Download SAP Cryptographic Binary from SAP Market Place
The Cryptographic Binary can be downloaded from the link below:
http://service.sap.com/swdc
- Download
- SAP Cryptographic Software
After clicking SAP Cryptographic Software, a new browser window opens. Select and download the file that
matches the OS platform on which you will configure SAP Router.
Register IP and SAP Router Hostname with SAP
First, get a public IP address from your network team. The public IP needs to be mapped to your local SAP
Router IP address. (This task will be done by your network team.)
Also have ports 3299 and 3298 opened from the SAP Router host IP to SAP AG.
SAP Router uses ports 3298 and 3299 for communication.
Raise an OSS message with SAP under component XX-SER-NET-NEW, with a description requesting registration
of the public IP address and host name of the SAP Router with SAP.
Create SAP Router Folder in C:\usr\sap
Go to C:\usr\sap
Create the saprouter folder with the mkdir command
Copy the downloaded Cryptographic Binary to the saprouter folder and extract it using SAPCAR.exe
C:\usr\sap\saprouter>SAPCAR -xvf < Cryptographic Binary >
Set environmental variable SECUDIR=C:\usr\sap\saprouter
Set environmental variable SAPROUTTAB=C:\usr\sap\saprouter
Generating and Registering the Key and Certificate
Go to the link https://websmp201.sap-ag.de/SAPROUTER-SNCADD
Click on Apply Now!
Copy the Distinguished Name shown on that page; it is required for the command below. Once you have copied the Distinguished Name, click on the Continue tab.
Generate the certificate Request on SAP router OS with the Following command:
C:\usr\sap\saprouter>sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"
C:\usr\sap\saprouter>sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
You will get "<Your Distinguished Name>" from the SAP Marketplace when you log in with your S-user.
(It is generated after you raise an OSS message with SAP for registering the SAP Router hostname.)
After executing the above command, two additional files are created in the saprouter folder: local.pse and certreq.
certreq contains the encrypted form of the key request.
Copy the content of certreq and paste the certificate request into the text area of the same form in the SAP Service Marketplace.
After pasting the content, click on REQUEST CERTIFICATE.
In response you will receive the certificate signed by the CA in the Service Marketplace. Cut and paste the text into a local file named srcert.
After copying the certificate content into the srcert file, copy the file to the saprouter folder and grant the necessary rights.
Importing the Certificate & Creating Credential
Once the file is copied to the saprouter folder, run the following import command to install the certificate in SAP Router:
C:\usr\sap\saprouter>sapgenpse import_own_cert -c srcert -p local.pse
Creating the Credential for the User Responsible for Starting SAP Router
After importing the certificate, create a credential for the user <sid>adm, who will be responsible for starting and stopping SAP Router. Run the following command to do so:
C:\usr\sap\saprouter>sapgenpse seclogin -p local.pse -O <sidadm>
The installation steps are complete once the credential for <SID>adm has been created.
Verifying the Configuration
To confirm that SAP Router is installed successfully, run the following command:
C:\usr\sap\saprouter>sapgenpse get_my_name -v -n Issuer
The output of the command should show
Name of the Issuer as: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
After confirming that SAP Router has been configured successfully, set the following environment variable, which is required to load the cryptographic library when starting SAP Router.
Post Configuration Activity
Set environmental variable SNC_LIB=C:\usr\sap\saprouter\sapcrypto.dll
Once the configuration is done, one important post-installation step remains: creating
SAPROUTTAB.
SAPROUTTAB is simply the permission file that specifies who may communicate through SAP Router.
Create a file named saprouttab and place it in the C:\usr\sap\saprouter folder.
The following is example content for saprouttab:
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC-connection from SAP to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <SAP Server IP> <port>
# Access from your local Network to SAP
P <SAP Server IP> 194.39.131.34 3299
# All other connections will be denied
#D * * *
<SAP Server IP> is the IP address of the SAP server that needs to be accessed via SAP Router.
<Port> is the port of the SAP application, e.g. 3200 (dispatcher port).
D * * * means reject all connections except those matching the server IP entries listed in saprouttab.
How to Start & Stop SAP Router
Now for the important part, for which we did all of the above: how to start and stop SAP Router.
Run the following command to Start SAP Router
C:\usr\sap\saprouter>saprouter -r -S 3299 -V 3 -K "p:CN=<saprouter hostname>, OU=< Customer number >, OU=SAProuter,O=SAP, C=DE" &
The value of CN above is the Distinguished Name that you checked on the SAP Marketplace earlier.
Check the log file dev_rout in the C:\usr\sap\saprouter folder to confirm that SAP Router has started.
Run the following command to Stop SAP Router
C:\usr\sap\saprouter>saprouter -s
Example of a Route Permission Table with SNC
A route permission table using SNC could look like this:
P | * | * | * | pass |
KT | S:SR@host4 | host4 | 3333 | |
KT | S:SR@host4 | host9 | * | |
KD | S:SR@host4 | host9 | * | |
KP | S:SR@host4 | * | * | pass2 |
KS | * | host10 | 4444 | |
KP | * | * | * |
This means:
- Allow all connections if password pass is specified correctly.
- Connections from this SAProuter to host4 (SNC name S:SR@host4), service 3333 should be SNC connections.
- Connections from host9 (SNC name S:SR@host9) to this SAProuter should be SNC connections.
- A SNC connection from SR@host4 to host9 through this SAProuter should not be set up.
- A SNC connection from S:SR@host4 through this SAProuter (any target host) is allowed if the password pass2 is correct (unless the connection is to host9, since this is not allowed according to the previous entry – the first entry which “matches” is decisive).
- All SAP to SAP connections (NI protocols) to host10, service 4444, which come in as SNC connections are passed on as non-SNC connections to host10 (no SNC host).
- All SNC connections (for which the previous entries are not suitable) are allowed.
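The first-match rule described above can be checked offline before a table is deployed. The following Python sketch is an added example, not SAP's own matcher or code from the original page; `parse`, `decide` and `wide_open` are hypothetical names. It assumes that K-type entries apply only to SNC connections and P/D entries only to non-SNC ones, that a wrong password on the first matching entry means denial, and that `*` is the only wildcard.

```python
import shlex

PERMIT, DENY = {"P", "KP", "KS"}, {"D", "KD"}

# The page's SNC route permission table, one entry per line (whitespace separated).
SAMPLE = """\
P  *          *      *    pass
KT S:SR@host4 host4  3333
KT S:SR@host4 host9  *
KD S:SR@host4 host9  *
KP S:SR@host4 *      *    pass2
KS *          host10 4444
KP *          *      *
"""

def parse(text):
    """Return (lineno, kind, source, dest, port, password) for each entry."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        f = shlex.split(line, comments=True)  # drops '#' comments, keeps quoted SNC names whole
        if len(f) >= 4:
            entries.append((n, f[0].upper(), f[1], f[2], f[3], f[4] if len(f) > 4 else None))
    return entries

def _hit(pattern, value):
    return pattern == "*" or pattern == value

def decide(entries, source, dest, port, snc=False, password=None):
    """First matching entry is decisive; no matching entry means deny."""
    for n, kind, src, dst, prt, pw in entries:
        if kind not in PERMIT | DENY:      # KT only marks targets that must be reached via SNC
            continue
        if kind.startswith("K") != snc:    # assumption: K* entries match SNC connections only
            continue
        if _hit(src, source) and _hit(dst, dest) and _hit(prt, str(port)):
            ok = kind in PERMIT and (pw is None or pw == password)  # assumption: bad password = deny
            return ("permit" if ok else "deny", n)
    return ("deny", None)

def wide_open(entries):
    """Line numbers of permit entries that allow any destination on any port."""
    return [n for n, kind, _, dst, prt, _ in entries
            if kind in PERMIT and dst == "*" and prt == "*"]

if __name__ == "__main__":
    table = parse(SAMPLE)
    print(decide(table, "S:SR@host4", "host9", 3200, snc=True))
    print(decide(table, "S:SR@host4", "host7", 3200, snc=True, password="pass2"))
    print("review lines:", wide_open(table))
```

The entries returned by `wide_open` are the ones to review first, since they permit any destination host on any port.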
Sample saprouttab file
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" SAP_system_2_Local_IP 3389
#Connection to SAP
P * 194.39.131.34 3289
P * 194.39.131.34 3299
#P * 194.39.131.34 *
# Columns:
# P/D Source Destination Port Password
# SAP System 1
P * SAP_System_1_Local_IP 3200 cipher1
P * SAP_System_1_Local_IP 3290 cipher1
P * SAP_System_1_Local_IP 3298 cipher1
P * SAP_System_1_Local_IP 3299 cipher1
# SAP System 2
P * SAP_System_2_Local_IP 3200 cipher1
P * SAP_System_2_Local_IP 3298 cipher1
P * SAP_System_2_Local_IP 3299 cipher1
P * SAP_System_2_Local_IP 8000 cipher1 # ITS Access
#P * SAP_System_2_Local_IP 3389 cipher1 # WTS Access
P * SAP_System_2_Local_IP sapgw01 cipher1
# SAP System 3
P * SAP_System_3_Local_IP 3299 cipher1
P * SAP_System_3_Local_IP 3291 cipher1
P * SAP_System_3_Local_IP 3201 cipher1
# SAP System 4
P * SAP_System_4_Local_IP 3203 cipher1
P * SAP_System_4_Local_IP 8000 cipher1
# SAP Portal WTS connection
P * SAP_Portal_Local_IP 3389 cipher1 # WTS Access from partners to SAP Portal
P 194.39.131.34 * * # Access from SAP Support to SAP Systems
P 194.39.131.34 * 3389 cipher1 # Access from SAP Support to Remote Desktop (Delete # in case you need it)