Manage SAP on GCP with SAP LaMa Adapter for GCP – Part 1

Managing your SAP landscape efficiently is key for any organization, both from an IT to business perspective. This is especially true when you are running your system in the cloud. In this regard, Google released a free-of-charge adapter for SAP LaMa, which allows you now to assess this part of the cloud journey on GCP.

In this 2-part article, I will explain and show you how to proceed with this adapter, but also highlight the available operations.

SAP%20LaMa%20Adapter%20for%20GCP

SAP LaMa Adapter for GCP

Before starting any action and to guarantee the success of the exercise, it is important to do some research on our subjects.

Here is a collection of guides, references, and SAP Notes to be reviewed.

Note that these references differ from the previous article, so take the time to review them.

SAP Notes
3051302 – SAP Landscape Management 3.0 SP20
2039615 – Managing system landscapes with SAP Landscape Management Enterprise Edition
3078321 – Google Cloud Connector for SAP Landscape Management (LaMa) 3.x, enterprise edition
2456432 – SAP Applications on Google Cloud: Supported Products and GCP VM types
2488113 – Discover SAP HANA Multitenant Database Containers in SAP LaMa 3.0
2844322 – SAP HANA Platform 2.0 SPS 05 Release Note

Guides
SAP Landscape Management 3.0, Enterprise Edition
SAP Landscape Management 3.0, Enterprise Edition, Developer Guide

Knowledge Base
SAP on Google Cloud Documentation

Before diving into the technical detail about the process and the solution, let’s first review some comprehensive and basic understanding.

If you are reading this article you might be already familiar with the SAP LaMa product, If not I’m here to share 😉.

By design SAP LaMa comes with two (2) built-in cloud adapter, Azure and AWS, so in order to provide clients the ability to use the tool in its true form, Google has decided to release its own adapter (free of charge) for you to install.
SAP%20LaMa%20default%20Adapter

SAP LaMa default Adapter

Let’s have a look now at how to articulate SAP LaMa, here I’m referring to the deployment of SAP LaMa itself. You can run it on a hybrid model (different platform than GCP) which will be required for you to have a dedicated service account with the necessary permission to authenticate and administer your managed system in the project they belong to or at the upper level.
You will also need to think about your connectivity and DNS resolution.
SAP%20LaMa%20Adapter%20Option%201

SAP LaMa Adapter Option 1

The other option will be to run your SAP LaMa instance in GCP directly. Will this be simple? Yes, but you need to be mindful of some requirements, including:

  1. You will need to run SAP LaMa on a certified VM for SAP workload, you will find the certified VMs on the SAP Note 2456432—SAP Applications on Google Cloud: Supported Products and GCP VM types
  2. Make sure that you have the required API scope activated for VM instance
  3. Finally, just like for the on-prem option, a dedicated service account.

SAP%20LaMa%20Adapter%20Option%202

SAP LaMa Adapter Option 2

We know what it takes now for the SAP LaMa portion, so let’s dive in and prepare the managed environment. The 3 following components will need to be deployed on your remote system:

  1. SAP Host Agent 7.21 PL51 or higher required
  2. SAP Adaptive Extension 1.0 EXT PL61 or higher
  3. Host Agent Extensions for Google Cloud

SAP%20LaMa%20GCP%20Host%20Extension

SAP LaMa GCP Host Extension

I will not detail how to install the Host Agent and Adaptive Extension. Instead, I will focus on the install of the GCP Host Agent Extension. Note that the package extension is part of the full package for SAP LaMa.
I start by downloading the package by running wget $(curl https://storage.googleapis.com/cloudsapdeploy/lama-connector/LATEST.txt) and extract the content.
GCP%20Connector%20Download

GCP Connector Download

And finally, run the install.sh script.
GCP%20Connector%20Script%20Installation

GCP Connector Script Installation

Make sure to have the operations.d folder in the exe repository. The script will copy all the necessary libraries for LaMa to perform GCP actions.

I will recommend you to take a GMI (Google Machine Image) once your system preparation is completed, by doing so you will have a standard based image for your future deployment.
However, be mindful of the OS version or release (SLES vs SLES for SAP).
From the GCP console, under Compute Engine, select Machine Images and create your image from the source vm.
Google%20Machine%20Image

Google Machine Image

In order for SAP LaMa to interact with GCP resources, a service account will be required whatever scenario you envision (on-prem/GCP). I would recommend you to create a dedicated user for more control and visibility.

