How to secure a SAProuter Connection
SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP systems, or between SAP systems and external networks.
This document explains the procedure to install SAProuter with additional security.
Below is a brief explanation of the installation I did:
- A new VM was built on the DMZ.
- Registered that VM’s details with SAP using the “Remote connection data sheet” in Note 28976.
- Downloaded the latest version of the SAProuter software and Crypto Library.
- Installed SAProuter as a service as per Note 525751.
- Created the saproutab file with SNC settings.
- Opened firewall ports.
- Generated PSE file using the link https://launchpad.support.sap.com/#/saproutercertificate
- Ran the sapgenpse command using that PSE file.
- Made additional security changes as explained below.
Most functions of CommonCryptoLib are controlled directly by the application, but additional parameters (mainly for SNC) are determined by configuration. That configuration can be defined in a configuration file. CommonCryptoLib gets the name of its configuration file from the environment variable CCL_PROFILE.
Follow the steps in Note 2338952:
- Create a new configuration file.
- Add the below entries in that file:
  - ccl/snc/client_cipher_suites = HIGH
  - ccl/snc/server_cipher_suites = HIGH
- Set a new environment variable CCL_PROFILE to the path of that configuration file.
- Restart the SAProuter service.
Once the above settings are in place, the SNC connection will only use HIGH ciphers.
The following two parameters can also be added to the file; when required, the trace level can be increased to obtain additional traces.
- ccl/trace/directory = C:\usr\sap\SAPRouter\SAPRouter_Trace
- ccl/trace/level = 2
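
The configuration steps above as one PowerShell script, added here as an example and not taken from Note 2338952 or from SAP. The profile file name and the service name `SAProuter` are assumptions, and creating the trace directory in advance is a precaution rather than a documented requirement.

```powershell
# Added example: write the CommonCryptoLib profile, point CCL_PROFILE at it,
# verify both, then restart the service. Run from an elevated prompt.
#Requires -RunAsAdministrator

$ProfilePath = 'C:\usr\sap\SAPRouter\ccl_profile.txt'   # assumed file name and location
$ServiceName = 'SAProuter'                              # assumed; use the name chosen at install
$EnableTrace = $false                                   # set to $true only while troubleshooting
$TraceDir    = 'C:\usr\sap\SAPRouter\SAPRouter_Trace'   # trace path given on this page

$lines = @(
    'ccl/snc/client_cipher_suites = HIGH',
    'ccl/snc/server_cipher_suites = HIGH'
)
if ($EnableTrace) {
    New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null
    $lines += "ccl/trace/directory = $TraceDir"
    $lines += 'ccl/trace/level = 2'
}

# ASCII avoids the byte-order mark that Windows PowerShell writes for UTF8.
Set-Content -Path $ProfilePath -Value $lines -Encoding ASCII

# Machine scope, so the value is not tied to the user running this script.
[Environment]::SetEnvironmentVariable('CCL_PROFILE', $ProfilePath, 'Machine')

# Read both settings back before restarting, and stop on any mismatch.
$envValue = [Environment]::GetEnvironmentVariable('CCL_PROFILE', 'Machine')
if ($envValue -ne $ProfilePath) {
    throw "CCL_PROFILE is '$envValue', expected '$ProfilePath'"
}
foreach ($key in 'ccl/snc/client_cipher_suites', 'ccl/snc/server_cipher_suites') {
    $pattern = '^\s*' + [regex]::Escape($key) + '\s*=\s*HIGH\s*$'
    if (-not (Select-String -Path $ProfilePath -Pattern $pattern -Quiet)) {
        throw "$key is not set to HIGH in $ProfilePath"
    }
}

Restart-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status
```

Leave `$EnableTrace` at `$false` for normal operation and re-run the script with `$true` only for the duration of a troubleshooting session.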