(SM-2311) Huawei OBS (draft)

The person responsible for the setup should have general knowledge of Huawei OBS, SAP basis, and networking basics. You will need to deploy resources on Huawei OBS and create access credentials, import our transports to the SAP system, install JRE and JDBC drivers on SAP application servers, and make sure that SAP and Huawei OBS environments can communicate. 

General Prerequisites

SAP NetWeaver release

Storage management requires SAP NW 7.01 SP15 or higher.

Open Ports

In a controlled network environment, it is common to have firewall rules in place. To enable communication between SAP systems and Huawei OBS, outbound communication from the SAP system to the following ports on the Huawei OBS side needs to be allowed:

Port          Type          Huawei OBS service
80/443        http/https    Huawei OBS

Example of a simple telnet connectivity test:

sapserver01:/ # telnet obs.ap-southeast-1.myhuaweicloud.com 443
Trying 3.5.139.101...
Connected to obs.ap-southeast-1.myhuaweicloud.com.
Escape character is '^]'.
^]
telnet> q
Connection closed.

Note that telnet expects the bare hostname (without the https:// scheme that the endpoint URL carries).
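An equivalent check as an added example (not part of the original guide): it takes the endpoint exactly as it is entered later in the Custom endpoint field (a URL), derives the bare host and port that a socket needs, and for https also completes a certificate-verified TLS handshake so that a transparent proxy answering on the port is not mistaken for OBS. The endpoint URL and port numbers are the page's; everything else is assumed.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Added example, not code from the Storage Management product.
DEFAULT_PORTS = {"http": 80, "https": 443}


def endpoint_to_host_port(endpoint):
    """Split an endpoint such as 'https://obs.ap-southeast-1.myhuaweicloud.com'
    into (host, port, use_tls). A bare hostname is treated as https, and an
    explicit port in the URL overrides the scheme default."""
    if "://" not in endpoint:
        endpoint = "https://" + endpoint
    parts = urlsplit(endpoint)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported endpoint: {endpoint!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return parts.hostname, port, scheme == "https"


def check_endpoint(endpoint, timeout=5.0):
    """Open a TCP connection and, for https, a verified TLS session.
    Returns a dict instead of raising so a setup script can log the outcome:
    tcp=True/False, tls=negotiated protocol version or None, error=message."""
    host, port, use_tls = endpoint_to_host_port(endpoint)
    result = {"host": host, "port": port, "tcp": False, "tls": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            if use_tls:
                # Default context verifies the chain against the OS trust store
                # and checks that the certificate matches the hostname.
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result["tls"] = tls.version()
    except (OSError, ssl.SSLError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    print(check_endpoint("https://obs.ap-southeast-1.myhuaweicloud.com"))
```

A result with tcp=True but tls=None and a certificate error points at TLS interception or a missing CA certificate on the SAP host rather than a firewall rule.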

Storage Management allows encrypted communication through the public internet with Huawei OBS, but for production deployment, it is recommended to have some kind of secure connectivity in place (VPN).

Refer to Huawei OBS documentation for more details.

Java connector

Java connector is a critical middleware component used for Huawei OBS storage. Follow the steps from the chapter Java Connector Setup to set it up before you continue.

Huawei OBS

This chapter describes the steps to establish a connection to Huawei OBS storage.

Huawei OBS storage is usually used in the following scenarios:

  • Landing zone for raw SAP data from SNP Glue™

  • Archiving storage for SNP OutBoard™ Data Tiering (SARA archives or tabular data when used as transparent binary storage)

Huawei OBS prerequisites

Huawei OBS bucket

Identify a suitable existing Huawei OBS bucket or manually create a new one in your Huawei OBS subscription based on your requirements. We recommend keeping public access disabled and enabling server-side encryption for added security. Storage management supports both SSE-OBS and SSE-KMS server-side data encryption options.

Note down your Huawei OBS region, bucket name, and KMS key ID (optional) as this information will be required during storage setup.

If you use Customer Managed Key, make sure to update the Key Policy to allow key use for the user/role (Principal) accessing the Huawei OBS bucket.

Huawei OBS User for programmatic access

We recommend creating a distinct user for every SAP system connected to the Huawei OBS services to isolate each system's data. Refer to Huawei OBS documentation for best security practices. 

A credentials pair needs to be generated (access_key_id, secret_key_id).

These credentials will be used in Storage Management for read/write access to the Huawei OBS bucket.

Root user

Never use the root account to provide access to your Huawei OBS subscription. Instead, create separate technical users for programmatic access with minimal authorizations. In the case of AssumeRole, the root account will not work: the root account cannot assume any role (a restriction on the Huawei OBS side).

Huawei OBS Policy

Assign an appropriate policy to the technical user, so it can access the Huawei OBS bucket. Follow the policy of least privilege. 

For a standard bucket without custom encryption keys, the following policy is sufficient.

Basic bucket policy

{
  "Statement": [
    {
      "Sid": "test1",
      "Effect": "Allow",
      "Principal": {
        "ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]
      },
      "Action": ["*"],
      "Resource": ["examplebucket/*"]
    },
    {
      "Sid": "test2",
      "Effect": "Deny",
      "Principal": {
        "ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]
      },
      "Action": ["DeleteObject"],
      "Resource": ["examplebucket/*"]
    }
  ]
}
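The policy above relies on an explicit Deny (test2) overriding the broad Allow (test1), which is easy to get wrong when the policy is later edited. As an added example (not code from the product or from Huawei), the following evaluates the policy for a principal, action and object using deny-wins semantics, and reports Allow statements that are wider than least privilege requires. The policy document is the one shown above with the page's sample IDs; the evaluation rules are an assumption that mirrors the usual bucket-policy semantics.

```python
import json
from fnmatch import fnmatchcase

# Added example, not the product's code. Constructed from the policy shown
# above; the domain/user IDs are the page's sample values.
BUCKET_POLICY = json.loads("""
{ "Statement": [
  { "Sid": "test1", "Effect": "Allow",
    "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
    "Action": ["*"], "Resource": ["examplebucket/*"] },
  { "Sid": "test2", "Effect": "Deny",
    "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
    "Action": ["DeleteObject"], "Resource": ["examplebucket/*"] } ] }
""")


def _applies(stmt, principal, action, resource):
    """True when the statement names the principal and matches both the
    action and the resource; '*' is a glob, as in 'examplebucket/*'."""
    ids = stmt.get("Principal", {}).get("ID", [])
    return (("*" in ids or principal in ids)
            and any(fnmatchcase(action, a) for a in stmt["Action"])
            and any(fnmatchcase(resource, r) for r in stmt["Resource"]))


def is_allowed(policy, principal, action, resource):
    """Deny-wins evaluation: an explicit Deny beats any Allow, and no
    matching statement at all means the request is denied."""
    decision = False
    for stmt in policy["Statement"]:
        if _applies(stmt, principal, action, resource):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def least_privilege_findings(policy):
    """List Allow statements that are broader than a single technical user
    accessing a single bucket needs."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        if "*" in stmt.get("Principal", {}).get("ID", []):
            findings.append(f"{sid}: grants access to any principal")
        if "*" in stmt["Action"]:
            findings.append(f"{sid}: allows every action; restrict to the actions required")
        if "*" in stmt["Resource"]:
            findings.append(f"{sid}: applies to every bucket and object")
    return findings
```

Running least_privilege_findings on the sample policy flags test1 for its wildcard Action, which is the statement to tighten once the actions Storage Management actually needs are known.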

Huawei OBS storage in Storage Management

Storage Management facilitates transparent communication with different storage types.

Create Huawei OBS storage through the transaction:

/DVD/SM_SETUP

Entries explained:

  • Storage ID: Name of the storage

  • Storage Type: Choose Huawei for Huawei OBS

  • Description: Extended description of the storage for easier identification

  • Huawei OBS Bucket name: Name of the existing bucket in Huawei OBS

  • Huawei OBS Region: Region where the bucket exists

  • Path Prefix: Path to the landing area within the Huawei OBS bucket

  • Custom endpoint: Mandatory parameter to specify the Huawei OBS VPC endpoint URL, for example: https://obs.ap-southeast-1.myhuaweicloud.com

  • Huawei OBS Credentials = None (credential type: Access key or None): Special case in which authentication against Huawei OBS services is performed by the default credentials provider chain. When this option is set to None, the Java Connector and its Huawei OBS SDK look for Huawei OBS credentials on the hosting server. In the Assume Role = Assume Role scenario, these credentials are used to authenticate against the Huawei OBS Security Token Service.

  • Huawei OBS Credentials = Access key (credential type: Access key or None)

    • Huawei OBS Access Key: Security information access_key_id - this option is required when Huawei OBS Credentials is set to Access key

    • Huawei OBS Secret Key: Security information secret_key_id - this option is required when Huawei OBS Credentials is set to Access key

  • Assume Role = None (assume role type: Assume Role or None): No external Huawei OBS role is used when accessing Huawei resources; the authenticated user accesses Huawei resources with its own policies and attached permissions.

  • Java connector RFC: TCP/IP RFC destination for communication with Java connector

  • Java call Repeat: Number of times failed calls should be retried

  • Repeat delay: Delay between retried calls

  • Huawei OBS KMS KeyID: Key ID of the key used to encrypt data on Huawei OBS (optional)

  • Compute hash: Calculate the hash of data

Complete the creation of the storage by confirming (F8).