In the project, I want to manage my sap environment, I will first create a custom role that will be assigned to my service account. From the GCP console, under IAM & Admin select Roles.
GCP%20Role%20Console

GCP Role Console

And create a new role, provide the necessary information and most important give the right set of permissions.
GCP%20Custom%20Role%20Creation

GCP Custom Role Creation

From the Add permission, filter the role and select compute/admin.
GCP%20Role%20Permission

GCP Role Permission

The list of permissions will show up, you can select all of them but the problem if you do that is the fact that your user will inherit unnecessary permissions which can create a security breach.
Instead of typing everything out, 😉 I will lead you to the following page for the full list of permission: Required IAM resource permissions for the Connector for LaMa
SAP%20LaMa%20Full%20Custom%20Permission

SAP LaMa Full Custom Permission

Once created you will see your custom role.
SAP%20LaMa%20Custom%20Enabled

SAP LaMa Custom Enabled

Let’s create the service account from the GCP console now, under IAM & Admin, select Service Accounts and + Create Service Account.
GCP%20Service%20Account%20Creation

GCP Service Account Creation

The creation of the account is pretty straightforward. Simply give a name and provide the custom role created in the earlier step.
GCP%20Service%20Account%20Role%20Assignment

GCP Service Account Role Assignment

Once created, select your service account and click on the KEYS tab to create a key. This one will be used for connectivity purposes since we don’t specify the password for the SA.
GCP%20Service%20Account%20KEYS

GCP Service Account KEYS

Create the new Key and use the JSON format.
Service%20Account%20Key%20Creation

Service Account Key Creation

Service%20Account%20Key%20JSON%20Format

Service Account Key JSON Format

Note that the key might be downloaded automatically on your laptop, hold it we will open it later.

Service%20Account%20Key%20Active%20and%20Download

Service Account Key Active and Download

So, now that our GCP environment is prepared to hold and manage the SAP environment by SAP LaMa, I’m going to proceed with the installation of the adapter.
First of all, to allow the communication between the adapter and GCP API, a Google CA certificate is needed, go to the Google Trust Services at https://pki.goog/repository/
Google%20CA%20Certificate%20Repository

Google CA Certificate Repository

From the Subordinate CAs, download the GTS CA 1C3 certificate
Google%20GTS%20CA%20Certificate%20Download

Google GTS CA Certificate Download

And upload the certificate from NWA.
SAP%20Netweaver%20Certificates%20and%20Keys

SAP Netweaver Certificates and Keys

From the Key Storage Views, select TrustedCAs and click on Import Entry.
SAP%20Netweaver%20TruestedCAs

SAP Netweaver TruestedCAs

Import the certificate as X.509
Import%20Google%20Certificate

Import Google Certificate

Once done you should have the following:
Google%20Certificate%20Details

Google Certificate Details

We also want to avoid using IPv6 from SAP LaMa, I will add the following parameter in the Java System Properties and restart your instance.
Netweavre%20IPv6%20avoid

Netweavre IPv6 avoid

We are now ready to proceed with the installation of the adapter, I will run the installation by using the j2ee deployment script. My ear adapter is stored in my /tmp/sap location.
SAP%20LaMa%20GCP%20Connector%20Deployment

SAP LaMa GCP Connector Deployment

Once done, from SAP LaMa interface the new Google Adapter is now available so I can make the necessary configuration.
SAP%20LaMa%20Cloud%20Manager

SAP LaMa Cloud Manager

I will click next and provide my label and monitoring interval, but because I’m using a dedicated service account, I will past the content of my private JSON key generated earlier in the “Service Account” field under Additional Properties.

Note that the value needs to be in one line from { to }
GCP%20Service%20Account%20Key%20Content%20Detail

GCP Service Account Key Content Detail

SAP%20LaMa%20Cloud%20Managers%20GCP%20Configuration

SAP LaMa Cloud Manager GCP Configuration

Before saving, test the configuration to ensure it’s all good.
GCP%20Cloud%20Adapter%20Testing

GCP Cloud Adapter Testing

Because the adapter brings capabilities to compute and storage operations, on Storage Manager and Virtualization managers new entries should appear with the suffix of the Label.
SAP%20LaMa%20Storage%20Managers

SAP LaMa Storage Managers

SAP%20LaMa%20Virtualiztion%20Managers

SAP LaMa Virtualiztion Managers

Finally, if I check under Advanced Operations the virtualization tab, I will see my project with my existing VM and storage attached to each of them.
SAP%20LaMa%20Advanced%20Operations

SAP LaMa Advanced Operations

On the GCP side.
GCP%20Console%20Compute%20Engine%20Instances

GCP Console Compute Engine Instances

Conclusion
The preparation to run SAP LaMa for GCP is not complicated but will require some attention in regard to the authorization that needs to be granted for your service account. Indeed, we want to be careful and avoid security problems especially if you grant these authorizations at the organization level, which will be inherited to all subsequent projects created.

In the second part of this blog, I will walk you through several operations available from SAP LaMa to GCP, from template deployment to system copy and backup.