on 12-03-2007 8:32 AM
HI Experts,
SAP Router is installed in our Develpoment system can it be possible for us to install this on the solution manager System. Is this advisable to change the SAP router to a different machine. If so How is that possible?
Regards,
Vamshi.
Hi,
Please use the following step.
Installation Steps
1.1 Downloading necessary software components from SAP Service Marketplace:
1. SAProuter
Use the latest SAProuter version (37.x), which can be downloaded from
SAP Service Marketplace under the following link.
 Download
 Support Packages and Patches
 Entry by Application Group
 Additional Components
 SAPROUTER
 SAPROUTER 6.40
SAPROUTER 6.40
From the available list of SAProuters, select the SAProuter for your OS platform.
2. SNC Libraries (SAPcryptolib) download:
 Download
 SAP Cryptographic Software
Select the SAPcrytoLib libraries compatible with your Operating System.
Note: Please also download the SAPCAR.exe file from the above location to extract the SAProuter archive files.
3. Create a folder in /usr/sap with the name as: saprouter.
4. Extract both the files i.e. SAProuter.SAR and Cryptolib.CAR files into saprouter folder using the command:
SAPCAR -xvf SAProuterxxx.SAR
SAPCAR -xvf CRYPTOLIBxxx.CAR
1.2 Creating the certificate request
1. As user <snc>adm set the environment variables:
SECUDIR = /usr/sap/saprouter
SNC_LIB = /usr/sap/saprouter/libsapcrypto.so
2. Go to the Trust Center Service - Download Area and get the "Distinguished Name" for your SAProuter from the list of SAProuters registered for your installation.
3. Generate the certificate Request with the command:
./sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"
P.S: We can also get the distinguished name from SAP itself when we register for the remote service connection.
4. Display the output file "certreq" using the command:
cat certreq
and with copy & paste insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.
1.3 Importing the certificate request
1. With this in turn you can install the certificate in your saprouter by calling
./sapgenpse import_own_cert -c srcert -p local.pse
1.4 Setting secured login to SAProuter
1. Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user>, the credentials are created for the logged in user account)
sapgenpse seclogin -p local.pse -O <user_for _saprouter>
2. This will create a file called cred_v2 in the same directory.
3. Check if the certificate has been imported correctly
./sapgenpse get_my_name -v -n Issuer
4. If this is not the case, delete the files cred_v2, local.pse and start over at Item 3 of 4.2 . If the output still does not match please open a customer message in component XX-SER-NET-OSS stating the actions you have taken so far and the output of the commands 3 of 4.2, 4.3, and 4.4.
1.5 Additional actions necessary before you can start saprouter
1. Logon to the system as <sid>adm, here sa1adm.
2. The environment variables SECUDIR, SNC_LIB and USER needs to be set for the user account SAProuter is running under using the commands:
setenv SECUDIR <path_to_libsecude>
i.e. setenv SECUDIR /usr/sap/saprouter
setenv SNC_LIB <path_to_libsecude>/<name_of_sapcrypto_library>
i.e. setenv SNC_LIB /usr/sap/saprouter/libsapcrypto.so
setenv USER sa1adm
3. Check if the environment of the user running saprouter contains the environment variable SECUDIR, SNC_LIB and USER using : printenv
4. Start the saprouter with the following command line:
#./saprouter -r -S <port> -K "p:<Your Distingushed Name>"
-K tells the saprouter to start with loading the SNC library
Eg. ./saprouter -r -S 3299 -K "p:CN=nradev, OU=0000759188, OU=SAProuter, O=SAP, C=DE"
./saprouter -r -V 2 -K "p:CN=nradev, OU=0000759188, OU=SAProuter, O=SAP, C=DE"
./saprouter -r -R /usr/sap/saprouter/saprouttab -G log.txt -V 2 -K "p:CN=nradev, OU=0000759188, OU=SAProuter, O=SAP, C=DE"
5. The corresponding file ./saprouttab should contain at least the following entries
inbound connections MUST use SNC
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>
repeat this for the servers and port_numbers you will need to allow,
please make sure that all explicit ports are inserted in front of a
generic entry '*' for port_number
outbound connections to <sapservX> will use SNC
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapservX> <sapservX_inbound_port>
permission entries to check if connection is allowed at all
P <IP address of a local host> <IP address of sapserv2>
all other connections will be denied
D * * *
6. Example: For a SNC encrypted connection to the SAPRouter on sapserv2 (194.39.131.34), the saprouttab should contain the following entries:
SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>
SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503
SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
Access from the local Network to SAPNet - R/3 Frontend (OSS)
P <IP-addess of a local PC> 194.39.131.34 3299
deny all other connections
D * * *
Thanks,
Harshal
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Harshal,
Thanks For your response,
We have 5 systems and for all of them will only one router will do or not
Do i need to request for new certificate for new installation.As you have
said in the above steps.Do we need to request only router certificate or
even cryptolib certificate?.
Regards,
Vamshi
Hi,
Yes what every the number of system one SAPRouter is sufficient you need to inform to SAP that your going to change your router with saprouter host name , ip address , public ip add and type of sap router then you will get the Distinguished name from SAP.
Follow the step and install the saprouter.
Thanks,
Harshal
The above steps helped to install my router sucesfully..
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Vamshi,
Yes, its pretty common that people change the location of the SAP Router to a new box....As far as i know. You'll need to install SAP Router in the SolMan box and then change the router config in all your systems to go throght the new SAP Router.
Regards
Juan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
90 | |
10 | |
10 | |
10 | |
7 | |
7 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.