
SAP SNC Configuration Guide

Updated Jul 09, 2018

One Stop Guide to Configure SNC SAPRouter

SAP SNC CONFIGURATION
DOWNLOADING CRYPTOGRAPHIC SOFTWARE
CREATING THE KEY
TRANSMITTING THE KEY
CREATING THE CERTIFICATE
IMPORTING CERTIFICATE
START SNC SAP ROUTER
    In Unix
    In Windows
SAPROUTTAB ENTRIES
    Example
DEBUGGING
    Check whether certificate is installed correctly
CHECK THE ENVIRONMENT VARIABLES
    UNIX
    WINDOWS

SAP SNC CONFIGURATION

DOWNLOADING CRYPTOGRAPHIC SOFTWARE

[Screenshot: SAP-SNC-1]

Extract the cryptographic libraries, sapgenpse and the ticket files into the saprouter.exe location using

# SAPCAR -xvf <cryptographic car file>

CREATING THE KEY

Next, go to www.service.sap.com/tcp and get the distinguished name. Then execute the following command, copying and pasting the distinguished name into it.

/* "CN" and "OU" in the distinguished name will be different for different organizations */

# ./sapgenpse get_pse -v -r certreq -p local.pse "CN=yourhostname, OU=123456, OU=SAProuter, O=SAP, C=DE"

Got absolute PSE path "/usr/sap/C11/SYS/exe/run/local.pse".
Please enter PIN:<press enter>
Please reenter PIN:<press enter>
Supplied distinguished name: "CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE "
Generating key (RSA, 1024-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.

TRANSMITTING THE KEY

This generates a certificate request in the file "certreq". The next step is to copy this request to www.service.sap.com/tcp against your SAProuter registration. The -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines should also be copied.

# cat certreq

-----BEGIN CERTIFICATE REQUEST-----


-----END CERTIFICATE REQUEST-----

Copy the above request and paste it as shown in the screenshot below.

[Screenshot: SAP-SNC--2]

After copying, click on the "Request Certificate" button.

The next screen will display the certificate. Copy and paste the generated certificate into a new file named 'srcert' in the same location as your saprouter.

N.B. Do not forget to copy the BEGIN and END tags too.

CREATING THE CERTIFICATE

Windows users can use Notepad; UNIX users can use the vi editor: vi srcert, <paste>, then <ESC><SHIFT> : x

# vi srcert

-----BEGIN CERTIFICATE-----

<---------- LINES DELETED ---------->

-----END CERTIFICATE-----

<ESC><SHIFT> : x

IMPORTING CERTIFICATE

The next step is to import this certificate using the command syntax below.

# ./sapgenpse import_own_cert -c srcert -p local.pse

CA-Response successfully imported into PSE "/usr/sap/MPS/SYS/exe/run/local.pse"

SETTING SECURED LOGIN TO SAPROUTER

Now specify the user who is allowed secure login to the PSE.

Use <sid>adm if you want to start saprouter with the SAP admin user. (If you omit -O <user>, the credentials are created for the logged-in user account that runs the command below.)

# ./sapgenpse seclogin -p local.pse -O saprouterUser

running seclogin with USER="saprouterUser"
creating credentials for yourself (USER="saprouterUser ")...
Added SSO-credentials for PSE "/usr/sap/C11/SYS/exe/run/local.pse"
"CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE"

N.B. Check that a file named cred_v2 is created in the same directory.

START SNC SAP ROUTER

In Unix

In UNIX use the syntax below to start SAProuter using SNC

# nohup ./saprouter -r -G routerlog -S 3299 -K "p:CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE" &

In Windows

In Windows use the syntax below

<Drive>:\SNC-SaprouterDirectory\saprouter -r -G routerlog -S 3299 -K "p:CN=YourHostName, OU=12345, OU=SAProuter, O=SAP, C=DE"

N.B. The -K option tells saprouter to load the SNC cryptographic library too.

SAPROUTTAB ENTRIES

For an SNC SAProuter, the saprouttab entries should not be the same as those for a non-SNC SAProuter.

./saprouttab should contain at least the following entries:

# inbound connections MUST use SNC
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>
# repeat this for the servers and port_numbers you will need to allow,
# please make sure that all explicit ports are inserted in front of a
# generic entry '*' for port_number

# outbound connections to <sapservX> will use SNC
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapservX> <sapservX_inbound_port>

# permission entries to check if connection is allowed at all
P <IP address of a local host> <IP address of sapserv2>
# all other connections will be denied
D * * *

Example:

For a SNC encrypted connection to the SAP Router on sapserv2 (194.39.131.34), the saprouttab should contain the following entries:

#
# SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>

# SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503

# SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23

# Access from the local Network to SAPNet - R/3 Frontend (OSS)
P <IP-address of a local PC> 194.39.131.34 3299

# deny all other connections
D * * *
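The rules stated for saprouttab above (KP and KT entries present, explicit ports in front of the generic '*' entry, a closing D * * *) can be checked mechanically before the router is started. The following is an added example, not part of the original guide or of any SAP tool; the function names are hypothetical, the sample table is constructed, and flagging a P entry with a wildcard source is an added strictness assumption based on the guide naming a specific local host.

```python
import shlex

# Constructed sample with three mistakes; r3host and the ports are made-up values.
SAMPLE = """\
# SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" r3host *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" r3host 23
P * 194.39.131.34 3299
"""

def parse_saprouttab(text):
    """Return (line_no, fields) for each rule line; comments and blanks are skipped."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)  # quoted SNC name stays one field
        if fields:
            rules.append((no, fields))
    return rules

def lint_saprouttab(text):
    """Apply the guide's rules; return a list of findings (empty list = clean)."""
    rules = parse_saprouttab(text)
    findings = []
    kinds = {f[0].upper() for _, f in rules}
    for needed in ("KP", "KT"):
        if needed not in kinds:
            findings.append(f"no {needed} entry")
    if not rules or rules[-1][1] != ["D", "*", "*", "*"]:
        findings.append("last entry is not 'D * * *'")
    generic = {}  # (kind, source, dest) -> line number of its '*' port entry
    for no, f in rules:
        if len(f) < 3:
            findings.append(f"line {no}: too few fields")
            continue
        kind, src, dst = f[0].upper(), f[1], f[2]
        port = f[3] if len(f) > 3 else None
        if kind == "P" and src == "*":
            findings.append(f"line {no}: P entry permits any source host")
        if port == "*":
            generic.setdefault((kind, src, dst), no)
        elif port is not None and (kind, src, dst) in generic:
            findings.append(f"line {no}: port {port} listed after generic '*' "
                            f"entry on line {generic[(kind, src, dst)]}")
    return findings

if __name__ == "__main__":
    for finding in lint_saprouttab(SAMPLE):
        print(finding)
```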

DEBUGGING

Check whether certificate is installed correctly

# ./sapgenpse get_my_name -v -n issuer

Opening PSE "/usr/sap/C11/SYS/exe/run/local.pse"...
PSE open ok.
ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "UserID"
with PSE file "/usr/sap/C11/SYS/exe/run/local.pse"

Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

If any errors are found in the above, you can do all the steps once again. But make sure that cred_v2 and local.pse are deleted. If you want to create the key once again, delete the certreq file too before doing so.

CHECK THE ENVIRONMENT VARIABLES

Make sure the following entries are there in the .login (dot login) script of the SNC saprouter user. ONLY THE BOLD AREAS

UNIX

set path = ( /usr/bin /etc /usr/sbin /usr/ucb $HOME/bin /usr/bin/C11 /sbin /usr/SNC-saprouter/snc_library /usr/lib . )
setenv MAIL "/var/spool/mail/$LOGNAME"
setenv SECUDIR "/usr/SNC-saprouter"
setenv SNC_LIB "/usr/SNC-Saprouter/snc_library/libsapcrypto.o"
setenv LIBPATH "/usr/lib:/lib:/usr/sap/C11/SYS/exe/run:/oracle/C11/92_64/lib:/usr/SNC-saprouter/snc_library"

WINDOWS

For Windows, create PATH, SECUDIR, SNC_LIB and LIBPATH in the environment settings area.
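The UNIX checks from the debugging section (local.pse and cred_v2 present, SECUDIR and SNC_LIB set, the library directory listed in LIBPATH) can be run in one pass, which also catches path typos such as a difference in upper and lower case between SNC_LIB and LIBPATH. This is an added example, not part of the original guide; the function name is hypothetical, it assumes cred_v2 and local.pse sit in SECUDIR as in the steps above, and the file-mode check is an addition that the guide does not state.

```python
import os
import stat

def check_snc_setup(env):
    """Return a list of problems with the SNC variables and PSE files (empty = OK)."""
    problems = []
    secudir = env.get("SECUDIR", "")
    snc_lib = env.get("SNC_LIB", "")
    if not os.path.isdir(secudir):
        problems.append("SECUDIR is unset or not a directory")
    else:
        for name in ("local.pse", "cred_v2"):
            path = os.path.join(secudir, name)
            if not os.path.isfile(path):
                problems.append(f"{name} missing in SECUDIR")
            elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                # Added check: the guide leaves the PIN empty, so the file
                # mode is what keeps other accounts away from the key.
                problems.append(f"{name} is accessible to group/others")
    if not os.path.isfile(snc_lib):
        problems.append("SNC_LIB is unset or does not point to a file")
    # Exact string comparison on purpose: UNIX paths are case-sensitive.
    lib_dirs = env.get("LIBPATH", "").split(":")
    if snc_lib and os.path.dirname(snc_lib) not in lib_dirs:
        problems.append("directory of SNC_LIB is not in LIBPATH")
    return problems

if __name__ == "__main__":
    # Run as the saprouter user so the same environment is inspected.
    for problem in check_snc_setup(os.environ):
        print(problem)
```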

