on 07-31-2012 1:24 PM
Enviroments OK! But still don´t work...
-------------------------------------
C:\Users\Administrator>saprouter -r -K "p:CN=allianceonline, OU=0000628791, OU=S
AProuter, O=SAP, C=DE"
trcfile dev_rout
no logging active
*** ERROR => invalid lines in './saprouttab', see 'dev_rout' [nirout.cpp 9573]
WARNING: wildcard character used in route target
-------------------------------------------
But in my saprouttab there is no wildcard!!!!!!! I don´t understand!!
-------------------
SAPROUTTAB
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 3299
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 3389
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 50500
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 50504
# SNC connection to local system for R/3-Support
# R/3 Server: 192.168.1.1
# R/3 Instance: 00
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 3389
# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 192.168.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 3389
# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 192.168.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 23
# Access from local network to SAP
P 130.100.100.246 194.39.131.34 3299
------------------------------------------
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Felipe,
Note that
WARNING: wildcard character used in route target is a warning it is not a error it says that your routtab opening for many connections.
you need to check the part
*** ERROR => invalid lines in './saprouttab', see 'dev_rout' [nirout.cpp 9573]
nothing else. let analysis and revert back.
Hi,
Change the below entry only in saprouttab with your IP and rerun,
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
#SNC-connection from SAP to local R/3-System for Suport
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <IP r3 server> 3200
#SNC-connection from SAP to local R/3-System for WTS
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <IP r3 server> 5631
#SNC-connection from SAP to local R/3-System for saptelnet
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <IP r3 server> 23
#Access from your local Network to SAP R/3 Frontend (OSS)
P * 194.39.131.34 *
#All other connections will be denied
D * * *
Hope we will get it
Silam, i made changes and the same error show...
But one thing, i delete file DEV_ROUT when re-installled saprouter and now him isn´t create in saprouter folder... This is normal??
Regards...
PS: Silam and Juan, thanks for pacience, i´m a ABAPER but receive the hard mission of configure the SAPSERVER in my jobplace...
Silam, one advance, see my dev_rout:
---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "710"
---------------------------------------------------
Thu Aug 02 14:14:17 2012
SAP Network Interface Router, Version 39.3 (SP4)
command line arg 0: saprouter
command line arg 1: -r
command line arg 2: -K
command line arg 3: p:CN=allianceonline, OU=0000628791, OU=SAProuter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)
SncInit(): Trying environment variable SNC_LIB as a
gssapi library name: "D:\usr\sap\saprouter\sapcrypto.dll".
File "D:\usr\sap\saprouter\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
main: pid = 1976, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: './saprouttab'
Oh God! Finally working!!! After last error of dev_rout, i just copied the file gssapi32.dll for the saprouter folder and BINGOOO!!
Silam and Juan thanks!!
Regards
Felipe
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I made the whole process again to obtain the certificate and was apparently all right, but still with errors ... See below if you guys can help me:
SAPROUTTAB
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 3299
# SNC connection to local system for R/3-Support
# R/3 Server: 192.168.1.1
# R/3 Instance: 00
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 3200
# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 192.168.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 3389
# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 192.168.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 23
# SNC connection to local Portal system for URL access, if applicable
# Portal server: myserver.mydomain
# Port number: 50003
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" myserver.mydomain 50003
# Access from local network to SAP
P 130.100.100.246 194.39.131.34 3299
-----------------------------------------------------
DEV_ROUT
---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "710"
---------------------------------------------------
Wed Aug 01 13:40:34 2012
SAP Network Interface Router, Version 39.3 (SP4)
command line arg 0: d:\usr\sap\saprouter\saprouter.exe
command line arg 1: -r
command line arg 2: -R
command line arg 3: d:\usr\sap\saprouter\saprouttab
main: pid = 1220, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: 'd:\usr\sap\saprouter\saprouttab'
*** ERROR => SNC field without SNC active, skip line 2 [nirout.cpp 9264]
*** ERROR => SNC field without SNC active, skip line 6 [nirout.cpp 9264]
*** ERROR => SNC field without SNC active, skip line 10 [nirout.cpp 9264]
*** ERROR => SNC field without SNC active, skip line 14 [nirout.cpp 9264]
*** ERROR => SNC field without SNC active, skip line 18 [nirout.cpp 9264]
Wed Aug 01 13:44:39 2012
*** ERROR => NiBufIProcMsg: hdl 17 received rc=-94 (NIEROUT_PERM_DENIED) from peer [nibuf.cpp 2123]
Wed Aug 01 13:45:38 2012
*** ERROR => NiBufIProcMsg: hdl 18 received rc=-94 (NIEROUT_PERM_DENIED) from peer [nibuf.cpp 2123]
Wed Aug 01 13:49:58 2012
*** ERROR => NiBufIProcMsg: hdl 19 received rc=-94 (NIEROUT_PERM_DENIED) from peer [nibuf.cpp 2123]
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Silam, follow results:
C:\Users\Administrator>saprouter -r -V3 -K "p:CN=allianceonline, OU=0000628791,
OU=SAProuter,O=SAP, C=DE"
trcfile dev_rout
no logging active
*** ERROR => invalid lines in './saprouttab', see 'dev_rout' [nirout.cpp 9573]
WARNING: wildcard character used in route target
-------------------------------------------------------------------
C:\Users\Administrator>D:\usr\sap\saprouter\sapgenpse.exe get_my_name -v -n issu
er
Opening PSE "D:\usr\sap\saprouter\local.pse"...
