Preparing Customer Network

Declaring Customer Network

The data centers and logical networks, as defined and operated by the network team, shall be declared within SAP Focused Run. These network segments, named Customer Networks, are used by LMDB as namespaces to bundle and protect system definitions and collected metrics. This is reflected, as an example, in the schema below with A and B. Such a Customer Network can then also be assigned to a customer (via so-called Business Partners).


To declare a Customer Network, within SAP Focused Run using SSI Configuration, you shall have a clear understanding of the network layout and associated proxies and reverse proxies. You are asked to mention:

  • A Data Center ID, such as “DATACENTER1”. As of SAP Focused Run 2.0 FP02, a Data Center ID is a maximum of 16 characters.
  • A globally unique Customer ID (also known as CID), composed of 3 characters, like "ABC".
  • A globally unique Customer Network name (belonging to a Data Center), like "ABC_Walldorf". Note: The Customer Network name must be limited to 40 characters.
  • A unique Admin Request Parameter, also called "inbound fencing string", which is usually the hostname of the Reverse Proxy. Note: It is mandatory that this same value is also manually maintained in the reverse proxy configuration file, as explained in the Security Guide, chapter: Data Separation.

Follow the rules below:

  • We recommend using a combination of characters and digits.
  • Do not use spaces or special characters.
  • Use _ (underscore) characters, instead of - (minus).
  • Spaces are only allowed for the Network Description. 
  • The Data Center ID, Customer ID, Customer Network Name must be clear and consistent, because the Data Center ID might be used for access/authorization checking in further releases.
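
A pre-check of the naming rules above for a planned set of Customer Networks, as an added example (not SAP code and not part of the original page). The field names, the sample plan, the ASCII-only reading of "characters" and the case-insensitive uniqueness comparison are assumptions.

```python
import re
from collections import Counter

# Assumption: "characters and digits" means ASCII letters and digits; underscore
# is the only separator allowed (no spaces, no minus, no special characters).
ALLOWED = re.compile(r"[A-Za-z0-9_]+")
# Length limits from the page: Data Center ID <= 16, CID == 3, network name <= 40.
LIMITS = {"data_center_id": (1, 16), "cid": (3, 3), "network_name": (1, 40)}
UNIQUE = ("cid", "network_name", "admin_request_parameter")


def validate_networks(rows):
    """Return (row_index, field, problem) tuples for a planned set of networks."""
    problems = []
    for i, row in enumerate(rows):
        for field, (lo, hi) in LIMITS.items():
            value = row.get(field, "")
            if not lo <= len(value) <= hi:
                problems.append((i, field, f"length {len(value)} not in {lo}..{hi}"))
            if value and not ALLOWED.fullmatch(value):
                bad = sorted(set(re.sub(r"[A-Za-z0-9_]", "", value)))
                problems.append((i, field, f"disallowed characters {bad}"))
        if not row.get("admin_request_parameter"):
            problems.append((i, "admin_request_parameter", "missing"))
    # Uniqueness is checked across the whole plan. Comparing case-insensitively
    # is an assumption, chosen so "abc" and "ABC" are flagged as a collision.
    for field in UNIQUE:
        counts = Counter(r.get(field, "").lower() for r in rows)
        for i, row in enumerate(rows):
            value = row.get(field, "")
            if value and counts[value.lower()] > 1:
                problems.append((i, field, f"'{value}' is not unique"))
    return problems


# Constructed sample plan; IDs and hostnames are made up for illustration.
PLAN = [
    {"data_center_id": "DATACENTER1", "cid": "ABC", "network_name": "ABC_Walldorf",
     "admin_request_parameter": "rproxy1.example.internal"},
    {"data_center_id": "DATA-CENTER 2", "cid": "ABCD", "network_name": "ABC_Walldorf",
     "admin_request_parameter": "rproxy1.example.internal"},
]

if __name__ == "__main__":
    for idx, field, problem in validate_networks(PLAN):
        print(f"row {idx}: {field}: {problem}")
```

A shared Admin Request Parameter is reported because the inbound fencing string is what ties requests to one Customer Network; two networks with the same value cannot be told apart at the reverse proxy.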

Pay attention to the terminology: In the context of SAP Focused Run, the term reverse proxy designates a pass-through from the managed objects of the customer network, to the SAP Focused Run system.

Finally, consider that a predefined customer network named LOCALNETWORK is created while performing the initial setup of LMDB, as described in the Master Guide.

This local network can be utilized within SAP Focused Run in case no specific security or data separation is required (and no proxy or reverse proxy is in place).

To create the customer network within SAP Focused Run:

  1. Navigate to Infrastructure Administration / Global Settings & Network Configuration, within the Launchpad
  2. Choose the "Network Administration" view.
  3. Press New
  4. Specify the required values
    • Starting with SAP Focused Run 3.0 FP02, it is possible to set up certificate-based communication for new customer networks. Please see the page Preparing Customer Networks for Certificate-Based Authentication for details.
    • Starting with SAP Focused Run 4.0 FP03, it is possible to explicitly choose the agent that will take over central monitoring activities during the network administration.
    • Starting with SAP Focused Run 4.0 FP03, it is possible to enable the verification of server certificates on the Simple Diagnostics Agent (SDA) level during the network administration.
      • Please note: In case of an incorrect certificate setup, the SDA connections will stop working.
      • You can only activate this setting if "Reverse Proxy Port Type / Authentication" is one of:
        • HTTPS / Certificate-based Authentication
        • HTTPS / Basic Authentication
  5. Press Save and Activate
    • Note: Each time a customer network is created within SAP Focused Run, using SSI Configuration, a set of associated technical users is created. Refer to the following chapters in the SAP Focused Run Security Guide for further details:
      • Introduction to Data Separation
      • Technical Users to Authenticate Data Send Requests to the SAP Focused Run system (ABAP)
  6. Select the "Network Settings" view
  7. Select the previously created Customer Network
  8. Enter the Password of the existing sapadm OS user, relevant in that network segment
    • Note: The sapadm OS user is dedicated to the SAP Host Agents. It is a reserved OS username, and the password is usually defined when installing an SAP Host Agent or any SAP system. This OS user password shall be the same on all hosts that belong to a given customer network. It is currently not possible to define different sapadm OS user passwords for the hosts of a given customer network. Refer to the SAP Focused Run Security Guide, chapter Technical Users for Managed OS, for further details.
  9. Define your TLS/SSL settings
  10. Save your changes.

Finally:

The above customer network wizard creates users automatically with a generated password. Therefore, you shall define the password of the following technical users:

  • FRN_LDDS_<CID> : User on SAP Focused Run system to authenticate Data Suppliers sending SLD payloads directly to LMDB.
  • FRN_LDSR_<CID> : User on SAP Focused Run system to authenticate the SLDRs which are forwarding received SLD payloads.

Note: Do not simply use transaction SU01. Refer to the security guide for additional details.

Therefore, proceed as follows:

  • Run the report RSSI_CHANGE_NETWORK_PASSWORD (transaction SA38).
  • Select the type of user, as mentioned above
  • Select the Customer ID
  • Provide a new password
  • Select Change Password

Use-Case Settings For Simple System Integration

Available only since SAP Focused Run FP02. In this section, select the Use-Cases that the Simple System Integration will set up during the Automatic Technical Systems Configuration operation:

  • AIM – Advanced Integration & Exception Monitoring
  • ASM – Advanced System Management
  • AUM – Advanced User Monitoring
  • CSA – Configuration & Security Analytics

Note: None of the Use-Cases are selected by default.

Change Data Center for Customer Network

As of SAP Focused Run 2.0 FP02, the Data Center can simply be changed in the “Global Settings & Network Configuration” application:

  • Go to the SAP Focused Run launchpad
  • Open the “Global Settings & Network Configuration” application
  • Go to the “Network Administration” page
  • Select the network you want to change
  • Change the Data Center (and any other field you would like to change)
  • Press “Save”

For SAP Focused Run 2.0 FP01 and below, follow this procedure:

Note: Only experts shall use this report. Customer Networks are sensitive data. This procedure must only be used to change the Data Center (field: Data Center 1).

Procedure:

  • Ensure your user has the role SAP_FRN_LDB_ALL assigned
  • Start transaction SA38
  • Run report RLMDB_CUSTOMER_NETWORK_TOOLS
  • Depending on what you want to do, check or uncheck the option: Prohibit save of any changes
  • Press the "Execute" button
  • Resize the displayed columns so that you can see and edit column: Data Center 1
  • Select the line/row for the Customer Network entity which you want to change
  • Press the "Display/Change" button
  • Edit (by simply (re)typing) the value in column: Data Center 1 (be careful to not change other fields)
  • Press the "Save" button
  • Exit the report
  • Run report RLMDB_CUSTOMER_NETWORK_TOOLS
  • Check option: Prohibit save of any changes
  • Press the "Execute" button
  • Review/confirm that the required change was saved

Country/Region Name of Data Center

As of SAP Focused Run 3.0 SP00, the Maintain Data Centers tab in the Global Settings & Network Configuration application has been extended to show Country/Region-Code and Country/Region-Name information. Information on the country or region is retrieved from table T005T, column LANDX. If you need to display Country/Region-Name information different from what SAP provides by default, you must follow the maintenance instructions available in SAP Note 1164216.