Troubleshooting AWS Systems Manager for SAP

Database registration failure

Problem – Registration of SAP HANA database on AWS Systems Manager for SAP fails with an error

Resolution – Use the following steps to resolve this error.

Problem – Application DiscoveryStatus: REGISTRATION_FAILED; StatusMessage: The database ARN specified in registration input does not match discovered database connection.

Resolution – The specified --database-arn does not match the database connection discovered on the SAP_ABAP instance. De-register the failed SAP ABAP application registration, and re-register with the correct --database-arn. For more information, see Register your SAP ABAP application with Systems Manager for SAP.

InvalidInstanceIdException

Problem – Error executing SSM document - InvalidInstanceIdException Instances [[<EC2_INSTANCE_ID>]] not in a valid state for account <ACCOUNT_ID> (Service: Ssm, Status Code: 400, Request ID: <REQUEST_ID>)

Resolution – Ensure that your Amazon EC2 instance is active, and that the SSM Agent has been installed. For more information, see Verify AWS Systems Manager (SSM Agent) is running. After verification, deregister, and then re-register your application.

AccessDeniedException

Problem – Discovered 1 SAP instances. {HDB: Unable to decrypt credentials <SECRET_NAME>: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::<ACCOUNT_ID>:assumed-role/<EC2_IAM_ROLE>/<INSTANCE_ID> is not authorized to perform: secretsmanager:GetSecretValue on resource: <SECRET_NAME> because no identity-based policy allows the secretsmanager:GetSecretValue action},{HDB: Failed to discover HANA database ports. Exception type: <class 'IndexError'>}, REGISTER_APPLICATION

Resolution – Ensure that your Amazon EC2 instance is setup correctly. For more information, see Set up required permissions for Amazon EC2 instance running SAP HANA database. The IAM role attached to your Amazon EC2 instance must have the permission to perform secretsmanager:GetSecretValue action. After verification, deregister, and then re-register your application.

ResourceNotFoundException

Problem – ERROR Discovered 1 SAP instances. {HDB: Unable to decrypt credentials <SECRET_NAME>: An error occurred (ResourceNotFoundException) when calling the GetSecretValue operation: Secrets Manager can't find the specified secret.},{HDB: Failed to discover HANA database ports. Exception type: <class 'IndexError'>}, REGISTER_APPLICATION

Resolution – Verify and ensure that you are using the correct SECRET_NAME. For more information, see Register SAP HANA database credentials in AWS Secrets Manager. After verification, deregister, and then re-register your application.

Problem – An error occurred (ResourceNotFoundException) when calling the RegisterApplication operation: Resource cannot be found

Resolution – The --database-arn provided in the registration input parameter does not exist. Ensure that the connected SAP HANA database has been registered as an application with Systems Manager for SAP. The database must be registered before registering the SAP ABAP application. For more information, see Register database.

Invalid control character

Problem – Invalid control character at: line 2 column 32 (char 34)

Resolution – Ensure that the JSON file that contains your SAP HANA database credentials is formatted correctly as a JSON file. Some characters may be pasted incorrectly after copying them from this file. Edit the file to remove line spaces, double quotes, spaces, and tabs. Add the formatted file content to your machine, terminal, and in your file editor. Save the changes to the file and retry registering your database.

Expecting ',' delimiter

Problem – Expecting ',' delimiter: line 1 column 36 (char 35)

Resolution- – Ensure that the JSON file that contains your SAP HANA database credentials is formatted correctly as a JSON file. Some characters may be pasted incorrectly after copying them from this file. Edit the file to remove line spaces, double quotes, spaces, and tabs. Add the formatted file content to your machine, terminal, and in your file editor. Save the changes to the file and retry registering your database.

Maximum limit of resources

Problem – The number of registered resources under your account <ACCOUNTID> has reached max limit

Resolution – With AWS Systems Manager for SAP, you can register up to 10 applications per AWS account. You can add up to 20 SAP HANA databases on each application. For more information, see Quotas for Systems Manager for SAP.

Unauthorized user

Problem – Error executing SSM document - SsmException User: arn:aws:sts::<ACCOUNT_ID>:assumed-role/AWSServiceRoleForAWSSSMForSAP/ssm-sap is not authorized to perform: ssm:SendCommand on resource: arn:aws:ec2:us-east-1:<ACCOUNT_ID>:instance/<INSTANCE_ID> because no identity-based policy allows the ssm:SendCommand action (Service: Ssm, Status Code: 400, Request ID: 25ec41f5-1fa8-4a1a-80ac-6b7e85088d74)

Resolution – Ensure that your Amazon EC2 instance has the SSMForSAPManaged tag with the value True. For more information, see Set up required permissions for Amazon EC2 instance running SAP HANA database.

REFRESH_FAILED; Database connection mismatch

Problem – Application DiscoveryStatus: REFRESH_FAILED; StatusMessage: The database ARN specified in registration input does not match discovered database connection.

Resolution – The specified --database-arn does not match the database connection discovered on the SAP_ABAP instance. Use the UpdateApplicationSettings API to provide the correct --database-arn of your SAP HANA database along with the --application-id of the SAP ABAP application.

aws ssm-sap update-application-settings --application-id --database-arn

Unsupported setup

Problem – SSM-SAP only supports single-node SAP_ABAP deployment.

