
Changing SAP Router to different System

Former Member
0 Kudos

Hi Experts,

SAP Router is installed in our Development system. Can it be possible for us to install this on the Solution Manager system? Is it advisable to change the SAP router to a different machine? If so, how is that possible?

Regards,

Vamshi.

Accepted Solutions (1)


Former Member
0 Kudos

Hi,

Please use the following step.

Installation Steps

1.1 Downloading necessary software components from SAP Service Marketplace:

1. SAProuter

Use the latest SAProuter version (37.x), which can be downloaded from SAP Service Marketplace under the following link.

http://service.sap.com/swdc

Download -> Support Packages and Patches -> Entry by Application Group -> Additional Components -> SAPROUTER -> SAPROUTER 6.40 -> SAPROUTER 6.40

From the available list of SAProuters, select the SAProuter for your OS platform.

2. SNC Libraries (SAPcryptolib) download:

http://service.sap.com/swdc

Download -> SAP Cryptographic Software

Select the SAPcryptolib libraries compatible with your Operating System.

Note: Please also download the SAPCAR.exe file from the above location to extract the SAProuter archive files.

3. Create a folder in /usr/sap with the name as: saprouter.

4. Extract both the files i.e. SAProuter.SAR and Cryptolib.CAR files into saprouter folder using the command:

SAPCAR -xvf SAProuterxxx.SAR

SAPCAR -xvf CRYPTOLIBxxx.CAR

1.2 Creating the certificate request

1. As user <snc>adm set the environment variables:

SECUDIR = /usr/sap/saprouter

SNC_LIB = /usr/sap/saprouter/libsapcrypto.so

2. Go to the Trust Center Service - Download Area and get the "Distinguished Name" for your SAProuter from the list of SAProuters registered for your installation.

3. Generate the certificate Request with the command:

./sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"

P.S: We can also get the distinguished name from SAP itself when we register for the remote service connection.

4. Display the output file "certreq" using the command:

cat certreq

and with copy & paste insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.

1.3 Importing the certificate request

1. With this in turn you can install the certificate in your saprouter by calling

./sapgenpse import_own_cert -c srcert -p local.pse

1.4 Setting secured login to SAProuter

1. Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user>, the credentials are created for the logged in user account)

sapgenpse seclogin -p local.pse -O <user_for_saprouter>

2. This will create a file called cred_v2 in the same directory.

3. Check if the certificate has been imported correctly

./sapgenpse get_my_name -v -n Issuer

4. If this is not the case, delete the files cred_v2, local.pse and start over at Item 3 of 4.2. If the output still does not match, please open a customer message in component XX-SER-NET-OSS stating the actions you have taken so far and the output of the commands 3 of 4.2, 4.3, and 4.4.

1.5 Additional actions necessary before you can start saprouter

1. Logon to the system as <sid>adm, here sa1adm.

2. The environment variables SECUDIR, SNC_LIB and USER need to be set for the user account SAProuter is running under, using the commands:

setenv SECUDIR <path_to_libsecude>

i.e. setenv SECUDIR /usr/sap/saprouter

setenv SNC_LIB <path_to_libsecude>/<name_of_sapcrypto_library>

i.e. setenv SNC_LIB /usr/sap/saprouter/libsapcrypto.so

setenv USER sa1adm

3. Check if the environment of the user running saprouter contains the environment variables SECUDIR, SNC_LIB and USER using: printenv

4. Start the saprouter with the following command line:

#./saprouter -r -S <port> -K "p:<Your Distinguished Name>"

-K tells the saprouter to start with loading the SNC library

E.g. ./saprouter -r -S 3299 -K "p:CN=nradev, OU=0000759188, OU=SAProuter, O=SAP, C=DE"

./saprouter -r -V 2 -K "p:CN=nradev, OU=0000759188, OU=SAProuter, O=SAP, C=DE"

./saprouter -r -R /usr/sap/saprouter/saprouttab -G log.txt -V 2 -K "p:CN=nradev, OU=0000759188, OU=SAProuter, O=SAP, C=DE"

5. The corresponding file ./saprouttab should contain at least the following entries

    # inbound connections MUST use SNC
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>
    # repeat this for the servers and port_numbers you will need to allow,
    # please make sure that all explicit ports are inserted in front of a
    # generic entry '*' for port_number
    # outbound connections to <sapservX> will use SNC
    KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapservX> <sapservX_inbound_port>
    # permission entries to check if connection is allowed at all
    P <IP address of a local host> <IP address of sapserv2>
    # all other connections will be denied
    D * * *

6. Example: For a SNC encrypted connection to the SAPRouter on sapserv2 (194.39.131.34), the saprouttab should contain the following entries:

    # SNC-connection from and to SAP
    KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
    # SNC-connection from SAP to local R/3-System for Support
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>
    # SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503
    # SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
    # Access from the local Network to SAPNet - R/3 Frontend (OSS)
    P <IP-address of a local PC> 194.39.131.34 3299
    # deny all other connections
    D * * *

Thanks,

Harshal
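
The three saprouttab rules stated in the answer above (inbound connections use SNC, explicit ports in front of the generic '*' entry, a closing D * * *) can be checked mechanically before the router is started. This is an added example, not part of the original post and not SAP tooling; the addresses 10.0.0.5 and 10.0.0.20, port 3200 and the function names are assumptions, and only an explicit '*' is treated as a generic port.

```python
import shlex

SAP_ROUTER_IP = "194.39.131.34"  # sapserv2 address quoted in the answer above

def parse(text):
    """Yield (lineno, kind, peer, dest, port) per route entry; '#' starts a comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            tok = shlex.split(line)  # keeps the quoted SNC name as one token
            kind, peer, dest, port = (tok + [""] * 3)[:4]
            yield no, kind.upper(), peer, dest, port

def lint(text, sap_ip=SAP_ROUTER_IP):
    """Return [(lineno, message)] for violations of the three rules in the answer."""
    findings, generic, entries = [], set(), list(parse(text))
    for no, kind, peer, dest, port in entries:
        if not dest:
            findings.append((no, "malformed entry"))
            continue
        # Rule: inbound connections MUST use SNC, so a plain P/S entry must
        # not accept the SAP-side router (or any host) as its source.
        if kind in ("P", "S") and peer in ("*", sap_ip):
            findings.append((no, "non-SNC permit for SAP-side or wildcard source"))
        # Rule: explicit ports must come in front of the generic '*' port entry
        # (compared per entry type, peer and destination).
        key = (kind, peer, dest)
        if port == "*":
            generic.add(key)
        elif key in generic:
            findings.append((no, "explicit port listed after generic '*' entry"))
    # Rule: all other connections are denied by a closing 'D * * *'.
    if not entries or entries[-1][1:] != ("D", "*", "*", "*"):
        findings.append((entries[-1][0] if entries else 0, "last entry is not 'D * * *'"))
    return findings

# Constructed samples: 10.0.0.5 (R/3 server) and 10.0.0.20 (local PC) are made up.
SNC = '"p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"'
GOOD = f"""# SNC-connection from and to SAP
KT {SNC} 194.39.131.34 *
KP {SNC} 10.0.0.5 3200
KP {SNC} 10.0.0.5 23
P 10.0.0.20 194.39.131.34 3299
D * * *
"""
BAD = f"""KP {SNC} 10.0.0.5 *
KP {SNC} 10.0.0.5 3200
P 194.39.131.34 10.0.0.5 3200
P 10.0.0.20 194.39.131.34 3299
"""

if __name__ == "__main__":
    for name, table in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(table))
```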

Former Member
0 Kudos

Hi Harshal,

Thanks for your response,

We have 5 systems; will only one router do for all of them or not? Do I need to request a new certificate for the new installation, as you have said in the above steps? Do we need to request only the router certificate or even a cryptolib certificate?

Regards,

Vamshi

Former Member
0 Kudos

Hi,

Yes, whatever the number of systems, one SAProuter is sufficient. You need to inform SAP that you are going to change your router, with the saprouter host name, IP address, public IP address and type of SAP router; then you will get the Distinguished Name from SAP.

Follow the steps and install the saprouter.

Thanks,

Harshal

Answers (2)


Former Member
0 Kudos

The above steps helped to install my router successfully.

JPReyes
Active Contributor
0 Kudos

Hi Vamshi,

Yes, it's pretty common that people change the location of the SAP Router to a new box... As far as I know. You'll need to install SAP Router in the SolMan box and then change the router config in all your systems to go through the new SAP Router.

Regards

Juan

Former Member
0 Kudos

Hi Juan,

Are there any documents which help me to install the router?

If so, please help me.

Thank You!!!

Regards,

Vamshi