This article outlines the technical steps and explanations for using Azure Center for SAP Solutions (ACSS) to automate kernel updates on SAP systems hosted on Azure.
If your SAP workloads run on Azure, this automation can significantly reduce the effort involved in kernel upgrades.
It's important to note that this article aims to demonstrate performing kernel upgrades using ACSS features and other Azure services. Exercise caution when using the provided scripts and logic to prevent any potential impact on the SAP system.
1. Azure Services
The following Azure services will be utilized to accomplish this kernel upgrade automation:
1.1. Azure Center for SAP Solutions
Azure Center for SAP Solutions incorporates features for storing SAP system metadata. This metadata will be utilized by the automation to identify and execute pertinent actions during kernel upgrade operations. Additional details about this offering can be accessed here.
1.2. Automation Runbook
The Automation Runbook will serve as the primary executor for this process. All subordinate executions will occur from here, calling functions through HTTP. Further details about the Automation Runbook can be found here.
1.3. Storage Container
An Azure Storage Container will store the new SAP Kernel binaries. These binaries will be utilized by the automation to execute the kernel upgrade on the SAP Systems. Additional details about the Storage Container can be found here.
1.4. Function App
Within the Function App, Python code will execute tasks within the SAP VMs. You can deploy the code into Function Apps using VSCode or alternative methods. Additional details about the Function App can be found here.
2. Architectural Flow and Overview
- The Azure Automation Runbook, powered by PowerShell, utilizes the Az.Workloads module to retrieve inventory specifics from Azure Center for SAP Solutions. This data includes deployment type, IP address, hostname, instance number, credentials, and more.
- Utilizing this data, the runbook generates a payload and executes HTTP POST calls to various function apps, aligning with the steps involved in the Kernel upgrade process.
- The Function App comprises distinct functions that the Automation Runbook calls for specific actions:
- SapKerUpgBackupExe – Archives the current SAP System Kernel for potential future reference or rollback.
- SapKerUpgUploadExe – Downloads necessary SAP Kernel upgrade components (e.g., SAPCAR, SAPEXE, SAPEXEDB, etc.) from the storage account and uploads them to the SAP System.
- SapKerUpgSAPOPs – Manages the start and stop of SAP Services on the associated SAP VMs running ASCS and DIA instances.
- SapKerUpgMain – Executes the Kernel switch by extracting SAR files to the Kernel directory using the SAPCAR utility.
- SapKerUpgPostSteps – Performs post-upgrade actions such as saproot.sh, sapcpe, and others as required.
- The actual start and stop of SAP instances is performed by the Automation Runbook through the Azure Center for SAP Solutions PowerShell module (Az.Workloads), which uses internal API calls directed to the SAP Systems.
3. Prerequisite, Deployment and Configuration (Automated Method)
3.1. Creation of Template Specs
The ARM Template is set up to create all necessary resources in an automated manner. You can access the JSON file directly through the import feature in Template Specs. You can find the JSON file here.
3.2. Deployment of the resources
Access the imported template specs from the previous step and initiate resource deployment by selecting the Deploy option:
Once you've selected "Deploy," be sure to provide the following details:
- Subscription: Choose the desired subscription where the resources will be created.
- Resource Group: Opt for either a new or existing resource group, preferably a new one dedicated solely to these resources.
- Region: Select the region for resource deployment.
- Resource Prefix: This text will serve as a prefix for all resource names.
- Managed Identity Name: Specify the name for the Managed Service Identity (MSI) to be created. By default, it's <prefix>-msi.
- Assign Role to MSI: Grant 'Automation Operator' and 'Reader and Data Access' roles to the MSI within the Resource Group.
- Sap Media Storage Account Name: Name of the Storage Account containing the media for SAP Kernel.
- Sap Media Container Name: Storage Container name from which Media for SAP Kernel will be retrieved.
- Automation Account Name: Specify the name for the Automation Account. By default, it's <prefix>-aa.
- Subnet Id: Provide the ID of the subnet for the function app integration. Ensure this subnet has complete access to the SAP System VMs and is delegated exclusively to 'Microsoft.Web/serverFarms'.
- Function App Name: Name of the Function App to be created. By default, it's <prefix>app.
Proceed with the deployment by selecting "Review + create."
3.3. Updating Function URL
Each deployment generates Function URLs containing a unique code, so the Function URLs must be updated manually. To do this, navigate to the Functions section within the Function App:
Paste the Function URL into the Automation runbook named 'sapkernelupgrade', which was created as part of the ARM template deployment. Repeat these actions for all the functions listed within the function app.
After making the changes, be sure to save and publish the Runbook.
3.4. Setup Authorization for Managed Identity
Grant the appropriate access permissions to the Managed Identity as specified.
3.5. Registration to ACSS
Since the Automation runbook will leverage ACSS features, the key prerequisite is to have the SAP system registered with ACSS. This can be achieved by either installing the SAP system with ACSS or by registering an existing SAP System.
3.5.1. Create Systems using ACSS
Utilize ACSS to create a new SAP System with the necessary configurations. You can find detailed instructions in our documentation available here. Systems created by ACSS have a structure resembling the following:
3.5.2. Register Systems using ACSS
If you already have an SAP system installed on Azure and wish to utilize this automation, you can do so by following these steps:
3.5.2.1. Registration of SAP System
Begin by registering the existing system with ACSS. You can find a detailed process for this action here. The registered system will resemble the following:
3.5.2.2. Create Key Vault
After registering the SAP system, create a Key Vault within the managed resource group. Choose a name that represents the SAP SID. Once the Key Vault is created, add a secret named "<SID>-sid-sshkey" to it and set its value to the SSH private key of the root user for all SAP Virtual Machines.
3.6. Adding SAP's Kernel Media to Storage Account
Additionally, it's necessary to either create a new storage account or utilize an existing one. Afterwards, add the new SAP Kernel components to the container within the storage account. These components comprise SAP Kernel files obtained from the SAP Marketplace, including SAPEXE, SAPEXEDB, SAPCAR, and more. The Function Apps will utilize these stored SAP bits in the storage account to execute the kernel upgrade operation on the SAP System.
4. Execution
Initiate the automation runbook and furnish the following compulsory inputs:
- MSIAPPLICATIONID – This pertains to the application ID of the Managed Identity utilized for executing the automation runbook.
- SAPMEDIASTORAGEACCOUNTRGNAME – This designates the Resource Group name of the storage account housing the SAP Kernel Media.
- SAPMEDIASTORAGEACCOUNTNAME – Refers to the name of the storage account containing the new SAP Kernel Media.
- SAPMEDIASTORAGECONTAINERNAME – This denotes the name of the container storing the new SAP Kernel Media Files.
- SAPEXEFILES – Represents the names of the SAR files within the storage container. Multiple files can be provided by separating them with commas, for example, SAPEXE_100-80005374.SAR,SAPEXEDB_100-80005373.SAR.
- SAPCARFILE – Indicates the name of the SAPCAR file within the storage account. For instance, SAPCAR_1115-70006178.EXE.
- SAPSIDS – Represents the SAP System IDs targeted for the kernel upgrade, such as ['KS1','KD1','KH1'], etc.
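These inputs are forwarded to the Function App, whose Python code acts on the SAP VMs using the root SSH key held in the Key Vault, so each value should be checked against a strict allow-list before it is used in a path or command. The following Python function is an added example, not code from the original automation; it assumes the payload carries the inputs under the runbook parameter names with SAPSIDS as a list, and the file-name patterns are modelled on the examples above.

```python
import re

# Assumptions: SAPSIDS arrives as a JSON list, the payload keys match the
# runbook input names, and file names follow the examples in this article.
SID_RE = re.compile(r"[A-Z][A-Z0-9]{2}")            # standard 3-char SAP SID
SAR_RE = re.compile(r"[A-Z0-9]+_[0-9]+-[0-9]+\.SAR")
SAPCAR_RE = re.compile(r"SAPCAR_[0-9]+-[0-9]+\.EXE")


class PayloadError(ValueError):
    """Raised when a runbook input must not be passed on to an SAP VM."""


def _check(value, pattern, field):
    # fullmatch() rejects path separators, whitespace, quotes and shell
    # metacharacters, because none of them is in the allowed alphabet.
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise PayloadError(f"{field}: rejected value {value!r}")
    return value


def validate_payload(payload):
    """Return a normalised copy of the inputs, or raise PayloadError."""
    raw_files = payload.get("SAPEXEFILES")
    if not isinstance(raw_files, str) or not raw_files.strip():
        raise PayloadError("SAPEXEFILES: expected a comma-separated string")
    sar_files = [_check(name.strip(), SAR_RE, "SAPEXEFILES")
                 for name in raw_files.split(",")]

    sids = payload.get("SAPSIDS")
    if not isinstance(sids, list) or not sids:
        raise PayloadError("SAPSIDS: expected a non-empty list")
    sids = [_check(sid, SID_RE, "SAPSIDS") for sid in sids]

    sapcar = _check(payload.get("SAPCARFILE"), SAPCAR_RE, "SAPCARFILE")
    return {"sar_files": sar_files, "sapcar_file": sapcar, "sids": sids}


# Constructed sample payload built from the example values in this article.
SAMPLE = {
    "SAPEXEFILES": "SAPEXE_100-80005374.SAR,SAPEXEDB_100-80005373.SAR",
    "SAPCARFILE": "SAPCAR_1115-70006178.EXE",
    "SAPSIDS": ["KS1", "KD1", "KH1"],
}

if __name__ == "__main__":
    print(validate_payload(SAMPLE))
```

Calling validate_payload at the top of every function in the Function App, rather than only in the runbook, keeps the check in place even when a function URL is called directly.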
Once the execution is initiated, we can observe the logs detailing the actions performed on the console.
Upon completion of the execution, all tasks are executed seamlessly, including the startup of SAP instances, without encountering any issues.
After the tasks are finished, you can verify the new Kernel patch version of the SAP System by accessing the overview of the central service instance within the SAP Solution for the SAP system on the ACSS screen in the Azure Portal.
5. Monitoring And Notifications
To monitor the automation runbook, configure alerts for the runs as outlined in our documentation: "Monitor Azure Automation runbooks with metric alerts" (Microsoft Learn).
To monitor the functions within the function app, set up monitoring and configure alerts using the desired metrics as detailed in the documentation: "Configure monitoring for Azure Functions" (Microsoft Learn).