Getting Started with Trento

Table of Contents

1. What is Trento?
2. Lifecycle
3. Requirements
- 3.1. Trento Server requirements
- 3.2. SAP requirements
- 3.3. Trento Agent requirements
- 3.4. Network requirements
- 3.5. Installation prerequisites
4. Installing Trento Server
- 4.1. Kubernetes deployment
- 4.2. systemd deployment
- 4.3. Automated deployment with Ansible
5. Installing Trento Agents
6. Prometheus integration
- 6.1. Requirements
- 6.2. Kubernetes deployment
- 6.3. systemd deployment
7. User management
8. Single Sign-On integration
- 8.1. User Roles and Authentication
- 8.2. Using OpenID Connect
- 8.3. Using OAuth 2.0
- 8.4. Using SAML
9. Activity Log
10. Performing configuration checks
11. Checks Customization
- 11.1. Overview of checks Customization
- 11.2. Target-specific Check Customization
- 11.3. Required permissions
- 11.4. Customizable checks
- 11.5. Check Customization Persistence
12. Using Trento Web
- 12.1. Getting the global health state
- 12.2. Viewing the status
- 12.3. Viewing the status of hosts
- 12.4. Viewing the Pacemaker cluster status
- 12.5. Viewing the SAP Systems status
- 12.6. Viewing the SAP HANA database status
13. Housekeeping
14. Managing tags
- 14.1. Adding tags to hosts, clusters, databases, and SAP Systems
- 14.2. Removing tags
- 14.3. Filter by tags
15. Integration with SUSE Multi-Linux Manager
16. Rotating API keys
17. Personal Access Tokens
- 17.1. Creating a Personal Access Token
- 17.2. Using a Personal Access Token
- 17.3. Deleting a Personal Access Token
- 17.4. Notes for user admins
18. Updating Trento Server
19. Updating a Trento Agent
20. Updating Trento Checks
21. Uninstalling Trento Server
22. Uninstalling a Trento Agent
23. Reporting an Issue
24. Problem Analysis
- 24.1. Trento Server
- 24.2. Scenario dump script
- 24.3. Pods descriptions and logs
25. Compatibility matrix between Trento Server and Trento Agents
26. Highlights of Trento versions
27. More information

1. What is Trento?

Trento is the official version of the Trento community project. It is a comprehensive monitoring solution consisting of two main components: the Trento Server and the Trento Agent. Trento provides the following functionality and features:

A user-friendly reactive Web interface for SAP Basis administrators.
Automated discovery of Pacemaker clusters using SAPHanaSR classic or angi as well as different fencing mechanisms, including diskless SBD.
Automated discovery of SAP systems running on ABAP or JAVA stacks and HANA databases.
Awareness of maintenance situations in a Pacemaker cluster at cluster, node, or resource level.
Configuration validation for SAP HANA Scale-Up Performance/Cost-optimized, SAP HANA Scale-out and ASCS/ERS clusters deployed on Azure, AWS, GCP or on-premises bare metal platforms, including KVM and Nutanix.
Useful information that offers insights about the execution of configuration checks.
Delivery of configuration checks decoupled from core functionality.
Email alerting for critical events in the monitored landscape.
Integration of saptune into the console and specific configuration checks at host and cluster levels.
Information about relevant patches and upgradable packages for registered hosts via integration with SUSE Multi-Linux Manager.
Monitoring of CPU and memory usage at the host level through basic integration with Prometheus.
API-based architecture to facilitate integration with other monitoring tools.
Rotating API key to protect communication from the Trento Agent to the Trento Server.
Housekeeping capabilities.

The Trento Server is an independent, distributed system designed to run on a Kubernetes cluster or as a regular systemd stack. The Trento Server provides a Web front-end for user interaction. The Trento Server consists of the following components:

The web component that acts as a control plane responsible for internal and external communications as well as rendering the UI.
The checks engine named wanda that orchestrates the execution of configuration checks.
A PostgreSQL database for data persistence.
The RabbitMQ message broker for communicating between the checks engine and the agents.
A Prometheus instance that retrieves the metrics collected by the Prometheus node exporter in the registered hosts. This Prometheus instance is optional in a systemd deployment.

The Trento Agent is a single background process (trento-agent) running on each monitored host of the SAP infrastructure.

See Architectural overview for additional details.

Figure 1. Architectural overview

2. Lifecycle

Trento is part of SUSE Linux Enterprise Server for SAP applications, and it is available since version 15 SP3. Trento’s two main components have the following product lifecycles:

Trento Agent

Delivery mechanism: RPM package for SUSE Linux Enterprise Server for SAP applications 15 SP3 and newer.
Supported runtime: Supported in SUSE Linux Enterprise Server for SAP applications 15 SP4 and newer, and SUSE Linux Enterprise Server for SAP applications 16.0, on x86_64 and ppc64le architectures.

Trento Server

Delivery mechanisms

A set of container images from the SUSE public registry together with a Helm chart that facilitates their installation or a set of RPM packages for SUSE Linux Enterprise Server for SAP applications 15 SP3 and newer.

Kubernetes deployment

The Trento Server runs on any current Cloud Native Computing Foundation (CNCF)-certified Kubernetes distribution based on a x86_64 architecture. Depending on your scenario and needs, SUSE supports several usage scenarios:

If you already use a CNCF-certified Kubernetes cluster, you can run the Trento Server in it.
If you don’t have a Kubernetes cluster, and need enterprise support, SUSE recommends SUSE SUSE Rancher Prime Kubernetes Engine (RKE) (RKE) version 1 or 2.
If you do not have a Kubernetes enterprise solution but you want to try Trento, SUSE Rancher’s K3s provides you with an easy way to get started. But keep in mind that K3s default installation process deploys a single node Kubernetes cluster, which is not a recommended setup for a stable Trento production instance.

systemd deployments

Supported in SUSE Linux Enterprise Server for SAP applications 15 SP4 and newer, and SUSE Linux Enterprise Server for SAP applications 16.0.

3. Requirements

This section describes requirements for the Trento Server and its Trento Agents.

3.1. Trento Server requirements

Running all the Trento Server components requires a minimum of 4 GB of RAM, two CPU cores and 64 GB of storage. When using K3s, such storage should be provided under /var/lib/rancher/k3s.

Trento is based on event-driven technology. Registered events are stored in a PostgreSQL database with a default retention period of 10 days. For each host registered with Trento, you need to allocate at least 1.5GB of space in the PostgreSQL database.

Trento Server supports different deployment scenarios: Kubernetes and systemd. A Kubernetes-based deployment of Trento Server is cloud-native and OS-agnostic. It can be performed on the following services:

RKE1 (Rancher Kubernetes Engine version 1)
RKE2
a Kubernetes service in a cloud provider
any other CNCF-certified Kubernetes running on x86_64 architecture

A production-ready Kubernetes-based deployment of Trento Server requires Kubernetes knowledge. The Helm chart is intended to be used by customers without in-house Kubernetes expertise, or as a way to try Trento with a minimum of effort. However, Helm chart delivers a basic deployment of the Trento Server with all the components running on a single node of the cluster.

3.2. SAP requirements

An SAP system must run on a HANA database to be discovered by Trento. In addition, the parameter dbs/hdb/dbname must be set in the DEFAULT profile of the SAP system to the correct database (tenant) name.

The agent must be installed in the following locations:

the host where the ASCS instance is running
a host where an application server instance is running
all the database hosts

3.3. Trento Agent requirements

The resource footprint of the Trento Agent is designed to not impact the performance of the host it runs on.

The Trento Agent component needs to interact with several low-level system components that are part of the SUSE Linux Enterprise Server for SAP applications distribution.

The hosts must have unique machine identifiers (ids) in order to be registered in Trento. This means that if a host in your environment is built as a clone of another one, make sure to change the machine’s identifier as part of the cloning process before starting the Trento Agent on it.

Similarly, the clusters must have unique authkeys in order to be registered in Trento.

3.4. Network requirements

The Web component of the Trento Server must be reachable from any Trento Agent host via HTTP (port TCP/80) or via HTTPS (port TCP/443) if SSL is enabled.
The checks engine component of the Trento Server must be reachable from any Trento Agent host via Advanced Message Queuing Protocol or AMQP (port TCP/5672).
The Prometheus component of the Trento Server, if it exists, must be able to reach the Node Exporter in the Trento Agent hosts.
The SAP Basis administrator must access to the Web component of the Trento Server via HTTP (port TCP/80) or via HTTPS (port TCP/443) if SSL is enabled.

3.5. Installation prerequisites

Trento Server For a Kubernetes-based deployment, you must have access to SUSE public registry for the deployment of Trento Server containers. For a systemd deployment, you must have a registered SUSE Linux Enterprise Server for SAP applications 15 (SP4 or higher) or SUSE Linux Enterprise Server for SAP applications 16.0 distribution.
Trento Agents A registered SUSE Linux Enterprise Server for SAP applications 15 (SP3 or higher) distribution.

4. Installing Trento Server

4.1. Kubernetes deployment

The subsection uses the following placeholders:

TRENTO_SERVER_HOSTNAME: the host name used by the end user to access the console.
ADMIN_PASSWORD: the password of the admin user created during the installation process.

The password must meet the following requirements:
- minimum length of 8 characters
- the password must not contain 3 identical numbers or letters in a row (for example, 111 or aaa)
- the password must not contain 4 sequential numbers or letters (for example, 1234, abcd, ABCD)

By default, the provided Helm chart uses Traefik as ingress class
Main usages are related to:

path rewriting
endpoint protection

Find traefik specific usages here, and in case another ingress controller is used, please adapt accordingly.

4.1.1. Installing Trento Server on an existing Kubernetes cluster

Trento Server consists of a several components delivered as container images and intended for deployment on a Kubernetes cluster. A manual production-ready deployment of these components requires Kubernetes knowledge. Customers without in-house Kubernetes expertise and who want to try Trento with a minimum of effort, can use the Trento Helm chart. This approach automates the deployment of all the required components on a single Kubernetes cluster node. You can use the Trento Helm chart to install Trento Server on a existing Kubernetes cluster as follows:

Install Helm:

curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash

Connect Helm to an existing Kubernetes cluster.

Use Helm to install Trento Server with the Trento Helm chart:

helm upgrade \
   --install trento-server oci://registry.suse.com/trento/trento-server \
   --set global.trentoWeb.origin=TRENTO_SERVER_HOSTNAME \
   --set trento-web.adminUser.password=ADMIN_PASSWORD

When using a Helm version lower than 3.8.0, an experimental flag must be set as follows:

HELM_EXPERIMENTAL_OCI=1 helm upgrade \
   --install trento-server oci://registry.suse.com/trento/trento-server \
   --set global.trentoWeb.origin=TRENTO_SERVER_HOSTNAME \
   --set trento-web.adminUser.password=ADMIN_PASSWORD

To verify that the Trento Server installation was successful, open the URL of the Trento Web (http://TRENTO_SERVER_HOSTNAME) from a workstation on the SAP administrator’s LAN.

4.1.2. Installing Trento Server on K3s

If you do not have a Kubernetes cluster, or have one but do not want to use it for Trento, SUSE Rancher’s K3s provides an alternative. To deploy Trento Server on K3s, you need a small server or VM (see Trento Server requirements for minimum requirements) and follow steps in Manually installing Trento on a Trento Server host.

The following procedure deploys Trento Server on a single-node K3s cluster. Note that this setup is not recommended for production use.

Manually installing Trento on a Trento Server host

Install K3s either as root or a non-root user.

