then you have to specify the location of the PSE file using the parameter ssl/server_pse as described above.
RecommendationSet up SECUDIR as an absolute path in order to avoid trouble with the sapgenpse tool.
c. Make sure that the files are readable and executable by user sapadm.
2. Prepare the Personal Security Environment (PSE) for the server:
The server PSE contains the server certificate, which is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates.
SAP Host AgentSAP Host Agent Configuration
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 27
a. Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR) .
Example%PROGRAMFILES%\SAP\hostctrl\exe> sapgenpse gen_pse -p SAPSSLS.pse -x passwd1 -r myhost-csr.p10 "CN=myhost.wdf.sap.corp, O=SAP AG, C=DE"
This command creates a PSE file named SAPSSLS.pse (name is fixed), which can be used to authenticate myhost.wdf.sap.corp for incoming SSL connections. The access to the PSE file is protected with passwd1. Use the -r option to direct the certificate signing request to a file, or omit it if you intend to copy and paste the CSR into a Web form.
b. Grant the SAP Host Agent access to the server PSE.
Example%PROGRAMFILES%\SAP\hostctrl\exe> sapgenpse seclogin -p SAPSSLS.pse -x passwd1 -O sapadm
c. Get the certificate as follows:
1. If you do not use individually trusted certificates, send the certificate signing request to an appropriate CA.
2. Assuming that the CA replies to the request file with a CA-response-file which contains the signed certificate in the PKCS#7 format, you can use this file as an input for importing the signed certificate into the server PSE.
d. Import the signed certificate into the server PSE.
Example%PROGRAMFILES%\SAP\hostctrl\exe> sapgenpse import_own_cert -p SAPSSLS.pse -x passwd1 -c myhost.p7b (if the used format is PKCS#7).
e. Verify the server certificate chain.
Example%PROGRAMFILES%\SAP\hostctrl\exe> sapgenpse get_my_name -p SAPSSLS.pse -x passwd1 -v
3. Restart SAP Host Agent.
4. Prepare the Personal Security Environment (PSE) for the client:
The client PSE contains the client certificate that is sent to SAP Host Agent when establishing the SSL connection, and the names and public keys of the trusted certificates. For the client, trusted certificates can only be certificates that are issued by a Certification Authority (CA).
The configuration steps are client-specific, that is why we only describe them in a generic way. Follow the instructions in the specific client documentation.
Examples for possible clients are the SAP Management Console (SAP MC), the Diagnostics Agent in SAP Solution Manager, or the SAP Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing Controller (ACC)).
28I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Configuration
Results
RecommendationIf you successfully applied the procedure described above, SAP Host Agent also serves port 1129 for SSL communication.
Related Information
SSL Configuration for the SAP Host Agent [page 26]
7.2.2 Configuring SSL for SAP Host Agent on UNIX
This section exemplarily describes SSL configuration for the SAP Host Agent on UNIX.
Prerequisites
You are logged on as a user with root authorization.
Context
In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default .pse name, you can use the following value in the profile file of SAP Host Agent ( host_profile):
ssl/server_pse= <Path to Server PSE>
Procedure
1. Prepare the Personal Security Environment (PSE) for the server:
The server PSE contains the server certificate that is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates.
Proceed as follows:
a. Create a directory /usr/sap/hostctrl/exe/sec using the mkdir command.
SAP Host AgentSAP Host Agent Configuration
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 29
NoteAlternatively, you can also use another directory, but then you have to specify the location of the PSE file using the parameter ssl/server_pse as described above. In the following steps we always refer to the sec directory for the sake of simplicity.
b. Assign the ownership for the sec directory to sapadm:sapsys.c. Set up the shared library search path ( LD_LIBRARY_PATH, LIBPATH or SHLIB_PATH) and SECUDIR
environment variables, and change to the exe directory of SAP Host Agent.
