Kickstart script reference

Script overview

Simplify the deployment of the container hosting the SAP data connector by using the provided Kickstart script (available at Microsoft Sentinel solution for SAP® applications GitHub), which can also enable different modes of secrets storage, configure Secure Network Communications (SNC), and more.

Parameter reference

The following parameters are configurable. You can see examples of how these parameters are used in Deploy and configure the container hosting the SAP data connector agent.

Secret storage location

Parameter name: --keymode

Parameter values: kvmi, kvsi, cfgf

Required: No. kvmi is assumed by default.

Explanation: Specifies whether secrets (username, password, log analytics ID, and shared key) should be stored in local configuration file, or in Azure Key Vault. Also controls whether authentication to Azure Key Vault is done using the VM's Azure system-assigned managed identity or a Microsoft Entra registered-application identity.

If set to kvmi, Azure Key Vault is used to store secrets, and authentication to Azure Key Vault is done using the virtual machine's Azure system-assigned managed identity.

If set to kvsi, Azure Key Vault is used to store secrets, and authentication to Azure Key Vault is done using a Microsoft Entra registered-application identity. Usage of kvsi mode requires --appid, --appsecret, and --tenantid values.

If set to cfgf, the configuration file stored locally is used to store secrets.

ABAP server connection mode

Parameter name: --connectionmode

Parameter values: abap, mserv

Required: No. If not specified, the default is abap.

Explanation: Defines whether the data collector agent should connect to the ABAP server directly, or through a message server. Use abap to have the agent connect directly to the ABAP server, whose name you can define using the --abapserver parameter (though if you don't, you're still prompted for it). Use mserv to connect through a message server, in which case you must specify the --messageserverhost, --messageserverport, and --logongroup parameters.

Configuration folder location

Parameter name: --configpath

Parameter values: <path>

Required: No, /opt/sapcon/<SID> is assumed if not specified.

Explanation: By default kickstart initializes configuration file, metadata location to /opt/sapcon/<SID>. To set alternate location of configuration and metadata, use the --configpath parameter.

ABAP server address

Parameter name: --abapserver

Parameter values: <servername>

Required: No. If the parameter isn't specified and if the ABAP server connection mode parameter is set to abap, you're prompted for the server hostname/IP address.

Explanation: Used only if the connection mode is set to abap, this parameter contains the Fully Qualified Domain Name (FQDN), short name, or IP address of the ABAP server to connect to.

System instance number

Parameter name: --systemnr

Parameter values: <system number>

Required: No. If not specified, the user is prompted for the system number.

Explanation: Specifies the SAP system instance number to connect to.

System ID

Parameter name: --sid

Parameter values: <SID>

Required: No. If not specified, the user is prompted for the system ID.

Explanation: Specifies the SAP system ID to connect to.

Client number

Parameter name: --clientnumber

Parameter values: <client number>

Required: No. If not specified, the user is prompted for the client number.

Explanation: Specifies the client number to connect to.

Message Server Host

Parameter name: --messageserverhost

Parameter values: <servername>

Required: Yes, if ABAP server connection mode is set to mserv.

Explanation: Specifies the hostname/ip address of the message server to connect to. Can only be used if ABAP server connection mode is set to mserv.

Message Server Port

Parameter name: --messageserverport

Parameter values: <portnumber>

Required: Yes, if ABAP server connection mode is set to mserv.

Explanation: Specifies the service name (port) of the message server to connect to. Can only be used if ABAP server connection mode is set to mserv.

Logon group

Parameter name: --logongroup

Parameter values: <logon group>

Required: Yes, if ABAP server connection mode is set to mserv.

Explanation: Specifies the sign-in group to use when connecting to a message server. Can be used only if ABAP server connection mode is set to mserv. If the logon group name contains spaces, they should be passed in double quotes, as in the example --logongroup "my logon group".

Logon username

Parameter name: --sapusername

Parameter values: <username>

Required: No. If not supplied, the user is prompted for the username if they are not using SNC (X.509) for authentication.

Explanation: Username used to authenticate to ABAP server.

Logon password

Parameter name: --sappassword

Parameter values: <password>

Required: No. If not supplied, the user is prompted for the password, if they're not using SNC (X.509) for authentication. Password input is masked.

Explanation: Password used to authenticate to ABAP server.

NetWeaver SDK file location

Parameter name: --sdk

Parameter values: <filename>

Required: No. The script attempts to locate the nwrfc*.zip file in the current folder. If it isn't found, the user is prompted to supply a valid NetWeaver SDK archive file.

Explanation: NetWeaver SDK file path. A valid SDK is required for the data collector to operate. For more information, see Prerequisites for deploying Microsoft Sentinel solution for SAP® applications.

Enterprise Application ID

Parameter name: --appid

Parameter values: <guid>

Required: Yes, if Secret storage location is set to kvsi.

Explanation: When Azure Key Vault authentication mode is set to kvsi, authentication to key vault is done using an enterprise application (service principal) identity. This parameter specifies the application ID.

Enterprise Application secret

Parameter name: --appsecret

Parameter values: <secret>

Required: Yes, if Secret storage location is set to kvsi.

Explanation: When Azure Key Vault authentication mode is set to kvsi, authentication to key vault is done using an enterprise application (service principal) identity. This parameter specifies the application secret.

Tenant ID

Parameter name: --tenantid

Parameter values: <guid>

Required: Yes, if Secret storage location is set to kvsi.

