Step by Step for SNC SAPRouter Configuration


Step by Step Procedure for SAP Router SNC Configuration

Applies to:

SAP Router 7.0 configuration guide.

Summary

This document explains the step-by-step procedure for setting up SAP Router 7.0 with SNC technology on UNIX. It goes beyond the scope of the configuration guide for SAP Router and also explains what should be done before starting the configuration of SAP Router.

Author: Anil Bhandary

Company: Capgemini India

Created on: 22 June 2010

Author Bio

Anil Bhandary has around 3+ years of experience as an SAP NetWeaver technical consultant in the areas of ECC, SRM, EP, MDM, XI and Solution Manager. Currently working for capgemini.com


Table of Contents

Introduction
Prerequisites for configuring SAP Router
  Download SAP Cryptographic Binary from SAP Market Place
  Register IP and SAP Router hostname with SAP
Steps for Configuring SAP Router
  Create SAP Router Folder in /usr/sap
  Generating and Registering the Key and Certificate
  Importing the Certificate & Creating Credential
  Creating the credential for User responsible to start SAP Router
  Verifying the Configuration
Post Configuration Activity
How to Start & Stop SAP Router
  How to Start SAP Router
  How to Stop SAP Router
SAP Notes
Copyright


Introduction

Step-by-step configuration of SAP Router 7.00 on a UNIX platform (the same procedure can be used for configuring SAP Router on an NT platform).

Follow the procedure below to configure SAP Router:

Prerequisites for configuring SAP Router

Download SAP Cryptographic Binary from SAP Market Place

The cryptographic binary can be downloaded from the link below:

http://service.sap.com/swdc

Download SAP Cryptographic Software

After clicking on SAP Cryptographic Software, a new browser window opens, where you select and download the file that matches the OS platform on which you will configure SAP Router.

Register IP and SAP Router Hostname with SAP

First of all, get a public IP address from your network team. The public IP needs to be configured to your local SAP Router IP address. (This task will be done by your network team.)

Also get ports 3299 and 3298 opened from the SAP Router host IP to SAP AG.

SAP Router uses ports 3298 and 3299 for communication.

Raise an OSS with SAP under component XX-SER-NET-NEW with a description of registering the public IP address and host name of the SAP Router with SAP.

Use the ZSH shell in Linux to install and configure the SAPRouter.


Steps for Configuring SAP Router

Create SAP Router Folder in /usr/sap

On the <sap router host>, go to the location /usr/sap and create the saprouter folder:

# cd /usr/sap

# mkdir saprouter

Change the owner of the saprouter folder to <sid>adm:sapsys.

Copy the downloaded cryptographic binary to the saprouter folder and extract it using the SAPCAR executable:

# SAPCAR -xvf < Cryptographic Binary >

Give <sid>adm:sapsys ownership of all the files present in the saprouter folder and chmod them to 775.

Set the environment variable SECUDIR=/usr/sap/saprouter

Generating and Registering the Key and Certificate

Go to the link https://websmp201.sap-ag.de/SAPROUTER-SNCADD

Click on Apply Now!

Copy the Distinguished Name shown there; it is required for executing the command below.

Once you have copied the Distinguished Name from the above link, click on the Continue tab.

Generate the certificate request on the SAP Router OS with the following command:

# sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"

# sapgenpse get_pse -v -onlyreq -r certreq -p local.pse

You will get "<Your Distinguished Name>" from SAP Market Place when you log in with your S-USER. (This is generated after you raise an OSS with SAP for registering the SAP Router hostname.)

After executing the above command, you will find 2 additional files created in the saprouter folder, i.e. local.pse and certreq.

certreq contains the encrypted form of the key request.


Copy the content of certreq and paste the certificate request into the text area of the same form in the SAP Service Marketplace.

After pasting the content, click on REQUEST CERTIFICATE.

In response you will receive the certificate signed by the CA in the Service Marketplace. Cut and paste the text to a local file named srcert.

After copying the content of the certificate to the srcert file, copy the file to the saprouter folder and provide the necessary rights.

Importing the Certificate & Creating Credential

Once the file is copied to the saprouter folder, run the following import command to install the certificate in SAP Router:

# sapgenpse import_own_cert -c srcert -p local.pse

Creating the credential for User responsible to start SAP Router

After importing the certificate, create the credential for user <sid>adm, who will be responsible for starting and stopping SAP Router. Run the following command to do so:

# sapgenpse seclogin -p local.pse -O <sidadm>

The installation steps are completed after creating the credential for <SID>adm.

Verifying the Configuration

To confirm that SAP Router is installed successfully, run the following command:

# sapgenpse get_my_name -v -n Issuer

The output of the command should show the name of the Issuer as: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
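The PSE and the credential created by seclogin hold the router's private key material, so after the steps above it is worth listing which of those files are accessible beyond the owning <sid>adm account. The script below is an added example, not part of the original guide; local.pse is the name used here, while cred_v2 is assumed to be the credential file name written by sapgenpse seclogin.

```python
import os
import stat

# File names that hold private key material in SECUDIR. local.pse is the
# name used in this guide; cred_v2 is the credential file written by
# "sapgenpse seclogin" (assumed name; adjust if your release differs).
KEY_FILES = {"local.pse", "cred_v2"}


def audit_secudir(secudir, key_files=KEY_FILES):
    """Return (name, octal mode, problem) tuples, sorted by name, for key
    files in secudir that accounts other than the owner can access."""
    findings = []
    for name in sorted(os.listdir(secudir)):
        if name not in key_files:
            continue  # certreq and srcert carry no private key
        mode = stat.S_IMODE(os.stat(os.path.join(secudir, name)).st_mode)
        if mode & stat.S_IRWXO:
            findings.append((name, oct(mode), "accessible to other users"))
        elif mode & stat.S_IRWXG:
            findings.append((name, oct(mode), "accessible to group"))
    return findings


if __name__ == "__main__":
    # Falls back to the SECUDIR value used in this guide.
    secudir = os.environ.get("SECUDIR", "/usr/sap/saprouter")
    for name, mode, problem in audit_secudir(secudir):
        print(f"{name}: mode {mode}: {problem}")
```

An empty result means only the owner can read or write the key files.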

After confirming that SAP Router has been configured successfully, set the following environment variable, which is required to read the cryptographic library when starting SAP Router.


Post Configuration Activity

Set the environment variable SNC_LIB=/usr/sap/saprouter/libsapcrypto.so

Once configuration is done, one of the important post-installation steps is to create SAPROUTTAB.

SAPROUTTAB is a permission file that holds the information about who is allowed to communicate through SAP Router.

Create a file with the name saprouttab and copy it to the /usr/sap/saprouter folder.

The following is example content of saprouttab:

# SNC connection to and from SAP

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC-connection from SAP to local system for R/3-Support

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" < sap server ip > < port >

# Access from your local Network to SAP

P < sap server ip > 194.39.131.34 3299

# All other connections will be denied

#D * * *

< sap server ip > is the IP address of the SAP server that needs to be accessed via SAP Router.

< port > is the port of the SAP application, e.g. 3200 (dispatcher port).

D * * * means reject all connections except the entries for the server IPs mentioned in saprouttab.
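To review a saprouttab before the router is started, the following added example (not from the original guide) parses the table and reports which entry decides a given connection and which permit entries use a bare wildcard. It assumes SAProuter's documented behaviour that the first matching entry decides and that a route with no entry is denied; only the * wildcard is modelled, and 10.0.0.5 and 3200 are constructed stand-ins for the placeholders above.

```python
import shlex
from fnmatch import fnmatchcase

# Constructed sample modelled on the saprouttab above; 10.0.0.5 and 3200
# stand in for the <sap server ip> and <port> placeholders.
SAMPLE = '''\
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC-connection from SAP to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.0.0.5 3200
# Access from your local Network to SAP
P 10.0.0.5 194.39.131.34 3299
# All other connections will be denied
#D * * *
'''

KINDS = {"P", "S", "D", "KP", "KS", "KD", "KT"}


def parse(text):
    """Return (kind, peer, dest_host, dest_serv) tuples. peer is the SNC
    name for K* entries and the source host for P/S/D entries."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = shlex.split(line)  # keeps the quoted SNC name as one field
        if f[0].upper() not in KINDS or len(f) < 4:
            raise ValueError(f"line {n}: malformed entry: {line!r}")
        rules.append((f[0].upper(), *f[1:4]))
    return rules


def decide(rules, peer, host, serv):
    """First matching permission entry wins; no match means deny (assumed)."""
    for kind, r_peer, r_host, r_serv in rules:
        if kind == "KT":  # selects SNC for a destination, grants nothing
            continue
        if (fnmatchcase(peer, r_peer) and fnmatchcase(host, r_host)
                and fnmatchcase(str(serv), r_serv)):
            return ("deny" if kind.endswith("D") else "permit", kind)
    return ("deny", "implicit")


def wide_open(rules):
    """Permit entries whose destination host or service is a bare '*'."""
    return [r for r in rules if r[0] in ("P", "S", "KP", "KS") and "*" in r[2:4]]
```

Because the first match decides, a broad permit placed above a D line shadows it; decide() shows this for any table passed through parse().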

Adding Service in Services File

Add the following line to the /etc/services file on all SAP servers:

sapdp99 3299/tcp

How to Start & Stop SAP Router

Now for one of the important commands, for which we have done all of the above exercise, i.e. how to start and stop SAP Router.

How to Start SAP Router

Run the following command to Start SAP Router

# saprouter -r -S 3299 -V 3 -K "p:CN=<saprouter hostname>, OU=< Customer number >, OU=SAProuter,O=SAP, C=DE" &

The CN value above is the Distinguished Name that you checked on SAP Market Place earlier.

Check the log file dev_rout in the /usr/sap/saprouter folder, which will show you whether SAP Router has started.

How to Stop SAP Router

Run the following command to Stop SAP Router

# saprouter -s

How to Test SAP Router

Run the following commands to test the connection

# niping -c -H /H/<user SAPRouter internal IP>/H/<SAP SAPRouter IP>/H/<SAP SAPRouter IP>

ex.: # niping -c -H /H/192.168.1.155/H/194.39.131.34/H/194.39.131.34

# niping -c -O -H /H/<user SAPRouter internal IP>/S/sapdp99/H/<SAP SAPRouter IP>/S/sapdp99/H/OSS001/S/3301


Related Content

http://service.sap.com/saprouter

http://service.sap.com/saprouter-sncdoc

http://help.sap.com/saphelp_nw70/helpdata/en/4f/992dbd446d11d189700000e8322d00/content.htm

http://help.sap.com/saphelp_nw04/helpdata/en/4f/992ce8446d11d189700000e8322d00/frameset.htm

SAP Notes

Note 30289: SAProuter Documentation

Note 525751: Installation of the SNC-SAPRouter as NT Service

Note 46902: Security aspects in remote access

Note 48243: Integrating SAProuter into a firewall

Note 33135: Guidelines for OSS1 (Version for SAPSERV3)

Note 35010: Service connections: Composite note


Copyright

© Copyright 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