Installing as user root:

curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_SELINUX_RPM=true sh

Installing as a non-root user:

curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_SELINUX_RPM=true sh -s - --write-kubeconfig-mode 644

Install Helm as root.

curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash

Set the KUBECONFIG environment variable for the same user that installed K3s:
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

With the same user that installed K3s, install Trento Server using the Helm chart:

helm upgrade \
   --install trento-server oci://registry.suse.com/trento/trento-server \
   --set global.trentoWeb.origin=TRENTO_SERVER_HOSTNAME \
   --set trento-web.adminUser.password=ADMIN_PASSWORD

When using a Helm version lower than 3.8.0, an experimental flag must be set as follows:

HELM_EXPERIMENTAL_OCI=1 helm upgrade \
   --install trento-server oci://registry.suse.com/trento/trento-server \
   --set global.trentoWeb.origin=TRENTO_SERVER_HOSTNAME \
   --set trento-web.adminUser.password=ADMIN_PASSWORD

Monitor the creation and start-up of the Trento Server pods, and wait until they are ready and running:
watch kubectl get pods
All pods must be in the ready and running state.
Log out of the Trento Server host.
To verify that the Trento Server installation was successful, open the URL of the Trento Web (http://TRENTO_SERVER_HOSTNAME) from a workstation on the SAP administrator’s LAN.

4.1.3. Deploying Trento Server on selected nodes

If you use a multi-node Kubernetes cluster, it is possible to deploy Trento Server images on selected nodes by specifying the field nodeSelector in the helm upgrade command as follows:

HELM_EXPERIMENTAL_OCI=1 helm upgrade \
   --install trento-server oci://registry.suse.com/trento/trento-server \
   --set global.trentoWeb.origin=TRENTO_SERVER_HOSTNAME \
   --set trento-web.adminUser.password=ADMIN_PASSWORD \
   --set prometheus.server.nodeSelector.LABEL=VALUE \
   --set postgresql.primary.nodeSelector.LABEL=VALUE \
   --set trento-web.nodeSelector.LABEL=VALUE \
   --set trento-runner.nodeSelector.LABEL=VALUE

4.1.4. Configuring event pruning

The event pruning feature allows administrators to manage how long registered events are stored in the database and how often the expired events are removed.

The following configuration options are available:

pruneEventsOlderThan: The number of days registered events are stored in the database. The default value is 10. Keep in mind that pruneEventsOlderThan can be set to 0. However, this deletes all events whenever the cron job runs, making it impossible to analyze and troubleshoot issues with the application
pruneEventsCronjobSchedule: The frequency of the cron job that deletes expired events. The default value is "0 0 * * *", which runs daily at midnight.

To modify the default values, execute the following Helm command:

helm ... \
    --set trento-web.pruneEventsOlderThan=<<EXPIRATION_IN_DAYS>> \
    --set trento-web.pruneEventsCronjobSchedule="<<NEW_SCHEDULE>>"

Replace the placeholders with the desired values:

EXPIRATION_IN_DAYS: Number of days to retain events in the database before pruning.
NEW_SCHEDULE: The cron rule specifying how frequently the pruning job is performed.

Example command to retain events for 30 days and schedule pruning daily at 3 AM:

helm upgrade \
  --install trento-server oci://registry.suse.com/trento/trento-server \
  --set global.trentoWeb.origin=TRENTO_SERVER_HOSTNAME \
  --set trento-web.adminUser.password=ADMIN_PASSWORD \
  --set trento-web.pruneEventsOlderThan=30 \
  --set trento-web.pruneEventsCronjobSchedule="0 3 * * *"

4.1.5. Enabling email alerts

Email alerting feature notifies the SAP Basis administrator about important changes in the SAP Landscape being monitored by Trento.

The reported events include the following:

Host heartbeat failed
Cluster health detected critical
Database health detected critical
SAP System health detected critical

This feature is disabled by default. It can be enabled at installation time or anytime at a later stage. In both cases, the procedure is the same and uses the following placeholders:

SMTP_SERVER: The SMTP server designated to send email alerts
SMTP_PORT: Port on the SMTP server
SMTP_USER: User name to access SMTP server
SMTP_PASSWORD: Password to access SMTP server
ALERTING_SENDER: Sender email for alert notifications
ALERTING_RECIPIENT: Recipient email for alert notifications.

The command to enable email alerts is as follows:

HELM_EXPERIMENTAL_OCI=1 helm upgrade \
   --install trento-server oci://registry.suse.com/trento/trento-server \
   --set global.trentoWeb.origin=TRENTO_SERVER_HOSTNAME \
   --set trento-web.adminUser.password=ADMIN_PASSWORD \
   --set trento-web.alerting.enabled=true \
   --set trento-web.alerting.smtpServer=SMTP_SERVER \
   --set trento-web.alerting.smtpPort=SMTP_PORT \
   --set trento-web.alerting.smtpUser=SMTP_USER \
   --set trento-web.alerting.smtpPassword=SMTP_PASSWORD \
   --set trento-web.alerting.sender=ALERTING_SENDER \
   --set trento-web.alerting.recipient=ALERTING_RECIPIENT

4.1.6. Enabling SSL

Ingress may be used to provide SSL termination for the Web component of Trento Server. This would allow to encrypt the communication from the agent to the server, which is already secured by the corresponding API key. It would also allow HTTPS access to the Web console with trusted certificates.

Configuration must be done in the tls section of the values.yaml file of the chart of the Trento Server Web component.

For details on the required Ingress setup and configuration, refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/. Particularly, refer to section https://kubernetes.io/docs/concepts/services-networking/ingress/#tls for details on the secret format in the YAML configuration file.

Additional steps are required on the Agent side.

4.2. systemd deployment

A systemd-based installation of the Trento Server using RPM packages can be performed manually on the latest supported versions of SUSE Linux Enterprise Server for SAP applications, from 15 SP4 up to 16. For installations on service packs other than the current one, make sure to update the repository URL as described in the relevant notes throughout this guide.

Supported versions:

SUSE Linux Enterprise Server for SAP applications 15: SP4–SP7
SUSE Linux Enterprise Server for SAP applications 16.0

4.2.1. List of dependencies

4.2.2. Install Trento dependencies

Install PostgreSQL

The current instructions are tested with the following PostgreSQL versions:

SUSE Linux Enterprise Server for SAP applications	PostgreSQL Version
15 SP4	14.10
15 SP5	15.5
15 SP6	16.9
15 SP7	17.5
16.0	17.6

Using a different version of PostgreSQL may require different steps or configurations, especially when changing the major number. For more details, refer to the official PostgreSQL documentation.

Install PostgreSQL server:
```
zypper in postgresql-server
```
Enable and start PostgreSQL server:
```
systemctl enable --now postgresql
```

Configure PostgreSQL

Start psql with the postgres user to open a connection to the database:
```
su - postgres
psql
```

Initialize the databases in the psql console:

CREATE DATABASE wanda;
CREATE DATABASE trento;
CREATE DATABASE trento_event_store;

Create the users:

CREATE USER wanda_user WITH PASSWORD 'wanda_password';
CREATE USER trento_user WITH PASSWORD 'web_password';

Grant required privileges to the users and close the connection:

\c wanda
GRANT ALL ON SCHEMA public TO wanda_user;
\c trento
GRANT ALL ON SCHEMA public TO trento_user;
\c trento_event_store;
GRANT ALL ON SCHEMA public TO trento_user;
\q

You can exit from the psql console and postgres user.

Allow the PostgreSQL database to receive connections to the respective databases and users. To do this, add the following to /var/lib/pgsql/data/pg_hba.conf:

host   wanda                      wanda_user    0.0.0.0/0     scram-sha-256
host   trento,trento_event_store  trento_user   0.0.0.0/0     scram-sha-256

The pg_hba.conf file works sequentially. This means that the rules on the top have preference over the ones below. The example above shows a permissive address range. So for this to work, the entires must be written at the top of the host entries. For further information, refer to the pg_hba.conf documentation.

Allow PostgreSQL to bind on all network interfaces in /var/lib/pgsql/data/postgresql.conf by changing the following line:
```
listen_addresses = '*'
```
Restart PostgreSQL to apply the changes:
```
systemctl restart postgresql
```

Install RabbitMQ

Install RabbitMQ server:
```
zypper install rabbitmq-server
```
Allow connections from external hosts by modifying /etc/rabbitmq/rabbitmq.conf, so the Trento-agent can reach RabbitMQ:
```
listeners.tcp.default = 5672
```

If firewalld is running, add a rule to firewalld:

firewall-cmd --zone=public --add-port=5672/tcp --permanent;
firewall-cmd --reload

Enable the RabbitMQ service:
```
systemctl enable --now rabbitmq-server
```

Configure RabbitMQ

To configure RabbitMQ for a production system, follow the official suggestions in the RabbitMQ guide.

Create a new RabbitMQ user:

rabbitmqctl add_user trento_user trento_user_password

Create a virtual host:
```
rabbitmqctl add_vhost vhost
```

Set permissions for the user on the virtual host:

rabbitmqctl set_permissions -p vhost trento_user ".*" ".*" ".*"

4.2.3. Install Trento using RPM packages

The trento-web and trento-wanda packages are available by default on supported SUSE Linux Enterprise Server for SAP applications distributions.

Install Trento web, wanda and checks:

zypper install trento-web trento-wanda

Create the configuration files

Both services depend on respective configuration files. They must be placed in /etc/trento/trento-web and /etc/trento/trento-wanda respectively, and examples of how to modify them are available in /etc/trento/trento-web.example and /etc/trento/trento-wanda.example.

You can create the content of the secret variables such as SECRET_KEY_BASE, ACCESS_TOKEN_ENC_SECRET and REFRESH_TOKEN_ENC_SECRET using openssl:

openssl rand -out /dev/stdout 48 | base64

Also ensure that a valid hostname, FQDN, or IP address is configured in TRENTO_WEB_ORIGIN when using HTTPS. Otherwise, WebSocket connections will fail, preventing real-time updates in the web interface.

trento-web configuration

# /etc/trento/trento-web
AMQP_URL=amqp://trento_user:trento_user_password@localhost:5672/vhost
DATABASE_URL=ecto://trento_user:web_password@localhost/trento
EVENTSTORE_URL=ecto://trento_user:web_password@localhost/trento_event_store
ENABLE_ALERTING=false
CHARTS_ENABLED=false
ADMIN_USER=admin
ADMIN_PASSWORD=trentodemo
ENABLE_API_KEY=true
PORT=4000
TRENTO_WEB_ORIGIN=trento.example.com
SECRET_KEY_BASE=some-secret
ACCESS_TOKEN_ENC_SECRET=some-secret
REFRESH_TOKEN_ENC_SECRET=some-secret
CHECKS_SERVICE_BASE_URL=/wanda
OAS_SERVER_URL=https://trento.example.com

The ADMIN_PASSWORD variable must must meet the following requiements:

minimum of 8 characters
the password not contain 3 consecutive identical numbers or letters (for example, 111 or aaa)
the password must not contain 4 consecutive numbers or letters (for example, 1234, abcd, ABCD)

The ENABLE_ALERTING enables the alerting system to receive email notifications. Set ENABLE_ALERTING to true and add additional variables to the /etc/trento/trento-web, to enable the feature.

