
A ONE-STOP GUIDE TO

CONFIGURING SNC FOR SAPROUTER

Joy V. Ramachandran
Consultant SAP BASIS
IVL India Pvt Ltd
Technopark, Trivandrum
Kerala, India
joy.r [email protected] ; joy_r [email protected]

Contents

SAP SNC CONFIGURATION
  DOWNLOADING CRYPTOGRAPHIC SOFTWARE
  CREATING THE KEY
  TRANSMITTING THE KEY
  CREATING THE CERTIFICATE
  IMPORTING CERTIFICATE
  SETTING SECURED LOGIN TO SAPROUTER
  START SNC SAP ROUTER
    In Unix
    In windows
  SAPROUTTAB ENTRIES
    Example
  DEBUGGING
    Check whether certificate is installed correctly
    CHECK THE ENVIRONMENT VARIABLES
      UNIX
      WINDOWS

SAP SNC CONFIGURATION


DOWNLOADING CRYPTOGRAPHIC SOFTWARE
Download the cryptographic software from the SAP Service Marketplace at
www.service.sap.com/tcs.

Extract the cryptographic library, sapgenpse and the ticket file into the directory that
holds saprouter.exe. This directory is used as SECUDIR later on, so the ticket file and the
PSE created below end up where the library expects them:
# SAPCAR -xvf <cryptographic car file>

CREATING THE KEY

Next go to www.service.sap.com/tcp and get the distinguished name (DN) assigned to your
saprouter registration. Then execute the following command, pasting that DN as the argument.
It creates the PSE file local.pse containing the new RSA key pair and writes a certificate
signing request to the file certreq; the private key never leaves the PSE.
/* CN and the numeric OU in the distinguished name differ for every organization; use the
   values from your registration exactly as shown there */
# ./sapgenpse get_pse -v -r certreq -p local.pse "CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE"
Got absolute PSE path
"/usr/sap/C11/SYS/exe/run/local.pse".
Please enter PIN:<press enter>
Please reenter PIN:<press enter>
Supplied distinguished name: "CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE"
Generating key (RSA, 1024-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.
N:B Pressing enter twice leaves the PSE without a PIN, so the file permissions on local.pse
(and later on cred_v2) are the only protection of the router's private key: keep both files
readable by the saprouter user only. The 1024-bit key shown above is the default of the
library version used here; current sapgenpse versions accept an explicit algorithm (check the
options listed by sapgenpse get_pse -h for your version) and a 2048-bit RSA key should be
requested wherever the SAProuter CA accepts it.

TRANSMITTING THE KEY

The file certreq now holds the certificate signing request (your DN and public key, signed
with the new private key); the private key itself stays in local.pse and is never sent
anywhere. The next step is to paste this request into www.service.sap.com/tcp against your
SAP router registration. Everything from the -----BEGIN CERTIFICATE REQUEST----- line to the
-----END CERTIFICATE REQUEST----- line must be copied, including those two lines.
# cat certreq
-----BEGIN CERTIFICATE REQUEST-----
MIIBmDCCAQECAQAwWDELMAkGA1UEBhMCREUxDDAKBgNVBAoTA1NBUDESMBAGA1UE
CxMJU0FQcm91dGVyMRMwEQYDVQQLEwowMDAwNjMyNzY2MRIwEAYDVQQDEwltZnFz
YXBwcmQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAP/sY2nK8NR85+HZne3d
7ZQITR2tdlCG8gbJ/88SWFcWrjmD5me8jR9x9ut8wISSVkWgKCCZ/fM74XRGlU4V
HQ/8hjht8bP93Uyf06hE9re//SszGlySNdhG3TMx/wslJW8PAk0KXGozjMJrKRVE
Pd4Upb7jKhGoTcyaqJNi7SILAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQA3mM3W
9qBgCXcoN/XGp6/odakIQzRsQ8PJYhu2ogEwDixu3bNWW3doiiglqCCsJdyAdzfi
/yY/bUk/SJxDWVXZzYfw5c0Y3wmbDhqqLw3mm7nbVWFn6q8cn9MNeF1FdlUIfY7O
Yq8Inb/ropL1eMnkT1hepa79HIfdmHoAdjXDGQ==
-----END CERTIFICATE REQUEST-----

Copy the above request and paste it into the request form.

After copying, click on the "Request Certificate" button.

The next screen will display the certificate. Copy the generated certificate and paste it
into a new file named 'srcert' in the same directory as your saprouter.
N:B Do not forget to copy the BEGIN and END tags too.

CREATING THE CERTIFICATE

Save the certificate returned by SAP to the file srcert. Windows users can use Notepad, UNIX
users vi: open the file, paste the certificate, then press <ESC> and type :x to save and exit.

# vi srcert
-----BEGIN CERTIFICATE-----
MIIHqAYJKoZIhvcNAQcCoIIHmTCCB5UCAQExADALBgkqhkiG9w0BBwGgggd9MIICd
[... lines deleted ...]
hvcNAQEBBQADgY0AMIGJAoGBAP6a6fk9E5Is6WO84kyTjY08fMi2IsCzfC0NYkp3C
Vb0cx04csKiZZwB/V+IOICtx+C4mUpxDeDnT07i6onBKLqs3Jj5opOABe3pOHABOk
a+GiajTQ4MBHpgf7pb5zRAdqp7G6gx0bzGNIHxLx1U4jzbvZJF9xUIRJUBy44adK2
/AgMBAAGjaTBnMA8GA1UdEwEB/wQFMAMBAf8wJQYDVR0RBB4wHIYaaHR0cDovL3Nl
cnZpY2Uuc2FwLmNvbS9UQ1MwDgYDVR0PAQH/BAQDAgH2MB0GA1UdDgQWBBSivTpjU
s0Z/L7oQ9Cu5YSgSffa/DAJBgUrDgMCHQUAA4GBAMgUUSEs6bZKH067xP+RWnJ4fP
3l/qoydP3PZvCO4ThQHkhqMMhG+28J+jyWMijklAnJsJaWePBEBPbtLC5nKjNIZuW
WZaGOinWz192FGAHnoN2z0dcUTUljZLJrY/9NrCbfpC2TEqBQf1+Sr82DlJL6wmCX
Ejlpr1Kk/g7ZPYorMQA=
-----END CERTIFICATE-----

<ESC> :x

IMPORTING CERTIFICATE
The next step is to import the signed certificate into the PSE that holds the matching
private key, using the command below (run it in the saprouter directory):
# ./sapgenpse import_own_cert -c srcert -p local.pse
CA-Response successfully imported into PSE
"/usr/sap/C11/SYS/exe/run/local.pse"

SETTING SECURED LOGIN TO SAPROUTER

Now create the credentials that allow the saprouter user to open the PSE without entering a
PIN. Use -O <sid>adm if you want to start saprouter as the SAP administration user (creating
credentials for another user requires root); if you omit -O <user>, the credentials are
created for the account running the command below.
# ./sapgenpse seclogin -p local.pse -O saprouterUser
running seclogin with USER="saprouterUser"
creating credentials for yourself (USER="saprouterUser")...
Added SSO-credentials for PSE
"/usr/sap/C11/SYS/exe/run/local.pse"
"CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE"

N:B Check that a file named cred_v2 has been created in the same directory (SECUDIR). It must
be owned by the saprouter user with permissions 600: any process that can read it can use the
router's private key without a PIN.

START SNC SAP ROUTER

In Unix
In UNIX use the following syntax to start saprouter with SNC. SECUDIR and SNC_LIB must be set
in the environment of the shell that starts it (see CHECK THE ENVIRONMENT VARIABLES):
# nohup ./saprouter -r -G routerlog -S 3299 -K "p:CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE" &
In windows
In Windows use the following syntax:
<Drive>:\SNC-SaprouterDirectory\saprouter -r -G routerlog -S 3299 -K "p:CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE"
N:B The -K option gives saprouter its own SNC name (the "p:" prefix marks a printable DN) and
makes it load the SNC cryptographic library named by SNC_LIB. The name must be exactly the DN
used in get_pse, for which seclogin created the credentials.

SAPROUTTAB ENTRIES
For an SNC saprouter the saprouttab entries differ from those of a plain saprouter: traffic
from and to SAP is controlled by K entries (KP permits an inbound SNC connection from the
partner with the given SNC name; KT makes the outbound connection to the given target with
SNC, and still needs a P entry permitting it), while P and D remain the plain permit and deny
entries. saprouter evaluates the table top to bottom and stops at the first matching line, so
explicit ports must precede a generic '*' port entry and the final D * * * must stay last.
./saprouttab should contain at least the following entries:
# inbound connections MUST use SNC
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>
# repeat this for the servers and port_numbers you will need to allow,
# please make sure that all explicit ports are inserted in front of a
# generic entry '*' for port_number
# outbound connections to <sapservX> will use SNC
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapservX> <sapservX_inbound_port>
# permission entries to check if connection is allowed at all
P <IP address of a local host> <IP address of sapserv2> 3299
# all other connections will be denied
D * * *

Example:
For an SNC-encrypted connection to the SAProuter on sapserv2 (194.39.131.34),
the saprouttab should contain the following entries:
# SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC-connection from SAP to local R/3-System for Support (dispatcher port 32<nn>)
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 32<InstanceNo>
# SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503
# SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
# Access from the local Network to SAPNet - R/3 Frontend (OSS)
P <IP-address of a local PC> 194.39.131.34 3299
# deny all other connections
D * * *
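Because saprouter stops at the first matching line, a wrong order or a missing comma in an SNC name fails in ways the router log does not explain. The following linter is an added example written for this guide, not SAP code or a SAP tool: it parses a saprouttab in the layout shown above, flags malformed SNC names, rules that an earlier wildcard entry already covers (a deny hidden behind a wildcard permit is reported as an error), an open-relay P * * * and a missing final D * * *, and answers which line decides a given plain connection. The sample table it checks is constructed: the guide's example with two deliberate mistakes. Wildcard matching is fnmatch-style, an approximation of saprouter's own matching, and K entries are only checked for form, since saprouter matches them on the partner's SNC name rather than an address.

```python
"""Lint a saprouttab (the SAProuter route permission table) for mistakes that
break or silently weaken an SNC setup. Added example for this guide, not SAP
code; the entry layout follows the saprouttab format, the checks are this
script's own and fnmatch-style wildcards approximate saprouter's matching."""
import shlex
from dataclasses import dataclass
from fnmatch import fnmatchcase

PLAIN = {"P", "D", "S"}      # P permit, D deny, S permit SAP protocols only
SNC = {"KP", "KT", "KD"}     # KP/KD inbound SNC partner, KT outbound SNC target


@dataclass
class Rule:
    lineno: int
    kind: str
    source: str    # host/IP pattern, or the partner's SNC name for K* entries
    dest: str
    port: str

    def triple(self):
        return (self.source, self.dest, self.port)


def check_snc_name(name):
    """'p:' plus an X.500 DN of comma-separated RDNs. A missing comma folds two
    RDNs into one value; the name then matches no certificate at all."""
    if not name.startswith("p:"):
        return [f"SNC name must start with 'p:': {name!r}"]
    return [f"malformed RDN {rdn.strip()!r} in {name!r} (missing comma?)"
            for rdn in name[2:].split(",")
            if rdn.count("=") != 1 or rdn.strip().startswith("=")]


def parse_saprouttab(text):
    """Return (rules, problems); '#' comments and blank lines are skipped."""
    rules, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)
        if not fields:
            continue
        kind = fields[0]
        if kind not in PLAIN | SNC:
            problems.append((n, "ERROR", f"unknown entry type {kind!r}"))
            continue
        # P/D/S may carry a 5th field (route password); K* entries may not
        if not 4 <= len(fields) <= (5 if kind in PLAIN else 4):
            problems.append((n, "ERROR", f"{kind} needs <source> <dest> <port>, got {fields[1:]}"))
            continue
        rule = Rule(n, kind, fields[1], fields[2], fields[3])
        if kind in SNC:
            problems += [(n, "ERROR", m) for m in check_snc_name(rule.source)]
        rules.append(rule)
    return rules, problems


def covers(a, b):
    """True if every connection rule b could match is already caught by the
    earlier rule a. K* and plain rules never shadow each other."""
    if (a.kind in SNC) != (b.kind in SNC):
        return False
    return all(x == y or fnmatchcase(y, x) for x, y in zip(a.triple(), b.triple()))


def lint(text):
    """Return sorted (lineno, severity, message) findings for a saprouttab."""
    rules, problems = parse_saprouttab(text)
    for i, r in enumerate(rules):
        if r.kind == "P" and r.triple() == ("*", "*", "*"):
            problems.append((r.lineno, "ERROR", "P * * * turns the router into an open relay"))
        for earlier in rules[:i]:
            if covers(earlier, r):
                # a deny hidden behind a permit is a hole, not just dead text
                sev = "ERROR" if r.kind in ("D", "KD") and earlier.kind not in ("D", "KD") else "WARN"
                problems.append((r.lineno, sev, f"never reached: shadowed by line {earlier.lineno} ({earlier.kind})"))
                break
    if not rules or (rules[-1].kind,) + rules[-1].triple() != ("D", "*", "*", "*"):
        problems.append((0, "WARN", "table does not end with an explicit 'D * * *'"))
    return sorted(problems)


def first_match(rules, src, dest, port):
    """First-match lookup for plain routes, the way saprouter walks the table."""
    for r in rules:
        if r.kind in PLAIN and all(fnmatchcase(v, p) for v, p in
                                   zip((src, dest, str(port)), r.triple())):
            return r
    return None


# Constructed sample: the guide's example with two deliberate mistakes, a missing
# comma in the KT name and a host-specific deny placed after a wildcard permit.
SAMPLE = """\
KT "p:CN=sapserv2 OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.0.0.5 3200
P 10.0.1.* 194.39.131.34 3299
D 10.0.1.20 194.39.131.34 3299
D * * *
"""

if __name__ == "__main__":
    for lineno, sev, msg in lint(SAMPLE):
        print(f"line {lineno}: {sev}: {msg}")
    hit = first_match(parse_saprouttab(SAMPLE)[0], "10.0.1.20", "194.39.131.34", 3299)
    print(f"10.0.1.20 -> sapserv2:3299 is decided by line {hit.lineno} ({hit.kind})")
```

Run it against your own table with `lint(open("saprouttab").read())` after every change; an empty result plus a `first_match` answer of a D rule for an address that should not get through is the check worth keeping in a deployment script.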

DEBUGGING

Check whether certificate is installed correctly

# ./sapgenpse get_my_name -v -n issuer
Opening PSE "/usr/sap/C11/SYS/exe/run/local.pse"...
PSE open ok.
ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "UserID"
with PSE file "/usr/sap/C11/SYS/exe/run/local.pse"
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
The issuer must be the SAProuter CA as shown. If the command reports errors, or the issuer is
still your own DN (the self-signed certificate created by get_pse), the import has not worked:
delete cred_v2 and local.pse and repeat all the steps. If you want to create the key once
again, delete the certreq file too before starting over, because the old request no longer
matches the new key.

CHECK THE ENVIRONMENT VARIABLES

Make sure the following entries are present in the .login (dot login) script of the user who
starts the SNC saprouter. Only the SNC-related lines matter here (the snc_library entries in
path and LIBPATH, SECUDIR and SNC_LIB); the other lines are just the surrounding csh profile.
SECUDIR must be the directory that holds local.pse, cred_v2 and the ticket file (the saprouter
directory in this guide), and SNC_LIB must point at the cryptographic library file itself.
UNIX
set path = ( /usr/bin /etc /usr/sbin /usr/ucb $HOME/bin /usr/bin/C11 /sbin /usr/SNC-saprouter/snc_library /usr/lib . )
setenv MAIL "/var/spool/mail/$LOGNAME"
setenv SECUDIR /usr/SNC-saprouter
setenv SNC_LIB "/usr/SNC-saprouter/snc_library/libsapcrypto.o"
setenv LIBPATH "/usr/lib:/lib:/usr/sap/C11/SYS/exe/run:/oracle/C11/92_64/lib:/usr/SNC-saprouter/snc_library"
N:B The library file name is platform specific: libsapcrypto.o on AIX (as above),
libsapcrypto.so on Linux and sapcrypto.dll on Windows. LIBPATH is the AIX name of the
shared-library search path; on Linux the equivalent variable is LD_LIBRARY_PATH.

WINDOWS
For Windows create PATH, SECUDIR and SNC_LIB in the environment settings of the user (or
service account) that starts saprouter, with SNC_LIB pointing at sapcrypto.dll. LIBPATH has no
meaning on Windows; the DLL is located through PATH or the full path given in SNC_LIB.
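The checks below are an added example written for this guide, not SAP code: a pre-flight script that verifies, before `saprouter -K` is launched, that SECUDIR and SNC_LIB point at real files and that local.pse and cred_v2 belong to the starting user and are readable by nobody else. That is the point the seclogin section's cred_v2 note and the PIN-less PSE make necessary, and the point a path typo in SNC_LIB (such as the two spellings of the saprouter directory above) would otherwise only reveal at start time. The directory layout it tests against is constructed in a temporary directory with empty placeholder files; for a real run pass `os.environ`. The default DN and the library name libsapcrypto.so are assumptions, and the script is Unix only because it compares file owners with os.getuid().

```python
"""Pre-flight check before 'saprouter -K ...' is started. The PSE in this guide
has no PIN and cred_v2 lets any process of its owner open it, so the owner and
mode of local.pse and cred_v2 in SECUDIR are what protects the router's private
key. Added example for this guide, not SAP code; Unix only (os.getuid); the
default DN and the library file name are assumptions."""
import os
import stat
import tempfile
from pathlib import Path

GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO


def check_private_file(path, findings):
    """local.pse and cred_v2 must exist, belong to the starting user and be 0600."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        findings.append(f"ERROR {path}: missing (run sapgenpse get_pse / seclogin)")
        return
    if st.st_uid != os.getuid():
        findings.append(f"ERROR {path}: owned by uid {st.st_uid}, not by the starting user")
    if st.st_mode & GROUP_OR_WORLD:
        findings.append(f"ERROR {path}: mode {stat.filemode(st.st_mode)} allows group/other access, use 0600")


def preflight(env, snc_name="p:CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE"):
    """Return a list of findings for the given environment mapping; an empty
    list means saprouter may be started. Pass os.environ for a real check."""
    findings = []
    secudir = env.get("SECUDIR")
    if not secudir or not Path(secudir).is_dir():
        findings.append(f"ERROR SECUDIR={secudir!r} is unset or not a directory")
    else:
        for name in ("local.pse", "cred_v2"):
            check_private_file(Path(secudir) / name, findings)
    snc_lib = env.get("SNC_LIB")
    if not snc_lib or not Path(snc_lib).is_file():
        findings.append(f"ERROR SNC_LIB={snc_lib!r} does not point at the cryptographic library")
    if not snc_name.startswith("p:CN="):
        findings.append(f"ERROR -K expects an SNC name such as 'p:CN=...', got {snc_name!r}")
    return findings


def saprouter_argv(snc_name, port=3299, logfile="routerlog"):
    """The guide's start line as an argv list, so the DN with its spaces and
    commas reaches saprouter as a single argument."""
    return ["saprouter", "-r", "-G", logfile, "-S", str(port), "-K", snc_name]


def make_demo_secudir(pse_mode=0o600, cred_mode=0o600):
    """Constructed demo layout: a throw-away SECUDIR with empty placeholder
    files standing in for local.pse, cred_v2 and the SNC library."""
    d = Path(tempfile.mkdtemp(prefix="snc-demo-"))
    for name, mode in (("local.pse", pse_mode), ("cred_v2", cred_mode)):
        (d / name).touch()
        os.chmod(d / name, mode)
    (d / "libsapcrypto.so").touch()
    return {"SECUDIR": str(d), "SNC_LIB": str(d / "libsapcrypto.so")}


if __name__ == "__main__":
    good = preflight(make_demo_secudir())
    print("correct layout:", good or "OK -> " + " ".join(saprouter_argv("p:CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE")))
    for finding in preflight(make_demo_secudir(cred_mode=0o644)):
        print("world-readable cred_v2:", finding)
```

In a start script, run `preflight(os.environ)` first and refuse to exec saprouter while it returns anything; starting with a readable cred_v2 does not fail, it just hands the router's identity to every local account.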
