SAP NetWeaver Operations Guide

This guide provides an overview of how to manage IT ops for a running SAP NetWeaver system on Compute Engine. This guide does not cover the specifics of managing the SAP NetWeaver product. Google Cloud is certified for running SAP NetWeaver application servers ABAP and Java, and SAP products based on these application server stacks.

To learn how to operate your deployment of SAP NetWeaver, see the SAP NetWeaver Master Guide.
To learn how to plan your deployment of SAP NetWeaver, see the SAP NetWeaver on Google Cloud Planning Guide and the SAP NetWeaver Master Guide.
To learn how to deploy and prepare Google Cloud resources for an SAP NetWeaver system, see the deployment guide for your operating system:
- SAP NetWeaver on Linux Deployment Guide
- SAP NetWeaver on Windows Deployment Guide

Managing Compute Engine VM instances

This section shows how to perform administrative tasks typically required to operate SAP NetWeaver on Compute Engine, including information about starting and stopping systems.

Managing VM lifetime

This section provides information about how to manage the running state of your Compute Engine VMs.

Maintaining VM availability

Compute Engine offers availability policies that determine how a VM behaves during certain infrastructure-related events. For VM instances in your SAP NetWeaver implementation, it is important that you do not disable the following features:

Live migrate, which enables Compute Engine to keep your instance running when responding to an infrastructure maintenance event.
Automatic restart, which enables Compute Engine to restart your instance in the event of an instance crash. Note that the SAP system does not automatically restart.

Stopping a VM

You can stop one or multiple SAP NetWeaver hosts at any time; stopping a VM instance shuts down the instance. If the shutdown doesn't complete within 2 minutes, the instance is forced to halt. As a best practice, you should first stop SAP NetWeaver before you stop the instance.

Stopping a VM causes Compute Engine to send the ACPI power-off signal to the VM instance. After it is stopped, you are not billed for the VM instance.

If you have persistent disks attached to the VM, the disks are not deleted and you continue to be charged for them. If the data in the persistent disk is important, you can either:

Keep the disk.
Create a snapshot of the persistent disk and then delete the disk. This option can help you save on costs. You can create another disk from the snapshot when you need the data again.

To stop a VM:

In the Google Cloud Console, navigate to the:

VM INSTANCES PAGE
Select one or more instances that you want to stop.
At the top of the VM instances page, click STOP.

For alternatives and more information, see Stopping an instance.

Restarting a VM

To restart a VM:

In the Cloud Console, navigate to the:

VM INSTANCES PAGE
Select the instances that you want to restart.
At the top right-hand of the page, click START.

For alternatives and more information, see Restarting an instance.

Modifying a VM

You can change various attributes of a VM, including the VM type, after the VM is deployed. Some changes might require you to restore your SAP system from backups, while others only require you to restart the VM.

For more information, see Modifying VM configurations for SAP systems.

Capturing system state

This section describes scenarios that require saving the state of your system, and the Compute Engine features that you can use for these purposes.

Using snapshots

You can create a snapshot of a persistent disk at any time to generate a point-in-time copy of the disk state. Compute Engine stores multiple copies of each snapshot, across multiple locations, with automatic checksums to ensure the integrity of your data.

Snapshots are useful for the following use cases:

Use case	Details
Migrate to a different type of storage.	You can use snapshots to move a persistent disk from one disk type, standard or SSD, to the other type. See Restoring a snapshot to a different disktype in the Compute Engine documentation.
Migrate SAP NetWeaver to another zone.	You can use snapshots to move your SAP NetWeaver system from one zone to another zone in the same region, or even from one region to another region. See Moving VMs between regions and zones.
Provide an easy, software-independent, and cost-effective backup solution.	Back up your attached persistent disks by using snapshots. You can back up your root disk and SAP NetWeaver installed binaries. Snapshots can be useful for taking backups of your database systems. However, depending on your implementation, you might want to use a different approach. For guidance about how to back up and restore databases, see the guides listed in Database operations.

To obtain a consistent snapshot, you must either stop SAP NetWeaver or stop the database from writing to the file system.

