Tuesday 5 November 2013

SAProuter Installation Step by Step

SAProuter Installation

1.     Introduction

The purpose of this document is to set out the process used in the creation of a SAProuter connection to SAP.

2.     Installation Process

2.1. Server

A dedicated server (hostname) has been built for the SAProuter). The spec of this server is:
·         2 hyper-threading (HTT) CPUs with 2GHz tact frequency
·         2 GB RAM
·         50 MB free space on the hard drive for SAProuter and configuration
·         20GB D: drive for SAP router & log files
·         64bit server
·         OS  Windows 2008
Its internal IP address: Host IP

2.2. SAP Registration

In order to have this new SAProuter connection with SAP, registered the following details with SAP.
On approval SAP register the following details in the SAP Marketplace


1.1. SAProuter Software

The following version of the SAProuter software was downloaded from the SAP Marketplace:
·         SAProuter 7.20 (patch level 423) for Windows on x64 64bit



We also downloaded the following cryptographic software for the SNC connection
·         SAPCRYPTOLIB 5.5.5 (patch level 36) for Windows on x64 64bit

1.1. Setting the environment variable

Once the software has been installed on the server the next step is to set the environment variables SECUDIR and SNC_LIB. These are as follows:
·         SECUDIR = D:\usr\sap\sap\saprouter
·         SNC_LIB = D:\usr\sap\sap\saprouter\ntintel\sapcrypto.dll
One set reboot the system once you have checked that the terminal services have started.

1.1. Downloading and installing the SAProuter certificate

From the SAP Marketplace download a certificate and then install it on the server. The process for doing this is as follows.
Go to the SAP Marketplace and obtain the “Distinguished Name” for the new SAProuter installation as advised by SAP. For this installation it is:
·         CN=HOSTNAME, OU=0000848841, OU=SAProuter, O=SAP, C=DE

Generate the certificate request with the command: sapgenpse get_pse -v -r certreq -p local.pse "" as follows:
·         sapgenpse get_pse -v -r certreq -p local.pse "CN=hostname, OU=0000848841, OU=SAProuter, O=SAP, C=DE"
From the directory D:\usr\sap\sap\saprouter\ntintel\, copy the content of the file certreq to the second tab “Create and Enter CSR” in the SAP Marketplace.


SAP will then return the new certificate on selecting “Request Certificate
Copy and paste the text to a new local file named "srcert", which must be created in the same directory as the sapgenpse executable (D:\usr\sap\sap\saprouter\ntintel\)

This certificate needs to be imported into SAProuter.
First of all execute the following command on the /saprouter/ntintel directory:
·         sapgenpse import_own_cert -c srcert -p local.pse
Enter PIN: ?????

Now you will have to create the credentials for the SAProuter to do this execute the following command in the /saprouter/ntintel directory.
·         sapgenpse seclogin -p local.pse
·         Enter PIN: ????? (same as point 9)
This will create a file "cred_v2" in the same directory as local.pse.

To check whether the certificate has been imported correctly execute this command in the /saprouter/ntintel directory.
·         sapgenpse get_my_name -v -n Issuer
The successful result will be: Issuer  : "CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE".

1.1. Installing the SAProuter as an NT Service

Should there be registry changes also detailed here?
Use the following command to newly define the service from the command line:
·         sc.exe create SAPRouter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -W 60000 -R D:\usr\sap\saprouter\saprouttab -K ^p:CN=HOSTNAME, OU=0000848841, OU=SAProuter, O=SAP, C=DE ^" start= auto obj= "NT AUTHORITY\LocalService"
You will receive the following success message: [SC] CreateService SUCCESS

1.1. Starting the SAProuter


To start the SAProuter use the following command line:
·         saprouter -r -S -K "p:"
(-K tells the SAProuter to start with loading the SNC library)
In our case the command was:
·         saprouter -r -K "p:CN=hostname, OU=0000848841, OU=SAProuter, O=SAP, C=DE"
The parameter  -S , was omitted and therefore the SAProuter is using the default port 3299.

Network Part.
|

|
Network Part.


Steps described in SAP note 525751(Installation of the SNC SAP Router as NT Service)
Edit the string in the registry under MyComputer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ saprouter and change ^ to “ under Image Path.


Then Save it.

Routtab configuration.

The corresponding file saprouttab must contain at least the following entries
# Outbound connections to will use SNC
KT "p:CN=sapservX, OU=SAProuter, O=SAP, C=DE"
# Inbound connections MUST use SNC
KP "p:CN=sapservX, OU=SAProuter, O=SAP, C=DE"
# Repeat this for the servers and port_numbers you will need to
# allow. Please make sure that all explicit ports are inserted
in
# front of a generic entry '*' for port_number
# Permission entries to check if connection is allowed at all
P
# All other connections will be denied
D * * *
 Configuration in SAP market place and OSS1 (Technical settings)

Tcode- OSS1

Go to – technical settings
 Maintain the details. (New SAP router details)


Cross check the Msg Server string, it should be with the new SAP router,

/H/Router Host IP/S/sapdp99/H/194.39.131.34/S/sapdp99/H/oss001

Login to SMP. (SAP market place)

Help & Support -> Connect to SAP > Maintain connection

Select the system.> go to system data. Update the router information as below indicated
































9 comments:

  1. nice post sir thank you for your valuable information thank you

    ReplyDelete
  2. Thank you four your detail information.
    It is very useful.
    One thing i want to ask only:
    Is it necessary to register the saprouter to SAP by sending a message by using the company's OSS user at first step?

    ReplyDelete
  3. can u share how to renew the certificate before it get expired?

    ReplyDelete

Please join as member for latest updates