Preparing Customer Network
Declaring Customer Network
The data centers and logical networks, as defined and operated by the network team, shall be declared within SAP Focused Run. These network segments, named Customer Networks, are used by LMDB as namespaces to bundle and protect system definitions and collected metrics. This is reflected, as an example, in the schema below with A and B. Such a Customer Network can then also be assigned to a customer (via so-called Business Partners).
To declare a Customer Network within SAP Focused Run using SSI Configuration, you need a clear understanding of the network layout and the associated proxies and reverse proxies. You are asked to specify:
- A Data Center ID. As of SAP Focused Run 2.0 FP02, a Data Center ID is a maximum of 16 characters, such as “DATACENTER1”.
- A globally unique Customer ID (also known as CID), composed of 3 characters, like "ABC".
- A globally unique Customer Network name (belonging to a Data Center), like "ABC_Walldorf". Note: The Customer Network name must be limited to 40 characters.
- A unique Admin Request Parameter, also called "inbound fencing string", which is usually the hostname of the Reverse Proxy. Note: It is mandatory that this same value is also manually maintained in the reverse proxy configuration file, as explained in the Security Guide, chapter: Data Separation.
Follow the rules below:
- We recommend using a combination of characters and digits.
- Do not use spaces or special characters.
- Use _ (underscore) characters, instead of - (minus).
- Spaces are only allowed for the Network Description.
- The Data Center ID, Customer ID, Customer Network Name must be clear and consistent, because the Data Center ID might be used for access/authorization checking in further releases.
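The naming rules above can be checked against a planned set of declarations before they are entered in Network Administration. The following is an added example, not SAP code: the field names, the `validate_networks` helper and the sample plan are hypothetical, "characters and digits" is read as ASCII letters, digits and underscore, and uniqueness is checked only within the supplied plan.

```python
import re
from collections import Counter

# Assumption: "characters and digits" is read as ASCII letters, digits and underscore.
ALLOWED = re.compile(r"[A-Za-z0-9_]+")
# Length limits stated on this page; the CID is checked for exactly 3 characters.
LIMITS = {"data_center_id": (1, 16), "customer_id": (3, 3), "network_name": (1, 40)}
# Values that must not repeat across declarations.
UNIQUE = ("customer_id", "network_name", "admin_request_parameter")


def validate_networks(networks):
    """Return a sorted list of (index, field, problem) for planned declarations."""
    findings = []
    for i, net in enumerate(networks):
        for field, (lo, hi) in LIMITS.items():
            value = net.get(field, "")
            if not lo <= len(value) <= hi:
                findings.append((i, field, f"length {len(value)} outside {lo}..{hi}"))
            if "-" in value:
                findings.append((i, field, "use _ instead of -"))
            elif value and not ALLOWED.fullmatch(value):
                findings.append((i, field, "space or special character"))
        if not net.get("admin_request_parameter"):
            findings.append((i, "admin_request_parameter", "missing"))
    for field in UNIQUE:
        counts = Counter(net.get(field) for net in networks if net.get(field))
        for i, net in enumerate(networks):
            if counts.get(net.get(field), 0) > 1:
                findings.append((i, field, "not unique"))
    return sorted(findings)


# Constructed sample plan; names and hostnames are made up. Description is free text.
PLAN = [
    {"data_center_id": "DATACENTER1", "customer_id": "ABC",
     "network_name": "ABC_Walldorf", "admin_request_parameter": "rp1.example.test",
     "description": "Walldorf production segment"},
    {"data_center_id": "DATACENTER1", "customer_id": "ABC",
     "network_name": "ABC-Berlin", "admin_request_parameter": "rp1.example.test",
     "description": "Berlin segment"},
    {"data_center_id": "DATA CENTER NUMBER 2", "customer_id": "XY",
     "network_name": "XY_Lab", "admin_request_parameter": "rp3.example.test",
     "description": "Lab"},
]

if __name__ == "__main__":
    for index, field, problem in validate_networks(PLAN):
        print(f"network #{index}: {field}: {problem}")
```

A reused inbound fencing string is reported because the Admin Request Parameter is what separates inbound data per customer network, so two networks sharing one value would not be distinguishable at the reverse proxy.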
Pay attention to the terminology: In the context of SAP Focused Run, the term reverse proxy designates a pass-through from the managed objects of the customer network, to the SAP Focused Run system.
Finally, consider that a predefined customer network named LOCALNETWORK is created, while performing the initial set up of LMDB, as described in the Master Guide.
This local network can be utilized within SAP Focused Run in case no specific security or data separation is required (and no proxy or reverse proxy is in place).
To create the customer network within SAP Focused Run:
- Navigate to Infrastructure Administration / Global Settings & Network Configuration, within the Launchpad
- Choose the "Network Administration" view.
- Press New
- Specify the required values
  - Starting with SAP Focused Run 3.0 FP02, it is possible to set up certificate-based communication for new customer networks. Please see the page Preparing Customer Networks for Certificate-Based Authentication for details.
  - Starting with SAP Focused Run 4.0 FP03, it is possible to explicitly choose the agent that will take over central monitoring activities during the network administration.
  - Starting with SAP Focused Run 4.0 FP03, it is possible to enable the verification of server certificates on the Simple Diagnostics Agent (SDA) level during the network administration.
    - Please note: In case of an incorrect certificate setup, the SDA connections will stop working.
    - You can only activate this setting if "Reverse Proxy Port Type / Authentication" is one of:
      - HTTPS / Certificate-based Authentication
      - HTTPS / Basic Authentication
- Press Save and Activate
  - Note: Each time a customer network is created within SAP Focused Run, using SSI Configuration, a set of associated technical users is created. Refer to the following chapters in the SAP Focused Run Security Guide for further details:
    - Introduction to Data Separation
    - Technical Users to Authenticate Data Send Requests to the SAP Focused Run system (ABAP)
- Select the "Network Settings" view
- Select the previously created Customer Network
- Enter the password of the existing sapadm OS user, relevant in that network segment.
  - Note: The sapadm OS user is dedicated to the SAP Host Agents. It is a reserved OS username, and the password is usually defined when installing an SAP Host Agent or any SAP system. This OS user password shall be the same on all hosts that belong to a given customer network. It is currently not possible to define different sapadm OS user passwords for the hosts of a given customer network. Refer to the SAP Focused Run Security Guide, chapter Technical Users for Managed OS, for further details.
- Define your TLS/SSL settings.
  - Details about TLS/SSL settings can be found in the SAP Focused Run Security Guide, in chapter Enable Network Communication Encryption.
- Save your changes.
Finally:
The above customer network wizard creates users automatically with a generated password. Therefore, you shall define the password of the following technical users:
- FRN_LDDS_<CID> : User on SAP Focused Run system to authenticate Data Suppliers sending SLD payloads directly to LMDB.
- FRN_LDSR_<CID> : User on SAP Focused Run system to authenticate the SLDRs which are forwarding received SLD payloads.
Note: Do not simply use transaction SU01. Refer to the security guide for additional details.
Proceed as follows:
- Run the report RSSI_CHANGE_NETWORK_PASSWORD (transaction SA38).
- Select the type of user, as mentioned above
- Select the Customer ID
- Provide a new password
- Select Change Password