on 11-14-2008 3:04 PM
Hi
We need to configure SAProuter on an HP Unix server. Could anyone provide me a document (step by step) with HP Unix commands to configure it?
This is the first time I am doing this SAProuter installation.
Regards,
Kumar
- read the classic SAP note 30374 on SAProuter Installation.
- read the classic SAP note 30289 on SAProuter documentation
- visit http://service.sap.com/saprouter
If you have a problem, check the saprouter trace: dev_rout
Regards,
Vincent
SAP-ROUTER
Introduction:
SAP router is an SAP program that acts as an intermediate station in a network connection between SAP Systems, or between SAP Systems and external networks.
SAP router controls the access to your network at the application level and as such is a useful enhancement to an existing firewall system.
SAP router is an SAP program that acts to protect your SAP network against unauthorized access.
However, since particular types of connections need to penetrate this wall, an entry point or a hole has to be made in the firewall. SAP router assumes the control of this hole.
In short, SAP router provides you with the means of controlling access to your SAP system
General Steps for Troubleshooting:
1. Check whether router is up or not, try to ping the router to see for the connectivity.
2. If only one of the hosts is not getting connected, then check the address entry in the saprouttab, whether it is correct or not.
3. If then also the problem persists then check the trace in dev_rout file, which keeps a track of the sap router trace and also check the log file.
Some common errors & their remedies:
Error 1:
There is an error message of the following type in the SAP GUI:
Connection to partner 'sapserver:sapdp00' broken
The SAP GUI then closes immediately.
Causes
This error message can be caused by two factors:
1. There is a crash in the dispatcher process of the instance to which the client was connected. All connections are then automatically broken.
2. Network problems
a) Firewall idle timeout
b) VPN, WAN problems
c) Router problem
Solution
If the dispatcher crashes, it means that the entire instance terminates. In this case, put the message under the component BC-CST-DP for further analysis.
Network problems can be analyzed and solved by the customer's network department.
The trace of the affected dispatcher (dev_disp) and the error trace of the SAP GUI (errorlog.gui) can be used as sources of information.
For more details, reproduce the error and perform the following steps:
• Increase the trace level of the dispatcher to 2 before the user logs on.
• When the error occurs, confirm that you want to see a detailed error message.
If you require help analyzing the trace, send the following information to SAP Support:
• dev_disp
• errorlog.gui
• User name
• IP address of the user
• Time when you reproduced the error
Error 2:
It may happen that when you try to log on to the OSS system using Transaction OSS1, the error message S1452 appears:
'Unable to connect to OSS message server. Default connection will be used'.
Causes
This error message can be caused by two factors:
1. Program 'lgtst' not installed.
2. Configuration not correct
Solution
If program 'lgtst' is not installed, install the program 'lgtst', which is available on the 2.2D CD, in the executables directory of your system.
/usr/sap/[SID]/SYS/exe/run
This program is used by Transaction OSS1 to establish the connection to the OSS message server and determine the logon groups available and the OSS application server with the best performance. When this program is missing, the connection to the message server cannot be established, i.e., the server cannot be determined.
The program 'lgtst' should be started manually only when problems occur.
To start the program manually, enter the following command at the shell level of the database or application server.
/usr/sap/[SID]/SYS/exe/run/lgtst -H /H/[YS]/S/[YSS]/H/[sapservX]/S/sapdp99/H/oss001/S/sapmsO01 -S x -W 30000
Note:
a) This is one command with many parameters.
b) [SID] must be replaced by the system ID of your system.
c) [YS] must be replaced by the name of the computer on which the SAP
Router runs (YS = Your SAP Router).
d) [YSS] must be replaced by the service under which the SAP Router
runs, usually 'sapdp99' (YSS = Your SAP Router's Service).
e) If you are working with two SAP routers, repeat /H/[YS]/S/[YSS] with
the data of the second SAP router before the sapserv specifications.
f) [sapservx] must be replaced by the IP address of the server that you are
connected to.
g) Make sure that you replace [YS], [YSS] and [sapservx] with the same
data that you have configured in OSS1.
In cases where the program 'lgtst' has been installed correctly, but the connection to the message server cannot be built up, the configuration is not correct. The possible reasons are,
a) Technical OSS1 settings
b) Service entries missing in /etc/services
To find out the reason why the attempt to establish the connection to the message server has failed, run the transaction ST11, and then look for the entry
'dev_lg'. This file contains the error log. Click on dev_lg, if a line 'LOCATION' exists, the computer where the error occurred is described there. The problem is described in the line 'ERROR'.
Error 3:
At times it happens that you start up SAP GUI to connect to On-line Service system. But the SAP GUI prompts a screen to show you connection fail.
Causes
There are many possibilities in this case,
1. Local Router problem
2. Local Router Authorization check fails
3. Line provider problem
4. Local SAP Router problem
5. Remote Router problem
6. Remote Router Authorization setting problem
7. Remote SAP Router routing setting problem
8. Local setting problem
9. Server problem
Solution
First, find out the possible problem. Then contact the system administrator or connection provider to solve the problem.
a) partner not reached (host <hostname or IP> , service 32XX)
If <hostname or IP> is the local machine
Check 1. Is the hostname or IP your SAP Router?
If not, change it.
If yes, check whether your SAP Router has started.
Is the service port right? The default is 3299.
Does the connection to the SAP Router work?
If <hostname or IP> is SAPServX
Check the connection
If the error text shows "Connection refused", it means the host is
not a SAP Router or the SAP Router has not started.
If the error text shows "Connection timed out", it means the host does
not exist or cannot be reached.
b) Route permission denied (hostIP1 to hostIP2, sapdpXX)
Check the services file on Local PC/SAP Server/SAPRouter
A line like
sapdpXX 32XX/tcp
(Ex. sapdp01 3201/tcp
sapdp00 3200/tcp)
should be added to the services file.
The location of services file is --
Win95/98 %WINDIR%\services
WinNT/2000 %WINDIR%\System32\drivers\etc\services
UNIX/Linux /etc/services
c) Route permission denied (hostIP1 to hostIP2, 32XX)
This means that the routing settings do not allow you to connect from
hostIP1 to hostIP2.
Please read the next line:
Location SAPRouter on hostname
If the hostname (or IP) is your local machine, please
check whether there is a password setting in the SAPRouteTAB file.
If there is a password, please verify that you use the correct password.
Or add the SAP routing permission to the SAPRouteTAB file.
If the hostname (or IP) is related to SAP (like sapservX),
send the above message to the SAP support team.
d) Check line connection:
Use ping or tracert (traceroute) to check connection.
Run these instructions under your router or SAPRouter.
For ex : Ping sapserv7
Tracert sapserv7 (use Traceroute under unix)
If the response fails (timeout or other), then
the connection could not be built.
Else the connection to SAP is successful.
e) Check connection between front-end and local SAPRouter.
If you want to connect from a workstation, you may need to check the
connection between your workstation to SAPRouter with 'Ping'.
f) For ISDN router
Check the dial indicator: does the router dial?
If the router does not dial, please contact the router vendor.
If the router dials but fails, please check the dialup number or contact the ISDN
service provider. Maybe authorization fails, or the line fails, or there is a configuration
error.
If the dialup connection is successful
: ping the remote router to check IP configuration
: ping SAPServX to check connection
: collect the above information and contact the ISDN provider
: if all settings are right but it fails to reach the remote router, ask the line provider to
reset the gateway.
g) Server problem
If the connection check is OK but there is still some issue, then try to get help from SAP to do a further check.
Error 4:
Another situation can be that you are unable to start the router from command level.
Cause
This can be due to missing fields in the saprout table.
Solution
Check the entries in the file saprouttab
Also add this value in your saprouttab P<tab><tab><tab>* to give full permission
Save the file without any extension.
Now try to start the sap router from the command prompt.
OR
1)Take a backup of your present saprouttab
2) Then remove all values inside the saprouttab file and add the following value
P<tab>*<tab><tab> to give full permission
Now save the file without any extension and then try to restart the router.
Error 5:
This is a problem in which you are able to ping SAP server side IP but unable to ping through hostname of SAP server.
Cause
This situation occurs when the host name of the server is not identified
Solution
If you want to ping the SAP hostname, then add host name and IP address into
c:\windows\system32\drivers\etc\hosts file
Significance of SAP Router:
You can use SAP router to do the following:
• Control and log the connections to your SAP System, e.g. from an SAP service center
• Set up an indirect connection when programs involved in the connection cannot communicate with each other due to the network configuration. This may be due to:
1. Address conflicts when using non-registered IP addresses
2. Restrictions which exist for firewall systems
• Improve network security by means of the following:
1. A password, which protects your connection and data from unauthorized external access
2. Allowing access from only particular SAP routers
3. Only allowing encrypted connections from a known partner (using the SNC layer)
• Increase performance and stability by reducing the SAP System load within a local area network (LAN) when communicating with a wide area network (WAN)
Enhanced Network Security with SAP Router:
To provide independency from the various platforms, SAP has developed the intermediate layer NI (Network Interface) for all network connections. SAP router also provides connectivity using this layer.
In the OSI 7 layer model, the NI layer forms the upper part of the transport layer. NI uses TCP or UDP protocol also known as the SAP Protocol.
The test program niping, which tests the NI functions, belongs to the NI layer. A predefined number of data packages is simply sent from the client to the server, is returned by the server, and read again by the client. The program also outputs average transfer times.
This tool niping is a server and client for testing the SAP NI (Network Interface) Layer. As the name is similar to "ping", it does something similar, but just with the SAP network layer. So, you can test SAP router connections or other SAP connections using this special ping - the niping.
Route Connections:
A route connection is a connection between two hosts via a network. The route is the sequence of intermediate stations used to set up the connection.
You can set up a connection between SAP systems with or without SAP router.
A) Connections without SAP router:
The following graphic shows a network connection from SAP to the
customer without SAP router
Here both the SAP LAN (local area network) as well as the customer LAN
are protected against unwanted access by firewalls. If a connection is to be set up between an SAP workstation and a customer workstation, a "hole" needs to be made in the firewall.
The more connections required to external hosts, the more holes (and therefore security gaps) the firewall contains.
If a connection is set up without SAP router, the following information is required:
1. IP address of the host or the logical name of the host on which the server process is running. The target host must therefore have a unique IP address.
2. Port number or the logical name of the port used by the process.
The server process must use an exclusive port number on its host. Also, this port number must be known to the client
B) Connections with SAP router:
The following graphic shows a network connection from SAP to the
customer with SAP router
SAP router only allows a network to be accessed from fixed points. The number of access points ("holes") is therefore reduced, since fewer direct lines are required for connections.
Each "hole" is guarded by a SAP router whose route permission table determines the routes that can be used and the passwords required for access. The hole in the firewall is therefore monitored.
Without SAP router, the IP addresses must be unique. This is not always possible, particularly in the case of a connection between two networks that do not normally have an external connection. SAP router enables two points with identical IP addresses to be connected.
Installing SAP Router:
SAP router is installed as a service on Windows. You will find the latest SAP router in the SAP Service Marketplace under:
Download SAP Software → <Support Packages & Patches>
In the hierarchy choose:
SAP WEB AS → SAP WEB AS <latest release> → Binary Patches → SAP KERNEL <Release/ 32/64-BIT [UNICODE]> → <OS> → Database independent.
Installation on Windows:
Prerequisites:
You have the latest version of SAP router (available from the SAP Service Marketplace) and have read the "readme" file. The SAP router version must not be under 23.
Procedure:
1. Create the subdirectory saprouter in the directory <drive>:\usr\sap.
2. Download the latest version of the SAP router from SAP Service Marketplace. Read the readme file in this package. Copy the executables saprouter.exe and niping.exe to the directory you have just created.
3. If SAP router has already been entered as a service with srvany.exe, remove the definition of the service from the Registry and restart the host.
4. Define the service with the following command:
ntscmgr install SAProuter -b <drive>:\usr\sap\saprouter\saprouter.exe -p "service -r <parameter>"
<parameter> can be replaced by other parameters with which SAP router is to be started. It is important that the parameters are within the character string enclosed in double quotation marks.
5. Define the general attributes of the service: In Control Panel → Services, set the startup type to "automatic" and enter a user. SAP router should not run under the System Account.
6. To avoid the error message "The description for Event ID (0)" in the Windows NT event log, you must enter the following in the registry: Under HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → Eventlog → Application, create the key saprouter and define the following values under it:
EventMessageFile (REG_SZ): ....\saprouter\saprouter.exe
Starting SAP Router:
Procedure:
Enter saprouter -r in the input field. This command starts SAP router. The allowed connections are listed in the Route Permission Table saprouttab.
Main SAP router commands and what they do:
saprouter       Displays a complete list of SAP router parameters on the screen.
saprouter -r    Starts SAP router.
saprouter -s    Stops SAP router.
Testing SAP router Basic Functions:
Prerequisites:
You require the programs saprouter and niping as well as three open windows on one or more hosts.
Procedure:
1. Start SAP router in window 1 (on host1). To do this, enter the following command: saprouter -r
2. In window 2 (host2), start the test program niping to emulate a test server. Enter the following command: niping -s
3. In window 3, start the test program niping again with the following command: niping -c -H /H/host1/H/host2
This command tests the connection with SAP router. A host name is interpreted as a route (over one or more SAP routers to the server) if /H/ is added as a prefix to the host name.
In step 3, data packages are sent to the server, and the server sends the data packages back.
To perform a self test for the local host:
Enter the command niping -t. If the self test is successful, the following message appears:
SELFTEST O.K. ***
Route Strings:
A route string describes the stations of a connection required between two hosts. A route string has the syntax:
/H/host/S/service/W/pass
It consists of any number of substrings in the form /H/host/S/service/W/pass.
H, S, and W must be uppercase!
A route string contains a substring for each SAP router and for the target server. Each substring contains the information required by SAP router to set up a connection in the route: the host name, the port name, and the password.
Syntax for substrings:
• /H/ indicates the host name; it must be at least two characters long.
• /S/ indicates the port; it is an optional entry, the default value is 3299.
• /W/ indicates the password for the connection between the predecessor and successor on the route and is also optional (default is "", no password).
Route String Entry for SAP Router:
A route string describes a connection required between two hosts using one or more SAP routers. Each of these SAP routers then checks its Route Permission Table to see whether the connection between its predecessor and successor is allowed, and if it is, sets it up.
The following graphic shows an example of a connection between SAP and a customer system. In this example, a SAP employee working on sappc wants to log on to a customer application server yourapp, which provides or uses the service sapsrv.
The SAP service employee logs on to the SAP System, and sets up a connection between sappc and yourapp using the SAP router on sap_rout and the customer's SAP router your_rout.
your_rout requires the password pass_to_app for connections with yourapp. The route string appears as follows:
/H/sap_rout/H/your_rout/W/pass_to_app/H/yourapp/S/sapsrv
This route string is interpreted by the SAP routers involved in the route as follows:
Host/address Service/port Password
Substring 1 /H/sap_rout /S/<default> <no password>
Substring 2 /H/your_rout /S/<default> /W/pass_to_app
Substring 3 /H/yourapp /S/sapsrv
The connection from sappc to the application server is set up in the following steps:
sappc (front end): Sets up the connection to SAP router sap_rout according to substring 1 and relays the route information.
sap_rout (SAP router on SAP side): Uses the Route Permission Table to check whether the route "sappc to your_rout 3299" is allowed, sets up the connection to the customer SAP router on the host your_rout, and passes substring 2 and 3.
your_rout (SAP router on customer side): Checks whether the route "sap_rout to yourapp, sapsrv" is allowed. The password pass_to_app is also checked. SAP router then sets up the connection to the application server.
A SAP router always checks only the previous host name or the previous IP address and the next substring (/H/.../S/.../W/...) for host name or IP address, service and password. The last substring does not contain a password, since there is no successor in the route.
If the /S/ section is missing, the default port number of the SAP router is used.
If the /W/ section is missing, a password is not used.
Route Permission Table:
The route permission table contains the host names and port numbers of the predecessor and successor points on the route as well as the passwords required to set up the connection. It is used to specify which connections are allowed and which prohibited by SAP router.
Standard entries in a route permission table appear as follows:
P/S/D <source-host> <dest-host> <dest-serv> <password>
<source-host> and <dest-host> could be SAP routers.
The beginning of the line can be as follows:
P (permit) causes SAP router to set up the connection, can contain a password.
S (secure) only allows connections with the SAP Protocol, connections with other protocols (such as TCP) are not allowed.
D (deny) prevents the connection from being set up.
Error Diagnosis:
As a rule, always refer to the relevant notes in SAPNet if you experience problems with SAP router.
Note number Content
0012023 ERROR => NI_PONG in more than one package
0029684 STFK: Route permission denied
0062636 Sap router terminates on ending UNIX session
0063342 List: NI error codes
0139184 Sap router: Invalid DATA from C...
0155839 SAP router and the Year 2000
0163436 Check connection and raise a event when connect
0164937 NiPBind: service 'sap????' in use
0167857 niping -s error on Windows 95/8
0168937 AIX: Error code for accept exits server
0169398 Reliant: setup connection in the R/3 System fails
0180075 SAP router for Linux
0181896 AS/400: Signal handling in NI
0184896 NI: Error correction NI
0104576 Package filter between ITS and R/3
0042692 Test tool for RFC links: sapinfo
0066168 Required documents when analyzing RFC problems
0025917 Changes to /etc/hosts are not accepted
0147021 "Address already in use" due to TCP state
0053459 SAP programs for Linux
0085749 Using SAProuter with SNC for secure printing
0037211 ftp not via SAProuter : "connection refused"
The error messages output directly by SAP router are described under SAP router
Edited by: Chetan Seth on Nov 16, 2008 3:03 PM
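The route-string walk-through and the route permission table from the post above, combined in one added example (not part of the original post and not SAP's code). It parses a route string, runs the check each SAP router on the route performs, and lists permit entries that use `*`. Assumptions: the first matching table entry decides, no match means deny, `#` starts a comment, S entries are treated like P, and both tables are constructed samples.

```python
from fnmatch import fnmatchcase

DEFAULT_SERVICE = "3299"  # default SAProuter port, as stated in the post

def parse_route(route):
    """Split a route string into one dict per /H/ substring."""
    parts = route.split("/")[1:]
    if not route.startswith("/") or len(parts) % 2:
        raise ValueError("expected /H/host[/S/service][/W/pass] substrings")
    hops = []
    for key, value in zip(parts[0::2], parts[1::2]):
        if key == "H" and len(value) >= 2:  # host name: at least two characters
            hops.append({"host": value, "service": DEFAULT_SERVICE, "password": ""})
        elif key == "S" and hops:
            hops[-1]["service"] = value
        elif key == "W" and hops:
            hops[-1]["password"] = value
        else:
            raise ValueError(f"bad route element /{key}/{value}")
    return hops

def parse_saprouttab(text):
    """Return (line_no, action, source, dest, service, password) tuples."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] not in ("P", "S", "D") or len(fields) < 4:
            raise ValueError(f"line {no}: unsupported entry {line!r}")
        entries.append((no, *fields[:4], fields[4] if len(fields) > 4 else ""))
    return entries

def decide(entries, source, dest, service, password):
    """Assumed model: the first entry whose patterns match decides; no match denies."""
    for _, action, src, dst, srv, pw in entries:
        if all(fnmatchcase(v, p) for v, p in ((source, src), (dest, dst), (service, srv))):
            return "permit" if action != "D" and pw in ("", password) else "deny"
    return "deny"

def evaluate_route(client, route, tables):
    """Each router checks predecessor -> next substring, with its own /W/ password."""
    hops, previous, verdicts = parse_route(route), client, []
    for router, nxt in zip(hops, hops[1:]):
        verdict = decide(tables[router["host"]], previous,
                         nxt["host"], nxt["service"], router["password"])
        verdicts.append((router["host"], verdict))
        previous = router["host"]
    return verdicts

def wildcard_permits(entries):
    """Line numbers of P/S entries that use '*' for source, destination or service."""
    return [no for no, action, *fields, _ in entries
            if action != "D" and "*" in fields]

# Constructed tables for the two routers in the post's example route.
TABLES = {
    "sap_rout": parse_saprouttab("P sappc your_rout 3299\nD * * *"),
    "your_rout": parse_saprouttab(
        "# customer side\nP sap_rout yourapp sapsrv pass_to_app\nD * * *"),
}
ROUTE = "/H/sap_rout/H/your_rout/W/pass_to_app/H/yourapp/S/sapsrv"

if __name__ == "__main__":
    print(evaluate_route("sappc", ROUTE, TABLES))
    print(wildcard_permits(parse_saprouttab("P * * *")))
```

Run against a copy of a real saprouttab, `wildcard_permits` shows which lines would let any predecessor reach any host and service behind the router.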