SAP PCE Customer Checklist For AWS - v1.8
SAP PCE Customer Checklist For AWS - v1.8
SAP PCE Customer Checklist For AWS - v1.8
The processes and details as described in this document are only valid for SAP S/4HANA private cloud edition services
operated by SAP as the delivery organization. These processes and details may be different if the services are delivered
by an SAP Partner / supplier.
The first section of this document contains the form which must be completed by you and returned to your Cloud
Architect in order to begin the build process of your systems. In the event you need further clarification or guidance on
any of the data being collected, please refer to the referenced section number for a more detailed description and
guidance.
Please note, SAP S/4HANA private cloud edition will be delivered on SAP HANA Enterprise Cloud (HEC) infrastructure.
Some documents in this checklist refer to “HANA Enterprise Cloud” or “HEC”, however these documents are also valid
for your S/4HANA private cloud edition installation.
*SAP clients will be delivered per default and can’t be changed prior system deployment
** only applicable if Best Practice Activation is in scope
Note: Only for GxP compliant PCE contracts. It’s important to involve GxP certified Cloud Architect and Advisory
specialist early enough to cover GxP relevant aspects, which might lead to a segregation of the Installation numbers, due
to the GxP/internal compliance and governance reasons and other points, which could affect delivery delays.
Back to Top
To create and operate your SAP S/4HANA private cloud edition systems, SAP requires an S-user that is assigned to your
software license/subscription for technical team. The SAP Team will be responsible for requesting license keys for new
systems, system data maintenance, entering Service and Incident requests as needed, and opening the Support
Connection (with prior approval) for application related support. Please refer to this link, if you want to learn more
about the authorizations concept.
Your company's Super Administrators can manage your S-users and S-user authorizations themselves. Note that for
security reasons, SAP is not allowed to create SAP Service Marketplace S-users for customers or assign authorizations to
such S-users besides the initial user.
Note: If your Super Administrator is not known, left the company or should be reassigned to another person, please
refer to the SAP Note 2596214 to get an information on how to solve this issue.
To create new S-users, the Super Administrator chooses the following path in the SAP Support Portal: Launchpad → User
Management → Request Users. Please fill in the information in the pop-up window and complete the form with
“Submit” button. Please assign the first name “SAP” and last name “Service” to this new S-user. When assigning
additional contact data such as phone number and/or e-mail address please DO NOT assign contact data of an SAP
employee. A customer email address is to be used for the initial activation of the Service S-User, recommendation is to
use a shared email account. The creation of the user can take up to 24 hours. Once the user has been created, the
administrator assigns the authorizations.
Note: When the PCE Service is initiated, a unique Installation Number for PCE is generated. This number may not be
available when you are creating the S-user for PCE. Therefore, create the S-user and assign the Authorizations at the
Customer level. Your PCE Engagement Lead (EL) will notify you when the Installation Number has been generated,
afterwards you can reassign the Authorizations based on your company’s policy.
Please set the authorizations “Display all incidents”, “Edit my Login Data”, “Software Download” for this S-User on a
Global authorization level, so SAP delivery and operating colleagues can use it. Please set all remaining authorizations
for this S-User on a Customer authorization level (or Installation if Installation Number is already available).
For a guidance of how to set authorizations to a S-User please check SAP Note 1511008.
*NOTE: If you want the PCE Technical S-User to process billable service requests on your behalf, please also assign this
authorization. You can add this right anytime if you see a requirement for this during the term of your contract.
Back to Top
Please find a detailed description regarding each of the items and deliver the requested information.
