SAP Router with SNC Configuration

Download SAP Cryptographic Binary from SAP Market Place
Cryptographic Binary can be download from below link
http://service.sap.com/swdc

  • Download
  • SAP Cryptographic Software

After click on SAP Cryptographic Software you will get new browser window, where you have to select the
file and download the file depend upon the OS platform on which you have to configure SAP Router

Register IP and SAP Router Hostname with SAP
First of all get Public IP address from your network team, Public IP need to be configured to you local SAP
Router IP address. (This Task will done by your Network Team)
Also get port 3299 & 3298 open from SAP router ip host to SAP AG.
SAP router use port 3298 & 3299 for communication
Raise an OSS with SAP under component XX-SER-NET-NEW with Description of registering Public IP
address and Host name of SAP router with SAP.

Create SAP Router Folder in C:\usr\sap
Goto location C:\usr\sap
Create saprouter folder with mkdir command
Copy downloaded Cryptographic Binary to saprouter folder and extract the binary using SAPCAR.exe

C:\usr\sap\saprouter>SAPCAR -xvf < Cryptographic Binary >

Set environmental variable SECUDIR=C:\usr\sap\saprouter
Set environmental variable SAPROUTTAB C:\usr\sap\saprouter

Generating the Registering the Key and Certificate
Go to the link https://websmp201.sap-ag.de/SAPROUTER-SNCADD

saprouter-sncadd

Click on Apply Now!

Copy the Distinguished name from above, which is required for executing below command Once you copied Distinguished name from above link then click on Continue TAB

Generate the certificate Request on SAP router OS with the Following command:

C:\usr\sap\saprouter>sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"
C:\usr\sap\saprouter>sapgenpse get_pse –v -onlyreq -r certreq -p local.pse

You will get “<Your Distinguished Name>” from SAP market Place, when you login with S-USER.
( This is generated after you raise an OSS with SAP for registering SAP router hostname )

After executing the above command you will get 2 additional files created in saprouter folder i.e local.pse and certreq
Certreq contain encrypted form of Key Request.
Copy the content of certreq and paste the certificate request into the text area of the same form in the SAP Service Marketplace
After Pasting the content click on REQUEST CERTIFICATE
In response you will receive the certificate signed by the CA in the Service Marketplace, cut & paste the text to a local file named srcert
After copying the content of import certificate to srcert file, copy the file in saprouter folder and provide the necessary rights.

Importing the Certificate & Creating Credential
Once file is copied to saprouter folder, run the import command to install the certificate in SAP Router. (Run the following import command)

C:\usr\sap\saprouter>sapgenpse import_own_cert -c srcert -p local.pse

Creating the credential for User responsible to start SAP Router
After importing the certificate create Credential for user <sid>adm who will be responsible to start and stop SAP Router (Run following command to do so)

C:\usr\sap\saprouter>sapgenpse seclogin –p local.pse –O <sidadm>

Installation steps get completed after creating credential for <SID>adm

Verifying the Configuration
To confirm SAP Router is installed successfully, run the following command

C:\usr\sap\saprouter>sapgenpse get_my_name -v -n Issuer

Out of the command should show

Name of the Issuer as : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

After confirming SAP router has been configured successfully set the following environment, which is required read the cryptography will starting the SAP Router

Post Configuration Activity
Set environmental variable SNC_LIB=C:\usr\sap\saprouter\ sapcrypto.dll
Now once configuration is done, there is one of the important post installation steps which are to create
SAPROUTTAB.
SAPROUTTAB is nothing but permission file which has information who should be communicate through SAP Router.
Create a file with name saprouttab and copy the same in C:\usr\sap\saprouter folder

Following is an example content of saprouttab

# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC-connection from SAP to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <SAP Server IP> <port>
# Access from your local Network to SAP
P <SAP Server IP> 194.39.131.34 3299
# All other connections will be denied
#D * * *

<SAP Server IP> is nothing but ip address of the SAP server which is need to be access via SAP Router.
<Port> is nothing but the port of SAP Application for e.g. 3200 (dispatcher port)
D * * * mean reject all the connection accept the entry of the server ip which mention in saprouttab.

How to Start & Stop SAP Router
Now one of the import command thing for which we have done all above exercise. i.e. how to start & stop Sap router

Run the following command to Start SAP Router

C:\usr\sap\saprouter>saprouter -r -S 3299 -V 3 -K "p:CN=<saprouter hostname>, OU=< Customer number >, OU=SAProuter,O=SAP, C=DE" &

Above value of CN is nothing but Distinguished name which you check on SAP Market Place earlier.
Check the log file dev_rout in C:\usr\sap\saprouter folder which will give you exact idea of SAP Router started

Run the following command to Stop SAP Router

C:\usr\sap\saprouter>saprouter –s

 

Example of a Route Permission Table with SNC
A route permission table using SNC could look like this:

P * * * pass
KT S:[email protected] host4 3333
KT S:[email protected] host9 *
KD S:[email protected] host9 *
KP S:[email protected] * * pass2
KS * host10 4444
KP * * *

This means:

  • Allow all connections if password pass is specified correctly.
  • Connections from this SAProuter to host4 (SNC name S:[email protected]), service 3333 should be SNC connections.
  • Connections from host9 (SNC name S:[email protected]) to this SAProuter should be SNC connections.
  • A SNC connection from [email protected] to host9 through this SAProuter should not be set up.
  • A SNC connection from S:[email protected] through this SAProuter (any target host) is allowed if the password pass2 is correct (unless the connection is to host9, since this is not allowed according to the previous entry – the first entry which “matches” is decisive).
  • All SAP to SAP connections (NI protocols) to host10, service 4444, which come in as SNC connections are passed on as non-SNC connections to host10 (no SNC host).
  • All SNC connections (for which the previous entries are not suitable) are allowed.

 

Sample saprouttab file

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" SAP_system_2_Local_IP 3389

#Connection to SAP
P	*	194.39.131.34	3289
P	*	194.39.131.34	3299
#P	*	194.39.131.34	*

# Columns:
# P/D	Source	Destination		Port	Password

# SAP System 1
P	*	SAP_System_1_Local_IP	3200	cipher1
P	*	SAP_System_1_Local_IP	3290	cipher1
P	*	SAP_System_1_Local_IP	3298	cipher1
P	*	SAP_System_1_Local_IP	3299	cipher1

# SAP System 2
P	*	SAP_System_2_Local_IP	3200	cipher1
P	*	SAP_System_2_Local_IP	3298	cipher1
P	*	SAP_System_2_Local_IP	3299	cipher1
P	*	SAP_System_2_Local_IP	8000	cipher1	# ITS Access
#P	*	SAP_System_2_Local_IP	3389	cipher1	# WTS Access
P	*	SAP_System_2_Local_IP	sapgw01	cipher1

#  SAP System 3
P	*	SAP_System_3_Local_IP	3299	cipher1
P	*	SAP_System_3_Local_IP	3291	cipher1
P	*	SAP_System_3_Local_IP	3201	cipher1

# SAP System 4
P	*	SAP_System_4_Local_IP	3203	cipher1
P	*	SAP_System_4_Local_IP	8000	cipher1

# SAP Portal WTS connection
P	*	SAP_Portal_Local_IP	3389	cipher1   # WTS Access from partners to SAP Portal

 
P	194.39.131.34	*	*		# Access from SAP Support to SAP Systems
P	194.39.131.34	*	3389	cipher1	# Access from SAP Support to Remote Desktop (Delete # in case you need it)