# /etc/trento/trento-web
ENABLE_ALERTING=true
ALERT_SENDER=<<SENDER_EMAIL_ADDRESS>>
ALERT_RECIPIENT=<<RECIPIENT_EMAIL_ADDRESS>>
SMTP_SERVER=<<SMTP_SERVER_ADDRESS>>
SMTP_PORT=<<SMTP_PORT>>
SMTP_USER=<<SMTP_USER>>
SMTP_PASSWORD=<<SMTP_PASSWORD>>

trento-wanda configuration

# /etc/trento/trento-wanda
CORS_ORIGIN=http://localhost
AMQP_URL=amqp://trento_user:trento_user_password@localhost:5672/vhost
DATABASE_URL=ecto://wanda_user:wanda_password@localhost/wanda
PORT=4001
SECRET_KEY_BASE=some-secret
OAS_SERVER_URL=https://trento.example.com/wanda
AUTH_SERVER_URL=http://localhost:4000

Start the services

In some SUSE Linux Enterprise Server for SAP applications environments, SELinux may be enabled and set to enforcing mode by default. If Trento services fail to start or show permission-related errors, check the SELinux status:

getenforce

If SELinux is set to enforcing, switch it to permissive mode either temporarily or permanently:

Temporary change (until reboot):
```
setenforce 0
```
Permanent change (persists after reboot):

Edit /etc/selinux/config and set:
```
SELINUX=permissive
```

Enable and start the services:

systemctl enable --now trento-web trento-wanda

Monitor the services

Use journalctl to check if the services are up and running correctly. For example:

journalctl -fu trento-web

4.2.4. Check the health status of trento web and wanda

You can check if Trento web and wanda services function correctly by accessing accessing the healthz and readyz API.

Check Trento web health status using curl:

curl http://localhost:4000/api/readyz

curl http://localhost:4000/api/healthz

Check Trento wanda health status using curl:

curl http://localhost:4001/api/readyz

curl http://localhost:4001/api/healthz

If Trento web and wanda are ready, and the database connection is set up correctly, the output should be as follows:

{"ready":true}{"database":"pass"}

4.2.5. Install and configure NGINX

Install NGINX package:
```
zypper install nginx
```

If firewalld is running, add firewalld rules for HTTP and HTTPS:

firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --reload

Start and enable NGINX:
```
systemctl enable --now nginx
```

Create a /etc/nginx/conf.d/trento.conf Trento configuration file:

map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

upstream web {
  server 127.0.0.1:4000 max_fails=5 fail_timeout=60s;
}

upstream wanda {
  server 127.0.0.1:4001 max_fails=5 fail_timeout=60s;
}

server {
    # Redirect HTTP to HTTPS
    listen 80;
    server_name trento.example.com;
    return 301 https://$host$request_uri;
}

server {
    server_name trento.example.com;
    listen 443 ssl;

    ssl_certificate /etc/nginx/ssl/certs/trento.crt;
    ssl_certificate_key /etc/ssl/private/trento.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Wanda rule
    location /wanda/  {
        allow all;

        # Proxy Headers
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Cluster-Client-Ip $remote_addr;

        # Important Websocket Bits!
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Add final slash to replace the location path value by the value in proxy_pass
        # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
        proxy_pass http://wanda/;
    }

    # Web rule
    location / {
        # this endpoint should not be accessible publicly
        # it is internally used by wanda to introspect access tokens and personal access tokens
        location /api/session/token/introspect {
            deny all;
            return 404;
        }

        allow all;

        # Proxy Headers
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Cluster-Client-Ip $remote_addr;

        # The Important Websocket Bits!
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass http://web;
    }
}

4.2.6. Prepare SSL certificate for NGINX

Create or provide a certificate for NGINX to enable SSL for Trento.

Create a self-signed certificate

Generate a self-signed certificate:

Adjust subjectAltName = DNS:trento.example.com by replacing trento.example.com with your domain and change the value 5 to the number of days for which you need the certificate to be valid. For example, -days 365 for one year.

openssl req -newkey rsa:2048 --nodes -keyout trento.key -x509 -days 5 -out trento.crt -addext "subjectAltName = DNS:trento.example.com"

