SAP Support SNC Connection

 

INSTALLING THE SAPCRYPTO LIBRARY AND STARTING THE SAPROUTER

CONTENTS

This section describes the necessary steps to download and install the sapcrypto library for use with SAProuter. The SAProuter must be started with the options described later in this section.

For License conditions of SAP Cryptographic Library please refer to SAP note 597059.

Please note, that only for the connection between SAProuters at SAP and the first SAProuter on customer sites, certificates signed by a CA provided by SAP are being used. For all other uses of SAPCRYPTOLIB for SNC in backend connections, customers are free to choose any CA of their preference or simply use self-signed certificates as proposed by SAP for SNC connections in general.

Downloading necessary software components from SAP Service Marketplace

  1. Login to the SAP Service Marketplace with the S-user ID which is assigned to your installation.
  2. Use the latest SAProuter version, which can be downloaded from the SAP Software Download Center at http://service.sap.com/swdc.
  3. Change to http://service.sap.com/saprouter-sncadd. Before you can download the software components two preconditions must be met:

    1. You must have been allowed to download the software. This authorization is added as soon as SAP has received a positive statement from the "Bundesausfuhramt" (German Federal Export Office). This procedure is necessary since the software falls under EU regulations.

      For more information on how to obtain authorization if download is not possible see note 397175.

    2. You must accept that you must follow the regulations imposed by the EU on the use and distribution of the cryptographic software components downloaded from the SAP Service Marketplace.

      The acceptance of the terms and conditions is logged with your user ID and stored for reporting purposes to the "Bundesausfuhramt".

  4. Click on "Download Area" > "SAP Cryptographic Software" and select the correct sapcrypto library for your SAProuter <op-sys>. Save the file to the directory where the SAProuter executable is located.
  5. You can get the file car.exe/sapcar.exe, which is necessary to unpack the archive from any Installation Kernel CD. Executing the command car -xvf SAPCRYPTO.CAR will unpack the following files:
    • [lib]sapcrypto.[dll|so|sl]
    • sapgenpse[.exe]
    • ticket

Back to top

Creating the certificate request

  1. As user <snc_adm> set the environment variables SNC_LIB and SECUDIR:

    UNIX

    SECUDIR = <directory_of_SAProuter>

    SNC_LIB = <path_to_libsecude>/<name_of_sapcrypto_library>
    Windows NT, 2000, XP or higher

    SECUDIR = <directory_of_SAProuter>

    SNC_LIB = <drive>:\<path_to_libsecude>\ntia64\sapcrypto.dll or
    SNC_LIB = <drive>:\<path_to_libsecude>\ntintel\sapcrypto.dll or
    SNC_LIB = <drive>:\<path_to_libsecude>\nt-x86_64\sapcrypto.dll
    Note After configuring the variables in Windows, you have to reboot this server before you continue.
  2. Change to http://service.sap.com/saprouter-sncadd. From the list of SAProuters registered to your installation, choose the relevant "Distinguished Name".

  3. Generate the certificate Request with the command:
    sapgenpse get_pse -v -r certreq -p local.pse "<Distinguished Name>"

    Example:
    sapgenpse get_pse -v -r certreq -p local.pse "CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE"

    Alternatively use the two commands:
    sapgenpse get_pse -v -noreq -p local.pse "<Distinguished Name>"
    sapgenpse get_pse -v -onlyreq -r certreq -p local.pse

    You will be asked twice for a PIN here. Please choose a PIN and document it, you have to enter it identically both times. Then you will have to enter the same PIN every time you want to use this PSE.

  4. Display the output file "certreq" and with copy & paste (including the BEGIN and END statement) insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.
  5. In response you will receive the certificate signed by the CA in the Service Marketplace. Copy & paste the text to a new local file named "srcert", which must be created in the same directory as the sapgenpse executable.
  6. With this in turn you can install the certificate in your SAProuter by calling:
    sapgenpse import_own_cert -c srcert -p local.pse

  7. Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user_for_SAProuter>, the credentials are created for the logged in user account).
    sapgenpse seclogin -p local.pse -O <user_for _SAProuter>

    Note: The account of the service user should always be entered in full <domainname>\<username>

  8. This will create a file called "cred_v2" in the same directory as "local.pse"

    For increased security please check that the file can only be accessed by the user running the SAProuter.

    Do not allow any other access (not even from the same group)!
    On UNIX this will mean permissions being set to 600 or even 400!
    On Windows check that the permissions are granted only to the user the service is running as!