To create a snapshot, follow the Compute Engine instructions for creating snapshots. Pay careful attention to the preparation steps, such as flushing the disk buffers to disk, to make sure that the snapshot is consistent.

Creating images

To capture the state of a boot disk, you can create a custom image. An image is different from a backup because you use an image to create new VM instances that are based on a single, source VM.

When you followed the SAP NetWeaver on Google Cloud Deployment Guide, you should have created one or more images at the end of the deployment steps. However, you might want to create new images after you make important changes to the system, such as installing an update of SAP NetWeaver binaries or upgrading the SAP NetWeaver version.

For instructions, see:

Creating, Deleting, and Deprecating Custom Images, for Linux-based systems.
Creating a Windows image, for Windows-based systems.

Moving VMs between regions and zones

Compute Engine enables you to move VMs between zones in the same region and zones in different regions. You might want to move a VM if, for example, a new region or zone becomes available that would give you better performance, or if a zone becomes deprecated.

The Compute Engine documentation contains detailed instructions about how to move your VM to another zone.

Here are considerations for SAP NetWeaver:

SAP can run only in certain zones because of machine-type restrictions. See the SAP NetWeaver on Google Cloud Planning Guide for details.
Migrating the VM causes the VM's ID to change. This change triggers an SAP HW Key change, which requires you to import a new SAP license.
You can use the same hostname in the new zone, if it isn't already in use. If the hostname changes, you need to use the generic operations feature of SAP's SWPM to run a rename operation to change the SAP NetWeaver hostname.

Database operations

This section provides resources for managing the following database servers on Google Cloud:

SAP HANA
SAP ASE
IBM Db2 for Linux, UNIX and Windows (IBM Db2)
Microsoft SQL Server

SAP HANA operations

For more information about running SAP HANA on Google Cloud, see the SAP HANA on Google Cloud Operations Guide. That guide provides you with lots of details about administration, backup and recovery, security, networking, and other topics.

SAP ASE operations

For more information about using SAP ASE, see SAP Adaptive Server Enterprise.

IBM Db2 operations

For more information about using IBM Db2 with SAP, see SAP on IBM Db2 for Linux, UNIX and Windows.

Microsoft SQL Server operations

The following resources provide details about how to run Microsoft SQL Server on Google Cloud:

Resource	Description
Best Practices for Microsoft SQL Server	Learn how to configure Microsoft SQL Server for stability and performance on Compute Engine. Note the following important differences in best practices for SAP systems: Do not use local SSD drives. Use persistent disk SSDs, instead. For parallel query processing, set the max degree of parallelism to 1, not 8. The transaction log setting must be "FULL" for Microsoft SQL Server databases in production systems. Do not use the buffer pool extension feature.
Microsoft SQL Server Performance Tuning on Compute Engine	Discusses how to create a Microsoft SQL server on Compute Engine and then use metrics to optimize its performance.
Load Testing Microsoft SQL Server Using HammerDB	This tutorial shows how to use HammerDB to perform load testing on a Compute Engine Microsoft SQL Server instance.
Building a Microsoft SQL Server Disaster Recovery Plan on Compute Engine	Demonstrates how to implement a less-expensive disaster recovery solution for Microsoft SQL Server on Google Cloud.

IAM operations

Controlling access to Google Cloud resources is a critical part of securing and operating your deployment. While SAP provides its own user-management system, GCP's Identity and Access Management (IAM) provides unified control over permissions for Google Cloud resources. You can manage access control by defining who has what access for resources. For example, you can control who can perform control-plane operations on your SAP instances such as creating and modifying VMs, persistent disks, and networking.

For an overview of IAM in Compute Engine, see Access Control Options.

Managing team members

From time to time, you will want to add or remove team members from your project or change their permission levels. For details about how to manage team members, see Add, Remove Team Members, and Change Permissions.

IAM roles are key to granting permissions to users. For a reference about roles and which permissions they provide, see Identity and Access Management Roles.

Managing SSH keys

By default, Compute Engine automatically manages SSH keys. If you have decided to manage your own SSH keys, you need to add and remove keys from time to time during your normal operations. For detailed steps, see Adding and Removing SSH Keys.

