SAProuter

SAProuter is a software application that provides a remote connection between our customer's network and SAP. SAProuter can be used to:

  • Improve network security, e.g. by using a password or by only allowing encrypted connections from known sources
  • Control and log the connections to your SAP system
  • Set up an indirect connection when programs involved cannot communicate with each other due to the network configuration
  • Increase performance and stability by reducing the SAP system workload within a local area network (LAN) when communicating with a wide area network (WAN)

SAProuter can be used with traditional SAP products as well as analytics solutions and acquisitions. For a comprehensive list of which SAP Business Analytics products benefit from SAProuter connections, see SAP Note 1478974.

SAProuter controls access to your network on application level and is a useful enhancement to an existing firewall system (port filter).

Uses of SAProuter

You can use SAProuter to:

  • Establish an indirect connection if the network configuration does not allow the communicating programs to reach each other directly due to a lack of official IP addresses or firewall system restrictions.
  • Improve network security by password-protecting your connection and your data from unauthorized access from beyond your network boundaries and by allowing access only from a specified SAProuter.
  • Improve performance and stability by reducing the load on the SAP System within a local area network (LAN) when communicating with a wide area network (WAN).
  • Control and log network connections.  

You must use SAProuter to control and log the connections between SAP and your R/3 System.

SAProuter Prerequisites

The only prerequisite for using SAProuter is a network connection from the customer's network to the SAP network.

In order to establish this it will be necessary to first coordinate with the SAP network team to prep your environment. To best facilitate this request it's vital that you ensure the following:

New Connection Requirements

  • You must have or be able to provide a contact that has a basic knowledge of the operating system, prior to logging a ticket for SAProuter network configuration
  • You will not require network experience but should have an internal contact that can be called upon to assist, should it become necessary
  • For establishing your VPN, you must be able to log in to the SAProuter host, so you may need assistance from your IPSEC administrator
  • For IPSEC, you must have two public IPs available
  • SAP Note 28976 must be completed in order to register your new SAProuter installation

Existing Connection Requirements

  • You must be able to or have someone available who can log onto the SAProuter.
  • You must be able to log in to the hardware for the physical connection to SAP.
  • You will need your network administrator to log on to the SAProuter host.

Security

It is key for SAP to offer the Services and Support for your solution in a safe, fast and auditable way. Therefore customers will profit from the following benefits:

  • Customers have full control over open connections
  • Various encryption mechanisms are available
  • Every remote connection to a customer system is logged

SAP, together with the network providers, strives to offer the highest possible security for accessing customer networks via WAN (wide area network) connections. Maximum security against unauthorized access to customer systems and local networks via a WAN connection is only guaranteed, however, if the customer also undertakes specific measures and observes all security guidelines.

Customers are primarily responsible for complying with all necessary security measures. SAP can only provide the highest security possible if customers consistently comply with all security measures.

SAProuter Certificates

SAProuter is an SAP software program for controlling and monitoring communication between internal and external networks. Because SAP routes all accesses to internal systems and all maintenance connections via a corresponding SAProuter, the connection between SAP and the customer is reduced to a single SAProuter - SAProuter connection.

Encrypt your data transfer

Special server certificates can be issued to validate Internet connections set up for support purposes between your company and SAP using the SAProuter. In general, they are used for server authentication for encrypted data transfer within mySAP.com using the Generic Security Services API interface (GSS-API).

SAProuter certificates are available free of charge from the SAP Support Portal.

Processing Route Strings

A route is defined for SAProuter in the form of a route string, which must observe specific syntax rules. A route string contains an entry, or substring, for each SAProuter and for the target server. Each substring contains the information that SAProuter needs to make a connection in the route: the host name, the port name, and the password, if supplied.

A route string can look like this: /H/host/S/service/P/pass

Each substring begins with /H/, which indicates the host name. You can optionally specify a service after each host name. The service name is preceded by /S/. The substring can then include a password, which is preceded by /P/.

By default, route strings are sent without a password. The default value for service is "3299", and the default password is "" (empty).

The diagram below shows a sample connection between SAP and a customer system. In this example, an SAP service engineer working at sappc needs to log on to a customer application server yourapp, which offers or uses the service sapservice.

Dial-in of an SAP employee into a customer system

The SAP service engineer logs onto R/3 and connects sappc to yourapp via the SAProuter on saprouter and the customer's SAProuter yoursaprouter.

yoursaprouter requires the password pass_to_app for connections to yourapp.

The route string looks like this: /H/saprouter/H/yoursaprouter/H/yourapp/S/sapservice/P/pass_to_app


This route string is interpreted by SAProuter as follows:

             Host/Address        Service/Port     Password
Substring 1  /H/saprouter        /S/default
Substring 2  /H/yoursaprouter    /S/default       <no password>
Substring 3  /H/yourapp          /S/sapservice    /P/pass_to_app

The connection from sappc to the application server is made in the following stages:

  • sappc (frontend) builds the connection to the SAProuter on saprouter according to substring 1, and passes on the remainder of the route information.
  • saprouter (SAProuter) checks whether the route sappc to yoursaprouter, 3299 is permitted, builds the connection to the SAProuter on yoursaprouter, and passes on substring 3.
  • yoursaprouter (SAProuter) checks whether the route saprouter to yourapp, sapservice is permitted. The password pass_to_app is also checked. SAProuter then builds the connection to the application server.

SAProuter always checks only the previous host name or IP address and the next substring (/H/.../S/.../P/...) for the host name or IP address, service and password. No password is used in the first substring, since the client is accessing itself.

If the /S/ part is missing, the default SAProuter port number is used. 
If the /P/ part is missing, no password is used.
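
The interpretation rules above, written out as an added example (not SAP code): a parser that applies the defaults from this section, lists what each SAProuter in the route checks, and masks /P/ values before a route string is written to a log. The function names are hypothetical, only the /H/, /S/ and /P/ markers described on this page are handled, and values are assumed not to contain "/".

```python
import re
from dataclasses import dataclass

DEFAULT_SERVICE = "3299"                 # default service stated on this page
TOKEN = re.compile(r"/([HSP])/([^/]*)")  # assumption: values contain no "/"

@dataclass
class Hop:
    host: str
    service: str = DEFAULT_SERVICE
    password: str = ""                   # default password is empty

def parse_route(route: str) -> list[Hop]:
    """Split a route string into one Hop per /H/ substring, applying defaults."""
    hops, pos = [], 0
    while pos < len(route):
        m = TOKEN.match(route, pos)
        if not m:
            raise ValueError(f"unparseable route string at offset {pos}")
        key, value = m.groups()
        if key == "H":
            if not value:
                raise ValueError("empty host name")
            hops.append(Hop(host=value))
        elif not hops:
            raise ValueError("each substring must begin with /H/")
        elif key == "S":
            hops[-1].service = value or DEFAULT_SERVICE
        else:
            hops[-1].password = value
        pos = m.end()
    if not hops:
        raise ValueError("empty route string")
    return hops

def router_checks(client: str, hops: list[Hop]) -> list[tuple]:
    """For every SAProuter on the route, return what it validates:
    (router, previous host, next host, next service, password supplied?)."""
    checks, previous = [], client
    for here, nxt in zip(hops, hops[1:]):
        checks.append((here.host, previous, nxt.host, nxt.service, bool(nxt.password)))
        previous = here.host
    return checks

def redact_route(route: str) -> str:
    """Mask every /P/ value so the route string can be logged safely."""
    return re.sub(r"/P/[^/]*", "/P/***", route)

# Route string from the example in this section
SAMPLE = "/H/saprouter/H/yoursaprouter/H/yourapp/S/sapservice/P/pass_to_app"
```

Because the password travels inside the route string, run anything that records route strings (connection logs, tickets, shell history) through a mask like `redact_route` first.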

SAProuter Certificate FAQs

The S-user who requested the SAProuter certificate will receive a notification 30 days prior to the certificate's expiration at their maintained e-mail address.

In the SAProuter Certificate application, select the desired SAProuter and click the “View SAProuter Certificates” button.

 

The S-user can access the User Profile application in order to change their e-mail address. The SAProuter certificate notification will be sent to the user's e-mail maintained there.

No. The SAProuter certificate notification will be sent to the S-user's e-mail maintained in the user profile.

In the Manage Notifications application under the “SAProuter Certificate” option.

 

In the SAProuter Certificate application, select the desired SAProuter and click the “View SAProuter Certificates” button. 

The SAProuter certificates are displayed together with the expiry dates only if you have generated a manual certificate request (CSR) in SAP for Me (see 3.2 under Create the Credentials on the Install SAProuter page). However, if you have downloaded the generated PSE file from the SAP Support Portal in accordance with point 3.1 on that page, no certificate will be displayed under your customer number, as this is a secured file whose contents are not saved by SAP.

SAProuter certificates are issued with the sha256 algorithm and 4096 key length. These cannot be changed.