The DBA Cockpit is a great tool for monitoring SAP systems on IBM Db2 for Linux, UNIX, and Windows (Db2 for LUW). It’s free and part of every ABAP-based SAP system.
The latest Db2 version 12.1, which was released by IBM in mid-November 2024, contains interesting features for SAP systems on Db2. Two weeks later, SAP certified Db2 12.1 for use with SAP systems. So, as of November 29, 2024, you can install new SAP systems with Db2 12.1 or upgrade existing SAP systems to Db2 12.1 and explore the new features using the DBA Cockpit.
Prerequisites
To fully exploit Db2 12.1, the DBA Cockpit needs a handful of ABAP correction instructions. SAP Note 3532234 provides an overview of required and recommended SAP Notes.
Please install at least the required SAP Notes which address adaptations to Db2 12.1 of existing functionality of the DBA Cockpit. The recommended SAP Notes enhance the DBA Cockpit and exploit the features of Db2 12.1.
Overview
The following screens of the DBA Cockpit were enhanced due to new features in Db2 12.1:
- Configuration -> Overview
- Configuration -> Encryption
- Backup and Recovery -> Overview
- Backup and Recovery -> Logging Parameter
- Performance -> Transaction Log
Enhancements to Screen Configuration -> Overview
The screenshot below shows the configuration overview screen after applying SAP Note 3138304. The Database section is completely new, as is half of the Database Instance section, too.
As of Db2 12.1, Db2 Advanced Log Space Management (ALSM) has become the default for SAP customers. The screenshot shows the two parameters ALSM Enabled and ALSM Status. ALSM Enabled tells you whether the functionality of ALSM is enabled in general. This is done via the Db2 registry variable DB2_ADVANCED_LOG_SPACE_MGMT=ON. However, the database configuration must fulfil certain criteria to allow ALSM to become active. For example, log archiving must be turned on. Otherwise, ALSM doesn’t work. ALSM Status, in turn, tells you whether ALSM is active and in operating mode for your SAP database.
With Db2 12.1, a focus was put on auditing at the Db2 level in addition to the auditing capabilities of the SAP application server. You can now easily see if instance-level audit or database-level audit is activated.
Prior to SAP Note 3138304, the screen Configuration -> Overview displayed the HADR configuration, too. This was changed and a separate new screen was created which can be reached via Configuration -> HADR. As before, the information regarding HADR is only displayed if HADR is configured for your database. Otherwise, the screen is suppressed.
Enhancements to Screen Configuration -> Encryption
The next change comes with SAP Note 3484724. Prior to this SAP Note, the screen Configuration -> Encryption displayed details regarding database encryption. As of SAP Note 3484724, the screen was renamed to Configuration -> Security and six tabs were added to the screen. The tab “Database Encryption” contains the same information as formerly displayed on the screen Configuration -> Encryption. I briefly explain the five new tabs below.
Communication Encryption Tab
Here, the configuration parameters are displayed which are related to encrypted communication between the SAP application server and the Db2 database.
You can see that the relevant parameters for encrypted client-server communication are not set and therefore no encryption takes place. Please also check the Connections tab (see below), which contains a table with the column Connection Security. This column shows the current encryption state for each connection to Db2.
Trusted Context Tab
As already mentioned above, auditing has moved more into focus. Auditing might generate a large volume of audit records. As of Db2 12.1, you can establish trusted connections based on a trusted context with a trusted procedure. It is now possible to define an audit exception that allows you to suppress trusted connections from auditing.
Exclusively for SAP customers, Db2 delivers the trusted procedure SAPTOOLS.TRUST_PROC, which builds, in combination with the SAP application server, the foundation for this new capability. By default, SAP configures the trusted context. In the screenshot above, you can see the trusted context. In the table, there’s the column Exception Type. If the column shows “Audit Exception”, it means the exception is configured. Note that the audit exception is not configured by default by SAP but needs to be configured by SAP customers if they want to use this audit feature. For more information, see Db2 Audit and Audit Exceptions in the database administration guide for SAP on IBM Db2 for Linux, UNIX, and Windows on SAP Help Portal.
Connections Tab
This tab shows whether a connection uses client-server encryption and whether the connection is treated as a trusted connection defined via the trusted context, as explained above.
“IMPLICIT” in column Trusted Context Type means that the connection is treated as trusted, which is the prerequisite for an audit exception.
Db2 Audit Tab
On this tab, you get an overview of the audit configuration. You can see whether instance-level or database-level auditing is active, and it shows the granularity of database auditing in the table below.
Find more information regarding Db2 audit in this blog post on SAP community: Using db2audit with SAP Applications
Users, Groups and Roles Tab
The Security screen is your central entry point to security-related configuration settings. The new tab Users, Groups and Roles provides you with authorization-related information: You can now see at a glance who has SECADM, DATAACCESS, or DBADM authority.
This screen can also be helpful to validate if separation of duties is configured in your database. For more information, see Role-Based Security Concept for Database Users in the database administration guide for SAP on IBM Db2 for Linux, UNIX, and Windows on SAP Help Portal.
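The separation-of-duties check described above can also be run directly against the Db2 catalog. The query below is an added example, not part of the original post and not the query the DBA Cockpit itself uses; it assumes read access to the catalog views SYSCAT.DBAUTH and SYSCAT.ROLEAUTH, and the result column name SOD_CHECK is made up for illustration. It resolves one level of role membership only; nested roles and operating-system group membership are not expanded.

```sql
-- Added example: list every authorization ID that holds SECADM, DBADM,
-- DATAACCESS or ACCESSCTRL, either directly or through a role, and flag
-- IDs that combine SECADM with a data-administration authority.
WITH holders (authid, authid_type, secadm, dbadm, dataaccess, accessctrl) AS (
    -- Authorities granted directly to a user (U), group (G) or role (R)
    SELECT d.grantee, d.granteetype,
           d.securityadmauth, d.dbadmauth, d.dataaccessauth, d.accessctrlauth
      FROM syscat.dbauth d
    UNION ALL
    -- Authorities inherited through direct membership in a role
    SELECT r.grantee, r.granteetype,
           d.securityadmauth, d.dbadmauth, d.dataaccessauth, d.accessctrlauth
      FROM syscat.dbauth d
      JOIN syscat.roleauth r
        ON r.rolename = d.grantee
     WHERE d.granteetype = 'R'
),
combined AS (
    -- 'Y' sorts after 'N', so MAX() yields 'Y' if any path grants the authority
    SELECT authid, authid_type,
           MAX(secadm)     AS secadm,
           MAX(dbadm)      AS dbadm,
           MAX(dataaccess) AS dataaccess,
           MAX(accessctrl) AS accessctrl
      FROM holders
     GROUP BY authid, authid_type
)
SELECT authid, authid_type, secadm, dbadm, dataaccess, accessctrl,
       CASE
           WHEN secadm = 'Y' AND (dbadm = 'Y' OR dataaccess = 'Y')
               THEN 'REVIEW: SECADM combined with DBADM/DATAACCESS'
           ELSE 'OK'
       END AS sod_check
  FROM combined
 WHERE 'Y' IN (secadm, dbadm, dataaccess, accessctrl)
 ORDER BY sod_check DESC, authid;
```

Rows marked REVIEW are the ones to compare against the role-based security concept referenced above; a group (type G) in the result means every operating-system member of that group inherits the authority.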
Enhancements to Screen Backup and Recovery -> Overview
With Db2 12.1, the following additional information is available in the history file:
- Size of backup
- Is backup encrypted?
- Compression library used during backup
- Does backup include log files?
SAP Note 3482193 provides the necessary adjustments for this. The table in the screenshot below shows the new columns Logs Included, Encryption and Compression Library.
Column Backup Size already existed in the table. However, prior to Db2 12.1, the backup size was retrieved and parsed from the file db2diag.log. The retrieval could be slow depending on the size of db2diag.log. As of Db2 12.1, the backup size is selected from the history file, which is much faster compared to db2diag.log.
SAP Note 3521505 provides the same adjustments for archived log files that are displayed on the Archived Log Files tab on the same screen. As of Db2 12.1, you find the abbreviation “VE:” in the Comment column, which stands for “Validation Error”. This means that the checksum validation of the log file during archiving failed. Archived log files with a validation error are marked with a red background color in the table.
If you double-click a backup entry in the table on the Database Backup tab, you can display details of the backup.
The Backup Sequences tab displays the sequences of a backup in the case that you performed a backup to multiple target devices in parallel. As of Db2 12.1, the screen displays the size of each sequence. The sum of all sequence sizes is the backup size.
Enhancements to Screen Backup and Recovery -> Logging Parameter
In the previous section, I explained the term “Log File Validation Error”. Implementing SAP Note 3536120 enhances the section Log File Archiving Status with the Log File Validation field. The Log File Validation field shows the most recent log file number with a validation error. If no validation error happened in the past, “Success” is displayed.
Enhancements to Screen Performance -> Transaction Log
Finally, SAP Note 3526895 adds the Log File Validation field also to the screen Performance -> Transaction Log of the DBA Cockpit. Note, however, that SAP Note 3526895 is only available via support package and not via correction instructions. If you haven’t yet moved up so far to the corresponding support package, you can display the Log File Validation field by implementing the two other options described above.
Summary
Db2 12.1 introduced a wide range of features around monitoring, configuration, auditing and trusted connections. I highly recommend reading SAP Note 3532234 and installing the required and recommended SAP Notes listed.
If you’re using the DBA Cockpit with Db2 11.5 or lower, you can also benefit from the enhancements to the Configuration -> Overview, Configuration -> HADR and Configuration -> Security screens. There’s no need to wait until your system is upgraded to Db2 12.1. You can apply the correction instructions now and benefit from the enhancements right away.
Finally, I’d like to thank my SAP colleagues Karen Kuck and Oliver Brein who contributed a lot to this blog post.
Let us know in the comments if you’re using the new enhancements in the DBA Cockpit and what you think of them.