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "Administrator"
with PSE file "D:\usr\sap\saprouter\local.pse"
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
--------------------------------------------------------------------------------------------------------
MY SAPROUTTAB
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 3298
# SNC connection to local system for R/3-Support
# R/3 Server: 192.168.1.1
# R/3 Instance: 00
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 00
# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 192.168.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 3389
# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 192.168.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 23
# SNC connection to local Portal system for URL access, if applicable
# Portal server: myserver.mydomain
# Port number: 50003
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" myserver.mydomain 50003
# Access from local network to SAP
P 130.100.*.* 194.39.131.34 3298
Regards
Hi Felipe,
For security reasons SAP recommends, that you do not use wildcards (*) for the target host (<dest-host>) and the target port (<dest-serv>) in P and S lines in the route permission table. If the table contains P or S lines, the SAProuter issues a warning message:
WARNING: wildcard character used in route target
So remove the same and specify the specific host.
But see, in my saprouttab no exists more wildcard, the message remains still:
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 3298
# SNC connection to local system for R/3-Support
# R/3 Server: 192.168.1.1
# R/3 Instance: 00
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 00
# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 192.168.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 3389
# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 192.168.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 130.100.100.246 23
# SNC connection to local Portal system for URL access, if applicable
# Portal server: myserver.mydomain
# Port number: 50003
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" myserver.mydomain 50003
# Access from local network to SAP
P 130.100.100.246 194.39.131.34 3298
One question, the command line saprouter will start the service of windows saprouter?? Because, if i start service from task manager, this work without problems...
Juan, ping´s OK:
C:\Users\Administrator>ping 194.39.131.34
Pinging 194.39.131.34 with 32 bytes of data:
Reply from 194.39.131.34: bytes=32 time=233ms TTL=231
Reply from 194.39.131.34: bytes=32 time=234ms TTL=230
Reply from 194.39.131.34: bytes=32 time=246ms TTL=231
Reply from 194.39.131.34: bytes=32 time=234ms TTL=230
Ping statistics for 194.39.131.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 233ms, Maximum = 246ms, Average = 236ms
--------------------------------------
I saw that the service saprouter should work with a login of SNC_admin ... the user is that S000*** ? (the same user of market place)
Because, I used so: sapgenpse seclogin -p D:\usr\sap\saprouter\local.pse -O administrator
Perhaps this my problem..
No, the service Saprouter should run under the same user saprouter was installed with.
On the SAPRouter Documentation says
SAProuter should not run under the system account.
I see you installed it as Administrator, best practice is to create a local admin user and install the saprouter under it.
Regards, Juan
Hi Felipe,
Hope this helps
Hi Silam and Juan, I ran the command:
saprouter -r -R D:\usr\sap\saprouter\saprouttab -K "p:CN=<saprouter hostname>, OU=< Customer number >, OU=SAProuter, O=SAP, C=DE"
and obtain this is:
trcfile dev_rout
no logging active
my CMD stay stopped and dont return prompt...