Managing service accounts

IAM's service accounts provide a way for you to give permissions to applications and services. It's important to understand how service accounts work in Compute Engine.

If a service account is assigned to a Compute Engine VM, that service account is the default service account for the applications that run on that VM. Any application that uses the VM service account inherits the IAM roles and permissions that are granted to the VM service account.

For more information, see Identity and access management for SAP programs on Google Cloud.

Using Cloud Logging

Cloud Logging is the Google Cloud solution for system-wide logging. Cloud Logging allows you to store, search, analyze, monitor, and alert on log data and events. Using Cloud Logging requires that you have installed the Cloud Logging agent on each VM.

If you didn't install the agent, you can install it now. See Installing the Agent.

See Compute Engine Logs for details about supported logs.

Access control

Cloud Logging provides granular access control to logs and logging operations. For details, see the Access Control Guide.

Audit logging

Cloud Audit Logs provides key information about activities happening in GCP through two log types: Admin Activity and Data Access. You can view the Activity Feed and the Logs Viewer in the Cloud Console.

The monitoring agent for SAP NetWeaver

Google Cloud provides a monitoring agent specifically for SAP NetWeaver, the Google Cloud monitoring agent for SAP NetWeaver, which collects data about the Google Cloud host machine and its environment and provides the data to the SAP Host Agent.

The SAP Host Agent, with the saposcol program, and the monitoring agent for SAP NetWeaver are required for support and to monitor system performance of SAP NetWeaver on Google Cloud.

When the monitoring agent for SAP NetWeaver is running on a Compute Engine, the agent also collects metadata from Cloud Monitoring, a part of Google Cloud's operations suite.

Metrics collected by the monitoring agent

The metrics collected by monitoring agent for SAP NetWeaver are determined by SAP. For a description of metrics that the agent collects, see SAP Note 2469354.

Understanding the monitoring agent lifecycle

When managing monitoring operations, it's helpful to understand what the monitoring agent for SAP NetWeaver is doing. In general, here's how it works:

Cloud Monitoring has a local agent that collects metrics, events, and metadata from Google Cloud. Compute Engine also provides APIs that provide monitoring functionality.
Each VM in your deployment must host an instance of the monitoring agent for SAP NetWeaver. The monitoring agent runs as a Windows service or a Linux process.
The monitoring agent for SAP NetWeaver combines monitoring data from Monitoring and the Compute Engine APIs.
The SAP Host Agent polls the monitoring agent for SAP NetWeaver for its cached data, over HTTP. It aggregates the metrics, reports them, and stores them in the SAP NetWeaver database.
SAP's transaction ST06 or the saposcol command line interface displays the aggregated metrics.
You can view the data from the monitoring agent for SAP NetWeaver by running a command in a terminal window.

Cloud API access for the monitoring agent for SAP NetWeaver

When the monitoring agent for SAP NetWeaver is running on a Compute Engine VM, it reads data from Monitoring.

The access to the Monitoring APIs can be controlled by IAM permissions granted to the host VM service account, by Google Cloud API access scopes granted to the VM, or both.

Compute Engine recommends using only the IAM permissions of the VM service account to control access to Google Cloud resources and setting the VM access scopes to allow full access to all Cloud APIs. For more information, see Best practices.

The monitoring agent for SAP NetWeaver uses the service account of its host VM to retrieve Cloud Monitoring metrics. Consequently, the monitoring agent requires that the host VM have a service account and that the service account includes the monitoring.timeSeries.list permission, which is contained in the predefined Monitoring Viewer role.

If you do limit access to the Cloud APIs, the monitoring agent for SAP NetWeaver requires the following minimum Cloud API access scopes on the host VM instance:

Compute Engine: Read Only
Stackdriver Monitoring API: Read Only

If you are running SAP NetWeaver on a VM that does not have an external IP address, you need to enable access the Google Cloud APIs and services for the monitoring agent for SAP NetWeaver.

To enable Private Google Access from a Compute Engine VM on a subnet, see Configuring Private Google Access.

