This document provides step-by-step instructions for configuring SNC encryption for an SAP router. It describes downloading cryptographic software, creating keys and certificates, configuring the saprouter.tab file, and debugging potential issues. The process includes generating keys, transmitting requests to SAP's certificate authority, importing signed certificates, and configuring the router startup to use the new SNC encryption settings.
This document provides step-by-step instructions for configuring SNC encryption for an SAP router. It describes downloading cryptographic software, creating keys and certificates, configuring the saprouter.tab file, and debugging potential issues. The process includes generating keys, transmitting requests to SAP's certificate authority, importing signed certificates, and configuring the router startup to use the new SNC encryption settings.
This document provides step-by-step instructions for configuring SNC encryption for an SAP router. It describes downloading cryptographic software, creating keys and certificates, configuring the saprouter.tab file, and debugging potential issues. The process includes generating keys, transmitting requests to SAP's certificate authority, importing signed certificates, and configuring the router startup to use the new SNC encryption settings.
This document provides step-by-step instructions for configuring SNC encryption for an SAP router. It describes downloading cryptographic software, creating keys and certificates, configuring the saprouter.tab file, and debugging potential issues. The process includes generating keys, transmitting requests to SAP's certificate authority, importing signed certificates, and configuring the router startup to use the new SNC encryption settings.
Got absolute PSE path "/usr/sap/C11/SYS/exe/run/local.pse". Please enter PIN:<press enter> Please reenter PIN:<press enter> Supplied distinguished name: "CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE " Generating key (RSA, 1024-bits) ... succeeded. certificate creation... ok PSE update... ok PKRoot... ok Generating certificate request... ok.
TRANSMITTING THE KEY
It will generate a key in "certreq " . Next step is copy this key to www.service.sap.com/tcp against your SAP router registration . The ---- BEGIN CERTIFICATE REQUEST to --- END CERTIFICATE REQUEST should also be copied */
After Copying, click on the "Request Certificate" Button .
Next screen will display the certificate. Copy and paste the generated certificate in a new file named 'srcert' in the same location of your saprouter .
N:B Do not forget to copy the BEGIN and END tags too.
CREATING THE CERTIFICATE
Windows users can use notepad and UNIX vi editor. vi srcert < paste> <ESC><SHIFT> : x
CA-Response successfully imported into PSE "/usr/sap/MPS/SYS/exe/run/local.pse"
SETTING SECURED LOGIN TO SAPROUTER
Now specify the user who is allowed secure login to PSE
Use < sid> adm if you want to start saprouter with sap admin user. If you omit -O <user>, the credentials are created for the logged in user account who is running the below command )
running seclogin with USER="saprouterUser" creating credentials for yourself (USER="saprouterUser ")... Added SSO-credentials for PSE "/usr/sap/C11/SYS/exe/run/local.pse" "CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE"
N:B Check a file named cred_v2 is created in the same directory
START SNC SAP ROUTER
In Unix
In UNIX use the below sysntax to start sap router using SNC
N:B K option tells saprouter to load the SNC cryptographic library too.
SAPROUTTAB ENTRIES
For SNC SAPROUTER , the enries should not be the same as non-saprouter
./saprouttab should contain at least the following entries
# inbound connections MUST use SNC KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number> # repeat this for the servers and port_numbers you will need to allow, # please make sure that all explicit ports are inserted in front of a # generic entry '*' for port_number
# outbound connections to <sapservX> will use SNC KT "p:CN=sapserv2 OU=SAProuter, O=SAP, C=DE" <sapservX> <sapservX_inbound_port>
# permission entries to check if connection is allowed at all P <IP address of a local host> <IP address of sapserv2> # all other connections will be denied D * * *
Example:
For a SNC encrypted connection to the SAPRouter on sapserv2 (194.39.131.34), the saprouttab should contain the following entries:
# # SNC-connection from and to SAP KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC-connection from SAP to local R/3-System for Support KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3- Instance>
# SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503
# SNC-connection from SAP to local R/3-System for saptelnet, if it is needed KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
# Access from the local Network to SAPNet - R/3 Frontend (OSS) P <IP-addess of a local PC> 194.39.131.34 3299
# deny all other connections D * * *
DEBUGGING
Check whether certificate is installed correctly
# ./sapgenpse get_my_name -v -n issuer
Opening PSE "/usr/sap/C11/SYS/exe/run/local.pse"... PSE open ok. ok. Retrieving my certificate... ok. Getting requested information... ok. SSO for USER "UserID" with PSE file "/usr/sap/C11/SYS/exe/run/local.pse"
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
If any errors found in the above , you can do all the steps once again . But make sure that cred_v2, local.pse is deleted . If you whant to create the ket once again delete certreq file too before doing so.
CHECK THE ENVIRONMENT VARIABLES
Create the following entries are there in the .login ( dot login) script of the SNC saprouter user . ONLY THE BOLD AREAS