Example○ On Linux and Solaris, the required commands are as follows:
export LD_LIBRARY_PATH=/usr/sap/hostctrl/exe/export SECUDIR=/usr/sap/hostctrl/exe/seccd /usr/sap/hostctrl/exe
○ On HP-UX, the required commands are as follows:export SHLIB_PATH=/usr/sap/hostctrl/exe/export SECUDIR=/usr/sap/hostctrl/exe/seccd /usr/sap/hostctrl/exe
○ On AIX , the required commands are as follows:export LIBPATH=/usr/sap/hostctrl/exeexport SECUDIR=/usr/sap/hostctrl/exe/seccd /usr/sap/hostctrl/exe
RecommendationSet up SECUDIR as an absolute path in order to avoid trouble with the sapgenpse tool.
d. Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR).Run the command as user sapadm so that the created files are owned by this user.
Examplesudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x <password> -r /tmp/myhost-csr.p10 "CN=myhost.wdf.sap.corp, O=SAP AG, C=DE"
This command creates a PSE file named SAPSSLS.pse (name is fixed), which can be used to authenticate myhost.wdf.sap.corp for incoming SSL connections. The access to the PSE file is protected with a password. Use the -r option to direct the certificate signing request to a file, or omit it if you intend to copy and paste the CSR into a web formular.
e. Grant SAP Host Agent access to the server PSE.
Examplesudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x <password> -O sapadm
30I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Configuration
f. Get the certificate as follows:
1. Send the certificate signing request to an appropriate CA.2. Assuming that the CA replies to the request file with a CA-response-file which contains the signed
certificate in the PKCS#7 format, you can use this file as an input for importing the signed certificate into the server PSE.
ExampleIf the used format is PKCS#7, the text file could be named myhost.p7b. We use this file name in the following examples.
g. Import the signed certificate into the server PSE.
Examplesudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x <password> -c /tmp/myhost.p7b
h. Verify the server certificate chain.
Examplesudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x <password> -v
2. Restart SAP Host Agent.
3. Prepare the Personal Security Environment (PSE) for the client:
The client PSE contains the client certificate that is sent to SAP Host Agent when the SSL connection is established, and the names and public keys of the trusted certificates from CA.
The configuration steps are client-specific, that is why we only describe them in a generic way. Follow the instructions in the specific client documentation.
Examples for possible clients are the SAP Management Console (SAP MC), the SAP Solution Manager Diagnostics Agent, or the SAP Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing Controller (ACC)).
Results
RecommendationIf you successfully applied the procedure described above, SAP Host Agent also serves port 1129 for SSL communication.
SAP Host AgentSAP Host Agent Configuration
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 31
Related Information
SSL Configuration for the SAP Host Agent [page 26]
7.2.3 Configuring SSL for SAP Host Agent on IBM i
This section exemplarily describes SSL configuration for the SAP Host Agent on IMB i.
Prerequisites
You must be logged on as a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
Context
In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default .pse name, you can use the following value in the profile file of SAP Host Agent ( host_profile):
ssl/server_pse= <Path to Server PSE>
Procedure
1. Prepare the Personal Security Environment (PSE) for the server:
The server PSE contains the server certificate, which is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates.
a. You must temporarily enable the login for user SAPADM. To change the user profile, enter the following command:CHGUSRPRF USRPRF(SAPADM) INLMNU(MAIN) LMTCPB(*NO)
b. Create a directory /usr/sap/hostctrl/exe/sec using the following command:CRTDIR DIR('/usr/sap/hostctrl/exe/sec') DTAAUT(*EXCLUDE) OBJAUT(*NONE)
NoteAlternatively, you can also use another directory, but then you must specify the location of the PSE file using the parameter ssl/server_pse as described above. In the following steps we always refer to the sec directory for the sake of simplicity.
32I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Configuration
c. Change the owner and primary group of the PSE directory and set the appropriate authorities using the following command:
QSYS/CHGOWN OBJ('/usr/sap/hostctrl/exe/sec') NEWOWN(SAPADM)
QSYS/CHGPGP OBJ('/usr/sap/hostctrl/exe/sec') NEWPGP(R3GROUP) DTAAUT(*RWX)d. Now log on as user SAPADM and execute the command CALL PGM(QP2TERM) before entering the
commands of the following steps.e. Set up the shared library search path ( LIBPATH) and SECUDIR environment variables, and change to the
exe directory of SAP Host Agent.
