A guide to configure SAProuter
INTRODUCTION:
I found a lot of notes and documents when i wanted to configure saprouter. Here i would like to collaborate all how-to’s into a single document.
SAProuter is kind application level firewall, allows your SAP servers to be accessed globally in a secured way. Nowadays it is a basic requirement for every customer who uses Solution manager for getting support from SAP. Following are the situations where you need SAPRouter.
- You want your users access SAP server out of LAN without having VPN .
- You want to get support from SAP.
- You are planning to implement SAP Solution manager.
- You want to download SAP notes and corrections via snote assistant
This document is targeted for those who have following environment.
OS platform : Windows 2008 or higher (indeed for windows 7)
Architecture : nt-x86_64
PREREQUISITES:
1. Get a Public IP from your ISP for SAProuter.
2. Create message on support portal as in this note 28976 – Remote connection data sheet
You would receive a confirmation from SAP with a Destination SAP IP and Distinguished name.
3. NAT policy in firewall with permission to the TCP ports 3200-3299 for the above registered public IP
(TCP ports for message servers 32<instance_no> and any free TCP port as a dedicated port for SAProuter)
4. Download latest version of SAPRouter from support portal.
(visit Support Packages –> Browse Download catalogue –> Additional components– >SAProuter)
5. Download latest version of SAPCRYPTOLIB from support portal.
(visit Support Packages –> Browse Download catalogue –> Additional components– >SAPCRYPTOLIB)
6. Download latest version of SAPCAR to extract the above downloaded software.
(visit Support Packages –> Browse Download catalogue –> Additional components– >SAPCAR)
PREPARATIONS:
1. Copy all the above downloaded files in to temporary dir and uncar the Saprouter and cryptolib files.
2. Open cmd and navigate to above temp location and execute sapcar_<version>.exe -xvf <filename>.sar
3. Make new directory (ex: D:\usr\sap\saprouter) and paste the extracted files of router and cryptolib files.
4. I recommend you to create an exclusive local user “sncadm” and set password never expires.
(in my case i use to change pwd for sidadm and this caused issues in starting router)
5. Logon with user for saprouter and set following user environmental variables.
SECUDIR = <dir_saprouter> (ex: SECUDIR = D:\usr\sap\saprouter)
SNC_LIB = <dir_saprouter>\nt-x86_x64\sapcrypto.dll (ex: D:\usr\sap\saprouter\nt-x86_x64\sapcrypto.dll)
CONFIGURATION:
1. Generating a new certificate request.
a. Goto SAProuter Certificates –> click Apply Now and copy your distinguished name and click next
b. Open cmd as administrator and navigate to <path_saprouter>\nt-x86_x64\ and execute,
sapgenpse get_pse -v -r certreq -p local.pse “<Distinguished Name>“
example: sapgenpse get_pse -v -r certreq -p local.pse “CN=example, OU=00123456, OU=SAProuter, O=SAP, C=DE”
c. It will ask to enter and re-enter a PIN. This is used to access the local.pse, so better note it down.
b. A file “local.pse” will be created in the saprouter directory. (Ex: D:\usr\sap\saprouter\local.pse)
d. A file “certreq” will under <dir_saprouter>\nt-x86_x64 (Ex: D:\usr\sap\saprouter\certreq)
2. Aquiring certificate signed by CA.
a. Open the “certreq” file with notepad and copy the text (including BEGIN and END)
b. Paste it on the above opened certificate page and click next.
c. You would get a certificate (series of jumbled characters) copy this (including BEGIN and END)
d. create a new file “routcert.txt” under <dir_saprouter>\nt-x86_x64 and paste the above certificate text.
3. Importing router certificate.
a. Open cmd as administrator and navigate to <dir_saprouter>\nt-x86_x64\ and execute,
sapgenpse import_own_cert -c routcert.txt -p local.pse
Running the above command would ask you to enter PIN, enter the one you have given on step 1c
4. Authorizing windows user for accessing SAPRouter.
Execute the following cmd with the saprouter user (sncadm).
sapgenpse seclogin -p local.pse -O <exclusive_user_SAProuter>
example: sapgenpse seclogin -p local.pse -O hostname\sncadm
Now you will prompted to enter the PIN. enter the one you have given on step 1c
Check whether a file “cred_v2” is created under saprouter directory.
