Configure the database for Azure Application Consistent Snapshot tool

If you're deploying to a centralized virtual machine, you need to install and set up the SAP HANA client so that the AzAcSnap user can run hdbsql and hdbuserstore commands. You can download the SAP HANA client from the SAP Development Tools website.

The snapshot tools communicate with SAP HANA and need a user with appropriate permissions to initiate and release the database save point. The following example shows the setup of the SAP HANA 2.0 user and hdbuserstore for communication to the SAP HANA database.

The following example commands set up a user (AZACSNAP) in SYSTEMDB on an SAP HANA 2.0 database. Change the IP address, usernames, and passwords as appropriate.

1. Connect to SYSTEMDB:

   hdbsql -n <IP_address_of_host>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD>
   

   Welcome to the SAP HANA Database interactive terminal.
   
   Type: \h for help with commands
   \q to quit
   
   hdbsql SYSTEMDB=>
   

2. Create the user. This example creates the AZACSNAP user in SYSTEMDB:

   hdbsql SYSTEMDB=> CREATE USER AZACSNAP PASSWORD <AZACSNAP_PASSWORD_CHANGE_ME> NO FORCE_FIRST_PASSWORD_CHANGE;
   

3. Grant the user permissions. This example sets the permission for the AZACSNAP user to allow for performing a database-consistent storage snapshot:

   • For SAP HANA releases up to version 2.0 SPS 03:

     hdbsql SYSTEMDB=> GRANT BACKUP ADMIN, CATALOG READ TO AZACSNAP;
     

   • For SAP HANA releases from version 2.0 SPS 04, SAP added new fine-grained privileges:

     hdbsql SYSTEMDB=> GRANT BACKUP ADMIN, DATABASE BACKUP ADMIN, CATALOG READ TO AZACSNAP;
     

4. Optional: Prevent the user's password from expiring.

   Note

   Check with corporate policy before you make this change.

   The following example disables the password expiration for the AZACSNAP user. Without this change, the user's password could expire and prevent snapshots from being taken correctly.

   hdbsql SYSTEMDB=> ALTER USER AZACSNAP DISABLE PASSWORD LIFETIME;
   

5. Set up the SAP HANA Secure User Store (change the password). This example uses the hdbuserstore command from the Linux shell to set up the SAP HANA Secure User Store:

   hdbuserstore Set AZACSNAP <IP_address_of_host>:30013 AZACSNAP <AZACSNAP_PASSWORD_CHANGE_ME>
   

   Note

   This step to setup the SAP HANA Secure User Store KEY will need to be done for all SAP HANA databases AzAcSnap will communicate with. For example, if AzAcSnap is on client01 and you have the SAP HANA database server installed on the hosts dbserver01 and dbserver02, then the hdbuserstore Set command will need to be run twice to setup two keys on client01 so AzAcSnap can communicate with both servers.

6. Check that you correctly set up the SAP HANA Secure User Store. Use the hdbuserstore command to list the output, similar to the following example. More details on using hdbuserstore are available on the SAP website.

   hdbuserstore List
   

   DATA FILE : /home/azacsnap/.hdb/sapprdhdb80/SSFS_HDB.DAT
   KEY FILE : /home/azacsnap/.hdb/sapprdhdb80/SSFS_HDB.KEY
   
   KEY AZACSNAP
     ENV : <IP_address_of_host>:
     USER: AZACSNAP
   

   Note

   The value of the KEY field is used for the configuration question "What is the SAP HANA HDB User Store Key (e.g. hdbuserstore List)?".

Using SSL for communication with SAP HANA

AzAcSnap uses SAP HANA's hdbsql command to communicate with SAP HANA. Using hdbsql allows the use of SSL options to encrypt communication with SAP HANA.

