Set up Google Cloud's Agent for SAP

Workload Manager for SAP solutions uses Google Cloud's Agent for SAP to detect and collect metadata for evaluating your SAP system configurations. The Agent for SAP, along with the SAP Host Agent, are required on all VM instances that run SAP systems for support and monitoring of your SAP systems running on Google Cloud, including SAP NetWeaver, SAP HANA, SAP ASE, and SAP MaxDB.

The following checklist summarizes the tasks you need to perform to ensure that the Agent for SAP is set up properly:

1. Grant required roles to the service account
2. Install the Agent for SAP
3. Verify the agent version and install updates, if any
4. Enable collection of evaluation metrics

Required IAM roles

Google Cloud's Agent for SAP requires an Identity and Access Management (IAM) service account for authentication with Google Cloud and for permission to access Google Cloud resources. For the collection of Workload Manager evaluation metrics, whether you use a new, existing, or default service account, the service account must include the following IAM roles:

• Compute Viewer (roles/compute.viewer)
• Workload Manager Insights Writer (roles/workloadmanager.insightWriter)
• Secret Manager Secret Accessor (roles/secretmanager.secretAccessor), if you use Secret Manager for storing the SAP HANA database password.

Install the agent

If not already done, then install Google Cloud's Agent for SAP on the VM hosting your SAP system:

To install the agent on a Compute Engine instance, follow these steps:

1. Establish an SSH connection to your compute instance.
2. In your terminal, install the agent by running the command that is specific to your operating system:
   • (Recommended) To install version 3.6 (latest) of the agent:

     RHEL

     sudo tee /etc/yum.repos.d/google-cloud-sap-agent.repo << EOM
     [google-cloud-sap-agent]
     name=Google Cloud Agent for SAP
     baseurl=https://packages.cloud.google.com/yum/repos/google-cloud-sap-agent-el$(cat /etc/redhat-release | cut -d . -f 1 | tr -d -c 0-9)-x86_64
     enabled=1
     gpgcheck=1
     repo_gpgcheck=0
     gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
     EOM
     sudo yum install google-cloud-sap-agent

     SLES15

     sudo zypper addrepo --refresh https://packages.cloud.google.com/yum/repos/google-cloud-sap-agent-sles15-x86_64 google-cloud-sap-agent
     sudo zypper install google-cloud-sap-agent

     SLES 12

     sudo zypper addrepo --refresh https://packages.cloud.google.com/yum/repos/google-cloud-sap-agent-sles12-x86_64 google-cloud-sap-agent
     sudo zypper install google-cloud-sap-agent

   • To install a specific version of the agent:

     RHEL

     sudo tee /etc/yum.repos.d/google-cloud-sap-agent.repo << EOM
     [google-cloud-sap-agent]
     name=Google Cloud Agent for SAP
     baseurl=https://packages.cloud.google.com/yum/repos/google-cloud-sap-agent-el$(cat /etc/redhat-release | cut -d . -f 1 | tr -d -c 0-9)-x86_64
     enabled=1
     gpgcheck=1
     repo_gpgcheck=0
     gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
     EOM
     sudo yum install google-cloud-sap-agent-VERSION_NUMBER.x86_64

     SLES15

     sudo zypper addrepo --refresh https://packages.cloud.google.com/yum/repos/google-cloud-sap-agent-sles15-x86_64 google-cloud-sap-agent
     sudo zypper install google-cloud-sap-agent-VERSION_NUMBER.x86_64

     SLES 12

     sudo zypper addrepo --refresh https://packages.cloud.google.com/yum/repos/google-cloud-sap-agent-sles12-x86_64 google-cloud-sap-agent
     sudo zypper install google-cloud-sap-agent-VERSION_NUMBER.x86_64

     Replace VERSION_NUMBER with the agent's version number that you want to install, such as 3.1-606637668. For information about the agent versions that you can install, see List all available versions of the agent.

     For information about downgrading the agent to a specific version, see Downgrade Google Cloud's Agent for SAP.

After the installation is complete, proceed to configure the agent for the collection of the Workload Manager evaluation metrics.

Verify the agent version

Google Cloud recommends that you install the latest version of Agent for SAP for accurate evaluation of your SAP workloads because periodic releases of the Agent for SAP might add or change metrics that are used for the evaluation.

To ensure that you have the latest version of Google Cloud's Agent for SAP, you need to check for updates periodically and update the agent.

