How to migrate securely to SAP S/4HANA and the SAP Edge Integration Cell with SUSE
Thousands of companies must also master the transition to SAP Integration Suite in conjunction with SAP Edge Integration Cell, while meeting data protection and security requirements imposed by regulations such as NIS2. Solutions from SAP technology partner SUSE can help.
What happens after the discontinuation of SAP ERP ECC 6.0? This question has been on the minds of many SAP customers for years. With the end of support approaching, it is time to make a strategic decision. Some companies are combining the migration with a switch to RISE with SAP and will in future obtain the cloud version of SAP S/4HANA as a managed service from SAP. Other customers want to continue to operate their SAP environment themselves in the future - with a hyperscaler or in their own data center.
Whichever option a company chooses: The aim should always be to make the transition as smooth as possible and to benefit from a secure, scalable and highly available infrastructure for business-critical SAP applications in the future.
SUSE technology blueprint accelerates the transition
As a long-standing strategic technology partner of SAP, SUSE supports companies in their transition to the new ERP generation from SAP. Around 80 percent of all SAP HANA installations today run on SUSE Linux Enterprise Server (SLES) for SAP Applications - and SAP itself also operates the SAP S/4HANA Cloud offering on the SUSE operating system.
Best practices for migrating to SAP S/4HANA have also been gathered from hundreds of successful transformation projects and have now been incorporated into a technology blueprint. The seven-stage model covers all phases of implementation - from provisioning the operating system images and setting up a hardened, fail-safe infrastructure through to continuous optimization, monitoring and documentation of the environment. Companies can use this technology blueprint for both cloud and on-premises implementations, significantly accelerating the transition to SAP S/4HANA.
According to the experience of SAP and SUSE's joint customers, three aspects in particular are crucial for facilitating the transition and avoiding migration risks: extensive automation of operations, a highly available architecture and uncompromising security at all levels.
Automated infrastructure provisioning with SUSE Manager
When operating SAP S/4HANA, IT departments should spend as little time as possible on time-consuming manual activities. A high degree of automation relieves the burden on system administrators and at the same time enables companies to flexibly scale their new SAP environment as business requirements increase. Automated processes are also less prone to errors and therefore improve the reliability and stability of the SAP infrastructure.
Many companies that operate SAP S/4HANA themselves now use tools from SUSE to automate their operational processes. SUSE Manager acts as a central management platform. The solution standardizes configuration and patch management across all staging levels and works seamlessly with automation solutions such as Terraform, Salt and Ansible.
Trento and SAPtune optimize operations
With Trento, SUSE offers a tool for real-time monitoring and analysis of SAP S/4HANA systems. The solution provides detailed insights into the health and performance of the systems, allowing administrators to proactively respond to potential problems before they become serious.
In addition, Trento is implementing automated SAP best practices for the configuration and operation of SAP S/4HANA systems. These best practices help to maximize system stability and performance and ensure that the systems are optimally set up at all times. Trento can also independently identify vulnerabilities, configuration issues and performance bottlenecks and provide specific recommendations on how to resolve these issues.
Finally, with SAPtune, SUSE provides a tool that automates the optimization of system performance. This is achieved through customizable tuning profiles that have been specially developed for SAP S/4HANA. SAPtune's performance optimizations can be implemented without in-depth expert knowledge, which further reduces operational effort.
High availability thanks to automatic failover and live patching
SAP guarantees 99.9 percent availability for the SAP S/4HANA Cloud Public Edition. Companies that operate SAP S/4HANA themselves strive for similar values today. As a rule, any prolonged downtime would immediately have a significant impact on the company's business processes.
The Pacemaker-based SUSE High Availability (HA) Extension supports IT departments in achieving maximum availability and reliability when operating their SAP S/4HANA environments. Pacemaker manages and monitors the resources in a cluster and automatically switches services to another node if one node fails. Functions such as geo-clustering, cross-site data replication and rule-based failover ensure that business operations can be resumed quickly even after unforeseen events.
With SUSE Live Patching, kernel updates can be performed without rebooting the system. Companies can keep their environment up to date and be confident that their SAP S/4HANA environment will continue to run without interruption during updates. This function is particularly important for business-critical applications that rely on the continuous availability and stability of SAP S/4HANA systems.
Last but not least, SUSE Priority Support for SAP also contributes to the high availability of SAP S/4HANA. SUSE supports SAP customers around the clock with all technical questions about their infrastructure. SUSE's support specialists coordinate all requests with other manufacturers involved, such as hardware and software suppliers, and then quickly deliver a solution that provides immediate assistance. This also significantly reduces the risk of unplanned interruptions and longer outages.
BSI certification for NIS2 specification
For many companies, SAP S/4HANA is the heart of their corporate IT. The sensitive data and business processes that are processed using it must be comprehensively protected. Security should therefore be a top priority when planning the new infrastructure.
