on 11-22-2012 6:37 AM
Hi Experts,
Recently I have been installing Solution Manager. I wanted to access my Solution Manager through SAP Router, so I have added a Solution Manager entry to the saprouttab file on my router.
In saprouttab I have added the IP address of my Solution Manager system as follows:
# command for allowing OSS access to SOLMAN. uncomment when required.
P 192.168.100.52 194.39.131.34 3299
# permission entries to check if connection is allowed at all
P * 192.168.100.52 *
When I try to access Solution Manager through the router string from another network, I get the following error message:
solman route permission denied (---to 192.168.100.52, sapdp00)
Location: SAProuter 38.10 on 'solman'
Time: ----
Component: NI(network interface)
Release: 700
Version: 38
Return Code: -94
Counter: 7916
Please help me out to solve this error
Thanks
Dear Mr. Amit,
You need to mention the Public I.P. & port used for SAP router in the sap route tab.
SAP support is mostly available through sap router. To download software through solman, MOPZ needs to connect to the sap portal. In these cases your I.P. needs to be registered at SAP.
The following details have helped me to configure SAP Router successfully several times. Compare your installation & configuration accordingly.
---------------------------------------------------------------------------------------------------------------------------------------------
Step by Step Procedure for SAP Router SNC Configuration
Introduction
Step by step configuration of SAP Router 7.00 on Unix platform (the same procedure can be used for configuring SAP router on NT platform)
Follow the procedure below to configure SAP Router:
Prerequisites for configuring SAP Router
Download SAP Cryptographic Binary from SAP Market Place
The Cryptographic Binary can be downloaded from the link below
Download
SAP Cryptographic Software
After clicking on SAP Cryptographic Software you will get a new browser window, where you have to select and download the file depending on the OS platform on which you have to configure SAP Router
Register IP and SAP Router Hostname with SAP
First of all get a Public IP address from your network team. The Public IP needs to be configured to your local SAP Router IP address. (This task will be done by your network team.)
Also get ports 3299 & 3298 opened from the SAP router host IP to SAP AG.
SAP router uses ports 3298 & 3299 for communication
Raise an OSS with SAP under component XX-SER-NET-NEW with a description of registering the Public IP address and host name of the SAP router with SAP.
Steps for Configuring SAP Router
Create SAP Router Folder in /usr/sap
<sap router host> Go to location /usr/sap
cd /usr/sap
mkdir saprouter
Change the owner of folder saprouter to <sid>adm:sapsys
Copy the downloaded Cryptographic Binary to the saprouter folder and extract the binary using the SAPCAR executable
# SAPCAR -xvf < Cryptographic Binary >
Give <sid>adm:sapsys access to all the files present in the saprouter folder, and chmod them to 775
Set environment variable SECUDIR=/usr/sap/saprouter
Generating and Registering the Key and Certificate
Go to the link https://websmp201.sap-ag.de/SAPROUTER-SNCADD
Click on Apply Now!
Copy the Distinguished name from above, which is required for executing below command
Once you copied Distinguished name from above link then click on Continue TAB
Generate the certificate Request on SAP router OS with the Following command:
# sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"
# sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
You will get "<Your Distinguished Name>" from SAP market Place, when you login with S-USER. ( This is
generated after you raise an OSS with SAP for registering SAP router hostname )
After executing the above command you will get 2 additional files created in the saprouter folder, i.e. local.pse and certreq
certreq contains the encrypted form of the key request.
Copy the content of certreq and paste the certificate request into the text area of the same form in the SAP Service Marketplace
After pasting the content click on REQUEST CERTIFICATE
In response you will receive the certificate signed by the CA in the Service Marketplace; cut & paste the text to a local file named srcert
After copying the content of the import certificate to the srcert file, copy the file to the saprouter folder and provide the necessary rights.
Importing the Certificate & Creating Credential
Once the file is copied to the saprouter folder, run the import command to install the certificate in SAP Router. (Run the following import command)
# sapgenpse import_own_cert -c srcert -p local.pse
Creating the credential for the user responsible for starting SAP Router
After importing the certificate, create a credential for user <sid>adm, who will be responsible for starting and stopping SAP Router (run the following command to do so)
# sapgenpse seclogin -p local.pse -O <sidadm>
Installation steps are completed after creating the credential for <SID>adm
To confirm SAP Router is installed successfully, run the following command
Verifying the Configuration
# sapgenpse get_my_name -v -n Issuer
The output of the command should show
Name of the Issuer as : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
After confirming SAP router has been configured successfully, set the following environment variable, which is required to read the cryptography while starting the SAP Router
Post Configuration Activity
Set environment variable SNC_LIB=/usr/sap/saprouter/libsapcrypto.so
Now that configuration is done, there is one important post-installation step, which is to create SAPROUTTAB.
SAPROUTTAB is nothing but a permission file which has the information on who is allowed to communicate through SAP Router
Create a file with the name saprouttab and copy it to the /usr/sap/saprouter folder
Following is an example content of saprouttab
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC-connection from SAP to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" < sap server ip > < port >
# Access from your local Network to SAP
P < sap server ip > 194.39.131.34 3299
# All other connections will be denied
#D * * *
< sap server ip > is nothing but the IP address of the SAP server which needs to be accessed via SAP Router
< port > is nothing but the port of the SAP application, e.g. 3200 (dispatcher port)
D * * * means reject all connections except the entries for the server IP which are mentioned in saprouttab
How to Start & Stop SAP Router
Now one of the important things for which we have done all the above exercise,
i.e. how to start & stop SAP Router
How to Start SAP Router
Run the following command to Start SAP Router
# saprouter -r -S 3299 -V 3 -K "p:CN=<saprouter hostname>, OU=< Customer number >, OU=SAProuter,O=SAP, C=DE" &
The above value of CN is nothing but the Distinguished Name which you checked on SAP Market Place earlier
Check the log file dev_rout in the /usr/sap/saprouter folder, which will give you an exact idea of whether SAP router started
How to Stop SAP Router
Run the following command to Stop SAP Router
# saprouter -s
------------------------------------------------------------------------------------------------------------------------------------------
Related Content
http://service.sap.com/saprouter
http://service.sap.com/saprouter-sncdoc
http://help.sap.com/saphelp_nw70/helpdata/en/4f/992dbd446d11d189700000e8322d00/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/4f/992ce8446d11d189700000e8322d00/frameset.htm
SAP Notes
Note 30289: SAProuter Documentation
Note 525751: Installation of the SNC-SAPRouter as NT Service
Note 46902: Security aspects in remote access
Note 48243: Integrating SAProuter into a firewall
Note 33135: Guidelines for OSS1 (Version for SAPSERV3)
Note 35010: Service connections: Composite note
----------------------------------------------------------------------------------------------------------------------------------------------
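Added example, not part of the original thread and not SAP tooling: a small Python audit of the route permission table discussed above, reporting permit entries that use `*` for source, destination host or service. It assumes the field order `<type> <source> <dest-host> <dest-service> [password]` and that KT entries only select SNC for a hop; the sample table is constructed from lines quoted in this thread, with port 3200 taken from the guide's dispatcher example.

```python
import shlex

PERMIT = {"P", "S", "KP", "KS"}       # entry types that allow a route
KNOWN = PERMIT | {"D", "KD", "KT"}    # KT selects SNC for a hop (assumed: not a permit)

def parse_saprouttab(text):
    """Return (lineno, kind, source, dest_host, dest_service) for each entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # shlex keeps a quoted SNC name ("p:CN=..., C=DE") as one field
        # and drops '#' comment lines.
        fields = shlex.split(line, comments=True)
        if not fields:
            continue
        kind = fields[0].upper()
        if kind not in KNOWN or len(fields) < 4:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        entries.append((lineno, kind, fields[1], fields[2], fields[3]))
    return entries

def audit(text):
    """List (lineno, reason) for every permit entry that contains a wildcard."""
    findings = []
    for lineno, kind, source, host, service in parse_saprouttab(text):
        if kind not in PERMIT:
            continue
        if source == "*":
            findings.append((lineno, "any source"))
        if host == "*":
            findings.append((lineno, "any destination host"))
        if service == "*":
            findings.append((lineno, "any destination service"))
    return findings

# Constructed sample: the question's two P lines plus the guide's K entries.
SAMPLE = '''\
# command for allowing OSS access to SOLMAN. uncomment when required.
P 192.168.100.52 194.39.131.34 3299
# permission entries to check if connection is allowed at all
P * 192.168.100.52 *
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.100.52 3200
'''

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE):
        print(f"line {lineno}: permit entry allows {reason}")
```
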
Dear Mr. Amit,
You need to add your Public I.P. address entry in the route tab which is registered at SAP.
The same I.P. should be bound to the internal local I.P. also.
Add an entry similar to the following, with your correct details:
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.100.52 3299
Also verify the RFC SAPOSS consistency.
Kind rgds,
Ashwin Mane
Thanks for reply,
I have added what you told me, but I am still unable to access my server.
Sorry, but I can't understand what you mean by "You need to add your Public I.P. address entry in the route tab which is registered at SAP"
Do I compulsorily need to register the Solman server's IP address with SAP?
Please tell me about this.