sap router and cryptographic software

former_member829550
Active Participant
0 Kudos

hi all,

i am configuring sap router and i downloaded saprouter_4-20002415.sar for my sap system. ( OS:: Windows, SAP:: 7.1)

But when i look into the Cryptographic Software in market place i find Cryptolibs for Installations, Updates and client encryption.

Among those, which one is for sap router.

Also, how to check the port 32xx port is open for connection and where should i check. ( any command in windows . i used NETSTAT to check port availability ).

I would appreciate any links or information about configuring sap router table  and for other router configuration settings.

br,

mb

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

Here is the complete step.

1) First of all get a Public IP address. The Public IP needs to be configured to your local SAP Router IP address.

2) Get port 3299 & 3298 open from SAP router ip host to SAP AG.

3) Create a Customer Message with the following details. Open a customer message under the component XX-SER-NET: Customer Number, Hostname (on which SAPRouter is installed), Private IP Address, Public IP Address etc.

4) Create the subdirectory saprouter in the directory \usr\sap.

5) Now download the SAP ROUTER Software and Cryptographic Library Software. www.service.sap.com/saprouter-sncadd

6) Once the software is downloaded copy the saprouter and cryptographic software into E:\usr\sap\saprouter

    eg: saprouter_15_XXXXX.sar, 9000XXXXX.sar

7) Uncar the file

8) Set environmental variable

   SECUDIR= <drive>:\usr\sap\saprouter

   SNC_LIB =<drive>:\usr\sap\saprouter\nt-xxx\sapcrypto.dll

9) Generating the Registering the Key and Certificate

Go to the link https://websmp201.sap-ag.de/SAPROUTER-SNCADD

Click on Apply Now!


10) Copy the Distinguished name (eg  CN=XXXXXX, OU=XXXXXXXXX, OU=SAProuter, O=SAP, C=DE)

11) Create saprouttab text file without any extension in saprouter folder (<drive>:\usr\sap\saprouter)

12) Now create a “certreq” textfile without any extension in the <drive>:\usr\sap\saprouter\nt-xxx

13) Generate the certificate Request on SAP router OS with the following command (execute from the <drive>:\usr\sap\saprouter\nt-xxx directory)

     sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"

     sapgenpse get_pse -v -onlyreq -r certreq -p local.pse

    You will be asked twice for a PIN here. Please choose a PIN and document it, you have to enter it identically both times. Then you    

    will have to enter the same PIN every time you want to use this PSE.


14) Display the output file "certreq" and with copy & paste (including the BEGIN and END statement) insert the certificate request into   

    the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.

15) In response you will receive the certificate signed by the CA in the Service Marketplace. copy the content

     Create a “srcert” file without any extension in the same location (<drive>:\usr\sap\saprouter\nt-xxx) and paste it


16) Importing the Certificate & Creating Credential

     Now Import the certificate using the below command

     sapgenpse import_own_cert -c srcert -p local.pse  (execute from  <drive>:\usr\sap\saprouter\nt-xxx)

     enter pin which you have already saved.

     Output of the command should show

     CA-Response successfully imported into PSE XXXX\saprouter\local.pse


17) Creating the credential for User responsible to start SAP Router

     After importing the certificate create Credential for user <sid>adm who will be responsible to start and stop SAP Router


18) sapgenpse seclogin -p local.pse -O <sidadm> (entered in full <domainname>\<username>)


19) Verifying the Configuration

     sapgenpse get_my_name -v -n Issuer

     Output of the command should show

     Name of the Issuer as : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

20) Post Configuration Activity. Now we need to maintain the details in the saprouttab file. SAPROUTTAB is nothing but a permission file which has information about who should communicate through SAP Router

21) Following is an example content of saprouttab

---------------------------------------------------------------------------------------

# SNC connection to and from SAP

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC-connection from SAP to local system for R/3-Support

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" < sap server ip > < port >

# Access from your local Network to SAP

P < sap server ip > 194.39.131.34 3299

# All other connections will be denied

#D

-------------------------------------------------------------------------------------

< Sap server ip > is nothing but the IP address of the SAP server which needs to be accessed via SAP Router

< Port > is nothing but the port of SAP Application for e.g. 3200 ( dispatcher port )

D * * * means reject all connections except the entries for the server IPs mentioned in saprouttab

22) How to Start & Stop SAP Router

      saprouter -r -S 3299 -V 3 -K "p:CN=<saprouter hostname>, OU=< Customer number >, OU=SAProuter,O=SAP, C=DE" &

23) How to Stop SAP Router

    
     saprouter -s

24) If we want to create as a service go through  Note 525751

ntscmgr install saprouter -b <path>\saprouter.exe -p "service -r -W 60000 -R <path>\saprouttab -K ^p:<your_distinguished_name>^"

(eg : ntscmgr install saprouter -b <drive>\usr\sap\saprouter.exe -p "service -r -W 60000 -R <drive>\usr\sap\saprouter\saprouttab -K ^p:CN=XXXXXX, OU=XXXXXXXXX, OU=SAProuter, O=SAP, C=DE^")

Thanks

Ramesh Nair
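
A small review aid for the saprouttab format described in steps 20 and 21, added here as an example and not part of the original answer or of SAP's tooling. It assumes SAProuter applies the first matching entry; the `192.0.2.x` addresses in the sample are constructed placeholders.

```python
import shlex

# Constructed sample in the format shown in this thread (192.0.2.x are placeholders).
SAMPLE = '''\
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.0.2.10 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.0.2.10 23
P 192.0.2.* 194.39.131.34 *
D * * *
P 192.0.2.20 194.39.131.34 3299
'''

PERMIT = {"P", "S", "KP", "KS"}      # entry types that allow a connection
KNOWN = PERMIT | {"D", "KD", "KT"}   # deny entries and the SNC target entry

def parse(text):
    """Yield (line_no, kind, source, dest_host, dest_port) for each entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # keeps the quoted SNC name as one token
        # Entries on this page always carry host and port; shorter ones are reported.
        if tok[0] not in KNOWN or len(tok) < 4:
            yield no, "?", line, "", ""
            continue
        yield no, tok[0], tok[1], tok[2], tok[3]

def lint(text):
    """Return a list of (line_no, finding) tuples for a reviewer to look at."""
    # Assumption: first matching entry wins, so entries after "D * * *" never apply.
    findings, closed_at = [], None
    for no, kind, src, host, port in parse(text):
        if kind == "?":
            findings.append((no, "unrecognised entry"))
            continue
        if closed_at is not None:
            findings.append((no, f"unreachable: follows catch-all deny on line {closed_at}"))
            continue
        if kind in PERMIT and "*" in host:
            findings.append((no, "permit with wildcard destination host"))
        if kind in PERMIT and port == "*":
            findings.append((no, "permit with wildcard destination port"))
        if kind in PERMIT and port == "23":
            findings.append((no, "permit to telnet (cleartext) port 23"))
        if kind == "D" and (src, host, port) == ("*", "*", "*"):
            closed_at = no
    return findings
```

Calling `lint(SAMPLE)` returns the line numbers and findings; each finding is a prompt for review, not proof of a misconfiguration.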

former_member829550
Active Participant
0 Kudos

hi,

i started my router and service and i dont get any error in dev_rout.

But when i make connections in SM59 i get a connection error.

i declared my router string as

/H/10.20.60.25/S/sapdp00/H/194.111.125.35/S/sapdp99/H/oss001

DEV_RFC shows this error::

**** Trace file opened at 20121003 230106 FLE Daylight Time, by disp+work

**** Versions SAP-REL 720,0,120 RFC-VER U 3 1299152 MT-SL

Error RFCIO_ERROR_SYSERROR in abrfcpic.c : 2825

LB: Hostname or service of the message server unknown

DEST =SAP-OSS

MSHOST =/H/10.20.60.25/S/sapdp00/H/194.111.125.35/S/sapdp99/H/oss001

R3NAME =OSS

GROUP =1_PUBLIC

ABAP Programm: SAPLCRFC (Transaction: SM59)

User: EXTBHUPESH (Client: 300)

Destination: SAP-OSS (Handle: 3, DtConId: 00000000000000000000000000000000, DtConCnt: 0, ConvId: ,)

EPP RootContextId: 1CC1DE059B2C1EE283A97548F6DADC37, ConnectionId: 00000000000000000000000000000000, ConnectionCnt: 0

EPP TransactionId: AA4B0DE2B647F1E9BC371CC1DE059B2C

Former Member
0 Kudos

Dear Bhupesh,

Must do analysis

1. Are you able to ping 194.111.125.35 from desired system.

2. Check sapdp99 3299/tcp is maintained in the services file located in /etc of desired system.

3. If above two checks are done go to tcode oss1 -> Technical settings -> Maintain settings

Mention the correct IP and hostname of saprouter and system details. The details you mention here are reflected in SAPOSS RFC destination.

Let me know the results

Sid
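
The second check above, as an added example that is not part of the original reply: it splits the route string from the DEV_RFC trace into hops and lists every symbolic service name that the supplied services-file text does not define. The services text is a constructed sample; on a real host you would pass in the contents of that system's services file.

```python
import re

# Route string as posted in the thread.
ROUTE = "/H/10.20.60.25/S/sapdp00/H/194.111.125.35/S/sapdp99/H/oss001"

# Constructed services-file excerpt: sapdp99 is deliberately missing.
SERVICES = """\
sapdp00   3200/tcp   # SAP dispatcher, instance 00
sapgw00   3300/tcp
"""

def parse_route(route):
    """Split a route string into hops: [{'H': host, 'S': service, 'W': password}, ...]."""
    hops = []
    for key, val in re.findall(r"/([HSW])/([^/]*)", route):
        if key == "H":
            hops.append({"H": val})   # each /H/ starts a new hop
        elif hops:
            hops[-1][key] = val       # /S/ and /W/ belong to the preceding host
    return hops

def parse_services(text):
    """Map service names (and aliases) to TCP port numbers."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            if proto == "tcp" and port.isdigit():
                for name in [fields[0]] + fields[2:]:
                    table[name] = int(port)
    return table

def unresolved(route, services_text):
    """Return (host, service) pairs whose symbolic service name has no tcp entry."""
    table = parse_services(services_text)
    missing = []
    for hop in parse_route(route):
        svc = hop.get("S")
        if svc and not svc.isdigit() and svc not in table:
            missing.append((hop["H"], svc))
    return missing
```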

Answers (5)

former_member829550
Active Participant
0 Kudos

thank you all for your help and for spending your precious time for my problem.

my problem got solved.

What i did (solution)::

I deleted all the previous existing RFC connections and created new RFC's.

and i made my router service to run on local system user (It worked for me though against the router documentation).

Also, my company's firewall redirected ip's which were going to SAP which was later corrected.

Otherwise, everything was ok from my side. (like routtab settings, port settings, hoststring, router cert, etc.,)

br,

bhupesh

former_member829550
Active Participant
0 Kudos

Actually, I have a WAN Ip (19x.2xx.xxx.1xx) and a LAN IP (1x.2x.xx,xx) to my solman where saprouter has been installed.

I made the saprouttab settings as,

#SNC connection to and from sap
KT "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 194.111.125.35 *

# SNC connection to local system for R/3-Support
KP "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 19x.2xx.xxx.1xx 3299

#SNC connection to local Windows Systems for R/3-Support , DEV, Test
KP "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 1x.2x.xx.* 3299

#SNC connection to local Windows Systems for R/3-Support PRD
#KP "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 10.2x.xx.xx 3201

#SNC connection to local system for saptelnet
KP "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 10.2x.xx.xx 23

#SNC connection to local system for NetMeeting
KP "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 1x.2x.xx.xx 1503

#Access from the local Network to SAP
P 19x.2xx.xxx.1xx 194.111.125.35 3299

#Deny All Other Connections
D * * *

I created the saprouter service and made it automatic. I also assigned the user .\sapadm to the router service.

In services.msc, saprouter service---> Properties----> General Tab   i have the path as
d:\usr\sap\saprouter\saprouter.exe service -r -W 60000 -R d:\usr\sap\saprouter\saprouttab -K p:CN=rpsmpd01,

IN HKLM--> System--> CurrentControlSet--> services--> saprouter i have settings like

                   Imagepath =   d:\usr\sap\saprouter\saprouter.exe service -r -W 60000 -R d:\usr\sap\saprouter\saprouttab -K p:CN=rpsmpd01,

                   ObjectName = .\sapadm

But when i start the saprouter service it flashes an error as::

Error 1069: The service did not start due to logon failure.

what could be the problem. I did all the steps same as sncc-conn of service market place.

Are my saprouttab connections ok and how to start the service.

br,

mb.

MaheshKumar
Contributor
0 Kudos
former_member829550
Active Participant
0 Kudos

thanks for the note.

i configured the saprouter service but when i start it,  it ends up with

error 1067:: Process terminated Unexpectedly.

I made the service as Automatic and started.

how to start the saprouter service.

br,

bhupesh

MaheshKumar
Contributor
0 Kudos

Hi Bhupesh,

Go to services.msc and find service SAProuter and set the service to automatic. And start the service.

Start SAP router using

saprouter -r -G routerlog -S 3299 -K "p:CN=gilsapes,OU=000123456,OU=SAProuter,O=SAP,C=DE"

Former Member
0 Kudos

Hi,

Please ref. Note 1139477 and apply the patch.

Thanks

Ramesh Nair

Former Member
0 Kudos

Hi bhupesh,

Command to start saprouter from cmd

saprouter -r -V 2 -K "p:CN=<hostname>, OU=<cust no,>, OU=SAProuter, O=SAP, C=DE" &

MaheshKumar
Contributor
0 Kudos

Hi

Could you please go through following link. It's very helpful

http://scn.sap.com/community/netweaver-administrator/blog/2012/06/17/detailed-sap-router-installatio...

Regards

Mahesh Kumar

former_member829550
Active Participant
0 Kudos

hi,

i already have that document with me.

But when i start the sap router, it says "couldnot find permission table"

the dev_rout shows this message.

command line arg 0:saprouter
command line arg 1:-r
command line arg 2:-G
command line arg 3:log_file2

main: pid = 5952, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)

*** ERROR => fopen './saprouttab' (2: No such file or directory) [nirout.cpp   9108]

***LOG Q0I=> NiRRouttab: fopen (2: ENOENT*: No such file or directory OR: The system cannot find the file specified.) [nirout.cpp 9110]

cannot open './saprouttab': all routing disabled!!!

Could not open permission table

MaheshKumar
Contributor
0 Kudos

Hi

Could you please post routtab contents here.

Former Member
0 Kudos

Check if you have saprouttab file in directory where saprouter executable is placed.

Regards

Roman

former_member829550
Active Participant
0 Kudos

hi,

these are the contents of my saprouttab

My Public Ip is 193.20x.xxx.xxx and internal ip address is 10.xx.xx.xx.

I made saprouttab settings as

#SNC connection to and from sap

KT "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 194.111.125.35 *

# SNC connection to local system for R/3-Support

KP "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 193.20x.xxx.xxx 3299

#SNC connection to local Windows Systems for R/3-Support solman, DEV, Test

KP "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 10.xx.xx.* 3200

#SNC connection to local Windows Systems for R/3-Support PRD

#KP "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 10.xx.xx.2x 3201

#SNC connection to local system for saptelnet

KP "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 10.xx.xx.2x 23

#SNC connection to local system for NetMeeting

KP "p:CN=sapserv3, OU=SAProuter, O=SAP, C=DE" 10.xx.xx.xx 1503

#Access from the local Network to SAP

P 193.20x.xxx.xxx 194.111.125.35 3299

#Deny All Other Connections

D * * *

Also, when i am trying to generate the certificate with command

sapgenpse get_pse -v -r certreq -p local.pse  "Distinguished Name"

then it is asking for a PIN. What is that PIN about.

br,

mb

former_member829550
Active Participant
0 Kudos

hi,

yes, it is in the same directory where saprouter executable are.

when i put a message to SAP replied as:

please check the hostname of the SAProuttab file, it must be saprouttab without extension.

I made the saproutab settings in a text file and saved. As i had a doubt for starting the router i also made a saproutab batch file and saved in the same <drive>:\usr\sap\saprouter directory.

br,

mb

Former Member
0 Kudos

Please provide content of your <drive>:\usr\sap\saprouter directory

Regards

Roman

former_member829550
Active Participant
0 Kudos

thanks for the reply,

my saproutab is getting connected, all that i did is renamed the tab to saprouttab  (initially it was saproutab.txt).  but one question i would like to ask regarding saprouter registration is::

when i execute the command

sapgenpse get_pse -v -r certreq -p local.pse "distinguished name"

it is asking for a PIN.

which PIN is this...coz i dont have any PIN associated with my router.

when i looked into https://websmp101.sap-ag.de/saprouter-sncadd

my company has already some distinguished name associated. when i used the same it is then asking for a PIN. what is this PIN about and where can i find it.

br,

mb

Former Member
0 Kudos

You can give whatever pin you want to. Also what i feel is you did not generate credentials properly.

Could you refer below note

Regards

Siddhesh

Former Member
0 Kudos

You need the media id: 20008851.

go to service.sap.com and on download section click on browse download catalog and follow this path:

SAP Cryptographic Software > SAPCryptolib for Installation > SAPCRYPTOLIB 5.5.5 

and choose your operational system

You can test if some port is open/active calling telnet in windows command prompt.

( If you use Windows 7 you need to activate telnet client in Control Panel ) see google for more info.

Ex of telnet usage:

telnet 127.0.0.1 32XX

if no error occurs the service on the requested port is ok and listening for connections.

former_member829550
Active Participant
0 Kudos

hi,

I uncarred the sap router files and set the SECUDIR=<drive>\usr\sap\saprouter and SNC_LIB=\usr\sap\saprouter\nt-x86_64\crypto.dll

Then i set the saprout tab settings and started the sap router with command

saprouter -r -G log_file

but there appears an error saying that running without a routtab. could not open permission table.

The saprouter service is also not seen in the services.msc options.

where exactly should i save routtab and do i need to set any environmental variables for routtab (i already set the path of saprouttab). How to start the saprouter service (i used the command as in router documentation)

ntscmgr install SAProuter -b <drive>:D\usr\sap\saprouter\saprouter.exe -p "service r"

is this a proper way of initializing the router service.

br,

mb

Former Member
0 Kudos

Hi. i have the crypto.dll in the same folder as saprouter (c:\usr\sap\saprouter\ntintel).

here is a copy of the command that i use to start saprouter:

C:/usr/sap/saprouter/ntintel/saprouter -r -S 3299 -K "p:CN=erg-nat.local, OU=0001109741, OU=SAProuter, O=SAP, C=DE" -G saprouterlog.txt -V2 -W 60000

And here is a copy of my saprouttab for a sample:

# SNC-connection from PSB and to SAP

#

#KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

#

# SNC-connection from SAP to PSB R/3-System for Support

#

# DEV (sapdev)

#KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.156.32 3200

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.156.32 3202

#

# WTSSRVR WTS (servidor.local)

# KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" xxx.xxx.xxx.xxx 3389

#

#

#

# Access from the local Network to SAPnet - R/3 Frontend (OSS)

#

 

P 172.17.* 172.17.0.30 *

P 192.168.* 194.39.131.34 *

 

#

# deny all other connections

# D * * *

#

# permit all

#P * * *