In a customer environment, a managed system can easily be connected to multiple Focused Run systems simultaneously. A common scenario is connecting a managed system to both a productive and a non-productive Focused Run system in parallel for testing purposes. This configuration is viable even when the target systems have different security requirements.
The connection to multiple systems is enabled by the following key technical aspects:
This chapter addresses the specific scenario of connecting a single managed system to multiple Focused Run systems where each connection requires a different level of authorization at the operating system (OS) level.
A common example of this architecture is a multi-tenant hosting environment. Consider a scenario involving a service provider, such as SAP Enterprise Cloud Services (SAP RISE), that uses a Focused Run system for its own operational management tasks. The customer also operates a separate Focused Run system for their own monitoring and analysis.
The use of shared components must be organized between the parties. For example, password information will not be shared between customer and service provider, so certificate-based authentication is necessary. This leads to technical effort (e.g., certificate trust from multiple CA entities) and ongoing coordination tasks (e.g., maintenance strategies for SAP Host Agents or Simple Diagnostics Agents).
As a result, a secure separation of configuration and access is established while comprehensive monitoring capabilities are maintained.
Shared components to be considered are:
Focused Run is prepared for such a scenario by storing the configuration data of the Simple Diagnostics Agent in subdirectories identified by the Focused Run configuration ID. This configuration ID is created automatically during customer network creation (even if only the local network is used). The configuration ID also allows the same SID to be used for both Focused Run systems.
In the following sub-sections, we describe aspects to be considered when using two Focused Run systems in such a scenario. The figures show this scenario without firewalls, reverse proxies, and load balancers, as they are not relevant to the discussion here.
The model below illustrates one option for how a single SAP Host Agent on a managed system can securely serve two different Focused Run systems (service provider and customer), each with distinct OS-level permissions.
Different trust setups are possible (e.g., Server Name Indication, SNI). Details must be discussed and aligned between service provider and customer.
Component Overview
The architecture consists of three primary components:
1. Customer Focused Run system
Represents the tenant’s monitoring environment with standard access rights.
Role: Performs monitoring and application-level tasks.
OS Permissions: Standard user authorization, sufficient for Focused Run applications but restricted from administrative OS-level access.
Client Certificate:
Issued By: Customer CA (Certificate Authority)
Subject: CN=FUN, OU=BASIS, O=CUST, C=CHE
Trust Configuration: Trusts the SAP Host Agent’s server certificate by trusting its issuing authority (the service provider CA) and its hostname (myhost.dummy.com).
2. Service Provider Focused Run system
Represents the service provider’s operational environment with administrative access rights.
Role: Performs privileged operations, including administrative OS access.
OS Permissions: Elevated user authorization (sapadm or root-equivalent).
Client Certificate:
Issued By: Service Provider CA
Subject: CN=FRN, OU=MONI, O=HOST, C=DE
Trust Configuration: Trusts the SAP Host Agent’s server certificate by trusting its own CA and the agent’s hostname (myhost.dummy.com).
3. SAP Host Agent on Managed System (myhost.dummy.com)
The central agent that receives data from both Focused Run systems and manages access control.
Service Endpoint: Exposes the Simple Diagnostics Agent functionality via the URI /lmsl/sda.
Server SSL PSE (Personal Security Environment):
Server Certificate: Identifies the Host Agent to clients.
Issued By: Service Provider CA
Subject: CN=myhost.dummy.com, OU=MONI, O=HOST, C=DE
Trust Store: Contains the certificates (public keys) of the trusted CAs used to validate incoming client certificates.
Trusts: Service Provider CA and Customer CA.
Communication Flow & Trust Relationship
Both Focused Run systems (Customer and Service Provider) initiate a secure connection to the SAP Host Agent via a TLS handshake.
During the handshake, the SAP Host Agent presents its server certificate. Both Focused Run systems validate it because they trust the Service Provider CA.
In turn, each Focused Run system presents its own client certificate to the SAP Host Agent.
The Host Agent’s PSE trusts both the Customer CA and the Service Provider CA, allowing it to validate and accept connections from both systems simultaneously.
Based on the validated client certificate, the Host Agent applies the appropriate OS-level user context (sapadm for the provider, a standard user for the customer) for any subsequent actions.
This mutual trust configuration enables secure, segregated communication, allowing for multi-tenant monitoring on a single managed system.
Figure 1: SAP Host Agent
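The communication flow above ends with the Host Agent choosing an OS user context based on the validated client certificate. The following is an added example, not SAP Host Agent code: CAs and certificates are simplified Python objects and an HMAC stands in for the CA signature, so the model runs offline. It illustrates the rule a defender wants from a trust store that accepts two CAs: the OS user must be derived from the pair (issuing CA, subject DN), never from the subject DN alone, because either trusted CA can issue a certificate carrying any subject. The CA names and DNs are those given on the page; the user name `frunuser` for the customer's standard user and the CA secrets are constructed placeholders.

```python
"""Model of the dual-CA trust and authorization decision of the Host Agent.

Added example, not SAP code. CAs and certificates are toy objects; an HMAC
stands in for the CA signature. The DNs and CA roles are from the page;
'frunuser' and the CA secrets are constructed placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Certificate:
    subject: str      # distinguished name, e.g. "CN=FRN, OU=MONI, O=HOST, C=DE"
    issuer: str       # name of the issuing CA
    signature: bytes  # stand-in for the CA's signature over issuer|subject


class ToyCA:
    """Toy certificate authority. Signing is an HMAC over a private secret;
    a real trust store would hold the CA's public certificate instead."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret

    def _sign(self, subject: str) -> bytes:
        msg = f"{self.name}|{subject}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, subject: str) -> Certificate:
        return Certificate(subject, self.name, self._sign(subject))

    def verify(self, cert: Certificate) -> bool:
        return cert.issuer == self.name and hmac.compare_digest(
            self._sign(cert.subject), cert.signature)


class HostAgentModel:
    """Server side of the handshake: validate the client certificate against
    the trust store, then select the OS user context for subsequent actions."""

    def __init__(self, trusted_cas: Iterable[ToyCA],
                 user_mapping: Dict[Tuple[str, str], str],
                 bind_to_issuer: bool = True) -> None:
        self.trusted = {ca.name: ca for ca in trusted_cas}
        self.user_mapping = user_mapping  # (issuer, subject) -> OS user
        self.bind_to_issuer = bind_to_issuer

    def authorize(self, cert: Certificate) -> Optional[str]:
        ca = self.trusted.get(cert.issuer)
        if ca is None or not ca.verify(cert):
            return None  # handshake fails: untrusted CA or forged signature
        if self.bind_to_issuer:
            # Hardened rule: the issuing CA is part of the authorization key.
            return self.user_mapping.get((cert.issuer, cert.subject))
        # Weak variant for comparison: any trusted CA may vouch for any DN.
        by_subject = {subj: user for (_, subj), user in self.user_mapping.items()}
        return by_subject.get(cert.subject)


PROVIDER_CA = "Service Provider CA"
CUSTOMER_CA = "Customer CA"
PROVIDER_DN = "CN=FRN, OU=MONI, O=HOST, C=DE"
CUSTOMER_DN = "CN=FUN, OU=BASIS, O=CUST, C=CHE"
USER_MAPPING = {
    (PROVIDER_CA, PROVIDER_DN): "sapadm",    # elevated user, as on the page
    (CUSTOMER_CA, CUSTOMER_DN): "frunuser",  # constructed name for the standard user
}


def run_scenario(bind_to_issuer: bool = True) -> Dict[str, Optional[str]]:
    """Returns the OS user each connection attempt would run as (None = rejected)."""
    provider_ca = ToyCA(PROVIDER_CA, b"provider-secret")  # constructed secrets
    customer_ca = ToyCA(CUSTOMER_CA, b"customer-secret")
    unknown_ca = ToyCA("Unknown CA", b"unknown-secret")
    agent = HostAgentModel([provider_ca, customer_ca], USER_MAPPING, bind_to_issuer)

    # A certificate with the provider's DN issued by the customer CA: both CAs
    # are trusted, so only the issuer binding keeps it out of the sapadm context.
    return {
        "provider": agent.authorize(provider_ca.issue(PROVIDER_DN)),
        "customer": agent.authorize(customer_ca.issue(CUSTOMER_DN)),
        "customer_ca_with_provider_dn": agent.authorize(customer_ca.issue(PROVIDER_DN)),
        "unknown_ca": agent.authorize(unknown_ca.issue(PROVIDER_DN)),
        "forged_signature": agent.authorize(
            Certificate(PROVIDER_DN, PROVIDER_CA, b"\x00" * 32)),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:30s} -> {result}")
    print("subject-only mapping grants the customer-CA certificate:",
          run_scenario(bind_to_issuer=False)["customer_ca_with_provider_dn"])
```

With issuer binding, only the genuine provider certificate runs as `sapadm`, the genuine customer certificate runs as the standard user, and the other three attempts are rejected; with the weak subject-only mapping, the customer-CA certificate carrying the provider DN would also land in the elevated context. When aligning the trust setup between service provider and customer, this is the property to confirm: the rule that selects the OS user must distinguish the two CAs, not just the DNs they issue.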
An Introscope ByteCode Agent for monitoring non-ABAP managed systems can only report to one Introscope Enterprise Manager. In the parallel operation scenario described in figure 2, with multiple Focused Run systems connected to one Introscope Enterprise Manager, the service provider and the customer need to be aligned on the shared Introscope Enterprise Manager. The connection address for the CA ByteCode Agent, i.e. the host:port where the CA APM Enterprise Manager is installed, needs to be agreed between the partners. The ByteCode Agent can be installed by the Simple Diagnostics Agent preparation tools or manually. Every partner who wants to update the ByteCode Agent needs to apply the agreed connection details for the host:port of the CA APM Enterprise Manager.
Since CA APM Enterprise Manager 9.7 with the latest Management Modules, CA APM can serve several Focused Run systems in parallel, subject to release restrictions. Please find the relevant release notes in SAP Note 797147 – Introscope Installation for SAP Customers.
Figure 2: Bytecode Agent
The Maintenance Planner in the SAP Support Portal can handle several Focused Run systems as data sources (see also figure 3). Among other features, the Landscape Information Service in the SAP Support Portal only passes the latest complete technical system data to the Maintenance Planner. This way, the partners do not need to consider which Focused Run system (at the customer and/or at the service provider) is sending the data.
It is sufficient that one Focused Run system sends the data, but several data sources are also accepted. Access to the data in the SAP Support Portal and the Maintenance Planner is granted by the S-User authorizations.
Figure 3: Maintenance Planner
Please find more information:
Focused Run does not provide the Session Workbench for EWA generation; therefore, the data to generate the EarlyWatch reports is sent to the SAP Support Backbone, as shown in figure 4. This has the advantage that you always benefit from the latest EWA content and can also make use of the SAP EarlyWatch Alert Workspace.
It is sufficient that one SAP Focused Run system sends the data, but several data sources are also accepted. Access to the data in the SAP Support Portal and the Maintenance Planner is granted by the S-User authorizations.
Figure 4: EarlyWatch Alert (EWA)
Please find more information:
When planning your landscape, you also have to take care of a proper SLD DS payload distribution.