  9. Check if the certificate has been imported successfully with the following command:
    sapgenpse get_my_name -v -n Issuer

    The name of the Issuer should be:
    CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

  10. If this is not the case, delete the files "cred_v2"and "local.pse" and start over at item 3. If the output still does not match please open a customer message at component XX-SER-NET stating the actions you have taken so far and the output of the commands 3.,6.,7. and 9.

Back to top

Additional actions necessary before you can start SAProuter

  1. Check if the environment of the user running SAProuter contains the environment variable SNC_LIB and SECUDIR

    UNIX printenv
    Windows NT, 2000, XP User environment variable

  2. Start the SAProuter with the following command line (to start the SAProuter as a Windows service, please follow the steps described in SAP note 525751):
    saprouter -r -S <port> -K "p:<Distingushed Name>"

    -K tells the SAProuter to start with loading the SNC library

    Example
    saprouter -r -K "p:CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE"

    If you omit -S <port>, the process is being started on default Port 3299.

  3. The corresponding file saprouttab must contain at least the following entries

    # Outbound connections to <sapservX> will use SNC
    KT "p:CN=sapservX, OU=SAProuter, O=SAP, C=DE" <sapservX> <inbound_port>

    # Inbound connections MUST use SNC
    KP "p:CN=sapservX, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>

    # Repeat this for the servers and port_numbers you will need to
    # allow. Please make sure that all explicit ports are inserted in
    # front of a generic entry '*' for port_number

    # Permission entries to check if connection is allowed at all
    P <IP address of a local host> <IP address of sapservX>

    # All other connections will be denied
    D * * *

    Examples

    SNC connections registered to sapserv2 in Germany

    # SNC connection to and from SAP
    KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

    # SNC connection to local system for R/3-Support
    # R/3 Server: 192.168.1.1
    # R/3 Instance: 00
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200

    # SNC connection to local WINDOWS system for WTS, if applicable
    # Windows server: 192.168.1.2
    # Default WTS port: 3389
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389

    # SNC connection to local UNIX system for SAPtelnet, if applicable
    # UNIX server: 192.168.1.3
    # Default Telnet port: 23
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23

    # SNC connection to local Portal system for URL access, if applicable
    # Portal server: 192.168.1.4
    # Port number: 50003
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.4 50003

    # Access from the local Network to SAP
    P 192.168.*.* 194.39.131.34 3299

    # deny all other connections
    D * * *

    SNC connections registered to sapserv9 in Singapore

    # SNC connection to and from SAP
    KT "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 169.145.197.110 *

    # SNC connection to local system for R/3-Support
    # R/3 Server: 192.168.1.1
    # R/3 Instance: 00
    KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200

    # SNC connection to local WINDOWS system for WTS, if applicable
    # Windows server: 192.168.1.2
    # Default WTS port: 3389
    KP "p:CN=sapserv9 OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389

    # SNC connection to local UNIX system for SAPtelnet, if applicable
    # UNIX server: 192.168.1.3
    # Default Telnet port: 23
    KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23

    # SNC connection to local Portal system for URL access, if applicable
    # Portal server: 192.168.1.4
    # Port number: 50003
    KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.4 50003

    # Access from the local Network to SAP
    P 192.168.*.* 169.145.197.110 3299

    # deny all other connections
    D * * *

 

 

Reason and Prerequisites

A SAProuter connection to SAP (SAPserv X) has already been set up.
This note does not provide information on how to setup the SAProuter connection - see Note 35010.

 

Solution

The procedure for setting up the R/3 support connection is divided into three sections:
-  Setting up SAProuter.
-  Maintaining the system data in the SAP Support Portal of the SAP Service Marketplace.
   Note that SAP employees can ONLY log on to servers that are maintained in the system data.
-  Setting up the service in the SAP Support Portal of the SAP Service Marketplace and opening the service connection.


Setting up SAProuter:
-  Check with which route permission table 'saprouttab' the used SAProuter works.
   Create an entry of the type:
   P <IP address SAP-SR> <IP server> <instance number>
   Example:
   P  147.204.2.5  10.10.10.10  3200

   or for SNC encryption (SAPserv2):
   KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <IP Server>
   <Instance number>
   Example:
   KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.10.10.10 3200
   in the corresponding table.

Instance number: Instance number, under which the R/3 system is accessible on this server. This number is NOT 3299, but in most cases 3200 or 3201. You can also maintain several instances.

