Declaring Customer Network

The data centers and logical networks, as defined and operated by the network team, shall be declared within Focused Run. These network segments, named Customer Networks, are used by LMDB as namespaces to bundle and protect system definitions and collected metrics. This is reflected, as an example, in the above schema with A and B. A Customer Network can then also be assigned to a customer (via so-called Business Partners).

To declare a Customer Network within Focused Run using SSI Configuration, you shall have a clear understanding of the network layout and the associated proxies and reverse proxies. You are asked to provide:

  • A Data Center ID, limited to 4 characters, like "WDF1".
  • A globally unique Customer ID (also known as CID), composed of 3 characters, like "ABC".
  • A globally unique Customer Network name (belonging to a Data Center), like "ABC_Walldorf". Note: The Customer Network name must be limited to 40 characters.
  • A unique Admin Request Parameter, also called "inbound fencing string", which is usually the hostname of the Reverse Proxy. Note: It is mandatory that this same value is also manually maintained in the reverse proxy configuration file, as explained in the Security Guide, chapter: Enable Network Communication Encryption.

Follow the rules below:

  • We recommend using a combination of characters and digits.
  • Do not use spaces or special characters.
  • Use _ (underscore) characters instead of - (minus).
  • Spaces are only allowed for the Network Description.
  • The Data Center ID, Customer ID, Customer Network Name must be clear and consistent, because the Data Center ID might be used for access/authorization checking in further releases.
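
An added example (not part of the SAP documentation or tooling): a Python pre-check that applies the length, character and uniqueness rules above to a planned list of Customer Networks before the values are entered in SSI Configuration. The NetworkPlan record, its field names and the sample values are assumptions made for illustration; uniqueness is checked only within the supplied list.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Letters, digits and underscore only: no spaces, no special characters, no "-".
ALLOWED = re.compile(r"[A-Za-z0-9_]+")

@dataclass(frozen=True)
class NetworkPlan:  # hypothetical record for one planned Customer Network
    data_center_id: str
    cid: str
    name: str
    fencing_string: str

def field_errors(p):
    """Check length and character rules for one planned network."""
    errs = []
    for label, value, lo, hi in [("Data Center ID", p.data_center_id, 1, 4),
                                 ("Customer ID", p.cid, 3, 3),
                                 ("Customer Network name", p.name, 1, 40)]:
        if not lo <= len(value) <= hi:
            errs.append(f"{label} {value!r}: length {len(value)} not in {lo}..{hi}")
        if not ALLOWED.fullmatch(value):
            hint = " (use _ instead of -)" if "-" in value else ""
            errs.append(f"{label} {value!r}: only letters, digits and _{hint}")
    # The fencing string is usually a hostname, so the character rules are
    # not applied to it here (assumption); it only has to be present.
    if not p.fencing_string:
        errs.append(f"{p.name!r}: Admin Request Parameter is empty")
    return errs

def validate_plan(plans):
    """Return all violations for a list of planned networks ([] means OK)."""
    errs = [e for p in plans for e in field_errors(p)]
    unique = [("Customer ID", lambda p: p.cid),
              ("Customer Network name", lambda p: p.name),
              ("Admin Request Parameter", lambda p: p.fencing_string)]
    for label, get in unique:
        # Case-insensitive comparison is an assumption of this example.
        counts = Counter(get(p).upper() for p in plans)
        errs += [f"{label} {v!r} used {n} times, must be unique"
                 for v, n in counts.items() if n > 1]
    return errs

# Constructed sample plan: the second entry breaks several rules.
SAMPLE = [NetworkPlan("WDF1", "ABC", "ABC_Walldorf", "rproxy1.example.test"),
          NetworkPlan("WDF01", "AB", "ABC-Walldorf", "rproxy1.example.test")]

if __name__ == "__main__":
    print("\n".join(validate_plan(SAMPLE)))
```

A duplicate Admin Request Parameter is worth catching early, because the same value also has to be maintained by hand in the reverse proxy configuration file.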

 

Pay attention to the terminology: In the context of Focused Run, the term reverse proxy designates a pass-through from the managed objects of the customer network to the FRUN system.

Finally, consider that a predefined customer network named LOCALNETWORK is created while performing the initial setup of LMDB, as described in the Master Guide.

This local network can be utilized within FRUN in case no specific security or data separation is required (and no proxy or reverse proxy is in place).

To create the customer network within Focused Run, navigate to Infrastructure Administration / Global Settings & Network Configuration in the Launchpad and:

  • Choose the Network Creation tab.
  • Press New.
  • Specify the required values.
  • Press Save and Create.

Note: Each time a customer network is created within Focused Run using SSI Configuration, a set of associated technical users is created. Refer to the following chapters in the Security Guide for further details:

  • Introduction to Data Separation
  • Technical Users to Authenticate Data Send Requests to the Focused Run system (ABAP)

Then select the Network Settings tab.

Select the previously created Customer Network.

Enter the password of the existing sapadm OS user relevant in that network segment.

Note: The sapadm OS user is dedicated to the SAP Host Agents. It is a reserved OS username, and the password is usually defined when installing an SAP Host Agent or any SAP system. This OS user password shall be the same on all hosts that belong to a given customer network. It is currently not possible to define different sapadm OS user passwords for the hosts of a given customer network. Refer to the Security Guide, chapter Technical Users for Managed OS, for further details.

  • Details about SSL/TLS settings can be found in the Security Guide, in chapter Enable Network Communication Encryption.
  • Press Save.

Finally:

The above customer network wizard creates users automatically with a generated password. Therefore, you shall define the password of the following technical users:

  • FRN_LDDS_<CID> : User on Focused Run system to authenticate Data Suppliers sending SLD payloads directly to LMDB.
  • FRN_LDSR_<CID> : User on Focused Run system to authenticate the SLDRs which are forwarding received SLD payloads.

Note: Do not simply use transaction SU01. Refer to the Security Guide for additional details.

Therefore, proceed as follows:

  • Run the report RSSI_CHANGE_NETWORK_PASSWORD (transaction SA38).
  • Select the type of user, as mentioned above
  • Select the Customer ID
  • Provide a new password
  • Select Change Password

Use-Case Settings For Simple System Integration

Available only since Focused Run FP2. In this section, select the use cases that Simple System Integration will set up during the Automatic Technical Systems Configuration operation:

  • AIM – Advanced Integration & Exception Monitoring
  • ASM – Advanced System Management
  • AUM – Advanced User Monitoring
  • CSA – Configuration & Security Analytics

Note: None of the use cases is selected by default.

Change Customer Network Data Center

Note: Only experts shall use this report. Customer Networks are sensitive data. This procedure must only be used to change the Data Center (field: Data Center 1).

Procedure:

  • Ensure your user has the role SAP_FRN_LDB_ALL assigned
  • Start transaction SA38
  • Run report RLMDB_CUSTOMER_NETWORK_TOOLS
  • Depending on what you want to do, check or uncheck the option: Prohibit save of any changes
  • Press the "Execute" button
  • Resize the displayed columns so that you can see and edit the column: Data Center 1
  • Select the line/row for the Customer Network entity which you want to change
  • Press the "Display/Change" button
  • Edit (by simply (re)typing) the value in column: Data Center 1 (be careful not to change other fields)
  • Press the "Save" button
  • Exit the report
  • Run report RLMDB_CUSTOMER_NETWORK_TOOLS
  • Check option: Prohibit save of any changes
  • Press the "Execute" button
  • Review/confirm that the required change was saved