AzAcSnap always uses the following options when you're using the azacsnap --ssl option:

• -e: Enables TLS/SSL encryption. The server chooses the highest available.
• -ssltrustcert: Specifies whether to validate the server's certificate.
• -sslhostnameincert "*": Specifies the host name that verifies the server's identity. When you specify "*" as the host name, the server's host name isn't validated.

SSL communication also requires key-store and trust-store files. It's possible for these files to be stored in default locations on a Linux installation. But to ensure that the correct key material is being used for the various SAP HANA systems (for the cases where different key-store and trust-store files are used for each SAP HANA system), AzAcSnap expects the key-store and trust-store files to be stored in the securityPath location. The AzAcSnap configuration file specifies this location.

Key-store files

If you're using multiple system identifiers (SIDs) with the same key material, it's easier to create links into the securityPath location as defined in the AzAcSnap configuration file. Ensure that these values exist for every SID that uses SSL.

• For openssl: ln $HOME/.ssl/key.pem <securityPath>/<SID>_keystore
• For commoncrypto: ln $SECUDIR/sapcli.pse <securityPath>/<SID>_keystore

If you're using multiple SIDs with different key material per SID, copy (or move and rename) the files into the securityPath location as defined in the SID's AzAcSnap configuration file.

• For openssl: mv key.pem <securityPath>/<SID>_keystore
• For commoncrypto: mv sapcli.pse <securityPath>/<SID>_keystore

When AzAcSnap calls hdbsql, it adds -sslkeystore=<securityPath>/<SID>_keystore to the hdbsql command line.

Trust-store files

If you're using multiple SIDs with the same key material, create hard links into the securityPath location as defined in the AzAcSnap configuration file. Ensure that these values exist for every SID that uses SSL.

• For openssl: ln $HOME/.ssl/trust.pem <securityPath>/<SID>_truststore
• For commoncrypto: ln $SECUDIR/sapcli.pse <securityPath>/<SID>_truststore

If you're using multiple SIDs with the different key material per SID, copy (or move and rename) the files into the securityPath location as defined in the SID's AzAcSnap configuration file.

• For openssl: mv trust.pem <securityPath>/<SID>_truststore
• For commoncrypto: mv sapcli.pse <securityPath>/<SID>_truststore

The <SID> component of the file names must be the SAP HANA system identifier in all uppercase (for example, H80 or PR1). When AzAcSnap calls hdbsql, it adds -ssltruststore=<securityPath>/<SID>_truststore to the command line.

If you run azacsnap -c test --test hana --ssl openssl, where SID is H80 in the configuration file, it executes the hdbsqlconnections as follows:

hdbsql \
    -e \
    -ssltrustcert \
    -sslhostnameincert "*" \
    -sslprovider openssl \
    -sslkeystore ./security/H80_keystore \
    -ssltruststore ./security/H80_truststore
    "sql statement"

In the preceding code, the backslash (\) character is a command-line line wrap to improve the clarity of the multiple parameters passed on the command line.

The snapshot tools communicate with the Oracle database and need a user with appropriate permissions to enable and disable backup mode.

After AzAcSnap puts the database in backup mode, AzAcSnap queries the Oracle database to get a list of files that have backup mode as active. This file list is sent into an external file. The external file is in the same location and basename as the log file, but with a .protected-tables file name extension. (The AzAcSnap log file details the output file name.)

The following example commands show the setup of the Oracle database user (AZACSNAP), the use of mkstore to create an Oracle wallet, and the sqlplus configuration files that are required for communication to the Oracle database. Change the IP address, usernames, and passwords as appropriate.

1. Connect to the Oracle database:

   su – oracle
   sqlplus / AS SYSDBA
   

   SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 1 01:34:05 2021
   Copyright (c) 1982, 2014, Oracle. All rights reserved.
   Connected to:
   Oracle Database 12c Standard Edition Release 12.1.0.2.0 - 64bit Production
   SQL>
   

2. Create the user. This example creates the azacsnap user:

   SQL> CREATE USER azacsnap IDENTIFIED BY password;
   

   User created.
   

