Introduction
SAPRouter is a software-based proxy used for communication among SAP systems, whether on-premise or with the SAP global support centers. If all your SAP systems are on your internal network you may not need SAPRouter, unless you want the SAP global support centers to have remote access to your servers for troubleshooting and monitoring. That is why I highly recommend having SAPRouter in place regardless of your network architecture.
Placement
You may place SAPRouter in your DMZ or inside your network; the choice is entirely yours. However, you must make sure that your firewall rules are changed accordingly to allow the following:
1) Your SAPRouter can connect to the SAP global support centers on port 3299 (TCP) and ICMP Ping (UDP). A list of IPs for the global support centers is provided in SAP Note # 48243.
2) The SAP global support centers can connect to your SAPRouter on port 3299 (TCP) and ICMP Ping (UDP). You must have a public IP routed to your SAPRouter, preferably associated with a public DNS name.
3) Your on-premise SAP systems can connect to your SAPRouter on port 3299 (TCP) and ICMP Ping (UDP).
4) Your SAPRouter can connect to your on-premise SAP systems on any regular port (>1023).
Installation
The SAPRouter is available for most Windows and UNIX/Linux distributions. Here are the steps to install:
1. Download SAPRouter specific to your OS and distribution from the SAP support portal (https://support.sap.com).
NOTE: The following instructions are for Windows systems only, but the UNIX/Linux instructions are not very different; use this as a general guideline.
2. The download will most likely be a .SAR file. You need the SAPCAR utility to extract the .SAR file, e.g. (on Windows):
sapcar.exe -xvf "saprouter_622-20010469.sar"
3. After the extraction, you will find the following three files:
1) niping.exe
2) saprouter.exe
3) patches.mf
4. Copy the files to a location on the server. E.g. Create D:\usr\sap\saprouter, D:\usr\sap\saprouter\logs and D:\usr\sap\saprouter\traces folders. Copy the above files to D:\usr\sap\saprouter.
5. Create an empty text file called saprouttab at D:\usr\sap\saprouter.
NOTE: Prior to Windows 2003 there were no native tools to manipulate Windows services, which is why SAP recommended using ntscmgr.exe at the time. That tool is no longer supported on Windows 2003 and later systems.
6. The command to install the service is (note that sc.exe requires the space after each = sign):
sc.exe create <NameOfTheService> binPath= "<PathToServiceExecutable> service -r <parameters>" type= own start= auto
For example, the following installs a Windows service called SAProuter that starts automatically, rolls the log file over at 1 MB, sets the trace level to 1 and sets the restart count to 3. For more information, refer to the SAProuter installation guide.
sc.exe create SAProuter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -G D:\usr\sap\saprouter\logs\saprouter.log -J 1048576 -T D:\usr\sap\saprouter\traces\saproutertrace.log -V 1 -E -Y 3" type= own start= auto
Smoke Test
1. After the service is installed, start the service.
2. Check the logfile at D:\usr\sap\saprouter\logs\ to verify that the service started successfully.
3. You now need two other machines to serve as a test server and a test client. Copy niping.exe to both machines.
4. On the box designated as the test server, start niping as follows:
niping -s
5. On the box designated as the test client, start niping to connect to the test server as follows:
niping -c -H testserverboxname
6. After the above ping test is successful, on the box designated as the test client, start niping to connect to the SAProuter via the test server as follows:
niping -c -H /H/saprouterboxname/H/testserverboxname
NOTE: Instead of box names, you may use IP addresses.
You may receive a "route permission denied" error while running the above test; we'll get back to that in step 8.
7. On the box designated as the SAProuter, do a self test as follows:
niping -t
The result should be OK.
8. On the SAProuter box, stop the SAProuter service, open D:\usr\sap\saprouter\saprouttab in Notepad and add the following entry:
S 10.124.*.*
where 10.124 is the subnet that your test client and test server machines are on.
9. Save the file and start the service again. Run the test from test client again:
niping -c -H /H/saprouterboxname/H/testserverboxname
The ping should be successful.
Add your SAProuter to SAP
1. Work with your network team to create a public DNS name and IP and have it NATed to your SAProuter box. Make sure the firewall rules explained under the "Placement" section are still in place. E.g.
DNS "A" Record
Public Address: saprouter01.example.com
IP: NNN.NNN.NNN.NNN
2. Download SAP Note 28976 (Remote connection data sheet) and fill it out. SAP supports several connection types, including VPN and dial-up. The simplest is a secured connection over the internet; if that is what you choose, fill out only the "Remote connection data sheet (Internet)" section.
3. Create an incident with SAP with component "XX-SER-NET-NEW". The short description should say "Remote Connection Data Sheet". Attach the filled out remote connection data sheet.
4. Once SAP has processed the incident, your SAProuter will appear in your organization's SAProuter list. To check, go to https://support.sap.com/remote-support/saprouter/saprouter-certificates.html and click the "Apply Now" button on the right. You should see something like the following:
SAProuter Name | Distinguished Name (Parameter for SAPGENPSE) | Target (on SAP-side)
SAPROUTER01 | CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE | sapserv2
5. Click the "Continue" button. On the next screen, copy the distinguished name (DN) to Notepad. The DN should look like:
CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE
6. Cancel this request for now; there is more work to do first, as described below.
Secure the connection
In order to secure the connection between your SAProuter and SAP's SAProuter, you need to enable SNC (Secure Network Communications). There are several steps involved.
Install SAP Cryptolib
First, you need to install the SAP Cryptolib.
1. Download SAPCryptolib specific to your OS and distribution from the SAP support portal (https://support.sap.com).
NOTE: The following instructions are for Windows systems only, but the UNIX/Linux instructions are not very different; use this as a general guideline.
2. The download will most likely be a .SAR file. You need the SAPCAR utility to extract the .SAR file, e.g. (on Windows):
sapcar.exe -xvf "SAPCRYPTOLIB_38-10010888.SAR"
3. After the extraction, you will find the following files/folders:
1) ntia64
2) ntintel
3) nt-x86_64
4) Changelog.txt
5) LEGAL.TXT
6) LICENSE.TXT
7) SIGNATURE.SMF
8) ticket
9) Ver555.pl38
10) WHICH.TXT
4. Copy all these files/folders to a location on the server. E.g. Create D:\usr\sap\sapcryptolib and D:\usr\sap\sapcryptolib\certificates. Copy the above files/folders to D:\usr\sap\sapcryptolib.
5. Create a System Environment Variable called SECUDIR with the value D:\usr\sap\sapcryptolib\certificates.
6. Create another System Environment Variable called SNC_LIB pointing to the sapcrypto.dll for your processor architecture. E.g. D:\usr\sap\sapcryptolib\nt-x86_64\sapcrypto.dll
Create a PSE (Personal Security Environment) and CSR (Certificate Signing Request)
1. On the command prompt, change directory to the cryptolib directory and then to the subfolder for your box's processor architecture. E.g.
cd D:\usr\sap\sapcryptolib\nt-x86_64
2. Run sapgenpse with the get_pse option and the appropriate details. E.g.
sapgenpse get_pse -p "D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" -r "D:\usr\sap\sapcryptolib\certificates\saprouter01req.txt" -x "mypassword" "CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE"
where
"D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" is the complete path to the PSE file
"D:\usr\sap\sapcryptolib\certificates\saprouter01req.txt" is the complete path to the CSR file
"mypassword" is the password to protect the PSE
"CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE" is the distinguished name copied in the last step of the "Add your SAProuter to SAP" section above.
3. Verify that the PSE and CSR files have been created.
Request and Import Certificate for SAProuter
1. Go to https://support.sap.com/remote-support/saprouter/saprouter-certificates.html and click the "Apply Now" button on the right. You should see something like the following:
SAProuter Name | Distinguished Name (Parameter for SAPGENPSE) | Target (on SAP-side)
SAPROUTER01 | CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE | sapserv2
2. Click the "Continue" button. Paste the content of the CSR file generated above into the text box and click "Request Certificate".
3. Copy the text displayed on the screen, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, into Notepad on the SAProuter box and save it as D:\usr\sap\sapcryptolib\certificates\saprouter01.cer.
4. On the command prompt, change directory to the cryptolib directory and then to the subfolder for your box's processor architecture. E.g.
cd D:\usr\sap\sapcryptolib\nt-x86_64
5. Run sapgenpse with the import_own_cert option and the appropriate details. E.g.
sapgenpse import_own_cert -p "D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" -c "D:\usr\sap\sapcryptolib\certificates\saprouter01.cer" -x "mypassword"
where
"D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" is the complete path to the PSE file
"D:\usr\sap\sapcryptolib\certificates\saprouter01.cer" is the complete path to the certificate downloaded from SAP
"mypassword" is the password to protect the PSE
6. Verify that the certificate has been imported into the PSE properly.
Create Service Account and its Credentials
So far, the SAProuter service has been running under the "Local System" account. Now it is time to create a dedicated service account to run the service.
1. Work with your Domain Administrators to create a domain account. E.g. example.com\saprouter.
2. On the command prompt, change directory to the cryptolib directory and then to the subfolder for your box's processor architecture. E.g.
cd D:\usr\sap\sapcryptolib\nt-x86_64
3. Run sapgenpse with the seclogin option and the appropriate details. E.g.
sapgenpse seclogin -p "D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" -O "example.com\saprouter" -x "mypassword"
where
"D:\usr\sap\sapcryptolib\certificates\saprouter01.pse" is the complete path to the PSE file
"example.com\saprouter" is the domain account that will be used to run the service
"mypassword" is the password to protect the PSE
4. Verify that the credentials for SSO have been added properly.
5. Log in to the box as the domain user (example.com\saprouter) and run sapgenpse with the get_my_name option to verify the credentials. E.g.
sapgenpse get_my_name -v -n Issuer
It should display the issuer as follows (depending on your SAP location):
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Change Service User and Options
When we first installed the service (step 6 of "Installation"), we created it without SNC. Now it is time to delete the service and recreate it with SNC.
1. Delete the SAProuter service with the following command:
sc.exe delete SAProuter
2. Recreate the service with SNC:
sc.exe create SAProuter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -K """p:CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE""" -G D:\usr\sap\saprouter\logs\saprouter.log -J 1048576 -T D:\usr\sap\saprouter\traces\saproutertrace.log -V 1 -E -Y 3" type= own start= auto
The only parameter added since the last time is -K """p:CN=SAPROUTER01, OU=0000123456, OU=SAProuter, O=SAP, C=DE"""
NOTE: The value for -K must be enclosed in three double quotes so that sc.exe passes a single double quote through as part of the parameter. The distinguished name must also be prefixed with p:, i.e. p:<distinguished name>.
3. Modify the service to run as the domain account instead of the default Local System account, then start the service.
4. Perform another round of smoke tests as explained under the "Smoke Test" section.
Change Route Table to allow access from SAP
1. If you've followed the steps under the "Smoke Test" section, you may have the following entry in the D:\usr\sap\saprouter\saprouttab file:
S 10.124.*.*
where 10.124 is the subnet where your SAP servers (BOBJ, BODS, ABAP etc.) are.
2. If you've requested SNC over the internet, most likely you've been assigned sapserv2 as SAP's router. The following is an example of how the saprouttab file must be set up:
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC connection to local system for R/3-Support
# R/3 Server: 10.124.1.1
# R/3 Port: 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.1 3200
# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 10.124.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.2 3389
# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 10.124.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.3 23
# SNC connection to local Portal system for URL access, if applicable
# Portal server: 10.124.1.4
# Port number: 50003
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.4 50003
# Access from the local Network to SAP
P 10.124.*.* 194.39.131.34 3299
# deny all other connections
D * * *
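To see how SAProuter evaluates a table like the one above (the first matching entry decides, and a request that matches no entry is refused, which is the "route permission denied" you saw in the smoke test before step 8), here is an added Python example that is not part of this post and not SAP's software. It parses a saprouttab, answers "would this route be allowed, and by which line", and lints for the two things worth checking on every router before it is exposed to the internet: a closing D * * * entry, and permit entries that open every destination and port (the smoke-test entry S 10.124.*.* is one, which is why the final table replaces it). The sample tables are copies of the ones in this post. The K* entries are modelled as SNC-authenticated versions of P/S/D whose host and port columns describe the destination, an omitted host or port column is taken as *, and only the * wildcard is handled; these are simplifications I am assuming, not SAP's documented semantics.

```python
"""saprouttab evaluator: added example for this post, not SAP code.

Models the route permission table the way the post describes it: the first
matching entry decides, and a request that matches no entry is refused
("route permission denied").  Simplifying assumptions, not SAP's documented
semantics: K* entries are SNC-authenticated versions of P/S/D whose host and
port columns describe the destination, an omitted host or port column means
"*", and only the "*" wildcard is understood (no CIDR masks).
"""
import fnmatch
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACTIONS = {"P", "S", "D", "KP", "KS", "KD", "KT"}
PERMIT = {"P", "S", "KP", "KS", "KT"}


@dataclass
class Route:
    action: str               # P/S/D, or KP/KS/KD/KT for SNC-protected entries
    snc_name: Optional[str]   # "p:CN=..." of the SNC partner for K* entries, else None
    source: str               # source host pattern ("*" for K* entries: the SNC name identifies the peer)
    dest: str                 # destination host pattern
    port: str                 # destination port, or "*"
    lineno: int               # line in saprouttab, for audit output


def _field(fields: List[str], i: int) -> str:
    return fields[i] if len(fields) > i else "*"   # assumption: omitted column means "*"


def parse_saprouttab(text: str) -> List[Route]:
    """Parse the text of a saprouttab file into Route entries, in file order."""
    routes: List[Route] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)               # keeps the quoted SNC name as one field
        action = fields[0].upper()
        if action not in ACTIONS:
            raise ValueError(f"saprouttab line {lineno}: unknown action {fields[0]!r}")
        if action.startswith("K"):
            # KP "p:CN=..." <dest-host> <dest-port>
            snc_name = fields[1]
            source, dest, port = "*", _field(fields, 2), _field(fields, 3)
        else:
            # P/S/D <source-host> <dest-host> <dest-port> [<password>]
            snc_name = None
            source, dest, port = _field(fields, 1), _field(fields, 2), _field(fields, 3)
        routes.append(Route(action, snc_name, source, dest, port, lineno))
    return routes


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or fnmatch.fnmatchcase(value, pattern)


def check_route(routes: List[Route], source: str, dest: str, port,
                snc_name: Optional[str] = None) -> Tuple[bool, Optional[Route]]:
    """Return (allowed, deciding entry).  No matching entry means (False, None)."""
    for r in routes:
        if r.snc_name is not None and r.snc_name != snc_name:
            continue                              # SNC entries require the partner's SNC name
        if _match(r.source, source) and _match(r.dest, dest) and _match(r.port, str(port)):
            return r.action in PERMIT, r          # first match wins
    return False, None


def lint_saprouttab(routes: List[Route]) -> List[str]:
    """Findings worth fixing before exposing the router to the internet."""
    findings = []
    last = routes[-1] if routes else None
    if last is None or last.action != "D" or (last.source, last.dest, last.port) != ("*", "*", "*"):
        findings.append("no closing 'D * * *' entry; add one so the refusal is explicit")
    for r in routes:
        if r.action in ("P", "S") and r.dest == "*" and r.port == "*":
            findings.append(f"line {r.lineno}: '{r.action} {r.source}' permits every destination and port")
    return findings


# Constructed sample: the SNC table from this post, trimmed to five entries.
SAMPLE_SAPROUTTAB = """\
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC connection to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.1 3200
# SNC connection to local WINDOWS system for WTS
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.124.1.2 3389
# Access from the local Network to SAP
P 10.124.*.* 194.39.131.34 3299
# deny all other connections
D * * *
"""

# Constructed sample: the single entry from step 8 of the smoke test.
SMOKE_TEST_SAPROUTTAB = "S 10.124.*.*\n"


if __name__ == "__main__":
    table = parse_saprouttab(SAMPLE_SAPROUTTAB)
    sap = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
    for req in (("10.124.5.7", "194.39.131.34", 3299, None),
                ("194.39.131.34", "10.124.1.1", 3200, sap),
                ("194.39.131.34", "10.124.1.9", 3389, sap)):
        ok, rule = check_route(table, *req)
        print(req[:3], "allowed" if ok else "denied", f"by line {rule.lineno}" if rule else "(no entry)")
    for finding in lint_saprouttab(parse_saprouttab(SMOKE_TEST_SAPROUTTAB)):
        print("smoke-test table:", finding)
```

Running it against the smoke-test table reports both findings (no closing deny, and an S entry open to every destination), while the final SNC table passes clean: a local client may reach sapserv2 on 3299 via the P line, SAP may reach 10.124.1.1:3200 only when it presents the sapserv2 SNC name, and everything else falls through to D * * *.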
In follow-up posts, I'll explain how to add different systems to the SAProuter.
Revisions
I expect to update this post quite often. Here is the revision log:
11/04/2014: Initial Version