SAProuter Installation Step by Step

SAProuter Installation

1. Introduction
The purpose of this document is to set out the process used in the creation of a SAProuter
connection to SAP.

2. Installation Process
2.1. Server

A dedicated server (hostname) has been built for the SAProuter). The spec of this server
is:
2 hyper-threading (HTT) CPUs with 2GHz tact frequency
2 GB RAM
50 MB free space on the hard drive for SAProuter and configuration
20GB D: drive for SAP router & log files
64bit server
OS Windows 2008
Its internal IP address: Host IP

2.2. SAP Registration

In order to have this new SAProuter connection with SAP, registered the following details
with SAP.
On approval SAP register the following details in the SAP Marketplace

1.1. SAProuter Software

The following version of the SAProuter software was downloaded from the SAP
Marketplace:
SAProuter 7.20 (patch level 423) for Windows on x64 64bit

We also downloaded the following cryptographic software for the SNC connection
SAPCRYPTOLIB 5.5.5 (patch level 36) for Windows on x64 64bit

1.1. Setting the environment variable

Once the software has been installed on the server the next step is to set the environment
variables SECUDIR and SNC_LIB. These are as follows:
SECUDIR = D:\usr\sap\sap\saprouter
SNC_LIB = D:\usr\sap\sap\saprouter\ntintel\sapcrypto.dll

One set reboot the system once you have checked that the terminal services have started.

1.1. Downloading and installing the SAProuter

certificate

From the SAP Marketplace download a certificate and then install it on the server. The
process for doing this is as follows.
Go to the SAP Marketplace and obtain the Distinguished Name for the new SAProuter
installation as advised by SAP. For this installation it is:
CN=HOSTNAME, OU=0000848841, OU=SAProuter, O=SAP, C=DE

Generate the certificate request with the command: sapgenpse get_pse -v -r certreq -p
local.pse "" as follows:
sapgenpse get_pse -v -r certreq -p local.pse "CN=hostname, OU=0000848841,
OU=SAProuter, O=SAP, C=DE"

From the directory D:\usr\sap\sap\saprouter\ntintel\, copy the content of the file certreq to
the second tab Create and Enter CSR in the SAP Marketplace.

SAP will then return the new certificate on selecting Request

Certificate

Copy and paste the text to a new local file named "srcert", which must be created in the
same directory as the sapgenpse executable (D:\usr\sap\sap\saprouter\ntintel\)

This certificate needs to be imported into SAProuter.

First of all execute the following command on the /saprouter/ntintel directory:
sapgenpse import_own_cert -c srcert -p local.pse
Enter PIN: ?????

Now you will have to create the credentials for the SAProuter to do this execute the
following command in the /saprouter/ntintel directory.
sapgenpse seclogin -p local.pse
Enter PIN: ????? (same as point 9)

This will create a file "cred_v2" in the same directory as local.pse.

To check whether the certificate has been imported correctly execute this command in the
/saprouter/ntintel directory.
sapgenpse get_my_name -v -n Issuer
The successful result will be: Issuer : "CN=SAProuter CA, OU=SAProuter, O=SAP,
C=DE".

1.1. Installing the SAProuter as an NT Service

Should there be registry changes also detailed here?

Use the following command to newly define the service from the command line:
sc.exe create SAPRouter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -W
60000 -R D:\usr\sap\saprouter\saprouttab -K ^p:CN=HOSTNAME, OU=0000848841,
OU=SAProuter, O=SAP, C=DE ^" start= auto obj= "NT AUTHORITY\LocalService"
You will receive the following success message: [SC] CreateService SUCCESS

1.1. Starting the SAProuter

To start the SAProuter use the following command line:

saprouter -r -S -K "p:"
(-K tells the SAProuter to start with loading the SNC library)
In our case the command was:
saprouter -r -K "p:CN=hostname, OU=0000848841, OU=SAProuter, O=SAP, C=DE"
The parameter -S , was omitted and therefore the SAProuter is using the default port
3299.

Network Part.
|
|

Network Part.
Steps described in SAP note 525751(Installation of the SNC SAP Router as
NT Service)

Edit the string in the registry under

MyComputer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ saprouter and change ^
to under Image Path.

Then Save it.

Routtab configuration.
The corresponding file saprouttab must contain at least the following entries
# Outbound connections to will use SNC
KT "p:CN=sapservX, OU=SAProuter, O=SAP, C=DE"
# Inbound connections MUST use SNC
KP "p:CN=sapservX, OU=SAProuter, O=SAP, C=DE"
# Repeat this for the servers and port_numbers you will need to
# allow. Please make sure that all explicit ports are inserted
in
# front of a generic entry '*' for port_number
# Permission entries to check if connection is allowed at all
P
# All other connections will be denied
D***

Configuration in SAP market place and OSS1 (Technical settings)

Tcode- OSS1

Go to technical settings
Maintain the details. (New SAP router details)

Cross check the Msg Server string, it should be with the new SAP router,
/H/Router Host IP/S/sapdp99/H/194.39.131.34/S/sapdp99/H/oss001

Login to SMP. (SAP market place)

Help & Support -> Connect to SAP > Maintain connection
Select the system.> go to system data. Update the router information as below indicated