PCE Template Product DEV DEV QAS QAS PRD App PRD
App DB SID App DB SID SID DB SID
SID SID
Additional Tenant S/4HANA SSx (1- HSx (1- n/a n/a n/a n/a
9) 9)
Additional Tenant Web Wxx n/a n/a n/a n/a n/a
Dispatcher (01-99)
Analytics BOBJ DBD n/a n/a n/a PBO n/a
Analytics Lumira DLU n/a n/a n/a PLU n/a
BW/4HANA BW/4HANA DBW HDB n/a n/a PBW HPB
BW/4HANA Web WB1 n/a n/a n/a WB2 / WB3 n/a
Dispatcher
CAR CAR DCA HDC QCA HQC PCA HPC
Cloud Connector Cloud DCL n/a n/a n/a PCL n/a
Connector
Convergent Charging Convergent DCC HCD QCC HCQ PCC HCP
Charging
DS-Agent CPI-DS Agent DSD n/a n/a n/a PDS / PDD n/a
EIM DP Agent EIM DP Agent DDP n/a n/a n/a PDP n/a
EWM EWM DEW HDW QEW HQW PEW HPW
EWM Web WW1 n/a WW2 n/a WW3 / n/a
Dispatcher WW4
Fiori Hub Fiori DFH n/a QFH n/a PFH n/a
Fiori Hub Web FW1 n/a FW2 n/a FW3 / FW4 n/a
Dispatcher
GTS GTS DGT HDG QGT HQG PGT HPG
Optimizer for S/4HANA Optimizer DOS n/a n/a n/a POS n/a
Embedded TM
PO PO DOP n/a QOP n/a POP n/a
S/4HANA S/4HANA DS4 HD4 QS4 HQ4 PS4 HP4
S/4HANA Web WS1 n/a n/a n/a WS3 / WS4 n/a
Dispatcher
SAC Agent SAC Agent DSA n/a n/a n/a PSA n/a
SLT SLT DSL n/a QSL n/a PSL n/a
Solution Manager Solman ABAP NSD HDS n/a n/a n/a n/a
Documentation
Solution Manager Solman JAVA DSJ n/a n/a n/a n/a n/a
Documentation
Solution Manager Full Solman ABAP DFS HFD n/a n/a PFS HFP
Solution Manager Full Solman JAVA DFJ n/a n/a n/a PFJ n/a
Transportation TM DPM HDP n/a n/a PTM HPP
Management
Transportation Web n/a n/a n/a n/a n/a n/a
Management Dispatcher
Transportation Optimizer DOE n/a n/a n/a POE n/a
Management
NOTE - Any change of SAP SIDs after provisioning will incur additional cost and downtime.
Back to Top
NOTE:
Production system will be the transport domain controller.
BW to be embedded in the production client as this is required for embedded analytics. Fiori will be activated on
production client (100).
Additional clients can be requested after system provisioning by raising a Service Request.
Back to Top
DE – German
EN - English
FR - French
ES – Spanish
IT - Italian
PT - Portuguese
RU – Russian
ZH – Chinese (simplified)
KR – Korean
JP – Japanese
AR – Arabic
Additional languages can be deployed after system setup by raising a service request.
Note! If you have chosen “Option 2 - USE BP activation during initial build” for Best Practice activation, you can add
additional system languages in the list above, so that they all will be installed during initial system provisioning.
Languages deployed after BestPractices activation will NOT be automatically available for already activated
BestPractices. It is highly recommended to define the languages prior BestPractices activation
For NON-PRODUCTIVE instances the provided downtime window must be specified as a one concrete day from Monday
to Friday in the month, e.g.: first Monday of a month, Third Friday each month, but once per month and not for the
weekends for DEV/QAS/TST/SBX Computing Environments.
For PRODUCTIVE instances the provided downtime window must be specified as a one concrete day on the weekends in
the month, e.g.: first Saturday of each month, third Sunday of each month etc., but once per month and only for
weekends for PROD Computing Environment.
Please fill in the information per SID to the matrix below or in case you want to have the same timeframe for all NON-
PROD instances and for all PROD the same as well, please describe it generally.
Service Organization Controls (SOC1) are a series of accounting standards that measure the control of financial
information for a service organization. They are covered under both the SSAE 16 and the ISAE 3402 professional
standards.
Back to Top
1. Option 1 – Decision is whether NOT CLEAR YET to use Best Practice Activation or NOT TO USE Best Practice
activation at all
That means that the customer does not include BP activation steps into initial system build process and a
standard system build will be foreseen. Empty freshly installed systems will be handed over to the customer.
If customer decides not to use BP content in their implementation project at all, no further steps required.
If the customer decides to activate Best Practices later 3, the customer needs to take into account that:
a. All required additional languages are installed in the systems 2 (if not, raise a Service Request via the
Service Request catalog)
b. BP questionnaire is filled in and raised as a Service Request via the Service Request catalog
c. The impact of these actions is that additional language installation and BP activation activities will lead
to deletion and recreation of working clients in the different tiers (e.g. DEV, QAS, PRD) in order to
enable proper translations of BF activated and of BP content imported and to adhere to the
requirements of S/4HANA BP Admin Guide. Clients deletion may result in any
configurations/developments done so far in the business clients being lost and need to be recreated.
