The SAP ECC 6.0 SQ1 Management Cockpit is a web-based dashboard for monitoring and operating the SAP ECC IDES demonstration environment running on Microsoft SQL Server hosted on a Windows Server VM (sap-sql-ides). Unlike the ECC EHP8 system (Oracle on Linux) and S/4HANA (HANA on Linux), this system runs on a Windows platform.
From a single page you can:
https://sapidesecc8.fivetran-internal-sales.com/sap_skills/docs/SAP_ECC6_SQ1.html
The System Information card displays static and dynamic information about the SAP server:
| Field | Description |
|---|---|
| Hostname | Server hostname: sap-sql-ides |
| SAP System | SAP ECC 6.0 IDES |
| SID | System ID: SQ1 |
| Instance Nr | Dialog instance: 00, ASCS instance: 01 |
| Client | SAP client 800 |
| Database | Microsoft SQL Server (instance SAP-SQL-IDES\SQ1) |
| OS | Windows Server 2022 Datacenter |
| Private IP | 10.128.15.222 (GCP VPC internal) |
| Public IP | 34.133.170.14 |
The Disk Space card shows all Windows drives with visual progress bars. Data is retrieved via the /sap_skills/api/sq1_disk_space endpoint which runs a WinRM PowerShell command to query disk info from the Windows VM.
| Bar Color | Usage Level | Action |
|---|---|---|
| Green | Below 70% | Normal — no action needed |
| Yellow | 70% – 85% | Monitor — plan cleanup soon |
| Red | Above 85% | Critical — free space immediately |
Each drive row shows: drive letter, usage percentage bar, total size, and available space. Click Refresh to update the data.
The Status section contains two cards that show the real-time state of the system components. Click Check Status to query both at once. The status auto-refreshes every 5 minutes.
| Card | What it monitors | Details |
|---|---|---|
| SAP Application Server | SAP NetWeaver ABAP stack | SID SQ1, instances D00 and ASCS01. Controlled via sapcontrol SOAP API. |
| SQL Server Database | Microsoft SQL Server instance | Instance SAP-SQL-IDES\SQ1. Shows database state, last backup time, and backup running status. |
The SAP card monitors the ABAP application server and displays:
The SQL Server card monitors the database instance and displays:
sqlcmd against sys.databasesmsdb.dbo.backupsetsys.dm_exec_requests with CROSS APPLY sys.dm_exec_sql_textD:\BackupEach card displays a colored dot and status text:
| Indicator | Meaning |
|---|---|
| Green dot + Active / ONLINE | The service is running and responding to queries |
| Red dot + Inactive / OFFLINE | The service is down or unreachable |
| Grey dot + Unknown | Status has not been checked yet (page just loaded, waiting for response) |
Since 2026-04-16, SQ1 backups run in two phases: a local SQL Server native backup on the Windows VM, followed by an upload to Google Cloud Storage in the shared sap-hana-backint bucket under the sql_server_backup/ prefix. SQL Server does not speak the HANA BACKINT protocol, so this two-phase flow provides equivalent off-host durability using gsutil.
| Component | Detail |
|---|---|
| Phase 1 (local) | SQL Server BACKUP DATABASE with COMPRESSION, CHECKSUM, INIT, FORMAT → D:\Backup\SQ1_<YYYYMMDD_HHMMSS>.bak |
| Phase 2 (GCS upload) | gsutil -m cp new .bak files → gs://sap-hana-backint/sql_server_backup/SQ1/full/, then prune local to newest 2 |
| Wrapper script | D:\Backup\scripts\run_backup.ps1 chains phase 1 → phase 2 |
| Scheduler | Windows Task Scheduler task SQ1_Weekly_Backup_GCS, runs as SYSTEM, Saturday 22:00 local |
| Auth | Service account JSON key at C:\ProgramData\gcs\internal-sales-sa.json + C:\ProgramData\gcs\boto.cfg (service_account = none to bypass limited GCE metadata scope) |
| Running Detection | sys.dm_exec_requests + sys.dm_exec_sql_text (phase 1), GCS object listing (phase 2) |
| Logs | D:\Backup\logs\phase1_*.log, phase2_*.log, run_*.log |
Executed on the SQL Server instance by D:\Backup\scripts\phase1_backup.ps1 via sqlcmd:
Flags: COMPRESSION trims size (typically ~3×), CHECKSUM detects in-flight corruption, INIT + FORMAT overwrites and rewrites the media header, STATS = 10 reports every 10%.
D:\Backup\scripts\phase2_upload.ps1:
gs://sap-hana-backint/sql_server_backup/SQ1/full/.SQ1*.bak not already in GCS, runs gsutil -m cp with parallel_composite_upload_threshold=150M (large files split into parallel chunks).LastWriteTime DESC and keeps the newest 2. Older files are deleted only if gsutil stat confirms they exist in GCS — safety net to prevent deleting an un-uploaded file.GCS target layout (room for future diff/log if needed):
| Field | Value |
|---|---|
| Name | SQ1_Weekly_Backup_GCS |
| Trigger | Weekly, Saturday 22:00 local (America/Chicago — server TZ) |
| Action | powershell.exe -NoProfile -ExecutionPolicy Bypass -File D:\Backup\scripts\run_backup.ps1 -Database SQ1 -KeepLocal 2 |
| Principal | SYSTEM (no stored credential) |
| Execution time limit | 12 hours |
| Multiple instances | IgnoreNew |
Manage from any PowerShell shell on the VM:
The SQL Server Database card includes a Backup Now button to trigger an immediate full compressed backup (phase 1 only — does not run the GCS upload).
sql_server_backup/SQ1/full/ and the count in the bucket. To also push the new backup to GCS, run Start-ScheduledTask -TaskName SQ1_Weekly_Backup_GCS on the VM, or wait for the next Saturday run.sys.dm_exec_requests every time you click Check Status (and every 5 minutes automatically) to detect running BACKUP DATABASE operations and display the percent complete.
| Symptom | Cause | Fix |
|---|---|---|
ResumableUploadAbortException: 403 Provided scope(s) are not authorized |
gsutil using the VM metadata token (scopes include only devstorage.read_only) instead of the JSON key. |
Ensure C:\ProgramData\gcs\boto.cfg has [GoogleCompute] service_account = none plus gs_service_key_file; confirm BOTO_CONFIG and GOOGLE_APPLICATION_CREDENTIALS are set at Machine scope. |
Phase 1 BACKUP DATABASE rc=1, Operating system error 5 (Access is denied) |
SQL Server service account cannot write to D:\Backup\. |
Grant NT SERVICE\MSSQL$SQ1 Modify on D:\Backup\. |
Phase 2 exits with PRUNE-SKIP lines and local files keep growing |
gsutil stat returned non-zero on the object — likely the upload did not complete. |
Re-run phase2_upload.ps1 standalone (idempotent — skips files already in GCS); inspect D:\Backup\logs\phase2_*.log. |
Detached batch exits after first gsutil cp completes; no sentinel/RC line written |
Known quirk when launched via Invoke-CimMethod Win32_Process.Create from a WinRM session: the batch loses its console handle after the first child terminates. |
The scheduled task runs as SYSTEM with a real session and is not affected. For ad-hoc multi-file sequential uploads from a WinRM session, invoke each file in a separate WMI-detached batch. |
The SAP Application Server card has a green Start SAP button:
| Button | What it does | Mechanism |
|---|---|---|
| Start SAP | Starts both instances D00 and ASCS01 via the sapcontrol SOAP API | HTTP POST to sapcontrol on ports 50013 (D00) and 50113 (ASCS01) |
A confirmation dialog asks you to confirm before starting. If the service is already running, you will see an informational message.
The SAP Application Server card has a red Stop SAP button. Stopping is a two-step authorization process:
| Button | What it does | Mechanism |
|---|---|---|
| Stop SAP | Stops both instances D00 and ASCS01 | HTTP POST to sapcontrol SOAP API with StopSystem command |
The Disk Space card shows all Windows drives with visual progress bars. Data is fetched from the /sap_skills/api/sq1_disk_space endpoint which runs a WinRM PowerShell command (Get-WmiObject Win32_LogicalDisk) on the Windows VM.
| Drive | Contains | Why it matters |
|---|---|---|
C:\ | Windows OS, SAP binaries, SQL Server binaries | If full, Windows and SAP services may fail to start |
D:\ | SQL Server database files, backup destination (D:\Backup) | Backups fail if insufficient space; database cannot grow if data drive is full |
INIT (overwrite), only one backup file exists at a time. However, the backup file size depends on the database size. Monitor available space on D:\ to ensure there is room for both the database files and the backup.
The SAP License card displays the validity of installed SAP licenses. License data is read from the SAPLIKEY table in the SQL Server database via WinRM sqlcmd queries.
| Column | Description |
|---|---|
| License Type | NetWeaver or Maintenance license |
| Valid From | Start date of the license period |
| Valid To | Expiry date (or "Permanent" if 9999-12-31) |
| Status | Valid (green), Expiring Soon (orange, < 30 days), or Expired (red) |
The license status auto-refreshes every 5 minutes along with the system status.
/sap_skills/api/sq1_license endpoint calls /usr/local/bin/sq1_license_query.py on sapidesecc8, which connects via WinRM to sap-sql-ides and queries the SAPLIKEY table using sqlcmd. The VALUE field contains encoded dates in the format 0008YYYYMMDD which are parsed to determine license validity.
SLICENSE to install a new license key. Contact the SAP Specialist team for license renewal.
The Links section provides quick access to external tools and documentation:
| Link | Description |
|---|---|
| GCP VM Settings | Google Cloud Compute Engine instance details for sap-sql-ides |
| GCP DNS | Google Cloud DNS zone for fivetran-internal-sales.com |
| Slab Technical Details | Slab documentation for the SQ1 demo environment with detailed technical specifications |
The cockpit follows a strict no-hardcoded-passwords policy. All credentials are stored in the encrypted vault on sapidesecc8 and retrieved at runtime.
| Credential | How it's used | Vault access |
|---|---|---|
| WinRM credentials | Used internally by API endpoints to execute remote PowerShell commands on sap-sql-ides | Auto-read by server-side scripts |
| Master password | Required for stop operations and manual backup triggers | Validates against vault encryption key |
pywinrm Python library. WinRM allows executing PowerShell commands remotely — this is how disk space, database status, backups, and license queries are performed.
| Problem | Cause | Solution |
|---|---|---|
| All status cards show "Error" | WinRM connection to sap-sql-ides failed, or the Windows VM is stopped | Check if the sap-sql-ides VM is running in GCP. Verify WinRM service is started on the Windows VM. The API endpoints on sapidesecc8 connect via WinRM to the Windows server. |
| SAP shows Inactive | SAP processes are stopped on the Windows server | Click "Start SAP". If it fails, RDP into the server and check the SAP Management Console (SAP MMC). |
| SQL Server shows OFFLINE or Unknown | SQL Server instance is stopped or sqlcmd cannot connect | RDP into sap-sql-ides and check SQL Server Configuration Manager. Ensure the SAP-SQL-IDES\SQ1 instance is running. |
| Backup Now returns "Error" | SQL Server instance is down, insufficient disk space on D:\, or WinRM timeout | Ensure SQL Server is ONLINE. Check D:\ disk space. If persistent, RDP and check SQL Server error log. |
| Backup Running stuck at a percentage | Backup is genuinely running (large database) or hung | SQL Server full backups can take time for large databases. If stuck for over an hour, RDP and check SQL Server Activity Monitor. |
