Prerequisites #
Before you can start using Emory as your backup solution you will need to ensure that you have a Linke Console account with an active contract or trial, and also that your AWS Account and the EC2 instance where your SAP Database is running are prepared to be used as storage provider.
1. Create your Linke Console Account #

Create account in the Linke Console.
2. Check Supported Operating Systems #
Check in the following list the supported versions for your SAP Database platform.
Hana versions supported:
- HANA 1.0
- HANA 2.0
Check SAP OSS Notes for additional information:
2235581 - SAP HANA: Supported Operating Systems
2458043 - SAP HANA Multistreaming Backup to Backint does not work
Oracle versions supported:
- Oracle 12c
- Oracle 18c
- Oracle 19c
Check SAP OSS Notes for additional:
2478541 - Operating System Requirements for Oracle Database
2358420 - Oracle Database Support for Amazon Web Services EC2
ASE versions supported:
- Sybase 15.7
- Sybase 16.0
Check SAP OSS Notes for additional:
2115010 - How to find platform support information for ASE 15.7? - SAP ASE
2489781 - SAP ASE 16.0 SP03 Supported Operating Systems and Versions
2086750 - ASE versions supported on Amazon Web Services (AWS) via Amazon Machine Images (AMIs) - SAP ASE
3. Prepare your AWS Account #
Ensure Best Performance. To obtain the best performance of your backups it is highly recommended to set up S3 Private Endpoints on the VPC where your EC2 instance is running (There is no additional charge for using gateway endpoint). To ensure that you are using endpoint, see S3 Endpoints.
Before you can start performing your backups using Emory, ensure that the following resources exist in your EC2 instance.
-
S3 Bucket
Ensure that the bucket where your backups will be stored already exists.
Amazon S3 Bucket. If you don’t have a S3 Bucket yet, follow the guidelines described in the following guide to create one.
-
IAM Policy
Create or modify and IAM Policy to meet Emory requirements.
Amazon IAM Policies. If you need additional information, follow the guidelines described in the following guide to create/modify one.
Permission List
AWS Service AWS Permission Description Resource EC2 ec2:DescribeRegions List all available AWS Regions from the Configuration Wizard * EC2 ec2:DescribeInstances Retrieve EC2 Instance tags to be sent to LinkeIT Console (Optional) * S3 s3:ListAllMyBuckets List all Buckets in AWS Account from the Configuration Wizard * S3 s3:HeadBucket List all CloudFront distributions. * S3 s3:* Allow all operations in the bucket “arn:aws:s3:::<bucket_name>”, “arn:aws:s3:::<bucket_name>/*” KMS kms:ListKeys List all load balancers. * KMS kms:ListAliases Get the name of the S3 bucket containing ELB access logs. * KMS “kms:GetPublicKey” “kms:GenerateDataKey” “kms:Decrypt” “kms:Encrypt” “kms:GetKeyPolicy” Encrypt and decrypt your backups <kms_key_arn> SNS sns:Publish Inform about failed backups via AWS Simple Notification Service <sns_topic_arn> STS sts:AssumeRole Assume a Role from other AWS account <role_arn>
-
IAM Policies templates #
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeRegions" ], "Resource": "*" } ] }
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:HeadBucket" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::<YOUR_BUCKET_NAME>/*", "arn:aws:s3:::<YOUR_BUCKET_NAME>" ] } ] }
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "kms:GetPublicKey", "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:Verify" ], "Resource": [ "arn:aws:kms:eu-west-1:${AWS::AccountId}:key/<KEY_NAME>", "arn:aws:kms:eu-west-1:${AWS::AccountId}:alias/<ALIAS_NAME>" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "kms:ListKeys", "kms:GenerateRandom", "kms:ListAliases" ], "Resource": "*" } ] }
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "sns:Publish", "Resource": "arn:aws:sns:eu-west-1:${AWS::AccountId}:Emory-Topic-Name" } ] }
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AssumeCrossAccountRole", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::<REMOTE_AWS_ACCOUNT_ID>:role/<RemoteRole>" } ] }
-
Attach Policy to EC2
Ensure that the IAM Policies have been added to the EC2 instance profile of your SAP Database server.
Additional Information. Follow the guidelines described in the following guide to do it.
-
-
Remote Role Trusted Settings #
If you want to access to other AWS Account Resources (S3 & KMS or SNS Topic), after generating the IAM policies on remote account, you have to attach them to a Role that will be accessed from your EC2 Instances via STS:AssumeRole.
The role to be used on remote account must have a Trust Relationship that allow the resources to be accesed from remote Role, the one that you attach to your Database EC2 Instances.
Trust RelationShip entity
{ "Version": "2012-10-17", "Statement": [ { "Sid": "TrustingPolicy", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<DATABASE_SERVER_AWS_ACCOUNT>:role/<EC2InstanceRole>" }, "Action": "sts:AssumeRole" } ] }