-  Read the changed table in the SAProuter with the command 'saprouter - n ' or restart the SAProuter.
-  Check whether the SAProuter can reach the target host (IP address or, if necessary, host name) on the corresponding port of the application. If not, set up the network accordingly. Note that only the current SAProuter software supports all services. If necessary, update your SAProuter software.


Maintaining the system data in the SAP Support Portal of the SAP Service Marketplace:

System data maintenance:
-  Log on to the SAP Support Portal, alias 'serviceconnection' (URL: http://service.sap.com/serviceconnection).
-  Choose 'Manage connections'.
-  Select the desired system by clicking the system ID.
-  Choose 'Display system data' (in the lower part of the screen).
-  Select the 'DB server' or 'Application server' tab.
-  Choose 'Create server'.
-  Enter the required data (IP address in particular). Note that the entries for the additional SAProuter are only needed if two SAProuters are to be used in a row on your side.
-  Save the entries.

Creating the service and opening the connection:
-  Log on to the SAP Support Portal, alias 'serviceconnection' (URL: http://service.sap.com/serviceconnection).
-  Select the desired system by clicking the system ID

Creating the service:
-  Choose 'Manage services'.
-  Select the service R/3 Support by clicking the icon in front of the service name.
-  Choose a contact person.
-  Copy the selection using the 'Save' button at the end of the list.
-  Press the back button to go back to the view 'Service connections - System SID'

Opening the connection:
-  Use the 'Manage connections' button to display the list of the active services.
-  Click the icon in front of the service to open the corresponding service connection. You can maintain the contact person manually or make a selection from the registered contact persons.

Reason and Prerequisites

You must already have a physical link to SAP (for example, using ISDN, VPN, and so on).

The addresses of external providers, such as network providers, are available in Notes 33953 (network providers Europe/EMEA), 200330 (network providers CIS and Baltic states), 40739 (network providers America), 37946 (network providers Asia), 39894 (network providers Japan) or 102414 (network providers Australia and New Zealand).



Solution

Table of contents:


1. Technical requirements
1.1 Setting up your network
1.2 Configuration of the SAProuter
1.3 Setting up your R/3 system
1.4 Testing the network connection to SAP

2. Setting up the service connection (access by SAP to your systems, support connection)
2.1 Releases on the SAProuter (for customer)
2.2 Maintaining your system data in the SAP Support Portal
2.3 Setting up or activating the service connections
2.4 Opening the service connection in the SAP Support Portal

1. Technical requirements

To set up the service connection, you require a data line to SAP. A SAProuter must also be installed and configured on both sides (customer, SAP).

1.1 Setting up your network

Choose the network type that you require for your remote connection:

    • ISDN dial-up connection (Note 32500)
    • Internet connection (VPN or SNC connection, see SAP Note 486688, or URL http://service.sap.com/internetconnection)
    • Provider connection (SAP Note 33953 Europe/EMEA, SAP Note 200330 CIS and Baltic states, SAP Note 37946 Asia, SAP Note 39894 Japan, SAP Note 102414 Australia/New Zealand, or SAP Note 40739 America/Canada).


The main document for registering your connection/SAProuter IP address with SAP is SAP Note 28976 (Remote Connection Data Sheet). This SAP Note contains all of the information that you require when setting up your connection to SAP. You must therefore fill out this document completely and send it to SAP. SAP Note 28976 contains the contact addresses.
If you have any problems or any questions about this paragraph, create an incident under the component XX-SER-NET in the SAP Support Portal. This is located at http://service.sap.com/message (for help, see point 3).

1.2 Configuration of the SAProuter

Information about setting up the SAProuter is available in the SAP Support Portal at http://service.sap.com/saprouter or in Note 30289 "SAProuter documentation" (refer to the attachment).
If you have any problems or any questions about the SAProuter, create an incident under the component BC-CST-NI in the SAP Support Portal. This is located at http://service.sap.com/message (for help, see point 3).

1.3 Setting up your R/3 system

SAP Note 33135 describes the procedure for setting up transaction OSS1 for the connection test. You have to set up and test the connection in transaction OSS1, because RFC connections, for example, also transfer and use the settings that are maintained here.
If you have any problems or any questions about this paragraph, create an incident under the component XX-SER-NET in the SAP Support Portal. This is located at http://service.sap.com/message (for help, see point 3).

