
SAPROUTER Configuration for LANCO11239501081


LANCO SAP Router Configuration ------------------------------------------------------------------------------------------------------------


“OSS Connectivity through SNC over Internet”

The following steps were carried out to set up SNC communication over the internet, using our SAProuter host saplanco (192.1.47.230).

1. PC with Windows 2000 or 2003 Server, service pack, latest McAfee antivirus, routing enabled.

2. Hostname: saplanco. User ID is idsadm and password lancoides1.

3. Downloaded the latest saprouter file from the SAP Service Marketplace.

4. Installed SAProuter in the directory D:\usr\sap\saprouter

5. Host file entry for sapserv2 as 194.39.131.34, and host file entry in the SAP servers as Development System and Production System.

6. Live IP address is 116.214.29.83.

7. Ping test to sapserv2 was successful, with a response time of 400-500 ms.

8. “idsadm” admin user created on the saplanco server for local login.

9. Registered our new SAProuter gilsolman with SAP; the distinguished name was obtained from SAP as “CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE”. It is obtained from this site (service.sap.com/saprouter-sncadd), and the configuration document is available from this site (service.sap.com/saprouter-sncdoc).

10. Downloaded the sapcrypto.car SAP cryptographic component file from service.sap.com

11. As user soladm we set the environment variable SECUDIR = <directory_of_saprouter> as D:\usr\sap\saprouter\


12. Installed the sapcrypto.car file using the command

    sapcar -xvf SAPCRYPTO.CAR

This command unpacks the following files:

    sapcrypto.dll
    sapgenpse.exe
    ticket

These files were installed in the D:\usr\sap\saprouter directory. Unpacking SAPCRYPTO.CAR creates the directory D:\usr\sap\saprouter\ntintel, and the two files sapcrypto.dll and sapgenpse.exe are created in it. You have to copy the ticket file from D:\usr\sap\saprouter to C:\Documents and Settings\idsadm\sec (create this directory before copying the ticket file) and to D:\usr\sap\saprouter\ntintel.

13. Then generated the certificate request with the following command, run from the command prompt in D:\usr\sap\saprouter\ntintel:

    sapgenpse get_pse -v -r certreq -p local.pse "CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE"

The command asks for a PIN; we gave admin123 (you can give anything). The certreq file is created in D:\usr\sap\saprouter\ntintel.

14. This command created one file named certreq.

    1. The output file "certreq" was copied and its contents were inserted into the certificate request text area of the same form on the SAP Service Marketplace.

    2. In response we received the certificate signed by the CA in the Service Marketplace. The text was cut and pasted into a local file named srcert (in D:\usr\sap\saprouter\ntintel). Remove the extension after creating the file srcert.

15. With this file srcert we in turn installed the certificate in our SAProuter by calling

    sapgenpse import_own_cert -c srcert -p local.pse


16. Next, the credentials for the SAProuter are created with the same program (the credentials are created for the logged-in user account):

    sapgenpse seclogin -p local.pse -O idsadm

This creates a file called cred_v2 in the C:\Documents and Settings\idsadm\sec directory; copy it to D:\usr\sap\saprouter.

To check that the certificate has been imported correctly:

    sapgenpse get_my_name -v -n Issuer

The name of the issuer was found to be: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

17. After restarting the SAProuter using the command

    saprouter -r -S 3299 -K "p: CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE"

or

    saprouter -r -S 3299 -R F:\usr\sap\saprouter\saprouttab -K "p: CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE"

we got an error that the file sncgss32.dll was missing, and the SAProuter was unable to load.

18. It was identified that the file is gss32api.dll, found on the SAP kernel CD. This file was taken and copied into the saprouter directory.

As user idsadm you have to set the environment variable

    SNC_LIB = D:\usr\sap\saprouter\ntintel\sapcrypto.dll

19. Then some additions were made to the SAProuter route permission table, named saprouttab (in D:\usr\sap\saprouter). The entries of this file are as follows:

    # outbound connections to <sapservX> will use SNC
    # SNC connection to SAP
    KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
    # SNC-connection from SAP to local R/3-System for Support
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.1.47.235 3200
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.1.47.235 3201
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.1.47.235 8000
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.1.47.235 8001
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.1.47.240 3201
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.1.47.245 3202
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.1.47.240 8001
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.1.47.245 8002
    # SNC-connection from SAP to local R/3-System for pcAnywhere
    # SNC-connection from SAP to local R/3-System for SAPtelnet
    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.1.47.240 23
    # Access from your local Network to SAPNet - R/3 Frontend
    P * 194.39.131.34 3299
    # All other connections will be permitted
    P * * *
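An added example, not part of the original document: a small Python check that parses saprouttab entries in the format shown above and reports permit entries that are broader than the SNC-restricted KP lines, such as the final P * * *. The sample table is constructed from a subset of the entries above; the function names and finding texts are this example's own.

```python
import shlex

# Constructed sample: a subset of the saprouttab entries shown above.
SAMPLE = '''\
# SNC connection to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.1.47.235 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.1.47.240 23
P * 194.39.131.34 3299
P * * *
'''

PERMIT = {"P", "S", "KP", "KS"}   # entry types that allow a connection
SNC = {"KT", "KP", "KS", "KD"}    # entry types whose first field is an SNC name


def parse(text):
    """Yield (line_no, kind, source, dest, service) for each entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex keeps the quoted SNC name, which contains spaces, as one field
        fields = shlex.split(line)
        if len(fields) < 4:
            raise ValueError(f"line {no}: expected at least 4 fields: {raw!r}")
        yield no, fields[0].upper(), fields[1], fields[2], fields[3]


def audit(text):
    """Return (line_no, finding) pairs for risky permit entries."""
    findings = []
    for no, kind, src, dst, svc in parse(text):
        if kind not in PERMIT:
            continue  # KT (transport) and D/KD (deny) open nothing by themselves
        if src == dst == svc == "*":
            findings.append((no, "permit-all: any source to any host and port"))
        elif dst == "*" or svc == "*":
            findings.append((no, "wildcard destination host or port"))
        if kind not in SNC and src == "*":
            findings.append((no, "non-SNC permit from any source"))
        if svc == "23":
            findings.append((no, "telnet (23) reachable through the router"))
    return findings


if __name__ == "__main__":
    for no, finding in audit(SAMPLE):
        print(f"saprouttab line {no}: {finding}")
```

Run against the full table above, the last entry is reported twice: once as permit-all and once as a non-SNC permit from any source.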

20. Then the SAProuter was restarted using the command

    saprouter -r -S 3299 -R D:\usr\sap\saprouter\saprouttab -K "p: CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE" -V 2

The trace file name is dev_rout.

SAProuter creation as a service (Note no. 525751). Command:

    ntscmgr install SAProuter -b D:\usr\sap\saprouter\saprouter.exe -p "service -r -W 60000 -K ^p: CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE^"

Edit the string in the registry under My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saprouter and change ^ to " under ImagePath. If ImagePath has no value, you can add this manually:

    D:\usr\sap\saprouter\saprouter.exe service -r -R D:\usr\sap\saprouter\saprouttab -W 60000 -S 3299 -K "p: CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE"


After that you have to change the SAProuter service logon details to the user soladm and password (lancoides1).

Go to OSS1 - Parameter - Technical settings.

1. After saving these technical settings, the RFC connection SAPOSS will be created automatically.

2. After executing the transaction code SDCC, the RFC connection SAPNET_RFC will be created automatically.

3. After executing the program RTCCTOOL, the RFC connection SAPNET_RTCC will be created automatically.

User ID is OSS_RFC and password is rfc in the RFC connections SAPOSS, SAPNET_RFC and SAPNET_RTCC.

    Target system: OSS
    Client: 001
    Msg. Server: /H/192.1.47.230/S/sapdp99/H/194.39.131.34/S/sapdp99/H/oss001


Port numbers for SAProuter in the firewall: 3299, 3200, 3201, 3300, 4700, 3600, telnet (23), 5632 (pcAnywhere) and 3389 (Terminal Service).

NAT command:

    static (inside,outside) 116.214.29.83 netmask 255.255.255.255

Command to open the port in the firewall:

    access-list act_out extended permit tcp any host 116.214.29.83 eq 3299
    sh run

In order to avoid this warning message and to get a proper (green: successful) connection status displayed in the SAP Service Marketplace, your firewall would have to allow only the following additional rules:

    194.39.131.34 -> 116.214.29.83: icmp (echo-request, type 8)
    116.214.29.83 -> 194.39.131.34: icmp (echo-reply, type 0)