14.3 Transporting Security Packages to Other SAP HANA Systems
As stated earlier in this chapter, transporting your security model between systems leads to a more consistent implementation of the security model within the overall SAP HANA landscape. To use the SAP HANA transport system and achieve this goal, you must define repository-based roles within your security model. If your security model is based on standard roles created using SQL statements, you can’t transport it between SAP HANA instances.
When you transport delivery units between systems, all packages and development artifacts within the delivery unit are imported and activated within the target system. If objects with the same name already exist in the target, they’re overwritten. If objects exist in the target but not in the delivery unit, they’re marked for deletion. If objects exist in the delivery unit but not in the target, they’re created in the target. When a delivery unit is imported, that same delivery unit is created in the target, including all the packages and development artifacts associated with the delivery unit. Thus, delivery units are an excellent way to ensure that repository roles remain consistent.
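The import rules described above can be checked before a transport is started. The following added example (not code from the book or from SAP) classifies each object as overwritten, created, or deleted and filters the result down to repository roles; the package, role, and delivery unit names are constructed, and limiting deletions to target objects assigned to the same delivery unit is an assumption.

```python
from typing import NamedTuple

class RepoObject(NamedTuple):
    package: str
    name: str
    suffix: str  # repository object type, e.g. "hdbrole"

    @property
    def object_id(self) -> str:
        # Display notation chosen for this example: package::name.suffix
        return f"{self.package}::{self.name}.{self.suffix}"

def plan_import(incoming, target_by_du, delivery_unit):
    """Classify what importing `delivery_unit` would do to the target.

    incoming     -- set of RepoObject contained in the delivery unit
    target_by_du -- dict: delivery unit name -> set of RepoObject in the target
    Assumption: only target objects assigned to the same delivery unit
    are candidates for deletion.
    """
    target_all = set().union(*target_by_du.values())
    plan = {
        "overwrite": incoming & target_all,
        "create": incoming - target_all,
        "delete": target_by_du.get(delivery_unit, set()) - incoming,
    }
    return {action: sorted(o.object_id for o in objs) for action, objs in plan.items()}

def role_changes(plan):
    """Keep only repository roles (.hdbrole) for the security review."""
    return {a: [i for i in ids if i.endswith(".hdbrole")] for a, ids in plan.items()}

# Constructed sample inventories (hypothetical package, role and DU names).
INCOMING = {
    RepoObject("ecorp.security.roles", "REPORT_USER", "hdbrole"),
    RepoObject("ecorp.security.roles", "SECURITY_ADMIN", "hdbrole"),
    RepoObject("ecorp.security.privs", "AP_REGION", "hdbstructuredprivilege"),
}
TARGET = {
    "ECORP_SECURITY": {
        RepoObject("ecorp.security.roles", "REPORT_USER", "hdbrole"),
        RepoObject("ecorp.security.roles", "LEGACY_POWER_USER", "hdbrole"),
    },
    "ECORP_MODELS": {RepoObject("ecorp.models", "SALES", "calculationview")},
}

if __name__ == "__main__":
    print(role_changes(plan_import(INCOMING, TARGET, "ECORP_SECURITY")))
```

A role that appears under `delete` is the case to review most carefully, because the import removes it from the target rather than updating it.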
SAP HANA provides two tools to aid in the promotion of security-related delivery units between instances. The first tool is SAP HANA application lifecycle management, which we introduced in Section 14.2.2. The second tool is SAP HANA Studio, which provides options to both export and import a delivery unit to a compressed file. The file generated can be imported into an SAP HANA system operating on a similar software version.
In this section, we’ll explore the process for transporting a delivery unit using SAP HANA application lifecycle management. We’ll also review the processes for exporting and importing delivery units using SAP HANA Studio.
14.3.1 Transporting a Delivery Unit with SAP HANA Application Lifecycle Management
To manage transporting or migrating content between systems, SAP developed the SAP HANA application lifecycle management web-based application. This application is hosted in the XS engine. When transporting objects to a new system, you must access the SAP HANA application lifecycle management instance on the target SAP HANA instance. SAP HANA application lifecycle management uses a pull methodology, meaning that the target SAP HANA application lifecycle management instance accesses the source SAP HANA application lifecycle management instance and pulls the delivery unit into the target’s local repository. Figure 14.9 shows an overview of this process.
Figure 14.9 High-Level SAP HANA Application Lifecycle Management Transport Process
As shown in Figure 14.9, the first step in the process requires that a developer or security administrator create content in the SAP HANA DEV instance. The second step of the process requires that the transport administrator assign the content to a delivery unit within the source instance. In the last step, the transport administrator will access the target SAP HANA application lifecycle management instance and pull the delivery unit from the source to the target.
As a reminder, you can access SAP HANA application lifecycle management using a URL specific to each instance, as follows:
- https://<host_name>:43<instance number>/sap/hana/xs/lm
- https://w5-3db-hana01.e-corp.root.local:4300/sap/hana/xs/lm
Or, if SSL isn’t configured:
- http://<host_name>:80<instance number>/sap/hana/xs/lm
- http://w5-3db-hana01.e-corp.root.local:8000/sap/hana/xs/lm
On the SAP HANA application lifecycle management instance Home page, you’ll see a series of tiles. Just above the tiles is a menu bar, as shown in Figure 14.10. The third tab in that menu bar is Transport; click this tab to start the transport process.
Figure 14.10 SAP HANA Application Lifecycle Management Home Page
The transport management window has three main tabs or menu options just under the main menu bar. The System tab is selected by default, and the Transports and Logs tabs are available as well, as shown in Figure 14.11.
Figure 14.11 Transport Management Window and System Option
Before the transport process can begin, you must register a source system in the SAP HANA application lifecycle management instance of the target system. To register a new system, click the + Register button just below the submenu bar. The Register System window will appear, as shown in Figure 14.12.
Figure 14.12 Register System Window in SAP HANA Application Lifecycle Management
In this window, enter the Host of the source SAP HANA instance. Enter the TCP/IP port for the source SAP HANA instance’s XS engine in the XS Engine HTTP(S) Port field. The Comment field is optional. Click Next once you’ve entered the correct information. A new window will appear labeled Configure Destination. This window explains that you must configure the connection and authentication details specific to the source SAP HANA instance. To configure these details, click the Maintain Destination button to open a new window titled HTTP Destination Details.
In this window, specify the connection details for the source system. Click the Authentication Details menu option to open its configuration page. On the Authentication Details page, click the Edit button at the bottom right. Now, you can specify the authentication details for the source. The most common option is to select the Authentication type of Basic. You can then use the User and Password fields to specify the logon credentials for the source system. The source system service account used will need the sap.hana.xs.lm.roles::Transport role granted at a minimum. Once the credentials are entered, click the Save button located at the bottom right. Close the HTTP Destination Details window by clicking the X located in the top-right corner of the window. Click Finish on the Register System window. Your source system should now be registered in the transport system list.
The next step in the process is to define a transport route. To create the transport route, click the submenu item titled Transports, as shown in Figure 14.13.
Figure 14.13 Transport Management Window and Transport Option
To create a new transport route, click the + Create button. The Create Transport Route window will appear, as shown in Figure 14.14.
Figure 14.14 Create Transport Route Window
Enter the Name of the transport route and choose the Source System. The Source System dropdown list will only contain registered systems. The target system value is fixed and can’t be changed. In the Content section, select the Delivery Units radio button and then select one or more source system delivery units to transport. Click the Create button at the bottom right.
With the transport route defined, you can now start the transport process, as shown in Figure 14.15. To transport a delivery unit, select the transport route in the list (callout 1 in the figure). Once selected, start the transport process by clicking the Start Transport button (callout 2).
Figure 14.15 Selecting Transport Package and Starting Transport Process
Once the Start Transport button is clicked, the Start the Transport window will appear to confirm the start action. Click the OK button to start the transport process. The window will disappear, and you’ll return to the transport route-listing page.
To view the status of the transport request, click the submenu item labeled Logs. You’ll see the current and historical status of transports initiated within the system. If any issues have arisen, the Status column will show a red triangle. If the transport is complete, the Status column will show a green square.
14.3.2 Exporting a Delivery Unit to a File
In addition to using SAP HANA application lifecycle management to export a delivery unit, as described in Section 14.2.3, you can also use SAP HANA Studio. This functionality is not available in the SAP HANA cockpit, so we’ll explain how SAP HANA Studio can be used in this chapter. SAP HANA Studio provides an interface to export a delivery unit to a compressed file. This compressed file can be imported back into the SAP HANA repository later. Developers often use this export process to serve as a backup of their code. However, this functionality can also be used for lifecycle management, even though SAP HANA application lifecycle management is the preferred tool to manage transports between SAP HANA instances.
To start the process, switch to the administration console perspective within SAP HANA Studio. From the menu bar, choose File • Export. The Export window will appear. Within the Select an Export Wizard section, expand SAP HANA Content, and then choose Delivery Unit. Click Next to continue. The Select Source System window will appear. In the list of systems, select the system that will serve as the source of the delivery unit. Click Next to continue. The Export Through Delivery Unit window will appear with the subtitle Select Delivery Unit. This window is used to specify the delivery unit export options, as shown in Figure 14.16.
Figure 14.16 Export Options in SAP HANA Studio
In this window, use the Delivery Unit dropdown list to choose the delivery unit for export. The export tool will include all development artifacts associated with the packages listed in the section labeled List of Packages. However, you also have the option of exporting development artifacts based on their activation date. Use the Filter by time checkbox to enable the time-based filters. With the Filter by time checkbox selected, choose a Time Interval using the provided dropdown list. The dropdown list provides the following intervals: Last Week, Last Month, and Time Range. Choose Time Range to specify custom From and To dates.
When exporting the delivery unit file, you can choose to place the file on the server or download the file to SAP HANA Studio’s client system. Typically, you’ll export to the client system because most developers don’t have access to the SAP HANA server’s file system. Click Export to Client in the Export Location section. In the Location field, specify the local file path where the delivery unit file will be downloaded. The File Name field will be prepopulated with a file name based on the current time, system, and delivery unit name. You can change the name, but be sure to retain the file extension .tgz. Click Next to continue. A Summary page will appear with an overview of the export settings. Click Finish to start the export process. Once completed, a file will appear in the configured path. Once created, the file can be used as a backup or as an import source.
14.3.3 Importing a Delivery Unit from a File
In addition to using SAP HANA application lifecycle management to import a delivery unit, as described in Section 14.2.3, you can also use SAP HANA Studio. This functionality is not available in the SAP HANA cockpit, so we’ll explain how SAP HANA Studio can be used in this chapter. SAP HANA Studio provides an interface to import a delivery unit file into a package repository. The tool will import all development artifacts found in the file and activate them within the repository. The file can be imported into an SAP HANA instance, assuming that the export source and import target share a similar SAP HANA software version.
To start the import process, switch to the administration console perspective in SAP HANA Studio. From the menu bar, choose File • Import. The Import window will appear. Within the Select an Import Wizard section, expand SAP HANA Content and then choose Delivery Unit. Click Next to continue. A new popup window will appear titled Target System. In the list of systems, select the system that will serve as the import target for the delivery unit file. Click Next to continue. The Import Through Delivery Unit window will appear, as shown in Figure 14.17.
Figure 14.17 Import Options in SAP HANA Studio
To configure the import options, start by choosing the import file location. Choose the Client location for files stored on the SAP HANA Studio client system. Click the Browse button to specify the path of the file. In the Actions section, choose from the following options:
- Select the Overwrite inactive versions checkbox to import the delivery unit content even if another version of the content already exists in the target.
- Select the Activate objects checkbox to have the import wizard activate the newly imported development artifacts. If this option isn’t selected, the objects will be imported without activation.
In the Activate Mode dropdown list, decide how the wizard should handle inconsistencies. The Activate and ignore the inconsistencies in affected objects mode will activate the objects directly found in the delivery unit file even if their activation causes existing development artifacts to become inconsistent. The Stop activation in case of inconsistencies in affected objects option will stop the activation process if any inconsistencies are detected during import. The default option is to Activate and ignore the inconsistencies in imported objects and in their affected objects. With this option selected, the import wizard will attempt to activate development artifacts found in the delivery unit file even if some of the artifacts and their affected objects fail to import.
The Object import simulation section contains a listing of the development artifacts that will be imported. In addition, you’ll see the anticipated activation status based on a review of the target repository. Note that objects might fail to import even if the simulation indicates that no errors will arise. Click Finish to import the objects.
To monitor the status of the import job, locate the Job Log tab, as shown in Figure 14.18, which will appear at the bottom of the window once the import process is started. Within the Job Log tab, the import job type name will be listed as Import (Delivery Unit). Use the Status column to determine the import status.
Figure 14.18 Job Log Tab in SAP HANA Studio
If errors arise, double-click the Job Status row to open the Job Details window, which will provide a detailed import status for each development artifact included in the delivery unit. Identified issues will need to be resolved, and the import process will need to be repeated once issues are resolved.