5. Verifying authorization for the sncadm of saprouter.
log on to user for saprouter, open cmd and navigate to <dir_saprouter>\nt-x86_x64\ and execute
sapgenpse get_my_name -v -n Issuer
You should get an output like this. CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Voila ! you have configured your SAPRouter successfully.
But wait.. We have to check whether the router works or not.
Start your sap router using command <dir_saprouter>\saprouter.exe -r
You should be getting an out put “trcfile dev_rout no logging active“. This shows that the router started successfully. But if you close the above cmd prompt, then your SAPRouter will shutdown.
We can avoid this by registering SAProuter as windows service, so that it can run on background
Registering SAProuter as Windows service:
1. open command prompt as administrator, and navigate to <dir_saprouter>
2. execute following commands as it is. Replace the <path> with your saprouter directory path and <your distinguished name>
sc.exe create SAPRouter binPath= “<path>\saprouter.exe service -r -S 3299 -W 60000 -R <path>\saprouttab -K ^p:<distinguished name>^”
example: sc.exe create SAPRouter binPath= “D:\usr\sap\saprouter\saprouter.exe service -r -S 3299 -W 60000 -R
D:\usr\sap\saprouter\saprouttab -K ^p:CN=example, OU=00123456, OU=SAProuter, O=SAP, C=DE^”
3. You would get an output saying service “SAPRouter” created successfully.
4. Open “regedit.exe” and edit the string “ImagePath” under following location.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ saprouter
5. Replace ^ with “ and click OK. The updated value should look like below
<path>\saprouter.exe service -r -S 3299 -W 60000 -R<path>\saprouttab -K “p:CN=example, OU=00123456, OU=SAProuter, O=SAP, C=DE“
6. Now open “services” right click “SAPRouter” and choose properties. click on “Log On” tab and choose “This account”.
Type the user ID created for configuring saprouter (sncadm), type password and then click apply.
7. Now start the saprouter service and you’re done.
Congrats !! You have implemented SAP ROUTER successfully.
This is the best procedure I ever found for SAProuter. thanks Mahendra!
You're welcome 🙂
excellent article... well done, sir! 🙂
This guide is the only worked document for me !!! I dont know why, but it is not worked for me : 41054 - Installation of SAProuter as Windows service
Hi Mahendra,
What would be the procedure for migrating existing saprouter to new hardware?
Thanks,
Asad
Hi,
the following worked for me to register the SAPRouter as Windows Service on Windows 2008R2 Server x86-64.
I replaced ^ with \" at the "sc create ..." command and ther was no need to edit the Registry entry.
Registering SAProuter as Windows service:
...
sc.exe create SAPRouter binPath= "<path>\saprouter.exe service -r -S 3299 -W 60000 -R <path>\saprouttab -K \"p:<distinguished name>\" "
example: sc.exe create SAPRouter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -S 3299 -W 60000 -R
D:\usr\sap\saprouter\saprouttab -K \"p:CN=example, OU=00123456, OU=SAProuter, O=SAP, C=DE\" "
...
By the way I had to specify more Parameters for the "sc.exe create" Command to get the message "[SC] CreateService SUCCESS".
It seems to be important to have / must have after "=" a "SPACE".
eg:
sc create test binPath="test" --> does not work!
sc create test binPath= "test" --> works
sc.exe create SAPRouter type= own start= auto binPath= "<path>\saprouter\saprouter.exe service -r -W 60000 -R <path>\saprouter\saprouttab -G <path>\saprouter\log\log -T <path>\saprouter\log\trace -D -K \"p:<your_distinguished_name> \" obj= "<Domain>\<SAPROUTER-User>" DisplayName= "SAPRouter" password= <Password-of-SAPROUTER-User>
example:
sc.exe create SAPRouter type= own start= auto binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -W 60000 -R d:\usr\sap\saprouter\saprouttab -G d:\usr\sap\saprouter\log\log -T d:\usr\sap\saprouter\log\trace -D-K \"p:CN=SAPROUTERSERVER, OU=SAPCUSTOMERNUMBER, OU=SAProuter, O=SAP, C=DE\" " obj= "SAPROUTERSERVER\SAPROUTER-User" DisplayName= "SAPRouter" password= XXXXXXXX
Please Take a look at "How to create sap router service in Windows 2012" https://scn.sap.com/thread/3748392
how to add a new SAP Server in SAPRouter Configuration