Scribd Logo
Upload

Welcome to Scribd!

  • 148 views

    Sap SNC Configuration

    Uploaded by

    mofibhai
    This document provides step-by-step instructions for configuring SNC encryption for an SAP router. It describes downloading cryptographic software, creating keys and certificates, configuring the saprouter.tab file, and debugging potential issues. The process includes generating keys, transmitting requests to SAP's certificate authority, importing signed certificates, and configuring the router startup to use the new SNC encryption settings.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd

    Sap SNC Configuration

    Uploaded by

    mofibhai
    148 views9 pages
    This document provides step-by-step instructions for configuring SNC encryption for an SAP router. It describes downloading cryptographic software, creating keys and certificates, configuring the saprouter.tab file, and debugging potential issues. The process includes generating keys, transmitting requests to SAP's certificate authority, importing signed certificates, and configuring the router startup to use the new SNC encryption settings.

    Original Description:

    SAP SNC Router

    Original Title

    Sap Snc Configuration

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides step-by-step instructions for configuring SNC encryption for an SAP router. It describes downloading cryptographic software, creating keys and certificates, configuring the saprouter.tab file, and debugging potential issues. The process includes generating keys, transmitting requests to SAP's certificate authority, importing signed certificates, and configuring the router startup to use the new SNC encryption settings.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    148 views9 pages

    Sap SNC Configuration

    Uploaded by

    mofibhai
    This document provides step-by-step instructions for configuring SNC encryption for an SAP router. It describes downloading cryptographic software, creating keys and certificates, configuring the saprouter.tab file, and debugging potential issues. The process includes generating keys, transmitting requests to SAP's certificate authority, importing signed certificates, and configuring the router startup to use the new SNC encryption settings.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 9

    AN ONE STOP GUIDE TO

    CONFIGURE SNC SAPROUTER
















    Joy V.Ramachandran
    Consultant SAP BASIS
    IVL India Pvt Ltd
    Technopark , Trivandrum
    Kerala India
    [email protected] ; [email protected]










    Contents


    SAP SNC CONFIGURATION........................................................................................ 3
    DOWNLOADING CRYPTOGRAPHIC SOFTWARE............................................ 3
    CREATING THE KEY.................................................................................................... 4
    TRANSMITTING THE KEY.......................................................................................... 4
    CREATING THE CERTIFICATE................................................................................. 6
    IMPORTING CERTIFICATE........................................................................................ 6
    START SNC SAP ROUTER ........................................................................................... 7
    In Unix............................................................................................................................ 7
    In windows..................................................................................................................... 7
    SAPROUTTAB ENTRIES............................................................................................... 8
    Example: ......................................................................................................................... 8
    DEBUGGING.................................................................................................................... 9
    Check whether certificate is installed correctly.............................................................. 9
    CHECK THE ENVIRONMENT VARIABLES ........................................................ 9
    UNIX........................................................................................................................... 9
    WINDOWS................................................................................................................. 9




























    SAP SNC CONFIGURATION

    DOWNLOADING CRYPTOGRAPHIC SOFTWARE

    Download the cryptographic software from service market place
    www.service.sap.com/tcs. As shown below.





    Extract the criptographic libraries and sapgenpse and ticket files in to the saprouter.exe
    location using

    # SAPCAR xvf < cryprographic car file>













    CREATING THE KEY


    Next goto www.service.sap.com/tcp get the distingush name . Then execute the following
    commands by copy paste the distinguished name

    /* CN & "OU " in the distingush name will be different for different organizations */


    #./sapgenpse get_pse -v -r certreq -p local.pse
    "CN=yourhostname , OU=123456, OU=SAProuter, O=SAP, C=DE "

    Got absolute PSE path
    "/usr/sap/C11/SYS/exe/run/local.pse".
    Please enter PIN:<press enter>
    Please reenter PIN:<press enter>
    Supplied distinguished name: "CN=YourHostName, OU=12345,
    OU=SAProuter, O=SAP,
    C=DE "
    Generating key (RSA, 1024-bits) ... succeeded.
    certificate creation... ok
    PSE update... ok
    PKRoot... ok
    Generating certificate request... ok.