3. Grant the user permissions. This example sets the permission for the azacsnap user to allow for putting the database in backup mode:

   SQL> GRANT CREATE SESSION TO azacsnap;
   

   Grant succeeded.
   

   SQL> GRANT SYSBACKUP TO azacsnap;
   

   Grant succeeded.
   

   SQL> connect azacsnap/password
   

   Connected.
   

   SQL> quit
   

4. Optional: Prevent the user's password from expiring. Without this change, the user's password could expire and prevent snapshots from being taken correctly.

   Note

   Check with corporate policy before you make this change.

   This example gets the password expiration for the AZACSNAP user:

   SQL> SELECT username,account_status,expiry_date,profile FROM dba_users WHERE username='AZACSNAP';
   

   USERNAME              ACCOUNT_STATUS                 EXPIRY_DA PROFILE
   --------------------- ------------------------------ --------- ------------------------------
   AZACSNAP              OPEN                           DD-MMM-YY DEFAULT
   

   There are a few methods for disabling password expiration in the Oracle database. Contact your database administrator for guidance. One method is to modify the DEFAULT user's profile so that the password lifetime is unlimited:

   SQL> ALTER PROFILE default LIMIT PASSWORD_LIFE_TIME unlimited;
   

   After you make this change to the database setting, there should be no password expiration date for users who have the DEFAULT profile:

   SQL> SELECT username, account_status,expiry_date,profile FROM dba_users WHERE username='AZACSNAP';
   

   USERNAME              ACCOUNT_STATUS                 EXPIRY_DA PROFILE
   --------------------- ------------------------------ --------- ------------------------------
   AZACSNAP              OPEN                                     DEFAULT
   

5. Set up the Oracle wallet (change the password).

   The Oracle wallet provides a method to manage database credentials across multiple domains. This capability uses a database connection string in the data-source definition, which is resolved with an entry in the wallet. When you use the Oracle wallet correctly, passwords in the data-source configuration are unnecessary.

   This setup makes it possible to use the Oracle Transparent Network Substrate (TNS) administrative file with a connection string alias, which hides details of the database connection string. If the connection information changes, it's a matter of changing the tnsnames.ora file instead of (potentially) many data-source definitions.

   Run the following commands on the Oracle database server. This example uses the mkstore command from the Linux shell to set up the Oracle wallet. These commands are run on the Oracle database server via unique user credentials to avoid any impact on the running database. This example creates a new user (azacsnap) and appropriately configures the environment variables.

   1. Get the Oracle environment variables to be used in setup. Run the following commands as the root user on the Oracle database server:

      su - oracle -c 'echo $ORACLE_SID'
      

      oratest1
      

      su - oracle -c 'echo $ORACLE_HOME'
      

      /u01/app/oracle/product/19.0.0/dbhome_1
      

   2. Create the Linux user to generate the Oracle wallet and associated *.ora files by using the output from the previous step.

      These examples use the bash shell. If you're using a different shell (for example, csh), be sure to set environment variables correctly.

      useradd -m azacsnap
      echo "export ORACLE_SID=oratest1" >> /home/azacsnap/.bash_profile
      echo "export ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1" >> /home/azacsnap/.bash_profile
      echo "export TNS_ADMIN=/home/azacsnap" >> /home/azacsnap/.bash_profile
      echo "export PATH=\$PATH:\$ORACLE_HOME/bin" >> /home/azacsnap/.bash_profile
      

   3. As the new Linux user (azacsnap), create the wallet and *.ora files.

      1. Switch to the user created in the previous step:

         sudo su - azacsnap
         

      2. Create the Oracle wallet:

         mkstore -wrl $TNS_ADMIN/.oracle_wallet/ -create
         

         Oracle Secret Store Tool Release 19.0.0.0.0 - Production
         Version 19.3.0.0.0
         Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
         
         Enter password: <wallet_password>
         Enter password again: <wallet_password>
         

