Setting up an SNC tunnel for SAPRouter

Let’s say you need to configure SAPRouter with SNC for remote users, for example, people from another office.

Download saprouter and the SAP crypto library and unpack them (sapcar -xvf) into, for example, C:\saprouter.

Set the environment variables (example). They must be visible to the account that runs saprouter, so set them system-wide if saprouter runs as a Windows service:

SECUDIR=C:\saprouter

SNC_LIB=C:\saprouter\nt-x86_64\sapcrypto.dll

Next, create the certificates and exchange them.
Attention: names are CASE SENSITIVE! In this example the CN is the host name (a short name without the domain also works). The CN does not have to match the machine name and can be anything; the host name is used only to make the entries easy to understand. Whatever you choose, the exact string, including case, must be used later in saprouttab and in the -K option of saprouter.
Note also that sapgenpse seclogin creates the credentials for the user who runs it; if saprouter runs as a service under a different account, run seclogin for that account (sapgenpse seclogin has an option, -O, for naming the user).
Initiator's side:

sapgenpse get_pse -v -noreq -p local.pse "CN=spb-initiator"
sapgenpse seclogin -p local.pse
sapgenpse export_own_cert -o spb-initiator.cer -p local.pse

Acceptor side:

sapgenpse get_pse -v -noreq -p local.pse "CN=msk-acceptor"
sapgenpse seclogin -p local.pse
sapgenpse export_own_cert -o msk-acceptor.cer -p local.pse

Exchange the certificates and copy them into the directory C:\saprouter\nt-x86_64 (the directory from which the next command is run):

on the initiator side place the file msk-acceptor.cer, on the acceptor side place the file spb-initiator.cer.

Then import the peer's certificate into the PSE's list of trusted public keys. On the initiator's side:

sapgenpse maintain_pk -a msk-acceptor.cer -p local.pse

And on the acceptor side:

sapgenpse maintain_pk -a spb-initiator.cer -p local.pse

saprouttab settings:

Initiator:

# Outbound connections to the acceptor (host2) will use SNC with this partner name
KT "p:CN=msk-acceptor" <acceptor IP> 3299

# Allow all inbound connections
P * * *

Keep in mind what P * * * means: any client that can reach port 3299 on the initiator may be routed to any host and port the initiator itself can reach, not only to the acceptor. For anything beyond a lab, restrict the source field to your client network and the destination to the acceptor's address and port; a connection that matches no line is denied.

Acceptor:

# accept incoming SNC connections from the initiator
# with destination sapdp00 or 3298 on any host
KP "p:CN=spb-initiator" * sapdp00
KP "p:CN=spb-initiator" * 3298

Starting saprouter (-r starts the router, -K switches on SNC and sets the router's own SNC name, which must match the CN in its PSE exactly):

Initiator:

saprouter -r -K p:CN=spb-initiator

Acceptor:

saprouter -r -K p:CN=msk-acceptor

SAProuter string in SAP GUI (the application server host follows the last /H/):

/H/<IP of the initiator>/H/<IP of the acceptor>/H/

Check: start niping in server mode on the acceptor first (it listens on port 3298, which is why the acceptor's saprouttab permits 3298), then run the client from the initiator.

Acceptor:

niping -s

Initiator:

niping -c -H /H/<IP of the initiator>/S/3299/H/<IP of the acceptor>/S/3299/H/<IP of the acceptor>

You should see output like:

connect to server o.k.
send and receive 10 messages (len 1000)

------- times -----
avg 12.900 ms
max 13.548 ms
min 12.631 ms
tr 151.405 kB/s
excluding max and min:
av2 12.853 ms
tr2 151.963 kB/s

If not, read the file dev_rout in the saprouter working directory. If it complains about SNC, something is wrong with the certificates; most likely the initiator and acceptor roles are mixed up, i.e. each side is waiting for the wrong certificate, or an SNC name differs in case from the CN in the PSE.

If it complains about "route permission denied", check saprouttab; most likely a wrong IP is specified. Another possibility is that the sapdp00 port is not defined in c:\windows\system32\drivers\etc\services, in which case the line that refers to it can never match.
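The saprouttab rules above, the route strings and the two failure modes just described (an SNC error from a mismatched certificate name, "route permission denied" from a wrong IP or a missing services entry) can be checked offline before starting saprouter. The following Python script is an added example written for this page, not code from the original post or from SAP. It implements a simplified model of SAProuter's table semantics (the first matching line decides; KP/KD/KS lines require an SNC-protected peer whose SNC name matches exactly; KT only names the expected onward SNC partner; hosts match "*", an exact value or a trailing wildcard) and uses constructed addresses (10.1.0.9 for the initiator, 10.2.0.5 for the acceptor, 10.1.0.50 for a client) plus a small SERVICES dictionary standing in for the services file. What it reports is only as good as that model; the real check is still dev_rout.

```python
# Added example, not code from the original post or from SAP: a checker for
# saprouttab files and route strings under a simplified model of SAProuter
# (first match decides; K-lines need an SNC-protected peer; KT only names the
# expected onward SNC partner; '*' and trailing-wildcard hosts; ports resolve
# through SERVICES, a constructed stand-in for etc/services).
import re
import shlex
from collections import namedtuple

SERVICES = {"sapdp00": 3200, "sapgw00": 3300}   # constructed; sapdp01 is deliberately absent
PERMIT = {"P", "S", "KP", "KS"}
ACTIONS = PERMIT | {"D", "KD", "KT"}
Rule = namedtuple("Rule", "action source dest port line_no")

def parse_saprouttab(text):
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = shlex.split(raw.split("#", 1)[0])      # keeps a quoted "p:CN=..." together
        if not parts:
            continue
        if len(parts) < 4 or parts[0].upper() not in ACTIONS:
            raise ValueError(f"saprouttab line {n}: cannot parse {raw!r}")
        rules.append(Rule(parts[0].upper(), parts[1], parts[2], parts[3], n))
    return rules

def resolve_port(port):
    """3299 or '3299' -> 3299, 'sapdp00' -> 3200, unknown service name -> None."""
    return port if isinstance(port, int) else int(port) if port.isdigit() else SERVICES.get(port)

def host_matches(pattern, host):
    return host.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == host

def port_matches(pattern, port):
    wanted = resolve_port(pattern)
    return pattern == "*" or (wanted is not None and wanted == resolve_port(port))

def evaluate(rules, src, dest, port, snc_name=None):
    """First-match verdict for src -> dest:port; snc_name is the peer's SNC name, None if plain."""
    for r in rules:
        if r.action == "KT":
            continue
        # K-lines compare the SNC name (case-sensitively); plain lines compare the host
        src_ok = (r.source == snc_name) if r.action[0] == "K" else host_matches(r.source, src)
        if src_ok and host_matches(r.dest, dest) and port_matches(r.port, port):
            return r.action in PERMIT, r
    return False, None

def snc_target(rules, dest, port):
    """SNC partner name a KT line demands for an onward connection to dest:port, else None."""
    return next((r.source for r in rules if r.action == "KT"
                 and host_matches(r.dest, dest) and port_matches(r.port, port)), None)

def lint(rules):
    out = []
    for r in rules:
        if r.action in ("P", "S") and (r.source, r.dest, r.port) == ("*", "*", "*"):
            out.append(f"line {r.line_no}: '{r.action} * * *' lets any client that reaches this saprouter be routed on to any host and port it can reach")
        if r.port != "*" and resolve_port(r.port) is None:
            out.append(f"line {r.line_no}: service {r.port!r} is not in the services file, so the line never matches")
    return out

def parse_route(route, final_default):
    """'/H/a/S/3299/H/b/H/c' -> [('a', '3299'), ('b', 3299), ('c', final_default)]."""
    hops = []
    for kind, value in re.findall(r"/([HS])/([^/]+)", route):
        if kind == "H":
            hops.append([value, None])
        elif hops:
            hops[-1][1] = value
    return [(h, p if p is not None else (final_default if i == len(hops) - 1 else 3299))
            for i, (h, p) in enumerate(hops)]

def check_route(route, tables, client, snc_names, final_default=3298):
    """Walk the route hop by hop. tables: saprouter host -> rules; snc_names: saprouter
    host -> its -K name. Returns (reachable, log) and stops at the first failure."""
    hops, log, prev_host, prev_snc = parse_route(route, final_default), [], client, None
    for i, (host, _) in enumerate(hops[:-1]):
        rules, (nxt, nxt_port) = tables[host], hops[i + 1]
        allowed, rule = evaluate(rules, prev_host, nxt, nxt_port, prev_snc)
        where = f"line {rule.line_no}" if rule else "no matching line"
        if not allowed:
            log.append(f"{host}: DENY {prev_host} -> {nxt}:{resolve_port(nxt_port)} ({where})")
            return False, log
        partner = snc_target(rules, nxt, nxt_port)
        if partner and snc_names.get(nxt) != partner:      # peer's certificate carries another name
            log.append(f"{host}: SNC name mismatch, KT expects {partner} but {nxt} runs as {snc_names.get(nxt)}")
            return False, log
        log.append(f"{host}: permit -> {nxt}:{resolve_port(nxt_port)} ({where}, {'SNC to ' + partner if partner else 'plain'})")
        prev_host, prev_snc = host, (snc_names[host] if partner else None)
    return True, log

# Constructed tables and addresses mirroring the post's two-hop setup.
INITIATOR_TAB = 'KT "p:CN=msk-acceptor" 10.2.0.5 3299\nP * * *\n'
ACCEPTOR_TAB = 'KP "p:CN=spb-initiator" * sapdp00\nKP "p:CN=spb-initiator" * 3298\n'
TABLES = {"10.1.0.9": parse_saprouttab(INITIATOR_TAB), "10.2.0.5": parse_saprouttab(ACCEPTOR_TAB)}
NAMES = {"10.1.0.9": "p:CN=spb-initiator", "10.2.0.5": "p:CN=msk-acceptor"}
NIPING_ROUTE = "/H/10.1.0.9/S/3299/H/10.2.0.5/S/3299/H/10.2.0.5"   # the niping -c -H route from the post
if __name__ == "__main__":
    print({h: lint(r) for h, r in TABLES.items()})
    print(*check_route(NIPING_ROUTE, TABLES, "10.1.0.50", NAMES), sep="\n")
```

Running it prints the lint warning for the initiator's P * * * line and the two-hop walk of the niping route, which ends at the acceptor's 3298 line. Removing the KT line from the initiator makes the walk fail at the acceptor (its KP lines only match an SNC-protected peer), and changing the case of a name in NAMES makes it fail at the KT check; those are the two situations the dev_rout advice above is about.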

Saprouters can be chained; the most common topology is a star: one acceptor and many initiators.

Problem: an employee from a regional office comes to the central office on a business trip with the saprouter string of his home region in SAP GUI. Because of that string his traffic goes out to his region and back to the central office in a loop.

Solution: set up another, "guest" saprouter at the central office and give the saprouter host the same DNS name (for example, saprouter) in every region and at the central office. The employee then keeps the same route string at home and on a trip and always passes through two saprouters: at home over the region-to-central-office link, on a trip between the guest saprouter and the central saprouter, both inside the central office.

SCN Instruction:

http://wiki.scn.sap.com/wiki/display/Basis/How+to+setup+SNC+connection+between+SAProuters

This entry was posted in SAP.