If you are running SAP NetWeaver on a machine in a Bare Metal Solution region extension, the monitoring agent for SAP NetWeaver does not require access to the Google Cloud APIs.

Installation overview

When you issue the install command, the provided start-up script completes the following tasks:

Downloads the latest version of the monitoring agent for SAP NetWeaver.
Downloads the dependencies, such as the OpenJDK and SIGAR libraries.
In Linux, creates a cron job as root that monitors whether the monitoring agent for SAP NetWeaver is running and, if necessary, restarts the agent.

Warning: Do not delete this cron entry. It is required for the continuous operation of the Google Cloud monitoring agent.
In Windows, creates a Windows service named "GCP Metrics Provider" and a scheduled task that runs every minute to check if the service is still running and, if necessary, restart it.

Warning: Do not manually stop the Windows service or delete the scheduled task.

For the installation instructions for Compute Engine VMs, see the deployment guide that applies to your deployment scenario:

Linux deployments
- Automated VM deployment for SAP NetWeaver on Linux
- Manual VM deployment for SAP NetWeaver on Linux
Windows deployments
- Automated VM deployment for SAP NetWeaver on Windows Server
- Manual VM deployment for SAP NetWeaver on Windows Server

For installation instructions for a Bare Metal Solution machine, see Installing the monitoring agent for SAP NetWeaver.

Verifying that the monitoring agent for SAP NetWeaver is running

The monitoring agent for SAP NetWeaver is a local HTTP server.

To check whether the monitoring agent is running, follow these steps:

Linux

Use SSH to connect to the host machine you want to monitor.
At the command prompt, enter the following command:
```
curl http://localhost:18181/health
```

Windows

Use RDP to connect to the host machine you want to monitor.
In a browser, visit http://localhost:18181/health.

If the monitoring agent for SAP NetWeaver is functioning properly, the status is UP. For example:

{"status":"UP","diskSpace":{"status":"UP","total":105552769024,"free":103920615424f,"threshold":10485760}}

If the monitoring agent for SAP NetWeaver isn't running, see Restarting the monitoring agent for SAP NetWeaver.

Verifying that SAP NetWeaver is receiving metrics

To check whether the connection between the monitoring agent for SAP NetWeaver and SAP NetWeaver works, enter transaction ST06 in your SAP NetWeaver ABAP System. In the overview pane, check the availability and content of the following fields for the correct, end-to-end setup of the SAP and Google monitoring infrastructure:

Cloud Provider: "Google Cloud Platform"
Enhanced Monitoring Access: "TRUE"
Enhanced Monitoring Details: "ACTIVE"

Viewing the monitored metrics

You can view the monitored metrics by polling the server. Follow these steps:

Linux

Use SSH to connect to the host machine that you need to monitor.
At the command prompt, enter the following command:
```
curl http://localhost:18181
```

Windows

Use RDP to connect to the host machine that you need to monitor.
In a browser, visit
```
http://localhost:18181
```
.

The following example shows the first few lines of XML output from the monitoring agent for SAP NetWeaver.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <metrics>
    <metric category="config" context="vm" type="string" unit="none"
      last-refresh="1614389614" refresh-interval="0"><name>Data
      Provider Version</name><value>1.1.1.0</value>
    </metric>
    <metric category="config" context="host" type="string" unit="none"
    last-refresh="1614389614" refresh-interval="0">
      <name>Cloud Provider</name><value>Google Cloud
      Platform</value>
    </metric>
    <metric category="config" context="vm" type="string" unit="none"
    last-refresh="1614389614" refresh-interval="0">
      <name>Instance Type</name><value>n2-standard-16</value>
    </metric>
    <metric category="config" context="host" type="string" unit="none"
    last-refresh="1614389614" refresh-interval="0">
      <name>Virtualization Solution</name><value>KVM</value>
    </metric>
    ...
  </metrics>

Restarting the monitoring agent for SAP NetWeaver

If the monitoring agent for SAP NetWeaver stops working, follow these steps to restart:

Linux

From the /opt/gcpmetricsprovider directory, run the following command:

  nohup jdk/jre/bin/java -Djava.library.path="/opt/gcpmetricsprovider/sigar-bin/lib/" -jar ./gcpmetricsprovider.jar

The agent starts as a background job.

