Installation of PowerConnect for Splunk requires the following steps to be completed in the order listed below.
- If you wish to use HTTPS / SSL connection between SAP and Splunk please setup the SSL support in the ABAP engine using the steps listed here. (link to Setting up HTTPS / SSL support).
- Import the agent using TMS / SAINT
- Activate BC Sets
- Upload PowerConnect Roles
- Start the PowerConnect for Splunk control panel in SAP using tcode /BNWVS/MAIN
- Configure the connection between SAP and Splunk
- Load HDB Scripts (HANA only)
Setting up HTTPS / SSL support in SAP
By default, Splunk REST API listens on port 8089 and HEC on Port 8088 with SSL active. SAP supports SSL however some basic setup is needed to provide SSL functionality to the native HTTP client built in to the ICM to support HTTPS. You can disable SSL support in Splunk and use HTTP without SSL to communicate between SAP and Splunk however it is not recommended for a production environment, especially where Splunk traffic traverses a shared network or in a public or private cloud hosted solution for SAP or Splunk.
If you wish to enable SSL support in SAP ABAP, please follow the steps below.
Please note that the instructions below are for setting up SSL to Splunk with a default configuration that includes a self-signed certificate that is included into Splunk during installation.
If your Splunk Enterprise Server has a custom SSL certificate installed, the process is the same, however names you see in the examples will differ from the screen shots below.
If you connect to a Splunk server via a proxy server then you will need to install any certificates that may sign HTTPS requests that flow through it into SAP.
If you are unsure about how to configure SSL, or you get SSL chain-verify or peer verify errors in SAP log a support call. You will need a valid license and support agreement to get email and phone support.
- Ensure that System environment variable SECUDIR is set, this normally points to the /usr/sap/<SID>/<Instance>/sec directory.
- If further details are required for setting environment variables please refer to SAP OSS Note 1827566 – http://service.sap.com/sap/support/notes/1827566
- Download the latest SAP Crypro library from SAP Marketplace and unpack into the instance executable directory
- http://support.sap.com/swdc -> Support Packages and Patches -> My Application Components -> SAPCRYPTOLIB
- In transaction RZ10 set the following profile parameters into the Default.pfl profile parameters. A restart of you SAP system is required after saving updated profile.
- In transaction STRUSTSSO2 activate the following SSL nodes:
SSL Server Standard
SSL Client SSL Client (Anonymous)
SSL Client SSL Client (Standard)
Activate by right clicking on each node and selecting “Create” – The default entry can be used unless specific security policies must be adhered too.
Change Mode ->
Next we need to ensure the ROOT CA (or server self-signed certificate is installed in the ABAP system)
Start by connecting to the Splunk server on port 8089 using HTTPS this will show you the certificate in use.
Open the certificate information
This certificate is signed by the SplunkCommonCA and we need to import this CommonCA certificate into SAP so it trusts the certificate being issued by the Splunk server.
To do this highlight the SplunkCommonCA certificate and click View Certificate
Not we are looking at the SplunkCommonCA certificate that is the issuer of the certificate being sent by Splunk. If we configure SAP to trust this certificate, then it will also trust the certificates it has issued which include the one being sent to SAP by the Splunk Server (SplunkServerDefaultCert).
Next click Copy to file to export this certificate
Now we need to import this certificate into SAP. Start tcode STRUSTSSO2.
Highlight the hostname under node “SSL client SSL Client (Standard).
Click on the import button in the certificate section
Now enter the file path of the SplunkCommonCertificate saved in the previous step
Now the SplunkCommonCA certificate appears in the Certificate section, click on the Add to Certificate List button to add it to the Certificate List
Click Save in the toolbar to save this change
Repeat this change for the following 2 nodes
SSL server Standard
SSL client SSL Client (Anonymous)
Ensure Installation and Support Packages are unpacked into \usr\sap\trans\EPS\in directory
Client 000 -> Transaction Saint
From the main screen in transaction SAINT select “Start”
Highlight the PowerConnect Add-on
You will then see a list all packages being installed.
Select “No” for Modification Adjustment transport
Select the “Start Options” button”
Change to start in background
Select the “tick” to continue
Select the “tick” to start installation
Once installation is complete select “Finish”
The “BNWVS” add-on will now appear in installed add-on list
Activate BC Sets
Go to transaction SCPR20
In the BC Sets Field enter “\BNWVS\BCSET_500”
BC Set -> Activate
Create a transport for the BC Set activation – This transport will be imported into subsequent systems rather than running this transaction again.
The follow line will appear at the bottom of screen on complete.
To confirm successful activation view the logs by going to Goto -> Activation Logs
Add Transport to buffer
Ensure transport files are loaded into the usr\sap\trans\cofiles and \usr\sap\trans\data directories.
From the buffer of the system select Extras -> Other Requests -> Add
Select transport “N71K900223”
Select the “tick” and then “yes” to add to buffer
Select transport with the mouse and then from menu select Request -> Import
Ensure “Ignore Invalid Component Version” is selected.
Upload PowerConnect Roles
From menu Role -> Upload
Navigate to the directory where you have saved the roles and select one.
Confirm the import.
Carry out the same procedure for the other role.
From menu select Utilities -> Mass generation
In the role field enter “Z_BNWVS*”
Select Program -> Execute
Edit -> Select All
Roles -> Generate profile
Assign role Z_BNWVS_ADMIN_CHANGE to user who will administer PowerConnect and Z_BNWVS_BATCHUSER to user that will run the PowerConnect batch jobs.
Enter your PowerConnect license
Accept the user terms
Configure Splunk Connection
Enter Splunk Connection details
Enter either the hostname and port to the REST or HEC port and the target index
One of the two credential methods can be used, but we do recommend using HEC keys.
Enter HEC key
If using HEC select the “Event Collector” Radio button and enter the Token associated with your index.
Enter REST user details
If using REST select the “REST” radio button – specify username and password
On the next screen you can carry out a connection test to confirm SAP can access Splunk and the index exists.
Start Batch jobs
In the “Batch User” field enter the name of your background user and confirm.
Load HANA Scripts
If your SAP systems run on HANA you will need to upload the scripts to run extended querys.
Administrator -> Setup Metric -> BDB Queries
Select Upload file button
Navigate to where HDB_SCRIPTS.xml file has been save and select
Once uploaded select with scripts you want to run and then select “save” from the top menu