Setting Up An Snc-Based Saprouter Connection For Employee Central Payroll Systems
Setting Up An Snc-Based Saprouter Connection For Employee Central Payroll Systems
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Change History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5 Start SAProuter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5.1 Linux/Unix-Based Hosts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5.2 Windows-Based Hosts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5.3 Network Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
This document describes the steps required to set up a secure connection using SNC (Secure Network
Communications) between an Employee Central Payroll customer and SAP. SAProuter connectivity is primarily
needed for the back-end access to Employee Central Payroll systems via SAP GUI. However, it can also be used
for RFC/ALE-based integrations. For integration scenarios, where it is possible SAP recommends that you use Web
Services instead of RFC to be less dependent on the SAProuter connection.
Caution
SAProuter connectivity cannot be used for integration scenarios with HTTP/HTTPS connections.
Supported Scenarios
• SAP GUI communication through the SAProuter (to the message server and/or SAP dispatcher).
• RFC communication between systems or between RFC client and Gateway
• Support connections from SAP to customers. For support purposes SAP enables the transfer of other
protocols through special, proprietary precautions, but these are not appropriate for production operation
and are not released.
• Communication between server components with HTTP-based protocols through the SAProuter (e.g. Web
service calls through HTTP)
• Communication from a user interface such as the browser or the Business Client through SAProuter to an
application server (e.g. Web Dynpro or BSP-based applications)
• Binary protocols (e.g. terminal server, X-server) between communication partners
Learn about changes to the documentation for Setting Up an SNC-Based SAProuter Connection for Employee
Central Payroll Systems hosted on AZURE/GCP in recent releases.
2H 2022
1H 2022
Added We’ve added information about new data Install and Configure SAPRouter [page
centers. 8]
The technical setup consists of at least SAProuter on the customer side, as well as a load balanced SAProuter on
the SAP side. Note that all network devices at SAP are set up as a high availability cluster. For simplicity, the firewall
and Load Balancer are represented as single devices in the figure below.
SAPRouter
SAProuter is a software application that provides Application Level Gateway (ALG) functionality for SAP application
protocols. Typically, SAProuter is used to provide a remote connection to the SAP support infrastructure. For
Employee Central Payroll connectivity, SAProuter is used only as an Application Level Gateway.
SAPRouter must be configured with a public IP address owned by your company. This helps to avoid IP address
conflicts with other customers. As most customers use private IP addresses on their internal systems, this can be
achieved by applying Network Address Translation (NAT).
SAPRouter Registration
Ensure that SAProuter is provisioned in the DMZ network that should have a public IP address assigned to it. Follow
the guidelines below to get SAProuter registered with SAP. Request SAProuter registration by creating a support
ticket for component XX-SER-NET-NEW with the template filled in as shown below:
Register SAProuter using the details below which will be used to connect “Employee Central Payroll Systems hosted in <Azure/
GCP>”
Host name of the SAProuter computer (*): ___<any unique hostname_________ (Note : hostname should not be SAPRouter or
SAPRouter CA.)
Regards, XXXXXX
While SAP is performing SAProuter registration, follow the steps described in Install and Configure SAPRouter.
SAP has built Disaster Recovery systems at SAP DR sites for every corresponding Employee Central Payroll
Production system. In case of any disaster situation at SAP Production site, customer must be able to connect
to payroll system located in DR site via DR SAPRouter to continue with business run, until Production system
become available. The same configuration details submitted for Production site SAPRouter would be used for DR
site SAProuter configuration too. In case you have separate SAProuter for SAP DR site, please follow same process
mentioned in section "SAPRouter Registration" to configure your another SAProuter with SAP.
SNC is used to make network connections using the Internet, in particular WAN connections, secure. It provides
reliable authentication as well as encryption of the data to be transferred.
SAProuter allows SNC connections to be set up. The route permission table can be used to specify precisely
whether SNC connections are allowed, and if so, which ones.
Prerequisites
Note
Note
US region has 2 Datacenters, XM2-USA-Virginia & XM3-USA-Virginia, Please refer your provisioning handover
email to find your allocated system DC in US region. If you are not sure, please raise a case to component
LOD-EC-GCP-PY-OPS
This section covers the procedure for installing and configuring SAProuter and includes information for both Linux/
Unix and Windows hosts.
Context
Procedure
Depending on the operating system, the following steps must be executed from the command line
interface.