2. Option 2 – Decision is CLEAR TO USE Best Practice activation during initial system build
That means that the customer has decided to include BP tech preparation steps into initial system provisioning
(like additional language installation, business functions activation, client creations) as it’s prescribed in
S/4HANA BP Admin Guide. Thus, the customer must:
a. chose properly all additional languages2 to be used (see section 5.3 Languages)
b. fill in the Best Practices questionnaire prior to the start of the build process (attached below)
The following questionnaire must be filled in and signed off by customer if BP activation is requested. The document has
the following tabs:
2
If Best Practice Activation is required, then it’s a prerequisite for SAP to activate the respective Business Functions related to it during the system
build of the landscape. At its turn, the prerequisite for activating Business Functions, is that all language packs have been installed upfront. Please
note that the decision on the required languages for the entire implementation project is also very important: while you can still add language
packs after Business Function activation, the Business Functions and Best Practices related to those Business Functions will not receive the language
translations for these languages. That’s the reason why language packs must be installed upfront for all languages the implementation project will
need to include. (for more prerequisites of BP activation see S/4HANA BP Admin Guide)
3
In many cases the decision about BP activation cannot be taken during contract signature, or the consulting party has not been selected yet,
hence the decision cannot be based on input by the consulting party. In this case, SAP recommends to not fill in the BP questionnaire for Best
Practice activation yet, select “Option 2” and let the system build go through as a standard build. The freshly installed systems will be handed over
to the customer.
Back to Top
Please provide a network segment with a /22 network mask. For backup purposes an additional /27 network segment is
required.
NOTE: The following IP ranges cannot be assigned to your PCE network and must NOT be used in customer’s remote
network environment to avoid potential routing issues.
Reserved IP ranges
147.204.0.0 /161
169.145.0.0 /162
100.64.0.0 /103
198.18.0.0 /154
Back to Top
1
Global SAP reserved IP range
2
Global SAP reserved IP range
3
Reserved for ISPs Carrier-Grade NAT (CGN) purposes. RFC6598
4
Allocated for network tests. RFC5735
NOTE: To make sure that your network firewalls don’t block outbound traffic towards SAP systems, located in PCE,
please configure your network devices and security policies to allow connectivity on the ports relevant to your project.
This Link provides an information about SAP specific ports. By default, PCE doesn’t filter/restrict any inbound traffic for a
private connectivity from customer’s network.
8.1 Overview
The following section describes the connectivity options to the PCE VPC running at Amazon AWS. There are different
options how to establish a connection to your PCE@AWS environment. Please have a look on the attached document
and provide the necessary information, according to your PCE@AWS project.
NOTE: A process of configuring network integration requires to exchange certain information between SAP and a
customer.
Please follow the questionnaire for your preferred connectivity option, fill it in and share with your
EL.
This is very crucial to accomplish as soon as possible, to secure the timelines for network connectivity.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html
To connect to PCE environment running at AWS cloud via VPN, Site-to-Site VPN is a supported option. Please follow the
link to get more details about this possibility.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
Hint: Amazon also provides configuration snippets for each of the well-known VPN devices. These snippets can be
provided to simplify the configuration on customer side. The list is available here:
To use AWS Direct Connect in an AWS Direct Connect location, some options are possible and need to be decided.
Customer network must support Border Gateway Protocol (BGP) and BGP MD5 authentication.
Optionally Bidirectional Forwarding Detection (BFD) can be configured. Asynchronous BFD is automatically
enabled for AWS Direct Connect virtual interfaces however, will not take effect until configured on customer’s
router.
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/Welcome.html
The AWS account ID that will be connected needs to be provided and after accepting the peering the VPC routing table
must be updated for this option.
Back to Top
The following documents provides an overview of the supported DNS options and DNS integrations scenarios for the SAP
S/4HANA private cloud edition
All servers/services in the PCE customer landscape have specific hostnames within customer’s DNS subdomain
(*.sap.customer.*), provided by the customer. It is mandatory the DNS zone for PCE is “non-overlapping” with
the ones from the customer on premise network. We ask for DNS subdomain.
Inbound Communication (from on-premise Network to PCE)
o DNS Zone Transferring is the only supported scenario , to exchange DNS data between customer’s
internal DNS servers and PCE DNS servers.
Outbound Communication (from PCE to on-premise Network)
o DNS Zone Forwarding is the PCE scenario.
o Customer’s internal DNS server. Customer is responsible for these servers and for administrating
customer domain (*.[customer].[*]) except the PCE Customer subdomain.
o PCE Customer DNS. SAP is responsible for the PCE DNS subdomain (*.sap.[customer].[*]) along as
managing PCE DNS servers.
NOTE: SAP PCE Support will configure outbound connectivity to the default customer domain if you provide the IP
addresses of your DNS servers as mentioned above. Also, if you have other on-premise domains you are already aware
of, that require outbound access from PCE. This can save time as we can configure these during the Onboarding process
NOTE: Customer must open port 53 for bi-directional communication on customer owned firewall for VPN/MPLS
connectivity between customer network and PCE.
Back to Top
Back to Top
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of
other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies
shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any
functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or
platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in
this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and
uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany
and other countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/copyright for additional trademark
information and notices.