      3. Add the connection string credentials to the Oracle wallet. In the following example command, AZACSNAP is the connection string that AzAcSnap will use, azacsnap is the Oracle database user, and AzPasswd1 is the Oracle user's database password.

         mkstore -wrl $TNS_ADMIN/.oracle_wallet/ -createCredential AZACSNAP azacsnap AzPasswd1
         

         Oracle Secret Store Tool Release 19.0.0.0.0 - Production
         Version 19.3.0.0.0
         Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
         
         Enter wallet password: <wallet_password>
         

      4. Create the tnsnames-ora file. In the following example command, set HOST to the IP address of the Oracle database server. Set SID to the Oracle database SID.

         echo "# Connection string
         AZACSNAP=\"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.1)(PORT=1521))(CONNECT_DATA=(SID=oratest1)))\"
         " > $TNS_ADMIN/tnsnames.ora
         

      5. Create the sqlnet.ora file:

         echo "SQLNET.WALLET_OVERRIDE = TRUE
         WALLET_LOCATION=(
             SOURCE=(METHOD=FILE)
             (METHOD_DATA=(DIRECTORY=\$TNS_ADMIN/.oracle_wallet))
         ) " > $TNS_ADMIN/sqlnet.ora
         

      6. Test the Oracle wallet:

         sqlplus /@AZACSNAP as SYSBACKUP
         

         SQL*Plus: Release 19.0.0.0.0 - Production on Wed Jan 12 00:25:32 2022
         Version 19.3.0.0.0
         
         Copyright (c) 1982, 2019, Oracle.  All rights reserved.
         
         
         Connected to:
         Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
         Version 19.3.0.0.0
         

         SELECT MACHINE FROM V$SESSION WHERE SID=1;
         

         MACHINE
         ----------------------------------------------------------------
         oradb-19c
         

         quit
         

         Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
         Version 19.3.0.0.0
         

      7. Create a ZIP file archive of the Oracle wallet and *.ora files:

         cd $TNS_ADMIN
         zip -r wallet.zip sqlnet.ora tnsnames.ora .oracle_wallet
         

           adding: sqlnet.ora (deflated 9%)
           adding: tnsnames.ora (deflated 7%)
           adding: .oracle_wallet/ (stored 0%)
           adding: .oracle_wallet/ewallet.p12.lck (stored 0%)
           adding: .oracle_wallet/ewallet.p12 (deflated 1%)
           adding: .oracle_wallet/cwallet.sso.lck (stored 0%)
           adding: .oracle_wallet/cwallet.sso (deflated 1%)
         

   4. Copy the ZIP file to the target system (for example, the centralized virtual machine running AzAcSnap).

      Important

      If you're deploying to a centralized virtual machine, you need to install and set up Oracle Instant Client on it so that the AzAcSnap user can run sqlplus commands. You can download Oracle Instant Client from the Oracle downloads page.

      For SQL*Plus to run correctly, download both the required package (for example, Basic Light Package) and the optional SQL*Plus tools package.

   5. Complete the following steps on the system running AzAcSnap:

      1. Deploy the ZIP file that you copied in the previous step.

         This step assumes that you already created the user running AzAcSnap (by default, azacsnap) by using the AzAcSnap installer.

         Note

         It's possible to use the TNS_ADMIN shell variable to allow for multiple Oracle targets by setting the unique shell variable value for each Oracle system as needed.

         export TNS_ADMIN=$HOME/ORACLE19c
         mkdir $TNS_ADMIN
         cd $TNS_ADMIN
         unzip ~/wallet.zip
         

         Archive:  wallet.zip
           inflating: sqlnet.ora
           inflating: tnsnames.ora
            creating: .oracle_wallet/
          extracting: .oracle_wallet/ewallet.p12.lck
           inflating: .oracle_wallet/ewallet.p12
          extracting: .oracle_wallet/cwallet.sso.lck
           inflating: .oracle_wallet/cwallet.sso
         

