To keep the Hadoop connection in Storage management in operational status, periodic maintenance should be performed. This page discusses various events that can arise in the production environment after the initial setup, and their resolution.

Kerberos keytab expiration

User principals used to authenticate against a Hadoop cluster secured with Kerberos usually have limited validity (for example 1 year). The validity of the keytab should be checked after the initial setup and noted down to prevent any unnecessary downtime of the connection.

Symptoms

Extractions processed which previously worked are failing. Storage check in /DVD/SM_SETUP is failing. In Java logs, error messages mentioning keytab out of validity period, or error authenticating user from keytab appears without changes to the setup.

Solution

The team that is responsible for the user maintenance needs to unlock and set a new password for the technical user used for connection from SAP to Hadoop. After the user is valid again, a new keytab must be exported from the KDC. This keytab needs to replace the existing one stored on the SAP system - usually $DIR_GLOBAL/security/dvd_conn/<SID>.keytab. The name of the keytab file should be the same as the old one to avoid changes in the Storage management setup.

SSL certificate expiration

Server certificates used for encrypted communication to Hadoop services usually have limited validity. When the validity is reached, the certificates are regenerated on the Hadoop cluster.

Symptoms

After this validity is reached, scheduled replications will fail as well as a storage check in /DVD/SM_SETUP.
Logs in the Datavard Java application display errors mentioning failure to establish trust, incomplete certificate chain, or other SSL errors.
SAP GUI should open a pop-up at every login a week before a certificate is reaching the end of its validity to alert the users.

Solution

After the SSL certificates are regenerated on the Hadoop side, a new trust needs to be established on the Storage Management (SM) side. Since SM uses two interfaces (SAP HTTP RFC and Java), expired certificates must be replaced in STRUST and in Java truststore usually stored at $DIR_GLOBAL/security/dvd_conn/jssecacerts. Please follow the Hadoop storage setup guide for details on securing the connection with SSL.

Addition of a new SAP application server

After a new SAP AS ABAP server is added to the SAP system, it will not be able to execute replication jobs to Hadoop in most environments.

Symptoms

After the AS ABAP is added, scheduled jobs that should start on this AS fail, while jobs on other AS finish successfully. When an administrator changes this AS using SM51, the storage check in /DVD/SM_SETUP fails, while on other AS it runs correctly.

Solution

Storage Management setup needs to be performed on this application server. Make sure the following points were executed on this new application server:

Datavard specific folders that must exist were created as they do on other application servers
System has Java installed on the same path as other application servers
SAP Java Connector (SAP JCO, libsapjco3.so) is installed on the application server and $LD_LIBRARY_PATH of <SID>adm user leads to this library
If Kerberos is used, ict/disable_cookie_urlencoding is set to '1' or '2'

Please refer to the installation guide for details on the steps mentioned above.

Browser not supported