
Wednesday, May 15, 2013

Installation of SAP Router on Windows

Environment:
Windows 2008 R2, x64 architecture, public IP with ports 3298 and 3299 opened

1.       Download Components
A.      SAPRouter Files
Navigate to service.sap.com/swdc > SAP Software Download Center > Support Packages and Patches > Browse our Download Catalog > Additional Components > SAPROUTER > Download sap router depending on your operating system
B.      SAP Cryptographic Software
Navigate to service.sap.com/swdc > SAP Software Download Center > Support Packages and Patches > Browse our Download Catalog > Additional Components > SAPCRYPTOLIB > SAPCRYPTOLIB.SAR
2.       Register SAP router with SAP
Raise an OSS message under component XX-SER-NET-NEW. After successful registration, SAP will provide you with a distinguished name. This name is required for the following steps, and the customer data looks like this:

Hostname SAProuter : HOSTNAME
IP address SAProuter : XXX.XXX.XXX.XXX
Your Distinguished Name:
"CN=hostname, OU=Number, OU=SAProuter, O=SAP, C=DE"
3.       Set environment variables

Variable name: SAPROUTTAB    Variable value: D:\usr\sap\saprouter
Variable name: SECUDIR       Variable value: D:\usr\sap\saprouter
Variable name: SNC_LIB       Variable value: D:\usr\sap\saprouter\sapcrypto.dll
4.       Create a shared folder on your router machine following the folder structure used in the variables above, and put all extracted files in this folder. Extracting the SAProuter archive gives you saprouter and the other required files; extracting the cryptolib archive gives you sapgenpse in an architecture-specific folder.
5.       Generate certificate request
Execute the following command in the folder where sapgenpse is located. In my case it is D:\usr\sap\saprouter\nt-x86_64. After executing the command you will find a new file, certreq, in the same folder.
sapgenpse get_pse -v -r certreq -p local.pse "CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE" 

6.       Request certificate for sap router
Navigate to http://service.sap.com/saprouter-sncadd and click the Apply Now button. This gives you the list of router systems registered with SAP. Click on the newly created host name and continue. This gives you a text box where you need to paste the content of the certreq file, including the begin and end lines, from the path \usr\sap\saprouter\nt-x86_64. Continue to Request Certificate. This gives you the certificate code. Paste all the contents into Notepad with the file name srcert, and rename srcert.txt to srcert with no extension.
You will be asked twice for a PIN here. Please choose a PIN and document it; you have to enter it identically both times. You will then have to enter the same PIN every time you want to use this PSE.

7.       Install the certificate in your SAProuter
Execute the following command. After successful execution the SAP certificate will be installed on your SAProuter machine.
sapgenpse import_own_cert -c srcert -p local.pse 
8.       Create the credentials for the SAProuter ada
This will create a user used for SAProuter start and stop. Replace <user_for_SAProuter> with domain\user. If you omit -O <user_for_SAProuter>, the credentials are created for the logged-in user account. This will create a file called cred_v2 in the same directory where local.pse is located.
sapgenpse seclogin -p local.pse -O <user_for_SAProuter>
9.       Check if the certificate has been imported successfully
Execute the following command in the folder where sapgenpse is located.
sapgenpse get_my_name -v -n Issuer
The output of command should be
CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

10.   Create Route Tab
Create a file saprouttab in Notepad and rename it to saprouttab with no extension. This file contains the route tab entries, in the following format.
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC connection to local system for R/3-Support
# R/3 Server: 192.168.1.1
# R/3 Instance: 00
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200
# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 192.168.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389
# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 192.168.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23
# SNC connection to local Portal system for URL access, if applicable
# Portal server: myserver.mydomain
# Port number: 50003
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" myserver.mydomain 50003
# Access from local network to SAP
P 192.168.*.* 194.39.131.34 3299
# deny all other connections
D * * *
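
A table like the one above can be checked before saprouter -n loads it. The following Python sketch is an added example, not part of the original post or of SAP's tooling: it lists the routes a table opens and flags permits with a bare * field and entries placed after D * * *. It assumes SAProuter applies the first matching entry; parse, audit and the weak table are hypothetical names and constructed data.

```python
import shlex

PERMIT = {"P", "S", "KP", "KS"}   # entry types that open a route
KNOWN = PERMIT | {"D", "KD", "KT"}
SAP = '"p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"'

# Entries from the table in step 10 (comments dropped).
PAGE_TABLE = f"""KT {SAP} 194.39.131.34 *
KP {SAP} 192.168.1.1 3200
KP {SAP} 192.168.1.2 3389
KP {SAP} 192.168.1.3 23
KP {SAP} myserver.mydomain 50003
P 192.168.*.* 194.39.131.34 3299
D * * *"""

# Constructed weak table: open permit first, rule after the deny-all.
WEAK_TABLE = f"""P * * *
D * * *
KP {SAP} 192.168.1.1 3200"""

def parse(text):
    """Yield (line_no, kind, source, dest_host, dest_port) per entry."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = shlex.split(line)     # keeps the quoted SNC name as one field
        ok = len(f) >= 4 and f[0].upper() in KNOWN
        yield (n, f[0].upper(), f[1], f[2], f[3]) if ok else (n, "?", line, "", "")

def audit(text):
    """Return (routes opened, findings) for a route permission table."""
    opened, findings, deny_all = [], [], None
    for n, kind, src, host, port in parse(text):
        if kind == "?":
            findings.append((n, "unparsed entry"))
        elif deny_all:
            findings.append((n, f"never reached: follows 'D * * *' on line {deny_all}"))
        elif kind == "D" and (src, host, port) == ("*", "*", "*"):
            deny_all = n
        elif kind in PERMIT:
            opened.append((src, host, port))
            wild = [k for k, v in (("source", src), ("host", host), ("port", port)) if v == "*"]
            if wild:
                findings.append((n, f"{kind} with wildcard " + "/".join(wild)))
    if deny_all is None:
        findings.append((0, "no 'D * * *' entry"))
    return opened, findings
```

Calling audit(PAGE_TABLE) returns the five routes the example table opens and no findings; audit(WEAK_TABLE) reports the open permit on line 1 and the KP entry that is never evaluated.
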
11.   Start SAP Router
This completes the installation of SAProuter. The following commands are used to operate it.
start router : saprouter -r
You can also use saprouter -r -V 2 -K "p:CN=example, OU=Number, OU=SAProuter,O=SAP, C=DE"
stop router  : saprouter -s
soft shutdown: saprouter -p
new routtab  : saprouter -n
12.   Test SAP Router
The following notes will guide you through testing the SAProuter installation.
Integrating SAProuter into a firewall (see SAP Note 48243)
Ping from SAProuter server to sapserv2 (194.39.131.34)
SAP Remote Services: Technical preparation (see SAP Note 812386)
niping.exe -c -H /H/<local_SR>/H/194.39.131.34/H/localhost 
13.   Open Connection to SAP
Maintain a new SAProuter entry for the system so that SAP can access your system for remote support. To do this, navigate to
http://service.sap.com/system-data -> "SID" system -> "System" Tab -> SAProuter drop-down list and save the entry for sap router.

14.   Troubleshooting
If there are any issues with the installation, the following command output and files will give you the logs:
Output of the command 'sapgenpse'
Output of the command 'sapgenpse get_my_name -n all'
Output of the command 'sapgenpse seclogin -l'
Files dev_rout and saprouttab 