Best Practices for Deploying HP-UX Secure Resource Partitions (SRP) for SAP Whitepaper

For systems not using saphostctrl, follow these guidelines:

1. If saposcol is running, login to the SRP compartment as root in which saposcol is running and

stop the process by calling “saposcol –k”

2. Create a new SRP compartment with own IP and LAN interface. The default SRP settings can

be used for this. Select an existing root user for the compartment login.

3. Customize the rule file DEFAULT_SAPOSCOL.h and include it in the SRP compartment.

4. Login to the SAPOSCOL SRP compartment as root user and start saposcol by calling

“/sapmnt/<SID>/exe/saposcol”

As described in the section of this white paper, “Known limitations”, different problems are related

with the saposcol executable. The DEFAULT_SAPOSCOL.h rule file is configured in such as way that

no SRP compartment may start or stop saposcol, leading to display issues of the saposcol status in

transaction ST06.

If it is necessary to view the actual status in ST06 and accept the risk of one SAP system stopping

saposcol for all systems installed on this host, modify the include file for saposcol in the following

way:

 Add the entry “send signal <SAPOSCOL-compartment” in the SRP compartment rule file for each

SRP compartment that requires execution rights for saposcol

 Delete the entry “perm none /sapmnt/_SAP_SID_/exe/saposcol” in the respective SRP

compartment rule files

 Set the new rules with the command “setrules”

For systems using saphostctrl, follow these guidelines:

Starting with NetWeaver 7.10, a new monitoring tool was introduced by SAP, the SAPHOST agent. It

controls the start and stop of an executable such as saposcol. It is also run only once on a system and

therefore must be included in a separate SPR compartment.

1. If saphostctrl is already running, stop it as root user from the compartment it was started from

with the command:

/usr/sap/hostctrl/exe/saphostexec –stop

2. Create a new SRP compartment with its own IP Address and LAN interface. The default SRP

settings can be used for the other settings

Customize the rule file DEFAULT_SAPHOST.h and include it in the compartment.

3. Create an empty sapservice file, e.g. /usr/sap/sapservice_saphostctrl

4. To enable the automatic startup of the sapstartsrv service after an SRP compartment start, the

sapinit script has to be relocated.

o Copy the file /sbin/init.d/sapinit or any other sapinit file from another SAP SRP

compartment to the init.d directory of your compartment:

cp /sbin/init.d/sapinit /var/hpsrp/<compartment>/sbin/init.d

o In the sapinit file, edit the value for the parameter PATH. Change the value from

“/sbin” to “/var/hpsrp/<compartment>/sbin”

o Change the value of SAPSERVICE_PATH to the new sapservice name, in this case

“/usr/sap/sapservice_saphostctrl”

o Create a logical link to enable the automatic start of the sapstartsrv process:

ln –s /var/hpsrp/<SAPOSCOL-compartment>/sbin/init.d/sapinit /var/hpsrp/<

SAPOSCOL-compartment/sbin/rc<n>.d/SAPINIT