Any idea?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "710"
---------------------------------------------------
Tue Jul 31 16:01:59 2012
SAP Network Interface Router, Version 39.3 (SP4)
command line arg 0: d:\usr\sap\saprouter\saprouter.exe
command line arg 1: -r
command line arg 2: -R
command line arg 3: d:\usr\sap\saprouter\saprouttab
main: pid = 5676, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: 'd:\usr\sap\saprouter\saprouttab'
*** ERROR => SNC field without SNC active, skip line 2 [nirout.cpp 9264]
*** ERROR => SNC field without SNC active, skip line 5 [nirout.cpp 9264]
Hi,
Can you chage the saprouttab as below and try again,
# Outbound connections to <sapservX> will use SNC
KT "p:CN=YYY, OU=saprouter, O=SAP, C=DE" 194.39.131.34 *
# Inbound connections MUST use SNC
KP "p:CN=YYYY, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>
# Repeat this for the servers and port_numbers you will need to
# allow. Please make sure that all explicit ports are inserted in
# front of a generic entry '*' for port_number
# Permission entries to check if connection is allowed at all
P <IP address of a local host> <IP address of sapservX>
# All other connections will be denied
D * * *
Silam, saprouttab changed and return to start:
trcfile dev_rout
no logging active
routtab cannot open './saprouttab': EXIT PROGRAM !!!
(running without saproutab is no longer supported for security reasons)
Could not open permission table
---------------------------------------------------
I executed niping e obtain this:
niping.exe -c -H /H/200.162.xx.yyy/H/194.39.131.34/H/194.39.131.34
ERROR partner '200.162.xx.yyy:3299' not reached
TIME Tue Jul 31 16:17:09 2012
RELEASE 720
COMPONENT NI (network interface)
VERSION 40
RC -10
MODULE nixxi.cpp
LINE 3286
DETAIL NiPConnect2: 200.162.xx.yyy:3299
SYSTEM CALL connect
ERRNO 10061
ERRNO TEXT WSAECONNREFUSED: Connection refused
COUNTER 1
In windows theres usually a very common problem, People edit the saprouttab with Notepad and save it as a .txt file, check that your saprouttab does not have an extention.
Regards, Juan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
TRy using the full path when starting the router.
saprouter -R <full path>\saprouttab -K <DN>
http://help.sap.com/saphelp_nwpi71/helpdata/en/48/6e2ef629540e27e10000000a421937/frameset.htm
Regards, Juan
Hi SIlam, follow my dev_rout:
---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "710"
---------------------------------------------------
Tue Jul 31 13:53:17 2012
SAP Network Interface Router, Version 39.3 (SP4)
command line arg 0: d:\usr\sap\saprouter\saprouter.exe
command line arg 1: -r
command line arg 2: -R
command line arg 3: d:\usr\sap\saprouter\saprouttab
main: pid = 1504, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: 'd:\usr\sap\saprouter\saprouttab'
*** ERROR => SNC field without SNC active, skip line 2 [nirout.cpp 9264]
*** ERROR => SNC field without SNC active, skip line 5 [nirout.cpp 9264]
Juan, follow... In YYY is my domain ... MYIPEXTERNAL = my ip external...
----------------------------------------------------------------------------------------------
# Outbound connections to <sapservX> will use SNC
KT "p:CN=YYY, OU=0000XXXXXX, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# Inbound connections MUST use SNC
KP "p:CN=YYY, OU=0000XXXXXX, OU=SAProuter, O=SAP, C=DE" MYIPEXTERNAL *
# Repeat this for the servers and port_numbers you will need to
# allow. Please make sure that all explicit ports are inserted in
# front of a generic entry '*' for port_number
# Permission entries to check if connection is allowed at all
P MYIPEXTERNAL 194.39.131.34 *
# All other connections will be denied
D * * *
Ok, let me say, as per the list of files on the directory i can see you havent registered and trade certificates with SAP, read the guide on http://service.sap.com/saprouter.
Regards,
Juan
Hi Felipe,
Have you configure the saprouttab correctly ?
http://help.sap.com/saphelp_nw70/helpdata/en/4f/992dab446d11d189700000e8322d00/frameset.htm
https://websmp107.sap-ag.de/internetconnection
Also try omit the "./" Since you are in the same directory the "saprouttab" resides
Hope this helps.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
82 | |
10 | |
10 | |
9 | |
6 | |
6 | |
5 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.