Windows

Check the log for potential issues with the monitoring agent for SAP NetWeaver:

C:\Program Files\Google\GCP Metrics Provider\Logs\gcp-metric-provider.log

In Windows, the agent is configured as a Windows service that is named "GCP Metrics Provider". The service normally ensures that the agent restarts automatically.

Updating the monitoring agent for SAP NetWeaver

To update the monitoring agent for SAP NetWeaver to a new version:

Enable remote HTTP requests from the SAP NetWeaver host to https://www.googleapis.com/.
Install the new version:

Linux

sudo curl https://storage.googleapis.com/cloudsapdeploy/netweaver-agent/update.sh | sudo bash

The update.sh script installs the new version of the monitoring agent for SAP NetWeaver in the /opt/gcpmetricsprovider directory.

Windows

. { iwr -useb https://storage.googleapis.com/cloudsapdeploy/netweaver-agent/update.ps1 } | iex

The update.ps1 script installs the new version of the monitoring agent for SAP NetWeaver in C:\Program Files\Google\GCP Metrics Provider.

Troubleshooting monitoring

This section describes issues you can investigate if the monitoring agent for SAP NetWeaver isn't working.

Out-of-memory condition

Check the logs:

For Linux: /var/log/gcp-metric-provider/gcp-metric-provider.log.
For Windows: C:\Program Files\Google\GCP Metrics Provider\Logs\gcp-metric-provider.log

If the logs contain an OutOfMemoryError entry, restart the agent.

Insufficient IAM permissions

On the VM instance details page in Google Cloud Console, note the name of the VM service account. For example:

sap-example@example-project-123456.iam.gserviceaccount.com

On the IAM & Admin home page, confirm that the service account includes an IAM role that includes the monitoring.timeSeries.list permission.

If you installed the Cloud Monitoring agent (not the monitoring agent for SAP NetWeaver), you might need to grant additional IAM permissions to your VM service account, such as the predefined Monitoring Metric Writer role. To confirm the permissions that the Monitoring agent requires, see the Cloud Monitoring documentation:

Wrong access scopes for the VM service account

Access scopes are the legacy method of specifying permissions for your instance.

A best practice is to set the full cloud-platform access scope on the instance, then securely limit the service account's API access with IAM roles. For example:

'https://www.googleapis.com/auth/cloud-platform`

If you do limit the access scopes of your VM, you must ensure that the host VM has the following access scopes:

https://www.googleapis.com/auth/source.read_write
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/logging.admin
https://www.googleapis.com/auth/monitoring
https://www.googleapis.com/auth/trace.append
https://www.googleapis.com/auth/devstorage.full_control

To change the access scopes, you need to stop your VM instance, make the changes, and then restart the instance. For instructions, see the Compute Engine documentation. You don't need to make any changes to permissions for IAM roles for this issue.

Missing or incorrect SAP Host Agent

For the monitoring system to work, your SAP NetWeaver system must have the SAP Host Agent installed and the required minimum patch level for the Host Agent. For instructions to install the SAP Host Agent, see the SAP documentation.

For version requirements for the SAP Host Agent, refer to the following SAP Notes:

Linux: SAP Note 2460297 - SAP on Linux on Google Cloud Platform: Enhanced Monitoring
Windows: SAP Note 1409604 - Virtualization on Windows: Enhanced Monitoring

Download failure

If the host server that is running the monitoring agent for SAP NetWeaver was created without a public IP address, the monitoring agent cannot be downloaded. For a description about how to set up a NAT gateway that gives the host server outbound access to the internet, see the SAP NetWeaver deployment guide for your operating system:

Port not available

The monitoring agent for SAP NetWeaver listens for requests on port 18181. This port must be available or the monitoring agent cannot start up. If it is not, the SAP Host Agent logs show a Connection Refused error. Make sure port 18181 is available for the monitoring agent for SAP NetWeaver. If another service is using port 18181, you might need to restart the other service or otherwise reconfigure it so that it uses another port.