cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

saprouter scn problem

Go to solution
Former Member

on ‎09-18-2014 6:46 AM

0 Kudos

Hello!

I am trying to make s sap router tunnel with this instruction:

How to setup SNC connection between SAProuters - Basis Corner - SCN Wiki

When I run niping I get an error:

I run sapgenpse get_pse -v -noreq -p local.pse "CN=saprouter" where saprouter is the name of the local user. Maybe I am wrong ?

What should I write in CN ? Maybe host\username ? In other instructions I see that peoples make the certificate like:

CN=sgw, OU=IT, O=FTVL, C=COM, but I don't know how to use it for the local user on host, like CN=username, O=computername, C=domainname. C=local

Thanks!

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎09-22-2014 11:57 AM
0 Kudos

I fixed it! Thanks for all! It was my mistake.

The problem was in sap route tab, I should use KT "p:CN=<name of certificate of REMOTE HOST">

So in KP too.

Show replies
Show replies

Answers (3)

Answers (3)

Sriram2009
Active Contributor
‎09-18-2014 7:22 AM
0 Kudos

Hi

Could you check with SAP KBA

2023501 - When using niping to test a SAPRouter, SAPRouter trace shows error "route from XXX expecte...


Regards

Show replies
Show replies
divyanshu_srivastava3
Active Contributor
‎09-18-2014 7:11 AM
0 Kudos

Hi Igor,

As you must have read this:



On SAProuter host1, run:


sapgenpse get_pse -v -noreq -p local.pse "CN=MYSAPROUTER1"


sapgenpse seclogin -p local.pse

Here you have to use the hosthame of the router from which you will generate the certificate and then exchange.

Regards,

Show replies
Show replies
Former Member
‎09-18-2014 7:54 AM
0 Kudos

I did it, but I got the same error.

After NIPING in dev_rout I see:

Thu Sep 18 10:53:11 2014

*** ERROR => SncPEstablishContext() failed for target='p:CN=<MYHOST>' [sncxxall.c 3585]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3551]

      GSS-API(maj): A token had an invalid signature

      GSS-API(min): The name is wrong

    Unable to establish the security context

    target="p:CN=<MYHOST>"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;000000000249FA20;789) [nisnc.c      1010]

former_member317844
Participant
‎09-18-2014 8:09 AM
0 Kudos

Hi Igor

do a normal ping -a <myhost> to check if you have nameresolution.

if ping dose not return a hostname, please ad this to the host file

Also make sure the Identity Center’s SNC is correct. Use the sapgenpse command get_my_name to obtain the Distinguished Name being used.

Regards

Former Member
‎09-18-2014 8:18 AM
0 Kudos

Hi Torben

Yes, ping is ok

divyanshu_srivastava3
Active Contributor
‎09-18-2014 8:25 AM
0 Kudos

May be you check the last option supplied by Torben.

Former Member
‎09-18-2014 8:36 AM
0 Kudos

Sapgenpse get_my_name -v -n Issuer:

first host:

Opening PSE "C:\saprouter\local.pse"...

PSE (v2) open ok.

Retrieving my certificate... ok.

Getting requested information... ok.

SSO for USER "saprouter"

  with PSE file "C:\saprouter\local.pse"

Issuer  : CN=<myhost>


second host:


Opening PSE "C:\saprouter\local.pse"...

PSE (v2) open ok.

Retrieving my certificate... ok.

Getting requested information... ok.

SSO for USER "saprouter"

  with PSE file "C:\saprouter\local.pse"

Issuer  : CN=<my_second_host>

former_member182657
Active Contributor
‎09-18-2014 6:52 AM
0 Kudos

Hi,

What should I write in CN ? Maybe host\username ?

Here you should use hostname instead of username for which you generated router certificate.

Regards,

Gaurav

Show replies
Show replies
Former Member
‎09-18-2014 7:40 AM
0 Kudos

Hi Gaurav

Full name (with domain name) or simple ?

Ask a Question