The live patching function of SUSE is an important tool for minimizing security risks in the SAP infrastructure. Companies can apply security patches for the kernel during operation and do not have to wait until the next maintenance window if a security vulnerability is discovered. This increases the security of the SAP S/4HANA environment and protects against potential attacks and data loss.
SAP users also benefit from the fact that SUSE Linux Enterprise Server has been certified to Common Criteria EAL 4+ by the German Federal Office for Information Security (BSI). This was based on a comprehensive evaluation of the product and all development and security update processes. The Evaluation Assurance Level 4 augmented by ALC_FLR.3 (EAL4+) confirms that SLES fulfills the highest security requirements for the product and the entire supply chain for critical infrastructures.
With this officially recognized certification, users of SLES for SAP Applications also save themselves the trouble of having to evaluate their software supply chain themselves and can prove at any time that their supply chain security has been independently audited. This is an important prerequisite for meeting new legal requirements such as NIS2 and the EU Cyber Resilience Act, to which many SAP customers are currently subject.
Security for SAP S/4HANA
To strengthen cyber resilience, SUSE has also published a Hardening Guide for SLES. This provides instructions and best practices for improving the security of the operating system and covers areas such as user and password management, system and network services, file system and device security as well as logging and auditing.
With SUSE Manager, the security policies and best practices of the Hardening Guide can be automatically applied to all servers in the SAP S/4HANA environment. This makes it very easy to ensure that all systems comply with the security requirements described in the Hardening Guide.
For security control, SUSE Manager can also perform regular OpenSCAP scans on all managed systems. The scan examines the system for known vulnerabilities in installed packages and configurations, based on databases such as CVE (Common Vulnerabilities and Exposures).
The scan also verifies that the system complies with customer-defined security standards and best practices, such as the organization's security requirements or industry-specific standards (such as PCI-DSS, HIPAA). OpenSCAP evaluates the system configurations and compares them with the recommended settings to ensure that the security requirements are implemented correctly.
After the scan, SUSE Manager generates detailed reports on found vulnerabilities, configuration deviations and compliance violations. These reports help administrators to identify and implement necessary security measures. The reports can also be used as evidence for audits or other compliance checks.
SAP's Edge Integration Cell for sensitive data
By 2027, many SAP customers will not only have to migrate to SAP S/4HANA - a successor solution will also be required for SAP PI/PO. The middleware solutions for orchestrating and integrating processes are to be replaced by the SAP Integration Suite in future.
However, not all customers are ready to switch to a fully cloud-based integration solution and want to retain control of sensitive data and interfaces in-house in the future. Organizations from highly regulated industries may also be obliged to do so by compliance or legal requirements. SAP has developed the Edge Integration Cell for these customers.
The Edge Integration Cell is a hybrid solution for the SAP Integration Suite that enables companies to run APIs and integration services locally in their own data center or in a private cloud environment. Developers design their integration flows with the Integration Designer in the cloud and then make them available in a runtime environment in their own network. This enables companies to prevent sensitive data from leaving their network.
Technologically, the first version of the SAP Edge Integration Cell is based on the SUSE solution stack. The containerized application runs in a Kubernetes environment that is managed with Rancher Prime. SUSE Linux Enterprise (SLE) Micro is used as the operating system. The SAP Edge Integration Cell also uses other open source components such as MetalLB, Redis, PostgreSQL and the cloud-native distributed storage platform Longhorn.
Comprehensive protection of the entire software supply chain
Users of the Edge Integration Cell also benefit from all the security advantages of the SUSE solution stack and are thus able, for example, to prepare the Edge Integration Cell for NIS2 requirements. SLE Micro meets the security standard of the Common Criteria EAL 4+-certified SLES operating system thanks to the common code base - including the independently validated software supply chain.
Rancher Prime - the container management platform from the Edge Integration Cell - also has a secure software supply chain. The solution was recently certified according to Supply-chain Levels for Software Artifacts (SLSA). This framework developed by Google aims to ensure the integrity of software when creating binaries. Measures such as an automated build process and complete documentation of origin (Software Bill of Material = SBOM) protect the software from manipulation and enable secure traceability of the source code.
Basis for cloud-native integration scenarios in the SAP environment
The system architecture of the SAP Edge Integration Cell is not only designed for maximum security, but also for high availability. Large SAP customers often operate more than 1000 integration services via the component, sometimes processing more than a million transactions every day. A failure of the Edge Integration Cell would therefore bring a large number of business processes to a standstill.
With Rancher Prime, SAP customers can easily set up a highly available Kubernetes environment for operating the containerized application and flexibly scale the number of nodes as performance requirements increase.
Incidentally, the secure and highly available Kubernetes infrastructure can not only be used for the SAP Edge Integration Cell. Other containerized applications in the SAP environment - self-developed tools as well as third-party apps - can also be provided via the same solution stack. SUSE thus facilitates the seamless connection of any cloud-native applications to SAP systems and creates a future-proof architecture for new integration scenarios.
Product information
To the partner entry: