Maticblog879

Skip to end of metadataGo to start of metadata

Your SAProuter should be located in DMZ and you must open port 3299 for incoming and outgoing traffic between 144.36.54.31 and 194.39.131.34. From tcode OSS1 you will not be able to logon, but when you configure OSS1 correctly, you should be able to perform a connection test for RCF destination SAPOSS in tcode SM59. SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP systems, or between SAP systems and external networks. SAProuter controls the access to your network, and, as such, is a useful enhancement to an existing firewall system (port filter).

For SAProuter SNC connection between SAP SAProuter and your own SAProuter, please refer to the following link:

Install Windows Server 2016 on VMware Step by Step; Install Windows Server 2016 Step by Step Guide. Prepare the installation media (DVD, USB flash, etc) and start the installation process. If you don’t have the Windows Server 2016 installation software, click here and download the software from Microsoft website.

This document is talking about SNC connection between non-SAP SAProuters. In this example, COMMONCRYPTOLIB is used for SNC.

SNC Communication Between SAProuters

Procedure:

1. Download SAProuter and COMMONCRYPTOLIB from SAP Software Download Center https://support.sap.com/swdc and extract the files. Copy the extracted files to SAProuter host1 and SAProuter host2.

2. Set the environment variables SNC_LIB and SECUDIR.
   SNC_LIB = <path of COMMONCRYPTOLIB> (eg.Windows C:COMMONCRYPTOLIBsapcrypto.dll)
   SECUDIR = <Directory of SAProuter>/sec

3. Generate PSE file.

   In the extracted files of COMMONCRYPTOLIB, you can find sapgenpse tool and it can be used to generate PSE file.
   Here are commands for generating PSE files and credentials.
   On SAProuter host1, run:
   sapgenpse get_pse -v -noreq -p local.pse 'CN=MYSAPROUTER1'
   sapgenpse seclogin -p local.pse

   On SAProuter host2, run:
   sapgenpse get_pse -v -noreq -p local.pse 'CN=MYSAPROUTER2'
   sapgenpse seclogin -p local.pse

   After the commands are executed successfully, you will see local.pse and cred_v2 files are generated under the path you have set for environment variable SECUDIR.

4. Exchange certificates of the SAProuters to establish mutual trust relationship.
   Export own certificate on SAProuter host1, run command:
   sapgenpse export_own_cert -o router1.cer -p local.pse

   Copy router1.cer to SAProuter host2, and on SAProuter host2 run command:
   sapgenpse maintain_pk -a router1.cer -p local.pse

   Export own certificate on SAProuter host2, run:
   sapgenpse export_own_cert -o router2.cer -p local.pse

   Copy router2.cer to SAProuter host1, and on SAProuter host1 run command:
   sapgenpse maintain_pk -a router2.cer -p local.pse

5. Maintain Route Permission Table(saprouttab).

   On SAProuter host1, maintain saprouttab:

   # Allow Outbound connections to SAProuter host2 will use SNC
   KT 'p:CN=MYSAPROUTER2' <Host name or IP of SAProuter host2> 3299
   # Allow all inbound connections
   P * * *

   On SAProuter host2:

   # accept incoming connections from SAProuter1
   # with destination sapdp00 and 3298 on any host
   KP 'p:CN=MYSAPROUTER1' * sapdp00
   KP 'p:CN=MYSAPROUTER1' * 3298

6. Start SAProuter.

   On SAProuter host1 run command:
   saprouter -K p:CN=MYSAPROUTER1 -r

   On SAProuter host2 run command:
   Saprouter -K p:CN=MYSAPROUTER2 -r

7. Test connection.

   On SAProuter host2, start niping server with command:
   niping -s

   On SAProuter host1, run niping client:
   niping -c -H /H/localhost/S/3299/H/<Host name or IP of SAProuter host2>/S/3299/H/localhost

   If it returns information like below, the setup is finished successfully:

   Thu Oct 24 13:39:19 2013
   connect to server o.k.

   Thu Oct 24 13:39:22 2013
   send and receive 10 messages (len 1000)
   ------- times -----
   avg 241.648 ms
   max 251.283 ms
   min 238.070 ms
   tr 8.083 kB/s
   excluding max and min:
   av2 240.891 ms
   r2 8.108 kB/s

8. If you would like to use CA signed certificates instead of self-signed certificates, you need to perform the following steps:

1. Generate certificate request:
   sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
2. Send certificate request(certreq) to CA.
3. After you get certificate response from CA, import it via command:
   sapgenpse import_own_cert -c srcert -r <root CA certificate> -p local.pse
4. Add root certificate of CA to certificate list of PSE file on partner host.
   If certificate of SAProuter on SAProuter host1 is signed by CA,you need to add the root CA certificate to PSE file on SAProuter host2 and vice versa.
   Command should be:
   sapgenpse maintain_pk -a <root CA certificate> -p local.pse
   

The first thing we need to do, is to send a customer message to SAP Support (component XX-SER-NET-OSS-NEW) and tell them to register the hostname and IP of our new Saprouter.

(In our case it is system name (hostname) = ' **'and Public Ip =*******)
We have to register it with the official IP address (no internal IPs allowed), but it's allowed to use NAT in the firewall/router.
Ports to be allowed in firewall/router (for Secured connection).
• 32nn: R3 Support Connection
• 23: Telnet
• 1503: Netmeeting
• 5601: PC-Anywhere
• 3389: Windows Terminal Server (WTS)
After we've received a confirmation from SAP that our Saprouter has been registered, we are ready to configure the Saprouter.
2.1 Go to www.service.sap.com/downloads and down latest SAP Crypto Library
2.2 copy sapcar.exe from exe/run directory of SAP Server
2.3 uncar the dlls and sapgenpse.exe from this using sapcar -xvf xxxxxxxx.car

If our Saprouter directory is C:saprouter, these are the steps to follow.

STEP 1: Copy the unpacked files into C:saprouter

STEP 2: Set 2 environment variables: SECUDIR and SNC_LIB according to the
guide we've downloaded.

SECUDIR=C:Saprouter
SNC_LIB=C:Saproutersapcrypto.dll

STEP 3: To generate a certificate request, run the command -
sapgenpse get_pse -v -r C:usrsapsaproutercertreq -p C:saprouterlocal.pse '<Distinguished Name>'

[In our case Distinguished Name =CN=***, OU=*****, OU=SAProuter, O=SAP, C=DE available at system data maintaince and also at www.service.sap.com /saprouter-sncadd
In this step certreq and local.pse files are created at C:saprouter folder

Note: We will be asked for a PIN code. Just pick our own 4 numbers, but we'll have to use the same PIN every time we are asked to enter one. This number is important because, the same number should be provided in future when our Saprouter secure certificate validity expires, so remember the PIN code. (In our case it is PIN:****)]

STEP 4: Then we have to follow the guide and request the certificate from
http://service.sap.com/saprouter-sncadd-> SAProuter Certificate

You may apply for a SAProuter certificate from the SAP Trust Center Service of SAP service marketplace http://service.sap.com/saprouter-sncadd
> SAP Trust Center Service in Detail > SAProuter Certificates

SAProuter Certificate 'Apply Now'

STEP 5: Copy the contents of the certreq file and paste the contents in the place provided there.

STEP 6: Then, clicked the 'Continue' button.

STEP 7: This will generate a certificate details: then copy the contents and create a file srcert (without any extension) in C:Saprouter and copy the certificate details and paste it in this file.

STEP 8: Run the command -
sapgenpse import_own_cert -c C:saproutersrcert -p C:saprouterlocal.pse

(This will create files dev_rout etc. In C:saprouter folder then create a file saprouttab (Without any extension and copy the following contents the file.

STEP 9: To generate credentials for the user that's running the SAProuter
service, run command:

sapgenpse seclogin -p C:saprouterlocal.pse -O administrator

(this will create the file 'cred_v2' in C:saprouter folder )

STEP 10: Check the configuration by running command:

sapgenpse get_my_name -v -n Issuer
(This should always give the answer 'CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE')
sapgenpse get_my_name(to find the validity of license)
STEP 11: Create SAProuter service on Windows with the command :(download ntscmgr from Sap note 618053) and run the command -

ntscmgr install SAProuter -b C:saproutersaprouter.exe -p
'service -r -R C:saproutersaprouttab -W 60000 -K ^p:<Distinguished Name>^'

STEP 12: Edit the Windows Registry key as below: (regedit)

MyComputerHKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSAProuterImagePath --> Change both the (^) to (')

RECOMMENDED TO RESTART

STEP 13: Start the SAProuter service (there maintain logon user details as administrator and password.)

STEP 14: Enter the below parameters in OSS1 -> Menu - Technical Settings

a). Click on Change -

Saprouter at Customer Site:

Name:
IP Address:
Instance no:

Saprouter at SAP:

Name:
IP Address:
Instance no:

Angela Watson

Save the settings.

Now you can log on to SAPNet by clicking on Logon to SAPNet.

Use your OSS ID and password.

Controls:
Start router : saprouter -r
Stop router : saprouter -s
Soft shutdown: saprouter -p
Router info : saprouter -l (-L)
new routtab : saprouter -n
toggle trace : saprouter -t
cancel route : saprouter -c id
dump buffers : saprouter -d
flush ' : saprouter -f

Saprouter Installation Step By Step Ladder

'IT >SAP' 카테고리의 다른 글