SAProuter Installation
1. Introduction
The purpose of this document is to
set out the process used in the creation of a SAProuter connection to SAP.
2. Installation Process
2.1. Server
A dedicated server (hostname) has
been built for the SAProuter). The spec of this server is:
·
2 hyper-threading (HTT) CPUs
with 2GHz tact frequency
·
2 GB RAM
·
50 MB free space on the hard
drive for SAProuter and configuration
·
20GB D: drive for SAP router
& log files
·
64bit server
·
OS Windows 2008
Its internal IP address: Host IP
2.2. SAP Registration
In order to have this new SAProuter
connection with SAP, registered the following details with SAP.
On approval SAP register the following
details in the SAP Marketplace
1.1. SAProuter Software
The following version of the SAProuter software was
downloaded from the SAP Marketplace:
·
SAProuter
7.20 (patch level 423) for Windows on x64 64bit
We also downloaded the following cryptographic
software for the SNC connection
·
SAPCRYPTOLIB
5.5.5 (patch level 36) for Windows on x64 64bit
1.1. Setting the environment variable
Once the software has been installed on the server the
next step is to set the environment variables SECUDIR and SNC_LIB. These are as
follows:
·
SECUDIR
= D:\usr\sap\sap\saprouter
·
SNC_LIB
= D:\usr\sap\sap\saprouter\ntintel\sapcrypto.dll
One set reboot the system once you have checked that
the terminal services have started.
1.1. Downloading and installing the SAProuter certificate
From the SAP Marketplace download a certificate and
then install it on the server. The process for doing this is as follows.
Go to the SAP Marketplace and obtain the “Distinguished
Name” for the new SAProuter installation as advised by SAP. For this
installation it is:
·
CN=HOSTNAME,
OU=0000848841, OU=SAProuter, O=SAP, C=DE
Generate the certificate request with the command:
sapgenpse get_pse -v -r certreq -p local.pse "" as follows:
·
sapgenpse
get_pse -v -r certreq -p local.pse "CN=hostname, OU=0000848841,
OU=SAProuter, O=SAP, C=DE"
From the directory D:\usr\sap\sap\saprouter\ntintel\,
copy the content of the file certreq to the second tab “Create and Enter CSR”
in the SAP Marketplace.
SAP
will then return the new certificate on selecting “Request Certificate
Copy and paste the text to a new local file named
"srcert", which must be created in the same directory as the
sapgenpse executable (D:\usr\sap\sap\saprouter\ntintel\)
This certificate needs to be imported into SAProuter.
First of all execute the following command on the /saprouter/ntintel
directory:
·
sapgenpse
import_own_cert -c srcert -p local.pse
Enter PIN: ?????
Now you will have to create the credentials for the
SAProuter to do this execute the following command in the /saprouter/ntintel
directory.
·
sapgenpse
seclogin -p local.pse
·
Enter PIN: ????? (same as point 9)
This will create a file "cred_v2" in the
same directory as local.pse.
To check whether the certificate has been imported
correctly execute this command in the /saprouter/ntintel directory.
·
sapgenpse
get_my_name -v -n Issuer
The successful result will be: Issuer : "CN=SAProuter CA, OU=SAProuter, O=SAP,
C=DE".
1.1. Installing the SAProuter as an NT Service
Should there be registry
changes also detailed here?
Use the following command to newly define the service
from the command line:
·
sc.exe
create SAPRouter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r
-W 60000 -R D:\usr\sap\saprouter\saprouttab -K ^p:CN=HOSTNAME, OU=0000848841,
OU=SAProuter, O=SAP, C=DE ^" start= auto obj= "NT
AUTHORITY\LocalService"
You will receive the following success message: [SC] CreateService
SUCCESS
1.1. Starting the SAProuter
To start the SAProuter use the following command line:
·
saprouter
-r -S -K "p:"
(-K tells the SAProuter to start with loading the SNC
library)
In our case the command was:
·
saprouter
-r -K "p:CN=hostname, OU=0000848841, OU=SAProuter, O=SAP, C=DE"
The parameter -S , was omitted and therefore the
SAProuter is using the default port 3299.
Network Part.
|
|
Network Part.
Steps
described in SAP note 525751(Installation of the SNC SAP Router as NT Service)
Edit the string in the registry under
MyComputer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ saprouter and
change ^ to “ under Image Path.
Then Save it.
Routtab configuration.
The corresponding file saprouttab must contain at least the following
entries
# Outbound connections to will use SNC
KT "p:CN=sapservX, OU=SAProuter, O=SAP, C=DE"
# Inbound connections MUST use SNC
KP "p:CN=sapservX, OU=SAProuter, O=SAP, C=DE"
# Repeat this for the servers and port_numbers you will need to
# allow. Please make sure that all explicit ports are inserted
in
# front of a generic entry '*' for port_number
# Permission entries to check if connection is allowed at all
P
# All other connections will be denied
D * * *
Configuration in SAP market place and OSS1 (Technical settings)
Tcode- OSS1
Go to – technical settings
Maintain the details. (New SAP
router details)