The required commands are as follows:
export LIBPATH=/usr/sap/hostctrl/exe
export SECUDIR=/usr/sap/hostctrl/exe/sec
cd /usr/sap/hostctrl/exe
RecommendationSet up SECUDIR as an absolute path in order to avoid trouble with the sapgenpse tool.
f. Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR) using the following command:
. ./sapgenpse gen_pse -p SAPSSLS.pse -x <PASSWORD>-r <PKCS#10 requestfile> <DISTINGUISHED NAME>
This command creates the PSE file /usr/sap/hostctrl/exe/sec/SAPSSLS.pse (the name is fixed), which can be used to authenticate the host described by <DISTINGUISHED NAME> for incoming SSL connections. Access to the PSE file is protected with password <PASSWORD> .
The CSR is written into the stream file <PKCS#10 requestfile> . You can ignore the warning sapgenpse WARNING: Environment variable "USER" not defined!
Example./sapgenpse gen_pse -p SAPSSLS.pse -x pass -r /tmp/myhost-csr.p10 "CN=myhost.wdf.sap.corp, O=SAP AG, C=DE"
This command creates the PSE file /usr/sap/hostctrl/exe/sec/SAPSSLS.pse, which can be used to authenticate myhost.wdf.sap.corp for incoming SSL connections. Access to the PSE file is protected with the password pass. The CSR is written into the stream file /tmp/myhost-csr.p10.
g. Grant SAP Host Agent access to the server PSE using the following command:
./sapgenpse seclogin -p SAPSSLS.pse -x <PASSWORD>-O sapadm
Example./sapgenpse seclogin -p SAPSSLS.pse -x pass -O sapadm
h. Get the certificate as follows:
1. Transfer the stream file containing the CSR (certificate signing request) to a PC and send it to the Certification Authority (CA) you are using.
SAP Host AgentSAP Host Agent Configuration
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 33
2. Assuming that the CA replies to the request file with a CA-response-file which contains the signed certificate in the PKCS#7 format, you can use this file as an input for importing the signed certificate into the server PSE. Transfer this text file to a stream file on your IBM i.
ExampleThe text file could be named myhost.p7b and transferred to the stream file /tmp/myhost.p7b. We use this file name in the following examples.
i. Import the signed certificate into the server PSE using the following command:
./sapgenpse import_own_cert -p SAPSSLS.pse -x <PASSWORD>-c <CA-response-file>
Example./sapgenpse import_own_cert -p SAPSSLS.pse -x pass -c /tmp/myhost.p7b
j. Verify the server certificate chain using the following command:
./sapgenpse get_my_name -p SAPSSLS.pse -x <PASSWORD>-v
Example./sapgenpse get_my_name -p SAPSSLS.pse -x pass -v
k. To reset the changes to user profile SAPADM that you have made in step 1.a), leave program QP2TERM with function key F3 and enter the following command:CHGUSRPRF USRPRF(SAPADM) INLMNU(*SIGNOFF) LMTCPB(*YES)
l. Log on as a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR and execute the command CALL PGM(QP2TERM) before entering the command following which restarts SAP Host Agent:
/usr/sap/hostctrl/exe/saphostexec -restart2. Prepare the Personal Security Environment (PSE) for the client:
The client PSE contains the client certificate, which is sent to SAP Host Agent when the SSL connection is established, and the names and public keys of the trusted certificates from CA.
The configuration steps are client-specific, that is why we only describe them in a generic way. Follow the instructions in the specific client documentation.
Examples for possible clients are the SAP Management Console (SAP MC), the Diagnostics Agent in SAP Solution Manager, or the SAP Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing Controller (ACC)).
Results
If you successfully applied the procedure described above, SAP Host Agent also serves port 1129 for SSL communication.
