
Sap SNC Configuration


A ONE-STOP GUIDE TO

CONFIGURING SNC SAPROUTER
















Joy V.Ramachandran
Consultant SAP BASIS
IVL India Pvt Ltd
Technopark, Trivandrum
Kerala India










Contents


SAP SNC CONFIGURATION
DOWNLOADING CRYPTOGRAPHIC SOFTWARE
CREATING THE KEY
TRANSMITTING THE KEY
CREATING THE CERTIFICATE
IMPORTING CERTIFICATE
START SNC SAP ROUTER
    In Unix
    In windows
SAPROUTTAB ENTRIES
    Example:
DEBUGGING
    Check whether certificate is installed correctly
    CHECK THE ENVIRONMENT VARIABLES
        UNIX
        WINDOWS




























SAP SNC CONFIGURATION

DOWNLOADING CRYPTOGRAPHIC SOFTWARE

Download the cryptographic software from the SAP Service Marketplace,
www.service.sap.com/tcs, as shown below.





Extract the cryptographic libraries, sapgenpse and the ticket files into the
saprouter.exe location using

# SAPCAR -xvf <cryptographic car file>













CREATING THE KEY


Next, go to www.service.sap.com/tcp and get the distinguished name. Then execute the
following command, pasting in the distinguished name.

/* The CN and OU values in the distinguished name are different for different organizations */


# ./sapgenpse get_pse -v -r certreq -p local.pse \
  "CN=yourhostname, OU=123456, OU=SAProuter, O=SAP, C=DE"

Got absolute PSE path
"/usr/sap/C11/SYS/exe/run/local.pse".
Please enter PIN:<press enter>
Please reenter PIN:<press enter>
Supplied distinguished name: "CN=YourHostName, OU=12345,
OU=SAProuter, O=SAP,
C=DE "
Generating key (RSA, 1024-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.


TRANSMITTING THE KEY

The command writes the key (a certificate request) to the file "certreq". The next step is
to copy this key to www.service.sap.com/tcp against your SAProuter registration. The
-----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines
must be copied too.


# cat certreq
-----BEGIN CERTIFICATE REQUEST-----
<base64 request data>
-----END CERTIFICATE REQUEST-----






Copy the above key and paste it as shown below.




After copying, click the "Request Certificate" button.

The next screen displays the certificate. Copy and paste the generated certificate into a
new file named 'srcert' in the same location as your saprouter.

N.B. Do not forget to copy the BEGIN and END tags too.










CREATING THE CERTIFICATE


Windows users can use Notepad; UNIX users can use the vi editor:
vi srcert, <paste>, then <ESC> :x to save and quit.

# vi srcert
-----BEGIN CERTIFICATE-----
<------------ LINES DELETED ------------>
-----END CERTIFICATE-----

<ESC> :x


IMPORTING CERTIFICATE

The next step is to import this certificate using the command below.

# ./sapgenpse import_own_cert -c srcert -p local.pse

CA-Response successfully imported into PSE
"/usr/sap/MPS/SYS/exe/run/local.pse"














SETTING SECURED LOGIN TO SAPROUTER

Now specify the user who is allowed secure login to the PSE.

(Use <sid>adm if you want to start saprouter with the SAP admin user. If you omit
-O <user>, the credentials are created for the logged-in user account that is running the
command below.)

# ./sapgenpse seclogin -p local.pse -O saprouterUser

running seclogin with USER="saprouterUser"
creating credentials for yourself (USER="saprouterUser
")...
Added SSO-credentials for PSE
"/usr/sap/C11/SYS/exe/run/local.pse"
"CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE"


N.B. Check that a file named cred_v2 has been created in the same directory.



START SNC SAP ROUTER

In Unix

In UNIX, use the syntax below to start SAProuter with SNC:


# nohup ./saprouter -r -G routerlog -S 3299 -K \
  "p:CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE" &

In windows

In Windows, use the syntax below (entered as a single line):

<Drive>:\SNC-SaprouterDirectory\saprouter -r -G routerlog -S 3299 -K "p:CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE"

N.B. The -K option tells saprouter to load the SNC cryptographic library too.








SAPROUTTAB ENTRIES

For an SNC SAProuter, the entries are not the same as for a non-SNC SAProuter.

./saprouttab should contain at least the following entries. Each entry must be on a
single line.

# inbound connections MUST use SNC
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>
# repeat this for the servers and port_numbers you will need to allow,
# please make sure that all explicit ports are inserted in front of a
# generic entry '*' for port_number

# outbound connections to <sapservX> will use SNC
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapservX> <sapservX_inbound_port>

# permission entries to check if connection is allowed at all
P <IP address of a local host> <IP address of sapserv2>
# all other connections will be denied
D * * *


Example:

For an SNC-encrypted connection to the SAProuter on sapserv2 (194.39.131.34),
the saprouttab should contain the following entries:

# SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>

# SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503

# SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23

# Access from the local Network to SAPNet - R/3 Frontend (OSS)
P <IP-address of a local PC> 194.39.131.34 3299

# deny all other connections
D * * *
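
The three rules stated above (KP/KT entries carry a "p:" SNC name, explicit ports go in front of the generic '*' entry, and the table ends with D * * *) can be checked mechanically before saprouter is restarted. The script below is an added example, not part of the original guide or of SAP's tooling; the function names and the 10.0.0.x addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example (not SAP code): lint a saprouttab against this guide's rules.
# Returns 0 when clean, 1 when findings were printed. Reads a file or stdin.
lint_saprouttab() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
      snc = ""
      if (match($0, /"[^"]*"/)) snc = substr($0, RSTART, RLENGTH)
      sub(/"[^"]*"/, "SNC")                # quoted SNC name becomes one field
      type = $1; dst = $3; port = $4
      src = (snc != "") ? snc : $2
      # Rule 1: KP/KT entries name the peer as "p:<distinguished name>"
      if (type ~ /^K/ && snc !~ /^"p:/) {
        printf "line %d: %s entry has no \"p:...\" SNC name\n", NR, type
        bad++
      }
      # Rule 2: explicit ports go in front of the generic * port entry
      key = type SUBSEP src SUBSEP dst
      if (port == "*") generic[key] = NR
      else if (port != "" && (key in generic)) {
        printf "line %d: port %s follows generic * (line %d)\n", NR, port, generic[key]
        bad++
      }
      last = $1 " " $2 " " $3 " " $4
    }
    END {
      # Rule 3: everything not explicitly allowed is denied
      if (last != "D * * *") { print "last entry is not: D * * *"; bad++ }
      exit (bad > 0)
    }' "${1:--}"
}

# Constructed sample modelled on the example above; 10.0.0.x are placeholders.
sample_saprouttab() {
  cat <<'EOF'
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.0.0.5 3200
P 10.0.0.20 194.39.131.34 3299
D * * *
EOF
}

sample_saprouttab | lint_saprouttab && echo "saprouttab: no findings"
```

Run it as lint_saprouttab ./saprouttab; a non-zero return means at least one rule is violated and the offending line numbers are printed.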




DEBUGGING


Check whether certificate is installed correctly


# ./sapgenpse get_my_name -v -n issuer

Opening PSE "/usr/sap/C11/SYS/exe/run/local.pse"...
PSE open ok.
ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "UserID"
with PSE file "/usr/sap/C11/SYS/exe/run/local.pse"

Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

If any errors are found in the above, you can do all the steps once again. But make sure
that cred_v2 and local.pse are deleted first. If you want to create the key once again,
delete the certreq file too before doing so.



CHECK THE ENVIRONMENT VARIABLES

Check that the following entries are there in the .login (dot login) script of the SNC
saprouter user. ONLY THE BOLD AREAS

UNIX

set path = ( /usr/bin /etc /usr/sbin /usr/ucb $HOME/bin /usr/bin/C11 /sbin /usr/SNC-saprouter/snc_library /usr/lib . )
setenv MAIL "/var/spool/mail/$LOGNAME"
setenv SECUDIR /usr/SNC-saprouter
setenv SNC_LIB "/usr/SNC-Saprouter/snc_library/libsapcrypto.o"
setenv LIBPATH "/usr/lib:/lib:/usr/sap/C11/SYS/exe/run:/oracle/C11/92_64/lib:/usr/SNC-saprouter/snc_library"

WINDOWS

For Windows, create PATH, SECUDIR, SNC_LIB and LIBPATH in the environment
settings area.
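
On UNIX, the environment and file checks from this section and from the seclogin step can be run together before saprouter is started. The script below is an added example, not part of the original guide or of SAP's tooling; the function name is hypothetical, and it assumes local.pse and cred_v2 are in the directory named by SECUDIR.

```shell
#!/bin/sh
# Added example (not SAP code): preflight for the SNC saprouter user on UNIX.
# Returns 0 when every check passes, 1 otherwise; findings go to stdout.
check_snc_env() {
  rc=0
  # SECUDIR is where the PSE and the seclogin credentials are assumed to live
  if [ -z "${SECUDIR:-}" ] || [ ! -d "$SECUDIR" ]; then
    echo "FAIL: SECUDIR is unset or not a directory"; rc=1
  fi
  # SNC_LIB must point at the cryptographic library unpacked with SAPCAR
  if [ -z "${SNC_LIB:-}" ] || [ ! -r "$SNC_LIB" ]; then
    echo "FAIL: SNC_LIB is unset or the library is not readable"; rc=1
  fi
  for f in local.pse cred_v2; do
    p="${SECUDIR:-.}/$f"
    if [ ! -f "$p" ]; then
      echo "FAIL: $p is missing"; rc=1
      continue
    fi
    # The PSE was created with an empty PIN, so file permissions are the
    # only thing protecting the private key: require no group/other access.
    mode=$(ls -ld "$p" | cut -c5-10)
    if [ "$mode" != "------" ]; then
      echo "FAIL: $p is accessible to group/others (mode bits: $mode)"; rc=1
    fi
  done
  return "$rc"
}

if check_snc_env; then echo "SNC preflight OK"; fi
```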