    TRANSMITTING THE KEY

    It will generate a key in "certreq " . Next step is copy this key to
    www.service.sap.com/tcp against your SAP router registration . The ---- BEGIN
    CERTIFICATE REQUEST to --- END CERTIFICATE REQUEST should also
    be copied */


    # cat certreq
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBmDCCAQECAQAwWDELMAkGA1UEBhMCREUxDDAKBgNVBAoTA1NBUDESMBAGA1UE
    CxMJU0FQcm91dGVyMRMwEQYDVQQLEwowMDAwNjMyNzY2MRIwEAYDVQQDEwltZnFz
    YXBwcmQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAP/sY2nK8NR85+HZne3d
    7ZQITR2tdlCG8gbJ/88SWFcWrjmD5me8jR9x9ut8wISSVkWgKCCZ/fM74XRGlU4V
    HQ/8hjht8bP93Uyf06hE9re//SszGlySNdhG3TMx/wslJW8PAk0KXGozjMJrKRVE
    Pd4Upb7jKhGoTcyaqJNi7SILAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQA3mM3W
    9qBgCXcoN/XGp6/odakIQzRsQ8PJYhu2ogEwDixu3bNWW3doiiglqCCsJdyAdzfi
    /yY/bUk/SJxDWVXZzYfw5c0Y3wmbDhqqLw3mm7nbVWFn6q8cn9MNeF1FdlUIfY7O
    Yq8Inb/ropL1eMnkT1hepa79HIfdmHoAdjXDGQ==
    -----END CERTIFICATE REQUEST-----






    Copy the above key and paste it like shown below




    After Copying, click on the "Request Certificate" Button .

    Next screen will display the certificate. Copy and paste the generated certificate in a new
    file named 'srcert' in the same location of your saprouter .

    N:B Do not forget to copy the BEGIN and END tags too.










    CREATING THE CERTIFICATE


    Windows users can use notepad and UNIX vi editor.
    vi srcert < paste> <ESC><SHIFT> : x

    # vi srcert
    -----BEGIN CERTIFICATE-----
    MIIHqAYJKoZIhvcNAQcCoIIHmTCCB5UCAQExADALBgkqhkiG9w0BBwGgggd9MIICd
    TCCAd6gAwIBAgICI1MwDQYJKoZIhvcNAQEEBQAwRjELMAkGA1UEBhMCREUxDDAKBg
    NVBAoTA1NBUDESMBAGA1UECxMJU0FQcm91dGVyMRUwEwYDVQQDEwxTQVByb3V0ZXI
    gQ0EwHhcNMDQwMTIxMDQwMDI0WhcNMDUwMTIxMDQwMDI0WjBYMQswCQYDVQQGEwJE
    RTEMMAoGA1UEChMDU0FQMRIwEAYDVQQLEwlTQVByb3V0ZXIxEzARBgNVBAsTCjAwM
    DA2MzI3NjYxEjAQBgNVBAMTCW1mcXNhcHByZDCBnzANBgkqhkiG9w0BAQEFAAOBjQ
    AwgYkCgYEA/+xjacrw1Hzn4dmd7d3tlAhNHa12UIbyBsn/zxJYVxauOYPmZ7yNH3H
    263zAhJJWRaAoIJn98zvhdEaVThUdD/yGOG3xs/3dTJ/TqET2t7/9KzMaXJI12Ebd
    MzH/CyUlbw8CTQpcajOMwmspFUQ93hSlvuMqEahNzJqok2LtIgsCAwEAAaNgMF4wD
    <- --------- LINES DELETED -----------------------------------
    hvcNAQEBBQADgY0AMIGJAoGBAP6a6fk9E5Is6WO84kyTjY08fMi2IsCzfC0NYkp3C
    Vb0cx04csKiZZwB/V+IOICtx+C4mUpxDeDnT07i6onBKLqs3Jj5opOABe3pOHABOk
    a+GiajTQ4MBHpgf7pb5zRAdqp7G6gx0bzGNIHxLx1U4jzbvZJF9xUIRJUBy44adK2
    /AgMBAAGjaTBnMA8GA1UdEwEB/wQFMAMBAf8wJQYDVR0RBB4wHIYaaHR0cDovL3Nl
    cnZpY2Uuc2FwLmNvbS9UQ1MwDgYDVR0PAQH/BAQDAgH2MB0GA1UdDgQWBBSivTpjU
    s0Z/L7oQ9Cu5YSgSffa/DAJBgUrDgMCHQUAA4GBAMgUUSEs6bZKH067xP+RWnJ4fP
    3l/qoydP3PZvCO4ThQHkhqMMhG+28J+jyWMijklAnJsJaWePBEBPbtLC5nKjNIZuW
    WZaGOinWz192FGAHnoN2z0dcUTUljZLJrY/9NrCbfpC2TEqBQf1+Sr82DlJL6wmCX
    Ejlpr1Kk/g7ZPYorMQA=
    -----END CERTIFICATE-----

    <ESC><SHIFT> : x


    IMPORTING CERTIFICATE

    Next step is to import this certificate using the below command syntax .

