Hi,
Here is the complete step.
1) First of all get Public IP address. Public IP need to be configured to you local SAP Router IP address.
2) Get port 3299 & 3298 open from SAP router ip host to SAP AG.
3) Create a Customer Message with the Following details. Open a customer message under the component XX-SER-NET Customer
Number, Hostname(on which SAPRouter is installed),Private IP Address, Public IP Address etc.
4) Create the subdirectory saprouter in the directory \usr\sap.
5) Now download the SAP ROUTER Software and Cryptographic Library Software. www.service.sap.com/saprouter-sncadd
6) Once the software is downloaded copy the saprouter and cryptographic software into E:\usr\sap\saprouter
eg: saprouter_15_XXXXX.sar, 9000XXXXX.sar
7) Uncar the file
😎 Set environmental variable
SECUDIR= <drive>:\usr\sap\saprouter
SNC_LIB =<drive>:\usr\sap\saprouter\nt-xxx\sapcrypto.dll
9) Generating the Registering the Key and Certificate
Go to the link https://websmp201.sap-ag.de/SAPROUTER-SNCADD
Click on Apply Now!
10) Copy the Distinguished name (eg CN=XXXXXX, OU=XXXXXXXXX, OU=SAProuter, O=SAP, C=DE)
11) Create saprouttab text file without any extension in saprouter folder (<drive>:\usr\sap\saprouter)
12) Now create a “certreq” textfile without any extension in the <drive>:\usr\sap\saprouter\nt-xxx
13) Generate the certificate Request on SAP router OS with the Following command (execute from <drive>:\usr\sap\saprouter
\nt-xxx)directory
sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"
sapgenpse get_pse –v -onlyreq -r certreq -p local.pse
You will be asked twice for a PIN here. Please choose a PIN and document it, you have to enter it identically both times. Then you
will have to enter the same PIN every time you want to use this PSE.
14) Display the output file "certreq" and with copy & paste (including the BEGIN and END statement) insert the certificate request into
the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.
15) In response you will receive the certificate signed by the CA in the Service Marketplace. copy the content
Create a “srcert” file without any extension in the same location (<drive>:\usr\sap\saprouter\nt-xxx) and paste it
16) Importing the Certificate & Creating Credential
Now Import the certificate using the below command
sapgenpse import_own_cert -c srcert -p local.pse (execute from <drive>:\usr\sap\saprouter\nt-xxx)
enter pin which you have already saved.
Out of the command should show
CA-Response successfully imported into PSE XXXX\saprouter\local.pse
17) Creating the credential for User responsible to start SAP Router
After importing the certificate create Credential for user <sid>adm who will be responsible to start the stop SAP Router
18) sapgenpse seclogin –p local.pse –O <sidadm> (entered in full <domainname>\<username>)
19) Verifying the Configuration
sapgenpse get_my_name -v -n Issuer
Out of the command should show
Name of the Issuer as : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
20) Post Configuration Activity. Now we need to maintain the details in the saprouttab file. SAPROUTTAB is nothing but permission file which has information who should be communicate through SAP Router
21) Following is an example content of saprouttab
---------------------------------------------------------------------------------------
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC-connection from SAP to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" < sap server ip > < port >
# Access from your local Network to SAP
P < sap server ip > 194.39.131.34 3299
# All other connections will be denied
#D
-------------------------------------------------------------------------------------
< Sap server ip > is nothing but ip address of the sap server which is need to be access via SAP Router
< Port > is nothing but the port of SAP Application for e.g. 3200 ( dispatcher port )
D * * * mean reject all the connection accept the entry of the server ip which mention in saprouttab
22) How to Start & Stop SAP Router
saprouter -r -S 3299 -V 3 -K "p:CN=<saprouter hostname>, OU=< Customer number >,
OU=SAProuter,O=SAP, C=DE" &
23) How to Stop SAP Router
saprouter –s
24) If we want to create as a service go through Note 525751
ntscmgr install saprouter -b <path>\saprouter.exe -p "service -r -W 60000 -R
<path>\saprouttab -K ^p:<your_distinguished_name>^"
(eg : ntscmgr install saprouter -b <drive>\usr\sap\saprouter.exe -p "service -r -W 60000 -R
<drive>\usr\sap\saprouter\saprouttab -K ^p:CN=XXXXXX, OU=XXXXXXXXX, OU=SAProuter, O=SAP, C=DE^")
Thanks
Ramesh Nair
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.