Copy the generated trento.key to a location accessible by NGINX:
```
cp trento.key /etc/ssl/private/trento.key
```
Create a directory for the generated trento.crt file. The directory must be accessible by NGINX:
```
mkdir -p /etc/nginx/ssl/certs/
```
Copy the generated trento.crt file to the created directory:
```
cp trento.crt /etc/nginx/ssl/certs/trento.crt
```
Check the NGINX configuration:
```
nginx -t
```
If the configuration is correct, the output should be as follows:
```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
If there are issues with the configuration, the output indicates what needs to be adjusted.
Enable NGINX:
```
systemctl restart nginx
```

Create a signed certificate with Let’s Encrypt using PackageHub repository

Only available for SLE 15 SP4-SP7, for SLE 16.0 use alternatives or the Self-signed certificate option.

Enable the PackageHub repository (replace x.x with your OS version, for example 15.7):
```
SUSEConnect --product PackageHub/x.x/x86_64
zypper refresh
```

Install Certbot and its NGINX plugin:

Service Packs include version-specific Certbot NGINX plugin packages, for example python311-certbot-nginx or python3-certbot-nginx. Install the package available in the Service Pack you currently use.

zypper install certbot python311-certbot-nginx

Obtain a certificate and configure NGINX with Certbot:

Replace example.com with your domain. For more information, refer to Certbot instructions for NGINX
```
certbot --nginx -d trento.example.com
```
Certbot certificates are valid for 90 days. Refer to the above link for details on how to renew certificates.

4.2.7. Accessing the trento-web UI

Pin the browser to https://trento.example.com. You should be able to login using the credentials specified in the ADMIN_USER and ADMIN_PASSWORD environment variables.

4.3. Automated deployment with Ansible

An automated installation of Trento Server using on RPM packages or Docker images can be performed with a Ansible playbook. For further information, refer to the Trento Ansible project.

5. Installing Trento Agents

Before you can install a Trento Agent, you must obtain the API key of your Trento Server. Proceed as follows:

Open the URL of the Trento Web console. It prompts you for a user name and password:
Enter the credentials for the admin user (specified during installation of Trento Server).
Click Login.
When you are logged in, go to Settings:
Click the Copy button to copy the key to the clipboard.

Install the Trento Agent on an SAP host and register it with the Trento Server as follows:

Install the package:

> sudo zypper ref
> sudo zypper install trento-agent

Open the configuration file /etc/trento/agent.yaml and uncomment (remove the # character) the entries for facts-service-url, server-url and api-key. Update the values if necessary:
- facts-service-url: the address of the AMQP RabbitMQ service used for communication with the checks engine (wanda). The correct value of this parameter depends on how Trento Server was deployed.
  
  In a Kubernetes deployment, it is amqp://trento:trento@TRENTO_SERVER_HOSTNAME:5672/. If the default RabbitMQ username and password (trento:trento) were updated using Helm, the parameter must use a user-defined value.
  
  In a systemd deployment, the correct value is amqp://TRENTO_USER:TRENTO_USER_PASSWORD@TRENTO_SERVER_HOSTNAME:5672/vhost. If TRENTO_USER and TRENTO_USER_PASSWORD have been replaced with custom values, you must use them.
- server-url: URL for the Trento Server (http://TRENTO_SERVER_HOSTNAME)
- api-key: the API key retrieved from the Web console
- node-exporter-target: specifies IP address and port for node exporter as <ip_address>:<port>. In situations where the host has multiple IP addresses and/or the exporter is listening to a port different from the default one, configuring this settings enables Prometheus to connect to the correct IP address and port of the host.
If SSL termination has been enabled on the server side, you can encrypt the communication from the agent to the server as follows:
1. Provide an HTTPS URL instead of an HTTP one.
2. Import the certificate from the Certificate Authority that has issued your Trento Server SSL certificate into the Trento Agent host as follows:
  1. Copy the CA certificate in the PEM format to /etc/pki/trust/anchors/. If the CA certificate is in the CRT format, convert it to PEM using the following openssl command:
    
    openssl x509 -in mycert.crt -out mycert.pem -outform PEM
  2. Run the update-ca-certificates command.

Start the Trento Agent:

> sudo systemctl enable --now trento-agent

Check the status of the Trento Agent:

> sudo systemctl status trento-agent
● trento-agent.service - Trento Agent service
     Loaded: loaded (/usr/lib/systemd/system/trento-agent.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2021-11-24 17:37:46 UTC; 4s ago
   Main PID: 22055 (trento)
      Tasks: 10
     CGroup: /system.slice/trento-agent.service
             ├─22055 /usr/bin/trento agent start --consul-config-dir=/srv/consul/consul.d
             └─22220 /usr/bin/ruby.ruby2.5 /usr/sbin/SUSEConnect -s

[...]

Repeat this procedure on all SAP hosts that you want to monitor.

6. Prometheus integration

Prometheus Server is a Trento Server component responsible for pulling the Memory and CPU utilization metrics collected by the node-exporter in the agent hosts and serving them to the web component. The web component renders the metrics as dynamic graphical charts in the details view of the registered hosts.

6.1. Requirements

The node-exporter must be installed and running in the agent hosts and Prometheus Server must be able to reach the agent hosts at the IP address and port that the node-exporter is bound to.

The IP address and port that Prometheus Server uses to reach the node-exporter can be changed by setting parameter node-exporter-target with value <ip_address>:<port> in the agent configuration file.

If the parameter is not set, Prometheus Server uses the lowest IPv4 address discovered in the host with default port 9100.

6.2. Kubernetes deployment

When using the Helm chart to deploy Trento Server on a Kubernetes cluster, an image of Prometheus Server is deployed automatically. No further actions are required by the user, other than ensuring that it can reach the node-exporter in the agent hosts.

In a Kubernetes cluster with multiple nodes, the user can select on which node to deploy the Prometheus Server by adding the following flag to the Helm installation command:

--set prometheus.server.nodeSelector.LABEL=<value>

Where <value> is the label assigned to the node where the user wants Prometheus Server to be deployed.

6.3. systemd deployment

In a systemd deployment of Trento Server, you can choose between using an existing installation of Prometheus Server, installing a dedicated Prometheus Server instance, or not using Prometheus Server at all.

6.3.1. Use an existing installation

If you already have an existing Prometheus Server that you want to use with Trento Server, you must set CHARTS_ENABLED=true and PROMETHEUS_URL pointing to the right address and port in the Trento Web configuration file. You must restart restart the Trento Web service to enable the changes.

The lowest required Prometheus Server version is 2.28.0.

Use the section Install Prometheus on SUSE Linux Enterprise Server for SAP applications 16.0 as a reference to adjust the Prometheus Server configuration.

6.3.2. Install Prometheus Server from SUSE Package Hub on SUSE Linux Enterprise Server for SAP applications 15.x

SUSE Package Hub packages are tested by SUSE but are not officially supported as part of the SUSE Linux Enterprise Server for SAP applications base product. Users should assess the suitability of these packages based on their own risk tolerance and support needs.

Enable the SUSE Package Hub repository (replace 15.x with the version of your operating system, for example 15.7):

SUSEConnect --product PackageHub/15.x/x86_64
zypper refresh

Now proceed with the same steps as in Install Prometheus on SUSE Linux Enterprise Server for SAP applications 16.0.

6.3.3. Install Prometheus on SUSE Linux Enterprise Server for SAP applications 16.0

Create the Prometheus user and group:

groupadd --system prometheus
useradd -s /sbin/nologin --system -g prometheus prometheus

Install Prometheus using Zypper:

zypper in golang-github-prometheus-prometheus

Configure Prometheus for Trento by replacing or updating the existing configuration at /etc/prometheus/prometheus.yml with:

global:
  scrape_interval: 30s
  evaluation_interval: 10s

scrape_configs:
  - job_name: "http_sd_hosts"
    honor_timestamps: true
    scrape_interval: 30s
    scrape_timeout: 30s
    scheme: http
    follow_redirects: true
    http_sd_configs:
      - follow_redirects: true
        refresh_interval: 1m
        url: http://localhost:4000/api/prometheus/targets

Note: the value of the url parameter above assumes that the Trento Web service is running in the same host as Prometheus Server.

Enable and start the Prometheus service:
```
systemctl enable --now prometheus
```
If firewalld is running, allow Prometheus to be accessible and add an exception to firewalld:
```
firewall-cmd --zone=public --add-port=9090/tcp --permanent
firewall-cmd --reload
```
Set CHARTS_ENABLED=true and PROMETHEUS_URL=http://localhost:9090 in the Trento Web configuration file and restart the Trento Web service.
```
systemctl restart trento-web
```
Note: the value of the PROMETHEUS_URL parameter above assumes that the Trento Web service is running in the same host as Prometheus Server.

6.3.4. Not using Prometheus Server

If you decide not to use Prometheus Server in your Trento installation, you must disable graphical charts in the UI by setting CHARTS_ENABLED=false in the Trento Web configuration file.

7. User management

Trento provides a local permission-based user management feature with optional multi-factor authentication. This feature enables segregation of duties in the Trento interface and ensures that only authorized users with the right permissions can access it.

User management actions are performed in the Users view in the left-hand side panel of the Trento Web.

By default, a newly created user is granted display access rights except for the Users view. Where available, a user with default access can configure filters and pagination settings matching their preferences.

To perform protected actions, the user must have additional permissions added to their user profile. Below is the list of currently available permissions:

all:users: grants full access to user management actions under the Users view
all:checks_selection: grants check selection capabilities for any target in the registered environment for which checks are available
all:checks_execution: grants check execution capabilities for any target in the registered environment for which checks are available and have been previously selected
all:tags: allows creation and deletion of the available tags
cleanup:all: allows triggering housekeeping actions on hosts where agents heartbeat is lost and SAP or HANA instances that are no longer found
all:settings: grants changing capabilities on any system settings under the Settings view
all:all: grants all the permissions above

Using the described permissions, it is possible to create the following types of users:

User managers: users with all:users permissions
SAP Basis administrator with Trento display-only access: users with default permissions
SAP Basis administrator with Trento configuration access: users with all:checks_selection, all:tags and all:settings permissions
SAP Basis administrator with Trento operation access: users with all:check_execution and cleanup:all permissions.

The default admin user created during the installation process is granted all:all permissions and cannot be modified or deleted. Use it only to create the first user manager (a user with all:users permissions who creates all the other required users). Once a user with all:users permissions is created, the default admin user must be treated as a fallback user in case all other access to the console is lost. If the password of the default admin user is lost, it can be reset by updating the Helm chart or the web component configuration, depending on which deployment method was used to install Trento Server.

User passwords, including the default admin user password, must follow the rules below:

Password must contain at least 8 characters
The same number or letter must not be repeated three or more times in a row (for example: 111 or aaa)
Password must not contain four consecutive numbers or letters (for example: 1234, abcd or ABCD)

The Create User and Edit User views provide a built-in password generation button that allows user managers to easily generate secure and compliant passwords. The user manager must provide the user with their password through an authorized secure channel.

A user can reset their password in the Profile view. In this view, they can also update their name and email address as well as activate multi-factor authentication using an authenticator app. Multi-factor authentication increases the security of a user account by requesting a temporary second password or code when logging in the console. User managers can disable multi-factor authentication for any given user that has it enabled. However, user managers cannot enable multi-factor authentication on their behalf. The default admin user cannot enable its own multi-factor authentication.

Security Tip for Multi-Factor Authentication

Since multi-factor authentication cannot be enabled for the default admin user, keeping its password safe is imperative. If the default admin user’s password is compromised, reset it immediately by updating the Helm chart or the web component configuration, depending on which deployment method was used to install Trento Server.

User managers can enable and disable users. When a user logged in the console is disabled by a user admin, their session is terminated immediately.

8. Single Sign-On integration

Trento can be integrated for Single Sign-On (SSO) with a third-party identity provider (IDP).

Trento cannot start with multiple SSO options together, so only one can be chosen.

The following protocols are supported:

OpenID Connect (OIDC)
Open Authorization 2.0 (OAuth 2)
Security Assertion Markup Language (SAML)

8.1. User Roles and Authentication

User authentication is entirely managed by the IDP, which is responsible for maintaining user accounts. A user, who does not exist on the IDP, is unable to access the Trento web console.

During the installation process, a default admin user is defined using the ADMIN_USER variable, which defaults to admin. If the authenticated user’s IDP username matches this admin user’s username, that user is automatically granted all:all permissions within Trento.

