Wednesday, December 10, 2014

SAPRouter and Business Objects

Introduction

I've already explained how to install and configure SAP Router in your environment in an earlier post, and how to add your HANA system to SAPRouter in another. In this post, I'll explain how to add your BOBJ environment to SAPRouter. This may look very much like my previous post, with plenty of repetition, but please bear with me: there are some important distinctions.

Get the Details

1) Hostname or IP address of your BOBJ system E.g. 10.124.11.22
2) HTTP Port: It would normally be 8080

Set up routetab on SAP Router

1) Assuming you're using SNC, add the following to your routetab file (make sure it is above the deny line):

# SNC connection to local system for BOBJ Support
# BOBJ Server: 10.124.11.22
# HTTP Port: 8080
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.11.22 8080

2) Restart your SAP router service

Client Machine Setup

It is recommended to have a separate workstation which establishes the initial handshake between your SAP Router and SAP's SAP Router. Here are the steps:

1) Download "SAP Service Connector" and "SAP GUI" from service market place.

2) Install both the products.

Edit System at SAP support portal

1) Go to https://service.sap.com/sap/bc/bsp/spn/system_search/index.htm

2) Search for your system (the system you created to maintain license key etc. for your BOBJ server) and click on it.

3) Under "System" tab, you should see "SAP-Router" section. Click on "Edit System" at the bottom, and choose the hostname from the drop down (E.g. SAPROUTER01). Provide the service port (E.g. 3299).

4) Go to "Application Server" tab and click on "Create Server". 

5) Provide Hostname, IP Address, OS and OS Version etc. as relevant. You may provide 01 as the instance number if you have a single-node environment. If you have multiple nodes, provide instance numbers accordingly.

6) Click on "Add Server"

7) If you've a multinode environment, then repeat steps 4 through 6 and continue to add servers until you've all the nodes accounted for. 

8) Click on "Save System"

9) Go to "System" tab

10) Click on "Maintain Service Connection" button under SAP-Router section. 

NOTE: Alternatively you may go to https://support.sap.com/remote-support/remote-connections.html, click on "Maintain Connections" and select your system.

11) On the "Service Connection" window, under "Set up Connection types" section, click on "HTTP Connect - URLAccess". 

12) Verify the details and click "Save". 

13) A new connection would appear under "Open/Close Connections". 

14) Expand the URLs section and add the URL to Tomcat for all nodes.

Service Type: HTTP Connect - URLAccess
Description: Access to Tomcat
URL: http://servername:8080/

15) Click on the connection "HTTP Connect - URLAccess" under "Open/Close Connections".

16) Provide how long you want to allow the connection to remain open, provide your contact details and finally the route string to your SAP Router. E.g.

/H/10.124.1.100/S/3299

NOTE: If you've opened a successful connection to any system previously, a lot of these details will not be asked (Route String, Start Service Connector etc.). You'll simply be asked to "Open Connection". Steps 17 through 21 won't be there for such scenarios.

17) Click on "Start Service Connector" button. It would download a file called "stfk.oez". The browser screen would change and would ask the following question:

Was the opening network connection successful? 

with a "Yes" and a "No" button. DO NOT click on anything yet.

18) Copy the file to the client workstation where "SAP Service Connector" is installed. Double click to open.

19) A dialog box would open and say "'SAP Connector 2.0' application was started". Click the "OK" button on the dialog box.

20) Another dialog box would open and say "The service connection has been opened successfully.". Click the "OK" button on the dialog box.

21) Go back to the portal and click on "Yes" to the following question:

Was the opening network connection successful? 

22) From now onward, you may click on the connection under "Open/Close Connections" and set a time period to open connection for the specified period.

Revisions

I expect to update this post quite often. Here is the revision log:

12/09/2014: Initial Version

Tuesday, November 11, 2014

SAPRouter and HANA

Introduction

In my previous post, I'd explained how to install and configure SAP Router in your environment. In this and subsequent posts, I'll explain how to add your SAP systems to the router for remote monitoring and management. In this post, I'll explain how to add SAP HANA system to SAP Router.

Get the Details

1) Hostname or IP address of your HANA system E.g. 10.124.11.22
2) HANA instance ID E.g. 00
3) HTTP Port: It would be 5<Instance ID>13. E.g. 50013
4) JDBC Port: It would be 3<Instance ID>15. E.g. 30015
5) XS-Engine Port: It would be 80<Instance ID>. E.g. 8000

Set up routetab on SAP Router

1) Assuming you're using SNC, add the following to your routetab file (make sure it is above the deny line):

# SNC connection to local system for HANA Support
# HANA Server: 10.124.11.22
# HTTP Port: 50013
# JDBC Port: 30015
# XS-Engine Port: 8000
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.11.22 50013
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.11.22 30015
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.11.22 8000

2) Restart your SAP router service

Client Machine Setup

It is recommended to have a separate workstation which establishes the initial handshake between your SAP Router and SAP's SAP Router. Here are the steps:

1) Download "SAP Service Connector" and "SAP GUI" from service market place.

2) Install both the products.

Edit System at SAP support portal

1) Go to https://service.sap.com/sap/bc/bsp/spn/system_search/index.htm

2) Search for your system (the system you created to maintain license key etc. for your HANA server) and click on it.

3) Under "System" tab, you should see "SAP-Router" section. Click on "Edit System" at the bottom, and choose the hostname from the drop down (E.g. SAPROUTER01). Provide the service port (E.g. 3299).

4) Go to "Other Servers/Hosts" tab and click on "Create Server". 

5) Provide Hostname, IP Address, OS and OS Version etc. as relevant. Usage is typically "Other Server".

6) Click on "Add Server"

7) If you've a multinode environment, then repeat steps 4 through 6 and continue to add servers until you've all the nodes accounted for. 

8) Go to "DB Server" tab. Provide Hostname, IP Address, OS and OS Version etc. as relevant.

NOTE: Since this tab only allows one DB server, if you have a multinode system, it is advisable to put a load balancer in front of your HANA nodes and provide the hostname and IP of the load balancer. 

9) Click on "Save System"

10) Go to "System" tab

11) Click on "Maintain Service Connection" button under SAP-Router section. 

NOTE: Alternatively you may go to https://support.sap.com/remote-support/remote-connections.html, click on "Maintain Connections" and select your system.

12) On the "Service Connection" window, under "Set up Connection types" section, click on "SAP HANA Database".

13) Refer to "Set up routetab on SAP Router" section and provide the same ports here.

14) Click "Save". 

15) A new connection would appear under "Open/Close Connections". Click on the connection.

16) Provide how long you want to allow the connection to remain open, provide your contact details and finally the route string to your SAP Router. E.g.

/H/10.124.1.100/S/3299

NOTE: If you've opened a successful connection to any system previously, a lot of these details will not be asked (Route String, Start Service Connector etc.). You'll simply be asked to "Open Connection". Steps 17 through 21 won't be there for such scenarios.

17) Click on "Start Service Connector" button. It would download a file called "stfk.oez". The browser screen would change and would ask the following question:

Was the opening network connection successful? 

with a "Yes" and a "No" button. DO NOT click on anything yet.

18) Copy the file to the client workstation where "SAP Service Connector" is installed. Double click to open.

19) A dialog box would open and say "'SAP Connector 2.0' application was started". Click the "OK" button on the dialog box.

20) Another dialog box would open and say "The service connection has been opened successfully.". Click the "OK" button on the dialog box.

21) Go back to the portal and click on "Yes" to the following question:

Was the opening network connection successful? 

22) From now onward, you may click on the connection under "Open/Close Connections" and set a time period to open connection for the specified period.

23) Your SAP technician can now use the connection to access your HANA system.

NOTE: A) It is advisable to have HANA Studio installed on the HANA server, so that the SAP support engineer can use it to connect to your HANA system.

B) It is also advisable to create a user in HANA with minimum privileges and supply the credentials by clicking on "Maintain Access Data" button under system maintenance. This allows SAP support engineers to log on to your HANA system remotely. 

Revisions

I expect to update this post quite often. Here is the revision log:

11/11/2014: Initial Version
12/09/2014: Some minor corrections and an important note added under step #16

Tuesday, November 4, 2014

SAPRouter Installation and Configuration

Introduction

SAPRouter is a software-based proxy used for communications among on-premise SAP systems and with SAP global support centers. If all your SAP systems are on your internal network you may not need SAPRouter, unless you want SAP global support centers to get remote access to your servers for troubleshooting and monitoring. That is why I highly recommend having SAPRouter in place regardless of your network architecture.

Placement

You may place SAPRouter in your DMZ or inside your network and the choice is entirely yours. However, you must make sure that your firewall rules are changed accordingly to allow the following:

1) Your SAPRouter can connect to SAP global support centers on port 3299 (TCP) and ICMP Ping. A list of IPs for the global support centers is provided in SAP Note 48243.

2) The SAP global support centers can connect to your SAPRouter on port 3299 (TCP) and ICMP Ping. You must have a public IP address routed to your SAPRouter, preferably with a public DNS name.

3) Your on-premise SAP systems can connect to your SAPRouter on ports 3299 (TCP) and ICMP Ping (UDP). 

4) Your SAPRouter can connect to your on-premise SAP systems on any regular port (>1023).

Installation

The SAPRouter is available for most Windows and UNIX/Linux distributions. Here are the steps to install:

1. Download SAPRouter specific to your OS and distribution from the SAP support portal (https://support.sap.com). 

NOTE: The following instructions are for Windows system only. But instructions for UNIX/Linux are not that different. Please follow this as a general guideline.

2. The download will most likely be a .SAR file. You need to download a utility called SAPcar to extract the .SAR file. E.g. (for Windows)

sapcar.exe -xvf "saprouter_622-20010469.sar"

3. After the extraction, you would find the following three files:

1) niping.exe
2) saprouter.exe
3) patches.mf

4. Copy the files to a location on the server. E.g. Create D:\usr\sap\saprouter, D:\usr\sap\saprouter\logs and D:\usr\sap\saprouter\traces folders. Copy the above files to D:\usr\sap\saprouter. 

5. Create an empty text file called saprouttab at D:\usr\sap\saprouter.

NOTE: Prior to Windows 2003 there were no native tools to manipulate Windows services, which is why SAP recommended using ntscmgr.exe. That tool is no longer supported on Windows 2003 and later systems.

6. The command to install the service is:

sc.exe create <NameOfTheService> binPath= "<PathToServiceExecutable> service -r <parameter>" type= own start= auto

For example, the following will install a windows service called SAProuter with autostart with log files rolling off at 1MB with trace verbose level set at 1 and restart count set at 3. For more information, you may refer to the SAProuter installation guide.

sc.exe create SAProuter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -G D:\usr\sap\saprouter\logs\saprouter.log -J 1048576 -T D:\usr\sap\saprouter\traces\saproutertrace.log -V 1 -E -Y 3" type= own start= auto

Smoke Test

1. After the service is installed, start the service. 

2. Check the logfile at D:\usr\sap\saprouter\logs\ to verify that the service started successfully. 

3. You now need two other machines to serve as a test server and a test client. Copy niping.exe to both machines.

4. On the box designated as the test server, start niping as follows: 

niping -s

5. On the box designated as the test client, start niping to connect to the test server as follows:

niping -c -H testserverboxname

6. After the above ping test is successful, on the box designated as the test client, start niping to connect to the SAProuter via the test server as follows:

niping -c -H /H/saprouterboxname/H/testserverboxname

NOTE: Instead of box names, you may use IP addresses.

You may receive a "route permission denied" error while running the above test. We'll get back to it later.

7. On the box designated as the SAProuter, do a self test as follows:

niping -t

The result should be OK.

8. On the SAProuter box, stop the SAProuter service, open D:\usr\sap\saprouter\saprouttab with notepad and add the following entry:

S 10.124.*.*

where 10.124 is the subnet that your test client and server machines are on.

9. Save the file and start the service again. Run the test from test client again:

niping -c -H /H/saprouterboxname/H/testserverboxname

The ping should be successful.

Add your SAProuter to SAP

1. Work with your network team to create a public DNS and IP and have it NATed to your SAProuter box. Make sure the firewall rules as explained under "Placement" section are still in place. E.g.

DNS "A" Record

Public Address: saprouter01.example.com
IP: NNN.NNN.NNN.NNN

2. Download SAP Note 28976 (Remote connection data sheet) and fill it out. SAP supports several connection types, including VPN and dial-up. The simplest is a secured connection over the internet. If that is what you choose, fill out only the "Remote connection data sheet (Internet)" section.

3. Create an incident with SAP with component "XX-SER-NET-NEW". The short description should say "Remote Connection Data Sheet". Attach the filled out remote connection data sheet.

4. Once SAP has processed the incident, you will see that your SAP router has been added to your organization's SAP router list. To check, go to https://support.sap.com/remote-support/saprouter/saprouter-certificates.html and click on the "Apply Now" button on the right. You should see something like the following:

SAProuter Name | Distinguished Name (Parameter for SAPGENPSE)             | Target (on SAP-side)
SAPROUTER01    | CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE | sapserv2

5. Click on "Continue" button. On the next screen, copy the distinguished name (DN) to notepad. The DN should look like:

CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE

6. Cancel this request for the time being, as we have more work to do as below.

Secure the connection

In order to secure connection between your SAProuter and SAP's SAProuter, you need to enable SNC (Secured Network Connection). There are several steps involved here.

Install SAP Cryptolib

Firstly, you need to install the SAP Cryptolib. 

1. Download SAPCryptolib specific to your OS and distribution from the SAP support portal (https://support.sap.com). 

NOTE: The following instructions are for Windows system only. But instructions for UNIX/Linux are not that different. Please follow this as a general guideline.

2. The above download may most probably be a .SAR file. You need to download a utility called SAPcar to extract the .SAR file. E.g. (for Windows)

sapcar.exe -xvf "SAPCRYPTOLIB_38-10010888.SAR"

3. After the extraction, you would find the following files/folders:

1) ntia64
2) ntintel
3) nt-x86_64
4) Changelog.txt
5) LEGAL.TXT
6) LICENSE.TXT
7) SIGNATURE.SMF
8) ticket
9) Ver555.pl38
10) WHICH.TXT

4. Copy all these files/folders to a location on the server. E.g. Create D:\usr\sap\sapcryptolib and D:\usr\sap\sapcryptolib\certificates. Copy the above files/folders to D:\usr\sap\sapcryptolib.

5. Create a System Environment Variable called SECUDIR with the value D:\usr\sap\sapcryptolib\certificates.

6. Create another System Environment Variable called SNC_LIB pointing to the sapcrypto.dll for your specific processor architecture. E.g. D:\usr\sap\sapcryptolib\nt-x86_64\sapcrypto.dll

Create a PSE (Personal Security Environment) and CSR (Certificate Signing Request)

1. On the command prompt, change directory to the cryptolib directory and then to specific processor architecture for your box. E.g.

cd D:\usr\sap\sapcryptolib\nt-x86_64

2. Run the sapgenpse with get_pse option with appropriate details. E.g.

sapgenpse get_pse -p "D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" -r "D:\usr\sap\sapcryptolib\certificates\saprouter01req.txt" -x "mypassword" "CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE"

where

"D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" is the complete path to the PSE file
"D:\usr\sap\sapcryptolib\certificates\saprouter01req.txt" is the complete path to the CSR file
"mypassword" is the password to protect the PSE
"CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE" is the distinguished name as copied in the last step of the "Add your SAProuter to SAP" section above.

3. Verify that the PSE and CSR has been created.

Request and Import Certificate for SAProuter

1. Go to https://support.sap.com/remote-support/saprouter/saprouter-certificates.html and click on the "Apply Now" button on the right. You should see something like the following:

SAProuter Name | Distinguished Name (Parameter for SAPGENPSE)             | Target (on SAP-side)
SAPROUTER01    | CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE | sapserv2

2. Click on "Continue" button. Copy the content of the CSR file generated above to the text box and click on "Request Certificate".

3. Copy the display on the screen including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" to Notepad on SAProuter box and save it as D:\usr\sap\sapcryptolib\certificates\saprouter01.cer.

4. On the command prompt, change directory to the cryptolib directory and then to the specific processor architecture for your box. E.g.

cd D:\usr\sap\sapcryptolib\nt-x86_64

5. Run sapgenpse with the import_own_cert option and the appropriate details (note the option is import_own_cert, not get_pse, which would create a new PSE instead of importing the certificate). E.g.

sapgenpse import_own_cert -p "D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" -c "D:\usr\sap\sapcryptolib\certificates\saprouter01.cer" -x "mypassword"

where

"D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" is the complete path to the PSE file
"D:\usr\sap\sapcryptolib\certificates\saprouter01.cer" is the complete path to the Certificate downloaded from SAP
"mypassword" is the password to protect the PSE

6. Verify that the certificate is properly imported to PSE.

Create Service Account and its Credentials

So far, the SAProuter service has been running under "Local System" account. Now it is time to create a service account to run the service.

1. Work with your Domain Administrators to create a domain account. E.g. example.com\saprouter.

2. On the command prompt, change directory to the cryptolib directory and then to the specific processor architecture for your box. E.g.

cd D:\usr\sap\sapcryptolib\nt-x86_64

3. Run the sapgenpse with seclogin option with appropriate details. E.g.

sapgenpse seclogin -p "D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" -O "example.com\saprouter" -x "mypassword"

where

"D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" is the complete path to the PSE file
"example.com\saprouter" is the domain account that will be used to run the service
"mypassword" is the password to protect the PSE

4. Verify that the credentials for SSO have been added properly.

5. Login as the domain user (example.com\saprouter) to the box and run sapgenpse with get_my_name option to verify credentials. E.g.

sapgenpse get_my_name -v -n Issuer

It should display the issuer as follows (depending on your SAP location):

Issuer  : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

Change Service User and Options

When we first installed the service (step #6 of "Installation"), we had created it without SNC. Now is the time to delete the service and recreate using SNC.

1. Delete the SAProuter service by providing the following command:

sc.exe delete SAProuter 

2. Recreate the service with SNC

sc.exe create SAProuter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -K """p:CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE""" -G D:\usr\sap\saprouter\logs\saprouter.log -J 1048576 -T D:\usr\sap\saprouter\traces\saproutertrace.log -V 1 -E -Y 3" type= own start= auto

The only parameter added from the last time is -K """p:CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE"""

NOTE: The value for -K must be enclosed in three double-quotes, so that sc.exe passes a single double-quote through to the service parameter. Also the distinguished name must be given in the form p:<distinguished name>.

3. Modify the service to run as the domain account instead of default local system account. Start the service.

4. Perform a round of smoke tests as explained under the "Smoke Test" section.

Change Route Table to allow access from SAP

1. If you've followed the steps under "Smoke Test" section, you may have the following entry in D:\usr\sap\saprouter\saprouttab file:

S 10.124.*.*

where 10.124 is the subnet where your SAP servers are (BOBJ, BODS, ABAP etc.)

2. If you've requested SNC over internet, most likely you've been assigned sapserv2 as SAP's router. The following is an example of how the saprouttab file must be set up:

# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC connection to local system for R/3-Support
# R/3 Server: 10.124.1.1
# R/3 Port: 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.1 3200

# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 10.124.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.2 3389

# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 10.124.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.3 23

# SNC connection to local Portal system for URL access, if applicable
# Portal server: 10.124.1.4
# Port number: 50003
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.4 50003

# Access from the local Network to SAP
P 10.124.*.* 194.39.131.34 3299

# deny all other connections
D * * *
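The route permission table is the SAProuter's access control list, so it pays to check it mechanically. The following Python script is an added example (not SAP's code, nor the author's): it parses saprouttab entries built from the snippets in these three posts, evaluates a requested route top-down with first-match-wins semantics, and flags permits that are broader than intended or that sit below the deny line. Its modelling assumptions: KT names the SNC partner rather than acting as a permit rule, an omitted dest/port field means '*', and no match is treated as deny.

```python
import re
from dataclasses import dataclass
# Constructed saprouttab modelled on the snippets in these three posts (not a real file).
SAMPLE_SAPROUTTAB = """\
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC connections from SAP to the R/3 dispatcher and the HANA JDBC port
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.1 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.11.22 30015
# Access from the local network to SAP, then deny everything else
P 10.124.*.* 194.39.131.34 3299
D * * *
"""
SAPSERV2 = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
_ENTRY = re.compile(r'^(KT|KP|KS|KD|P|S|D)\s+("[^"]*"|\S+)(?:\s+(\S+))?(?:\s+(\S+))?')

@dataclass
class Entry:
    kind: str      # P, S, D (plain) or KT, KP, KS, KD (SNC)
    src: str       # source host pattern, or the SNC name for K* entries
    dest: str      # destination host pattern
    port: str      # destination port or '*'
    line_no: int

def parse_saprouttab(text):
    """Parse saprouttab entries; '#' comments and blank lines are ignored."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"line {n}: unparsable entry {raw!r}")
        kind, src, dest, port = m.groups()
        # An omitted dest/port field means '*' (the smoke-test line 'S 10.124.*.*' relies on this)
        entries.append(Entry(kind, src.strip('"'), dest or "*", port or "*", n))
    return entries

def host_match(pattern, host):
    """'*' matches anything; dotted patterns match per component, e.g. '10.124.*.*'."""
    if pattern == "*":
        return True
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) and all(a in ("*", b) for a, b in zip(p, h))

def decide(entries, src, dest, port, snc_name=None):
    """Top-down, first match wins; no match is deny. Returns (verdict, matching line no)."""
    for e in entries:
        if e.kind == "KT":
            continue  # names the SNC partner on the SAP side; not a permit rule in this model
        if e.kind.startswith("K"):
            if snc_name != e.src:  # applies only to a peer authenticated under that SNC name
                continue
            matched = host_match(e.dest, dest) and e.port in ("*", str(port))
        else:
            matched = (host_match(e.src, src) and host_match(e.dest, dest)
                       and e.port in ("*", str(port)))
        if matched:
            return ("deny" if e.kind in ("D", "KD") else "permit", e.line_no)
    return ("deny", None)

def lint(entries):
    """Flag over-broad permits and entries that sit below the catch-all deny line."""
    findings = []
    for i, e in enumerate(entries):
        if e.kind in ("P", "S") and e.dest == "*" and e.port == "*":
            findings.append(f"line {e.line_no}: '{e.kind} {e.src}' permits every host and port")
        if e.kind == "D" and (e.src, e.dest, e.port) == ("*", "*", "*") and i < len(entries) - 1:
            findings.append(f"line {e.line_no}: entries below the catch-all deny never match")
    return findings
```

Running lint over the smoke-test file (just `S 10.124.*.*`) shows why that entry must be replaced before the router is exposed to SAP: it permits every destination and port for the whole subnet.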

In the following posts, I'll explain how to add different systems to SAP router.

Revisions

I expect to update this post quite often. Here is the revision log:

11/04/2014: Initial Version