SAProuter is a software application that provides a remote connection between our customer's network and SAP. SAProuter can be used to:
SAProuter can be used with traditional SAP products as well as analytics solutions and offerings acquired from Sybase. For a comprehensive list of which SAP Business Analytics products benefit from SAProuter connections, see SAP Note 1478974.
SAProuter controls access to your network at the application level and is a useful enhancement to an existing firewall system (port filter).
You must use SAProuter to control and log the connections between SAP and your R/3 System.
The only pre-requisite for using SAProuter is a network connection from the customer's network to the SAP network.
In order to establish this it will be necessary to first coordinate with the SAP network team to prep your environment. To best facilitate this request it's vital that you ensure the following:
It is key for SAP to offer the Services and Support for your solution in a safe, fast and auditable way. Therefore customers will profit from the following benefits:
SAP, together with the network providers, strives to offer the highest possible security for accessing customer networks via WAN (wide area network) connections. Maximum security against unauthorized access to customer systems and local networks via a WAN connection is only guaranteed, however, if the customer also undertakes specific measures and observes all security guidelines.
Customers are primarily responsible for complying with all necessary security measures. SAP can only provide the highest security possible if customers consistently comply with all security measures.
SAProuter is an SAP software program for controlling and monitoring communication between internal and external networks. Because SAP routes all accesses to internal systems and all maintenance connections via a corresponding SAProuter, the connection between SAP and the customer is reduced to a single SAProuter - SAProuter connection.
Special server certificates can be issued to validate Internet connections set up for support purposes between your company and SAP using the SAProuter. In general, they are used for server authentication for encrypted data transfer within mySAP.com using the Generic Security Services API interface (GSS-API).
SAProuter certificates are available free of charge from the SAP Support Portal.
A route is defined for SAProuter in the form of a route string, which must observe specific syntax rules. A route string contains an entry, or substring, for each SAProuter and for the target server. Each substring contains the information that SAProuter needs to make a connection in the route: the host name, the port name, and the password, if supplied.
A route string can look like this: /H/host/S/service/P/pass
Each substring begins with /H/, which indicates the host name. You can optionally specify a service after each host name. The service name is preceded by /S/. The substring can then include a password, which is preceded by /P/.
By default, route strings are sent without a password. The default value for service is "3299", and the default password is "" (empty).
The diagram below shows a sample connection between SAP and a customer system. In this example, an SAP service engineer working at sappc needs to log on to a customer application server yourapp, which offers or uses the service sapservice.
The SAP service engineer logs onto R/3 and connects sappc to yourapp via the SAProuter on saprouter and the customer's SAProuter yoursaprouter.
yoursaprouter requires the password pass_to_app for connections to yourapp.
The route string looks like this: /H/saprouter/H/yoursaprouter/H/yourapp/S/
This route string is interpreted by SAProuter as follows:
|Substring 2||/H/yoursaprouter||/S/default||<no password>|
The connection from sappc to the application server is made in the following stages:
|sappc (frontend)||builds the connection to the SAProuter on saprouter according to substring 1, and passes on the remainder of the route information.|
|saprouter||checks whether the route sappc to yoursaprouter, 3299 is permitted, builds the connection to the SAProuter on yoursaprouter, and passes on substring 3.|
|yoursaprouter||(SAProuter) checks whether the route saprouter to yourapp, sapservice is permitted. The password pass_to_app is also checked. SAProuter then builds the connection to the application server.|
SAProuter always checks only the previous host name or IP address and the next substring (/H/.../S/.../P/...) for the host name or IP address, service and password. No password is used in the first substring, since the client is accessing itself.
If the /S/ part is missing, the default SAProuter port number is used.
If the /P/ part is missing, no password is used.
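The parsing and per-hop checking rules above, as an added example (not SAP code and not part of the original page). The function names, the client name parameter and the sample route string are assumptions made for illustration; only the /H/, /S/ and /P/ markers described on this page are handled.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

DEFAULT_SERVICE = "3299"                      # default service stated on the page
_FIELD = re.compile(r"/([HSP])/([^/]*)")      # only the three markers the page describes

@dataclass
class Hop:
    host: str
    service: str = DEFAULT_SERVICE
    password: str = ""                        # default: empty, no password

def parse_route(route: str) -> list[Hop]:
    """Split a route string into one Hop per /H/ substring, applying defaults."""
    if not re.fullmatch(r"(?:/[HSP]/[^/]*)+", route):
        raise ValueError("malformed route string")
    hops: list[Hop] = []
    for key, value in _FIELD.findall(route):
        if key != "P" and not value:
            raise ValueError(f"empty value after /{key}/")
        if key == "H":
            hops.append(Hop(host=value))
        elif not hops:
            raise ValueError(f"/{key}/ appears before the first /H/")
        elif key == "S":
            hops[-1].service = value
        else:
            hops[-1].password = value
    return hops

def hop_checks(hops: list[Hop], client: str) -> list[tuple[str, str, str, str, bool]]:
    """One entry per SAProuter in the chain:
    (checking router, previous host, next host, next service, password supplied)."""
    out = []
    for i in range(len(hops) - 1):            # the last hop is the target, not a router
        prev = client if i == 0 else hops[i - 1].host
        nxt = hops[i + 1]
        out.append((hops[i].host, prev, nxt.host, nxt.service, bool(nxt.password)))
    return out

def redact(route: str) -> str:
    """Mask /P/ values so a route string can be written to logs or tickets."""
    return re.sub(r"(/P/)[^/]*", r"\1***", route)

# Constructed sample built from the page's host names (not the page's own route string).
SAMPLE = "/H/saprouter/H/yoursaprouter/H/yourapp/S/sapservice/P/pass_to_app"

if __name__ == "__main__":
    for check in hop_checks(parse_route(SAMPLE), client="sappc"):
        print(check)
    print(redact(SAMPLE))
```

Because the password travels inside the route string itself, redact() is the form to use wherever route strings end up in logs, tickets or monitoring output.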
The S-user who requested the SAProuter certificate will receive a notification in their maintained e-mail inbox 30 days prior to the certificate's expiration.
In the SAProuter Certificate application, select the desired SAProuter and click the “View SAProuter Certificates” button.
The S-user can access the User Profile application in order to change their e-mail address. The SAProuter certificate notification will be sent to the user's e-mail maintained there.
No. The SAProuter certificate notification will be sent to the S-user's e-mail maintained in the user profile.
In the Manage Notifications application under the “SAPRouter Certificate” option.
In the SAProuter Certificate application, select the desired SAProuter and click the “View SAProuter Certificates” button. Select the desired SAProuter certificate and click the “Certificate Details” button.
The SAProuter certificates are displayed together with the expiry dates only if you have generated a manual certificate request (CSR) in the SAP ONE Support Launchpad (see 3.2 under Create the Credentials on the Install SAProuter page). However, if you have downloaded the generated PSE file from the SAP Support Portal in accordance with point 3.1 on that page, no certificate will be displayed under your customer number, as this is a secured file whose contents are not saved by SAP.
SAProuter certificates are issued with the sha256 algorithm and 2048 key length. These cannot be changed.