Firewall Ports for HANA 2.0 Tenant

Sep 28, 2017 at 08:21 AM

Dear experts

We have a HANA 2.0 with a Tenant Database.

The host of the HANA 2.0 installation has an internal IP address.

Adding the System DB and the Tenant DB to HANA Studio inside our local network is possible.

Now we configured the firewall to allow external access, published ports 3xx13 - 3xx15, and configured a rule that routes the incoming traffic to the HANA 2.0 system (Firewall Rule: Public IP Port 3xx13 - 3xx15 -> HANA Internal IP Address Port 3xx13 - 3xx15).

Adding the system DB to the HANA Studio using the public IP Address is possible but adding the Tenant HT1 will not work because the internal IP address is being queried.

Of course, the internal IP address is not accessible outside our network.

A workaround would be to use a VPN, but I was wondering if it's doable without VPN (only configuring the firewall for external access).

Any thoughts?

Cheers

3 Answers

Bartosz Jarkowski Sep 28, 2017 at 08:43 AM

Please check the following guide about the port ranges for a HANA tenant database:

https://help.sap.com/viewer/6b94445c94ae495c83a19646e7c3fd56/2.0.00/en-US/440f6efe693d4b82ade2d8b182eb1efb.html

You can also determine the ports used by the tenant by executing the following script (execute from the tenant database):

SELECT SERVICE_NAME, PORT, SQL_PORT, (PORT + 2) HTTP_PORT FROM SYS.M_SERVICES WHERE
((SERVICE_NAME='indexserver' and COORDINATOR_TYPE= 'MASTER') or (SERVICE_NAME='xsengine'))

Lars Breddemann Sep 30, 2017 at 04:00 AM

This sounds a lot like the configuration issue that was faced by users of HANA Express Edition on Google Cloud.

Check https://blogs.sap.com/2017/03/08/google-app-engine-meets-sap-hana-express-edition/comment-page-1/#comment-369411

It boils down to setting a global.ini parameter for mapping 'localhost' to the desired IP address.

ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
SET ('public_hostname_resolution', 'map_localhost') = 'xx.xx.xx.xx'
WITH RECONFIGURE;

Hi Lars

The comments describe perfectly the current issue.

I've used the mentioned SQL, but HANA Studio is still querying the internal IP address.

Tried various combinations (also with use_default_route) but unfortunately no luck.

Any other ideas?

Did you restart the instance after setting the parameter?

Yes; not only the tenant but the whole HANA Instance was restarted.

Ok, can you check what is actually set in the instance right now?

select * from "PUBLIC"."M_HOST_INFORMATION"
where key like 'net%';

select * from "PUBLIC"."M_INIFILE_CONTENTS" 
where  
    file_name='global.ini'
and section ='public_hostname_resolution';

Marian Canciu Oct 09, 2017 at 09:18 AM

I've attached 2 screenshots for better understanding (I had to mask the real info due to well-known reasons).

m-host-information.png



Sorry, there might be a misunderstanding.

Can you set the parameter in section public_host_name_resolution to be called map_<actual hostname>?

ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
SET('public_hostname_resolution','map_<<hostname>>')='xx.xx.xx.xx' WITH RECONFIGURE;

On the SYSTEM DATABASE I executed:
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET('public_hostname_resolution','map_hostname')='xx.xx.xx.xx' WITH RECONFIGURE;
xx.xx.xx.xx = Public IP Address.

Unfortunately after a couple of moments the tenant is crashing. I think the tenant doesn't like this parameter ...

So I have to delete this parameter and then start the tenant.

Ok, at this point I think it would be easier to open a support issue - this back and forth via comments is not very efficient.

Also, if the tenant crashes, typically there's information on that in the corresponding indexserver tracefile. Reviewing that would be my next step of analysis.