User permissions are entirely managed by Trento, they are not imported from the IDP. The permissions must be granted by some user with all:all or all:users rights (admin user initially). This means that only basic user information is retrieved from the external IDP.

8.2. Using OpenID Connect

Trento integrates with an IDP that uses the OIDC protocol to authenticate users accessing the Trento web console.

By default, OIDC is disabled.

8.2.1. Enabling OpenID Connect when using kubernetes deployment

To enable OIDC when using kubernetes deployment with helm, add the following variables to the previously documented helm installation command:

HELM_EXPERIMENTAL_OCI=1 helm ... \
   --set trento-web.oidc.enabled=true \
   --set trento-web.oidc.clientId=<OIDC_CLIENT_ID> \
   --set trento-web.oidc.clientSecret=<OIDC_CLIENT_SECRET> \
   --set trento-web.oidc.baseUrl=<OIDC_BASE_URL>

8.2.2. Enabling OpenID Connect when using RPM packages

To enable OIDC when using RPM packages, proceed as follows:

Open the file /etc/trento/trento-web.

Add the following environment variables to this file. Required variables are:

ENABLE_OIDC=true
OIDC_CLIENT_ID=<OIDC_CLIENT_ID>
OIDC_CLIENT_SECRET=<OIDC_CLIENT_SECRET>
OIDC_BASE_URL=<OIDC_BASE_URL>

Optionally, add the OIDC callback URL to the configuration. This can be useful if for some reason the default callback URL cannot be used, for example, if http is used instead of https. Use the next variable for that:
OIDC_CALLBACK_URL=<OIDC_CALLBACK_URL>
Restart the application.

8.2.3. Available variables for OpenID Connect

OIDC_CLIENT_ID: OIDC client id
OIDC_CLIENT_SECRET: OIDC client secret
OIDC_BASE_URL: OIDC base url
OIDC_CALLBACK_URL: OIDC callback url where the IDP is redirecting once the authentication is completed (default value: https://#{TRENTO_WEB_ORIGIN}/auth/oidc_callback)

8.3. Using OAuth 2.0

Trento integrates with an IDP that uses the OAuth 2 protocol to authenticate users accessing the Trento web console.

By default, OAuth 2.0 is disabled.

8.3.1. Enabling OAuth 2.0 when using kubernetes deployment

To enable OAuth 2.0 when using kubernetes deployment with helm, proceed as follows:

Add the following variables to the previously documented helm installation command:

HELM_EXPERIMENTAL_OCI=1 helm ... \
   --set trento-web.oauth2.enabled=true \
   --set trento-web.oauth2.clientId=<OAUTH2_CLIENT_ID> \
   --set trento-web.oauth2.clientSecret=<OAUTH2_CLIENT_SECRET> \
   --set trento-web.oauth2.baseUrl=<OAUTH2_BASE_URL> \
   --set trento-web.oauth2.authorizeUrl=<OAUTH2_AUTHORIZE_URL> \
   --set trento-web.oauth2.tokenUrl=<OAUTH2_TOKEN_URL> \
   --set trento-web.oauth2.userUrl=<OAUTH2_USER_URL>

Additionally, the following optional values are available:

HELM_EXPERIMENTAL_OCI=1 helm ... \
   --set trento-web.oauth2.scopes=<OAUTH2_SCOPES>

8.3.2. Enabling OAuth 2.0 when using RPM packages

To enable OAuth 2.0 when using RPM packages, proceed as follows:

Open the file /etc/trento/trento-web.

Add the following environment variables to this file. Required variables are:

# Required:
ENABLE_OAUTH2=true
OAUTH2_CLIENT_ID=<OAUTH2_CLIENT_ID>
OAUTH2_CLIENT_SECRET=<OAUTH2_CLIENT_SECRET>
OAUTH2_BASE_URL=<OAUTH2_BASE_URL>
OAUTH2_AUTHORIZE_URL=<OAUTH2_AUTHORIZE_URL>
OAUTH2_TOKEN_URL=<OAUTH2_TOKEN_URL>
OAUTH2_USER_URL=<OAUTH2_USER_URL>

# Optional:
OAUTH2_SCOPES=<OAUTH2_SCOPES>
OAUTH2_CALLBACK_URL=<OAUTH2_CALLBACK_URL>

Restart the application.

8.3.3. Available variables for OAuth 2.0

OAUTH2_CLIENT_ID: OAUTH2 client id
OAUTH2_CLIENT_SECRET: OAUTH2 client secret
OAUTH2_BASE_URL: OAUTH2 base url
OAUTH2_AUTHORIZE_URL: OAUTH2 authorization url
OAUTH2_TOKEN_URL: OAUTH2 token url
OAUTH2_USER_URL: OAUTH2 token url
OAUTH2_SCOPES: OAUTH2 scopes, used to define the user values sent to the SP. It must be adjusted depending on IDP provider requirements (default value: profile email)
OAUTH2_CALLBACK_URL: OAUTH2 callback url where the IDP is redirecting once the authentication is completed (default value: https://#{TRENTO_WEB_ORIGIN}/auth/oauth2_callback)

8.4. Using SAML

Trento integrates with an IDP that uses the SAML protocol to authenticate users accessing the Trento web console. Trento will behave as a Service Provider (SP) in this case.

Commonly, SAML protocol messages are signed with SSL. This is optional using Trento, and the signing is not required (even though it is recommended). If the IDP signs the messages, and expect signed messages back, certificates used by the SP (Trento in this case) must be provided to the IDP, the public certificate file in this case.

To use an existing SAML IDP, follow the next instructions to met the specific requirements. You need:

Obtain metadata content from the IDP
Start Trento to generate the certificates and get them (SAML must be enabled for this)
Provide the generated certificate to the IDP
Configure SAML IDP and user profiles

See the following subsections for details.

8.4.1. Obtaining metadata content from the IDP

The metadata.xml file defines the agreement between SP and IDP during SAML communications. It is used to identify the SAML client as well. The content of this file must be provided to Trento. Options SAML_METADATA_URL and SAML_METADATA_CONTENT are available for that.

If the SAML_METADATA_CONTENT option is being used, the content of this variable must be updated with the IDP metadata as single line string. On the other hand, if SAML_METADATA_URL is used, the new metadata is automatically fetched when Trento starts. If neither of these steps are completed, communication will fail because the message signatures will not be recognized.

If the used IDP has the endpoint to provide the metadata.xml file content, prefer the variable SAML_METADATA_URL. Trento will automatically fetch metadata when started.

8.4.2. Getting certificates from Trento

Trento provides a certificates set created during the installation. Regardless of the installation mode, when Trento is installed the first time and SAML is enabled the certificates are created and the public certificate file content is available in the https://#{TRENTO_WEB_ORIGIN}/api/public_keys route.

Use the following command to get the certificate content:

curl https://#{TRENTO_WEB_ORIGIN}/api/public_keys

Copy the content of the certificate from there and provide it to the IDP. This way, the IDP will sign its messages and verify the messages received from Trento.

To get the certificate using this route Trento must be configured to start with SAML enabled.

8.4.3. Configuring SAML IDP setup

Configure the existing IDP with the next minimum options to be able to connect with Trento as a Service Provider (SP).

Providing certificates

As commented previously, a set of certificates is needed to enable signed communication. Provide the certificate generated by Trento to the IDP (each IDP has a different way to do this). Make sure that the configured certificate is used for signing and encrypting messages.

Configuring SAML user profile

Users provided by the SAML installation must have some few mandatory attributes to login in Trento. The required attributes are: username, email, first name and last name. All of them are mandatory, even though their field names are configurable.

By default, Trento expects the username, email, firstName and lastName attribute names. All these 4 attribute names are configurable using the next environment variables, following the same order: SAML_USERNAME_ATTR_NAME, SAML_EMAIL_ATTR_NAME, SAML_FIRSTNAME_ATTR_NAME and SAML_LASTNAME_ATTR_NAME.

Both IDP and Trento must know how these 4 fields are mapped. To do this, follow the next instructions:

Add the attributes if they don’t exist in the IDP user profile. If they already exist, don’t change the attributes and keep their original values.
Configure Trento to use the IDP attribute field names. To do this, set the SAML_USERNAME_ATTR_NAME, SAML_EMAIL_ATTR_NAME, SAML_FIRSTNAME_ATTR_NAME and SAML_LASTNAME_ATTR_NAME environment values with the values configured in the IDP. For example, if the IDP user profile username is defined as attr:username use SAML_USERNAME_ATTR_NAME=attr:username.

Checking SAML redirect URI

After a successful login, the IDP redirects the user’s session back to Trento and redirected at https://trento.example.com/sso/sp/consume/saml. To ensure seamless SSO, this URI must be configured as valid within the IDP.

8.4.4. Enabling SAML when using kubernetes deployment

To enable SAML when using kubernetes deployment with helm, proceed as follows:

Add the following variables to the previously documented helm installation command:

HELM_EXPERIMENTAL_OCI=1 helm ... \
   --set trento-web.saml.enabled=true \
   --set trento-web.saml.idpId=<SAML_IDP_ID> \
   --set trento-web.saml.spId=<SAML_SP_ID> \
   --set trento-web.saml.metadataUrl=<SAML_METADATA_URL>

To use the SAML_METADATA_CONTENT option rather than SAML_METADATA_URL use:

HELM_EXPERIMENTAL_OCI=1 helm ... \
   --set trento-web.saml.enabled=true \
   --set trento-web.saml.idpId=<SAML_IDP_ID> \
   --set trento-web.saml.spId=<SAML_SP_ID> \
   --set trento-web.saml.metadataContent=<SAML_METADATA_CONTENT>

Additionally, the following optional values are available:

HELM_EXPERIMENTAL_OCI=1 helm ... \
   --set trento-web.saml.idpNameIdFormat=<SAML_IDP_NAMEID_FORMAT> \
   --set trento-web.saml.spDir=<SAML_SP_DIR> \
   --set trento-web.saml.spEntityId=<SAML_SP_ENTITY_ID> \
   --set trento-web.saml.spContactName=<SAML_SP_CONTACT_NAME> \
   --set trento-web.saml.spContactEmail=<SAML_SP_CONTACT_EMAIL> \
   --set trento-web.saml.spOrgName=<SAML_SP_ORG_NAME> \
   --set trento-web.saml.spOrgDisplayName=<SAML_SP_ORG_DISPLAYNAME> \
   --set trento-web.saml.spOrgUrl=<SAML_SP_ORG_URL> \
   --set trento-web.saml.usernameAttrName=<SAML_USERNAME_ATTR_NAME> \
   --set trento-web.saml.emailAttrName=<SAML_EMAIL_ATTR_NAME> \
   --set trento-web.saml.firstNameAttrName=<SAML_FIRSTNAME_ATTR_NAME> \
   --set trento-web.saml.lastNameAttrName=<SAML_LASTNAME_ATTR_NAME> \
   --set trento-web.saml.signRequests=<SAML_SIGN_REQUESTS> \
   --set trento-web.saml.signMetadata=<SAML_SIGN_METADATA> \
   --set trento-web.saml.signedAssertion=<SAML_SIGNED_ASSERTION> \
   --set trento-web.saml.signedEnvelopes=<SAML_SIGNED_ENVELOPES>

8.4.5. Enabling SAML when using RPM packages

To enable SAML when using RPM packages, proceed as follows:

Open the file /etc/trento/trento-web.

Add the following environment variables to this file. Required variables are:

# Required:
ENABLE_SAML=true
SAML_IDP_ID=<SAML_IDP_ID>
SAML_SP_ID=<SAML_SP_ID>
# Only SAML_METADATA_URL or SAML_METADATA_CONTENT must by provided
SAML_METADATA_URL=<SAML_METADATA_URL>
SAML_METADATA_CONTENT=<SAML_METADATA_CONTENT>

# Optional:
SAML_IDP_NAMEID_FORMAT=<SAML_IDP_NAMEID_FORMAT>
SAML_SP_DIR=<SAML_SP_DIR>
SAML_SP_ENTITY_ID=<SAML_SP_ENTITY_ID>
SAML_SP_CONTACT_NAME=<SAML_SP_CONTACT_NAME>
SAML_SP_CONTACT_EMAIL=<SAML_SP_CONTACT_EMAIL>
SAML_SP_ORG_NAME=<SAML_SP_ORG_NAME>
SAML_SP_ORG_DISPLAYNAME=<SAML_SP_ORG_DISPLAYNAME>
SAML_SP_ORG_URL=<SAML_SP_ORG_URL>
SAML_USERNAME_ATTR_NAME=<SAML_USERNAME_ATTR_NAME>
SAML_EMAIL_ATTR_NAME=<SAML_EMAIL_ATTR_NAME>
SAML_FIRSTNAME_ATTR_NAME=<SAML_FIRSTNAME_ATTR_NAME>
SAML_LASTNAME_ATTR_NAME=<SAML_LASTNAME_ATTR_NAME>
SAML_SIGN_REQUESTS=<SAML_SIGN_REQUESTS>
SAML_SIGN_METADATA=<SAML_SIGN_METADATA>
SAML_SIGNED_ASSERTION=<SAML_SIGNED_ASSERTION>
SAML_SIGNED_ENVELOPES=<SAML_SIGNED_ENVELOPES>

Restart the application.

8.4.6. Available variables for SAML

SAML_IDP_ID: SAML IDP id
SAML_SP_ID: SAML SP id
SAML_METADATA_URL: URL to retrieve the SAML metadata xml file. One of SAML_METADATA_URL or SAML_METADATA_CONTENT is required
SAML_METADATA_CONTENT: One line string containing the SAML metadata xml file content (SAML_METADATA_URL has precedence over this)
SAML_IDP_NAMEID_FORMAT: SAML IDP name id format, used to interpret the attribute name. Whole urn string must be used (default value: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified)
SAML_SP_DIR: SAML SP directory, where SP specific required files (such as certificates and metadata file) are placed (default value: /etc/trento/saml)
SAML_SP_ENTITY_ID: SAML SP entity id. If it is not given, value from the metadata.xml file is used
SAML_SP_CONTACT_NAME: SAML SP contact name (default value: Trento SP Admin)
SAML_SP_CONTACT_EMAIL: SAML SP contact email (default value: admin@trento.suse.com)
SAML_SP_ORG_NAME: SAML SP organization name (default value: Trento SP)
SAML_SP_ORG_DISPLAYNAME: SAML SP organization display name (default value: SAML SP build with Trento)
SAML_SP_ORG_URL: SAML SP organization url (default value: https://www.trento-project.io/)
SAML_USERNAME_ATTR_NAME: SAML user profile "username" attribute field name. This attribute must exist in the IDP user (default value: username)
SAML_EMAIL_ATTR_NAME: SAML user profile "email" attribute field name. This attribute must exist in the IDP user (default value: email)
SAML_FIRSTNAME_ATTR_NAME: SAML user profile "first name" attribute field name. This attribute must exist in the IDP user (default value: firstName)
SAML_LASTNAME_ATTR_NAME: SAML user profile "last name" attribute field name. This attribute must exist in the IDP user (default value: lastName)
SAML_SIGN_REQUESTS: Sign SAML requests in the SP side (default value: true)
SAML_SIGN_METADATA: Sign SAML metadata documents in the SP side (default value: true)
SAML_SIGNED_ASSERTION: Require to receive SAML assertion signed from the IDP. Set to false if the IDP doesn’t sign the assertion (default value: true)
SAML_SIGNED_ENVELOPES: Require to receive SAML envelopes signed from the IDP. Set to false if the IDP doesn’t sign the envelopes (default value: true)

9. Activity Log

Trento collects system events and user actions in the Activity Log. It can be accessed from the left-hand side panel of the Trento console.

Each entry in the Activity Log includes the following:

A timestamp: the day and time (UTC timezone) the system event or the user action occurred
A message: type of the occurred event or user action
The user that triggered the event or performed the action. User system is used for events triggered by the system itself.
Severity status (Info, Warning, and Critical are selected by default)

Clicking on the chevron icon in the activity log entry opens a modal window containing the activity metadata.

It is possible to search the activity metadata of the activity log entries. You can use wildcards as well as the OR and AND logical operators for advanced search queries. The OR operator is applied by default, meaning that a query like term1 term2 term3 is treated as term1 OR term2 OR term3. You can combine multiple logical operators, keeping in mind that they are parsed from left to right.

