Configuring Support for SAP HANA
This section describes how to configure CTE for SAP HANA, which provides automatic host-failover support.
Overview
SAP HANA provides automatic host-failover support. CTE works with HANA fibre storage systems to enable and disable GuardPoints when a protected host starts, stops, or fails over to a standby host.
CipherTrust Transparent Encryption - SAP HANA (CTE-SAP HANA) supports non-shared storage, where each HANA node has its own separate storage volumes. CTE-SAP HANA provides customized scripts to support startups, shutdowns, and failovers.
HANA attaches logical unit numbers (LUNs) or logical volume management (LVM) volumes using Fibre Storage Connector (fcClient) providers. Thales provides hooks, called by the HANA fcClient providers, that manage guarding and unguarding of the storage locations.
Note
Thales recommends using host groups to manage configuration in a clustered host environment.
Customizing CTE for SAP HANA in HA Mode
Caution
The following procedure only applies if multiple HANA nodes are configured in a high availability (HA) environment. If you are installing CTE on a single HANA node, do not change the default HANA or CTE settings.
- Go to the installation directory:
  cd /opt/vormetric/DataSecurityExpert/agent/secfs/saphana
- If required, edit the appropriate CTE fcClient refined script:
  Script file               Use
  fcClientRefinedVTE.py     fcClient provider for LUNs
  fcClientLVMRefinedVTE.py  fcClientLVM provider for LVMs
- Copy the appropriate script file to a shared location that is accessible to all nodes. In a HANA cluster environment, all nodes require access to the CTE scripts.
- Edit the storage section of the global.ini file to set the corresponding CTE fcClient as the High Availability (HA) provider and to point to the location of the CTE script.
  LUN example:
  [storage]
  ha_provider = fcClientRefinedVTE
  ha_provider_path = /hana/shared/myFcClient
  If necessary, enable debug tracing:
  [trace]
  ha_provider = debug
  ha_fcclient = debug
  ha_fcclientrefinedvte = debug
  LVM example:
  [storage]
  ha_provider = fcClientLVMRefinedVTE
  ha_provider_path = /hana/shared/myFcClient
  If necessary, enable debug tracing:
  [trace]
  ha_provider = debug
  ha_fcclientlvm = debug
  ha_fcclientlvmrefinedvte = debug
- Use the same CTE agent with all hosts, including standby hosts.
- Ensure that /etc/sudoers includes the following:
  <sid>adm ALL=NOPASSWD: /usr/bin/secfsd
- Enable the guard paths at the mount-point level:
  - For example, individual guards were placed on /hana/data/HAN/mnt00001, /hana/data/HAN/mnt00002, and so forth.
  - Use a similar naming practice for log partitions, such as /hana/log/HAN/mnt00001, and so forth.
  - Place the guard at the mount-point level. The guarded paths must match the corresponding data and log mount paths.
- Configure GuardPoints as type manual. You must enable the GuardPoints immediately after the device is attached and disable them just prior to detachment. Manual GuardPoints are required because guarding and unguarding are invoked from within HANA during the startup, shutdown, or failover process, much as guarded auto-mount points are guarded and unguarded when they are mounted and unmounted.
- Configure all GuardPoints so that they are available on the standby host, so that any data and log partitions that fail over from any host can be guarded on the standby. Thales recommends that you configure all GuardPoints on all hosts, because a failed-over active host can then become the new standby and will require all available GuardPoints.
Example
The following example shows the data and log volumes that are mounted on the host.
/dev/mapper/VG_HAN_DATA_1-LV_HAN_DATA_1 793971096 3059712 750579916 1% /hana/data/HAN/mnt00001
/hana/data/HAN/mnt00001 793971096 3059712 750579916 1% /hana/data/HAN/mnt00001
/dev/mapper/VG_HAN_LOG_1-LV_HAN_LOG_1 496233160 2461764 468564152 1% /hana/log/HAN/mnt00001
/hana/log/HAN/mnt00001 496233160 2461764 468564152 1% /hana/log/HAN/mnt00001
Note that partition mnt00002 is also configured, although it is not currently mounted by HANA. The secfsd status output should show the GuardPoint configuration as follows:
GuardPoint               Policy  Type    ConfigState  Status       Reason
----------               ------  ----    -----------  ------       ------
/hana/data/HAN/mnt00001  my-pol  manual  guarded      guarded      N/A
/hana/log/HAN/mnt00001   my-pol  manual  guarded      guarded      N/A
/hana/data/HAN/mnt00002  my-pol  manual  unguarded    not guarded  Inactive
/hana/log/HAN/mnt00002   my-pol  manual  unguarded    not guarded  Inactive
For more information, see SAP HANA Fiber Channel Storage Connector Admin Guide.
Using SAP HANA with LDT
SAP HANA is compatible with LDT with the following changes:
- You must add additional CTE commands to the HANA administrator entry. Using a text editor, edit /etc/sudoers and add entries for /usr/bin/voradmin and /usr/bin/vmsec:
  hanadm ALL=NOPASSWD: /usr/bin/secfsd,/usr/bin/voradmin,/usr/bin/vmsec,/sbin/multipath,/sbin/multipathd,/etc/init.d/multipathd,/usr/bin/sg_persist,/bin/mount,/bin/umount,/bin/kill,/usr/bin/lsof,/sbin/vgchange,/sbin/vgscan
- If you are using an ext3 file system, you must mount it with extended attributes. Using a text editor, edit the storage section of the global.ini file and add:
  partition_*_data__mountOptions = -o user_xattr
  partition_*_log__mountOptions = -o user_xattr
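As an added pre-flight check, not part of the Thales documentation or the CTE scripts, the following Python code validates the settings that the HA procedure above and the LDT changes depend on: the [storage] section of global.ini (a CTE refined script as ha_provider, an absolute ha_provider_path, and user_xattr mount options when ext3 is used with LDT), the <sid>adm NOPASSWD entry for /usr/bin/secfsd in /etc/sudoers, and the secfsd status table listing every HANA data and log mount as a manual GuardPoint. The sample inputs are constructed from the examples on this page, and the requirement that ha_provider_path be absolute is this check's own assumption.

```python
import configparser
import re

# CTE refined scripts named in this guide and the storage type each covers.
CTE_PROVIDERS = {"fcClientRefinedVTE": "LUN", "fcClientLVMRefinedVTE": "LVM"}

def check_global_ini(ini_text, require_xattr=False):
    """Return a list of problems found in the [storage] section of global.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    st = cp["storage"] if cp.has_section("storage") else {}
    problems = []
    if st.get("ha_provider", "") not in CTE_PROVIDERS:
        problems.append("ha_provider is not a CTE refined script")
    if not st.get("ha_provider_path", "").startswith("/"):  # assumption: absolute path
        problems.append("ha_provider_path must be an absolute, shared path")
    if require_xattr:  # ext3 volumes used with LDT need extended attributes
        for key, val in st.items():
            if key.endswith("mountoptions") and "user_xattr" not in val:
                problems.append(f"{key} lacks -o user_xattr")
    return problems

def check_sudoers(sudoers_text, sid):
    """True if <sid>adm may run /usr/bin/secfsd through sudo without a password."""
    user = re.escape(f"{sid.lower()}adm")
    for m in re.finditer(rf"^{user}\s+ALL=NOPASSWD:\s*(.+)$", sudoers_text, re.M):
        if "/usr/bin/secfsd" in [c.strip() for c in m.group(1).split(",")]:
            return True
    return False

def check_guardpoints(status_text, mounts):
    """Return the HANA mount paths that are not configured as manual GuardPoints."""
    rows = {}
    for line in status_text.splitlines():
        parts = line.split()  # GuardPoint Policy Type ConfigState Status Reason
        if len(parts) >= 4 and parts[0].startswith("/"):
            rows[parts[0]] = parts[2]  # path -> Type
    return [m for m in mounts if rows.get(m) != "manual"]

# Constructed sample inputs, modelled on the examples in this section.
SAMPLE_INI = ("[storage]\nha_provider = fcClientRefinedVTE\n"
              "ha_provider_path = /hana/shared/myFcClient\n"
              "partition_*_data__mountOptions = -o user_xattr\n"
              "partition_*_log__mountOptions = -o noatime\n")
SAMPLE_SUDOERS = "root ALL=(ALL) ALL\nhanadm ALL=NOPASSWD: /usr/bin/secfsd,/usr/bin/voradmin\n"
SAMPLE_STATUS = ("GuardPoint Policy Type ConfigState Status Reason\n"
                 "/hana/data/HAN/mnt00001 my-pol manual guarded guarded N/A\n"
                 "/hana/log/HAN/mnt00001 my-pol manual guarded guarded N/A\n"
                 "/hana/data/HAN/mnt00002 my-pol manual unguarded not guarded Inactive\n")
```

On a real node, feed the functions the contents of global.ini, /etc/sudoers, and the secfsd status output, and treat any non-empty problem list as a reason to stop before the next failover test.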
Setting Memory Allocation
There is a limitation in memory allocations for SAP HANA with asynchronous direct I/O. When you use CTE in conjunction with applications like SAP HANA that can process large numbers of direct I/O writes through the Linux AIO interface, CTE can allocate more memory than is desirable.
To limit the amount of memory that CTE consumes for AIO buffers, use the following configuration option:
max_aio_memory_limit <MB>
The MB value specifies how much memory, in megabytes, to allocate to temporary DIO buffers.
Note
If you do not specify a value, the default is 0, which has no memory bounding effect.
Set the option by echoing a value into the max_aio_memory_limit file in the /opt/vormetric/DataSecurityExpert/agent/secfs/.sec/conf/ configuration directory. For example:
echo 1024 > /opt/vormetric/DataSecurityExpert/agent/secfs/.sec/conf/max_aio_memory_limit
This limits the memory consumed by AIO buffers to 1 GB.
Note
You must restart CTE after changing any values in the configuration directory to make the changes effective.