34I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Configuration
Related Information
SSL Configuration for the SAP Host Agent [page 26]
7.3 Enabling Audit Logging
SAP Host Agent provides the means to perform audit logging for every operation the SAP Host Agent is executing. If you want to use audit logging, you have to activate it using the related entries in the host_profile file.
Context
The operating systems which are supported by Host Agent have built-in means of audit logging. On UNIX and Linux, SAP Host Agent uses the syslog (/var/log/messages), and in Windows the Application Eventlog. The user can decide if audit logging is done using OS means or provide a file to which all audit messages are written. Audit logging is disabled by default. You can enable and configure it using host_profile parameters.
Procedure
1. Edit the host_profile file.
For information about where you can find this file, see the Profile File section in Architectural Overview of SAP Host Agent [page 6].
2. Change the following parameters according to your needs:
Table 27:
Parameter Description
service/auditlevel=0/1 0 disables audit logging, 1 enables audit logging.
service/auditlogfile=<PATH_TO_FILE>
If an audit logfile is provided by the user, SAP Host Agent uses the logfile for audit logging. Eventlog and Syslog will not be used in this case. If the file does not exist, it is created by SAP Host Agent.
service/auditlogfilesize=0...X
If an audit logfile is provided, the user can decide to which extent the logfile is allowed to grow. All sizes must be given in MB (Megabyte). If the configured size is exceeded, the current audit logfile is saved to <FILENAME>.old and a new audit logfile is created. If the size is set to 0 or if the parameter is not configured at all, the audit logfile can grow unlimitedly.
3. Restart SAP Host Agent to activate the changed configuration settings.
SAP Host AgentSAP Host Agent Configuration
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 35
ExampleAudit logging output is always written in one line and can look like this:
[2012/08/24 11:22:16][AUDIT SUCCESS]Operation ListInstances; Socket type Network Socket; Remote IP 127.0.0.1; Remote port 60779; Username Not Available Labels parameters
Related Information
SAP Host Agent Configuration [page 24]
7.4 Binding Only Specific IP Addresses
You can configure SAP Host agent only to accept network connections for specific IP addresses or host names.
You can achieve this in one of the following ways:
Using the profile value service/hostname
1. Specify the following value in the host_profile of the SAP Host Agent:service/hostname = <host_name>orservice/hostname = <IP_Address>
Example
service/hostname = 127.0.0.1
2. Restart the SAP Host Agent by executing the following command:saphostexec -restart
SAP Host Agent should now bind only the specified IP address.
ExampleOn Linux, you can check this as follows:
/usr/sap/hostctrl/exe# netstat -tlnp | grep 1128
tcp 00 127.0.0.1:11280 0.0.0:* LISTEN 8368/sapstartsrv
/usr/sap/hostctrl/exe#
36I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Configuration
You can see that only 127.0.0.1 is bound
Using Network ACL (Access Control List)
1. Specify the following value in the host_profile of the SAP Host Agent:service/http/acl_file = <Path_to_an_ACL_file> or service/https/acl_file = <Path_to_an_ACL_file> if you use HTTPS.You can also set both values.
2. Restart the SAP Host Agent by executing the following command:saphostexec -restart
The ACL file should be configured as specified in SAP Note 1495075 .
SAP Host Agent will still bind all available addresses, but as soon a client tries to connect, it is either refused or accepted according to the ACL file configuration.
SAP Host AgentSAP Host Agent Configuration
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 37
8 Uninstalling SAP Host Agent
You can uninstall SAP Host Agent by running the saphostexec executable from the command line.
Prerequisites
Table 28:
Windows You must be logged on as a member of the local Administrators group.
UNIX You must be logged on as a user with root authorizations.
IBM i You must be logged on as a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
Context
On Windows, you can also unistall the SAP Host Agent using Control Panel Programs and Features .