The Activity Log allows you to filter by the type of event or user action (commonly referred to as resource type), by the user that triggered the event or performed the action, and by severity status. Only active users are available for filtering. The Activity Log also allows you to filter out entries that are newer and/or older than an specific date and time (UTC timezone).

Once a filter has been set, click Apply to filter out the undesired entries and Reset to remove all the filters.

Entries related to user management can only be displayed by users that have the all:all or all:users permissions. This includes the following:

Login attempts
User creations
User modifications
User deletions
Profile updates

The Activity Log features a privacy-related access level controlled through the activity_log:users permission. For users without this permission, user-related info in the Activity Log is redacted. Unprivileged users can only see their own user names as well as user system.

Entries in the Activity Log are sorted from newer to older. Click Refresh to update the Activity Log view with entries generated since they accessed the view or after the last refresh. You can also enable the auto-refresh feature by selecting the desired auto-refresh interval.

The pagination features at the bottom of the Activity Log allow you to specify the number of entries to display in a page, go to the next or previous page of the view, and jump to the last page and back to first one.

The default retention time for entries in the Activity Log is one month. This can be changed in the Activity Log section under Settings. Changing the retention time requires the all:settings permissions. Entries older than the specified retention time are deleted every day at midnight (UTC timezone).

10. Performing configuration checks

Trento provides configuration checks that ensure your infrastructure setup adheres to our or other vendor’s Best Practices, and it does not diverge with time. Configuration checks are available for HANA clusters, ASCS/ERS clusters and hosts. The following procedure is specific to a HANA cluster. The procedure for an ASCS/ERS cluster or a host would be exactly the same, except it starts from the corresponding Details view.

Log in to Trento
In the left panel, click Cluster.
In the list, search for a SAP HANA cluster.
Click the desired cluster name in the Name column. The Details view opens.

Figure 2. Pacemaker cluster details
Click the Settings button to change the cluster settings of the respective cluster. For checks to be executed, a checks selection must be made. Select the checks to be executed and click Select Checks for Execution.

Figure 3. Pacemaker Cluster Settings—Checks Selection
You can then either wait for Trento to execute the selected checks or trigger an execution immediately by clicking the button in the Checks Selection tab.
Investigate the result in the Checks Results view. Each row in the view displays a check ID, a short description of the check and the check execution result. Click on a row to open a section that provides information about the execution on each node of the cluster.

Figure 4. Check results for a cluster

The result of a check execution can be passing, warning, critical:
- Passing means that the checked configuration meets the recommendation.
- Warning means that the recommendation is not met but the configuration is not critical for the proper running of the cluster.
- Critical means that either the execution itself failed (for example, a timeout) or the recommendation is not met and is critical for the well-being of the cluster.
  
  Use the filter to narrow the list to specific results (for example, critical).
Click a check’s link to open a modal box with the check description. This displays an abstract and a possible solution to the problem. The References section contains links to the documentation from the different vendors for more context when necessary. Close the modal box by pressing the Esc key or click outside of the box.

For each unmet expected result, there is a detailed view with information about it: what facts were gathered, what values were expected, and what was the result of the evaluation. This helps to understand why a certain configuration check is failing:

Figure 5. Unmet expected result detail view

When checks for a given cluster have been selected, Trento executes them automatically every five minutes, updating the results. A spinning check execution result icon means that an execution is running.

11. Checks Customization

11.1. Overview of checks Customization

Trento makes it possible to adjust expected check values to match target-specific requirements. This can be done directly through the Trento Web console without modifying the original check or impacting other targets.

The Trento web console receives a check catalog from Wanda. In the check selection view of a specific target, you can see all available check categories. Click on a category to expand the list of checks associated with it. If you have the required permissions, a settings icon appears to the right of a customizable check. Click on the settings icon to open a modal window where you can adjust check values.

The check customization modal includes the following elements:

Selected Check ID.
Check description.
Warning message that neither Trento nor SUSE can be held responsible for system malfunctions caused by deviations in the target configuration from best practices.
A list of all customizable check values. Each value includes a value name with the original default check value and an input field with the current customized or default value.
The current target-specific provider.
Save, Reset and Close buttons at the bottom.

The Save button is disabled by default. The button is enabled when the user checks the warning and modifies a value. The custom values are stored in the Wanda’s database, so they persist across system reboots.

The Reset button is enabled only when the check has been customized. Use the button to reverse the changes.

A Modified Pill indicator next to the check ID indicates that the values have been customized. A Reset icon next to the Settings icon can be used to revert to default values.

11.2. Target-specific Check Customization

A check is always executed on a target, which can be a host or a cluster. Users can customize check values specific to the target environment to ensure optimal system performance. Customizations are target-specific, and they do not affect other targets or the original default check values.

11.3. Required permissions

Only admin users and users with the all:checks_customization permission can customize checks. The customization button in the Trento Web console is not shown for users without this permission. If a check has been modified, the modified Pill is shown for all users.

11.4. Customizable checks

All checks with the following value types are customizable:

String
Number
Boolean

User input is validated to ensure that the input value matches the expected type before allowing to save the custom values in Wanda’s database. If the input type is incorrect or mixed, the customization fails, triggering a toast notification, that checks customization failed and a warning message in the modal itself.

11.5. Check Customization Persistence

Customized check values are persistently stored in Wanda’s database. This ensures that any modifications made by users are consistently applied across subsequent executions. Additionally, customized values remain in effect even after system restarts or updates, ensuring continuous adherence to target-specific configurations.

12. Using Trento Web

The left sidebar in the Trento Web contains the following entries:

Dashboard Determine at a glance the health status of your SAP environment.
Hosts Overview of all registered hosts running the Trento Agent.
Clusters Overview of all discovered Pacemaker clusters.
SAP Systems Overview of all discovered SAP Systems; identified by the corresponding system IDs.
HANA Databases Overview of all discovered SAP HANA databases; identified by the corresponding system IDs.
Checks catalog Overview of the catalog of configuration checks that Trento may perform on the different targets (hosts or clusters), cluster types (HANA scale up, HANA scale out or ASCS/ERS) and supported platforms (Azure, AWS, GCP, Nutanix, on-premises/KVM or VMware).
Settings Allows you retrieve and manage the API key for the current installation, configure the connection data for a SUSE Multi-Linux Manager instance, and stablish the retention time for the entries in the activity log.
About Shows the current server version, a link to the GitHub repository of the Trento Web component, and the number of registered SUSE Linux Enterprise Server for SAP applications subscriptions that has been discovered.

12.1. Getting the global health state

The dashboard allows you to determine at a glance the health status of your SAP environment. It is the main page of the Trento Web, and you can always switch to it by clicking on Dashboard in the left sidebar.

The health status of a registered SAP system is the sum of its health status at three different layers representing the SAP architecture:

Hosts Reflects the heartbeat of the Trento Agent and the tuning status returned by saptune (where applicable).
Pacemaker Clusters The status based on the running status of the cluster and the results of the configuration checks.
Database Collects the status of the HANA instances as returned by sapcontrol.
Application instances Summarizes the status of the application instances as returned by sapcontrol.

In addition to the operating system layer, there is also information about the health status of the HA components, where they exist:

Database cluster The status based on the running status of the database cluster and the results of the selected configuration checks.
Application cluster The status based on the running status of the ASCS/ERS cluster and, eventually, the results of the selected configuration checks.

The dashboard groups systems in three different health boxes (see Dashboard with the global health state):

Figure 6. Dashboard with the global health state

Passing: Shows the number of systems with all layers with passing (green) status.
Warning: Shows the number of systems with at least one layer with warning (yellow) status and the rest with passing (green) status.
Critical: Shows the number of systems with at least one layer with critical (red) status.

The health boxes in the dashboard are clickable. Clicking on a box filters the dashboard by systems with the corresponding health status. In large SAP environments, this feature can help the SAP administrator to determine which systems are in a given status.

The icons representing the health summary of a particular layer contain links to the views in the Trento console that can help determine the source of the issue:

Hosts health icon: Link to the Hosts overview filtered by SID equal to the SAPSID and the DBSID of the corresponding SAP system.
Database cluster health icon: Link to the corresponding SAP HANA Cluster Details view.
Database health icon: Link to the corresponding HANA Database Details view.
Application cluster health icon: Link to the corresponding ASCS/ERS Cluster Details view.
Application Instances health icon: Link to the corresponding SAP System Details view.

Grey status is returned when either a component does not exist, or it is stopped (as returned by sapcontrol), or its status is unknown (for instance, if a command to determine the status fails).

Grey statuses are not yet counted in the calculation of the global health status.

12.2. Viewing the status

The status allows you to see if any of the systems need to be examined further.

The following subsection gives you an overview of specific parts of your SAP Landscape to show their state. Each status site shows an overview of the health states.

12.3. Viewing the status of hosts

To display the lists of registered hosts and their details, proceed as follows:

Log in to the Trento Web.
Click the Hosts entry in the left sidebar to show a summary of the state for all hosts.

Figure 7. Hosts entry
To look into the specific host details, click the host name in the respective column to open the corresponding Host details view. If the list is too long, shorten it using the filters.

Clicking on a host name opens the corresponding Host details view the following information:
- Hosts Details section shows the status of both the Trento Agent and the Node Exporter and provides the host name, the cluster name (when applicable), the Trento Agent version and the host IP addresses.
- saptune Summary section provides information generated by saptune. saptune comes with SUSE Linux Enterprise Server for SAP applications, and it allows SAP administrators to ensure that their SAP hosts are properly configured to run the corresponding SAP workloads. The integration of saptune in the Trento console gives the SAP administrator access to the saptune information even when they are not working at operating system level. The integration supports saptune 3.1.0 and higher, and includes the addition of the host tuning status in the aggregated health status of the host.
  
  Figure 8. saptune Summary section
  
  If an SAP workload is running on the host but no saptune or a version lower than 3.1.0 is installed, a warning is added to the aggregated health status of the host. When saptune version 3.1.0 or higher is installed, a details view shows detailed information about the saptune status:
  
  Figure 9. saptune details view
- Check Results summary section shows a summary of the checks execution results for the current host.
- Available Software Updates section shows a summary of the available patches and upgradable packages for the current host when settings for SUSE Multi-Linux Manager are maintained and the host is managed by the SUSE Multi-Linux Manager instance for which connection data has been provided. Refer to section Integration with SUSE Multi-Linux Manager. for further details.
- Monitoring dashboard shows the CPU and memory usage for the specific hosts.
- Provider Details section shows the name of the cloud provider, the name of the virtual machine, the name of the resource group it belongs to, the location, the size of the virtual machine, and other information.
- SAP Instances section lists the ID, SID, type, features, and instance number of any SAP instance running on the host (SAP NetWeaver or SAP HANA).
- SUSE Subscription Details section lists the different components or modules that are part of the subscription. For each component and module, the section shows the architecture, the version and type, the registration and subscription status as well as the start and end dates of the subscription.

12.4. Viewing the Pacemaker cluster status

