Configure SAProuter with SNC

Below find the necessary steps to download and install the SAP Cryptographic Library for use with SAProuter.

For License conditions of SAP Cryptographic Library please refer to SAP Note 597059.

Certificates signed by a CA provided by SAP are used only for the connection between SAProuters at SAP and the first SAProuter on customer sites.

For all other uses of SAPCRYPTOLIB for SNC in backend connections, customers are free to choose any CA of their preference or simply use self-signed certificates as proposed by SAP for SNC connections in general.

Download SAProuter

1. Log in to the SAP Support Portal with the S-User ID that is assigned to your installation.

2. Use the latest SAProuter version, which can be downloaded from the SAP Software Download Center.

On the Support Packages & Patches tab click:

A-Z Alphabetical List of Products > S > SAPROUTER > SAPROUTER (latest versions) > select OS from drop-down > select saprouter_XXX-XXXXXXXX.sar > Download Basket button

Notes:

  • On Linux, be sure to set the environment variable $LIBPATH to the SAProuter directory if needed
  • On Windows, possibly also implement SAP Note 1553465
  • On OS400, follow all instructions in SAP Note 2173275

3. Download the latest SAP Cryptographic Library from the SAP Software Download Center.

On the Support Packages & Patches tab click:

A-Z Alphabetical List of Products > S > SAPCRYPTOLIB > COMMONCRYPTOLIB (latest version) > select OS from drop-down > select SAPCRYPTOLIBP_xxxx-xxxxxxxx.SAR > Download Basket button

4. Download the SAPCAR executable, which is necessary to unpack SAR archives, from any Installation Kernel CD or from the SAP Software Download Center.

On the Support Packages & Patches tab click:

A-Z Alphabetical List of Products > S > SAPCAR > SAPCAR (latest version)
>your preferred O.S. version > SAPCAR_xxx-xxxxxxxx.EXE

5. Execute the command SAPCAR_XXX-XXXXXXXX.EXE -xvf saprouter_XXX-XXXXXXXX.sar which will unpack the following files:

  • saprouter[.exe]
  • niping[.exe]

6. Execute the command SAPCAR_XXX-XXXXXXXX.EXE -xvf SAPCRYPTOLIBP_XXXX-XXXXXXXX.SAR which will unpack the following files:

  • [lib]sapcrypto.[dll|so|sl]
  • sapgenpse[.exe]

Note:

  • SAP recommends that you unpack the SAPCRYPTOLIBP, SAPCAR and SAPROUTER files in the designated SAProuter directory.

Create the Credentials

1. Logged on as an administrator, set the environment variables SNC_LIB and SECUDIR:

UNIX
  • SECUDIR = <directory_of_SAProuter>
  • SNC_LIB = <path_to_libsecude>/<name_of_sapcrypto_library>

Windows NT, 2000, XP or higher
  • SECUDIR = <directory_of_SAProuter>
  • SNC_LIB = <drive>:\<path_to_libsecude>\sapcrypto.dll

Notes:

  • After configuring the variables in Windows, verify them with the command 'set'. In case the variables are not displayed as entered, reboot the server.
  • If the O.S. of SAProuter is OS400, implement SAP Note 2173275.

2. Go to the SAProuter application and from the list of SAProuters registered to your installation, choose the relevant SAProuter.

3. You then have two options:

3.1. Generate a PSE (preferred option):

a) You must provide a password, which will be used to create your SAProuter PSE;

b) Download the generated PSE and save it as "local.pse" in the same directory as the sapgenpse executable.

c) Skip the next step 3.2, and continue with step 4.

3.2. Submit a CSR (to be used if 3.1 fails):

a) Generate the certificate request with the following command:

sapgenpse get_pse -v -a sha256WithRsaEncryption -s 4096 -r certreq -p local.pse -x <pse password> "<Distinguished Name>"

Example:

sapgenpse get_pse -v -a sha256WithRsaEncryption -s 4096 -r certreq -p local.pse -x examplePassword "CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE"

Alternatively use either of these two commands:

  • sapgenpse get_pse -v -a sha256WithRsaEncryption -s 4096 -noreq -p local.pse -x <pse password> "<Distinguished Name>"
  • sapgenpse get_pse -v -onlyreq -r certreq -p local.pse -x <pse password>

b) Display the output file "certreq" and with copy & paste (including the BEGIN and END statement) insert the certificate request into the text area of the SAProuter application from which you copied the Distinguished Name.

c) In response you will receive the certificate signed by the CA in a new text area in the SAProuter application. Copy & paste the text to a new local file named "srcert", which must be created in the same directory as the sapgenpse executable.

d) With this in turn you can install the certificate in your SAProuter by calling:

sapgenpse import_own_cert -c srcert -p local.pse -x <pse password>

4. Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user_for_SAProuter>, the credentials are created for the logged in user account):

sapgenpse seclogin -p local.pse -x <pse password> -O <user_for_SAProuter>

Note: If you chose to generate a new PSE previously and you are replacing an old PSE file, then make sure to delete the old credential first:

sapgenpse seclogin -d <number of the old credential>

5. This will create a file called "cred_v2" in the same directory as "local.pse".

Notes:

  • The account of the service user should always be entered in full as <domainname>\<username>.
  • For increased security, check that the file can only be accessed by the user running SAProuter.
  • On UNIX, do not allow any other access (not even from the same group); this means permissions of 600 or even 400.
  • On Windows, check that the permissions are granted only to the user the service runs as.

6. Check if the certificate has been imported successfully with the following command:

sapgenpse get_my_name -v -n Issuer

The name of the issuer should be:

CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE

7. If this is not the case, delete the files "cred_v2", "local.pse", "srcert" and "certreq" and start over at item 2. If the output still does not match, create a case using component XX-SER-NET stating the actions you have taken so far and the output of the sapgenpse commands executed.

Required Actions Before Starting SAProuter

Check that the environment of the account running SAProuter contains the environment variables SNC_LIB and SECUDIR:

UNIX - printenv

Windows - System environment variables
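On UNIX, the pre-start checks just listed, together with the cred_v2 permission rules from the notes to step 5 (present next to local.pse, mode 600 or 400, owned by the SAProuter user), can be run as one script. The following is an added example and not SAP code; the function names and the expected_uid argument (the uid the SAProuter runs as) are this example's own.

```python
import os
import stat

# Added example, not SAP code: the UNIX pre-start checks the notes above ask for.
# expected_uid is this example's own name for the account SAProuter runs as.

def check_env(env):
    """SNC_LIB and SECUDIR must be set, and SNC_LIB must point at an existing library file."""
    problems = []
    for var in ("SNC_LIB", "SECUDIR"):
        if not env.get(var):
            problems.append(f"{var} is not set in the environment of the SAProuter account")
    snc_lib = env.get("SNC_LIB")
    if snc_lib and not os.path.isfile(snc_lib):
        problems.append(f"SNC_LIB does not point to a file: {snc_lib}")
    return problems

def check_cred_v2(secudir, expected_uid=None):
    """cred_v2 must sit next to local.pse in SECUDIR and be readable by its owner only."""
    problems = []
    if not os.path.isfile(os.path.join(secudir, "local.pse")):
        problems.append(f"local.pse missing in SECUDIR {secudir}")
    cred = os.path.join(secudir, "cred_v2")
    if not os.path.isfile(cred):
        problems.append(f"cred_v2 missing in SECUDIR {secudir}; run sapgenpse seclogin first")
        return problems
    st = os.stat(cred)
    mode = stat.S_IMODE(st.st_mode)
    if mode not in (0o600, 0o400):  # no group or other access, as the note requires
        problems.append(f"cred_v2 has mode {mode:03o}; expected 600 or 400")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"cred_v2 is owned by uid {st.st_uid}, not by the SAProuter user (uid {expected_uid})")
    return problems

def prestart_check(env, expected_uid=None):
    """Run both checks; an empty list means the SAProuter can be started."""
    problems = check_env(env)
    if env.get("SECUDIR"):
        problems += check_cred_v2(env["SECUDIR"], expected_uid)
    return problems

if __name__ == "__main__":
    uid = os.getuid() if hasattr(os, "getuid") else None
    for problem in prestart_check(dict(os.environ), uid):
        print(problem)
```

Run it from the SAProuter account itself so that the environment it inspects is the one the service will see.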

The corresponding file saprouttab, a local file that must be created manually and is normally placed in the main SAProuter directory, must contain at least the following entries:

Example SAPROUTTAB for SNC connections registered to sapserv2 in Germany

# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC connection to local system for R/3-Support
# R/3 Server: 192.168.1.1
# R/3 Instance: 00
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200 (optional SAProuter password)

# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 192.168.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389 (optional SAProuter password)

# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 192.168.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23 (optional SAProuter password)

# SNC connection to local Portal system for URL access, if applicable
# Portal server: myserver.mydomain
# Port number: 50003
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" myserver.mydomain 50003

# Access from the local Network to SAP
P 192.168.*.* 194.39.131.34 3299

# deny all other connections
D * * *

Example SAPROUTTAB for SNC connections registered to sapserv9 in Singapore

# SNC connection to and from SAP
KT "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 169.145.197.110 *

# SNC connection to local system for R/3-Support
# R/3 Server: 192.168.1.1
# R/3 Instance: 00
KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200 (optional SAProuter password)

# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 192.168.1.2
# Default WTS port: 3389
KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389 (optional SAProuter password)

# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 192.168.1.3
# Default Telnet port: 23
KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23 (optional SAProuter password)

# SNC connection to local Portal system for URL access, if applicable
# Portal server: myserver.mydomain
# Port number: 50003
KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" myserver.mydomain 50003

# Access from the local Network to SAP
P 192.168.*.* 169.145.197.110 3299

# deny all other connections
D * * *
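Both example tables above follow the same pattern, and a saprouttab should be reviewed for it before the SAProuter is started: every rule type is known, each K rule carries its SNC name in printable form (p:...), all SNC rules name the same sapserv partner (a table mixing sapserv2 and sapserv9 is a copy-paste error), no permit rule opens any destination host on any port, and the last line is the deny-all rule. The linter below is an added example and not SAP code; SAMPLE_TAB is a constructed table containing those defects, and RULE_TYPES lists the rule types of the saprouttab syntax, of which this page uses P, D, KT and KP.

```python
import shlex

# Constructed sample, not from the page: a sapserv9 table with two defects
SAMPLE_TAB = """\
# SNC connection to and from SAP
KT "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 169.145.197.110 *
# SNC connection to local system for R/3-Support
KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200
# Portal entry whose partner name does not match the rest of the table
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" myserver.mydomain 50003
# Access from the local Network to SAP
P 192.168.*.* 169.145.197.110 3299
P * * *
D * * *
"""

# Rule types of the saprouttab syntax; this page uses P, D, KT and KP.
RULE_TYPES = {"P", "S", "D", "KT", "KP", "KD", "KS"}

def parse_saprouttab(text):
    """Return (lineno, rule_type, args) per rule; '#' comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # a quoted DN stays one token
        if tokens:
            rules.append((lineno, tokens[0], tokens[1:]))
    return rules

def lint_saprouttab(text):
    """Return a list of findings; an empty list means the table passed every check."""
    findings = []
    rules = parse_saprouttab(text)
    partners = {}  # SNC partner name -> line numbers that use it
    for lineno, rtype, args in rules:
        if rtype not in RULE_TYPES:
            findings.append(f"line {lineno}: unknown rule type {rtype!r}")
        elif len(args) < 3:
            findings.append(f"line {lineno}: expected <source or SNC name> <destination> <port>")
        elif rtype.startswith("K"):
            if not args[0].startswith("p:"):
                findings.append(f"line {lineno}: SNC name must be in printable form (p:CN=...)")
            partners.setdefault(args[0], []).append(lineno)
        elif rtype == "P" and args[1] == "*" and args[2] == "*":
            findings.append(f"line {lineno}: permit rule allows any destination host and port")
    if len(partners) > 1:
        names = "; ".join(f"{dn} (lines {lines})" for dn, lines in sorted(partners.items()))
        findings.append(f"SNC rules name more than one partner, check for a copy-paste error: {names}")
    if not rules or rules[-1][1] != "D" or rules[-1][2][:3] != ["*", "*", "*"]:
        findings.append("table does not end with the explicit deny-all rule: D * * *")
    return findings
```

Run lint_saprouttab on the contents of your own saprouttab; the "(optional SAProuter password)" placeholders in the tables above are tokenised as extra words and do not affect the checks.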

 

Start the SAProuter with the following command line (to start the SAProuter as a Windows service, follow the steps described in SAP Note 525751):

saprouter -r -K "p:<Distinguished Name>"

-K tells the SAProuter to load the SNC library at start-up.

<Distinguished Name>: you can find this parameter on the certification webpage after you click the Apply Now button.

Example

saprouter -r -K "p:CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE"

If you omit -S <port>, the process is started on the default port 3299.

Note:

If the O.S. of SAProuter is OS400, implement SAP Note 1818735.

If SAProuter fails to start, also install the C-runtime packages as described here: C-runtimes needed to run SAP executables.