    # ./sapgenpse import_own_cert -c srcert -p local.pse

    CA-Response successfully imported into PSE
    "/usr/sap/MPS/SYS/exe/run/local.pse"














    SETTING SECURED LOGIN TO SAPROUTER

    Now specify the user who is allowed secure login to PSE

    Use < sid> adm if you want to start saprouter with sap admin user. If you omit -O
    <user>, the credentials are created for the logged in user account who is running the
    below command )

    # ./sapgenpse seclogin -p local.pse -O saprouterUser

    running seclogin with USER="saprouterUser"
    creating credentials for yourself (USER="saprouterUser
    ")...
    Added SSO-credentials for PSE
    "/usr/sap/C11/SYS/exe/run/local.pse"
    "CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE"


    N:B Check a file named cred_v2 is created in the same directory



    START SNC SAP ROUTER

    In Unix

    In UNIX use the below sysntax to start sap router using SNC


    # nohup ./saprouter -r -G routerlog -S 3299 -K
    "p:CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE" &

    In windows

    In Windows use the below syntax

    <Drive>:\SNC-SaprouterDirectory\ saprouter -r -G routerlog
    -S 3299 K "p:CN=YourHostName, OU=12345, OU=SAProuter,
    O=SAP, C=DE"

    N:B K option tells saprouter to load the SNC cryptographic library too.








    SAPROUTTAB ENTRIES

    For SNC SAPROUTER , the enries should not be the same as non-saprouter

    ./saprouttab should contain at least the following entries

    # inbound connections MUST use SNC
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1>
    <port_number>
    # repeat this for the servers and port_numbers you will need to allow,
    # please make sure that all explicit ports are inserted in front of a
    # generic entry '*' for port_number

    # outbound connections to <sapservX> will use SNC
    KT "p:CN=sapserv2 OU=SAProuter, O=SAP, C=DE" <sapservX>
    <sapservX_inbound_port>

    # permission entries to check if connection is allowed at all
    P <IP address of a local host> <IP address of sapserv2>
    # all other connections will be denied
    D * * *


    Example:

    For a SNC encrypted connection to the SAPRouter on sapserv2 (194.39.131.34),
    the saprouttab should contain the following entries:

    # # SNC-connection from and to SAP
    KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

    # SNC-connection from SAP to local R/3-System for Support
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-
    Instance>

    # SNC-connection from SAP to local R/3-System for NetMeeting, if it is
    needed
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503

    # SNC-connection from SAP to local R/3-System for saptelnet, if it is
    needed
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23

    # Access from the local Network to SAPNet - R/3 Frontend (OSS)
    P <IP-addess of a local PC> 194.39.131.34 3299

    # deny all other connections
    D * * *




    DEBUGGING


    Check whether certificate is installed correctly


    # ./sapgenpse get_my_name -v -n issuer

    Opening PSE "/usr/sap/C11/SYS/exe/run/local.pse"...
    PSE open ok.
    ok.
    Retrieving my certificate... ok.
    Getting requested information... ok.
    SSO for USER "UserID"
    with PSE file "/usr/sap/C11/SYS/exe/run/local.pse"

    Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

    If any errors found in the above , you can do all the steps once again . But make sure that
    cred_v2, local.pse is deleted . If you whant to create the ket once again delete certreq file
    too before doing so.



    CHECK THE ENVIRONMENT VARIABLES

    Create the following entries are there in the .login ( dot login) script of the SNC
    saprouter user . ONLY THE BOLD AREAS

    UNIX

    set path = ( /usr/bin /etc /usr/sbin /usr/ucb $HOME/bin /usr/bin/C11
    /sbin /usr/SNC-saprouter/snc_library /usr/lib . )
    setenv MAIL "/var/spool/mail/$LOGNAME"
    setenv SECUDIR /usr/SNC-saprouter
    setenv SNC_LIB "/usr/SNC-Saprouter/snc_library/libsapcrypto.o"
    setenv LIBPATH
    "/usr/lib:/lib:/usr/sap/C11/SYS/exe/run:/oracle/C11/92_64/lib:/usr/SNC-
    saprouter/snc_library

    WINDOWS

    For windows create PATH, SECUDIR, SNC_LIB and LIBPATH in their environment
    settings area.

    You might also like