To display a list of all available Pacemaker clusters and their details, proceed as follows:

Log in to the Trento Web.
Click the Clusters entry in the left sidebar to show a state summary for all Pacemaker clusters.

Figure 10. Pacemaker clusters
To view the specific Pacemaker cluster details, click the cluster name in the appropriate column to open the corresponding Pacemaker cluster details view. If the list is too long, shorten it using filters.

The detail views of a HANA cluster and an ASCS/ERS cluster are different:
- The Settings, Show Results, and Start Execution buttons are used to enable or disable checks and to start them. To execute specific checks, follow the instructions in Step 5 of the Performing configuration checks procedure.
- Top section displays the cloud provider, the cluster type, the HANA log replication mode, the DBSID, the cluster maintenance status, the HANA secondary sync state, the fencing type, when the CIB was last written, and the HANA log operation mode.
- The Checks Results section provides a summary of the check execution results for the particular cluster.
- The Pacemaker Site Details section is split in three subsections: one for each HANA site, and another one for cluster nodes without a HANA workload. For example, in case of a majority maker in a HANA scale out cluster, each HANA site subsection informs about the site role (Primary or Secondary or Failed) and lists the different nodes in the site. Each node entry displays the node status (Online or Maintenance or Other), the roles of the nameserver and indexserver services in that node, the local IPs and any assigned virtual IP address. To view the attributes of that node, the resources running on it and their statuses, click the Details button. Close the view using the key.
- The Stopped Resources section provides a summary of resources which have been stopped on the cluster.
- The SBD/Fencing section shows the status of each SBD device when applicable.
- A top section on the left shows the cloud provider, the cluster type, fencing type, when the CIB was last written and the cluster maintenance status.
- The next top-center multi-tab section shows the SAP SID, the Enqueue Server version, whether the ASCS and ERS are running on different hosts or not, and whether the instance filesystems are resource based or not. When multiple systems share the same cluster, there is a tab for each system in the cluster, and you can scroll left and right to go through the different systems.
- The Checks Results section shows a summary of the results of the last check execution, when applicable.
- The Node Details section shows the following for each node in the cluster: the node status (Online or Maintenance or Other), the host name, the role of the node in the cluster, the assigned virtual IP address and, in case of resource managed filesystems, the full mounting path. To view the attributes and resources associated to that particular node, click Details. Close the view using the key.
  
  This section is system-specific. It shows the information corresponding to the system selected in the multi-tab section above.
- The Stopped Resources section displays a summary of resources which have been stopped on the cluster.
- The SBD/Fencing section shows the status of each SBD device when applicable.

12.5. Viewing the SAP Systems status

To display a list of all available SAP Systems and their details, proceed as follows:

Log in to the Trento Web.
Click the SAP Systems entry in the left sidebar to show a state summary for all SAP Systems.

Figure 11. SAP Systems
To open the SAP System Details view, click the corresponding SID. This view provides the following:
- The name and type of the current SAP System.
- The Layout section lists all instances and their virtual host names, instance numbers, features (processes), HTTP and HTTPS ports, start priorities, and SAPControl statuses.
- The Hosts section shows the host name, the IP address, the cloud provider (when applicable), the cluster name (when applicable), and the Trento Agent version for each listed host. Click the host name to go to the corresponding Host details view.
  
  Figure 12. SAP System Details

12.6. Viewing the SAP HANA database status

To display a list of all available SAP HANA databases and their details, proceed as follows:

Log in to the Trento Web.
Click the HANA databases entry in the left sidebar to show a summary of the state for all SAP HANA databases.

Figure 13. HANA databases
Click one of the SIDs to open the corresponding HANA Databases detail view. This view provides the following:
- The name and type of this SAP System.
- The Layout section lists all related SAP HANA instances with their virtual host names, instance numbers, features (roles), HTTP/HTTPS ports, start priorities, and SAPControl statuses.
- The Hosts section lists the hosts where all related instances are running. For each host, it shows the host name, the local IP address(es), the cloud provider (when applicable), the cluster name (when applicable), the system ID, and the Trento Agent version.
  
  Click on a host name to go to the corresponding Host details view.
  
  Figure 14. HANA Database details

13. Housekeeping

When the heartbeat of an agent fails, an option to clean-up the corresponding host is displayed in the Hosts overview and the corresponding Host details view.

Figure 15. Clean up button in Hosts overview

Figure 16. Clean up button in Host details view

Use the Clean up button to remove all the components discovered by the agent in the host (including the host itself and other components that might depend on the ones running on the host) from the console.

For example, when cleaning up the host where the primary application server of an SAP System is registered, the entire SAP System is removed from the console.

Similarly, when a registered application or SAP HANA instance is no longer discovered, an option to clean it up is displayed in the corresponding overview and the corresponding details view.

Figure 17. Clean up button SAP systems overview

trento-cleanup-sap-instance-details-view

Figure 18. Clean up button in SAP system details view

Use the Clean up button to remove the instance and any dependencies from the console.

For example, cleaning up the ASCS instance of an SAP system removes the entire SAP system from the console.

14. Managing tags

Tags are used to label specific objects with location, owner, etc. The objects can be hosts, clusters, databases or SAP systems. Tags make it easier to distinguish and show all these different objects, making your lists more readable and searchable. You can use any text you like to create your tags except blank spaces and special characters other than + - = . , _ : and @.

The following subsection shows how you can add, remove, and filter objects based on your tags.

14.1. Adding tags to hosts, clusters, databases, and SAP Systems

To add one or more tags to your objects, proceed as follows:

Log in to Trento.
In the Trento dashboard, go to the overview of the desired object. For example, the Hosts overview.
In the Hosts overview, search for the host you want to tag.
In the Tags column, click the Add Tag entry.
Enter the desired tag and press Enter.
Use the described steps to assign other tags to the same or a different host.

You can use the procedure to assign tags to other objects, such as Clusters, SAP Systems, or HANA Databases.

14.2. Removing tags

To remove existing tags, click the appropriate part in the dashboard:

Log in to Trento.
In the Trento dashboard, go to the overview of the desired object. For example, the Hosts overview.
In the Hosts overview, search for the host you want to remove a tag from.
In the Tags column, click the × icon to remove the tag.
Use the described steps to remove other tags from the same or a different host.

14.3. Filter by tags

Tags can be used to filter objects.

In the Trento dashboard, go to the desired overview.
In the second row, click the Filter tags drop-down list to view all existing tags.
Select one or more tags to display all hosts that have the selected tags.

To remove the filter, click the × icon from the same drop-down list.

15. Integration with SUSE Multi-Linux Manager

Trento can be inegrated with SUSE Multi-Linux Manager to provide the SAP administrator with information about relevant patches and upgradable packages for any host that is registered with both applications.

The user must enter the connection settings for SUSE Multi-Linux Manager in the Settings view:

Figure 19. SUSE Multi-Linux Manager settings

When the SUSE Multi-Linux Manager settings are configured, the SAP Basis administrator can test the connection by clicking the Test button. If the connection is successful, the Host Details view of each host managed by SUSE Multi-Linux Manager displays a summary of available patches and upgradable packages:

trento-summary-of-available-software-updates

Figure 20. Available software updates in the Host Details view

Click Relevant Patches to view a list of patches available for the host:

Figure 21. Available Patches overview

Click Upgradable Packages to view a list of packages that can be upgraded on that particular host:

Figure 22. Upgradable Packages overview

Click an advisory or patch link to access the corresponding details view with relevant information, such us whether it requires a reboot or not, associated vulnerabilities, or a list of affected hosts:

Figure 23. Advisory Details view

There are three types of patches or advisories: security advisories, bug fixes and feature enhancements. Security advisories are considered critical. If an advisory is available, the health of the host is set to critical. If there are available patches but none of them is a security one, the health of the host switches to warning. When a host cannot be found in SUSE Multi-Linux Manager, or there is a problem retrieving the data for it, its health is set to unknown.

You can clear the SUSE Multi-Linux Manager settings from the Settings view at any time. When you do this, all information about available software updates disappears from the console, and the status of the hosts is adjusted accordingly.

16. Rotating API keys

Communication from the Trento Agent to the Trento Server is secured by a API key that must be provided in the agent configuration file.

By default, the API key does not have an expiration date. You can set up a custom expiration date to increase the overall security of the setup and meet internal security requirements.

To do this, go to the Settings view and click the Generate Key button in the API Key section:

Figure 24. Checks catalog

Whenever a new key is generated, the configuration of all the reporting agents must be updated accordingly.

17. Personal Access Tokens

Trento allows users to create Personal Access Tokens (PATs) for authentication and authorization purposes in third-party integrations with the APIs exposed by its components:

Web
Wanda

17.1. Creating a Personal Access Token

Figure 25. Profile

Click Generate Token in the Personal Access Tokens section.
When prompted, provide a name and an expiration date, then click Generate Token.

Figure 26. Generate personal access token modal
Copy the generated token starting with trento_pat_. Keep in mind that the token is shown only once. If you lose the token, you must generate a new one.

Figure 27. Generated personal access token

17.2. Using a Personal Access Token

You can use the created Personal Access Token to authenticate API requests by including it in the Authorization header as a Bearer token.

$ curl -X GET "..." -H "Authorization: Bearer trento_pat_<rest_of_token>"

17.3. Deleting a Personal Access Token

To delete Personal Access Token, click its contextual Delete button in the Personal Access Tokens section of the profile.

Figure 28. Personal access tokens section

Confirm the deletion

Figure 29. Delete personal access token modal

17.4. Notes for user admins

User admins can delete tokens for other users. However, admins cannot create new tokens for other users.

To delete a token for another user, a user admin must perform the following steps:

navigate to the Users page
select a user
click a token’s contextual Delete button in the Personal Access Tokens section

18. Updating Trento Server

The procedure to update Trento Server depends on the chosen deployment option: Kubernetes or systemd.

Consider the following when performing an update:

Before updating Trento Server, ensure that all the Trento Agents in the environment are supported by the target version. For more information, see section Compatibility matrix between Trento Server and Trento Agents.
When updating Trento to version 2.4 or higher, the admin password may need to be adjusted to follow the rules described in the User Management section.

In a Kubernetes deployment, you can use Helm to update Trento Server:

helm upgrade \
   --install trento-server oci://registry.suse.com/trento/trento-server \
   --set global.trentoWeb.origin=TRENTO_SERVER_HOSTNAME \
   --set trento-web.adminUser.password=ADMIN_PASSWORD

If you have configured options like email alerting, the Helm command must be adjusted accordingly. In this case, consider the following:

Remember to set the helm experimental flag if you are using a version of Helm lower than 3.8.0.

When updating Trento to version 2.0.0 or higher, an additional flag must be set in the Helm command:

helm upgrade \
   --install trento-server oci://registry.suse.com/trento/trento-server \
   --set global.trentoWeb.origin=TRENTO_SERVER_HOSTNAME \
   --set trento-web.adminUser.password=ADMIN_PASSWORD \
   --set rabbitmq.auth.erlangCookie=$(openssl rand -hex 16)

When updating Trento to version 2.3 or higher, a new API key is generated and the configuration of all registered Trento Agents must be updated accordingly.

In a system deployment, you can use zypper to update Trento Server:

 zypper refresh
 zypper update trento-web
 zypper update trento-wanda
 systemctl restart trento-web
 systemctl restart trento-wanda

19. Updating a Trento Agent

To update the Trento Agent, follow the procedure below:

Log in to the Trento Agent host.
Stop the Trento Agent:
> sudo systemctl stop trento-agent

Install the new package:

> sudo zypper ref
> sudo zypper install trento-agent

Copy the file /etc/trento/agent.yaml.rpmsave to /etc/trento/agent.yaml. Make sure that entries facts-service-url, server-url, and api-key in /etc/trento/agent.yaml are correct.
Start the Trento Agent:
> sudo systemctl start trento-agent

Check the status of the Trento Agent:

sudo systemctl status trento-agent
● trento-agent.service - Trento Agent service
   Loaded: loaded (/usr/lib/systemd/system/trento-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-11-24 17:37:46 UTC; 4s ago