3. Make sure that all downloaded files have the same path. For example, the path from step 1 above: /usr/sap
4. Extract all the files in the same path using the following commands:
• SAPCAR -xvf <SAPCRYPTOLIBP_xxxx-xxxxxxxx.SAR>
• SAPCAR -xvf < saprouter_XXX-XXXXXXXX.sar>
Note
For Windows ensure that downloaded SAPCAR_XXX-XXXXX.EXE file is being used to unchar the .SAR file.
S * payroll.sapsf.com 3200.3399
D***
S * payroll49.sapsf.com 3200.3399
D***
S * payroll41.sapsf.com 3200.3399
D***
S * payroll43.sapsf.com 3200.3399
D***
S * payroll64-osk.sapsf.com 3200.3399
D***
S * payroll65-osk.sapsf.com 3200.3399
D***
S * payroll55.sapsf.eu 3200.3399
D***
S * payroll56.sapsf.eu 3200.3399
D***
S * payroll50.sapsf.eu 3200.3399
D***
S * payroll51.sapsf.eu 3200.3399
D***
S * payroll66-osk.sapsf.eu 3200.3399
D***
S * payroll67-osk.sapsf.eu 3200.3399
D***
S * payroll22-osk.sapsf.eu 3200.3399
D***
S * payroll23-osk.sapsf.com 3200.3399
D***
Context
Before starting the SAProuter service, ensure that SAProuter registration is completed via the request described in
section about the SAProuter Registration. Once it’s registered, please do the following:
Procedure
This command ensures that the issuer of the certificate is from SAProuter CA. For more information, refer to
the SAProuter page https://support.sap.com/en/tools/connectivity-tools/saprouter.html .
nohup SAProuter -r -K "p:<Full distinguished name of the applied certificate>” & Note that this command can
be used to run the service in the background.
Note
To start SAPRouter in Windows-Based hosts, follow the instructions provided in SAP Note 525751 .
To check whether the connection to SAP is working, log on to the command line of the SAProuter server, navigate
to the dedicated SAProuter directory and execute the following commands based on the location of your system.
XME-Canada: Toronto
XM2-USA: Virginia
US West 2 – Washington
XM3-USA: Virginia
US West 2: Washington
XGB-Germany: Frankfurt
Osaka
Note
SAP will be enabling monitoring for the connection between SAPRouter at SAP side and SAPRouter at
customer side. This will periodically check the connection to customer SAPRouter and alert in case of
connectivity errors. Customer must allow incoming traffic from SAP's SAPRouter to customer's SAPRouter
to enable the monitoring. The connection won’t be monitored if customers don’t allow the inbound access from
SAP's SAPRouter to customer's SAPRouter.
SAP Logon is used to initiate a user session to your Employee Central Payroll system. Not all logon pads are
available for cloud customers.
To install the SAP GUI for Windows for Employee Central Payroll systems, go to the SAP ONE Support
Launchpad . GUI versions are backward compatible. The supported version of GUI that can be used for Employee
Central Payroll systems available are SAP GUI FOR WINDOWS 7.50 CORE and SAP GUI FOR WINDOWS 7.60 CORE.
Customers can download either version.
To complete your SAP Logon configuration, you need the information regarding Application Server Name and
System ID that has been provided to you in the system handover mail.
The SAProuter String value depends on both the IP address of your SAProuter as well as the location of your
SAP Payroll systems. As mentioned in the following picture, configure the settings to achieve logon load balance
connectivity:
Setting Description
System ID SID
Group/Server PUBLIC
Instance number 00
Note
Make sure that the following line is added into your SAP GUI service file in your window host:
Note
In case of SAP GUI for Java, make sure that the following string is maintained for connection type server group:
The integration between SAP S/4HANA Cloud and SAP SuccessFactors Employee Central Payroll is done via Web
service and doesn’t require an SAProuter connectivity.
For more information about the procedure, refer to Overview of the Integration Between Employee Central Payroll
and SAP S/4HANA Finance.
For more information about the configuration, refer to Setting Up Payroll Processing with SAP SuccessFactors
Employee Central Payroll (1NL) .
Note
Because these configuration steps are customer-specific, they can’t be delivered by SAP and must be carried
out by the customer.
Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:
• Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements
with SAP) to this:
• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you
agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.
Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and
phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example
code unless damages have been caused by SAP's gross negligence or willful misconduct.
Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities, genders,
and abilities.
SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.