on 06-23-2008 7:06 AM
Hi Friends,
As i am going through the implementation phase, I have to install sap router which i am new at. Also i am doing it because i have to connect Maintenance Optimizer to Sap service Market place for which Router would be essentially required.
I have some questions to put forth.
1. what are the pre requisites for SAP Router
2. Do we require Public IP and what would be the use of this ip
3. how to configure the SAP Router
4. Can i install the SAP router on the same host on which we have Solution manager, is it advisable. or we should go for a seperate host.
Regards
Aayush
Installing the sapcrypto library and starting the SAProuter
Contents
u2022 Downloading necessary software components from SAP Service Marketplace
u2022 Creating the certificate request
u2022 Additional actions necessary before you can start saprouter
This section describes the necessary steps to download and install the sapcrypto library for use with saprouter. The saprouter must be started with the options described later in this section.
The license for the sapcrypto library covers saprouter connections between saprouters at SAP and the first saprouter on customer sites and backend connections within the customer`s network. For all other purposes the library CANNOT be used!
Downloading necessary software components from SAP Service Marketplace
1. Login to the SAP Service Marketplace with the Service Marketplace USERID which is assigned to your installation.
2. Change to the alias SAPROUTER-SNCADD. Before you can download the software components two preconditions must be met.
a. You must have been allowed to download the software. This authorization is added as soon as SAP has received a positive statement from the "Bundesausfuhramt". This procedure is necessary since the software falls under EU regulations.
b. For more information on how to obtain authorization if download is not possible see note 397175.
c. You must accept that you must follow the regulations imposed by the EU on the use and distribution of the cryptographic software components downloaded from the SAP Service Marketplace.
3. The acceptance of the terms and conditions is logged with your USERID and stored for reporting purposes to the "Bundesausfuhramt".
4. Accepting with the button on the web-based form takes you to the folder where you can download the Software components.
These are packed into a single CAR file sapcrypto.car
5. Copy the file to the direcory where the saprouter executable is located
6. You can get the file car.exe/sapcar.exe, which is necessary to unpack the archive from any Installation Kernel CD.
Executing the command car -xvf SAPCRYPTO.CAR will unpack the following files:
[lib]sapcrypto.[dll|so|sl]
sapgenpse[.exe]
ticket
Creating the certificate request
1. As user <snc>adm set the environment variables
SECUDIR = <directory_of_saprouter>
2. Change to the Shortlink SAPROUTER-SNCADD. From the list of SAProuters registered to your installation, choose the relevant "Distinguished Name"
3. Generate the certificate Request with the command
sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"
4. Alternatively use the two commands:
sapgenpse get_pse -v -noreq -p local.pse "<Your Distinguished Name>"
sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
5. Display the output file "certreq" and with copy&paste insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name
6. In response you will receive the certificate signed by the CA in the Service Marketplace, cut&paste the text to a local file named srcert
7. With this in turn you can install the certificate in your saprouter by calling
sapgenpse import_own_cert -c srcert -p local.pse
8. now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user>, the credentials are created for the logged in user account)
sapgenpse seclogin -p local.pse -O <user_for _saprouter>
9. This will create a file called cred_v2 in the same directory.
For increased security please check that the file can only be accessed by the user running the SAProuter.
Do not allow any other access (not even from the same group)!
On UNIX this will mean permissions being set to 600 or even 400!
On NT check that the permissions are granted only to the user the service is running as!
1. Check if the certificate has been imported correctly
sapgenpse get_my_name -v -n Issuer
The name of the Issuer should be: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
2. If this is not the case, delete the files cred_v2, local.pse and start over at Item 4. If the output still does not match please open a customer message in component XX-SER-NET-OSS stating the actions you have taken so far and the output of the commands
4.,7.,8. and 10.
Additional actions necessary before you can start saprouter
1. The environment variable SNC_LIB needs to be set for the user account SAProuter is running under.
SNC_LIB has the form
UNIX <path_to_libsecude>/<name_of_sapcrypto_library>
Windows NT, Windows 2000 <drive>:\<path_to_libsecude>\<name_of_sapcrypto_library>
2. Check if the environment of the user running saprouter contains the environment variable SNC_LIB
UNIX printenv
Windows NT System environment variable
3. start the saprouter with the following command line:
saprouter -r -S <port> -K "p:<Your Distingushed Name>"
-K tells the saprouter to start with loading the SNC library
the corresponding file ./saprouttab should contain at least the following entries
inbound connections MUST use SNC
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>
repeat this for the servers and port_numbers you will need to allow,
please make sure that all explicit ports are inserted in front of a
generic entry '*' for port_number
outbound connections to <sapservX> will use SNC
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapservX> <sapservX_inbound_port>
permission entries to check if connection is allowed at all
P <IP address of a local host> <IP address of sapserv2>
all other connections will be denied
D * * *
Example
For a SNC encrypted connection to the SAPRouter on sapserv2 (194.39.131.34), the saprouttab should contain the following entries:
SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>
SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503
SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
Access from the local Network to SAPNet - R/3 Frontend (OSS)
P <IP-addess of a local PC> 194.39.131.34 3299
deny all other connections
D * * *
Lalit Kumar
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Great information so far, you can also register your saprouter with sap and not allow them into your system by controlling your firewall policies and saprouttab configuration. refer to sap note 48243 for more details on the firewall configurations. If you do not allow SAP into your network/saprouter you can still use Snote, MOPZ and Patch Management from solman. This will also allow EWA to be updated for SAP Support to help suggest and resolve issues from the reports.
Chad
Hi,
1. what are the pre requisites for SAP Router
2. Do we require Public IP and what would be the use of this ip
3. how to configure the SAP Router
check SAP Note 30289 - SAProuter documentation
follow the links provide in notes. also check the document which is attached to note.
4. Can i install the SAP router on the same host on which we have Solution manager, is it advisable. or we should
go for a seperate host.
-> it's depends on you. we are configure our sap router on solman host.
regards,
kaushal
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
configure Maintenance Optimizer in Solution Manager.
to configure check following
https://websmp109.sap-ag.de/~sapdownload/011000358700000235502007E
regards,
kaushal
Hi kaushal,
I went thtough the documentation suggested by you,
But still its quite ambagious and confusing to follow...
i would appreciate if you can tell me step by step procedure to implement it.
I have downloaded the SAPROUTER.exe from service market place and has unczr it with SAPCAR... which gave me two files after the extraction i.e. niping.exe and saprouter.exe
Now what should i do after this, how should i maintain the rout tab
Also i would like to hear from your experience that we have SOLUTION MANAGER and Router would be connected to it.. so it means i have to just open a single connection (What all ip address do i have to maintain in the SAP ROUTE TAB)
Regards
Aayush
Edited by: Ayush Johri on Jun 24, 2008 2:28 PM
Hi
In additional of the above discussions, you can access and maintain the connection of to SAP from the http://service.sap.com/remoteconnections
Also, you can check from your desktop that SAPRouter and reqeusted server are accessible from the outside by defining the SAP Router string "/public_ip/S/3299" in your GUI and try to logon.
If success then remote consultant can connect you to solve your problem otherwise, you have to follow the steps as other expert advise you.
REgards
Anwer Waseem
SAP BASIS
User | Count |
---|---|
91 | |
10 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.