Configuring Support for SAP HANA
This section describes how CTE supports SAP HANA, which provides automatic host-failover support. It contains the following topics:
Customizing CTE for SAP HANA in HA Mode
Using SAP HANA with LDT
Setting Memory Allocation
CTE works with HANA Fibre Channel storage systems to enable and disable GuardPoints when a protected host starts, stops, or fails over to a standby host.
CipherTrust Transparent Encryption - SAP HANA (CTE-SAP HANA) supports non-shared storage, where each HANA node has its own separate storage volumes. CTE-SAP HANA provides customized scripts to support startup, shutdown, and failover.
HANA attaches LUNs (logical unit numbers) or LVM (Logical Volume Manager) volumes through the HANA Fibre Channel Storage Connector (fcClient) providers. Thales provides hooks, called by the fcClient providers, that guard or unguard the storage locations as they are attached and detached.
Thales recommends using host groups to manage the configuration of a clustered host environment.
Customizing CTE for SAP HANA in HA Mode
The following procedure only applies if multiple HANA nodes are configured in a high availability (HA) environment. If you are installing CTE on a single HANA node, do not change the default HANA or CTE settings.
Go to the installation directory:
If required, edit the appropriate CTE script file:
Script file     Use
fcClient        Provider for LUNs
fcClientLVM     Provider for LVM volumes
Copy the appropriate script file to a shared location that is accessible to all nodes. In a HANA cluster environment, all nodes require access to the CTE scripts.
Edit the storage section of the global.ini file so that ha_provider names the CTE provider that matches the script you copied and ha_provider_path points to the shared location of that script.
For LUNs (the fcClient script):
    [storage]
    ha_provider = fcClientRefinedVTE
    ha_provider_path = /hana/shared/myFcClient
If necessary, enable debug tracing:
    [trace]
    ha_provider = debug
    ha_fcclient = debug
    ha_fcclientrefinedvte = debug
For LVM volumes (the fcClientLVM script):
    [storage]
    ha_provider = fcClientLVMRefinedVTE
    ha_provider_path = /hana/shared/myFcClient
If necessary, enable debug tracing:
    [trace]
    ha_provider = debug
    ha_fcclientlvm = debug
    ha_fcclientlvmrefinedvte = debug
Use the same CTE agent on all hosts, including standby hosts.
Make sure that /etc/sudoers lets the HANA administrator user (<sid>adm) run secfsd without a password, because the CTE hooks run secfsd as that user to guard and unguard the partitions during startup, shutdown, and failover:
<sid>adm ALL=NOPASSWD: /usr/bin/secfsd
Edit the file with visudo so that a syntax error cannot lock out sudo, and grant only the listed binary rather than ALL.
Configure the GuardPoints at the mount-point level, so that each guarded path matches the corresponding HANA data or log mount path. For example, individual GuardPoints are placed on /hana/data/HAN/mnt00001, /hana/data/HAN/mnt00002, and so on, and, following the same naming convention, on the log partitions /hana/log/HAN/mnt00001, and so on.
Configure the GuardPoints as type manual. Manual GuardPoints are enabled and disabled by the CTE hooks from within the HANA startup, shutdown, and failover process: a GuardPoint is enabled immediately after its device is attached and disabled just before the device is detached, much like mounting and unmounting guarded auto-mount points.
Configure all GuardPoints on the standby host, so that any data or log partition that fails over from any active host can be guarded there. Thales recommends configuring all GuardPoints on all hosts: after a failover the former active host becomes the new standby and then needs every GuardPoint available.
For example, df on the active host shows its mounted data and log volumes; each guarded path appears a second time because CTE layers its secfs mount on the GuardPoint:
Filesystem                               1K-blocks    Used Available Use% Mounted on
/dev/mapper/VG_HAN_DATA_1-LV_HAN_DATA_1  793971096 3059712 750579916   1% /hana/data/HAN/mnt00001
/hana/data/HAN/mnt00001                  793971096 3059712 750579916   1% /hana/data/HAN/mnt00001
/dev/mapper/VG_HAN_LOG_1-LV_HAN_LOG_1    496233160 2461764 468564152   1% /hana/log/HAN/mnt00001
/hana/log/HAN/mnt00001                   496233160 2461764 468564152   1% /hana/log/HAN/mnt00001
Partition mnt00002 is also configured on this host although HANA has not currently mounted it, so its GuardPoints are configured but not guarded. The secfsd status output should show the GuardPoint configuration as follows:
GuardPoint              Policy  Type    ConfigState  Status       Reason
----------              ------  ----    -----------  ------       ------
/hana/data/HAN/mnt00001 my-pol  manual  guarded      guarded      N/A
/hana/log/HAN/mnt00001  my-pol  manual  guarded      guarded      N/A
/hana/data/HAN/mnt00002 my-pol  manual  unguarded    not guarded  Inactive
/hana/log/HAN/mnt00002  my-pol  manual  unguarded    not guarded  Inactive
For more information, see SAP HANA Fiber Channel Storage Connector Admin Guide.
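The following shell script is an added example, not code from Thales or SAP, that turns the checks in this subsection into something a practitioner can run on each HANA host. It parses secfsd status output in the column layout shown above, lists the /hana/data and /hana/log partitions mounted on the host (read from /proc/mounts; the SID HAN and the secfs entries in the sample mount table are assumptions), and reports every mounted partition whose GuardPoint is missing, not of type manual, or not currently guarded. It also compares the GuardPoint lists of an active and a standby host to catch a standby that is missing a GuardPoint. All inputs are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not Thales or SAP code: reconciles `secfsd status` with the
# HANA partitions mounted on a host. Inputs are passed as text; on a node use
#   check_guardpoints "$(cat /proc/mounts)" "$(sudo secfsd status)" HAN   (SID assumed)

# secfsd status output as shown above (constructed copy).
SAMPLE_STATUS='GuardPoint Policy Type ConfigState Status Reason
---------- ------ ---- ----------- ------ ------
/hana/data/HAN/mnt00001 my-pol manual guarded guarded N/A
/hana/log/HAN/mnt00001 my-pol manual guarded guarded N/A
/hana/data/HAN/mnt00002 my-pol manual unguarded not guarded Inactive
/hana/log/HAN/mnt00002 my-pol manual unguarded not guarded Inactive'

# Constructed /proc/mounts lines for the same host: the LVM volumes plus the
# secfs mount CTE layers on each guarded path (fstype name "secfs" assumed).
SAMPLE_MOUNTS='/dev/mapper/VG_HAN_DATA_1-LV_HAN_DATA_1 /hana/data/HAN/mnt00001 ext3 rw,user_xattr 0 0
/hana/data/HAN/mnt00001 /hana/data/HAN/mnt00001 secfs rw 0 0
/dev/mapper/VG_HAN_LOG_1-LV_HAN_LOG_1 /hana/log/HAN/mnt00001 ext3 rw,user_xattr 0 0
/hana/log/HAN/mnt00001 /hana/log/HAN/mnt00001 secfs rw 0 0'

# Constructed failure mode: mnt00002 failed over to this host and is attached,
# but its GuardPoints were never enabled (the status above still says unguarded).
SAMPLE_MOUNTS_AFTER_FAILOVER="$SAMPLE_MOUNTS
/dev/mapper/VG_HAN_DATA_2-LV_HAN_DATA_2 /hana/data/HAN/mnt00002 ext3 rw,user_xattr 0 0
/dev/mapper/VG_HAN_LOG_2-LV_HAN_LOG_2 /hana/log/HAN/mnt00002 ext3 rw,user_xattr 0 0"

# Constructed standby host on which the log GuardPoint for mnt00002 is missing.
SAMPLE_STATUS_STANDBY='GuardPoint Policy Type ConfigState Status Reason
---------- ------ ---- ----------- ------ ------
/hana/data/HAN/mnt00001 my-pol manual unguarded not guarded Inactive
/hana/log/HAN/mnt00001 my-pol manual unguarded not guarded Inactive
/hana/data/HAN/mnt00002 my-pol manual unguarded not guarded Inactive'

# hana_mounts MOUNTS_TEXT SID: mounted /hana/{data,log}/SID/mntNNNNN paths,
# deduplicated because a guarded path also appears as its own secfs mount.
hana_mounts() {
    printf '%s\n' "$1" \
        | awk -v sid="$2" '$2 ~ ("^/hana/(data|log)/" sid "/mnt[0-9]+$") { print $2 }' \
        | sort -u
}

# guardpoint_state STATUS_TEXT PATH: "<Type> <Status>" for PATH, or nothing if
# no GuardPoint is configured for it (Status may be the two words "not guarded").
guardpoint_state() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { s = ($5 == "not") ? "not guarded" : $5; print $3, s; exit }'
}

# check_guardpoints MOUNTS_TEXT STATUS_TEXT SID: 0 only if every mounted
# partition has a GuardPoint of type manual that is currently guarded.
check_guardpoints() {
    rc=0
    for mp in $(hana_mounts "$1" "$3"); do
        state=$(guardpoint_state "$2" "$mp")
        case "$state" in
            "manual guarded") echo "OK: $mp" ;;
            "") echo "FAIL: $mp is mounted but has no GuardPoint"; rc=1 ;;
            manual*) echo "FAIL: $mp is mounted but $state: HANA I/O bypasses CTE"; rc=1 ;;
            *) echo "FAIL: $mp GuardPoint is '$state', expected type manual"; rc=1 ;;
        esac
    done
    return $rc
}

# check_types STATUS_TEXT: 0 only if every configured GuardPoint is type manual.
check_types() {
    printf '%s\n' "$1" | awk 'BEGIN { bad = 0 } NR > 2 && $3 != "manual" {
        print "FAIL: " $1 " is type " $3 ", expected manual"; bad = 1 } END { exit bad }'
}

# guardpoint_paths STATUS_TEXT: configured GuardPoint paths, sorted.
guardpoint_paths() { printf '%s\n' "$1" | awk 'NR > 2 { print $1 }' | sort; }

# missing_on_standby STATUS_ACTIVE STATUS_STANDBY: paths configured on the active
# host but absent on the standby, which a failover would leave unguarded.
missing_on_standby() {
    standby=$(guardpoint_paths "$2")
    guardpoint_paths "$1" | while read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$standby" | grep -qxF -- "$p" || echo "$p"
    done
}

# Run against the constructed samples.
check_guardpoints "$SAMPLE_MOUNTS" "$SAMPLE_STATUS" HAN
check_types "$SAMPLE_STATUS"
check_guardpoints "$SAMPLE_MOUNTS_AFTER_FAILOVER" "$SAMPLE_STATUS" HAN || true
missing_on_standby "$SAMPLE_STATUS" "$SAMPLE_STATUS_STANDBY"
```

Run check_guardpoints on the active host after HANA has started, and again after a failover test on the host that received the partitions; a FAIL line there means HANA is writing to a partition that the CTE hooks did not guard. Run missing_on_standby with the status output of the two hosts before the first failover test.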
Using SAP HANA with LDT
SAP HANA is compatible with LDT (Live Data Transformation) with the following changes:
Add the additional CTE commands to the HANA administrator entry in /etc/sudoers. Using visudo, edit the entry for the HANA administrator user (<sid>adm, shown here as hanadm) so that it reads:
hanadm ALL=NOPASSWD: /usr/bin/secfsd,/usr/bin/voradmin,/usr/bin/vmsec,/sbin/multipath,/sbin/multipathd,/etc/init.d/multipathd,/usr/bin/sg_persist,/bin/mount,/bin/umount,/bin/kill,/usr/bin/lsof,/sbin/vgchange,/sbin/vgscan
This entry lets the HANA administrator run mount, umount, kill, and the LVM and multipath tools as root without a password; keep it limited to these exact paths rather than widening it to ALL.
If you are using an ext3 file system, you must mount it with extended attributes. Using a text editor, add the following mount options to the storage section of the global.ini file:
partition_*_data__mountOptions = -o user_xattr
partition_*_log__mountOptions = -o user_xattr
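The following shell script is an added example, not code from Thales or SAP, that checks both the HA-mode settings described earlier (ha_provider and ha_provider_path in the [storage] section of global.ini, and the NOPASSWD rule for the HANA administrator in /etc/sudoers) and the LDT additions in this subsection (the longer sudoers command list and the user_xattr mount options). It parses the files by the layouts shown on this page; the SID HAN, the hanadm user name and the global.ini path in the usage comment are assumptions, and the inputs are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not Thales or SAP code: pre-flight checks for the global.ini
# and sudoers settings described above. Inputs are passed as text; on a node use
#   check_ha_provider "$(cat /hana/shared/HAN/global.ini)"          (path and SID assumed)
#   check_sudoers "$(sudo cat /etc/sudoers)" hanadm /usr/bin/secfsd  (user assumed)

# Constructed global.ini: LVM provider plus the LDT ext3 mount options.
SAMPLE_INI='[storage]
ha_provider = fcClientLVMRefinedVTE
ha_provider_path = /hana/shared/myFcClient
partition_*_data__mountOptions = -o user_xattr
partition_*_log__mountOptions = -o user_xattr

[trace]
ha_provider = debug
ha_fcclientlvm = debug'

# Constructed mistake: the stock HANA provider name instead of the CTE one, so
# the CTE hooks never run and partitions are attached without being guarded.
SAMPLE_INI_BAD='[storage]
ha_provider = fcClientLVM
ha_provider_path = /hana/shared/myFcClient'

# Constructed sudoers fragment for the HANA administrator (hanadm, as above).
SAMPLE_SUDOERS='Defaults env_reset
hanadm ALL=NOPASSWD: /usr/bin/secfsd,/usr/bin/voradmin,/usr/bin/vmsec,/sbin/multipath,/sbin/multipathd,/etc/init.d/multipathd,/usr/bin/sg_persist,/bin/mount,/bin/umount,/bin/kill,/usr/bin/lsof,/sbin/vgchange,/sbin/vgscan'

# ini_get TEXT SECTION KEY: value of KEY inside [SECTION] (first match wins).
ini_get() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# check_ha_provider TEXT: ha_provider must be one of the two CTE providers and
# ha_provider_path an absolute path (the shared location of the copied script).
check_ha_provider() {
    prov=$(ini_get "$1" storage ha_provider)
    path=$(ini_get "$1" storage ha_provider_path)
    case "$prov" in
        fcClientRefinedVTE|fcClientLVMRefinedVTE) ;;
        *) echo "FAIL: ha_provider is '$prov', expected fcClientRefinedVTE or fcClientLVMRefinedVTE"; return 1 ;;
    esac
    case "$path" in
        /*) ;;
        *) echo "FAIL: ha_provider_path '$path' is not an absolute path"; return 1 ;;
    esac
    [ -d "$path" ] || echo "note: $path is not present on this node; every node needs the script"
    echo "OK: ha_provider=$prov ha_provider_path=$path"
}

# check_xattr_mount TEXT: LDT on ext3 needs user_xattr on data and log partitions.
check_xattr_mount() {
    for key in 'partition_*_data__mountOptions' 'partition_*_log__mountOptions'; do
        opts=$(ini_get "$1" storage "$key")
        case "$opts" in
            *user_xattr*) ;;
            *) echo "FAIL: $key lacks user_xattr (got '$opts')"; return 1 ;;
        esac
    done
    echo "OK: user_xattr set for data and log partitions"
}

# check_sudoers TEXT USER CMD...: USER must have a NOPASSWD rule naming every
# CMD by exact path; a wildcard or ALL is deliberately not accepted.
check_sudoers() {
    text=$1; user=$2; shift 2
    line=$(printf '%s\n' "$text" | grep -E "^${user}[[:space:]]+ALL=NOPASSWD:" | head -n 1)
    [ -n "$line" ] || { echo "FAIL: no NOPASSWD rule for $user"; return 1; }
    allowed=$(printf '%s\n' "${line#*NOPASSWD:}" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for cmd in "$@"; do
        printf '%s\n' "$allowed" | grep -qxF -- "$cmd" \
            || { echo "FAIL: $user has no sudo rule for $cmd"; return 1; }
    done
    echo "OK: $user may run without a password: $*"
}

# Run the checks against the constructed samples.
check_ha_provider "$SAMPLE_INI"
check_xattr_mount "$SAMPLE_INI"
check_sudoers "$SAMPLE_SUDOERS" hanadm /usr/bin/secfsd /usr/bin/voradmin /sbin/vgchange
check_ha_provider "$SAMPLE_INI_BAD" || true
```

For the HA-mode step alone, call check_sudoers with only /usr/bin/secfsd; for LDT, pass the full command list from the sudoers entry above. Both checks require the exact binary paths to appear in the rule, so a rule that grants ALL fails the check rather than passing it.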
Setting Memory Allocation
SAP HANA issues large numbers of direct I/O writes through the Linux asynchronous I/O (AIO) interface. When CTE sits underneath such an application, it can allocate more memory for temporary direct I/O (DIO) buffers than is desirable.
To bound that memory, set max_aio_memory_limit. Its value is the number of megabytes CTE may use for temporary DIO buffers. If it is not set, the default is 0, which imposes no bound.
Set the option by echoing a value into the max_aio_memory_limit file in the /opt/vormetric/DataSecurityExpert/agent/secfs/.sec/conf/ configuration directory. For example:
echo 1024 > /opt/vormetric/DataSecurityExpert/agent/secfs/.sec/conf/max_aio_memory_limit
This limits the memory consumed by AIO buffers to 1 GB. To check the current setting, cat the same file; a missing file or a value of 0 means the allocation is unbounded.
You must restart CTE after changing any value in the configuration directory for the change to take effect.