Deploying a Standard SAP S/4HANA System on existing hosts with Ansible Automation
This guide provides comprehensive, step-by-step instructions for deploying a Standard SAP S/4HANA System on SUSE Linux Enterprise Server for SAP applications 16.
We will be executing playbooks on SUSE Linux Enterprise Server for SAP applications 16.0 and deploying on SUSE Linux Enterprise Server for SAP applications 16.0.
By leveraging Ansible for automation, you can achieve a resilient, scalable, and enterprise-grade environment with minimal manual intervention.
This guide requires existing hosts to be provisioned and SSH Keys distributed before executing the playbook.
This document is intended for system administrators, DevOps engineers, and SAP Basis consultants who have a working knowledge of Ansible and SAP principles.
By following this guide, you will:
- Prepare a control node.
- Configure Ansible variables for a custom deployment.
- Configure Ansible inventory.
- Execute a single playbook to deploy an SAP S/4HANA system.
- Achieve a fully functional SAP system ready for post-installation activities.
The resulting SAP S/4HANA system will consist of the following components:
- One SAP HANA server.
- One Primary Application Server (PAS).
Prepare Existing Hosts
Before running the Ansible playbooks, you must have existing hosts with a working SSH connection from the Ansible Control Node.
- Hosts with SUSE Linux Enterprise Server for SAP applications 16.0 installed.
- SSH Keys generated and distributed.
- Known hosts (ssh-keyscan) configured.
Prepare Control Node
The sles_sap_automation pattern is available only on SUSE Linux Enterprise Server for SAP applications 16.
The sles_sap_automation pattern provides the core tools for SAP automation on SUSE, including Ansible and a collection of SAP-specific roles and playbooks. Installing this pattern is the first step in preparing your control node.
sudo zypper install --type pattern sles_sap_automation
Validate that the pattern is installed with all its components.
sudo zypper info --type pattern sles_sap_automation
Refreshing service 'SUSE_Linux_Enterprise_Server_for_SAP_Applications_x86_64'.
Retrieving repository 'SLE-Product-SLES_SAP-16.0' metadata .........................................................................[done]
Building repository 'SLE-Product-SLES_SAP-16.0' cache ..............................................................................[done]
Loading repository data...
Reading installed packages...
Information for pattern sles_sap_automation:
--------------------------------------------
Repository : SLE-Product-SLES_SAP-16.0
Name : sles_sap_automation
Version : 16.0-160000.2.2
Arch : x86_64
Vendor : SUSE LLC
Installed : Yes
Visible to User : Yes
Summary : automation deployment
Description :
ansible playbooks and roles
Contents :
S | Name | Type | Dependency
---+------------------------------+---------+-----------
i | ansible | package | Required
i | ansible-linux-system-roles | package | Required
i | ansible-sap-infrastructure | package | Required
i | ansible-sap-install | package | Required
i | ansible-sap-operations | package | Required
i | ansible-sap-playbooks | package | Required
i+ | patterns-sap-automation | package | Required
i+ | patterns-sap-base_sap_server | package | Required
Generate and Distribute SSH Keys
Ansible requires SSH keys to securely communicate with the existing hosts. If you do not already have an SSH key pair for this purpose, generate one on your control node now:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/sap_rsa -N ""
Next, copy this public key to your existing target hosts so Ansible can connect without a password prompt. Replace the IP addresses below with the actual IPs of your database and application hosts:
ssh-copy-id -i ~/.ssh/sap_rsa.pub root@10.10.10.10
ssh-copy-id -i ~/.ssh/sap_rsa.pub root@10.10.10.11
You will use the absolute paths to these keys (e.g., /root/.ssh/sap_rsa) in the variable configuration steps below.
Prepare playbooks and variables
Ansible Playbooks are installed in /usr/share/ansible/playbooks. To prevent changes from being overwritten by future package updates, we will not modify these files directly.
This guide will:
- Use the scenario directory /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_standard.
- For simplicity, this guide stores all customizations in the /playbooks directory. Specifically, we will use /playbooks/S01 as the dedicated directory for our system.
- Define the minimally required variables and leave the predefined ones in place for simplified configuration.
Considerations for using Ansible Vault
For security, it is crucial to encrypt sensitive information like passwords and cloud credentials. Ansible Vault is the standard tool for this. You have a few options for organizing your encrypted variables:
- Encrypt all variables for the scenario.
- Split variables for reusability and encrypt only what is needed. Example:
  - Cloud credentials and information encrypted in Vault
  - Scenario passwords encrypted in Vault
  - Scenario non-sensitive variables without using Vault.
In this guide, we will use a simplified variant for encrypting whole files.
Copy the default variable and inventory files for editing
Since we are using existing hosts, we will need only 2 variable files and 1 inventory file:
- ansible_extravars.yml – Contains scenario-specific variables.
- optional/ansible_extravars_existing_hosts.yml – Contains platform-specific variables.
- optional/ansible_inventory_noninteractive.yml – Contains inventory definition of existing hosts.
The files for existing hosts are in sub-directory optional/ inside of the scenario directory.
cp /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_standard/ansible_extravars.yml /playbooks/S01/
cp /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_standard/optional/ansible_extravars_existing_hosts.yml /playbooks/S01/
cp /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_standard/optional/ansible_inventory_noninteractive.yml /playbooks/S01/
Updating the variable file ansible_extravars.yml
The following variable selects the desired topology from the sap_vm_provision_existing_hosts_host_specifications_dictionary:
- This dictionary contains predefined plans with storage definition and host specific variables.
- You can customize your deployment by editing an existing plan or creating a new one within this dictionary.
sap_vm_provision_host_specification_plan: "xsmall_256gb"
The value of the variable sap_software_product is a key predefined in the dictionary sap_software_install_dictionary. This dictionary follows the same rules as the one above, and it can be edited or created anew.
sap_software_product: "sap_s4hana_2023_distributed"
sap_install_media_detect_source_directory: "/software"
You have two options for providing the SAP installation media to the playbook:
1. Manual Download (Default):
By default, the playbook expects you to manually download all the required SAP installation files and place them in the directory defined by the sap_install_media_detect_source_directory variable.
2. Automated Download:
For a more automated setup, you can install the optional ansible-sap-launchpad package from the SUSE Package Hub. If this package is present, the playbook can automatically download the software from the SAP Launchpad. To enable this, you must provide your S-User credentials in the sap_id_user and sap_id_user_password variables.
For this guide, we use a master password for simplicity. In a production environment, you might choose to set individual passwords. You must provide values for the following password fields:
This guide does not include any plain-text passwords. You must define them when updating the variable files.
# Use a master password for SAP HANA installation (y/n) (String).
sap_hana_install_use_master_password: "y"
# The master password for SAP HANA (String).
sap_hana_install_master_password: ''
# Master password for the SAP system (String).
sap_swpm_master_password: ''
# Password for the DDIC user in client 000 (String).
sap_swpm_ddic_000_password: ''
# Password for the ABAP schema user (String).
sap_swpm_db_schema_abap_password: ''
# Password for the <sid>adm user in the database (String).
sap_swpm_db_sidadm_password: ''
# Password for the SYSTEM user in the SAP HANA database (String).
sap_swpm_db_system_password: ''
# Password for the SYSTEM user in the SAP HANA system database (String).
sap_swpm_db_systemdb_password: ''
Throughout the variable files, you will find the placeholder ENTER_STRING_VALUE_HERE. You must replace all instances of this placeholder with the actual values from your environment.
Updating the variable file ansible_extravars_existing_hosts.yml
Ansible automatically detects the domain from the /etc/hosts file, but this variable can override it.
sap_general_preconfigure_domain: "{{ ansible_facts['domain'] }}"
The following variable holds the path to the SSH private key that exists on the control node and whose public key has been added to authorized_keys on the existing hosts.
# Path to target host's SSH private key on the execution node (String).
# This SSH key has to be added to authorized_keys on managed node.
sap_vm_provision_ssh_host_private_key_file_path: "ENTER_STRING_VALUE_HERE"
Updating the inventory file ansible_inventory_noninteractive.yml
The inventory file contains a ready-made definition of existing hosts that is required for this scenario.
This example shows the updated inventory file for these existing hosts:
- Database host: s01hana
  - IP: 10.10.10.10
  - SSH Key path: /root/.ssh/sap_rsa
  - Simplified SSH arguments without Bastion host.
- Application host: s01pas
  - IP: 10.10.10.11
  - SSH Key path: /root/.ssh/sap_rsa
  - Simplified SSH arguments without Bastion host.
---
hana_primary:
  hosts:
    s01hana:
      ansible_host: "10.10.10.10"
      ansible_port: 22
      ansible_user: root
      ansible_ssh_private_key_file: "/root/.ssh/sap_rsa"
      ansible_ssh_common_args: >-
        -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s
        -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no
nwas_ascs:
  hosts:
    s01pas:
      ansible_host: "10.10.10.11"
      ansible_port: 22
      ansible_user: root
      ansible_ssh_private_key_file: "/root/.ssh/sap_rsa"
      ansible_ssh_common_args: >-
        -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s
        -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no
The inventory file also contains an example of SSH arguments with a Bastion host, but this guide does not use it.
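The inventory above passes StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null, so the known_hosts entries collected with ssh-keyscan in the prerequisites are never consulted when Ansible connects. The following added example (not part of the SUSE playbooks; the function names and the known_hosts path are assumptions) flags those options in an inventory file and rewrites them to enforce verification:

```bash
#!/usr/bin/env bash
# Added example: flag inventory SSH options that switch off host key checks.

# Print every line of the inventory ($1) that disables host key verification.
# Returns 0 when the file is clean, 1 when at least one weak option is found.
audit_inventory_ssh_args() {
  local inventory="$1" findings
  findings=$(grep -nE 'StrictHostKeyChecking=(no|off)|UserKnownHostsFile=/dev/null' \
    "$inventory" || true)
  if [ -n "$findings" ]; then
    printf 'host key verification disabled in %s:\n%s\n' "$inventory" "$findings" >&2
    return 1
  fi
  return 0
}

# Rewrite the weak options in place so SSH verifies host keys against a
# known_hosts file ($2). That file must already hold the target hosts' keys,
# collected with ssh-keyscan and compared against the hosts' real fingerprints.
harden_inventory_ssh_args() {
  local inventory="$1" known_hosts="$2"
  sed -i -E \
    -e 's#StrictHostKeyChecking=(no|off)#StrictHostKeyChecking=yes#g' \
    -e "s#UserKnownHostsFile=/dev/null#UserKnownHostsFile=${known_hosts}#g" \
    "$inventory"
}

# Constructed sample: the SSH arguments from the inventory shown in this guide.
demo_inventory() {
  cat <<'EOF'
hana_primary:
  hosts:
    s01hana:
      ansible_host: "10.10.10.10"
      ansible_ssh_common_args: >-
        -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s
        -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no
EOF
}
```

Run audit_inventory_ssh_args against /playbooks/S01/ansible_inventory_noninteractive.yml before the connection test; a non-zero return means the inventory still skips host key verification.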
Test the Ansible Connection
Before moving on, verify that Ansible can successfully connect to your target hosts using the inventory and SSH keys you just configured.
sudo ansible -i ./ansible_inventory_noninteractive.yml all -m ansible.builtin.ping
A successful test will return a "ping": "pong" response for each host, confirming your SSH keys and inventory are correctly configured.
Encrypt files with Ansible Vault
Files can be encrypted either by using a prompt or a password file, which is easier for reusability in larger environments.
Encryption with Prompt
sudo ansible-vault encrypt ansible_extravars.yml ansible_extravars_existing_hosts.yml
Encryption with a Password File is easier for reusability, but it requires appropriate permissions and protection for security compliance.
echo "YourSecureVaultPassword" > password.key
chmod 600 password.key
sudo ansible-vault encrypt --vault-password-file password.key ansible_extravars.yml ansible_extravars_existing_hosts.yml
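With the commands above, password.key exists with the default umask permissions until chmod runs, and the password itself lands in the shell history. The following added example (not from the SUSE playbooks; function names are assumptions) creates the file with mode 600 from the start and adds two pre-flight checks to run before the playbook: the password file mode, and that the variable files carry the Ansible Vault header.

```bash
#!/usr/bin/env bash
# Added example: create the vault password file safely and verify state
# before the playbook run. Function names are illustrative.

# Write a random vault password to $1; the file is created with mode 0600.
create_vault_password_file() {
  local path="$1"
  ( umask 077   # new files get rw------- at creation time
    set -C      # noclobber: refuse to overwrite an existing file
    head -c 32 /dev/urandom | base64 > "$path" )
}

# Succeed only if $1 is a regular file with permission mode exactly 600.
check_secret_file_mode() {
  [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# Succeed only if every listed file starts with the Ansible Vault header,
# i.e. no variable file is still stored in plain text.
check_vault_encrypted() {
  local f first
  for f in "$@"; do
    first=""
    IFS= read -r first < "$f" || true
    case "$first" in
      '$ANSIBLE_VAULT;'*) ;;
      *) printf 'not vault-encrypted: %s\n' "$f" >&2; return 1 ;;
    esac
  done
}
```

Typical use from /playbooks/S01: create_vault_password_file password.key, encrypt as shown above, then run check_secret_file_mode password.key and check_vault_encrypted ansible_extravars.yml ansible_extravars_existing_hosts.yml before ansible-playbook.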
Executing Playbook
Now that your environment is prepared and your variables are defined, you can execute the main playbook. This command should be executed from your working directory for this system (e.g., /playbooks/S01). It will start the automated process of installing the SAP software. The `--vault-password-file` option tells Ansible how to decrypt your sensitive variables.
sudo ansible-playbook /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_standard/ansible_playbook.yml \
--extra-vars "@./ansible_extravars.yml" \
--extra-vars "@./ansible_extravars_existing_hosts.yml" \
--inventory "./ansible_inventory_noninteractive.yml" \
--vault-password-file password.key
The order in which you load extra variable files (--extra-vars) is important. Ansible processes them in the order they appear on the command line. If the same variable is defined in multiple files, the value from the last file loaded takes precedence.
In this command, we load the platform-specific file ansible_extravars_existing_hosts.yml last. This is a deliberate choice that allows you to override any general scenario settings from ansible_extravars.yml with platform-specific values for your existing hosts deployment.
Final Outcome and Next Steps
Upon successful completion of the steps outlined in this guide, you will have a fully operational Standard SAP S/4HANA system on existing hosts. The entire deployment will be automated through Ansible, ensuring consistency and repeatability.
Your new environment includes:
- An SAP HANA Database
- A Primary Application Server
Next Steps
With the technical installation complete, you can now proceed with post-installation tasks, such as:
- System Validation: Performing health checks and verifying functionality.
- SAP Configuration: Applying initial SAP basis configurations, such as STMS (SAP Transport Management System) and profile parameter tuning.
- Backup and Recovery: Implementing a robust backup and recovery strategy for the SAP HANA database and application servers.
- Monitoring: Integrating the new landscape with your existing monitoring solutions.
This automated approach not only accelerates the initial deployment but also provides a solid foundation for managing the lifecycle of your SAP systems.