AutoUpgrade SAP Host Agent
PUBLIC
Warning
This document has been generated from the SAP Help Portal and is an incomplete version of the official SAP product
documentation. The information included in custom documentation may not reflect the arrangement of topics in the SAP Help
Portal, and may be missing important aspects and/or correlations to other topics. For this reason, it is not for productive use.
https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=21890361&topics=48c6f9627a004da5e10000000a4… 1/36
12/20/2019
Note
SAP Host Agent 7.20 was deprecated. For more information, see SAP Note 2130510.
For information about how to check the version of an existing SAP Host Agent installation, see SAP Host Agent Reference -
Command Line Options of the saphostexec Executable.
Recommendation
It is strongly recommended that you regularly upgrade SAP Host Agent to its latest version. See also SAP Note 2219592.
Features
SAP Host Agent provides you with the following features:
Hosting the infrastructure of SAP Landscape Virtualization Management (LVM), formerly known as SAP NetWeaver
Adaptive Computing Controller (ACC)
Using saposcol
Related Information
SAP Host Agent Change Log
Architectural Overview of SAP Host Agent
Downloading the SAPHOSTAGENT.SAR Archive
SAP Host Agent Installation
SAP Host Agent Upgrade
SAP Host Agent Configuration
Uninstalling SAP Host Agent
SAP Host Agent Reference
Command line option -archive (SAP HOST AGENT 7.21 PL003)
With the -archive option you can use the saphostexec executable program of the existing SAP Host Agent for the upgrade while providing the direct path to the SAPHOSTAGENT<PL-target version>.SAR archive. You then do not need to manually extract the archive before.
Verification of Digital Signature (SAP HOST AGENT 7.20 PL201)
The production version of the SAP Host Agent is available as a digitally signed SAR archive. You can now use the additional parameter -verify to verify the content of the SAP Host Agent archive against the SAP digital signature during installation and upgrade.
Audit Logging (SAP HOST AGENT 7.20 PL118)
SAP Host Agent provides the means to audit-log every operation the SAP Host Agent is performing. If you want to use audit logging, you have to activate it.
sapcrypto library and command line tool sapgenpse already contained in the SAPHOSTAGENT<version>.SAR archive (SAP HOST AGENT 7.20 PL62)
The sapcrypto library and the command line tool sapgenpse are already contained in the SAPHOSTAGENT <version>.SAR archive.
Automated upgrade (SAP HOST AGENT 7.20 PL45)
SAP Host Agent is enabled to check for updates automatically and get upgraded if a version of the SAP Host Agent executable is found that is higher than the existing one.
Related Information
SAP Host Agent
The following graphics provide an overview about SAP Host Agent and its components:
UNIX /usr/sap/hostctrl/exe
Windows %ProgramFiles%\SAP\hostctrl\exe
SAP Host Agent has the following executable programs and services:
The SAPHostExec service
saphostexec is a service or daemon that only runs under privileged user accounts such as root on UNIX or Local System under Windows.
saphostexec hosts the life-cycle management processes of the SAP Host Agent itself, such as upgrade and installation.
The sapstartsrv service SAPHostControl
SAPHostControl runs within SAP Host Agent under the sapadm user.
SAPHostControl should not be confused with sapstartsrv which runs under the <sapsid>adm user in the SAP system instance with the instance profile.
Note
SAPHostControl contains the functionality of the previous CCMS agent SAPCCMSR, that is, the agent that monitors hosts.
The operating system collector saposcol
saposcol is a stand-alone program that runs in the operating system background. It runs independently of SAP instances exactly once per monitored host. saposcol collects data about operating system resources, including:
CPU utilization
saposcol makes the data available using a segment of the shared memory for various applications and all SAP instances on a host.
The DB4STATS program and command (IBM i only)
The DB4STATS program and command are partly contained in the R3SAP400 library. They provide the SAP Database Performance Collector for IBM i. You can find a detailed description of this collector in SAP Note 1622665 and in the documentation attached to this SAP Note.
The SAP ILE daemon (IBM i only)
The SAP ILE daemon is needed to update ILE components (objects in libraries) from the patch archive after installing a SAP kernel patch. You can find a detailed description of the SAP ILE daemon in SAP Note 1637588.
Note
The installed programs are started automatically when the host is booted.
Windows On Windows hosts, this is done by the services SAPHostControl and SAPHostExec.
UNIX On UNIX the automatic start is ensured by the startup script sapinit.
IBM i On IBM i, the programs are started by the auto-start job entry SAPINIT in subsystem QUSRWRK, which was created
during the installation.
Profile File
The profile parameters of SAP Host Agent are stored in the host_profile file. This file is located in the executable directory of
the SAP Host Agent (see Executables and Services above).
Working Directory
The working directory of SAP Host Agent is in the following location:
Windows %ProgramFiles%\SAP\hostctrl\work
The working directory contains, among other things, the following configuration files:
CSMCONF Start file for the agents that contains connection data for the central monitoring system
SAPCCMSR.INI Contains information about the extent to which plug-ins, log files, and SAPOSCOL information should be
considered; this file is read when the agent is started.
In an ABAP system, you can display all files in the working directory of SAP Host Agent in the central monitoring system. You can
use transaction RZ21 to do this. In the Topology group box, select one of the Agents for ... radio buttons. The Monitoring: Display
Technical Topology screen appears. Now select SAP Host Agent and then choose Working Directory of the Agent. The system
displays the files of the directory. To display the contents of a file, choose the file by double-clicking it.
Log Files
The following log files are created during runtime for SAP Host Agent. They are available in the working directory of SAP Host
Agent:
sapstartsrv_ccms.log This log file is for central monitoring. It is stored in subdirectory sapccmsr of the working directory.
A log file is also created during runtime for SAP Host Agent with the name sapstartsrv_ccms.log, and log files are created
for RFC communication. The log files are stored in the sapccmsr subfolder of the working directory.
AL Files
For system instances, the AL* files (ALMTTREE, ALPERFHI, and ALALERTS) are in the working directory of the SAP Host
Agent. $DIR_LOGGING directory. These files contain the monitoring segment data.
Related Information
SAP Host Agent
Context
It is automatically installed during the installation of SAP systems or instances with SAP kernel 7.20 or higher.
Procedure
1. Go to https://launchpad.support.sap.com/#/softwarecenter.
Recommendation
Always select the highest Patch Level (PL) of the SAPHOSTAGENT<PL>.SAR archive, even if you want to monitor a
component of SAP NetWeaver with a lower release.
5. Make sure that the SAPCAR tool is available on the host where you want to install SAP Host Agent.
You need the SAPCAR tool in order to be able to decompress the SAPHOSTAGENT<PL>.SAR archive. For more
information about SAPCAR and how to get it, see SAP Note 212876.
SAP Host Agent is installed automatically during the installation of all new SAP system instances or instances with SAP kernel 7.20
or higher.
Recommendation
In high availability (HA) environments, SAP recommends installing the SAP Host Agent locally on every cluster node (host),
because the installation procedure places the SAP Host Agent files into the SAP system-independent directory path
/usr/sap/hostctrl. Make sure that this path is a local file system on every host of a high availability environment.
Installing the SAP Host Agent into a clustered file system is not supported.
The following sections describe how you can install SAP Host Agent separately:
Related Information
SAP Host Agent
Prerequisites
You have downloaded the SAPHOSTAGENT<PL>.SAR archive as described in Downloading the SAPHOSTAGENT.SAR
Archive
You have made sure that the following operating system-specific requirements are met:
Windows You have installed the specified Microsoft security patch in accordance with the instructions in SAP Note 1375494.
You also need to install the latest version of the Microsoft Runtime used by SAP as described in SAP Note 684106.
IBM i Option 33 of the operating system must be installed. Use menu GO LICPGM to check whether the option is installed
and install it if required.
IBM i The system startup program (specified in system value QSTRUPPGM) must contain the STRSBS command to start
subsystem QSYS/QUSRWRK. This is needed because SAPHOSTAGENT will be started as an auto-start job in subsystem
QSYS/QUSRWRK
Procedure
1. Log on as a user with the required authorization:
IBM i As a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
If user profile R3GROUP does not exist on your server, it will be created during the installation of SAP Host Agent. If
you have already installed SAP systems on other servers, we recommend that you use the same group ID (GID) for all
sapsys and R3GROUP groups in the system landscape. To obtain the group ID (GID) for R3GROUP on another IBM i
server in your landscape, enter the command DSPUSRPRF USRPRF(R3GROUP) and scroll down until you see the
value for Group ID number.
Note
The default password for user SAPADM is “sapofr”.
But to be able to log on with user SAPADM, you must first change the profile using the following command:
CHGUSRPRF USRPRF(SAPADM) INLMNU(*LIBL/MAIN)
Having finished your work, you can reset the previous state with CHGUSRPRF USRPRF(SAPADM)
INLMNU(*SIGNOFF).
If the password is no longer “sapofr”, you can set your own password with CHGUSRPRF USRPRF(SAPADM)
PASSWORD(<new_password>).
To be able to execute the CHGUSRPRF commands, you must be logged on as a user with QSECOFR authorizations.
2. IBM i only: Enter the command CALL PGM(QP2TERM) to start a PASE interactive terminal session.
Windows c:\temp\hostagent
Take SAP Note 212876 into account when doing so. Use the following command for extraction, and execute it in the
directory of the archive:
UNIX /<path to SAPCAR>/sapcar -xvf <path to temporary directory>/SAPHOSTAGENT<PL>.SAR -manifest SIGNATURE.SMF
If user sapadm does not yet exist, it is automatically created as a local user and you are prompted to enter a password
for this user to be created.
Note
In some cases it might be useful to configure sapadm as a domain user instead of a local user, for example if you
have multiple Windows hosts in your system landscape each of which has SAP Host Agent. Enter the following
command to run saphostexec.exe while specifying sapadm as the domain user:
Recommendation
Use the additional parameter -verify to verify the content of the installation package against the SAP digital
signature:
The administrator user sapadm of the SAP Host Agent is created automatically during the installation, but it does not
get assigned a password.
Note
You can set the password in one of the following ways:
After the installation has finished by entering the following command as user root: passwd sapadm
Recommendation
Use the additional parameter -verify to verify the content of the installation package against the SAP digital
signature:
Note
If you have already installed SAP systems on other servers, we recommend that you use the same group ID (GID)
for all sapsys or R3GROUP groups in the system landscape. To do this, enter your landscape system GID into
<gid> on the above command. If user profile R3GROUP already exists, or if you want the saphostcontrol
installation to automatically generate a new group ID, enter the command
<path to temporary directory>/saphostexec -install without the addition -gid <gid>.
Recommendation
Use the additional parameter -verify to verify the content of the installation package against the SAP digital
signature.
7. After the installation has finished successfully, you can check whether SAP Host Agent is up and running by executing the
following command from the directory of the SAP Host Agent executables:
8. IBM i only: Leave the PASE interactive terminal session using function key F3
Results
After the installation has finished successfully, SAP Host Agent is up and running.
Next Steps
You can now delete the temporary directory with all its content.
IBM i only: If it did not already exist, R3GROUP was created during the installation. Even though SAP Host Agent does not require
special authorities, we recommend that you grant the required authorities for system APIs that need to be authorized for user
profile R3GROUP for your SAP system now. For more information, see SAP Note 175852.
Related Information
SAP Host Agent Installation
Proceed as described in the documentation Installation Guide - Installation of SAP Host Agent on <OS> - Using Software
Provisioning Manager <Version> at: https://support.sap.com/sltoolset System Provisioning.
When using Software Provisioning Manager 2.0, choose the guide for your operating system from the following path:
Installation Option of Software Provisioning Manager 2.0 Installation Guides - SAP Host Agent
When using Software Provisioning Manager 1.0, choose the guide for your operating system from the following path:
System Provisioning Installation Option of Software Provisioning Manager 1.0 Installation Guides - Standalone Engines
and Clients SAP Host Agent
Related Information
SAP Host Agent Installation
Recommendation
If you have a 720 or 720_EXT patch level (PL) of SAP Host Agent installed, upgrade it to the latest version of SAP Host
Agent 721.
It is strongly recommended that you regularly upgrade SAP Host Agent to its latest version. See also SAP Note 2219592.
Related Information
SAP Host Agent
You do not extract the downloaded SAPHOSTAGENT<PL>.SAR archive and run either the saphostexec executable with
option -upgrade -archive or the hostexecstart executable with option -upgrade from the hostctrl
directory while specifying the location of the downloaded SAPHOSTAGENT<PL>.SAR archive.
You extract the downloaded SAPHOSTAGENT<PL>.SAR archive to a temporary directory and run the saphostexec
executable with option -upgrade from this directory.
Related Information
Upgrading SAP Host Agent Without Extracting the SAPHOSTAGENT Archive
Upgrading SAP Host Agent From the Extracted SAPHOSTAGENT Archive
Prerequisites
You have downloaded the required target release version of the SAPHOSTAGENT<PL>.SAR archive as described in Downloading
the SAPHOSTAGENT.SAR Archive.
Procedure
1. Log on as a user with the required authorization:
UNIX As a user with root authorization or as a member of the sapsys group, for example <sapsid>adm
IBM i As a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
2. IBM i only: Enter the command CALL PGM(QP2TERM) to start a PASE interactive terminal session.
Windows c:\temp\hostagent
UNIX, IBM i /tmp/hostagent
Recommendation
Use the additional parameter -verify to verify the content of the installation package against the SAP digital
signature:
UNIX
If you are logged on as a user with root authorization, the command is as follows:
If you are logged on as a member of the sapsys group, for example <sapsid>adm, the command is as
follows: /usr/sap/hostctrl/exe/hostexecstart -upgrade <path to downloaded SAPHOSTAGENT<PL>.SAR>
Recommendation
Use the additional parameter -verify to verify the content of the installation package against the SAP digital
signature:
Recommendation
Use the additional parameter -verify to verify the content of the installation package against the SAP digital
signature:
5. After the upgrade has finished successfully, you can check the version of the upgraded host agent by executing the
following command from the directory of the SAP Host Agent executables:
UNIX
If you are logged on as a user with root authorization, the command is as follows:
/usr/sap/hostctrl/exe/saphostexec -version
If you are logged on as a member of the sapsys group, for example <sapsid>adm, the command is
as follows: /usr/sap/hostctrl/exe/hostexecstart -version
6. IBM i only: Leave the PASE interactive terminal session using function key F3
Next Steps
Post-requisites:
You can now delete the temporary directory with all its content.
Related Information
SAP Host Agent Upgrade
Prerequisites
You have downloaded the required target release version of the SAPHOSTAGENT<PL>.SAR archive as described in Downloading
the SAPHOSTAGENT.SAR Archive.
Procedure
1. Log on as a user with the required authorization:
IBM i As a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
2. IBM i only: Enter the command CALL PGM(QP2TERM) to start a PASE interactive terminal session.
Windows c:\temp\hostagent
UNIX, IBM i /tmp/hostagent
Recommendation
You can use the additional parameter -verify to verify the content of the installation package against the SAP
digital signature
IBM i
Recommendation
You can use the additional parameter -verify to verify the content of the installation package against the SAP
digital signature
6. After the upgrade has finished successfully, you can check the version of the upgraded host agent by executing the
following command from the directory of the SAP Host Agent executables:
UNIX
If you are logged on as a user with root authorization, the command is as follows:
/usr/sap/hostctrl/exe/saphostexec -version
If you are logged on as a member of the sapsys group, for example <sapsid>adm, the command is as
follows: /usr/sap/hostctrl/exe/hostexecstart -version
7. IBM i only: Leave the PASE interactive terminal session using function key F3
Next Steps
Post-requisites:
You can now delete the temporary directory with all its content.
Related Information
SAP Host Agent Upgrade
Configuring Delayed Auto-Upgrade of SAP Host Agent to Avoid Network Bottlenecks
Related Information
SAP Host Agent Upgrade
Prerequisites
IBM i You must be logged on as a user profile with special authorities *SECADM and *ALLOBJ, for
example as user profile QSECOFR.
Context
An upgrade is only performed if a version of the SAP Host Agent executable programs is found in the $DIR_NEW directory that is
higher than the version of the executable programs that exist in the SAP Host Agent executable directory.
Recommendation
The production version of the SAP Host Agent is available for customers as a digitally signed SAR archive. It is recommended
that you create an empty file .verify in the $DIR_NEW directory to enable the verification of the package integrity using
SAP digital signature during the auto-upgrade step.
Procedure
1. You can configure the automated upgrade behavior by adapting the host_profile file which you can find in the
following directory:
Windows %ProgramFiles%\SAP\hostctrl\exe
By default, the saphostexec program performs a check for updates every 5 minutes. You can change this
behavior by adapting profile value hostexec/autoupgrade_delay= <minutes>.
In addition, you can also change the name and path of the directory that contains the newest SAP Host Agent
version using profile value DIR_NEW= <path to a directory>.
Windows: If the new SAP Host Agent version is located on a network share, you have to use the UNC path for the
value of the DIR_NEW profile parameter, for example:
DIR_NEW = \\<your_host>\<your_share>\SAPHostAgent\SAPHostAgent_Update
2. Once you have changed the SAP Host Agent profile, you need to restart SAP Host Agent in order to make the changes take
effect:
a. IBM i: Enter the command CALL PGM(QP2TERM) to start a PASE interactive terminal session.
Windows %ProgramFiles%\SAP\hostctrl\exe
Windows saphostexec.exe -restart
Related Information
Automated Upgrade of SAP Host Agent
Procedure
1. Create the .upgrading file in the $DIR_NEW directory.
Example
This example shows how you proceed on UNIX. You can proceed analogously on other operating system platforms:
Sample Code
cd /usr/sap/hostctrl/new/
touch .upgrading
rm .upgrading
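The touch/rm sequence above, combined with the .verify recommendation from the auto-upgrade section, as an added shell example that is not part of the SAP documentation. It assumes that the agent skips $DIR_NEW while .upgrading exists and that the new version is copied between touch and rm; stage_update and the temporary directories are hypothetical names.

```shell
#!/bin/sh
# Added example: stage a new SAP Host Agent version into DIR_NEW under the
# .upgrading lock. All paths used in the demo are constructed stand-ins.

# stage_update SRC DIR_NEW
# Assumption: while .upgrading exists, the auto-upgrade check leaves DIR_NEW alone.
stage_update() (
    src=$1
    dir_new=$2
    [ -d "$src" ] || { echo "source directory missing: $src" >&2; exit 2; }
    mkdir -p "$dir_new" || exit 2

    # 1. Take the lock before any file of the new version lands.
    touch "$dir_new/.upgrading" || exit 2

    # 2. Copy the new version. If the copy fails, keep the lock so that a
    #    half-copied directory is never offered to the auto-upgrade.
    if ! cp -R "$src"/. "$dir_new"/; then
        echo "copy failed, .upgrading left in place in $dir_new" >&2
        exit 1
    fi

    # 3. Empty .verify file: request the signature check during auto-upgrade.
    : > "$dir_new/.verify" || exit 1

    # 4. Release the lock only after everything is in place.
    rm -f "$dir_new/.upgrading"
)

# Demo on constructed directories (not a real SAP Host Agent installation).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/extracted" "$demo_root/new"
echo "placeholder for extracted archive content" > "$demo_root/extracted/saphostexec"
stage_update "$demo_root/extracted" "$demo_root/new" && ls -A "$demo_root/new"
rm -rf "$demo_root"
```

A non-zero return code means the lock is still present and the directory needs attention before the next attempt.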
Related Information
Automated Upgrade of SAP Host Agent
Context
With this configuration the simultaneous upgrade of many machines is very easy. Unfortunately, if all machines start to access a
single network share, it could result in a network bottleneck, and in case of a restrictive firewall configuration, to a complete
outage.
To avoid this kind of problem, for large landscapes you can additionally create a configuration file within $DIR_NEW, containing
the maximum time range of an upgrade. In this case the various saphostexec processes of the different machines will plan the
upgrade in a random way within a well defined time window.
Procedure
Create a file in $DIR_NEW called .delay.
<Value1> represents the number of minutes after an auto-upgrade is checked, and <Value2> the maximum value of
minutes after which the auto-upgrade is started.
The real upgrade delay value in minutes is given by: Delay = <Value1> + <randomValue> * <Value2>
Example
500
Auto-upgrade checks the version of the file contained in $DIR_NEW every 500 minutes.
Example
500random500
Auto-upgrade checks the version of the file contained in $DIR_NEW every 500 minutes.
Once the version of SAP Host Agent contained within $DIR_NEW is newer, the upgrade will be started within the next
500 minutes. The exact time when the upgrade is started is a random value between 1 and 500 minutes.
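An added example (not from the SAP documentation) that reads a .delay file in the two forms shown above and reports the bounds of the Delay formula, so you can check that the random spread still meets a patch deadline. It assumes <randomValue> lies between 0 and 1; delay_window and delay_within are hypothetical helper names.

```shell
#!/bin/sh
# Added example: bounds of Delay = <Value1> + <randomValue> * <Value2>
# for a .delay file. Assumption: <randomValue> is between 0 and 1.

# delay_window FILE
# Prints "<earliest> <latest>" in minutes; fails on malformed content.
delay_window() (
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; exit 2; }

    # Only the first line is evaluated; blanks and CR are ignored.
    spec=$(head -n 1 "$file" | tr -d ' \t\r')

    case $spec in
        *random*) v1=${spec%%random*}; v2=${spec#*random} ;;  # 500random500
        *)        v1=$spec; v2=0 ;;                           # 500
    esac

    # Accept plain decimal minutes only. Leading zeros are rejected because
    # shell arithmetic would read them as octal.
    for v in "$v1" "$v2"; do
        case $v in
            ''|*[!0-9]*|0?*)
                echo "invalid .delay content: $spec" >&2
                exit 1 ;;
        esac
    done

    echo "$v1 $((v1 + v2))"
)

# delay_within FILE MAX_MINUTES
# Succeeds when the latest possible delay does not exceed MAX_MINUTES.
delay_within() (
    bounds=$(delay_window "$1") || exit 1
    latest=${bounds#* }
    [ "$latest" -le "$2" ]
)

# Demo with a constructed .delay file (second example on this page).
demo_file=$(mktemp)
printf '500random500\n' > "$demo_file"
delay_window "$demo_file"
delay_within "$demo_file" 720 || echo "spread exceeds a 720-minute deadline"
rm -f "$demo_file"
```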
Related Information
Automated Upgrade of SAP Host Agent
Prerequisites
You must be logged on as a user with the appropriate authorizations:
IBM i As a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
Procedure
1. You are on the host that you want to register in the SLD.
2. IBM i: Enter the command CALL PGM(QP2TERM) to start a PASE interactive terminal session.
Windows %ProgramFiles%\SAP\hostctrl\exe (language-dependent)
Caution
You have to make sure that the SLD connection file is named slddest.cfg and that it is located in the DIR_GLOBAL
directory of SAP Host Agent. Otherwise the registration does not work.
Note
UNIX, IBM i: To be able to access its libraries, the sldreg program requires the path /usr/sap/hostctrl/exe in
the search path for libraries.
UNIX: For example, under Linux with a C shell, you can achieve this with the following command:
IBM i: From within QP2TERM, you can achieve this with the following command: export
LIBPATH=/usr/sap/hostctrl/exe:$LIBPATH
5. Enter the connection data for the SLD with which you want to register this host:
6. Confirm that you want to save this data in the encrypted file slddest.cfg.
The restart generates an XML file in the working directory of SAP Host Agent and transfers it to the SLD. This XML file
contains all of the information about the host that the SLD requires.
Results
You have registered the local host with an SLD.
Next Steps
You can check if the registration was performed successfully. To do this, call the start page of the SLD with the URL
http://<host>:<port>/sld, and choose Technical Systems. Choose AS Java in the Technical System Type drop-down list box. The
host that you have just registered is displayed.
Related Information
SAP Host Agent Configuration
The main steps for manual SSL configuration are as follows:
The following sections describe SSL configuration on UNIX, Windows, and IBM i by way of example.
You can also configure SAP Host Agent SSL with a self-signed certificate.
Prerequisites
You must be logged on as a member of the local Administrators group.
Context
In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default
.pse name, you can use the following value in the profile file of SAP Host Agent (host_profile):
Procedure
1. Prepare the environment for SAP Cryptographic Library:
a. Open a command line prompt and change to the %ProgramFiles%\SAP\hostctrl\exe directory.
b. Create a subdirectory named sec and set the SECUDIR environment variable to refer to the new directory using the
following commands:
Note
Alternatively, you can also use another directory, but then you have to specify this directory in the
host_profile file, using the parameter SETENV_<XX> = SECUDIR =<another_directory>, where
<XX> is the appropriate index of the SETENVs you have already used.
If you are using a different name for the PSE, other than SAPSSLS.pse, you must configure this as well in the
host_profile file, using the ssl/server_pse parameter.
Make sure that the SAP Host Agent's sapadm user has read access to the directory and the PSE.
Recommendation
Set up SECUDIR as an absolute path in order to avoid trouble with the sapgenpse tool.
c. Make sure that the files are readable and executable by user sapadm.
The server PSE contains the server certificate, which is presented to the client when establishing the SSL connection, and
the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification
Authority (CA) or individually trusted certificates.
a. Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR).
Example
%ProgramFiles%\SAP\hostctrl\exe> sapgenpse gen_pse -p SAPSSLS.pse -x passwd1 -r
This command creates a PSE file named SAPSSLS.pse (name is fixed), which can be used to authenticate
myhost.wdf.sap.corp for incoming SSL connections. The access to the PSE file is protected with
passwd1. Use the -r option to direct the certificate signing request to a file, or omit it if you intend to copy and
paste the CSR into a Web form.
Example
%ProgramFiles%\SAP\hostctrl\exe> sapgenpse seclogin -p SAPSSLS.pse -x passwd1 -
i. If you do not use individually trusted certificates, send the certificate signing request to an appropriate CA.
ii. Assuming that the CA replies to the request file with a CA-response-file which contains the signed certificate
in the PKCS#7 format, you can use this file as an input for importing the signed certificate into the server
PSE.
Example
%ProgramFiles%\SAP\hostctrl\exe> sapgenpse import_own_cert -p SAPSSLS.pse -x pa
(if the used format is PKCS#7).
Example
%ProgramFiles%\SAP\hostctrl\exe> sapgenpse get_my_name -p SAPSSLS.pse -x passwd
The client PSE contains the client certificate that is sent to SAP Host Agent when establishing the SSL connection, and the
names and public keys of the trusted certificates. For the client, trusted certificates can only be certificates that are issued
by a Certification Authority (CA).
The configuration steps are client-specific, which is why we only describe them in a generic way. Follow the instructions in
the specific client documentation.
Examples for possible clients are the SAP Management Console (SAP MC), the Diagnostics Agent in SAP Solution
Manager, or the SAP Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing
Controller (ACC)).
Results
Recommendation
If you successfully applied the procedure described above, SAP Host Agent also serves port 1129 for SSL communication.
Related Information
SSL Configuration for the SAP Host Agent
Prerequisites
You are logged on as a user with root authorization.
Context
In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default
.pse name, you can use the following value in the profile file of SAP Host Agent (host_profile):
Procedure
1. Prepare the Personal Security Environment (PSE) for the server:
The server PSE contains the server certificate that is presented to the client when establishing the SSL connection, and the
names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification
Authority (CA) or individually trusted certificates.
Proceed as follows:
Note
Alternatively, you can also use another directory, but then you have to specify this directory in the
host_profile file, using the parameter SETENV_<XX> = SECUDIR =<another_directory>, where
<XX> is the appropriate index of the SETENVs you have already used.
If you are using a different name for the PSE, other than SAPSSLS.pse, you must configure this as well in the
host_profile file, using the ssl/server_pse parameter.
Make sure that the SAP Host Agent's sapadm user has read access to the directory and the PSE.
c. Set up the shared library search path ( LD_LIBRARY_PATH, LIBPATH or SHLIB_PATH) and SECUDIR
environment variables, and change to the exe directory of SAP Host Agent.
Example
On Linux and Solaris, the required commands are as follows:
export LD_LIBRARY_PATH=/usr/sap/hostctrl/exe/
export SECUDIR=/usr/sap/hostctrl/exe/sec
cd /usr/sap/hostctrl/exe
export SHLIB_PATH=/usr/sap/hostctrl/exe/
export SECUDIR=/usr/sap/hostctrl/exe/sec
cd /usr/sap/hostctrl/exe
export LIBPATH=/usr/sap/hostctrl/exe
export SECUDIR=/usr/sap/hostctrl/exe/sec
cd /usr/sap/hostctrl/exe
Recommendation
Set up SECUDIR as an absolute path in order to avoid trouble with the sapgenpse tool.
d. Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR).
Run the command as user sapadm so that the created files are owned by this user.
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/
This command creates a PSE file named SAPSSLS.pse (name is fixed), which can be used to authenticate
myhost.wdf.sap.corp for incoming SSL connections. The access to the PSE file is protected with a
password. Use the -r option to direct the certificate signing request to a file, or omit it if you intend to copy and
paste the CSR into a web form.
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/
ii. Assuming that the CA replies to the request file with a CA-response-file which contains the signed certificate
in the PKCS#7 format, you can use this file as an input for importing the signed certificate into the server
PSE.
Example
If the used format is PKCS#7, the text file could be named myhost.p7b. We use this file name in the
following examples.
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/
The client PSE contains the client certificate that is sent to SAP Host Agent when the SSL connection is established, and
the names and public keys of the trusted certificates from CA.
The configuration steps are client-specific, so we describe them only in a generic way. Follow the instructions in
the specific client documentation.
Examples for possible clients are the SAP Management Console (SAP MC), the SAP Solution Manager Diagnostics Agent,
or the SAP Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing Controller
(ACC)).
Results
Recommendation
If you successfully applied the procedure described above, SAP Host Agent also serves port 1129 for SSL communication.
Related Information
SSL Configuration for the SAP Host Agent
Prerequisites
You must be logged on as a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
Context
In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default
.pse name, you can use the following value in the profile file of SAP Host Agent (host_profile):
Procedure
1. Prepare the Personal Security Environment (PSE) for the server:
The server PSE contains the server certificate, which is presented to the client when establishing the SSL connection, and
the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification
Authority (CA) or individually trusted certificates.
a. You must temporarily enable the login for user SAPADM. To change the user profile, enter the following command:
Note
The default password for user SAPADM is “sapofr”.
But to be able to log on with user SAPADM, you must first change the profile using the following command:
CHGUSRPRF USRPRF(SAPADM) INLMNU(*LIBL/MAIN)
Having finished your work, you can reset the previous state with CHGUSRPRF USRPRF(SAPADM)
INLMNU(*SIGNOFF).
If the password is no longer “sapofr”, you can set your own password with CHGUSRPRF USRPRF(SAPADM)
PASSWORD(<new_password>).
To be able to execute the CHGUSRPRF commands, you must be logged on as a user with QSECOFR
authorizations.
Note
Alternatively, you can also use another directory, but then you have to specify this directory in the
host_profile file, using the parameter SETENV_<XX> = SECUDIR =<another_directory>, where
<XX> is the appropriate index of the SETENVs you have already used.
If you are using a different name for the PSE, other than SAPSSLS.pse, you must configure this as well in the
host_profile file, using the ssl/server_pse parameter.
Make sure that the SAP Host Agent's sapadm user has read access to the directory and the PSE.
c. Change the owner and primary group of the PSE directory and set the appropriate authorities using the following
command:
d. Now log on as user SAPADM and execute the command CALL PGM(QP2TERM) before entering the commands of
the following steps.
e. Set up the shared library search path (LIBPATH) and SECUDIR environment variables, and change to the exe
directory of SAP Host Agent.
export LIBPATH=/usr/sap/hostctrl/exe
export SECUDIR=/usr/sap/hostctrl/exe/sec
cd /usr/sap/hostctrl/exe
Recommendation
Set up SECUDIR as an absolute path in order to avoid trouble with the sapgenpse tool.
f. Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR) using the following
command:
This command creates the PSE file /usr/sap/hostctrl/exe/sec/SAPSSLS.pse (the name is fixed), which
can be used to authenticate the host described by <DISTINGUISHED NAME> for incoming SSL connections.
Access to the PSE file is protected with password <PASSWORD>.
The CSR is written into the stream file <PKCS#10 requestfile>. You can ignore the warning
sapgenpse WARNING: Environment variable "USER" not defined!
Example
./sapgenpse gen_pse -p SAPSSLS.pse -x pass -r /tmp/myhost-csr.p10 "CN=myhost.my
g. Grant SAP Host Agent access to the server PSE using the following command:
Example
./sapgenpse seclogin -p SAPSSLS.pse -x pass -O sapadm
i. Transfer the stream file containing the CSR (certificate signing request) to a PC and send it to the
Certification Authority (CA) you are using.
ii. Assuming that the CA replies to the request file with a CA-response-file which contains the signed certificate
in the PKCS#7 format, you can use this file as an input for importing the signed certificate into the server
PSE. Transfer this text file to a stream file on your IBM i.
Example
The text file could be named myhost.p7b and transferred to the stream file /tmp/myhost.p7b. We
use this file name in the following examples.
i. Import the signed certificate into the server PSE using the following command:
Example
./sapgenpse import_own_cert -p SAPSSLS.pse -x pass -c /tmp/myhost.p7b
j. Verify the server certificate chain using the following command:
Example
./sapgenpse get_my_name -p SAPSSLS.pse -x pass -v
k. To reset the changes to user profile SAPADM that you have made in step 1.a), leave program QP2TERM with function
key F3 and enter the following command:
l. Log on as a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR, and
execute the command CALL PGM(QP2TERM) before entering the following command, which restarts SAP Host
Agent:
/usr/sap/hostctrl/exe/saphostexec -restart
The client PSE contains the client certificate, which is sent to SAP Host Agent when the SSL connection is established, and
the names and public keys of the trusted certificates from CA.
The configuration steps are client-specific, so we describe them only in a generic way. Follow the instructions in
the specific client documentation.
Examples for possible clients are the SAP Management Console (SAP MC), the Diagnostics Agent in SAP Solution
Manager, or the SAP Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing
Controller (ACC)).
Results
If you successfully applied the procedure described above, SAP Host Agent also serves port 1129 for SSL communication.
Related Information
SSL Configuration for the SAP Host Agent
Context
The operating systems which are supported by Host Agent have built-in means of audit logging. On UNIX and Linux, SAP Host
Agent uses the syslog (/var/log/messages), and in Windows the Application Eventlog. The user can decide if audit
logging is done using OS means or provide a file to which all audit messages are written. Audit logging is disabled by default. You
can enable and configure it using host_profile parameters.
Procedure
1. Edit the host_profile file.
For information about where you can find this file, see the Profile File section in Architectural Overview of SAP Host Agent.
Parameter | Description
service/auditlogfile=<FILE_NAME> | If an audit log file is provided by the user, SAP Host Agent uses the <FILE_NAME> log file in the SAP Host Agent’s work directory for audit logging. Eventlog and Syslog are not used in this case. If the file does not exist, it is created by SAP Host Agent.
service/auditlogfilesize=0...X | If an audit log file is provided, the user can decide to which extent the log file is allowed to grow. All sizes must be given in MB (Megabyte). If the configured size is exceeded, the current audit log file is saved to <FILENAME>.old and a new audit log file is created. If the size is set to 0 or if the parameter is not configured at all, the audit log file can grow without limit.
service/accesslogsize=0...X | If this parameter is set, users can decide up to which extent the access.log can grow. All sizes must be given in MB (Megabyte). If the size is exceeded, the current access.log is saved to <FILENAME>.old and a new audit access.log is created. In case of size 0 or if the parameter is not given at all, the access.log can grow without limitation.
3. Restart SAP Host Agent to activate the changed configuration settings.
Example
Audit logging output is always written in one line and can look like this:
Related Information
SAP Host Agent Configuration
service/hostname = <host_name>
or
service/hostname = <IP_Address>
Example
service/hostname = 127.0.0.1
saphostexec -restart
SAP Host Agent should now bind only the specified IP address.
Example
On Linux, you can check this as follows:
/usr/sap/hostctrl/exe#
saphostexec -restart
SAP Host Agent will still bind all available addresses, but as soon as a client tries to connect, it is either refused or accepted
according to the ACL file configuration.
As of SAP Host Agent 721 PL25, you can configure in the osfilter.conf file which operating system objects are monitored.
This file is located within the configuration directory of SAP Host Agent: /usr/sap/hostctrl/exe/config.d (on UNIX) or
C:\Program Files\SAP\hostctrl\exe\config.d (on Windows).
<ObjectType>[+/-]: <attribute>(<pattern>);...<attribute>(<pattern>)
There are two types of rule: including rules, specified by [+], and excluding rules, specified by [-].
All lines starting with a # sign are ignored and considered as comment lines.
If no rules are specified for a specific <ObjectType>, then all objects of this type are included within the operating
system monitoring process.
As soon as one single rule is defined, the matching process is executed according to the following rules:
Each <attribute> of one single rule (specified using the ';' separator) matches using an AND operator.
The first matching exclude [-] rule excludes the object from the process without further processing.
This means in general that you choose between two generic approaches which return the same results:
1. Define only include rules that match the objects you would like to monitor.
2. Define include rules and afterwards exclude the objects you want to exclude explicitly.
There are advantages and disadvantages when using approach 1 or 2. You can decide on the best approach only based on the
requirements of the use case.
Note
saposcol offered a similar functionality in the past. For more information, see SAP Note 498112 . See also SAP Note
1102124 for special requirements on Linux.
Filesystem
In general, the Filesystem object supports the following attributes: mount, device, type
You can find all attributes by executing the command mount or df on Linux, for example:
Sample Code
root@lu0140:/usr/sap/hostctrl/exe# df -T
Filesystem Type 1K-blocks Used Available Use% Mounted on
udev devtmpfs 65940396 0 65940396 0% /dev
tmpfs tmpfs 13192852 68016 13124836 1% /run
/dev/mapper/ubuntu--vg-root ext4 829098112 375847356 411111928 48% /
tmpfs tmpfs 65964240 20804 65943436 1% /dev/shm
tmpfs tmpfs 5120 4 5116 1% /run/lock
tmpfs tmpfs 65964240 0 65964240 0% /sys/fs/cgroup
/dev/sda1 ext2 482922 286209 171779 63% /boot
tmpfs tmpfs 13192852 88 13192764 1% /run/user/1000
tmpfs tmpfs 13192852 0 13192852 0% /run/user/997
tmpfs tmpfs 13192852 0 13192852 0% /run/user/11950
Sample Code
#
# Syntax:
# <ObjectType>[+/-]: <attribute>(<pattern>);...<attribute>(<pattern>)
# + = include,
# - = exclude,
# <ObjectType> = Filesystem, Process
# <attribute> :
# Filesystem -> mount, device, type (or Mount, Device, Type for case-sensitive match)
# Process -> cmd, args, user, group, uid
# <pattern> : support !, *, ?
# ! only @ begin of the pattern negate the match
# * match any character (0 or many occurrence)
# ? match 1 occurrence of any character
# In general all [+] filter are aggregated using the or operation
# but as soon a [-] match the FileSystem is excluded without any additional check!
#
# If no filter is set all objects are selected.
# As soon 1 single filter, for the ObjectType, is set nothing except the matching rule is selecte
Filesystem[+]: mount(*)
Filesystem[-]: type(proc)
Filesystem[-]: type(tmp*)
Filesystem[-]: type(sys*)
Filesystem[-]: type(cgroup*)
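The rule semantics described above, as an added Python example (not SAP's code and not part of the original documentation): it parses osfilter.conf-style rules and evaluates them against rows taken from the df -T listing. It assumes that patterns match the whole attribute value, that an ObjectType with only exclude rules selects nothing, and that capitalised attribute names (Mount, Device, Type) request case-sensitive matching; all function names are hypothetical.

```python
import re
# Constructed sample: device/type/mount values copied from the df -T listing above.
FILESYSTEMS = [
    {"device": "udev", "type": "devtmpfs", "mount": "/dev"},
    {"device": "tmpfs", "type": "tmpfs", "mount": "/run"},
    {"device": "/dev/mapper/ubuntu--vg-root", "type": "ext4", "mount": "/"},
    {"device": "/dev/sda1", "type": "ext2", "mount": "/boot"},
]
RULES = """\
Filesystem[+]: mount(*)
Filesystem[-]: type(proc)
Filesystem[-]: type(tmp*)
Filesystem[-]: type(sys*)
Filesystem[-]: type(cgroup*)
"""
RULE_RE = re.compile(r"^(\w+)\[([+-])\]:\s*(.+)$")
COND_RE = re.compile(r"^(\w+)\((.*)\)$")

def compile_pattern(pattern, case_sensitive):
    """Translate an osfilter pattern into (negate, regex); whole-value matching is assumed."""
    negate = pattern.startswith("!")  # '!' negates only at the start of the pattern
    body = pattern[1:] if negate else pattern
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in body)
    return negate, re.compile(regex, 0 if case_sensitive else re.IGNORECASE)

def parse_rules(text):
    """Return {ObjectType: [(sign, [(attribute, negate, regex), ...]), ...]}."""
    rules = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):  # blank and comment lines are ignored
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"malformed rule: {line!r}")
        obj_type, sign, conditions = match.groups()
        parsed = []
        for cond in filter(None, (c.strip() for c in conditions.split(";"))):
            cond_match = COND_RE.match(cond)
            if not cond_match:
                raise ValueError(f"malformed condition: {cond!r}")
            attr, pattern = cond_match.groups()
            negate, regex = compile_pattern(pattern, attr[0].isupper())  # Type(...): case-sensitive
            parsed.append((attr.lower(), negate, regex))
        rules.setdefault(obj_type, []).append((sign, parsed))
    return rules

def rule_matches(conditions, obj):  # all conditions of one rule are ANDed
    return all((rx.fullmatch(obj.get(a, "")) is not None) != neg for a, neg, rx in conditions)

def is_monitored(rules, obj_type, obj):
    typed = rules.get(obj_type)
    if not typed:  # no rule for this ObjectType: every object is monitored
        return True
    excluded = any(sign == "-" and rule_matches(c, obj) for sign, c in typed)  # a [-] match wins
    return not excluded and any(sign == "+" and rule_matches(c, obj) for sign, c in typed)

def monitored_mounts(rules_text=RULES, filesystems=FILESYSTEMS):
    rules = parse_rules(rules_text)
    return [fs["mount"] for fs in filesystems if is_monitored(rules, "Filesystem", fs)]
```

With the sample rules, /dev stays monitored because its type devtmpfs does not begin with tmp, so an exclude such as type(tmp*) is narrower than it may look when read quickly.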
$ ./convertoscolfilter
Usage:
-fs <path to sapocol dev_filter>
[-out <path to the output file:] [default osfilter.conf]
By default, the tool prints the converted filter in stdout. You can override this behavior by providing the argument -out with the
<path> to be used.
If the file provided to -out already exists, a new file called <path>.new is created. Then the tool prints the following message:
Prerequisites
IBM i You must be logged on as a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile
QSECOFR.
Context
On Windows, you can also uninstall the SAP Host Agent using Control Panel > Programs and Features.
Procedure
1. IBM i only: Enter the command CALL PGM(QP2TERM) to start a PASE interactive terminal session.
Results
This command stops the executables and services of SAP Host Agent and deletes the following:
Related Information
SAP Host Agent
SAP Host Agent Reference - Command Line Options of the saphostexec Executable
SAP Host Agent Reference - Command Line Options of the hostexecstart Executable
Related Information
SAP Host Agent
Prerequisites
You are logged on as a user with the required authorization:
IBM i As a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile
QSECOFR
Features
You call the program from the command line with the following syntax:
where <ProfilePath> is the path to the profile file (host_profile) of SAP Host Agent. By default the host_profile file is
located in the executable directory.
You can execute saphostexec with the following command line options:
Option Meaning
Recommendation
Use the additional parameter -verify to verify the content of the installation package
against the SAP digital signature.
Without further parameters you run this option with the saphostexec executable from
the extracted SAPHOSTAGENT<PL-target version>.SAR archive.
When you run saphostexec -upgrade from the hostctrl directory of the existing
SAP Host Agent installation, you use the -archive parameter to provide the direct path
to the archive with the required target release version without manually extracting the
archive before.
-verify
It is recommended that you use the additional -verify parameter to check
the content of the installation package against the SAP digital signature.
-version Returns the version of SAP Host Agent with detailed information
Related Information
SAP Host Agent Reference
Prerequisites
You have to be a member of group sapsys, for example <sapsid>adm, to be able to execute the program.
Features
You call the program from the command line with the following syntax:
You can execute hostexecstart with the following command line options:
Option Meaning
-upgrade <path to downloaded SAPHOSTAGENT<PL>.SAR> Upgrades SAP Host Agent using the path to the downloaded SAPHOSTAGENT<PL>.SAR
-status Returns the information whether SAP Host Agent is running or not running
-version Returns the version of SAP Host Agent with detailed information
Related Information
SAP Host Agent Reference