cancel
Showing results for 
Search instead for 
Did you mean: 

saprouter Certificate Expired

Former Member
0 Kudos

It appears that our the certificate that our saprouter.exe uses has expired. I am not able to create connections to our saprouter from the Service Marketplace. I get the following in the dev_rout file in E:\usr\sap\saprouter

Mon Dec 10 15:18:39 2007

      • ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'

[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3340]

GSS-API(maj): The referenced credentials have expired

GSS-API(min): Validity date of certificate is invalid

Unable to establish the security context

target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

      • ERROR => ErrISetSys: error info too large [err.c 931]

Mon Dec 10 15:18:39 2007

LOCATION SAProuter 38.0 on 'sapslm01'

ERROR GSS-API(maj): The referenced credentials have expired

GSS-API(min): Validity date of certificate is invalid

target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

TIME Mon Dec 10 15:18:39 2007

RELEASE 700

COMPONENT SNC (Secure Network Communication)

VERSION 5

RC -4

MODULE sncxxall.c

LINE 3340

DETAIL SncPEstablishContext

SYSTEM CALL gss_init_sec_context

ERRNO

ERRNO TEXT

DESCR MSG NO

DESCR VARGS GSS-API(maj): The referenced credentials have expired;;;;

;;;;GSS-API(min): Validity date of certificate is invalid;;;;

;;;;target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

DETAIL MSG N

DETAIL VARGS

COUNTER 72

<<- ERROR: SncProcessOutput()==SNCERR_GSSAPI

      • ERROR => NiSncIInitHdlSecurity: SncProcessOutput failed (rc=-4;00000000002A7050) [nisnc.c 1098]

      • ERROR => NiSnc2Connect C1/-1, 194.39.131.34 (rc=-17) [nirout.cpp 2811]

      • ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 'sapslm01.OII.DOM' failed (rc=-17) [nirout.cpp 2238]

How do I renew this certificate? I did not setup the saprouter and the person who did is no longer here. Please advise.

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hello Drew,

For configuring the SAP router follow the steps below.

Step 1:

Download the SAP Router and SAP Cryptographic software from market place and place this under the folder usr\sap\saprouter. This folder is called as saprouter’s home folder. Extract these files with sapcar.

Step 2:

Apply for the certificate with the distinguished name of your company. This distinguished name can be found in service market place under the link

http://service.sap.com/saprouter-sncadd and the certificate for saprouter should be applied in the same link.

Step 3:

With this distinguished name generate the PSE file with sapgenpse program located in saprouter folder.

Step 4:

After generating certreq file in saprouter folder edit the file and copy the content of the file under the link http://service.sap.com/saprouter-sncadd

Step 5:

After copying click “Request Certificate” in right most corner which generates the required certificate.Copy the content of the generated file and paste it into a text file in saprouter folder. Rename the file into “srcert” and install the certificate using sapgenpse command.The PIN which we have given in the previous step should be correctly to install the certificate.

Step 6:

After installing the certificate successfully credentials were to be added to the certificate. Only the added credentials will be allowed to start the saprouter program.

Step 7:

After adding credentials we can check the installation of certificate with sapgenpse command.

Step 8:

After verifying the certificate the SAPRouter program will be started in port number 3299.

Note:

SAP Router table should be correctly defined for accessing the systems through SAP router.

regards,

Anandha Krishnan R

Former Member
0 Kudos

Hi,

Please apply new certificate as per following step.

3. Generate the certificate Request with the command:

  1. ./sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"

P.S: We can also get the distinguished name from SAP itself when we register for the remote service connection.

4. Display the output file "certreq" using the command:

  1. cat certreq

and with copy & paste insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.

1.3 Importing the certificate request

1. With this in turn you can install the certificate in your saprouter by calling

  1. ./sapgenpse import_own_cert -c srcert -p local.pse

1.4 Setting secured login to SAProuter

1. Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user>, the credentials are created for the logged in user account)

sapgenpse seclogin -p local.pse -O <user_for _saprouter>

2. This will create a file called cred_v2 in the same directory.

3. Check if the certificate has been imported correctly

  1. ./sapgenpse get_my_name -v -n Issuer

4. If this is not the case, delete the files cred_v2, local.pse and start over at Item 3 of 4.2 . If the output still does not match please open a customer message in component XX-SER-NET-OSS stating the actions you have taken so far and the output of the commands 3 of 4.2, 4.3, and 4.4.

Thanks,

Harshal

Former Member
0 Kudos

Thank you for your responses. With the help of Harshal and Anadha, I have managed to get a little bit further. But now I am running into another snag.

I am getting errors saying that I have an invalide PIN. See the contents of dev_rout:

Tue Dec 11 08:45:43 2007

      • ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'

[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3340]

GSS-API(maj): Miscellaneous failure

GSS-API(min): Invalid password (PIN)

Unable to establish the security context

target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

<<- SncProcessOutput()==SNCERR_GSSAPI

      • ERROR => NiSncIInitHdlSecurity: SncProcessOutput failed (rc=-4;00000000002A7050) [nisnc.c 1098]

      • ERROR => NiSnc2Connect C1/-1, 194.39.131.34 (rc=-17) [nirout.cpp 2811]

      • ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 'oii_tia108' failed (rc=-17) [nirout.cpp 2238]

Nobody mentioned anything about a PIN, so when I ran sapgenpse, I just used the same PIN each time (123). But it was just a number I made up for completing the task. Is there a specific PIN I should be using? If so, how can I reset it or find out what it is?

Former Member
0 Kudos

I finally figured it out. I was logged into the wrong NT account when doing these commands. You need to be logged into the same account that the SAProuter service is set to start under.

Here were my steps to get it sucessfully working:

1. Logon to host with username and password of SAP router service credentials

2. Stop the Saprouter service

3. Make a backup of the folder E:\usr\sap\saprouter

3a. This can be deleted after a successful upgrade

4. Delete this 4 files in E:\usr\sap\saprouter

4a. certreq

4b. cred_V2

4c. localpse

4d. srcert

5. Generate the certificate request using the following command

5a. E:\usr\sap\saprouter>sapgenpse get_pse –v –r certreq –p local.pse "CN=sapslm01.oii.dom, OU=0000810973, OU=SAProuter, O=SAP, C=DE"

5b. Enter a PIN of 1234

6. Copy the contents of certreq to the clipboard

7. Go to http://www.service.sap.com/saprouter-sncadd

8. Paste the contents of the clipboard into the form

9. This will generate a new certificate, copy its contents into a file called srcert

9a. You will have to create srcert

10. Then import the certificated using the following command

10a. E:\usr\sap\saprouter>sapgenpse import_own_cert –c srcert –p local.pse

10b. Enter the PIN of 1234

11. The setup the logon using the following command

11a. E:\usr\sap\saprouter>sapgenpse seclogin –p local.pse

11b. This will create a file called cred_V2

12. Check if the certificate has been loaded correctly by using the following command

12a. E:\usr\sap\saprouter>sapgenpse get_my_name –v –n Issuer

13. Start the Saprouter service

Former Member
0 Kudos

Hi, Drew Henning

How to check the SAProuter license validation date.

After applying the new license.

BR,

Jai

Former Member
0 Kudos

Goto

http://service.sap.com/tcs----SAP Trust Center Services in Detail -


SAProuter Certificates----My Company's Certificates.

Regards,

Answers (1)

Answers (1)

Former Member
0 Kudos

How to Request license key?

<b>http://service.sap.com/licensekey</b>

regards,

tamilboy