1.4 Testing the network connection to SAP

Perform a connection test to ensure that the settings, and therefore the function of the network connection to SAP, are correct.
If you have any problems or any questions about this paragraph, create an incident under the component XX-SER-NET in the SAP Support Portal. This is located at http://service.sap.com/message (for help, see point 3).

2 Setting up the service connection (access by SAP to your systems, support connection)

The service connection from SAP to your systems uses only the existing connection between the SAProuter in SAP and the SAProuter that is set up in your network infrastructure and registered with SAP (SAProuter of customer). No provision is made for other service connections, such as browser-supported connections using the public Internet (without sapserv1 or sapserv2).
Your SAProuter enables you to access all of your SAP solutions, but you can use the maintained system data, the setting of the service accesses to be used (for example R/3 Support, HTTP Connect URLAccess, and so on) and the setting of your SAProuter (keyword 'saprouttab') to determine which accesses you want to allow. This means that a service connection allows you to have control over all access options.

2.1 Releases on the SAProuter (for customer)

The SAProuter must be registered and set up as described in paragraph 1 and the paragraphs that follow. This means that the data transfer to the SAProuter software must also be possible from the SAP system (SAPservX) to the port that is maintained in the system data (see point 2.2 for system data maintenance). The accesses by SAP to the systems must be released in the route permission table 'saprouttab' (see point 1.2 or SAP Note 30289 "SAProuter documentation" and refer to the attachment).
If you have any problems or any questions about this paragraph, create an incident under the component XX-SER-NET in the SAP Support Portal. This is located at http://service.sap.com/message (for help, see point 3).

2.2 Maintaining your system data in the SAP Support Portal

To enable an SAP employee to access your systems, you must completely maintain the system data in the SAP Support Portal at http://service.sap.com/system-data. The portal also describes the maintenance of the system data. Note that SAP employees can ONLY log on to systems or servers that are maintained in the system data. SAP employees CANNOT manually select the target system or server, for example, by entering their IP addresses.
If you have any problems or any questions about this paragraph, create an incident under the component XX-SER-SAPSMP-SYS in the SAP Support Portal. This is located at http://service.sap.com/message (for help, see point 3).

If you are using the SAP Solution Manager, you can use a background job to periodically transfer your system data to the SAP Support Portal (see SAP Note 993775).
If you have any problems or questions regarding the SAP Solution Manager, create an incident in the SAP Support Portal at http://service.sap.com/message (for help, see point 3). For questions about the installation or configuration, create the incident under the component SV-SMG-INS and for questions and problems regarding the setting-up of the service connection, create the incident under the component SV-SMG-SVC.

2.3 Setting up or activating the service connections

Before you can open a certain service connection, you must set it up or activate it. A list of the individual service types including the corresponding SAP Note is available here:
https://support.sap.com/remote-support/connection-types.html

If you have any problems or any questions about this paragraph, create an incident under the component XX-SER-NET in the SAP Support Portal. This is located at http://service.sap.com/message (for help, see point 3).

If you are using the SAP Solution Manager, you can use transaction SOLMAN_CONNECT to set up the service connections. You can also migrate connections that have already been set up in the SAP Support Portal to the Solution Manager. Further support for this issue is available in the SAP Support Portal under http://help.sap.com/saphelp_sm40/helpdata/en/28/9015dd452e48fabfb86098cda89e5b/frameset.htm or
http://help.sap.com/saphelp_sm40/helpdata/de/28/9015dd452e48fabfb86098cda89e5b/frameset.htm. If you have any problems or questions regarding the SAP Solution Manager, create an incident in the SAP Support Portal at http://service.sap.com/message (for help, see point 3). For questions about the installation or configuration, create the incident under the component SV-SMG-INS and for questions and problems regarding the setting-up of the service connection, create the incident under the component SV-SMG-SVC.

2.4 Opening the service connection in the SAP Support Portal

SAP Note 31515 describes how to open a service connection. Use the following link: http://service.sap.com/access-support. Define the logon data for your systems as described in SAP Note 508140.
If you have any problems or any questions about this paragraph, create an incident under the component XX-SER-SAPSMP in the SAP Support Portal. This is located at http://service.sap.com/message (for help, see point 3).

If you are using the SAP Solution Manager, you can use transaction SOLMAN_CONNECT to open the service connections.
If you have any problems or any questions regarding the SAP Solution Manager, create an incident under the component SV-SMG in the SAP Support Portal. This is located at http://service.sap.com/message (for help, see point 3).