I have a few servers and desktops running in the cloud, some on Azure and some on AWS. I frequently need to RDP into these boxes, but that is not always possible from inside a corporate firewall: simple port redirection does not get past those firewalls, whereas outbound SSL/TLS on port 443 is allowed in almost every organization. So one of the best options is to tunnel RDP inside TLS on port 443.
I found the following article very useful.
RDP SSL tunneling with stunnel
In fact, I recommend you proceed as outlined in that article.
I've added my own comments, as I use Windows on both ends (server as well as client).
On the Server
1. Install stunnel
2. Provide the necessary details to create the server-side certificate (stunnel.pem)
3. Make the changes to the configuration file as below:
; Debugging stuff (may be useful for troubleshooting)
debug = info
output = stunnel.log
; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
;engine = capi
; TLS front-end to a web server
[https]
accept = 443
connect = 3389
cert = stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0
On all the gateways / firewalls
1. Make sure that traffic can flow end to end on port 443 from the client to the server. Open (or forward) ports as necessary along the way.
On the Client
1. Install Cygwin with the stunnel and socat packages
2. Create the certificate (again follow the instructions from the original article as I'll not repeat it here)
3. Make the changes to the configuration file as below. Note that this client configuration does not verify the server's certificate (there is no verify or CAfile option), so it hides RDP from the firewall but does not authenticate the remote end; add verify = 2 and a CAfile pointing at the server's stunnel.pem if you want the client to refuse anything but your own server.
; debug = 7
;foreground = yes
output = /etc/stunnel/tunnel.log
cert = /etc/stunnel/stunnel.pem
options = NO_SSLv2
[rdp]
client = yes
accept = 127.0.0.1:3399
connect = 127.0.0.1:81
4. From the Cygwin shell, run stunnel
5. Then run socat as follows. The bind=127.0.0.1 option keeps port 81 from being reachable from other hosts (stunnel only ever connects to it locally), and be aware that the proxy password on the command line ends up in the process list and your shell history:
socat -d -d TCP-LISTEN:81,bind=127.0.0.1,reuseaddr,fork PROXY:<FQDN OF YOUR CORPORATE PROXY SERVER>:<FQDN OF YOUR REMOTE SERVER>:443,resolve,proxyport=<YOUR CORPORATE PROXY PORT>,proxyauth=<YOUR CORPORATE USERNAME>:<YOUR CORPORATE PASSWORD>
Traffic Flow
Here is the traffic flow:
1. You RDP to 127.0.0.1:3399
2. Your client stunnel, listening on 127.0.0.1:3399, wraps the RDP traffic in TLS and forwards it to port 81 on the client
3. Your client socat, listening on port 81, sends an HTTP CONNECT request for port 443 on the remote server to the corporate proxy, authenticating with your corporate username and password; the proxy then opens the connection on your behalf
4. Traffic flows through all the hops you have between the client and the server
5. Traffic lands on port 443 on the remote server, where the server stunnel is listening
6. The server stunnel terminates the TLS session and forwards the plain RDP stream to port 3389 on the server
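The step socat performs in the flow above (step 3) is an HTTP CONNECT request to the corporate proxy, and it is worth seeing both sides of that exchange once. The following Python script is an added example, not part of the original post or of socat/stunnel: it builds the same CONNECT request socat sends (including the Basic proxy credentials), parses the proxy's reply, and talks to a stand-in proxy constructed for the example over a socketpair. The proxy behaviour, the target host name and the credentials are all assumptions of the example.

```python
"""Added example, not code from the original post: the HTTP CONNECT handshake
that the socat PROXY: address performs against the corporate proxy, written
out with both sides' messages. The proxy is a stand-in built for this example;
the target host name and credentials are placeholders, as in the post."""
import base64
import socket
import threading
from typing import Optional, Tuple


def build_connect_request(target_host: str, target_port: int,
                          username: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """Raw CONNECT request: what socat's proxyauth=user:pass option produces."""
    lines = [f"CONNECT {target_host}:{target_port} HTTP/1.1",
             f"Host: {target_host}:{target_port}"]
    if username is not None:
        # Basic auth is only base64, not encryption: the proxy leg carries the password in clear
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def _read_headers(sock: socket.socket) -> Tuple[bytes, bytes]:
    """Read until the blank line that ends an HTTP header block; return (head, leftover)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection before the header block ended")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def parse_connect_response(head: bytes) -> int:
    """Status code from the proxy's reply; 200 means the tunnel is open."""
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def connect_via_proxy(sock, target_host, target_port, username=None, password=None) -> int:
    """Client side: send CONNECT, return the proxy's status code."""
    sock.sendall(build_connect_request(target_host, target_port, username, password))
    head, _ = _read_headers(sock)
    return parse_connect_response(head)


def fake_proxy(conn: socket.socket, valid_token: str) -> None:
    """Stand-in corporate proxy (constructed for this example): requires the right
    Basic credentials, then becomes a transparent byte pipe (here, an echo)."""
    try:
        head, rest = _read_headers(conn)
    except ConnectionError:
        conn.close()
        return
    headers = head.decode("latin-1").split("\r\n")
    authorized = f"Proxy-Authorization: Basic {valid_token}" in headers[1:]
    if not headers[0].startswith("CONNECT ") or not authorized:
        conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b'Proxy-Authenticate: Basic realm="corp"\r\n\r\n')
        conn.close()
        return
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    # From here on the proxy forwards opaque bytes (the TLS handshake, in the real setup).
    data = rest or conn.recv(4096)
    if data:
        conn.sendall(data)
    conn.close()


def demo(username: str = "corpuser", password: str = "S3cret!") -> Tuple[int, bytes]:
    """Run client and stand-in proxy over a socketpair; return (status, bytes echoed back)."""
    client, proxy_end = socket.socketpair()
    valid_token = base64.b64encode(b"corpuser:S3cret!").decode()
    worker = threading.Thread(target=fake_proxy, args=(proxy_end, valid_token))
    worker.start()
    echoed = b""
    try:
        status = connect_via_proxy(client, "rdp-server.example.net", 443, username, password)
        if status == 200:
            # first bytes stunnel would push through the opened tunnel: a TLS record header
            client.sendall(b"\x16\x03\x01")
            echoed = client.recv(4096)
    finally:
        client.close()
        worker.join()
    return status, echoed


if __name__ == "__main__":
    print(demo())                    # (200, b'\x16\x03\x01')
    print(demo(password="wrong"))    # (407, b'')
```

Run it to see a correct password open the tunnel with a 200 and a wrong one produce a 407. Two things the exchange makes visible: the Basic credentials are only base64-encoded, so anyone who can read the client-to-proxy leg (or your shell history) has the password in clear, and once the proxy answers 200 it forwards bytes blindly, which is exactly why the firewall cannot tell RDP-inside-TLS from a browser session.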
Believe me, it works and there is no delay. I've tested it myself and can vouch for it. In fact, I am blogging this post from my desktop on Azure while behind a thick firewall. Happy RDPing.
Ram's Random Thoughts on Tech and Leisure
Friday, August 14, 2015
Friday, June 26, 2015
Git and Visual Studio
It has been a while since I last blogged. Things were crazy at the workplace for a while. For all these years my preferred IDE has been Microsoft's Visual Studio, and with that I was initially enduring Visual SourceSafe. I had a brief interaction with SourceGear Vault, which came as a welcome relief. The arrival of TFS changed the ALM (Application Lifecycle Management) landscape a lot, and to this day it remains my preferred source code control system.
I have been hearing about distributed source control systems a lot lately. And when the opportunity came, I tried to fit that with my IDE. In this blog, I am going to outline the steps involved.
When it comes to Git, there are a ton of options. TFS itself can act as a Git hub. Visual Studio 2013 comes equipped with a Git client. I am not that fortunate; I still have Visual Studio 2012 Premium with Update 4, so the first step for me was to install a client. There are a few options available here. The most popular ones are:
1. Visual Studio Tools for Git (https://visualstudiogallery.msdn.microsoft.com/abafc7d6-dcaa-40f4-8a5e-d6724bdb980c)
2. Git Source Control Provider (https://visualstudiogallery.msdn.microsoft.com/63a7e40d-4d71-4fbb-a23b-d262124b8f4c)
I chose the first one, as that product has been the base for the client tools that constitute the native client of VS 2013. So here we go:
STEPS
1. Download and install "Visual Studio Tools for Git" from https://visualstudiogallery.msdn.microsoft.com/abafc7d6-dcaa-40f4-8a5e-d6724bdb980c
NOTE: For some reason, this install didn't ask for privileged access (the UAC prompt for administrative access) on my workstation and failed, throwing a rather odd error that the minimum version required was "Visual Studio 2012 Update 2". I already had Update 4. After scratching my head for a while, I opened an administrative command prompt and ran the MSI file as below:
msiexec /i "<Full Path of the Downloaded MSI File>"
The above step installed the client tool as intended.
2. Go to Tools --> Options --> Source Control and change the source control plug-in to "Microsoft Git Provider".
3. Open Visual Studio and open "Team Explorer" (View --> Team Explorer)
4. Click on "Install 3rd-party Git command prompt tools". This downloads and runs msysgitVS.exe, which installs Git GUI and Git Bash on your local workstation.
5. Open Git GUI (Start --> Git GUI) and then Help --> Show SSH Key. You should have "No keys found."
6. Click on "Generate Key".
7. Provide a passphrase. It protects the private key on disk and is asked for whenever the key is used over SSH (clone, push, pull); local commits do not need it. Choose one you can remember, but do not leave it empty.
8. Once the key is generated, click "Copy to Clipboard" to copy the public part of the key and send it to your Git administrators to give you access to the repositories you need.
9. While you are waiting for the access, perform the following steps to setup your local environment.
10. Try to determine where the keys are stored locally on your computer. The easiest way is to open Git Bash (Start --> Git Bash) and then run the following commands:
cd
pwd
The first command takes you to your home directory and the second prints the full path of the current directory. If you see /h it's H:, if you see /C/Users/xyz it's C:\Users\xyz, and so on.
11. Navigate to that folder. You should see a .ssh folder (if you don't, change the view option in Explorer to show hidden files and folders). Locate id_rsa (the private key, which must never leave your machine) and id_rsa.pub (the public part, which is what you hand out).
12. Determine your username. In Git Bash, the command prompt is in the format xyz@abc, where "xyz" is your username and "abc" is your machine name.
13. Open Visual Studio, go to Team Explorer (View --> Team Explorer) and then Settings --> Git Settings. Provide your user name (noted on the above step), email address and a default repository location and click "Update". I normally provide C:\git\repositories.
14. Once your Git administrators grant you access, they will also provide a URL to connect to your assigned repository. The URL may be SSH or HTTPS based.
If it's HTTPS, you can directly connect to it by the steps below:
14.1.1. Click on Connect (View --> Team Explorer --> Connect)
14.1.2 Clone your repository to local by clicking on Clone under Local Git Repositories. Provide the URL in the format of https://github.com/abc/abc.git and the local path in the format of C:\git\repositories\abc where abc is the name of the repository.
14.1.3. You should now be able to perform commit/push/sync operations from Visual Studio directly.
If the URL is SSH, additional steps are needed for Visual Studio to work with the Git repository, and the push and sync actions cannot be performed from Visual Studio. For SSH, perform the following steps.
14.2.1 On Windows Explorer, create the path to store your local repository, e.g. C:\git\repositories\abc where abc is the name of the repository.
14.2.2 Open Git Bash (Start --> Git Bash) and navigate to your local folder.
cd /C/git/repositories/abc
14.2.3 Clone the repository by providing SSH URL in the format of ssh://git@github.com/abc.
git clone ssh://git@github.com/abc
14.2.4 On Visual Studio, click on Connect (View --> Team Explorer --> Connect).
14.2.5 Add the local repository. E.g. C:\git\repositories\abc
15. In the step above, you connected to your Git repository and downloaded the latest version of the source code. Now it's time to perform the normal source control operations. If your repository is empty, you can start creating your solutions and projects underneath your local repository (e.g. C:\git\repositories\abc) the normal way. There is no "Add to Source Control" step, as everything is tracked as you make changes. If your repository is not empty, you can immediately start working on the existing solutions and projects the normal way.
16. Unlike other source control systems, Git is distributed. So you have three areas:
a) Your local work area where your changes are tracked automatically e.g. C:\git\repositories\abc
b) Your local version control repository which is typically at C:\git\repositories\abc\.git
c) Your central version control repository which is typically at github.com or other servers
The steps involved are "commit" which commits changes from your local work area to your local version control repository and "push" which pushes those changes from your local version control repository to your central version control repository.
If the URL was in HTTPS format, you can commit and push from Visual Studio:
16.1.1 Right click on your solution, project or file and click on "Commit". Provide a comment. You now have option to "Commit" and then "Push" and then Sync as three steps or simply "Commit and Push" or "Commit and Sync" as a one step operation.
If the URL was in SSH format, you can only commit from Visual Studio. You will not be able to "Push" or "Sync" from Visual Studio as those steps would fail.
16.2.1 Right click on your solution, project or file and click on "Commit". Provide a comment and click on "Commit" only.
16.2.2 Open Git Bash (Start --> Git Bash) and navigate to your local folder.
cd /C/git/repositories/abc
16.2.3 In order to "push", provide the following command:
git push origin master
16.2.4 In order to "pull", provide the following command:
git pull ssh://git@github.com/abc
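Steps 8 and 11 are where the key material changes hands, so it is worth being able to check what you are about to send. The Python script below is an added example, not from the original post or from Git: it parses an OpenSSH public key line like the one in id_rsa.pub, refuses a private key file, reports the key type and size, and computes the SHA256 fingerprint that ssh-keygen -lf and most Git servers display, so you and the administrators can compare fingerprints instead of eyeballing a long base64 string. The two sample keys are constructed filler bytes for the example, not real keys.

```python
"""Added example, not part of the original post: read an OpenSSH public key line
such as the id_rsa.pub located in step 11, confirm it is the public half and not
the private key, and compute the SHA256 fingerprint so you can confirm with the
Git administrators (step 8) that they registered the key you meant to send.
The sample keys below are constructed for this example and are not real keys."""
import base64
import hashlib
import struct
from typing import Dict, List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Decode one SSH wire-format string starting at offset; return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def build_public_key_line(key_type: str, fields: List[bytes], comment: str = "") -> str:
    """Assemble '<type> <base64 blob> [comment]' the way ssh-keygen writes id_rsa.pub."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_public_key(line: str) -> Dict[str, object]:
    """Validate a public key line and return type, size, comment and SHA256 fingerprint."""
    text = line.strip()
    if text.startswith("-----BEGIN"):
        # PEM armour means a private key file (id_rsa); that one must never be shared
        raise ValueError("this is a private key; send id_rsa.pub, not id_rsa")
    parts = text.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded_type, offset = _read_ssh_string(blob, 0)
    if embedded_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"type {key_type!r} does not match blob {embedded_type!r}")
    fields: List[bytes] = []
    while offset < len(blob):
        field, offset = _read_ssh_string(blob, offset)
        fields.append(field)
    if key_type == "ssh-rsa" and len(fields) == 2:
        bits = int.from_bytes(fields[1], "big").bit_length()   # fields are [e, n]
    elif key_type == "ssh-ed25519" and len(fields) == 1:
        bits = len(fields[0]) * 8
    else:
        raise ValueError(f"unsupported or malformed key type {key_type!r}")
    # OpenSSH's SHA256 fingerprint: base64 of sha256(blob) with the '=' padding removed
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "comment": comment, "fingerprint": fingerprint}


# Constructed sample keys (NOT real keys): a 2048-bit-sized RSA modulus made of
# filler bytes, and 32 filler bytes standing in for an Ed25519 public key.
SAMPLE_RSA_LINE = build_public_key_line(
    "ssh-rsa", [b"\x01\x00\x01", b"\x00\xc5" + b"\x11" * 255], "xyz@abc")
SAMPLE_ED25519_LINE = build_public_key_line("ssh-ed25519", [bytes(range(32))], "xyz@abc")

if __name__ == "__main__":
    for sample in (SAMPLE_RSA_LINE, SAMPLE_ED25519_LINE):
        print(parse_public_key(sample))
```

Point the script at the real id_rsa.pub and compare the fingerprint it prints with what the Git server shows for your account; if you accidentally open id_rsa instead, the PEM check stops you before anything is copied anywhere.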
Wednesday, December 10, 2014
SAPRouter and Business Objects
Introduction
I've already explained how to install and configure SAP Router in your environment here. Also I've explained how to add your HANA system to SAPRouter here. In this post, I'll explain how to add your BOBJ environment to SAPRouter. This may look exactly the same as my previous post with lots of repetitions. But please bear with me, because there are some important distinctions.
Get the Details
1) Hostname or IP address of your BOBJ system E.g. 10.124.11.22
2) HTTP Port: normally 8080 (the Tomcat port)
Set up routetab on SAP Router
1) Assuming you're using SNC, add the following to your routetab file (make sure it is above the deny line; SAProuter uses the first entry that matches):
# SNC connection to local system for BOBJ Support
# BOBJ Server: 10.124.11.22
# HTTP Port: 8080
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.11.22 8080
2) Restart your SAP router service
Client Machine Setup
It is recommended to have a separate workstation to establish the initial handshake between your SAPRouter and SAP's SAPRouter. Here are the steps:
1) Download "SAP Service Connector" and "SAP GUI" from the SAP Service Marketplace.
2) Install both products.
Edit System at SAP support portal
1) Go to https://service.sap.com/sap/bc/bsp/spn/system_search/index.htm
2) Search for your system (the system you created to maintain license key etc. for your BOBJ server) and click on it.
3) Under "System" tab, you should see "SAP-Router" section. Click on "Edit System" at the bottom, and choose the hostname from the drop down (E.g. SAPROUTER01). Provide the service port (E.g. 3299).
4) Go to "Application Server" tab and click on "Create Server".
5) Provide Hostname, IP address, OS and OS version etc. as relevant. You may provide 01 as the instance number if you have a single-node environment; if you have multiple nodes, provide the instance numbers accordingly.
6) Click on "Add Server"
7) If you've a multinode environment, then repeat steps 4 through 6 and continue to add servers until you've all the nodes accounted for.
8) Click on "Save System"
9) Go to "System" tab
10) Click on "Maintain Service Connection" button under SAP-Router section.
NOTE: Alternatively you may go to https://support.sap.com/remote-support/remote-connections.html, click on "Maintain Connections" and select your system.
11) On the "Service Connection" window, under "Set up Connection types" section, click on "HTTP Connect - URLAccess".
12) Verify the details and click "Save".
13) A new connection would appear under "Open/Close Connections".
14) Expand the URLs section and add the URL to Tomcat for all nodes.
Service Type: HTTP Connect - URLAccess
Description: Access to Tomcat
URL: http://servername:8080/
15) Click on the connection "HTTP Connect - URLAccess" under "Open/Close Connections".
16) Provide how long you want to allow the connection to remain open, provide your contact details and finally the route string to your SAP Router. E.g.
/H/10.124.1.100/S/3299
NOTE: If you've opened a successful connection to any system previously, a lot of these details will not be asked (Route String, Start Service Connector etc.). You'll simply be asked to "Open Connection". Steps 17 through 21 won't be there for such scenarios.
17) Click on "Start Service Connector" button. It would download a file called "stfk.oez". The browser screen would change and would ask the following question:
Was the opening network connection successful?
with a "Yes" and a "No" button. DO NOT click on anything yet.
18) Copy the file to the client workstation where "SAP Service Connector" is installed. Double click to open.
19) A dialog box would open and say "'SAP Connector 2.0' application was started". Click the "OK" button on the dialog box.
20) Another dialog box would open and say "The service connection has been opened successfully.". Click the "OK" button on the dialog box.
21) Go back to the portal and click on "Yes" to the following question:
Was the opening network connection successful?
22) From now onward, you may click on the connection under "Open/Close Connections" and set a time period to open connection for the specified period.
Revisions
I expect to update this post quite often. Here is the revision log:
12/09/2014: Initial Version
Tuesday, November 11, 2014
SAPRouter and HANA
Introduction
In my previous post, I'd explained how to install and configure SAP Router in your environment. In this and subsequent posts, I'll explain how to add your SAP systems to the router for remote monitoring and management. In this post, I'll explain how to add SAP HANA system to SAP Router.
Get the Details
1) Hostname or IP address of your HANA system E.g. 10.124.11.22
2) HANA instance ID E.g. 00
3) HTTP Port: It would be 5<Instance ID>13. E.g. 50013
4) JDBC Port: It would be 3<Instance ID>15. E.g. 30015
5) XS-Engine Port: It would be 80<Instance ID>. E.g. 8000
Set up routetab on SAP Router
1) Assuming you're using SNC, add the following to your routetab file (make sure it is above the deny line; SAProuter uses the first entry that matches):
# SNC connection to local system for HANA Support
# HANA Server: 10.124.11.22
# HTTP Port: 50013
# JDBC Port: 30015
# XS-Engine Port: 8000
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.11.22 50013
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.11.22 30015
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.11.22 8000
2) Restart your SAP router service
Client Machine Setup
It is recommended to have a separate workstation to establish the initial handshake between your SAPRouter and SAP's SAPRouter. Here are the steps:
1) Download "SAP Service Connector" and "SAP GUI" from the SAP Service Marketplace.
2) Install both products.
Edit System at SAP support portal
1) Go to https://service.sap.com/sap/bc/bsp/spn/system_search/index.htm
2) Search for your system (the system you created to maintain license key etc. for your HANA server) and click on it.
3) Under "System" tab, you should see "SAP-Router" section. Click on "Edit System" at the bottom, and choose the hostname from the drop down (E.g. SAPROUTER01). Provide the service port (E.g. 3299).
4) Go to "Other Servers/Hosts" tab and click on "Create Server".
5) Provide Hostname, IP Address, OS and OS Version etc. as relevant. Usage is typically "Other Server".
6) Click on "Add Server"
7) If you've a multinode environment, then repeat steps 4 through 6 and continue to add servers until you've all the nodes accounted for.
8) Go to "DB Server" tab. Provide Hostname, IP Address, OS and OS Version etc. as relevant.
NOTE: Since this tab only allows one DB server, if you have a multinode system, it is advisable to put a load balancer in front of your HANA nodes and provide the hostname and IP of the load balancer.
9) Click on "Save System"
10) Go to "System" tab
11) Click on "Maintain Service Connection" button under SAP-Router section.
NOTE: Alternatively you may go to https://support.sap.com/remote-support/remote-connections.html, click on "Maintain Connections" and select your system.
12) On the "Service Connection" window, under "Set up Connection types" section, click on "SAP HANA Database".
13) Refer to "Set up routetab on SAP Router" section and provide the same ports here.
14) Click "Save".
15) A new connection would appear under "Open/Close Connections". Click on the connection.
16) Provide how long you want to allow the connection to remain open, provide your contact details and finally the route string to your SAP Router. E.g.
/H/10.124.1.100/S/3299
NOTE: If you've opened a successful connection to any system previously, a lot of these details will not be asked (Route String, Start Service Connector etc.). You'll simply be asked to "Open Connection". Steps 17 through 21 won't be there for such scenarios.
17) Click on "Start Service Connector" button. It would download a file called "stfk.oez". The browser screen would change and would ask the following question:
Was the opening network connection successful?
with a "Yes" and a "No" button. DO NOT click on anything yet.
18) Copy the file to the client workstation where "SAP Service Connector" is installed. Double click to open.
19) A dialog box would open and say "'SAP Connector 2.0' application was started". Click the "OK" button on the dialog box.
20) Another dialog box would open and say "The service connection has been opened successfully.". Click the "OK" button on the dialog box.
21) Go back to the portal and click on "Yes" to the following question:
Was the opening network connection successful?
22) From now onward, you may click on the connection under "Open/Close Connections" and set a time period to open connection for the specified period.
23) Your SAP technician can now use the connection to access your HANA system.
NOTE: A) It is advisable to have HANA Studio installed on the HANA server, so that the SAP support engineer can use it to connect to your HANA system.
B) It is also advisable to create a user in HANA with only the privileges the support case needs and supply those credentials via the "Maintain Access Data" button under system maintenance. This lets SAP support engineers log on to your HANA system remotely without you handing out an administrative account.
Revisions
I expect to update this post quite often. Here is the revision log:
11/11/2014: Initial Version
12/09/2014: Some minor correction and an important note added under step #16
Tuesday, November 4, 2014
SAPRouter Installation and Configuration
Introduction
SAPRouter is a software-based proxy used for communication among SAP systems on-premise, and between your systems and SAP's global support centers. If all your SAP systems are on your internal network you may not need SAPRouter, unless you want the SAP global support centers to have remote access to your servers for troubleshooting and monitoring. That is why I highly recommend having SAPRouter in place regardless of your network architecture.
Placement
You may place SAPRouter in your DMZ or inside your network; the choice is entirely yours. However, you must make sure your firewall rules are changed to allow the following:
1) Your SAPRouter can reach the SAP global support centers on TCP port 3299 and with ICMP echo (ping). The list of IPs for the global support centers is provided in SAP Note 48243.
2) The SAP global support centers can reach your SAPRouter on TCP port 3299 and with ICMP echo (ping). You must have a public IP address routed to your SAPRouter, preferably with a public DNS name.
3) Your on-premise SAP systems can reach your SAPRouter on TCP port 3299 and with ICMP echo (ping).
4) Your SAPRouter can reach your on-premise SAP systems on their regular service ports (>1023).
Installation
The SAPRouter is available for most Windows and UNIX/Linux distributions. Here are the steps to install:
1. Download SAPRouter specific to your OS and distribution from the SAP support portal (https://support.sap.com).
NOTE: The following instructions are for Windows system only. But instructions for UNIX/Linux are not that different. Please follow this as a general guideline.
2. The download will most likely be a .SAR archive. You need the SAPCAR utility to extract it, e.g. (on Windows):
sapcar.exe -xvf "saprouter_622-20010469.sar"
3. After the extraction, you would find the following three files:
1) niping.exe
2) saprouter.exe
3) patches.mf
4. Copy the files to a location on the server. E.g. Create D:\usr\sap\saprouter, D:\usr\sap\saprouter\logs and D:\usr\sap\saprouter\traces folders. Copy the above files to D:\usr\sap\saprouter.
5. Create an empty text file called saprouttab at D:\usr\sap\saprouter.
NOTE: Before Windows Server 2003 there were no native tools to create Windows services, which is when SAP recommended ntscmgr.exe. That tool is no longer supported on Windows 2003 and later systems; use sc.exe instead.
6. The command to install the service is (sc.exe requires a space after each = sign):
sc.exe create <NameOfTheService> binPath= "<PathToServiceExecutable> service -r <parameter>" type= own start= auto
For example, the following installs a Windows service called SAProuter that starts automatically, with log files rolling over at 1 MB, trace verbosity level set to 1 and the restart count set to 3. For more information, refer to the SAProuter installation guide.
sc.exe create SAProuter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -G D:\usr\sap\saprouter\logs\saprouter.log -J 1048576 -T D:\usr\sap\saprouter\traces\saproutertrace.log -V 1 -E -Y 3" type= own start= auto
Smoke Test
1. After the service is installed, start the service.
2. Check the logfile at D:\usr\sap\saprouter\logs\ to verify that the service started successfully.
3. You now need two other machines to serve as a test server and a test client. Copy niping.exe to both machines.
4. On the box designated as the test server, start niping as follows:
niping -s
5. On the box designated as the test client, start niping to connect to the test server as follows:
niping -c -H testserverboxname
6. After the above ping test is successful, on the box designated as the test client, start niping to connect to the SAProuter via the test server as follows:
niping -c -H /H/saprouterboxname/H/testserverboxname
NOTE: Instead of box names, you may use IP addresses.
You may receive a "route permission denied" error while running the above test; steps 8 and 9 below fix that.
7. On the box designated as the SAProuter, do a self test as follows:
niping -t
The result should be OK.
8. On the SAProuter box, stop the SAProuter service, open D:\usr\sap\saprouter\saprouttab in Notepad and add the following entry:
S 10.124.*.*
where 10.124 is the subnet your test client and server machines are on. An S entry permits only SAP protocols from the given source, which is enough for niping; SAProuter evaluates the table top to bottom and applies the first matching entry, so any permit you add later must sit above a deny line.
9. Save the file and start the service again. Run the test from test client again:
niping -c -H /H/saprouterboxname/H/testserverboxname
The ping should be successful.
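To see exactly what the SAProuter has to permit when niping sends /H/saprouterboxname/H/testserverboxname (and why step 6 can fail with "route permission denied"), here is an added example written for this article; it is not part of the original post or of SAP's tooling. It parses a route string into hops and lists the (source, destination, port) request that each router on the path evaluates against its own saprouttab. The client address, the niping port and the multi-router route in the demo are constructed values.

```python
"""Parse an SAP route string such as /H/saprouterboxname/H/testserverboxname
into its hops and derive the (source, destination, port) request that each
SAProuter on the path must find permitted in its own saprouttab. Added
example for this article, not SAP code. Syntax assumed from the documented
format: /H/host, optional /S/service and /W/password per hop; intermediate
hops default to the SAProuter port 3299, while the final target's port is
supplied by the caller (niping_port below is a hypothetical value)."""
from dataclasses import dataclass
from typing import Optional

SAPROUTER_PORT = "3299"   # default service when a hop is a SAProuter


@dataclass
class Hop:
    host: str
    service: Optional[str] = None    # None: use the default for that position
    password: Optional[str] = None   # route password (/W/), if the router demands one


def parse_route_string(route: str) -> list[Hop]:
    if not route.startswith("/"):
        raise ValueError("route string must start with '/'")
    parts = route.rstrip("/").split("/")[1:]       # "/H/a/S/1" -> ["H", "a", "S", "1"]
    if len(parts) % 2:
        raise ValueError(f"unbalanced route string: {route!r}")
    hops: list[Hop] = []
    for key, value in zip(parts[0::2], parts[1::2]):
        if not value:
            raise ValueError(f"empty value after /{key}/ in {route!r}")
        if key == "H":
            hops.append(Hop(value))
        elif key in ("S", "W"):
            if not hops:
                raise ValueError(f"/{key}/ before the first /H/ in {route!r}")
            if key == "S":
                hops[-1].service = value
            else:
                hops[-1].password = value
        else:
            raise ValueError(f"unknown route element /{key}/ in {route!r}")
    if not hops:
        raise ValueError("route string contains no /H/ hop")
    return hops


def router_checks(hops: list[Hop], client: str, target_service: str):
    """For every SAProuter hop, the request it evaluates against its saprouttab:
    (router, source, dest, port). The first router sees the client as source;
    each later router sees the previous router, never the original client."""
    checks = []
    prev = client
    for i, router in enumerate(hops[:-1]):            # the last hop is the target, not a router
        nxt = hops[i + 1]
        is_target = i + 1 == len(hops) - 1
        port = nxt.service or (target_service if is_target else SAPROUTER_PORT)
        checks.append((router.host, prev, nxt.host, port))
        prev = router.host
    return checks


if __name__ == "__main__":
    niping_port = "3298"   # hypothetical: whatever port your "niping -s" instance listens on
    hops = parse_route_string("/H/saprouterboxname/H/testserverboxname")
    for router, src, dst, port in router_checks(hops, "10.124.7.7", niping_port):
        print(f"{router} must permit {src} -> {dst}:{port}")
```

For the single-router route used in the smoke test the only check is on saprouterboxname, with the test client's address as source and the test server as destination; that is the triple the S 10.124.*.* entry added in step 8 has to match. With two routers in a row, the second router sees the first router as the source, which is why a saprouttab must be written per router and not copied between them.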
Add your SAProuter to SAP
1. Work with your network team to create a public DNS record and public IP address and have it NATed to your SAProuter box. Make sure the firewall rules explained under the "Placement" section are still in place. E.g.
DNS "A" Record
Public Address: saprouter01.example.com
IP: NNN.NNN.NNN.NNN
2. Download SAP Note 28976 (Remote connection data sheet) and fill it out. There are several connection types supported by SAP including VPN and dial-up. The simplest way is to configure it via secured connections on internet. If that is the case, fill out only the "Remote connection data sheet (Internet)" section.
3. Create an incident with SAP with component "XX-SER-NET-NEW". The short description should say "Remote Connection Data Sheet". Attach the filled out remote connection data sheet.
4. Once SAP has processed the incident, your SAProuter will appear in your organization's SAProuter list. To check, go to https://support.sap.com/remote-support/saprouter/saprouter-certificates.html and click on the "Apply Now" button on the right. You should see something like the following:
SAProuter Name | Distinguished Name (Parameter for SAPGENPSE)            | Target (on SAP-side)
SAPROUTER01    | CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE | sapserv2
5. Click on "Continue" button. On the next screen, copy the distinguished name (DN) to notepad. The DN should look like:
CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE
6. Cancel this request for the time being, as we have more work to do as below.
Secure the connection
In order to secure the connection between your SAProuter and SAP's SAProuter, you need to enable SNC (Secure Network Communications). There are several steps involved here.
Install SAP Cryptolib
Firstly, you need to install the SAP Cryptolib.
1. Download SAPCryptolib specific to your OS and distribution from the SAP support portal (https://support.sap.com).
NOTE: The following instructions are for Windows system only. But instructions for UNIX/Linux are not that different. Please follow this as a general guideline.
2. The download will most likely be a .SAR archive. You need the SAPCAR utility to extract it. E.g. (for Windows)
sapcar.exe -xvf "SAPCRYPTOLIB_38-10010888.SAR"
3. After the extraction, you would find the following files/folders:
1) ntia64
2) ntintel
3) nt-x86_64
4) Changelog.txt
5) LEGAL.TXT
6) LICENSE.TXT
7) SIGNATURE.SMF
8) ticket
9) Ver555.pl38
10) WHICH.TXT
4. Copy all these files/folders to a location on the server. E.g. create D:\usr\sap\sapcryptolib and D:\usr\sap\sapcryptolib\certificates, and copy the above files/folders to D:\usr\sap\sapcryptolib.
5. Create a System Environment Variable called SECUDIR with the value D:\usr\sap\sapcryptolib\certificates.
6. Create another System Environment Variable called SNC_LIB pointing to the sapcrypto.dll to your specific processor architecture. E.g. D:\usr\sap\sapcryptolib\nt-x86_64\sapcrypto.dll
Create a PSE (Personal Security Environment) and CSR (Certificate Signing Request)
1. On the command prompt, change directory to the cryptolib directory and then to specific processor architecture for your box. E.g.
cd D:\usr\sap\sapcryptolib\nt-x86_64
2. Run the sapgenpse with get_pse option with appropriate details. E.g.
sapgenpse get_pse -p "D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" -r "D:\usr\sap\sapcryptolib\certificates\saprouter01req.txt" -x "mypassword" "CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE"
where
"D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" is the complete path to the PSE file
"D:\usr\sap\sapcryptolib\certificates\saprouter01req.txt" is the complete path to the CSR file
"mypassword" is the password to protect the PSE
"CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE" is the distinguished name as copied from last step of "Adding your SAProuter to SAP" section from above.
3. Verify that the PSE and CSR have been created.
Request and Import Certificate for SAProuter
1. Go to https://support.sap.com/remote-support/saprouter/saprouter-certificates.html and click on "Apply Now" button on the right. You should see something like the following:
SAProuter Name | Distinguished Name (Parameter for SAPGENPSE)            | Target (on SAP-side)
SAPROUTER01    | CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE | sapserv2
2. Click on "Continue" button. Copy the content of the CSR file generated above to the text box and click on "Request Certificate".
3. Copy the display on the screen including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" to Notepad on SAProuter box and save it as D:\usr\sap\sapcryptolib\certificates\saprouter01.cer.
4. On the command prompt, change directory to the cryptolib directory and then to the specific processor architecture for your box. E.g.
cd D:\usr\sap\sapcryptolib\nt-x86_64
5. Run the sapgenpse with import_own_cert option with appropriate details. E.g.
sapgenpse import_own_cert -p "D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" -c "D:\usr\sap\sapcryptolib\certificates\saprouter01.cer" -x "mypassword"
where
"D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" is the complete path to the PSE file
"D:\usr\sap\sapcryptolib\certificates\saprouter01.cer" is the complete path to the Certificate downloaded from SAP
"mypassword" is the password to protect the PSE
6. Verify that the certificate is properly imported to PSE.
Create Service Account and its Credentials
So far, the SAProuter service has been running under "Local System" account. Now it is time to create a service account to run the service.
1. Work with your Domain Administrators to create a domain account. E.g. example.com\saprouter.
2. On the command prompt, change directory to the cryptolib directory and then to specific process architecture for your box. E.g.
cd D:\usr\sap\sapcryptolib\nt-x86_64
3. Run the sapgenpse with seclogin option with appropriate details. E.g.
sapgenpse seclogin -p "D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" -O "example.com\saprouter" -x "mypassword"
where
"D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" is the complete path to the PSE file
"example.com\saprouter" is the domain account that will be used to run the service
"mypassword" is the password to protect the PSE
4. Verify that the credentials for SSO have been added properly.
5. Login as the domain user (example.com\saprouter) to the box and run sapgenpse with get_my_name option to verify credentials. E.g.
sapgenpse get_my_name -v -n Issuer
It should display the issuer as follows (depending on your SAP location):
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Change Service User and Options
When we first installed the service (step #6 of "Installation"), we had created it without SNC. Now is the time to delete the service and recreate using SNC.
1. Delete the SAProuter service by providing the following command:
sc.exe delete SAProuter
2. Recreate the service with SNC
sc.exe create SAProuter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -K """p:CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE""" -G D:\usr\sap\saprouter\logs\saprouter.log -J 1048576 -T D:\usr\sap\saprouter\traces\saproutertrace.log -V 1 -E -Y 3" type= own start= auto
The only parameter added from the last time is -K """p:CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE"""
NOTE: The value for -K must be enclosed in three double-quotes, which sc.exe collapses to a single double-quote around the parameter. The distinguished name must be given as p:distinguished name.
3. Modify the service to run as the domain account (example.com\saprouter) instead of the default Local System account; the account needs the "Log on as a service" right on the box and no more privilege than that. Start the service.
4. Perform a round of smoke tests as explained under the "Smoke Test" section.
Change Route Table to allow access from SAP
1. If you've followed the steps under "Smoke Test" section, you may have the following entry in D:\usr\sap\saprouter\saprouttab file:
S 10.124.*.*
where 10.124 is the subnet where your SAP servers are (BOBJ, BODS, ABAP etc.)
2. If you've requested SNC over the internet, you've most likely been assigned sapserv2 as SAP's router. The following is an example of how the saprouttab file should be set up. Note that the permissive smoke-test entry is not carried over: access from SAP is granted only to the listed SNC partner and only to the specific host/port pairs, local systems may reach only sapserv2, and the final line denies everything else:
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC connection to local system for R/3-Support
# R/3 Server: 10.124.1.1
# R/3 Port: 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.1 3200
# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 10.124.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.2 3389
# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 10.124.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.3 23
# SNC connection to local Portal system for URL access, if applicable
# Portal server: 10.124.1.4
# Port number: 50003
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.4 50003
# Access from the local Network to SAP
P 10.124.*.* 194.39.131.34 3299
# deny all other connections
D * * *
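As an added example, not from the original post or from SAP, the following Python models how SAProuter evaluates a saprouttab like the one above and the S 10.124.*.* entry from the smoke test: entries are tried top to bottom, the first match decides, omitted fields mean "*", and a request matching nothing is denied. The SNC name and IP address are the ones shown in the file; the request addresses are constructed; glob-style host matching and the S/native-protocol rule are approximations of the documented behaviour, and password fields, name resolution and CIDR masks are not modelled.

```python
"""Evaluate a saprouttab the way SAProuter does: entries are tried top to
bottom, the first match decides, missing fields default to "*", and a request
that matches nothing is denied. Added example for this article (not SAP code):
host matching is glob-style and the S-entry rule (SAP protocols only) is an
approximation; password fields, name resolution and CIDR masks are ignored."""
import fnmatch
import shlex
from dataclasses import dataclass
from typing import Optional

SAPSERV2_IP = "194.39.131.34"
SAPSERV2_SNC = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

# Constructed sample: the final saprouttab from this post (order matters)
SAPROUTTAB = """\
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC connection to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.1 3200
# SNC connection to local WINDOWS system for WTS
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.2 3389
# Access from the local Network to SAP
P 10.124.*.* 194.39.131.34 3299
# deny all other connections
D * * *
"""
# Constructed sample: the single permissive entry used during the smoke test
SMOKE_TEST_TAB = "S 10.124.*.*\n"


@dataclass(frozen=True)
class Rule:
    action: str                      # P, S, D or, for SNC partners, KT, KP, KD
    source: str                      # source-host pattern ("*" for K* entries)
    dest: str                        # destination-host pattern
    port: str                        # destination port/service pattern
    snc_name: Optional[str] = None   # SNC name of the partner for K* entries


def parse_saprouttab(text: str) -> list[Rule]:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)   # strips '#' comments, keeps quoted SNC names whole
        if not tokens:
            continue
        action = tokens[0].upper()
        if action in ("P", "S", "D"):
            source, dest, port = (tokens[1:4] + ["*"] * 3)[:3]   # absent fields mean "*"
            rules.append(Rule(action, source, dest, port))
        elif action in ("KT", "KP", "KD"):
            if len(tokens) < 2:
                raise ValueError(f"line {lineno}: {action} entry needs an SNC name")
            dest, port = (tokens[2:4] + ["*"] * 2)[:2]
            rules.append(Rule(action, "*", dest, port, snc_name=tokens[1]))
        else:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
    return rules


def _match(pattern: str, value: str) -> bool:
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())   # '*' wildcard, e.g. 10.124.*.*


def check_route(rules, source, dest, port, snc_partner=None, native=False):
    """Return (verdict, matched_rule, reason) for one hop request.
    snc_partner: SNC name of the peer when the incoming leg is SNC-protected, else None.
    native: True for non-SAP protocols (RDP, telnet, HTTP), which an S entry does not allow."""
    port = str(port)
    for rule in rules:
        if rule.snc_name is not None:                      # K* entries apply only to that SNC partner
            if snc_partner != rule.snc_name:
                continue
            if _match(rule.dest, dest) and _match(rule.port, port):
                verdict = "deny" if rule.action == "KD" else "permit"
                return verdict, rule, f"{rule.action} entry matched"
            continue
        if not (_match(rule.source, source) and _match(rule.dest, dest) and _match(rule.port, port)):
            continue
        if rule.action == "D":
            return "deny", rule, "D entry matched"
        if rule.action == "S" and native:
            return "deny", rule, "S entry permits SAP protocols only"
        return "permit", rule, f"{rule.action} entry matched"
    return "deny", None, "no matching entry (implicit deny)"


if __name__ == "__main__":
    rules = parse_saprouttab(SAPROUTTAB)
    for req in [
        dict(source=SAPSERV2_IP, dest="10.124.1.1", port=3200, snc_partner=SAPSERV2_SNC),
        dict(source=SAPSERV2_IP, dest="10.124.1.1", port=3200),            # same hop without SNC
        dict(source="10.124.5.5", dest=SAPSERV2_IP, port=3299),
        dict(source="10.124.5.5", dest="10.124.1.2", port=3389),           # internal hop through router
    ]:
        verdict, rule, reason = check_route(rules, **req)
        print(f"{req} -> {verdict} ({reason})")
```

Running it shows the properties you want from the table above: sapserv2 reaches 10.124.1.1:3200 only when it presents the listed SNC name, the same request without SNC or with another SNC name falls through to D * * *, an internal host may open the SAP-side port 3299 but cannot use the router to hop to an internal RDP port, and the lone smoke-test entry would have allowed the entire 10.124 subnet anywhere for SAP protocols.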
In the following posts, I'll explain how to add different systems to SAP router.
Revisions
I expect to update this post quite often. Here is the revision log:
11/04/2014: Initial Version