 Main PID: 22055 (trento)
    Tasks: 10
   CGroup: /system.slice/trento-agent.service
           ├─22055 /usr/bin/trento agent start --consul-config-dir=/srv/consul/consul.d
           └─22220 /usr/bin/ruby.ruby2.5 /usr/sbin/SUSEConnect -s

[...]

Check the version in the Hosts overview of the Trento Web (URL http://TRENTO_SERVER_HOSTNAME).
Repeat this procedure in all Trento Agent hosts.

20. Updating Trento Checks

Configuration checks are an integral part of the checks engine, but they are delivered separately. This allows customers to update the checks catalog in their setup whenever updates to existing checks and new checks are released, without waiting for a new version release cycle.

The procedure of updating the configuration checks depends on the Trento Server deployment type: Kubernetes or systemd.

In a Kubernetes deployment, checks are delivered as a container image, and you can use Helm with the following options to pull the latest image:

  helm ... \
 --set trento-wanda.checks.image.tag=latest \
 --set trento-wanda.checks.image.repository=registry.suse.com/trento/trento-checks  \
 --set trento-wanda.checks.image.pullPolicy=Always \
 ...

In a systemd deployment, checks are delivered as an RPM package, and you can use Zypper to update your checks catalog:

> sudo zypper ref
> sudo zypper update trento-checks

21. Uninstalling Trento Server

The procedure to uninstall the Trento Server depends on the deployment type: Kubernetes or systemd. The section covers Kubernetes deployments.

If Trento Server was deployed manually, you need to uninstall it manually. If Trento Server was deployed using the Helm chart, you can also use Helm to uninstall it as follows:

helm uninstall trento-server

22. Uninstalling a Trento Agent

To uninstall a Trento Agent, perform the following steps:

Log in to the Trento Agent host.
Stop the Trento Agent:
> sudo systemctl stop trento-agent
Remove the package:
> sudo zypper remove trento-agent

23. Reporting an Issue

SUSE customers with registered SUSE Linux Enterprise Server for SAP applications 15 (SP4 or higher) or SUSE Linux Enterprise Server for SAP applications 16.0 distributions can report Trento issues either directly in the SUSE Customer Center or through the corresponding vendor, depending on their licensing model. Problems must be reported under SUSE Linux Enterprise Server for SAP applications 15 and component trento.

When opening a support case for Trento, provide the relevant deployment option for Trento Server: Kubernetes, or systemd RPM installation.

In case of a Kubernetes deployment, provide the output of the Trento support script as explained in section Problem Analysis.

In case of a systemd deployment, provide the output of the Trento support plugin, as explained in section Problem Analysis.

For issues with a particular Trento Agent, or a component discovered by a particular Trento Agent, also provide the following:

status of the Trento Agent
journal of the Trento Agent
output of the command supportconfig in the Trento Agent host. See https://documentation.suse.com/sles/html/SLES-all/cha-adm-support.html#sec-admsupport-cli for information on how to run this command from command line.

24. Problem Analysis

24.1. Trento Server

There are two tools you can use to collect information and data that can be useful when troubleshooting and analyzing issues with Trento Server.

24.1.1. Trento support plugin

The Trento support plugin consists of the trento-support.sh script and the support plugin itself. The tool automates the collection of logs and relevant runtime information on the server side. It can be used in two different scenarios:

A deployment on K3s
A systemd deployment

24.1.2. Using the Trento support plugin with a K3s deployment

Using the plugin with a K3s deployment requires a SUSE Linux Enterprise Server for SAP applications 15 SP3 or higher host with the following setup:

Packages jq and yq are installed
Helm is installed
kubectl is installed and connected to the Kubernetes cluster where Trento Server is running

To use the plugin, proceed as follows:

Install the Trento support plugin:

# zypper ref
# zypper install supportutils-plugin-trento

Run the trento-support.sh script:

# trento-support.sh --output file-tgz --collect all

Send the generated archive file to support for analysis.

The script accepts the following options:

-o, --output Output type (stdout, file, file-tgz)
-c, --collect Collection options (configuration, base, kubernetes, all)
-r, --release-name Release name to use for the chart installation. Default is trento-server
-n, --namespace Kubernetes namespace used when installing the chart.Default is default
--help Shows help messages

24.1.3. Using the Trento support plugin with a systemd deployment

To use the plugin in this scenario, proceed as follows:

Install the Trento support plugin:

# zypper ref
# zypper install supportutils-plugin-trento

Execute supportconfig as described in https://documentation.suse.com/sles/html/SLES-all/cha-adm-support.html\#sec-admsupport-cli. The supportconfig tool will call the Trento support plugin.
Send the generated output to support for analysis.

24.2. Scenario dump script

A scenario dump is a dump of the Trento database. It helps the Trento team to recreate the scenario to test it.

A script is available in the Trento upstream project. The script helps generate a scenario dump when the server is running on a Kubernetes cluster. Using this script requires a host with the following setup:

kubectl is installed and connected to the Kubernetes cluster where Trento Server is running.

To generate the dump, proceed as follows:

Download the latest version of the dump script:

> wget https://raw.githubusercontent.com/trento-project/web/main/hack/dump_scenario_from_k8.sh

Make the script executable:
> chmod +x dump_scenario_from_k8.sh
Make sure that kubectl is connected to the Kubernetes cluster where Trento Server is running and run the script:
> ./dump_scenario_from_k8.sh -n SCENARIO_NAME -p PATH
Go to PATH/scenarios/SCENARIO_NAME, package all the generated JSON files, and send the package to support for analysis.

24.3. Pods descriptions and logs

In case of a deployment on K3s, the descriptions and logs of the Trento Server pods can be useful for analysis and troubleshooting purposes (in addition to the output of the trento-support.sh script and the dump scenario script). These descriptions and logs can be obtained with the kubectl command. For this to work, you need a host with kubectl is installed and connected to the K3s cluster running Trento Server.

List the pods running in Kubernetes cluster and their statuses. Run the command below to view Trento Server pods:

> kubectl get pods

NAME                                               READY   STATUS    RESTARTS   AGE
trento-server-postgresql-0                         1/1     Running   0          87m
trento-server-prometheus-server-7b5c9474bc-wmv8s   2/2     Running   0          87m
trento-server-rabbitmq-0                           1/1     Running   0          87m
trento-server-wanda-67ffbb79dc-7t6xw               1/1     Running   0          87m
trento-server-web-7df8f65794-vdbhs                 1/1     Running   0          87m

Retrieve the description of a pod as follows:
> kubectl describe pod POD_NAME
Retrieve the log of a pod as follows:
> kubectl logs POD_NAME
Monitor the log of a pod as follows:
> kubectl logs POD_NAME --follow

25. Compatibility matrix between Trento Server and Trento Agents

Table 1. Compatibility matrix between Trento Server and Trento Agents
Trento Agent	Trento Server
	1.0	1.1	1.2	2.0	2.1	2.2	2.3	2.4	2.5
1.0	✓	✓	✓
1.1		✓	✓
1.2			✓
2.0				✓	✓	✓	✓	✓	✓
2.1					✓	✓	✓	✓	✓
2.2						✓	✓	✓	✓
2.3							✓	✓	✓
2.4								✓	✓
2.5									✓

26. Highlights of Trento versions

Below is a list of the most important user-facing features in the different versions of Trento. For a more detailed information about the changes included in each new version, visit https://github.com/trento-project.

For changes in the Trento Helm Chart, visit https://github.com/trento-project/helm-charts/releases.
For changes in the Trento Server Web component, visit https://github.com/trento-project/web/releases.
For changes in the Trento Server old checks engine component (runner), visit https://github.com/trento-project/runner/releases.
For changes in the Trento Server new checks engine component (wanda), visit https://github.com/trento-project/wanda/releases.
For changes it the Trento checks, visit https://github.com/trento-project/checks/releases.
For changes in the Trento Agent, visit https://github.com/trento-project/agent/releases.

Version 2.5.0 (released on 2025/08/07)

Includes Helm chart 2.5.0, Web Component 2.4.0, checks engine (wanda) 1.5.0, configuration checks 1.1.0 and agent 2.5.0, with the following highlights:

Discovery of HANA scale-up cost-optimized clusters
Checks customization
Enhanced activity log (search by metadata, auto refresh capabilities, severity information and permission-based access level)
A more flexible Prometheus integration
Discovery optimization in edge-case scenarios
Major updates to the Checks Catalog

Version 2.4.0 (released on 2024/12/06)

Consisting of Helm chart 2.4.0, Web component 2.4.0, checks engine (wanda) 1.4.0, configuration checks 1.0.0 and agent 2.4.0.

New permission-based user management system with optional MFA.
SSO and third-party IDP integration via OIDC, OAUTH2 and SAML protocols.
Contextual, detailed overview of available patches and upgradable packages in the SUSE Multi-Linux Manager integration.
Inception of the Activity Log, allowing users to browse a single centralized event log for their entire SAP landscape.
Trento Checks delivery is now decoupled from the core platform, and the Checks themselves have been relicensed from Apache 2.0 to GPL 3.0
Enhanced discovery capabilities including clusters using angi architecture and SAP systems running on JAVA stacks.
New HANA scale-out cluster configuration checks.
More ASCS/ERS cluster configuration checks.

Version 2.3.2 (released on 2024/09/01)

Consisting of Helm chart 2.3.2, Web component 2.3.2, checks engine (wanda) 1.3.0 and agent 2.3.0.

Fix for bug in the web component causing it to crash upon certain events after update from an earlier version.

Version 2.3.1 (released on 2024/06/18)

Consisting of Helm chart 2.3.1, Web component 2.3.1, checks engine (wanda) 1.3.0 and agent 2.3.0.

non-K8s installation of Trento Server.
Enhanced discovery capabilities, including improved support HANA multi-tenant architecture, HANA scale out cluster discovery, discovery of clsluters using diskless SBD and maintenance awareness.
Information about available patches and upgradable packages for each registered hosts via integration with SUSE Multi-Linux Manager.
Rotating API key.
Saptune configuration checks.
Simpler, more secure architecture without Grafana.
Revamped metric visualization.
Enhanced Checks Catalog view with dynamic filtering capabilities.

Version 2.2.0 (released on 2023/12/04)

Consisting of Helm chart 2.2.0, Web component 2.2.0, checks engine (wanda) 1.2.0 and agent 2.2.0.

saptune Web integration.
Intance clean-up capabilities.
Ability to run host-level configuration checks.

Version 2.1.0 (released on 2023/08/02)

Consisting of Helm chart 2.1.0, Web component 2.1.0, checks engine (wanda) 1.1.0 and agent 2.1.0.

ASCS/ERS cluster discovery, from single-sid, two-node scenarios to multi-sid, multi-node setups. The discovery covers both versions of the enqueue server, ENSA1 and ENSA2, and both scenarios with resource managed instance filesystems and simple mount setups.
Host clean-up capabilities, allowing users to get rid of hosts that are no longer part of their SAP environment.
New checks results view that leverages the potential of the new checks engine (wanda) and provides the user with insightful information about the check execution.

Version 2.0.0 (released on 2023/04/26)

Consisting of Helm chart 2.0.0, Web component 2.0.0, checks engine (wanda) 1.0.0 and agent 2.0.0.

A brand-new safer, faster, ligher SSH-less configuration checks engine (wanda) which not only opens the door to configuration checks for other HA scenarios (ASCS/ER, HANA scale-up cost optimized, SAP HANA scale-out) and other targes in the environment (hosts, SAP HANA databases, SAP NetWeaver instances), but also will allow customization of existing checks and addition of custom checks.
Addition of VMware to the list of known platforms.
Versioned external APIs for both the Web and the checks engine (wanda) components. The full list of available APIs can be found at https://www.trento-project.io/web/swaggerui/ and https://www.trento-project.io/wanda/swaggerui/ respectively.

Version 1.2.0 (released on 2022/11/04)

Consisting of Helm chart 1.2.0, Web component 1.2.0, checks engine (runner) 1.1.0 and agent 1.1.0.

Configuration checks for HANA scale-up performance optimized two-node clusters on on-premise bare metal platforms, including KVM and Nutanix.
A dynamic dashboard that allows you to determine, at a glance, the overall health status of your SAP environment.

Version 1.1.0 (released on 2022/07/14)

Consisting of Helm chart 1.1.0, Web component 1.1.0, checks engine (runner) 1.0.1 and agent 1.1.0.

Fix for major bug in the checks engine that prevented the Web component to load properly.

Version 1.0.0 (general availability, released on 2022/04/29)

Consisting of Helm chart 1.0.0, Web component 1.0.0, checks engine (runner) 1.0.0 and agent 1.0.0.

Clean, simple Web console designed with SAP basis in mind. It reacts in real time to changes happening in the backend environment thanks to the event-driven technology behind it.
Automated discovery of SAP systems, SAP instances and SAP HANA scale-up two-node clusters
Configuration checks for SAP HANA scale-up performance optimized two-node clusters on Azure, AWS and GCP.
Basic integration with Grafana and Prometheus to provide graphic dashboards about CPU and memory utilization in each discovered host.
Basic alert emails for critical events happening in the monitored environment.

27. More information

Official project website: https://www.trento-project.io/
Trento project: https://github.com/trento-project/web

Trento Agent	Trento Server
	1.0	1.1	1.2	2.0	2.1	2.2	2.3	2.4	2.5
1.0	✓	✓	✓
1.1		✓	✓
1.2			✓
2.0				✓	✓	✓	✓	✓	✓
2.1					✓	✓	✓	✓	✓
2.2						✓	✓	✓	✓
2.3							✓	✓	✓
2.4								✓	✓
2.5									✓

Trento Agent	Trento Server
	1.0	1.1	1.2	2.0	2.1	2.2	2.3	2.4	2.5
1.0	✓	✓	✓
1.1		✓	✓
1.2			✓
2.0				✓	✓	✓	✓	✓	✓
2.1					✓	✓	✓	✓	✓
2.2						✓	✓	✓	✓
2.3							✓	✓	✓
2.4								✓	✓
2.5									✓

Trento Agent	Trento Server
	1.0	1.1	1.2	2.0	2.1	2.2	2.3	2.4	2.5
1.0	✓	✓	✓
1.1		✓	✓
1.2			✓
2.0				✓	✓	✓	✓	✓	✓
2.1					✓	✓	✓	✓	✓
2.2						✓	✓	✓	✓
2.3							✓	✓	✓
2.4								✓	✓
2.5									✓