Installing the sapcrypto library and starting the SAProuter

Contents

u2022 Downloading necessary software components from SAP Service Marketplace

u2022 Creating the certificate request

u2022 Additional actions necessary before you can start saprouter

This section describes the necessary steps to download and install the sapcrypto library for use with saprouter. The saprouter must be started with the options described later in this section.

The license for the sapcrypto library covers saprouter connections between saprouters at SAP and the first saprouter on customer sites and backend connections within the customer`s network. For all other purposes the library CANNOT be used!

Downloading necessary software components from SAP Service Marketplace

1. Login to the SAP Service Marketplace with the Service Marketplace USERID which is assigned to your installation.

2. Change to the alias SAPROUTER-SNCADD. Before you can download the software components two preconditions must be met.

a. You must have been allowed to download the software. This authorization is added as soon as SAP has received a positive statement from the "Bundesausfuhramt". This procedure is necessary since the software falls under EU regulations.

b. For more information on how to obtain authorization if download is not possible see note 397175.

c. You must accept that you must follow the regulations imposed by the EU on the use and distribution of the cryptographic software components downloaded from the SAP Service Marketplace.

3. The acceptance of the terms and conditions is logged with your USERID and stored for reporting purposes to the "Bundesausfuhramt".

4. Accepting with the button on the web-based form takes you to the folder where you can download the Software components.

These are packed into a single CAR file sapcrypto.car

5. Copy the file to the direcory where the saprouter executable is located

6. You can get the file car.exe/sapcar.exe, which is necessary to unpack the archive from any Installation Kernel CD.

Executing the command car -xvf SAPCRYPTO.CAR will unpack the following files:

[lib]sapcrypto.[dll|so|sl]

sapgenpse[.exe]

ticket

Creating the certificate request

1. As user <snc>adm set the environment variables

SECUDIR = <directory_of_saprouter>

2. Change to the Shortlink SAPROUTER-SNCADD. From the list of SAProuters registered to your installation, choose the relevant "Distinguished Name"

3. Generate the certificate Request with the command

sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"

4. Alternatively use the two commands:

sapgenpse get_pse -v -noreq -p local.pse "<Your Distinguished Name>"

sapgenpse get_pse -v -onlyreq -r certreq -p local.pse

5. Display the output file "certreq" and with copy&paste insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name

6. In response you will receive the certificate signed by the CA in the Service Marketplace, cut&paste the text to a local file named srcert

7. With this in turn you can install the certificate in your saprouter by calling

sapgenpse import_own_cert -c srcert -p local.pse

8. now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user>, the credentials are created for the logged in user account)

sapgenpse seclogin -p local.pse -O <user_for _saprouter>

9. This will create a file called cred_v2 in the same directory.

For increased security please check that the file can only be accessed by the user running the SAProuter.

Do not allow any other access (not even from the same group)!

On UNIX this will mean permissions being set to 600 or even 400!

On NT check that the permissions are granted only to the user the service is running as!

1. Check if the certificate has been imported correctly

sapgenpse get_my_name -v -n Issuer

The name of the Issuer should be: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

2. If this is not the case, delete the files cred_v2, local.pse and start over at Item 4. If the output still does not match please open a customer message in component XX-SER-NET-OSS stating the actions you have taken so far and the output of the commands

4.,7.,8. and 10.

Additional actions necessary before you can start saprouter

1. The environment variable SNC_LIB needs to be set for the user account SAProuter is running under.

SNC_LIB has the form

UNIX <path_to_libsecude>/<name_of_sapcrypto_library>

Windows NT, Windows 2000 <drive>:\<path_to_libsecude>\<name_of_sapcrypto_library>

2. Check if the environment of the user running saprouter contains the environment variable SNC_LIB

UNIX printenv

Windows NT System environment variable

3. start the saprouter with the following command line:

saprouter -r -S <port> -K "p:<Your Distingushed Name>"

-K tells the saprouter to start with loading the SNC library

the corresponding file ./saprouttab should contain at least the following entries

1. inbound connections MUST use SNC

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>

1. repeat this for the servers and port_numbers you will need to allow,

2. please make sure that all explicit ports are inserted in front of a

3. generic entry '*' for port_number

1. outbound connections to <sapservX> will use SNC

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapservX> <sapservX_inbound_port>

1. permission entries to check if connection is allowed at all

P <IP address of a local host> <IP address of sapserv2>

1. all other connections will be denied

D * * *

Example

For a SNC encrypted connection to the SAPRouter on sapserv2 (194.39.131.34), the saprouttab should contain the following entries:

1. SNC-connection from and to SAP

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

1. SNC-connection from SAP to local R/3-System for Support

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>

1. SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503

1. SNC-connection from SAP to local R/3-System for saptelnet, if it is needed

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23

1. Access from the local Network to SAPNet - R/3 Frontend (OSS)

P <IP-addess of a local PC> 194.39.131.34 3299

1. deny all other connections

D * * *

Lalit Kumar

Hi,

1. what are the pre requisites for SAP Router

2. Do we require Public IP and what would be the use of this ip

3. how to configure the SAP Router

check SAP Note 30289 - SAProuter documentation

follow the links provide in notes. also check the document which is attached to note.

4. Can i install the SAP router on the same host on which we have Solution manager, is it advisable. or we should

go for a seperate host.

-> it's depends on you. we are configure our sap router on solman host.

regards,

kaushal