Creating an ABAP satellite system

To create an ABAP satellite system in Protect4S VM, you will need the following users in your satellite system:

• An ABAP user for every relevant client (mandatory).

• 1 database user (optional).

• An SAPcontrol (operating system) user for every application server (optional, but recommended).

!!! Keep in mind; even if you don't use a SAPcontrol user, still the connection is created so the ports 5XX13/5XX14 must be reachable!!!

In this example, an ABAP type system will be configured.

This brings up the following screen:

Again, all fields marked with a "*" are mandatory and must be filled before the data can be saved. After the data has been supplied, press the "Save" button in order to continue with the next screen.

After saving the System header data, a wizard containing the following steps will be started:

After a step has been completed, you can press the "Next" button to proceed with the wizard.

1. ABAP connection to main instance

In this first screen the connection data to the Central Instance (FQDN or Fully Qualified hostname) now known as Primary Application Server) must be supplied. This includes the Central Instance hostname, instance number, number of the Productive client, the SAP user name and password. If the system allows it, you may set the "Trusted system" flag and additionally SNC settings for encryption can be set by setting the "SNC active" flag and filling the "SNC partner" field.

You may also select an existing RFC destination in order to copy its: hostname, instance number and client to this screen.

When the Next button is pressed, the wizard will contact the System and determine what available clients exist.

2. ABAP Clients

The client data of the satellite system is retrieved and now the relevant SAP users in and their passwords may be supplied for the other clients. Although this is not mandatory, it is recommended to supply this data in order to get a better Scan result. When done, press the "Next" button.

3. ABAP database connection

Database connections are not mandatory, but in order to get the most out of Protect4S VM, it is recommended to create a database connection using the System connection wizard. For this connection you will need to create a database user in the database of the satellite system. See the chapter satellite system database user for details on how to create this DB user.

✔ If you choose not to create a database connection this implies that some specific database checks might fail with the error message “Unable to process the check by a technical error”.

✔ If the database connection is not available then in some cases a fallback mechanism is used to retreive database specific information. For example for ABAP systems an RFC is used for MSSQL and MAXDB. For HANA a fallback is implemented via the OS command HDBCLI. This will only work if the SAPControl connection user is the <sid>adm OS user and can access the hdbuserstore.

If SAP Hana is used as a Database and an encrypted connection need to be setup, you can use the following button to automatically fill the needed parameters in the connection:

For the setup of encrypted communication, the HANA database certificate must be imported in the applicable PSE in transaction STRUST of this SAP Solution Manager. Specifics of the PSE can be adjusted in the parameters field. By default it uses the SSL default client (SAPSSLC). In the exceptional case that HTTPS is required but you cannot or don't want to validate the certificate add this parameter to the connection (not recommended):

sslValidateCertificate=false

4. Operating system connections

In this step, the connections to each instance will be created. First the connection to the main instance is created by supplying the: hostname, SAP instance number, OS user name and password.

The wizard will discover all the other instances and it assumes that these will use the same user-ID and password.

After pressing the "Next" button, an overview of the various connections will be shown:

These connections will only be created after pressing the "Save" button.

The creation of connections runs in the background and may take up to a minute before all connections have been created.

Afterwards, the connections can be checked by using the "Check all connections" button:

Provided the "Edit mode" is switched on, it is always possible to update the user-ID and password information for a connection that is not working:

Additional RFC security

In order to add a layer of security to the used SAP RFC ABAP connection, it is advised to use the S_ICF object to specify any authorization value that is set in SM59 for the created RFC's. See the SAP documentation for more information.