To keep the Hadoop connection in Storage management in operational status, periodic maintenance should be performed. This page discusses various events that can arise in the production environment after the initial setup, and their resolution.

Table of Contents:

Kerberos keytab expiration

User principals used to authenticate against a Hadoop cluster secured with Kerberos usually have limited validity (for example one year). The validity of the keytab should be checked after the initial setup and noted down to prevent any unnecessary downtime of the connection.

Symptoms

Extractions processed that previously worked are failing. Storage check-in /DVD/SM_SETUP is failing. In Java logs, error messages mentioning the keytab out of validity period, or errors authenticating the user from the keytab appear without changes to the setup.

Solution

The team that is responsible for user maintenance needs to unlock and set a new password for the technical user used for connection from SAP to Hadoop. After the user is valid again, a new keytab must be exported from the KDC. This keytab needs to replace the existing one stored on the SAP system - usually $DIR_GLOBAL/security/dvd_conn/<SID>.keytab. The name of the keytab file should be the same as the old one to avoid changes in the Storage management setup.

SSL certificate expiration

Server certificates used for encrypted communication to Hadoop services usually have limited validity. When the validity is reached, the certificates are regenerated on the Hadoop cluster.

Symptoms

After this validity is reached, scheduled replications will fail as well as a storage check-in /DVD/SM_SETUP.
Logs in the Java application display errors mentioning failure to establish trust, incomplete certificate chain, or other SSL errors.
SAP GUI should open a pop-up at every login a week before a certificate reaches the end of its validity to alert the users.

Solution

After the SSL certificates are regenerated on the Hadoop side, a new trust needs to be established on the Storage Management (SM) side. Since SM uses two interfaces (SAP HTTP RFC and Java), expired certificates must be replaced in STRUST and in Java truststore usually stored at $DIR_GLOBAL/security/dvd_conn/jssecacerts. Follow the Hadoop storage setup guide for details on securing the connection with SSL.

Addition of a new SAP application server

After a new SAP AS ABAP server is added to the SAP system, it will not be able to execute replication jobs to Hadoop in most environments.

Symptoms

After the AS ABAP is added, scheduled jobs that should start on this AS fail, while jobs on other AS finish successfully. When an administrator changes this AS using SM51, the storage check-in /DVD/SM_SETUP fails, while on other AS it runs correctly.

Solution

Storage Management setup needs to be performed on this application server. Make sure the following points are executed on this new application server:

SNP-specific folders that must exist, were created as they do on other application servers.
The system has Java installed on the same path as other application servers.
SAP Java Connector (SAP JCO, libsapjco3.so) is installed on the application server and $LD_LIBRARY_PATH of <SID>adm user leads to this library.
If Kerberos is used, ict/disable_cookie_urlencoding is set to 1 or 2.

Refer to the installation guide for details on the steps mentioned above.

Browser not supported