         Check that the files were extracted correctly:

         ls
         

         sqlnet.ora  tnsnames.ora  wallet.zip
         

         Assuming that you completed all the previous steps correctly, it should be possible to connect to the database by using the /@AZACSNAP connection string:

         sqlplus /@AZACSNAP as SYSBACKUP
         

         SQL*Plus: Release 21.0.0.0.0 - Production on Wed Jan 12 13:39:36 2022
         Version 21.1.0.0.0
         
         Copyright (c) 1982, 2020, Oracle.  All rights reserved.
         
         
         Connected to:
         Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
         Version 19.3.0.0.0
         
         ```sql
         SQL> quit
         

         Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
         Version 19.3.0.0.0
         

      2. Test the setup with AzAcSnap

         After you configure AzAcSnap (for example, azacsnap -c configure --configuration new) with the Oracle connection string (for example, /@AZACSNAP), it should be possible to connect to the Oracle database.

         Check that the $TNS_ADMIN variable is set for the correct Oracle target system. The $TNS_ADMIN shell variable determines where to locate the Oracle wallet and *.ora files, so you must set it before you run the azacsnap command.

         ls -al $TNS_ADMIN
         

         total 16
         drwxrwxr-x.  3 orasnap orasnap   84 Jan 12 13:39 .
         drwx------. 18 orasnap sapsys  4096 Jan 12 13:39 ..
         drwx------.  2 orasnap orasnap   90 Jan 12 13:23 .oracle_wallet
         -rw-rw-r--.  1 orasnap orasnap  125 Jan 12 13:39 sqlnet.ora
         -rw-rw-r--.  1 orasnap orasnap  128 Jan 12 13:24 tnsnames.ora
         -rw-r--r--.  1 root    root    2569 Jan 12 13:28 wallet.zip
         

         Run the azacsnap test command:

         cd ~/bin
         azacsnap -c test --test oracle --configfile ORACLE.json
         

         BEGIN : Test process started for 'oracle'
         BEGIN : Oracle DB tests
         PASSED: Successful connectivity to Oracle DB version 1903000000
         END   : Test process complete for 'oracle'
         

         You must set up the $TNS_ADMIN variable correctly for azacsnap to run correctly. You can either add it to the user's .bash_profile file or export it before each run (for example, export TNS_ADMIN="/home/orasnap/ORACLE19c" ; cd /home/orasnap/bin ; ./azacsnap --configfile ORACLE19c.json -c backup --volume data --prefix hourly-ora19c --retention 12).

The snapshot tools issue commands to the IBM Db2 database by using the command-line processor db2 to enable and disable backup mode.

After AzAcSnap puts the database in backup mode, it queries the IBM Db2 database to get a list of protected paths, which are part of the database where backup mode is active. This list is sent into an external file, which is in the same location and basename as the log file but has a .\<DBName>-protected-paths extension. (The AzAcSnap log file details the output file name.)

AzAcSnap uses the IBM Db2 command-line processor db2 to issue SQL commands, such as SET WRITE SUSPEND or SET WRITE RESUME. So you should install AzAcSnap in one of the following ways:

• Install on the database server, and then complete the setup with Db2 local connectivity.
• Install on a centralized backup system, and then complete the setup with Db2 remote connectivity.

Db2 local connectivity

If you installed AzAcSnap on the database server, be sure to add the azacsnap user to the correct Linux group and import the Db2 instance user's profile. Use the following example setup.

azacsnap user permissions

The azacsnap user should belong to the same Db2 group as the database instance user. The following example gets the group membership of the IBM Db2 installation's database instance user db2tst:

id db2tst

uid=1101(db2tst) gid=1001(db2iadm1) groups=1001(db2iadm1)

From the output, you can confirm the db2tst user has been added to the db2iadm1 group. Add the azacsnap user to the group:

usermod -a -G db2iadm1 azacsnap

azacsnap user profile

The azacsnap user needs to be able to run the db2 command. By default, the db2 command isn't in the azacsnap user's $PATH information.