Resolution – Systems Manager for SAP currently only supports single-node SAP ABAP deployment registration. Your SAP ABAP application must be connected to a single-node SAP HANA instance that resides in the same Amazon EC2 instance. All components belonging to the SAP ABAP application (ASCS, dialog instances, etc.) must also reside on the same Amazon EC2 instance.

Input parameter errors

Problem – An error occurred (ValidationException) when calling the RegisterApplication operation: Credentials and/or instance number is not expected for SAP applications with type SAP_ABAP.

Resolution – --credentials and --sap-instance-number are inapplicable parameters for registering Systems Manager application of type SAP_ABAP. Remove both the parameters from the RegisterApplication call.

Problem – An error occurred (ValidationException) when calling the RegisterApplication operation: The SID and database ARN of ASCS or Application Server must be specified for SAP applications with type SAP_ABAP.

Resolution – The SID and ARN of ASCS of the connected SAP HANA database are required input parameters for registering SAP ABAP application. Ensure that the connected SAP HANA database has been registered as a Systems Manager application before registering SAP ABAP with Systems Manager for SAP. For more information, see Register your SAP ABAP application with Systems Manager for SAP.

Application status: FAILED

Problem – System configuration change detected. To continue using this application as a standalone, for operations like backup/restore through AWS Backup, deregister this application and register again.

Resolution – Systems Manager for SAP does not support moving a highly available (2 nodes) application to a single node system. You must re-register your primary application with the same application ID to ensure that the primary database is associated with the application, and that backup continuity is maintained. Use the following steps.

StartApplication AccessDeniedException

Problem – An error occurred (AccessDeniedException) when calling the StartApplication operation: User: arn:aws:sts::<account_id> :assumed-role/<role_name> is not authorized to perform: ssm-sap:StartApplication on resource: arn:aws:ssm-sap:<region>: <account_id>:HANA/<hana_application_id>

Possible cause – When the StartApplication operation is performed on an SAP ABAP application and the procedure includes starting its connected HANA application, you must have the necessary IAM permissions to run ssm-sap:StartApplication on the connected application. Without those permissions, the error message will occur.

Resolution – Add the permission ssm-sap:StartApplication against the HANA application to the role of the user calling StartApplication.

StartApplication ConflictException

Problem – Start Application can not be run on an already running application. Run ssm-sap start-application-refresh --application-id <ApplicationId> to ensure that the ssm-sap status reflects the current application state.

Possible cause – The application you attempted to start is already running.

Resolution – Refresh SAP application to ensure the ssm-sap status reflects the current application state.

StartApplication ValidationException

Problem – An error occurred (ValidationException) when calling the StartApplication operation: Caller lacks permissions to start Amazon EC2 instances

Possible cause – When the StartApplication operation includes starting the Amazon EC2 instances running the SAP application, you must have the necessary IAM permissions to run ec2:StartInstances on the corresponding Amazon EC2 instances. Without those permissions, the error message will occur.

Resolution – Add the permission ec2:StartInstances permission against the Amazon EC2 hosts of the SAP application to the role of the user calling StartApplication.

StopApplication AccessDeniedException

Problem – An error occurred (AccessDeniedException) when calling the StopApplication operation: User: arn:aws:sts::<account_id>:assumed-role/<role_name> is not authorized to perform: ssm-sap:StopApplication on resource:arn:aws:ssm-sap:<region>:<account_id>:HANA/<hana_application_id>

Possible cause – When the StopApplication operation is performed on an SAP ABAP application and the procedure includes starting its connected HANA application, you must have the necessary IAM permissions to run ssm-sap:StopApplication on the connected application. Without those permissions, the error message will occur.

Resolution – Add the permission ssm-sap:StopApplication against the HANA application to the role of the user calling StopApplication.

StopApplication ConflictException

Problem – An error occurred (ConflictException) when calling the StopApplication operation: The specified component is already stopped. or An error occurred (ConflictException) when calling the StopApplication operation: The specified component is not in a state that can be started or stopped.

Possible cause – If your application status or status of the components are stale, the StopApplication operation can result in these or similar ConflictExceptions.

Resolution –

Possible cause – If the SSMForSAPManaged:True tag has not been applied to the EC2 instance.

Resolution – Apply the SSMForSAPManaged:True tag to the EC2 instance.

StopApplication ValidationException

Problem – An error occurred (ValidationException) when calling the StopApplication operation: Caller lacks permissions to stop Amazon EC2 instances

Possible cause – When the StopApplication operation includes stopping the Amazon EC2 instances running the SAP application, you must have the necessary IAM permissions to run ec2:StopInstances on the corresponding EC2 instances. Without those permissions, the error message will occur.

Resolution – Add the permission ec2:StopInstances permission against the Amazon EC2 hosts of the SAP application to the role of the user calling StopApplication.

Unsupported sslenforce setup

Problem – HANA error code: 4321. HANA error message: connection failed: only secure connections are allowed

Resolution – Set sslenfore to flase in the global.ini file.