Check for updates

Select your operating system, and then follow these steps:

Install an update

Select your operating system, and then follow the steps:

Configure the collection of Workload Manager evaluation metrics

To configure Google Cloud's Agent for SAP, complete the following steps:

1. To let the agent collect the Workload Manager evaluation metrics:

   sudo /usr/bin/google_cloud_sap_agent configure -feature=workload_evaluation -enable

2. Optional: To enable the collection of "SAP HANA Insights" and "SAP HANA Security Best Practices" metrics in Workload Manager, add the workload_validation_db_metrics_config section after collect_workload_validation_metrics in the agent's configuration file, and then specify the following parameters:

   • hana_db_user: specify the user account that is used to query the SAP HANA instance.
   • hostname: specify the identifier for the machine, either local or remote, that hosts your SAP HANA instance.
   • port: specify the port on which your SAP HANA instance accepts queries.

   • hana_db_password_secret_name: specify the name of the secret in Secret Manager that stores the user account's password

     As an alternative to the secret, you can use the hdbuserstore_key configuration parameter.

   • hdbuserstore_key: specify the hdbuserstore key that authenticates the user you specified for hana_db_user

     If you specify hdbuserstore_key, then you skip specifying the hostname and port parameters.

   For information about these parameters, see Configuration parameters.

   The following examples are completed configuration files of Google Cloud's Agent for SAP running on a Compute Engine instance, where the collection of Workload Manager evaluation metrics is enabled.

   For SAP HANA authentication, the agent uses the following order of preference: if specified, the hdbuserstore_key configuration parameter is preferred over the hana_db_password parameter, which is preferred over the hana_db_password_secret_name parameter. We recommend that you set only one authentication option in your configuration file.

   • The following example uses a Secure user store (hdbuserstore) key for SAP HANA authentication:

     {
       "provide_sap_host_agent_metrics": true,
       "bare_metal": false,
       "log_level": "INFO",
       "log_to_cloud": true,
       "collection_configuration": {
         "collect_workload_validation_metrics": true,
         "workload_validation_db_metrics_frequency": 3600,
         "workload_validation_db_metrics_config": {
           "hana_db_user": "system",
           "sid": "DEH",
           "hdbuserstore_key": "user_store_key"
         },
         "collect_process_metrics": false
       },
       "discovery_configuration": {
         "enable_discovery": true,
         "enable_workload_discovery": true
       },
       "hana_monitoring_configuration": {
         "enabled": false
       }
     }

   • The following example uses a username and Secret Manager secret for SAP HANA authentication:

     {
       "provide_sap_host_agent_metrics": true,
       "bare_metal": false,
       "log_level": "INFO",
       "log_to_cloud": true,
       "collection_configuration": {
         "collect_workload_validation_metrics": true,
         "workload_validation_db_metrics_frequency": 3600,
         "workload_validation_db_metrics_config": {
           "hana_db_user": "system",
           "sid": "DEH",
           "hana_db_password_secret_name": "instance-id-hana-db-password-secret",
           "hostname": "localhost",
           "port": "30015"
         },
         "collect_process_metrics": false
       },
       "discovery_configuration": {
         "enable_discovery": true,
         "enable_workload_discovery": true
       },
       "hana_monitoring_configuration": {
         "enabled": false
       }
     }

   • The following example uses a username and password for SAP HANA authentication. We recommend that you instead use a Secret Manager secret or Secure user store (hdbuserstore) key for SAP HANA authentication.

     {
       "provide_sap_host_agent_metrics": true,
       "bare_metal": false,
       "log_level": "INFO",
       "log_to_cloud": true,
       "collection_configuration": {
         "collect_workload_validation_metrics": true,
         "workload_validation_db_metrics_frequency": 3600,
         "workload_validation_db_metrics_config": {
           "hana_db_user": "system",
           "sid": "DEH",
           "hana_db_password": "TempPa55word",
           "hostname": "localhost",
           "port": "30015"
         },
         "collect_process_metrics": false
       },
       "discovery_configuration": {
         "enable_discovery": true,
         "enable_workload_discovery": true
       },
       "hana_monitoring_configuration": {
         "enabled": false
       }
     }

3. Restart the agent for the new settings to take effect:

   sudo systemctl restart google-cloud-sap-agent

   After the agent successfully restarts, the agent starts sending the Workload Manager evaluation metrics to Workload Manager.

What's next

• Learn more about workload evaluations