Configure SAProuter

Starting SAProuter

To start SAProuter: from the UNIX prompt, enter saprouter -r.

This command starts SAProuter and loads the file saprouttab (route permission table), which defines access control. If this file does not exist, you need to create it.

A route permission table must be used as of version 25 of the SAProuter.

You can start SAProuter automatically when you start the system. In UNIX, for example, change your file /etc/rc accordingly.

The main SAProuter commands are:

  • saprouter: Display a complete list of the SAProuter parameters (all options and examples of a route permission table) on your screen
  • saprouter -r: Start SAProuter
  • saprouter -s: Stop SAProuter

Testing Basic SAProuter Functions

Before you work with SAProuter, you should check for any network problems.

You will need the programs saprouter and niping, and three open windows (shells) on one or more computers.

  1. Start SAProuter in window 1 (on host1) by entering the command: saprouter -r.

    This command starts SAProuter without parameters.

    Refer also to the online help for a complete list of SAProuter commands. To get online help, type saprouter.

  2. In window 2 (host2), start the test program niping to emulate a test server by entering the command: niping -s

  3. In window 3 (host3), start the test program niping to emulate a client by entering the command: niping -c -H host2

    This command tests the connection without the SAProuter, that is, directly between host2 and host3.

  4. In window 3, restart the test program niping by entering the command: niping -c -H /H/host1/H/host2

    This command tests the connection with SAProuter. A host name is interpreted as a route (via one or more SAProuters to the server) if the host name is preceded by /H/.

    In steps 3 and 4 several data packets are sent to the server and then returned by the server.

Self-Test for the Local Host

To carry out a self-test for the local host:

  1. Stop all active niping servers and clients
  2. Enter the command niping -t

A list is displayed with function names, parameters and return codes.

The following message appears if the self-test is successful: "*** SELFTEST O.K. ***"

Define Passwords & Authorizations in SAProuter

You set passwords and access permissions for your system in user-defined files known as route permission tables. You use a standard text editor to create a route permission table.

You can allow access to and from specified application servers in your LAN via your SAProuter. You can also password protect the routes you define. To do this, you must create and configure a separate route permission table for each SAProuter in your network.

A route permission table contains the host names and port numbers of the preceding and subsequent point of the route, and any passwords required to make the connection.

Entries in a route permission table look like this:

<P/D> <source-host> <dest-host> <dest-serv> <password>

Here, <source-host> and <dest-host> could be SAProuters.

P(ermit) allows SAProuter to build the connection. P(ermit) entries can include a password. SAProuter checks that this password matches the password sent by the client.

D(eny) prevents the connection from being built.

You can also include comment lines, which must begin with '#'.

If a client of <source-host> wants to connect with <dest-host> <dest-serv> via a SAProuter, the SAProuter checks its route permission before making the connection. If the password and route that SAProuter receives are identical to the entries in the route permission table, SAProuter will make the connection. If the passwords are not identical, SAProuter will not make the connection.

If no route permission table was assigned explicitly to the SAProuter, ./saprouttab is used. If this file is not available, connections are made without a check, that is, all connections are allowed. 

You can include wildcards ("*") in hosts, ports and passwords.

You can include subnetworks in host routes.

Examples:

Address            Description
156.56.*.*         all host addresses beginning with 156.56
133.27.17.*        all host addresses beginning with 133.27.17
156.56.1011xxxx    all host addresses from 156.56.176.* to 156.56.191.* (this is a binary interpretation of the third byte of the address; 'x' is a binary wildcard)

You can display a sample route permission table on your screen. To do this, call the SAProuter online help: saprouter.

If there are several suitable entries, the first one is selected. This is important for the sequence of the permit/deny rules.
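
The matching rules above (wildcards, the binary subnet form and first-match ordering) can be checked offline with a small evaluator before a table is deployed. This is an added example, not SAP code or part of the original page; the sample table, its addresses and its password are constructed. Two behaviours are assumptions: a request that matches no entry is refused, and a password mismatch on the first matching entry refuses the connection.

```python
import re
# Constructed sample table (not from the page); "example-pw" is a placeholder.
SAMPLE_TABLE = """\
# support subnet may reach one server port, password required
P 156.56.1011xxxx 10.0.0.5 3200 example-pw
D 133.27.17.* * *
P 133.27.17.9 10.0.0.5 3200
P * * *
"""

def parse_table(text):
    """Return (line_no, action, src, dst, serv, password) per entry."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if fields[0] not in ("P", "D") or not 4 <= len(fields) <= 5:
            raise ValueError(f"line {no}: malformed entry {line!r}")
        rules.append((no, *fields[:4], fields[4] if len(fields) == 5 else None))
    return rules

def host_matches(pattern, addr):
    """Match an IPv4 address against '*', dotted wildcards or a binary octet."""
    octets = addr.split(".")
    if pattern == "*" or len(octets) != 4:
        return pattern in ("*", addr)  # host names: exact match only
    parts = pattern.split(".")
    for i, octet in enumerate(octets):
        part = parts[i] if i < len(parts) else "*"  # omitted trailing octets
        if re.fullmatch(r"[01x]{8}", part):  # binary form, e.g. 1011xxxx
            if any(p not in ("x", b) for p, b in zip(part, format(int(octet), "08b"))):
                return False
        elif part not in ("*", octet):
            return False
    return True

def decide(rules, src, dst, serv, password=None):
    """First entry whose route matches decides; returns (verdict, line_no)."""
    for no, action, r_src, r_dst, r_serv, r_pw in rules:
        if host_matches(r_src, src) and host_matches(r_dst, dst) and r_serv in ("*", serv):
            ok = action == "P" and (r_pw in (None, "*") or r_pw == password)
            return ("permit" if ok else "deny"), no
    return "deny", None  # assumption: no matching entry, no connection

def open_permits(rules):
    """Line numbers of password-less permits that match every route."""
    return [r[0] for r in rules
            if r[1:5] == ("P", "*", "*", "*") and r[5] in (None, "*")]
```

In the sample table the permit for 133.27.17.9 on line 4 never takes effect because the deny on line 3 matches first, and the final P * * * entry permits every route not handled earlier.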

Additional SAProuter Options

Getting SAProuter information from remote computers

You can display a list of all currently active clients in an active SAProuter.

To get a list of the clients for an active SAProuter:

Enter the command: saprouter -l -H host -P password.

If required, you can define a password in the route permission table. If no host name is specified, the program will connect via localhost to the SAProuter on the same host. If the query does not come from the same host, the SAProuter checks whether its route permission table allows the combination: <other_host> localhost <router_service>. This entry can also include a password. The password is checked against the information password sent by the calling program. The host name can also contain a route.

Logging connections

SAProuter can log the following information:

  • connection from (client name / address)
  • connection to (partner name / address) 
  • partner service 
  • start time 
  • end time 
  • connection requests rejected by the route permission table

Changing the name of the route permission table

When you start your SAProuter, you can specify a route permission table other than the default "saprouttab" using the option -R: saprouter -r -R aclfile (aclfile is the name of the file containing the route permission table). This is helpful when you need multiple route permission profiles.

Changing the timeout default value for connection setup

When you start your SAProuter, you can change the default timeout setting of five seconds for the connection setup using the option -W: saprouter -r -W timeout (timeout is the new timeout in milliseconds). Use this option if you have problems with dynamically established connections via ISDN or network providers.