Procedure
1. IBM i only: Enter the command CALL PGM(QP2TERM) to start a PASE interactive terminal session.
2. Run the following command from the command line:
Table 29:
UNIX, IBM i
/usr/sap/hostctrl/exe/saphostexec -uninstall
Windows %ProgramFiles%\SAP\hostctrl\exe\saphostexec.exe -uninstall
Results
This command stops the executables and services of SAP Host Agent and deletes the following:
● The work directory of SAP Host Agent● The exe directory of SAP Host Agent● Windows: The local sapadm user and SAP_LocalAdmin group
38I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentUninstalling SAP Host Agent
Related Information
SAP Host Agent [page 3]
SAP Host AgentUninstalling SAP Host Agent
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 39
9 SAP Host Agent Reference
Here you can find a reference of the command line options available for the SAP Host Agent executables.
● SAP Host Agent Reference - Command Line Options of the saphostexec Executable [page 40]● SAP Host Agent Reference - Command Line Options of the hostexecstart Executable [page 42]
Related Information
SAP Host Agent [page 3]
9.1 SAP Host Agent Reference - Command Line Options of the saphostexec Executable
Usually SAP Host Agent is automatically started when the operating system is booted. You can also manually control it using the saphostexec program.
Prerequisites
You are logged on as a user with the required authorization:
Table 30:
Windows As a member of the local Administrators group
UNIX As a user with root authorization
IBM i As a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR
Features
You call the program from the command line with the following syntax:
Table 31:
Windows %ProgramFiles%\SAP\hostctrl\exe\saphostexec.exe -[option] [pf=<ProfilePath>]
40I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Reference
UNIX, IBM i /usr/sap/hostctrl/exe/saphostexec -[option] [pf=<ProfilePath>]
where <ProfilePath> is path to the profile file ( host_profile) of SAP Host Agent. By default the host_profile file is located in the executable directory.
You can execute saphostexec with the following command line options:
Table 32:
Option Meaning
-help Lists all command line options of saphostexec with documentation
-install [-verify] Installs SAP Host Agent
RecommendationUse the additional parameter -verify to verify the content of the installation package against the SAP digital signature.
-upgrade [-verify] Upgrades SAP Host Agent
RecommendationUse the additional parameter -verify to verify the content of the installation package against the SAP digital signature.
-uninstall Uninstalls SAP Host Agent
-restart Starts or restarts SAP Host Agent
-stop Stops a running SAP Host Agent
-status Returns the status of SAP Host Agent
-version Returns the version of SAP Host Agent with detailed information
Related Information
SAP Host Agent Reference [page 40]
SAP Host AgentSAP Host Agent Reference
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 41
9.2 SAP Host Agent Reference - Command Line Options of the hostexecstart Executable
The hostexecstart program is a command line tool available for UNIX operating systems. It allows a user that does not have root authorization to perform some control operations relevant for the lifecycle of SAP Host Agent.
Prerequisites
You have to be member of group sapsys, for example <sapsid>adm, to be able to execute the program.
Features
You call the program from the command line with the following syntax:
/usr/sap/hostctrl/exe/hostexecstart -[option] [pf=<ProfilePath>]
Calling hostexecstart without any arguments starts SAP Host Agent
You can execute hostexecstart with the following command line options:
Table 33:
Option Meaning
-help Lists all command line options of hostexecstart with documentation
-upgrade <path> Upgrades SAP Host Agent using the path to the extracted SAPHOSTAGENT <SP-version>.SAR
-start Starts SAP Host Agent if it is not running
-restart Restarts SAP Host Agent
-status Returns the information whether SAP Host Agent is running or not running
-version Returns the version of SAP Host Agent with detailed information
Related Information
SAP Host Agent Reference [page 40]
42I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Host AgentSAP Host Agent Reference
Important Disclaimers and Legal Information
Coding SamplesAny software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.
AccessibilityThe information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.
Gender-Neutral LanguageAs far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet HyperlinksThe SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).
SAP Host AgentImportant Disclaimers and Legal Information
I N T E R N A L© 2015 SAP SE or an SAP affiliate company. All rights reserved. 43
www.sap.com/contactsap
© 2015 SAP SE or an SAP affiliate company. All rights reserved.No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Material Number:
**
Top Related