(SM-2311) Huawei OBS (draft)
The person responsible for the setup should have general knowledge of Huawei OBS, SAP basis, and networking basics. You will need to deploy resources on Huawei OBS and create access credentials, import our transports to the SAP system, install JRE and JDBC drivers on SAP application servers, and make sure that SAP and Huawei OBS environments can communicate.
General Prerequisites
SAP NetWeaver release
Storage management requires SAP NW 7.01 SP15 or higher.
Open Ports
In a controlled network environment, it is common to have firewall rules in place. To enable communication between SAP systems and Huawei OBS, outbound communication from the SAP system to the following ports on the Huawei OBS side needs to be allowed:
| Port | Type | Huawei OBS service |
|---|---|---|
| 80/443 | http/https | Huawei OBS |
Example of a simple telnet connectivity test (telnet takes the bare host name and port, not the https:// URL):
```
sapserver01:/ # telnet obs.ap-southeast-1.myhuaweicloud.com 443
Trying 3.5.139.101...
Connected to obs.ap-southeast-1.myhuaweicloud.com.
Escape character is '^]'.
^]
telnet> q
Connection closed.
```
Storage Management can communicate with Huawei OBS over the public internet using encrypted (HTTPS) connections, but for production deployments it is recommended to have a private, secured connection in place (for example a VPN).
Refer to the Huawei OBS documentation for more details.
Java connector
Java connector is a critical middleware component used for Huawei OBS storage. Follow the steps from the chapter Java Connector Setup to set it up before you continue.
Huawei OBS
This chapter describes the steps to establish a connection to Huawei OBS storage.
Huawei OBS storage is usually used in the following scenarios:
Landing zone for raw SAP data from SNP Glue™
Archiving storage for SNP OutBoard™ Data Tiering (SARA archives or tabular data when used as transparent binary storage)
Huawei OBS prerequisites
Huawei OBS bucket
You must identify a suitable existing bucket in Huawei OBS or manually create a new one in your Huawei OBS subscription based on your requirements. We recommend keeping public access disabled and enabling server-side encryption for added security. Storage management supports both the SSE-OBS and SSE-KMS server-side data encryption options.
Note down your Huawei OBS region, bucket name, and KMS key ID (optional) as this information will be required during storage setup.
If you use Customer Managed Key, make sure to update the Key Policy to allow key use for the user/role (Principal) accessing the Huawei OBS bucket.
Huawei OBS User for programmatic access
We recommend creating a distinct user for every SAP system connected to the Huawei OBS services to isolate each system's data. Refer to Huawei OBS documentation for best security practices.
A credentials pair needs to be generated (access_key_id, secret_key_id).
These credentials will be used in Storage Management for read/write access to the Huawei OBS bucket.
Root user
Never use the root account to provide access to your Huawei OBS subscription. Instead, create separate technical users for programmatic access with minimal authorizations. In the case of AssumeRole, the root account does not work: the root account cannot assume any role (a restriction on the Huawei OBS side).
Huawei OBS Policy
Assign an appropriate policy to the technical user, so it can access the Huawei OBS bucket. Follow the policy of least privilege.
For a standard bucket without custom encryption keys, the following policy is sufficient.
Basic bucket policy
```json
{
  "Statement": [
    {
      "Sid": "test1",
      "Effect": "Allow",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action": ["*"],
      "Resource": ["examplebucket/*"]
    },
    {
      "Sid": "test2",
      "Effect": "Deny",
      "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
      "Action": ["DeleteObject"],
      "Resource": ["examplebucket/*"]
    }
  ]
}
```
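The policy above combines a broad Allow with an explicit Deny, so it is worth checking how Huawei OBS resolves the two before relying on it: a statement applies only when Principal, Action and Resource all match, and an explicit Deny overrides any Allow. The following script is an added example (not Huawei Cloud or SNP Storage Management code) that evaluates requests against the chapter's basic bucket policy and lints it for least privilege; the evaluator, the linter and the tightened alternative policy are assumptions of this example, and which object operations Storage Management actually needs is assumed to be read and write only.

```python
"""Evaluate and lint a Huawei OBS-style bucket policy.

Rules modelled (assumed for this example): a statement applies only when the
request's principal, action and resource all match; an explicit Deny wins over
any Allow regardless of statement order; anything unmatched is implicitly denied.
"""
import fnmatch

# The technical user (Principal ID) from the chapter's policy.
TECH_USER = ("domain/b4bf1b36d9ca43d984fbcb9491b6fce9"
             ":user/71f3901173514e6988115ea2c26d1999")

# The chapter's basic bucket policy, embedded so the example runs offline.
BASIC_POLICY = {
    "Statement": [
        {"Sid": "test1", "Effect": "Allow",
         "Principal": {"ID": [TECH_USER]},
         "Action": ["*"], "Resource": ["examplebucket/*"]},
        {"Sid": "test2", "Effect": "Deny",
         "Principal": {"ID": [TECH_USER]},
         "Action": ["DeleteObject"], "Resource": ["examplebucket/*"]},
    ]
}

# Assumed tighter alternative for this example: grant only object read/write.
# GetObject and PutObject are standard OBS object actions; whether these two
# are sufficient for a given Storage Management scenario is an assumption.
TIGHTENED_POLICY = {
    "Statement": [
        {"Sid": "rw-only", "Effect": "Allow",
         "Principal": {"ID": [TECH_USER]},
         "Action": ["GetObject", "PutObject"],
         "Resource": ["examplebucket/*"]},
    ]
}


def _matches(patterns, value):
    """True when value matches any glob pattern in the list ('*' matches all)."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(principal, user_id):
    """Principal block is {"ID": [...]}; '*' means anyone."""
    ids = principal.get("ID", [])
    if isinstance(ids, str):
        ids = [ids]
    return "*" in ids or user_id in ids


def evaluate(policy, user_id, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for a single request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), user_id):
            continue
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins, whatever came before or after
        decision = "Allow"
    return decision


def lint_least_privilege(policy):
    """Return findings for Allow statements broader than read/write access."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "*" in stmt.get("Action", []):
            findings.append(f"{sid}: Action '*' grants every bucket operation; "
                            "restrict it to the operations the SAP system needs")
        if "*" in stmt.get("Principal", {}).get("ID", []):
            findings.append(f"{sid}: Principal '*' makes the bucket world-accessible")
    return findings


if __name__ == "__main__":
    obj = "examplebucket/sap/archive001.bin"  # constructed object key
    for action in ("GetObject", "PutObject", "DeleteObject"):
        print(action, evaluate(BASIC_POLICY, TECH_USER, action, obj),
              evaluate(TIGHTENED_POLICY, TECH_USER, action, obj))
    print(lint_least_privilege(BASIC_POLICY))
```

With the chapter's policy, DeleteObject is denied for the technical user while every other operation is allowed, and the linter flags the Allow "*" statement; the tightened policy reaches the same DeleteObject outcome by never granting it in the first place, which is the least-privilege form the text asks for.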
Huawei OBS storage in Storage Management
Storage Management provides transparent communication with different storage types.
Create Huawei OBS storage through the transaction:
/DVD/SM_SETUP
Entries explained:
Storage ID: Name of the storage
Storage Type: Choose Huawei for Huawei OBS
Description: Extended description of the storage for easier identification
Huawei OBS Bucket name: Name of the existing bucket in Huawei OBS
Huawei OBS Region: Region where the bucket exists
Path Prefix: Path to the landing area within the Huawei OBS bucket
Custom endpoint: Mandatory parameter to specify the Huawei OBS VPC endpoint URL, for example: https://obs.ap-southeast-1.myhuaweicloud.com
Huawei OBS Credentials = None (the credential type can be Access key or None): Special case in which authentication against Huawei OBS is performed by the default credentials provider chain. When this option is set to None, the Java Connector and its Huawei OBS SDK look for Huawei OBS credentials on the hosting server. In the Assume Role = Assume Role scenario, these credentials are used to authenticate against the Huawei OBS Security Token Service.
Huawei OBS Credentials = Access key (the credential type can be Access key or None): Credentials are supplied explicitly in the following two fields.
Huawei OBS Access Key: Security information access_key_id; required when Huawei OBS Credentials is set to Access key
Huawei OBS Secret Key: Security information secret_key_id; required when Huawei OBS Credentials is set to Access key
Assume Role = None (the assume role type can be Assume Role or None): No external Huawei OBS role is used when accessing Huawei resources; the authenticated user accesses them with its own policies and attached permissions
Java connector RFC: TCP/IP RFC destination for communication with Java connector
Java call Repeat: Number of times failed calls should be retried
Repeat delay: Delay between retried calls
Huawei OBS KMS KeyID: Key ID of the key used to encrypt data on Huawei OBS (optional)
Compute hash: Calculate the hash of data
Complete the creation of the storage by confirming (F8).
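The entries above carry a few consistency rules (Custom endpoint is mandatory, Access Key and Secret Key are only required when Huawei OBS Credentials is set to Access key, and the connectivity test needs the bare host name rather than the endpoint URL). The following script is an added example, not Storage Management code, that checks a storage definition against those rules before it is typed into /DVD/SM_SETUP; the dictionary layout, the sample definitions, the check_connectivity helper and the placeholder credential values are assumptions of this example.

```python
"""Pre-flight check for a Huawei OBS storage definition.

Assumed for this example: the definition is a dict keyed by the field labels
of the /DVD/SM_SETUP screen; validate_storage() returns a list of problems
(empty means consistent); check_connectivity() performs the TLS-level
equivalent of the telnet test and needs network access, so the offline
samples below do not call it.
"""
import socket
import ssl
from urllib.parse import urlsplit

REQUIRED_ALWAYS = (
    "Storage ID",
    "Huawei OBS Bucket name",
    "Huawei OBS Region",
    "Custom endpoint",
    "Java connector RFC",
)


def endpoint_to_hostport(endpoint):
    """Split the Custom endpoint URL into (host, port).

    Telnet and socket tests need the bare host name, not the https:// URL;
    the default port follows the scheme (443 for https, 80 for http)."""
    parts = urlsplit(endpoint)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"Custom endpoint must be an http(s) URL: {endpoint!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def validate_storage(definition):
    """Return a list of human-readable problems; [] means the entry is consistent."""
    problems = []
    for field in REQUIRED_ALWAYS:
        if not definition.get(field):
            problems.append(f"{field} is missing")

    creds = definition.get("Huawei OBS Credentials", "None")
    if creds == "Access key":
        for field in ("Huawei OBS Access Key", "Huawei OBS Secret Key"):
            if not definition.get(field):
                problems.append(f"{field} is required when Huawei OBS Credentials = Access key")
    elif creds == "None":
        if definition.get("Huawei OBS Access Key") or definition.get("Huawei OBS Secret Key"):
            problems.append("Access/Secret Key are ignored when Huawei OBS Credentials = None; "
                            "the Java connector uses the hosting server's credential chain")
    else:
        problems.append(f"unknown Huawei OBS Credentials option {creds!r}")

    if definition.get("Custom endpoint"):
        try:
            endpoint_to_hostport(definition["Custom endpoint"])
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def check_connectivity(endpoint, timeout=5.0):
    """TLS handshake against the endpoint on its port (script form of the
    telnet test). True on success, False on any network or TLS error."""
    host, port = endpoint_to_hostport(endpoint)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


# Constructed sample definitions; the key values are placeholders, not credentials.
GOOD = {
    "Storage ID": "OBS_PRD",
    "Huawei OBS Bucket name": "examplebucket",
    "Huawei OBS Region": "ap-southeast-1",
    "Custom endpoint": "https://obs.ap-southeast-1.myhuaweicloud.com",
    "Java connector RFC": "JAVA_CONNECTOR_RFC",  # hypothetical destination name
    "Huawei OBS Credentials": "Access key",
    "Huawei OBS Access Key": "AK_PLACEHOLDER",
    "Huawei OBS Secret Key": "SK_PLACEHOLDER",
}
# Missing endpoint and missing secret key: two problems expected.
BAD = dict(GOOD, **{"Custom endpoint": "", "Huawei OBS Secret Key": ""})
# Credentials = None but keys still filled in: one problem expected.
NONE_WITH_KEYS = dict(GOOD, **{"Huawei OBS Credentials": "None"})
# Bare host name instead of URL in Custom endpoint: one problem expected.
BARE_HOST = dict(GOOD, **{"Custom endpoint": "obs.ap-southeast-1.myhuaweicloud.com"})

if __name__ == "__main__":
    for name, d in (("GOOD", GOOD), ("BAD", BAD),
                    ("NONE_WITH_KEYS", NONE_WITH_KEYS), ("BARE_HOST", BARE_HOST)):
        print(name, validate_storage(d))
    print(endpoint_to_hostport(GOOD["Custom endpoint"]))
```

Run the script once with the real values before opening the transaction; if the offline checks pass, `check_connectivity(GOOD["Custom endpoint"])` from an SAP application server gives the same answer as the telnet test, including a failed TLS handshake when an intercepting proxy or firewall sits in the path.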