Explanation: When Azure Key Vault authentication mode is set to kvsi, authentication to key vault is done using an enterprise application (service principal) identity. This parameter specifies the Microsoft Entra tenant ID.

Key Vault Name

Parameter name: --kvaultname

Parameter values: <key vaultname>

Required: No. If Secret storage location is set to kvsi or kvmi, the script prompts for the value if not supplied.

Explanation: If Secret storage location is set to kvsi or kvmi, the key vault name (in FQDN format) should be entered here.

Log Analytics workspace ID

Parameter name: --loganalyticswsid

Parameter values: <id>

Required: No. If not supplied, the script prompts for the workspace ID.

Explanation: Log Analytics workspace ID where the data collector sends the data to. To locate the workspace ID, locate the Log Analytics workspace in the Azure portal: open Microsoft Sentinel, select Settings in the Configuration section, select Workspace settings, then select Agents Management.

Log Analytics key

Parameter name: --loganalyticskey

Parameter values: <key>

Required: No. If not supplied, script prompts for the workspace key. Input is masked.

Explanation: Primary or secondary key of the Log Analytics workspace where the data collector sends the data to. To locate the workspace Primary or Secondary Key, locate the Log Analytics workspace in Azure portal: open Microsoft Sentinel, select Settings in the Configuration section, select Workspace settings, then select Agents Management.

Use X.509 (SNC) for authentication

Parameter name: --use-snc

Parameter values: None

Required: No. If not specified, the username and password is used for authentication. If specified, --cryptolib, --sapgenpse, combination of either --client-cert and --client-key, or --client-pfx and --client-pfx-passwd as well as --server-cert, and in certain cases --cacert switches is required.

Explanation: Specifies that X.509 authentication is used to connect to ABAP server, rather than username/password authentication. For more information, see Deploy the Microsoft Sentinel for SAP data connector by using SNC.

SAP Cryptographic library path

Parameter name: --cryptolib

Parameter values: <sapcryptolibfilename>

Required: Yes, if --use-snc is specified.

Explanation: Location and filename of SAP Cryptographic library (libsapcrypto.so).

SAPGENPSE tool path

Parameter name: --sapgenpse

Parameter values: <sapgenpsefilename>

Required: Yes, if --use-snc is specified.

Explanation: Location and filename of the sapgenpse tool for creation and management of PSE-files and SSO-credentials.

Client certificate public key path

Parameter name: --client-cert

Parameter values: <client certificate filename>

Required: Yes, if --use-snc and certificate is in .crt/.key base-64 format.

Explanation: Location and filename of the base-64 client public certificate. If client certificate is in .pfx format, use --client-pfx switch instead.

Client certificate private key path

Parameter name: --client-key

Parameter values: <client key filename>

Required: Yes, if --use-snc is specified and key is in .crt/.key base-64 format.

Explanation: Location and filename of the base-64 client private key. If client certificate is in .pfx format, use --client-pfx switch instead.

Issuing/root Certification Authority certificates

Parameter name: --cacert

Parameter values: <trusted ca cert>

Required: Yes, if --use-snc is specified and the certificate is issued by an enterprise certification authority.

Explanation: If the certificate is self-signed, it has no issuing CA, so there's no trust chain that needs to be validated. If the certificate is issued by an enterprise CA, the issuing CA certificate and any higher-level CA certificates need to be validated. Use separate instances of the --cacert switch for each CA in the trust chain, and supply the full filenames of the public certificates of the enterprise certificate authorities.

Client PFX certificate path

Parameter name: --client-pfx

Parameter values: <pfx filename>

Required: Yes, if --use-snc and key is in .pfx/.p12 format.

Explanation: Location and filename of the pfx client certificate.

Client PFX certificate password

Parameter name: --client-pfx-passwd

Parameter values: <password>

Required: Yes, if --use-snc is used, certificate is in .pfx/.p12 format, and certificate is protected by a password.

Explanation: PFX/P12 file password.

Server certificate

Parameter name: --server-cert

Parameter values: <server certificate filename>

Required: Yes, if --use-snc is used.

Explanation: ABAP server certificate full path and name.

HTTP proxy server URL

Parameter name: --http-proxy

Parameter values: <proxy url>

Required: No

Explanation: Containers that can't establish connection to Microsoft Azure services directly and require connection via a proxy server require --http-proxy switch to define proxy url for the container. Format of the proxy url is http://hostname:port.

Host Based Networking

Parameter name: --hostnetwork

Required: No.

Explanation: If this switch is specified, the agent uses host-based networking configuration. This can solve internal DNS resolution issues in some cases.

Confirm all prompts

Parameter name: --confirm-all-prompts

Parameter values: None

Required: No

Explanation: If the --confirm-all-prompts switch is specified, the script doesn't pause for any user confirmations and only prompts if user input is required. Use --confirm-all-prompts switch to achieve a zero-touch deployment.

Use preview build of the container

Parameter name: --preview

Parameter values: None

Required: No

Explanation: By default, container deployment kickstart script deploys the container with the :latest tag. Public preview features are published to the :latest-preview tag. To ensure container deployment script uses public preview version of the container, specify the --preview switch.

Next steps

Learn more about the Microsoft Sentinel solution for SAP® applications:

Troubleshooting:

Reference files:

For more information, see Microsoft Sentinel solutions.