| Stop button says "Wrong master password" | Incorrect master password entered | Retry with the correct master password. Contact SAP Specialist team if forgotten. |
| Disk Space shows "Error loading" | WinRM connection failed or PowerShell Get-WmiObject timed out | Try clicking "Refresh". Check if the Windows VM is accessible. WinRM may need to be restarted on the Windows server. |
| License card shows "Error" | SAPLIKEY query via sqlcmd failed or WinRM timeout | Ensure SQL Server is ONLINE. The license query uses sqlcmd to read the SAPLIKEY table in the SQ1 database. |
| License shows Expired | SAP license has passed its validity date | Use SAP transaction SLICENSE to install a new license. Contact the SAP Specialist team for renewal. |
| Page returns 404 | HTML file missing from server | Re-deploy: scp SAP_ECC6_SQ1.html root@sapidesecc8:/usr/sap/sap_skills/docs/ |
| sapcontrol Start/Stop fails | SOAP API unreachable on ports 50013/50113 | RDP into the Windows VM and verify SAP services are registered. Check Windows Firewall rules for ports 50013 and 50113. |
The cockpit page is a static HTML file served by the Python HTTPS server on sapidesecc8 (port 443). All dynamic data comes from API endpoints running on sapidesecc8, which in turn communicate with the Windows VM sap-sql-ides via two channels:
| API Endpoint | Method | Purpose | Auth |
|---|---|---|---|
/sap_skills/api/sq1_system_status |
GET | SAP status (sapcontrol SOAP), SQL Server state (sys.databases), last backup (msdb.dbo.backupset), backup running (sys.dm_exec_requests) |
None |
/sap_skills/api/sq1_disk_space |
GET | Windows disk usage via WinRM PowerShell (Get-WmiObject Win32_LogicalDisk) |
None |
/sap_skills/api/sq1_sap_control |
POST | Start/stop SAP via sapcontrol SOAP API (ports 50013/50113) | Master password for stop |
/sap_skills/api/sq1_trigger_backup |
POST | Full compressed SQL Server backup to D:\Backup via WinRM |
Master password |
/sap_skills/api/sq1_license |
GET | SAP license validity from SAPLIKEY table via WinRM sqlcmd | None |
| Script | Purpose |
|---|---|
/usr/local/bin/sq1_db_query.py | Queries SQL Server state, last backup, and backup running status via WinRM PowerShell |
/usr/local/bin/sq1_trigger_backup.py | Triggers full compressed SQL Server backup via WinRM PowerShell |
/usr/local/bin/sq1_license_query.py | Queries SAPLIKEY table via WinRM sqlcmd for license validity |
The SQL Console provides an interactive web-based interface for executing SQL queries directly against the Microsoft SQL Server database on the SQ1 system. Queries are executed remotely via SSH from the web server (sapidesecc8) to the Windows VM (sap-sql-ides, IP 10.128.0.51) using sqlcmd.
sq1adm@10.128.0.51 and runs sqlcmd against instance localhost\SQ1. Results are returned as pipe-delimited text, parsed into table format, and displayed in the browser. No database ports are exposed to the network.
| Database | User | Auth Method | Description |
|---|---|---|---|
SQ1 | sq1adm | Windows Auth (-E) | SAP system admin — full access to SAP schema |
SQ1 | sq1 | SQL Auth (-U/-P) | SAP schema owner — direct access to SAP tables |
SQ1 | fivetran | SQL Auth (-U/-P) | Read-only user for data extraction |
master | sq1adm | Windows Auth (-E) | SQL Server system database |
sapidessq1_db. Windows Auth users (sq1adm) authenticate via the OS — no password needed.
T000 not t000).EXECUTE AS USER = 'schema'; ... ; REVERT to set the execution context.Ctrl+Enter to execute queries instantly.| Query | Description |
|---|---|
SELECT * FROM T000 | List all SAP clients |
SELECT TOP 10 * FROM USR02 | First 10 SAP users with lock/validity info |
SELECT NAME, CREAT_DB FROM TADIR WHERE PGMID = 'R3TR' AND OBJECT = 'TABL' | List tables in the repository |
SELECT @@VERSION | SQL Server version info |
SELECT NAME, STATE_DESC FROM SYS.DATABASES | List all databases and their state |
SELECT DB_NAME() AS CURRENT_DB, SCHEMA_NAME() AS CURRENT_SCHEMA | Current database and schema context |
EXEC SP_SPACEUSED | Database space usage summary |
TOP N instead of LIMIT N. Use SYS. prefix for system views. Stored procedures are called with EXEC.