on 12-10-2007 9:30 PM
It appears that the certificate that our saprouter.exe uses has expired. I am not able to create connections to our saprouter from the Service Marketplace. I get the following in the dev_rout file in E:\usr\sap\saprouter:
Mon Dec 10 15:18:39 2007
ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3340]
GSS-API(maj): The referenced credentials have expired
GSS-API(min): Validity date of certificate is invalid
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
ERROR => ErrISetSys: error info too large [err.c 931]
Mon Dec 10 15:18:39 2007
LOCATION SAProuter 38.0 on 'sapslm01'
ERROR GSS-API(maj): The referenced credentials have expired
GSS-API(min): Validity date of certificate is invalid
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
TIME Mon Dec 10 15:18:39 2007
RELEASE 700
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -4
MODULE sncxxall.c
LINE 3340
DETAIL SncPEstablishContext
SYSTEM CALL gss_init_sec_context
ERRNO
ERRNO TEXT
DESCR MSG NO
DESCR VARGS GSS-API(maj): The referenced credentials have expired;;;;
;;;;GSS-API(min): Validity date of certificate is invalid;;;;
;;;;target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
DETAIL MSG N
DETAIL VARGS
COUNTER 72
<<- ERROR: SncProcessOutput()==SNCERR_GSSAPI
ERROR => NiSncIInitHdlSecurity: SncProcessOutput failed (rc=-4;00000000002A7050) [nisnc.c 1098]
ERROR => NiSnc2Connect C1/-1, 194.39.131.34 (rc=-17) [nirout.cpp 2811]
ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 'sapslm01.OII.DOM' failed (rc=-17) [nirout.cpp 2238]
How do I renew this certificate? I did not set up the saprouter and the person who did is no longer here. Please advise.
Hello Drew,
For configuring the SAP router follow the steps below.
Step 1:
Download the SAP Router and SAP Cryptographic software from the marketplace and place them under the folder usr\sap\saprouter. This folder is called the saprouter's home folder. Extract these files with sapcar.
Step 2:
Apply for the certificate with the distinguished name of your company. This distinguished name can be found in service market place under the link
http://service.sap.com/saprouter-sncadd and the certificate for saprouter should be applied in the same link.
Step 3:
With this distinguished name, generate the PSE file with the sapgenpse program located in the saprouter folder.
Step 4:
After generating the certreq file in the saprouter folder, edit the file and copy the content of the file under the link http://service.sap.com/saprouter-sncadd
Step 5:
After copying, click Request Certificate in the rightmost corner, which generates the required certificate. Copy the content of the generated file and paste it into a text file in the saprouter folder. Rename the file to srcert and install the certificate using the sapgenpse command. The PIN which we have given in the previous step should be entered correctly to install the certificate.
Step 6:
After installing the certificate successfully, credentials are to be added to the certificate. Only the added credentials will be allowed to start the saprouter program.
Step 7:
After adding credentials, we can check the installation of the certificate with the sapgenpse command.
Step 8:
After verifying the certificate, the SAPRouter program will be started on port number 3299.
Note:
SAP Router table should be correctly defined for accessing the systems through SAP router.
regards,
Anandha Krishnan R
Hi,
Please apply a new certificate as per the following steps.
3. Generate the certificate Request with the command:
./sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"
P.S: We can also get the distinguished name from SAP itself when we register for the remote service connection.
4. Display the output file "certreq" using the command:
cat certreq
and with copy & paste insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.
1.3 Importing the certificate request
1. With this in turn you can install the certificate in your saprouter by calling
./sapgenpse import_own_cert -c srcert -p local.pse
1.4 Setting secured login to SAProuter
1. Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user>, the credentials are created for the logged in user account)
sapgenpse seclogin -p local.pse -O <user_for_saprouter>
2. This will create a file called cred_v2 in the same directory.
3. Check if the certificate has been imported correctly
./sapgenpse get_my_name -v -n Issuer
4. If this is not the case, delete the files cred_v2, local.pse and start over at Item 3 of 4.2. If the output still does not match, please open a customer message in component XX-SER-NET-OSS stating the actions you have taken so far and the output of the commands 3 of 4.2, 4.3, and 4.4.
Thanks,
Harshal
Thank you for your responses. With the help of Harshal and Anandha, I have managed to get a little bit further. But now I am running into another snag.
I am getting errors saying that I have an invalid PIN. See the contents of dev_rout:
Tue Dec 11 08:45:43 2007
ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3340]
GSS-API(maj): Miscellaneous failure
GSS-API(min): Invalid password (PIN)
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
<<- SncProcessOutput()==SNCERR_GSSAPI
ERROR => NiSncIInitHdlSecurity: SncProcessOutput failed (rc=-4;00000000002A7050) [nisnc.c 1098]
ERROR => NiSnc2Connect C1/-1, 194.39.131.34 (rc=-17) [nirout.cpp 2811]
ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 'oii_tia108' failed (rc=-17) [nirout.cpp 2238]
Nobody mentioned anything about a PIN, so when I ran sapgenpse, I just used the same PIN each time (123). But it was just a number I made up for completing the task. Is there a specific PIN I should be using? If so, how can I reset it or find out what it is?
I finally figured it out. I was logged into the wrong NT account when doing these commands. You need to be logged into the same account that the SAProuter service is set to start under.
Here were my steps to get it successfully working:
1. Logon to host with username and password of SAP router service credentials
2. Stop the Saprouter service
3. Make a backup of the folder E:\usr\sap\saprouter
3a. This can be deleted after a successful upgrade
4. Delete these 4 files in E:\usr\sap\saprouter
4a. certreq
4b. cred_V2
4c. local.pse
4d. srcert
5. Generate the certificate request using the following command
5a. E:\usr\sap\saprouter>sapgenpse get_pse -v -r certreq -p local.pse "CN=sapslm01.oii.dom, OU=0000810973, OU=SAProuter, O=SAP, C=DE"
5b. Enter a PIN of 1234
6. Copy the contents of certreq to the clipboard
7. Go to http://www.service.sap.com/saprouter-sncadd
8. Paste the contents of the clipboard into the form
9. This will generate a new certificate, copy its contents into a file called srcert
9a. You will have to create srcert
10. Then import the certificate using the following command
10a. E:\usr\sap\saprouter>sapgenpse import_own_cert -c srcert -p local.pse
10b. Enter the PIN of 1234
11. Then set up the logon using the following command
11a. E:\usr\sap\saprouter>sapgenpse seclogin -p local.pse
11b. This will create a file called cred_V2
12. Check if the certificate has been loaded correctly by using the following command
12a. E:\usr\sap\saprouter>sapgenpse get_my_name -v -n Issuer
13. Start the Saprouter service
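Added example, not part of any post in this thread: a small Python triage script that reads dev_rout text, groups SNC failures by timestamp, and maps the two GSS-API messages seen above to the fixes the posters reported. The sample log is constructed from the excerpts quoted in the thread, and the names `parse_events`, `triage` and `HINTS` are hypothetical.

```python
import re
from datetime import datetime
# Constructed sample, modelled on the two dev_rout excerpts quoted in this thread.
SAMPLE_DEV_ROUT = """\
Mon Dec 10 15:18:39 2007
ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
GSS-API(maj): The referenced credentials have expired
GSS-API(min): Validity date of certificate is invalid
Tue Dec 11 08:45:43 2007
ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
GSS-API(maj): Miscellaneous failure
GSS-API(min): Invalid password (PIN)
"""

GSS_RE = re.compile(r"GSS-API\((maj|min)\):\s*([^;]+)")
TARGET_RE = re.compile(r"target=['\"]([^'\"]+)['\"]")
# Hints restate what the posters in this thread reported; they are not SAP documentation.
HINTS = [
    ("expired", "certificate expired: request and import a new one, then rerun seclogin"),
    ("invalid password (pin)", "credentials unusable: rerun seclogin as the SAProuter service account"),
]

def parse_events(text):
    """Group lines by timestamp; keep the first GSS-API maj/min and target per group."""
    events, cur = [], {}  # the initial dict absorbs lines before the first stamp
    for line in map(str.strip, text.splitlines()):
        try:
            ts = datetime.strptime(line, "%a %b %d %H:%M:%S %Y")
        except ValueError:  # not a timestamp line: harvest fields into the current event
            for m in GSS_RE.finditer(line):
                cur.setdefault(m.group(1), m.group(2).strip())
            for t in TARGET_RE.finditer(line):
                cur.setdefault("target", t.group(1))
            continue
        if cur.get("time") != ts:  # a repeated stamp continues the same event
            cur = {"time": ts}
            events.append(cur)
    return [e for e in events if "maj" in e or "min" in e]

def triage(text):
    rows = []
    for e in parse_events(text):
        msg = f'{e.get("maj", "")} {e.get("min", "")}'.lower()
        hint = next((h for n, h in HINTS if n in msg), "unclassified: read the full block")
        rows.append((e["time"].isoformat(sep=" "), e.get("target", "?"), hint))
    return rows

if __name__ == "__main__":
    print(*triage(SAMPLE_DEV_ROUT), sep="\n")
```

Because dev_rout repeats the same GSS-API text several times per failure, the parser keeps only the first major and minor message for each timestamp.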
Go to http://service.sap.com/tcs - SAP Trust Center Services in Detail
Regards,
How to request a license key?
http://service.sap.com/licensekey
regards,
tamilboy