Add the following code to the user's .bashrc file. Use your own IBM Db2 installation value for INSTHOME.

# The following four lines have been added to allow this user to run the DB2 command line processor.
INSTHOME="/db2inst/db2tst"
if [ -f ${INSTHOME}/sqllib/db2profile ]; then
    . ${INSTHOME}/sqllib/db2profile
fi

Test that the user can run the db2 command-line processor:

su - azacsnap
db2

(c) Copyright IBM Corporation 1993,2007
Command Line Processor for DB2 Client 11.5.7.0

You can issue database manager commands and SQL statements from the command
prompt. For example:
    db2 => connect to sample
    db2 => bind sample.bnd

For general help, type: ?.
For command help, type: ? command, where command can be
the first few keywords of a database manager command. For example:
 ? CATALOG DATABASE for help on the CATALOG DATABASE command
 ? CATALOG          for help on all of the CATALOG commands.

To exit db2 interactive mode, type QUIT at the command prompt. Outside
interactive mode, all commands must be prefixed with 'db2'.
To list the current command option settings, type LIST COMMAND OPTIONS.

For more detailed help, refer to the Online Reference Manual.

db2 => quit
DB20000I  The QUIT command completed successfully.

Now configure azacsnap to user localhost. After this preliminary test as the azacsnap user is working correctly, go on to configure (azacsnap -c configure) with serverAddress=localhost and test (azacsnap -c test --test db2) AzAcSnap database connectivity.

Db2 remote connectivity

If you installed AzAcSnap on a centralized backup system, use the following example setup to allow SSH access to the Db2 database instance.

Log in to the AzAcSnap system as the azacsnap user and generate a public/private SSH key pair:

ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/home/azacsnap/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/azacsnap/.ssh/id_rsa.
Your public key has been saved in /home/azacsnap/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:4cr+0yN8/dawBeHtdmlfPnlm1wRMTO/mNYxarwyEFLU azacsnap@db2-02
The key's randomart image is:
+---[RSA 2048]----+
|         ... o.  |
|          . . +. |
|        .. E + o.|
|       ....   B..|
|        S. . o *=|
|     . .  . o o=X|
|      o. . +  .XB|
|     .  + + + +oX|
|      ...+ . =.o+|
+----[SHA256]-----+

Get the contents of the public key:

cat .ssh/id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb4HedCPdIeft4DUp7jwSDUNef52zH8xVfu5sSErWUw3hhRQ7KV5sLqtxom7an2a0COeO13gjCiTpwfO7UXH47dUgbz+KfwDaBdQoZdsp8ed1WI6vgCRuY4sb+rY7eiqbJrLnJrmgdwZkV+HSOvZGnKEV4Y837UHn0BYcAckX8DiRl7gkrbZUPcpkQYHGy9bMmXO+tUuxLM0wBrzvGcPPZ azacsnap@db2-02

Log in to the IBM Db2 system as the Db2 instance user.

Add the contents of the AzAcSnap user's public key to the Db2 instance user's authorized_keys file:

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb4HedCPdIeft4DUp7jwSDUNef52zH8xVfu5sSErWUw3hhRQ7KV5sLqtxom7an2a0COeO13gjCiTpwfO7UXH47dUgbz+KfwDaBdQoZdsp8ed1WI6vgCRuY4sb+rY7eiqbJrLnJrmgdwZkV+HSOvZGnKEV4Y837UHn0BYcAckX8DiRl7gkrbZUPcpkQYHGy9bMmXO+tUuxLM0wBrzvGcPPZ azacsnap@db2-02" >> ~/.ssh/authorized_keys

Log in to the AzAcSnap system as the azacsnap user and test SSH access:

ssh <InstanceUser>@<ServerAddress>

[InstanceUser@ServerName ~]$

Test that the user can run the db2 command-line processor:

db2

(c) Copyright IBM Corporation 1993,2007
Command Line Processor for DB2 Client 11.5.7.0

You can issue database manager commands and SQL statements from the command
prompt. For example:
    db2 => connect to sample
    db2 => bind sample.bnd

For general help, type: ?.
For command help, type: ? command, where command can be
the first few keywords of a database manager command. For example:
 ? CATALOG DATABASE for help on the CATALOG DATABASE command
 ? CATALOG          for help on all of the CATALOG commands.

