Enable SAP Focused Run Reverse Proxy in SAP Cloud ALM

Motivation

Several SAP public cloud solutions now support the delivery of monitoring data to SAP Focused Run using PUSH data collection.

PUSH data collection means that data collection is triggered in the managed cloud service and that the managed cloud service is actively pushing monitoring data to SAP Cloud ALM. The advantages of PUSH data collection are a usually much easier setup and that monitoring data is only transferred if there is actual monitoring data to report.

However, usually SAP Focused Run is located behind a firewall in the customer data center. To enable SAP public cloud services to push monitoring data directly to SAP Focused Run, this firewall would have to be opened and SAP Focused Run would be accessible from the Internet. This is not desirable. 

Hence, another solution had to be provided. The SAP Focused Run Reverse Proxy is this solution. In this solution SAP Cloud ALM together with an SAP Cloud Connector act as reverse proxy for SAP Focused Run and allow a secure transfer of pushed monitoring data to SAP Focused Run.

The SAP Cloud ALM entitlement is included in SAP Enterprise Support Cloud Editions. For more information please click here.

 

Architecture

The graphic below shows the architecture of the SAP Focused Run reverse proxy infrastructure. 

 

 

In this scenario SAP Cloud ALM solely acts as pass-through for the metrics pushed by the managed cloud services. The metrics are forwarded via the SAP BTP Connectivity Service and the SAP Cloud Connector directly to SAP Focused Run.

Only in SAP Focused Run the metrics alerts are generated as per the setup.

In SAP Cloud ALM only the connectivity to SAP Focused Run has to be defined. 

Prerequisites

The following prerequisites have to be fulfilled before the setup:

  • Obtain a subscription for SAP Cloud ALM (free of charge) 
  • Install SAP Cloud Connector in your SAP Focused Run system network (find more information here)
  • Implement SAP Note 3209577 on your SAP Focused Run system

Setup Steps in SAP Cloud Connector

Connect SAP Cloud ALM Subaccount

  1. Go to the Cloud Connector Administration page
  2. On the "Connector" page* choose "Add Subaccount" 
  3. Connect your SAP Cloud ALM tenant

* Please note: if the SAP Cloud ALM tenant is the first subaccount in this cloud connector you will automatically be forwarded to the "First Subaccount" page.

Add Connection to SAP Focused Run

  1. Go to Cloud Connector Administration → <SAP Cloud ALM tenant> → Cloud To On-Premise → ACCESS CONTROL
  2. Click the '+' button to add a new entry:
  3. Enter the following values:
    1. Back-end Type: "ABAP System"
    2. Protocol: "HTTPS"
    3. Internal Host: The hostname of your SAP Focused Run system
    4. Internal Port: The HTTPS port of your SAP Focused Run system
    5. Virtual Host: A virtual hostname for your SAP Focused Run system, e.g., <sid>_frun
    6. Virtual Port: A virtual port, e.g., 443
    7. Principal type: The recommended variant is X.509 Certificate (Strict Usage) as this lets you use principal propagation and, for example, basic authentication over the same access control entry, regardless of the logon order settings in the target system.
    8. Host In Request Header: Use Virtual Host
  4. Press "Finish"
  5. Select the entry for your SAP Focused Run system
  6. Note down the value of the column "Virtual Host" for later use
  7. In the section "Resources Of <SAP Focused Run system>" press the '+' button
  8. Enter the following values:
    1. URL Path: /sap/frun
    2. Access Policy: Path And All Sub-Paths
  9. Press the "Save" button

Setup Steps in SAP Focused Run

Collect Admin Request Parameter

Note down the "Admin Request Parameter" for each customer network in SAP Focused Run that will receive metrics from the metric push

  1. Open the Focused Run launchpad
  2. Go to Infrastructure Administration → Global Settings & Network Configuration → Network Administration
  3. Select the customer network for which you want to activate the metric push
  4. Note down the value in the field "Admin Request Parameter"

Create Technical User

Create a technical user to receive push metrics and assign a custom copy of the following SAP roles
  1. SAP_FRN_AIM_EXTPUSH
  2. SAP_FRN_RUM_EXTPUSH
  3. SAP_FRN_SUM_EXTPUSH
  4. SAP_FRN_SUM_EXTREG
  5. SAP_FRN_CNW_ACCESS (maintain LMDB_CN with LDB_CUSNET = '*', LDB_CUST = '*' and LDB_DC = '*')
  6. SAP_FRN_AAD_AIM_ALL
  7. SAP_FRN_AJM_EXTPUSH (starting with SAP Focused Run 3.0 FP03)

Register SAP Focused Run in your SAP Cloud ALM tenant

To make SAP Focused Run available in SAP Cloud ALM, please perform the registration as described on the page SAP NetWeaver Application Server for ABAP higher than 7.40.

After the registration is successful, you find your SAP Focused Run system in SAP Cloud ALM:

  1. Log on to your SAP Cloud ALM tenant
  2. Go to Administration → Landscape Management → On-Premise Systems

Setup Steps in SAP Cloud ALM

Create one endpoint for each customer network that will receive push monitoring metrics
  1. Log on to your SAP Cloud ALM tenant
  2. Go to Administration → Landscape Management → On-Premise Systems
  3. Drill down into the SAP Focused Run system entry by clicking on its name
  4. Click the "Add" button on the tab "PROXY"
  5. Under "General" enter:
    1. Logical System: Select the SAP Focused Run client
    2. Customer Network: The customer network name as known in SAP Focused Run (replace the Space character with '_')
    3. Admin Request Parameter: The value of the admin request parameter for the customer network (you collected it during the setup steps in SAP Focused Run above)
    4. Description: An optional description
    5. Cloud Connector Location ID: The name (description) of the SAP Cloud Connector instance that you want to use. You find this information in your SAP Cloud Connector or in the SAP BTP Cockpit in the SAP Cloud ALM subaccount under "Connectivity" > "Cloud Connectors". The location ID is the value in parenthesis next to the phrase "Master Instance" for the Cloud Connector you want to use. If you only have one Cloud Connector this value might be empty.
    6. Virtual Host and Port: Enter the virtual host and port as you maintained it during the setup of the system in Cloud Connector
    7. Landscape Sync: To import your cloud services from SAP Cloud ALM to SAP Focused Run set the toggle button to 'ON'. Before activating this, please read more information below. 
  6. Under "Authentication" enter:
    1. Authentication Type: Basic Authentication
    2. User: The technical user created in SAP Focused Run for this purpose
    3. Password: The password for the user
  7. Save the endpoint

For the setup in the managed system copy the reverse proxy URL

  1. Click the Root URL icon (it looks like a chain link) next to the endpoint in the column "Actions"
    1. Save the value of the reverse proxy URL for later use

Info: Landscape Sync between SAP Cloud ALM and SAP Focused Run

Starting with SAP Focused Run 3.0 FP03 you can automatically import the subscribed cloud services from the Landscape Management in SAP Cloud ALM into the Cloud Service Management in SAP Focused Run.

Please do not activate this for older SAP Focused Run releases. 

For older SAP Focused Run releases you might have to create the cloud services manually in Cloud Service Management, before activating the monitoring data push. Please refer to the respective product setup pages under Supported Products for details. 

Setup in the Managed Cloud Service

The setup in the managed cloud service depends on the cloud service type. Please refer to the page Supported Products and select the respective page for the detailed setup description.

The reverse proxy is used for the following cloud products:

  • SAP S/4HANA Cloud
  • SAP Integrated Business Planning for Supply Chain
  • SAP Marketing Cloud
  • SAP S/4HANA private cloud edition
  • SAP SuccessFactors