Preparing Customer Network

Declaring Customer Network

The data centers and logical networks, as defined and operated by the network team, shall be declared within SAP Focused Run. These network segments, named Customer Networks, are used by LMDB as namespaces, to bundle and protect system definitions and collected metrics. This is reflected, as an example, in the below schema with A and B. Such Customer Network can be then also assigned to a customer (via so called Business Partners).

To declare a Customer Network, within SAP Focused Run using SSI Configuration, you shall have a clear understanding of the network layout and associated proxies and reverse proxies. You are asked to mention:

As of SAP Focused Run 2.0 FP02 a Data Center ID is a maximum of 16 characters, such as “DATACENTER1”.
A globally unique Customer ID (also known as CID), composed of 3 characters, like "ABC".
A globally unique Customer Network name (belonging to a Data Center), like "ABC_Walldorf". Note: The Customer Network name must be limited to 40 characters.
A unique Admin Request Parameter, also called "inbound fencing string", which is usually the hostname of the Reverse Proxy. Note: It is mandatory that this same value is also manually maintained in the reverse proxy configuration file, as explained to the Security Guide, chapter: Data Separation.

Follow below rules:

We recommend to use a combination of characters and digits.
Do not use spaces or special characters
Use _ (underscore) characters, instead of - (minus).
Spaces are only allowed for the Network Description.
The Data Center ID, Customer ID, Customer Network Name must be clear and consistent, because the Data Center ID might be used for access/authorization checking in further releases.

Pay attention to the terminology: In the context of SAP Focused Run, the term reverse proxy designates a pass-through from the managed objects of the customer network, to the SAP Focused Run system.

Finally, consider that a predefined customer network named LOCALNETWORK is created, while performing the initial set up of LMDB, as described in the Master Guide.

This local network can be utilized within SAP Focused Run in case no specific security or data separation is required (and no proxy or reverse proxy is in place).

To create the customer network within SAP Focused Run:

Navigate to Infrastructure Administration / Global Settings & Network Configuration, within the Launchpad
Choose the "Network Administration" view.
Press New
Specify the required values
- Starting with SAP Focused Run 3.0 FP02, it is possible to setup certificate-based communication for new customer networks. Please see the page Preparing Customer Networks for Certificate-Based Authentication for details.
Press Save and Activate
- Note: Each time a customer network is created within SAP Focused Run, using SSI Configuration, a set of associated technical users are created. Refer to following chapters in the SAP Focused Run Security Guide for further details:
  - Introduction to Data Separation
  - Technical Users to Authenticate Data Send Requests to the SAP Focused Run system (ABAP)
Select the "Network Settings" view
Select the previously created Customer Network
Enter the Password of the existing sapadm OS user, relevant in that network segment
- Note: The sapadm OS user dedicated to the SAP Host Agents. It is a reserved OS username and the password usually defined when installing a SAP Host Agent, or any SAP system. This OS user password shall be the same on all hosts that belong to a given customer network. It is currently not possible to define different sapadm OS user passwords for the hosts of a given customer network. Refer to the SAP Focused Run Security Guide, chapter Technical Users for Managed OS for further details.
Define your TLS/SSL settings
- Details about TLS/SSL settings can be found in the SAP Focused Run Security Guide, in chapter Enable Network Communication Encryption
Save you changes.

Finally:

The above customer network wizard creates users automatically with a generated password. Therefore, you shall define the password of the following technical users:

FRN_LDDS_<CID> : User on SAP Focused Run system to authenticate Data Suppliers sending SLD payloads directly to LMDB.
FRN_LDSR_<CID> : User on SAP Focused Run system to authenticate the SLDRs which are forwarding received SLD payloads.

Note: Do not simply use transaction SU01. Refer to the security guide for additional details.

Therefore, proceed as follow:

Run the RSSI_CHANGE_NETWORK_PASSWORD (transaction SA38).
Select the type of user, as mentioned above
Select the Customer ID
Provide a new password
Select Change Password

Change Data Center for Customer Network

As of SAP Focused Run 2.0 FP02, the Data Center can simply be changed in the “Global Settings & Network Configuration” application

Go to the SAP Focused Run launchpad
Open the “Global Settings & Network Configuration” application
Go to the “Network Administration” page
Select the network you want to changed
Change the Data Center (and any other field you would like to change)
Press “Save”

For SAP Focused Run 2.0 FP01 and below, follow this procedure:

Note: Only experts shall use this report. Customer Networks are sensitives data. This procedure must only be used to change the Data Center (field: Data Center 1).

Procedure:

Ensure your user has the role SAP_FRN_LDB_ALL assigned
Start transaction SA38
Run report RLMDB_CUSTOMER_NETWORK_TOOLS
Depending on what you want to do, check or uncheck the option: Prohibit save of any changes
Press the "Execute" button
Resize the displayed columns so, that you can see and edit column: Data Center 1
Select the line/row for the Customer Network entity which you want to change
Press the "Display/Change" button
Edit (by simply (re)typing) the value in column: Data Center 1 (be careful to not change other fields)
Press the "Save" button
Exit the report
Run report RLMDB_CUSTOMER_NETWORK_TOOLS
Check option: Prohibit save of any changes
Press the "Execute" button
Review/confirm that the required change was saved