To exit db2 interactive mode, type QUIT at the command prompt. Outside
interactive mode, all commands must be prefixed with 'db2'.
To list the current command option settings, type LIST COMMAND OPTIONS.

For more detailed help, refer to the Online Reference Manual.

db2 => quit
DB20000I  The QUIT command completed successfully.

[prj@db2-02 ~]$ exit

logout
Connection to <serverAddress> closed.

The snapshot tools issue commands to the Microsoft SQL Server database directly to enable and disable backup mode.

AzAcSnap connects directly to Microsoft SQL Server using the provided connect-string to issue SQL commands, such as ALTER SERVER CONFIGURATION SET SUSPEND_FOR_SNAPSHOT_BACKUP = ON or ALTER SERVER CONFIGURATION SET SUSPEND_FOR_SNAPSHOT_BACKUP = OFF. The connect-string will determine if the installation is on the database server or a centralized "backup" server. Typical installations of AzAcSnap would be onto the database server to ensure features such as flushing file buffers can work as expected. If AzAcSnap has been installed onto the database server, then be sure the user running azacsnap has the required permissions.

azacsnap user permissions

Refer to Get started with Azure Application Consistent Snapshot tool The azacsnap user should have permissions to put Microsoft SQL Server into backup mode, and have permissions to flush I/O buffers to the volumes configured.

Configure (.\azacsnap.exe -c configure) with the correct values for Microsoft SQL Server and test (.\azacsnap.exe -c test --test mssql) azacsnap database connectivity. Run the azacsnap test command

.\azacsnap.exe -c test --test mssql

BEGIN : Test process started for 'mssql'
BEGIN : Database tests
PASSED: Successful connectivity to MSSQL version 16.00.1115
END   : Test process complete for 'mssql'

Configure SAP HANA

There are changes that you can apply to SAP HANA to help protect the log backups and catalog. By default, basepath_logbackup and basepath_catalogbackup are set so that SAP HANA will put related files into the $(DIR_INSTANCE)/backup/log directory. It's unlikely that this location is on a volume that AzAcSnap is configured to snapshot, so storage snapshots won't protect these files.

The following hdbsql command examples demonstrate setting the log and catalog paths to locations on storage volumes that AzAcSnap can snapshot. Be sure to check that the values on the command line match the local SAP HANA configuration.

Configure the log backup location

This example shows a change to the basepath_logbackup parameter:

hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'basepath_logbackup') = '/hana/logbackups/H80' WITH RECONFIGURE"

Configure the catalog backup location

This example shows a change to the basepath_catalogbackup parameter. First, ensure that the basepath_catalogbackup path exists on the file system. If not, create the path with the same ownership as the directory.

ls -ld /hana/logbackups/H80/catalog

drwxr-x--- 4 h80adm sapsys 4096 Jan 17 06:55 /hana/logbackups/H80/catalog

If you need to create the path, the following example creates the path and sets the correct ownership and permissions. You need to run these commands as root.

mkdir /hana/logbackups/H80/catalog
chown --reference=/hana/shared/H80/HDB00 /hana/logbackups/H80/catalog
chmod --reference=/hana/shared/H80/HDB00 /hana/logbackups/H80/catalog
ls -ld /hana/logbackups/H80/catalog

drwxr-x--- 4 h80adm sapsys 4096 Jan 17 06:55 /hana/logbackups/H80/catalog

The following example changes the SAP HANA setting:

hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'basepath_catalogbackup') = '/hana/logbackups/H80/catalog' WITH RECONFIGURE"

Check log and catalog backup locations

After you make the changes to the log and catalog backup locations, confirm that the settings are correct by using the following command.

