
SAP Router

This document provides detailed instructions for installing the sapcrypto library and starting the SAProuter, including downloading necessary software from the SAP Service Marketplace and creating a certificate request. It outlines the steps for configuring environment variables, generating a certificate, and ensuring proper permissions for security. Additionally, it describes how to start the SAProuter with the appropriate command line and configure the 'saprouttab' file for connections.

Uploaded by

pauline
Copyright
© © All Rights Reserved

Installing the sapcrypto library and starting the SAProuter


Contents

• Downloading necessary software components from SAP Service Marketplace
• Creating the certificate request
• Additional actions necessary before you can start saprouter

This section describes the necessary steps to download and install the sapcrypto library
for use with saprouter. The saprouter must be started with the options described later in
this section.

The license for the sapcrypto library covers saprouter connections between saprouters
at SAP and the first saprouter on customer sites and backend connections within the
customer's network. For all other purposes the library CANNOT be used!

Downloading necessary software components from SAP Service Marketplace

1. Login to the SAP Service Marketplace with the Service Marketplace USERID
which is assigned to your installation.
2. Use the latest SAProuter version, which can be downloaded from SAP Service
Marketplace (alias /SWDC).
3. Change to the alias /SAPROUTER-SNCADD. Before you can download the
software components two preconditions must be met:
a. You must have been allowed to download the software. This authorization
is added as soon as SAP has received a positive statement from the
"Bundesausfuhramt" (German Federal Export Office). This procedure is
necessary since the software falls under EU regulations.
b. For more information on how to obtain authorization if download is not
possible see note 397175.
c. You must accept that you must follow the regulations imposed by the EU
on the use and distribution of the cryptographic software components
downloaded from the SAP Service Marketplace.
d. The acceptance of the terms and conditions is logged with your USERID
and stored for reporting purposes to the "Bundesausfuhramt".
4. Click on “Download Area” > “SAP Cryptographic Software” and select the
correct sapcrypto library for your SAProuter "<op-sys>". Save the file to the
directory where the SAProuter executable is located.
5. You can get the file car.exe/sapcar.exe, which is necessary to unpack the archive,
from any Installation Kernel CD.
Executing the command
car -xvf SAPCRYPTO.CAR
will unpack the following files:
[lib]sapcrypto.[dll|so|sl]
sapgenpse[.exe]
ticket

Creating the certificate request

1. As user <snc_adm> set the environment variables SNC_LIB and SECUDIR:

UNIX:
    SECUDIR = <directory_of_saprouter>
    SNC_LIB = <path_to_libsecude>/<name_of_sapcrypto_library>

WINDOWS NT, 2000, XP or higher:
    SECUDIR = <directory_of_saprouter>
    SNC_LIB = <drive>:\<path_to_libsecude>\ntia64\sapcrypto.dll or
              <drive>:\<path_to_libsecude>\ntintel\sapcrypto.dll or
              <drive>:\<path_to_libsecude>\nt-x86_64\sapcrypto.dll
    NOTE: After configuring the variables in Windows, you have to
    reboot this server before you continue.
2. Change to the alias SAPROUTER-SNCADD. From the list of SAProuters
registered to your installation, choose the relevant “Distinguished Name”.
3. Generate the certificate request with the command:
sapgenpse get_pse -v -r certreq -p local.pse "<Distinguished Name>"

Example:
sapgenpse get_pse -v -r certreq -p local.pse "CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE"

Alternatively use the two commands:

sapgenpse get_pse -v -noreq -p local.pse "<Distinguished Name>"
sapgenpse get_pse -v -onlyreq -r certreq -p local.pse

You will be asked twice for a PIN here. Please choose a PIN and document it; you
have to enter it identically both times. Then you will have to enter the same PIN
every time you want to use this PSE.
4. Display the output file "certreq" and with copy&paste (including the BEGIN and
END statement) insert the certificate request into the text area of the same form
on the SAP Service Marketplace from which you copied the Distinguished Name.
5. In response you will receive the certificate signed by the CA in the Service
Marketplace. Copy&paste the text to a new local file named "srcert", which must
be created in the same directory as the sapgenpse executable.
6. With this in turn you can install the certificate in your saprouter by calling:
sapgenpse import_own_cert -c srcert -p local.pse
7. Now you will have to create the credentials for the SAProuter with the same
program (if you omit -O <user_for_saprouter>, the credentials are created for the
logged in user account).
sapgenpse seclogin -p local.pse -O <user_for_saprouter>
Note: The account of the service user should always be entered in full
<domainname>\<username>
8. This will create a file called "cred_v2" in the same directory as "local.pse".
For increased security please check that the file can only be accessed by
the user running the SAProuter.
Do not allow any other access (not even from the same group)!
On UNIX this will mean permissions being set to 600 or even 400!
On WINDOWS check that the permissions are granted only to the
user the service is running as!
9. Check if the certificate has been imported successfully with the following
command:
sapgenpse get_my_name -v -n Issuer
The name of the Issuer should be:
CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
10. If this is not the case, delete the files "cred_v2" and "local.pse" and start over at
Item 3. If the output still does not match please open a customer message in
component XX-SER-NET stating the actions you have taken so far and the output
of the commands 3.,6.,7. and 9.
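
The permission check from step 8 can be scripted for UNIX. The following is an added example, not part of the original document or of SAP's tooling; the function name check_pse_perms is hypothetical, and checking "local.pse" in addition to "cred_v2" is an assumption that goes beyond what step 8 asks for.

```shell
#!/bin/sh
# Added example (not from the original document).
# check_pse_perms <SECUDIR> [user]   -- the function name is hypothetical.
# Returns 0 only if cred_v2 and local.pse exist, belong to the SAProuter
# user (default: the calling user) and carry mode 600 or 400.
check_pse_perms() {
    secudir=$1
    if [ -n "${2:-}" ]; then want_uid=$(id -u "$2"); else want_uid=$(id -u); fi
    status=0
    for f in "$secudir/cred_v2" "$secudir/local.pse"; do
        if [ ! -f "$f" ]; then
            echo "MISSING    $f"; status=1; continue
        fi
        # "ls -ldn" prints e.g. "-rw------- 1 1001 1001 ..." (numeric owner).
        info=$(ls -ldn "$f" | awk '{ print $1 " " $3 }')
        mode=${info%% *}
        uid=${info#* }
        case $mode in
            -rw-------*|-r--------*) ;;   # 600 or 400: nothing for group/other
            *) echo "TOO OPEN   $f ($mode)"; status=1 ;;
        esac
        if [ "$uid" != "$want_uid" ]; then
            echo "WRONG UID  $f (uid $uid, expected $want_uid)"; status=1
        fi
    done
    return "$status"
}

# Run directly: sh check_pse_perms.sh "$SECUDIR" [user]
if [ "$#" -gt 0 ]; then check_pse_perms "$@"; fi
```

A trailing "+" in the reported mode string means an ACL is set on the file; the script does not evaluate ACLs, so review them separately with the platform's ACL tool.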

Additional actions necessary before you can start SAProuter

1. Check if the environment of the user running SAProuter contains the environment
variables SNC_LIB and SECUDIR:

UNIX: printenv
WINDOWS NT, 2000, XP: User environment variable
2. Start the SAProuter with the following command line (to start the SAProuter as a
Windows service, please follow the steps described in SAP note 525751):

saprouter -r -S <port> -K "p:<Distinguished Name>"

-K tells the saprouter to start with loading the SNC library

Example:
saprouter -r -K "p:CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE"
If you omit -S <port>, the process is started on the default port 3299.
3. The corresponding file "saprouttab" must contain at least the following entries:

# Example saprouttab
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC connection to local system for R/3-Support
# R/3 Server: 192.168.1.1
# R/3 Instance: 00
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200

# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 192.168.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389

# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 192.168.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23

# SNC connection to local Portal system for HTTP URL access, if applicable
# Portal server: 192.168.1.4
# HTTP Port: 50003
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.4 50003

# Access from the local Network to SAP
P 192.168.*.* 194.39.131.34 3299

# Deny all other connections
D * * *
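
A "saprouttab" that has drifted from the layout above can be reviewed mechanically. The following is an added example, not part of the original document or of SAP's tooling: the function names audit_saprouttab and demo_weak_table are hypothetical, the weak sample table is constructed, and the three checks are a reviewer's heuristics (each entry on one line) rather than SAP's own validation rules.

```shell
#!/bin/sh
# Added example (not from the original document); function names are hypothetical.
# audit_saprouttab [file]  -- reads stdin if no file is given.
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_saprouttab() {
    awk '
    function report(msg) { printf "line %d: %s: %s\n", NR, msg, $0; bad++ }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        line = $0; snc = ""
        # Collapse a quoted SNC name ("p:CN=..., O=...") into one token.
        if (match(line, /"[^"]*"/)) {
            snc  = substr(line, RSTART + 1, RLENGTH - 2)
            line = substr(line, 1, RSTART - 1) "SNC" substr(line, RSTART + RLENGTH)
        }
        split(line, f)
        type = f[1]; src = f[2]; dst = f[3]; port = f[4]
        last = type " " src " " dst " " port
        if (type ~ /^K[PSTD]$/ && snc !~ /^p:/)
            report("SNC entry without a quoted p: name")
        if (type ~ /^[PS]$/ && src == "*")
            report("unencrypted permit from any source")
        if (type ~ /^(P|S|KP|KS|KT)$/ && dst == "*")
            report("permit to any destination host")
    }
    END {
        if (last != "D * * *") { print "end: table does not finish with D * * *"; bad++ }
        exit (bad > 0)
    }' "${1:--}"
}

# Constructed sample (not from the page): unquoted SNC name, open permit,
# and no closing deny-all entry.
demo_weak_table() {
    cat <<'EOF'
# constructed weak table
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP CN=sapserv2 192.168.1.1 3200
P * * *
EOF
}

# Run directly: sh audit_saprouttab.sh ./saprouttab
if [ "$#" -gt 0 ]; then audit_saprouttab "$1"; fi
```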
