5 Replies Latest reply: Oct 5, 2012 5:20 AM by deepa awasthi

How to setup saprouter.

deepa awasthi

Hi Experts,


I have to set up saprouter as a prerequisite for MOPZ in Solution Manager.

How can I decide if I should go for a VPN internet connection or a non-internet connection?

I need some criteria on the basis of which I can decide which option I should go for with the saprouter installation on a Windows box.

Please suggest.




  • Re: How to setup saprouter.
    jagadish gudla

    Hi Deepa,


    Please check the below link,




    You have a topic called SAP Router config where you can find how to define the SAP Route string.


    You need to discuss with your network team and in parallel you can open a message with SAP Network Support.




  • Re: How to setup saprouter.
    Vinod B
  • Re: How to setup saprouter.
    Vinod B

    Hello Deepa,


    If you got the answer to this question, please mark it as Answered.



    Vinod Palli

  • Re: How to setup saprouter.
    Ramesh Nair



    Here are the complete steps.



    1) First of all get a public IP address. The public IP needs to be configured to your local SAP Router IP address.


    2) Get ports 3299 & 3298 opened from the SAP router IP host to SAP AG.


    3) Create a customer message with the following details. Open a customer message under the component XX-SER-NET: Customer Number, Hostname (on which SAPRouter is installed), Private IP Address, Public IP Address etc.


    4) Create the subdirectory saprouter in the directory \usr\sap.


    5) Now download the SAP ROUTER Software and Cryptographic Library Software. www.service.sap.com/saprouter-sncadd


    6) Once the software is downloaded copy the saprouter and cryptographic software into E:\usr\sap\saprouter

        eg: saprouter_15_XXXXX.sar, 9000XXXXX.sar


    7) Uncar the file


    8) Set the environment variables


       SECUDIR=<drive>:\usr\sap\saprouter

       SNC_LIB=<drive>:\usr\sap\saprouter\nt-xxx\sapcrypto.dll



    9) Generating and Registering the Key and Certificate


    Go to the link https://websmp201.sap-ag.de/SAPROUTER-SNCADD


    Click on Apply Now!


    10) Copy the Distinguished name (eg  CN=XXXXXX, OU=XXXXXXXXX, OU=SAProuter, O=SAP, C=DE)


    11) Create saprouttab text file without any extension in saprouter folder (<drive>:\usr\sap\saprouter)


    12) Now create a “certreq” textfile without any extension in the <drive>:\usr\sap\saprouter\nt-xxx


    13) Generate the certificate request on the SAP router OS with the following command (execute from <drive>:\usr\sap\saprouter)



         sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"

         sapgenpse get_pse -v -onlyreq -r certreq -p local.pse


        You will be asked twice for a PIN here. Please choose a PIN and document it; you have to enter it identically both times. Then you will have to enter the same PIN every time you want to use this PSE.

    14) Display the output file "certreq" and, with copy & paste (including the BEGIN and END statements), insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.


    15) In response you will receive the certificate signed by the CA in the Service Marketplace. Copy the content.

         Create a “srcert” file without any extension in the same location (<drive>:\usr\sap\saprouter\nt-xxx) and paste it.

    16) Importing the Certificate & Creating Credential

         Now import the certificate using the command below

         sapgenpse import_own_cert -c srcert -p local.pse  (execute from  <drive>:\usr\sap\saprouter\nt-xxx)

         Enter the PIN which you have already saved.

         The output of the command should show

         CA-Response successfully imported into PSE XXXX\saprouter\local.pse

    17) Creating the credential for the user responsible for starting SAP Router

         After importing the certificate, create the credential for user <sid>adm, who will be responsible for starting and stopping SAP Router

    18) sapgenpse seclogin -p local.pse -O <sidadm> (entered in full <domainname>\<username>)

    19) Verifying the Configuration


         sapgenpse get_my_name -v -n Issuer


         The output of the command should show

         Name of the Issuer as : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE


    20) Post Configuration Activity. Now we need to maintain the details in the saprouttab file. SAPROUTTAB is nothing but a permission file which holds the information on who is allowed to communicate through SAP Router.


    21) Following is an example of the content of saprouttab


    # SNC connection to and from SAP

    KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" *

    # SNC-connection from SAP to local system for R/3-Support

    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" < sap server ip > < port >

    # Access from your local Network to SAP

    P < sap server ip > 3299

    # All other connections will be denied



    < Sap server ip > is nothing but the IP address of the SAP server which needs to be accessed via SAP Router

    < Port > is nothing but the port of the SAP application, e.g. 3200 (dispatcher port)

    D * * * means reject all connections except the entries for the server IP mentioned in saprouttab


    22) How to Start & Stop SAP Router


          saprouter -r -S 3299 -V 3 -K "p:CN=<saprouter hostname>, OU=< Customer number >, OU=SAProuter, O=SAP, C=DE" &


    23) How to Stop SAP Router

         saprouter -s


    24) If we want to create it as a service, go through Note 525751



    ntscmgr install saprouter -b <path>\saprouter.exe -p "service -r -W 60000 -R <path>\saprouttab -K ^p:<your_distinguished_name>^"


    (eg : ntscmgr install saprouter -b <drive>\usr\sap\saprouter.exe -p "service -r -W 60000 -R <drive>\usr\sap\saprouter\saprouttab -K ^p:CN=XXXXXX, OU=XXXXXXXXX, OU=SAProuter, O=SAP, C=DE^")




    Ramesh Nair
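
An added example, not part of the post above and not SAP tooling: a small Python check for the saprouttab described in steps 20 and 21 that flags permit entries containing wildcards and entries placed after a closing D * * *. It assumes the field order `<type> <source host or SNC name> <destination host> <destination port>` and first-match evaluation; the function names, the sample table and its addresses are constructed for illustration.

```python
import shlex

PERMIT = {"P", "S", "KP", "KS"}  # entry types that allow a connection

# Constructed sample table (not from the post); addresses are placeholders.
SAMPLE = """\
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.0.2.10 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.0.0.5 3200
P 10.0.0.20 192.0.2.10 3299
P * * *
D * * *
P 10.0.0.30 10.0.0.5 3200
"""

def parse(text):
    """Return [(line_no, kind, source, dest_host, dest_port)] per entry."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)        # keeps the quoted SNC name as one token
        tok += [""] * (4 - len(tok))   # tolerate short lines
        entries.append((no, tok[0].upper(), tok[1], tok[2], tok[3]))
    return entries

def audit(text):
    """Return [(line_no, message)] for entries that deserve a second look."""
    findings, closed = [], False
    for no, kind, src, host, port in parse(text):
        if closed:
            # Assumption: the first matching entry wins, so nothing after
            # an unconditional deny can ever apply.
            findings.append((no, "unreachable: follows D * * *"))
            continue
        if kind == "D" and (src, host, port) == ("*", "*", "*"):
            closed = True
        if kind not in PERMIT:
            continue
        if "*" in host or "*" in port:
            findings.append((no, "permit with wildcard destination host or port"))
        if kind in ("P", "S") and "*" in src:
            findings.append((no, "non-SNC permit from any source"))
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```
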