In this example, the settings appear as SYSTEM settings. This query also returns the DEFAULT settings for comparison.

hdbsql -jaxC -n <HANA_ip_address> - i 00 -U AZACSNAP "select * from sys.m_inifile_contents where (key = 'basepath_databackup' or key ='basepath_datavolumes' or key = 'basepath_logbackup' or key = 'basepath_logvolumes' or key = 'basepath_catalogbackup')"

global.ini,DEFAULT,,,persistence,basepath_catalogbackup,$(DIR_INSTANCE)/backup/log
global.ini,DEFAULT,,,persistence,basepath_databackup,$(DIR_INSTANCE)/backup/data
global.ini,DEFAULT,,,persistence,basepath_datavolumes,$(DIR_GLOBAL)/hdb/data
global.ini,DEFAULT,,,persistence,basepath_logbackup,$(DIR_INSTANCE)/backup/log
global.ini,DEFAULT,,,persistence,basepath_logvolumes,$(DIR_GLOBAL)/hdb/log
global.ini,SYSTEM,,,persistence,basepath_catalogbackup,/hana/logbackups/H80/catalog
global.ini,SYSTEM,,,persistence,basepath_datavolumes,/hana/data/H80
global.ini,SYSTEM,,,persistence,basepath_logbackup,/hana/logbackups/H80
global.ini,SYSTEM,,,persistence,basepath_logvolumes,/hana/log/H80

Configure the log backup time-out

The default setting for SAP HANA to perform a log backup is 900 seconds (15 minutes). We recommend that you reduce this value to 300 seconds (5 minutes). Then it's possible to run regular backups of these files (for example, every 10 minutes). You can take these backups by adding the log_backup volumes to the OTHER volume section of the configuration file.

hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'log_backup_timeout_s') = '300' WITH RECONFIGURE"

Check the log backup time-out

After you make the change to the log backup time-out, ensure that the time-out is set by using the following command.

In this example, the settings are displayed as SYSTEM settings. This query also returns the DEFAULT settings for comparison.

hdbsql -jaxC -n <HANA_ip_address> - i 00 -U AZACSNAP "select * from sys.m_inifile_contents where key like '%log_backup_timeout%' "

global.ini,DEFAULT,,,persistence,log_backup_timeout_s,900
global.ini,SYSTEM,,,persistence,log_backup_timeout_s,300

Apply the following changes to the Oracle database to allow for monitoring by the database administrator:

1. Set up Oracle alert logging.

   Use the following Oracle SQL commands while you're connected to the database as SYSDBA to create a stored procedure under the default Oracle SYSBACKUP database account. These SQL commands allow AzAcSnap to send messages to:

   • Standard output by using the PUT_LINE procedure in the DBMS_OUTPUT package.
   • The Oracle database alert.log file by using the KSDWRT procedure in the DBMS_SYSTEM package.

   sqlplus / As SYSDBA
   

   GRANT EXECUTE ON DBMS_SYSTEM TO SYSBACKUP;
   CREATE PROCEDURE sysbackup.azmessage(in_msg IN VARCHAR2)
   AS
       v_timestamp VARCHAR2(32);
   BEGIN
       SELECT TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS')
           INTO v_timestamp FROM DUAL;
       SYS.DBMS_SYSTEM.KSDWRT(SYS.DBMS_SYSTEM.ALERT_FILE, in_msg);
   END azmessage;
   /
   SHOW ERRORS
   QUIT
   

No special database configuration is required for Db2 because you're using the instance user's local operating system environment.

No special database configuration is required for Microsoft SQL Server as we are using the User's local operating system environment.