search

SAP-docs / abap-platform-trial-image

End user documentation for ABAP Platform Trial image
Creative Commons Attribution 4.0 International
23 stars 9 forks source link

Migrate from instance SSFS to SAP HANA LSS #18

Closed joegoerlich closed 3 months ago

joegoerlich commented 4 months ago

As of the documentation new installations of HANA 2.0 SPS 07 should come with LSS enabled by default. In ABAP Developer Edition 2022 still SSFS is used and LSS is not installed. To switch to LSS I've updated the revision to Rev. 78 and installed the corresponding LSS.

When running the migration from SSFS to LSS, it's failing:

hdbadm@vhcala4hci:/usr/sap/HDB/HDB02> hdbnsutil -migrateSecureStore --target=LSS
unhandled ltt exception: exception 301154: lss exception: LSS refused connection (reason: Validation failed)

failed. trace file nameserver_vhcala4hci.00000.000.trc may contain more error details.
Performing Final Memory Release with 16 threads.
Finished Final Memory Release successfuly.

From the trace file I can not tell why this is failing. Any idea?

joegoerlich commented 3 months ago

I found the error message Library '/hana/shared/HDB/exe/linuxx86_64/HDB_2.00.078.00.1715149848_36529db386abe5812b5bae30f9c4dc9af62d1bab/hdbesatrconfig.so' is untrusted in the LSS trace file at /hana/shared/HDB/lss/data/trace/lss_vhcala4hci.000.trc.

As a quick fix I could solve this issue by changing the LSS usage mode to 'development', which turns off the validation of libraries running as \adm. To do so, I had to logon with user \crypt and issue the command lssfcg setSystemUsage development. Then I had to run hdbnsutil -migrateSecureStore --target=LSS again as user \adm. The following output showed the successful migration:

current root key store: SSFS
target root key store: LSS
starting migration
migrating SSFS to LSS
Preparing root key store migration
Creating tenant SYSTEMDB
Migrating database SYSTEMDB
Migrating root keys for SystemDB from SSFS to LSS
- 1 key(s) for purpose PERSISTENCE migrated
- 1 key(s) for purpose DPAPI migrated
- 1 key(s) for purpose LOG migrated
- 1 key(s) for purpose BACKUP migrated
- encryption config for purpose PERSISTENCE migrated
- encryption config for purpose LOG migrated
- encryption config for purpose BACKUP migrated
- encryption config control setting migrated
- root key backup password migrated
Creating tenant HDB
Migrating database HDB
Migrating root keys for SystemDB from SSFS to LSS
- 1 key(s) for purpose PERSISTENCE migrated
- 1 key(s) for purpose DPAPI migrated
- 1 key(s) for purpose LOG migrated
- 1 key(s) for purpose BACKUP migrated
- encryption config for purpose PERSISTENCE migrated
- encryption config for purpose LOG migrated
- encryption config for purpose BACKUP migrated
- encryption config control setting migrated
- root key backup password migrated
Finalizing root key store migration
Writing usage information to SSFS
Make SSFS read-only
Writing usage information to LSS
done.
Performing Final Memory Release with 16 threads.
Finished Final Memory Release successfuly.

Then I could start the ABAP instance.

Afterwards, the following SQL statement returns 'LSS is active':

SELECT ( CASE
           WHEN (SELECT Count(*)
                 FROM   "KEY_MANAGEMENT_CONFIGURATIONS") > 0 THEN
           'LSS is active'
           ELSE 'SSFS is active'
         END )
FROM   DUMMY;