
SAP Router Issue in AS400

GML
Explorer
0 Kudos

Hi,

I have updated the new SAPROUTER as per OSS note 1818735 for the i-series system. When I try to start the saprouter, I am getting the error below.

SncInit(): Initializing Secure Network Communication (SNC)

      IBM i with OS400 (st,ascii,SAP_UC/size_t/void* = 16/64/64)

      UserId="pr1adm" (126), envvar USER="PR1ADM"

SncInit(): Trying builtin default as a

      gssapi library name: "sncgss.o".

*** ERROR => DlLoadLib()==DLENOACCESS - dlopen("sncgss.o") FAILED

  " 0509-022 Cannot load module .

  0509-026 System error: A file or directory in the path name does not exist."  (errno=2,No such file or directory) [dlux.c       445]

*** ERROR => SncPDLInit()==SNCERR_INIT, Adapter #1 (sncgss.o) not loaded [sncxxdl.c  732]

<<- SncInit()==SNCERR_INIT

         sec_avail = "false"

*** ERROR => NiSncInit: SncInit failed (sncrc=-1) [nisnc.c      561]

*** ERROR => main: NiSncInit failed (rc=-17) [nirout.cpp   1368]

*****************************************************************************

*

*  ERROR       SNC processing failed:

*              SncInit

*

*  TIME        Mon May 18 20:50:33 2015

*  RELEASE     721

*  COMPONENT   NI (network interface)

*  VERSION     40

*  RC          -17

*  MODULE      nisnc.c

*  LINE        560

*  DETAIL      NiSncInit: sncrc=-1

*  COUNTER     4

*

*****************************************************************************

<<- ERROR: SncDone()==SNCERR_INIT_FIRST

ALL ENVIRONMENT VARIABLES are Set.

SECUDIR - /usr/sap/saprouter

SNC_LIB - /usr/sap/saprouter/libsapcrypto.o

Thanks.

Vel.


Accepted Solutions (1)

Former Member
0 Kudos

Hello Gnanavel,

The error message you have seen typically occurs if the variable SNC_LIB is not set; saprouter then tries its default, which is sncgss.so. It should be set to <PATH to SAPCryptolib>/libsapcrypto.o when using the SAPCryptolib contained in the 721-Kernel.

Did you use the old version of SAP Note 1818735 or did you use the new version with the documentation appended in the pdf-file saprouter.pdf?

Regards,

Joachim Schneider, SAP on IBM i.

GML
Explorer
0 Kudos

Hi Joachim,

Thanks for your valuable information. Yes, the pdf SAP mentioned is a complicated one; they never tell it in a simple way. As per the pdf I have entered the password for the certificate. I will redo it again without a password. I did follow the 05/11 pdf, and yesterday SAP updated a new one, 05/18. I will follow the new one (only the program change is different between both pdfs).

Thanks

Vel.

Former Member
0 Kudos

Hello Vel,

yes, you are right it is not a simple setup:

(1) One should look up some information.

(2) One has to download several components: SAPEXE.SAR, SAPCAR

(3) One has to create a user running the saprouter

(4) One has to create two CL-Programs to run the SAPROUTER

(5) It is necessary to create a certificate request.

(6) One has to import SAP Root CA certificates.

Yes, you are right, the document saprouter.pdf might appear to be complicated, maybe simply because it has become quite long.

The document tries to describe the necessary steps and also to give some background information; in my opinion the background information is necessary for several reasons

(a) One is working with security-related topics, where it is necessary to understand what one is doing

(b) One needs some simple testing steps.

Volker's solution in effect does the steps 4, 5 and 6 above. He does not need 1, 2 and 3 because he assumes running the SAPROUTER as <sid>adm. Also he gives no background information, but only copy&paste commands.

Best Regards,

Joachim

One additional remark: It will be easier for us to give you support, when you follow our documentation.

GML
Explorer
0 Kudos

Hi Joachim / Volker,

After starting the saprouter program in a batch job, I am getting the error below:

                                                                             

>> CALL PGM(SAPROUTER/LOGON)                                                

    Current library changed to SAPROUTER.                                    

    Current directory changed.                                               

    Environment variable added.                                              

    Environment variable added.                                              

    Environment variable added.                                              

    Environment variable added.                                              

    Environment variable added.                                              

    Current directory changed.                                               

    Could not load dependent PASE for i module                               

      /usr/sap/saprouter/os4apilib.so.                                       

    Cannot load PASE for i module /usr/sap/saprouter/os4apilib.so.           

    Internal system error.  Error code is 85.                                

    Error loading PASE for i program /usr/sap/saprouter/saprouter.  See      

    previous messages.                                                     

    Application error.  CPFB9C0 unmonitored by SAPROUTER at statement        

    0000000176, instruction X'0000'.                                       

    Function check. CEE9901 unmonitored by LOGON at statement 0000002300,    

    instruction X'0000'.                                                   

    CEE9901 received by procedure LOGON. (C D I R)                 

Need your input further solving the issue..

Still no update from SAP for this message...

Thanks.

Vel

volker_gldenpfennig
Active Participant
0 Kudos

Hi Vel,

what should I say ?

looks like, that you might need to copy even more modules of the kernel ... this "dll" os4apilib.so is part of the kernel and could be copied as well ... you might see, why I suggested a different strategy above ...

Regards,

Volker Gueldenpfennig, consolut international ag

Former Member
0 Kudos


Hello Vel,

if you followed Volker's procedure, please ask him for support.

If you followed the procedure described in SAP note 1818735 and there is a problem, please open an OSS message; if you have already opened a message, please give me the incident number, I will pick it up and help you.

Best Regards,

Joachim

GML
Explorer
0 Kudos

Hi Joachim,

Yes, I did open a message with SAP (329501). Once again, I followed the new pdf 05/18 published in the OSS note yesterday night. Still I am encountering the same issue.

Thanks.

Vel.

GML
Explorer
0 Kudos

Hi Joachim,

Thanks for picking up the ticket; I was able to start the SAPRouter now. Once again, thanks for all your valuable inputs to solve the issue.

Main issue was with ln -s for all mentioned files

Thanks.

vel.
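The two causes that surface in this thread, SNC_LIB not being visible to the job that starts the router and the symbolic links Vel names as the main issue, can be checked before saprouter is started. The following is an added example, not part of the posts or of SAP note 1818735; the function names and return values are its own, and it assumes it is run in QSH from the same job and user that start the router.

```shell
#!/bin/sh
# Added example. Run it from the job and user profile that starts saprouter,
# because the variables are set per job. Return values are this example's own.

# resolvable PATH -> 0 readable regular file (symbolic links followed),
#                    1 symbolic link whose target is missing, 2 anything else
resolvable() {
    if [ -f "$1" ] && [ -r "$1" ]; then return 0; fi
    if [ -L "$1" ] && [ ! -e "$1" ]; then return 1; fi
    return 2
}

# check_snc_env [FILE...] checks SNC_LIB, SECUDIR and any further files the
# router must load; prints one line per problem and returns the problem count.
check_snc_env() {
    problems=0
    if [ -z "${SNC_LIB:-}" ]; then
        echo "SNC_LIB is not set here: the router will try its builtin default library name"
        problems=1
    else
        set -- "$SNC_LIB" "$@"      # check the configured library like any other file
    fi
    for f in "$@"; do
        rc=0
        resolvable "$f" || rc=$?
        case $rc in
            0) ;;
            1) echo "$f: symbolic link, target does not exist"
               problems=$((problems + 1)) ;;
            *) echo "$f: missing, unreadable or not a file"
               problems=$((problems + 1)) ;;
        esac
    done
    if [ -z "${SECUDIR:-}" ] || [ ! -d "$SECUDIR" ]; then
        echo "SECUDIR is unset or not a directory"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Example call with a path taken from the job log in this thread:
#   check_snc_env /usr/sap/saprouter/os4apilib.so
```

A return value of 0 means every checked path resolves; the printed lines name the variable or file to fix otherwise.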

Answers (1)

volker_gldenpfennig
Active Participant
0 Kudos

Hi Vel,

as the saprouter is looking for the file sncgss.o, I cannot believe, that in that user context, the following variable is really as described:

SNC_LIB - /usr/sap/saprouter/libsapcrypto.o

but: I read the note and would say: I'm really sorry for you ;-(((

I would say, that it was not possible, to describe it even more complicated ... (in my eyes, it is correct, but really complicated)

Our documentation is a bit simpler for this, but would require an installed SAP system on the box, what should be the case in 99% of all cases ...

SAProuter SNC for PASE for iSeries - Version 2.05:

==================================================

Replace all occurrences of "EX6" to your "SID" ... !!!

Test the connection to SAP with Transaction SM59 RFC SAPOSS

Check for the SAP/Common-Cryptolib first:

- Up to 7.2x it is mostly libsapcrypto.o

- As of 7.4x it is mostly libsapcrypto.so

You can check as follows:

WRKLNKSAP DIR('/usr/sap/EX6/sys/exe/run/libsapcryp*')

Based on the results, you should leave it to libsapcrypto.so in this file

or replace all occurrences of "libsapcrypto.so" with "libsapcrypto.o"

for older kernels.

This tool assumes, you are on iSeries and want to make use

of the saprouter & CommonCryptoLib in each (new) kernel of each SID 😉

Further information for all platforms:

https://support.sap.com/remote-support/help/installing-saprouter.html

The following needs to be done once only and does NOT need to be done every year:

BUT: If you redo the certificate request, you need to wipe out the following files in /usr/sap/saprouter first:

- certreq

- cred_v2

- local.pse

http://support.sap.com/remote-support/saprouter/saprouter-certificates.html => Apply for a SAProuter certificate (ONLY in order to retrieve the correct "Distinguished Name" (DN) right now)

In this example:

Distinguished Name of SNC SAProuter (Parameter for SAPGENPSE):

(This is typically on the SAP site the server sapserv2 - otherwise, you have to change the saprouttab accordingly.)

CN=AURORA, OU=0000121933, OU=SAProuter, O=SAP, C=DE  

(You should replace all occurrences of this in this document.)

EX6ADM ToDos:

Logon with EX6ADM:

MKDIR DIR('/usr/sap/saprouter')

CD DIR('/usr/sap/saprouter')

RMVENVVAR ENVVAR('SECUDIR')

ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')

RMVENVVAR ENVVAR('SNC_LIB')

ADDENVVAR  ENVVAR('SNC_LIB') VALUE('/usr/sap/EX6/sys/exe/run/libsapcrypto.so')                                        

As the command is pretty long, you might want to use QCMD:

CALL PGM(QCMD)

STRQSH     CMD('SAPGENPSE get_pse -v -a sha256WithRsaEncryption -s 2048 -x "" -r /usr/sap/saprouter/certreq -p /usr/sap/saprouter/local.pse "CN=AURORA, OU=0000121933, OU=SAProuter, O=SAP, C=DE"')

(PIN should stay always empty in order to keep it simple next year! (-x "" => No PIN ...))

============================================================================================

============================================================================================

As of here, you have to do the things every year:

/usr/sap/saprouter/certreq:

-----BEGIN CERTIFICATE REQUEST-----                            

MIIBnDCCAQUCAQAwXDELMAkGA1UEBhMCREUxDDAKBgNVBAoTA1NBUDESMBAGA1UE

CxMJU0FQcm91dGVyMRMwEQYDVQQLEwowMDAwMjUwMTc0MRYwFAYDVQQDFA1zbmNf

...

pF84rCeMNxzrkZjeMNNjQgOFGjmzo32bu4Zj4EH7HBcyDsmpmvfrKzmH27JFukyS

R/7PZ2Cq5wfRKkbGl9Ntdr1RsMoVsIPSzyWLTqtToA4=                   

-----END CERTIFICATE REQUEST-----                              

http://support.sap.com/remote-support/saprouter/saprouter-certificates.html => Apply for a SAProuter certificate

Put the /usr/sap/saprouter/certreq file to SAP (even the one from last year is OK) and receive the srcert file:

EDTF STMF('/usr/sap/saprouter/certreq')

/usr/sap/saprouter/srcert:

-----BEGIN CERTIFICATE-----

MIIH6AYJKoZIhvcNAQcCoIIH2TCCB9UCAQExADALBgkqhkiG9w0BBwGggge9MIICe

jCCAeOgAwIBAgIDAW8/MA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNVBAYTAkRFMQwwCg

...

hU4EAbX+3Bpde2AtBjp2PDLNx4eklgnSi45prDYNWGvZO2XkBNm7tPDAAsOyw9KZq

dbGH0l7LbzByc77aRGZx/EZGAr5shmwCk2zbjEA

-----END CERTIFICATE-----

Put the srcert file to /usr/sap/saprouter/srcert to iSeries:

- via \\iSeries-name\rootbin

- cut&paste via EDTF (in several chunks :-((( )

logon with EX6ADM :

(depending on the user, that is running the SAPRouter)

CD DIR('/usr/sap/saprouter')

CALL       PGM(SAPEX6IND/SAPINLPGM)

RMVENVVAR ENVVAR('SECUDIR')

ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')

RMVENVVAR ENVVAR('SNC_LIB')

ADDENVVAR  ENVVAR('SNC_LIB') VALUE('/usr/sap/EX6/sys/exe/run/libsapcrypto.so')                                        

STRQSH     CMD('SAPGENPSE import_own_cert -c srcert -p local.pse')

STRQSH     CMD('SAPGENPSE seclogin -p local.pse')

STRQSH     CMD('SAPGENPSE get_my_name -v -n Issuer')

STRQSH     CMD('SAPGENPSE get_my_name')

The following certificate is needed up to 07/18/2015 only:

(Note 2131531 - New Root Certification Authority for saprouter certificates)

(After this change you need to restart the SAProuter !)

Check the PSE for a certificate before:

STRQSH     CMD('SAPGENPSE maintain_pk -l -p /usr/sap/saprouter/local.pse')

Add the old saprouter certificate to the PSE:

smprootca.der: Either from V:\knowhow\SAP\WEBAS\saprouter\smprootca.der or from note 2131531

STRQSH     CMD('SAPGENPSE maintain_pk -a /usr/sap/saprouter/smprootca.der -p /usr/sap/saprouter/local.pse')

Check the PSE for a certificate afterwards:

STRQSH     CMD('SAPGENPSE maintain_pk -l -p /usr/sap/saprouter/local.pse')

CL-Programs to start the SAProuter automatically:

CRTLIB LIB(SAPROUTER) TEXT('SAProuter Lib for PASE SAProuter with sidadm')

CRTSRCPF FILE(SAPROUTER/QCLSRC)

EDTF FILE(SAPROUTER/QCLSRC) MBR(STRROUTSM)

CRTCLPGM PGM(SAPROUTER/STRROUTSM) SRCFILE(SAPROUTER/QCLSRC)

Source of STRROUTSM-CL-Pgm:

PGM                                                   

                                                      

SBMJOB     CMD(CALL PGM(SAPROUTER/STRROUTER)) JOB(SAPROUTSNC) + 

             JOBQ(QCTL) USER(EX6ADM) LOG(4 00 *SECLVL)             

                                                      

ENDPGM                                                

EDTF FILE(SAPROUTER/QCLSRC) MBR(STRROUTER)

CRTCLPGM PGM(SAPROUTER/STRROUTER) SRCFILE(SAPROUTER/QCLSRC)

Source of STRROUTER-CL-Pgm: (needs to run with EX6ADM):

PGM

CALL       PGM(SAPEX6IND/SAPINLPGM)

RMVENVVAR ENVVAR('SECUDIR')

MONMSG MSGID(CPF0000)

ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')

MONMSG MSGID(CPF0000)

RMVENVVAR ENVVAR('SNC_LIB')

MONMSG MSGID(CPF0000)

ADDENVVAR  ENVVAR('SNC_LIB') +                           

  VALUE('/usr/sap/EX6/sys/exe/run/libsapcrypto.so')                                       

MONMSG MSGID(CPF0000)

CD DIR('/usr/sap/saprouter')

STRQSH     CMD('SAPROUTER -r -S 3299 -R ./saprouttab -K +

  "p:CN=AURORA, OU=0000121933, OU=SAProuter, O=SAP, C=DE" -G +            

             ./saprouter.log -T ./saprouter_dev_rout.log')  

            

ENDPGM

Test the connection to SAP with Transaction SM59 RFC SAPOSS

Attention: The file needs to be "CR & LF" or "LF ONLY" BUT NOT "CR ONLY" => change it in EDTF with F15 accordingly !!!

EDTF '/usr/sap/saprouter/saprouttab'

# SNC-connection from and to SAP

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC-connection from SAP to local R/3-System for Support

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *

# SNC-connection from SAP to telnet in your network

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 23

# Access from the local Network to SAPNet - R/3 Frontend (OSS)

P * 194.39.131.34 3299

# deny all other connections

D * * *

Regards,

Volker Gueldenpfennig, consolut international ag
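As an added example (not part of Volker's post or of SAP's documentation), a lint for a saprouttab like the one above: it reports bare-CR line endings, permit entries whose destination host is a wildcard, and a table that does not end in the explicit deny entry. The function names are this example's own; `write_page_table` reproduces the table from the post for a trial run.

```shell
#!/bin/sh
# Added example: lint a saprouttab for the points raised in the post above.
# lint_saprouttab FILE prints one finding per line and returns their count.
lint_saprouttab() {
    findings=0
    cr=$(( $(tr -cd '\r' < "$1" | wc -c) ))
    lf=$(( $(tr -cd '\n' < "$1" | wc -c) ))
    # More CRs than LFs means at least one line ends in a bare CR.
    if [ "$cr" -gt "$lf" ]; then
        echo "line endings: bare CR found, file must be CR+LF or LF only"
        findings=1
    fi
    # Turn every CR into LF so the entries can be read whatever the endings are.
    out=$(tr '\r' '\n' < "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            line = $0
            gsub(/"[^"]*"/, "SNCNAME", line)     # quoted SNC names contain blanks
            split(line, f)                       # type, source, dest host, dest port
            last = f[1] " " f[2] " " f[3] " " f[4]
            if (f[1] ~ /^K?[PS]$/ && f[3] == "*")
                print "permit to any destination host (port " f[4] "): " $0
        }
        END { if (last != "D * * *") print "last entry is not the explicit deny D * * *" }')
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        findings=$(( findings + $(printf '%s\n' "$out" | wc -l) ))
    fi
    return "$findings"
}

# The saprouttab from the post above, written to FILE.
write_page_table() {
    cat > "$1" <<'EOF'
# SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 23
P * 194.39.131.34 3299
D * * *
EOF
}
```

On the table from the post it reports the two `KP` entries, which let the SNC peer reach any host behind the router; narrowing their destination host and port to the systems that actually need support access clears both findings.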

GML
Explorer
0 Kudos

Hi Volker,

I did redo the complete saprouter certificate as you mentioned with PR1ADM. All went fine; only the saprouter program is not yet created. I tried to start it manually in QSH -- saprouter -r -K 'p:Distinguished Name'. SAProuter didn't start, and I got the message in the dev_rout file as mentioned above in the first message.


and

When I check with below command

WRKLNKSAP DIR('/usr/sap/PR1/sys/exe/run/libsapcryp*')

libsapcrypto.o 

Thanks.

Vel.