7/5/2017 Install SAProuter

Install SAProuter
This section describes the necessary steps to download and install the SAP Cryptographic
Library for use with SAProuter. The SAProuter must be started with the options described
later in this section.
For the license conditions of the SAP Cryptographic Library, please refer to SAP Note 597059
(https://launchpad.support.sap.com/#/notes/597059). Only for the connection between SAProuters at SAP and the
first SAProuter on customer sites are certificates signed by a CA provided by SAP used. For all other uses of
SAPCRYPTOLIB for SNC in backend connections, customers are free to choose any CA of their preference or simply
use self-signed certificates as proposed by SAP for SNC connections in general.

Download SAProuter

1. Login to the SAP Support Portal with the S-User ID which is assigned to your installation.

2. Use the latest SAProuter version, which can be downloaded from the SAP Software Download Center
(https://launchpad.support.sap.com/#/softwarecenter).

On the Support Packages & Patches tab click:

A-Z Alphabetical List of Products > S > SAPROUTER > SAPROUTER (latest versions) > select OS from drop-down >
select saprouter_XXX-XXXXXXXX.sar > Download Basket button

Notes:

On Linux, be sure to set the environment variable $LIBPATH to the SAProuter directory if needed

In Windows, possibly also implement SAP Note 1553465 (https://launchpad.support.sap.com/#/notes/1553465)

In OS400, follow all instructions in SAP Note 2173275 (https://launchpad.support.sap.com/#/notes/2173275)

3. Download the latest SAP Cryptographic Library from the SAP Software Download Center
(https://launchpad.support.sap.com/#/softwarecenter).

On the Support Packages & Patches tab click:

A-Z Alphabetical List of Products > S > SAPCRYPTOLIB > COMMONCRYPTOLIB (latest version) > select OS from
drop-down > select SAPCRYPTOLIBP_xxxx-xxxxxxxx.SAR > Download Basket button

4. Download the SAPCAR executable, which is necessary to unpack SAR archives, from any Installation Kernel CD or
from the SAP Software Download Center (https://launchpad.support.sap.com/#/softwarecenter).

On the Support Packages & Patches tab click:

A-Z Alphabetical List of Products > S > SAPCAR > SAPCAR (latest version) > your preferred O.S. version >
SAPCAR_xxx-xxxxxxxx.EXE

5. Execute the command SAPCAR_XXX-XXXXXXXX.EXE -xvf saprouter_XXX-XXXXXXXX.sar which will unpack the
following files:

saprouter[.exe]

niping[.exe]

6. Execute the command SAPCAR_XXX-XXXXXXXX.EXE -xvf SAPCRYPTOLIBP_XXXX-XXXXXXXX.SAR which will
unpack the following files:

[lib]sapcrypto.[dll|so|sl]

sapgenpse[.exe]

Note:

SAP recommends that you unpack the SAPCRYPTOLIBP, SAPCAR and SAPCRYPTOLIBP files in the designated
SAProuter directory.

https://support.sap.com/en/tools/connectivity-tools/saprouter/install-saprouter.html 1/4
Create a Certificate Request

1. Logged on as an administrator, set the environment variables SNC_LIB and SECUDIR:

UNIX

SECUDIR = <directory_of_SAProuter>

SNC_LIB = <path_to_libsecude>/<name_of_sapcrypto_library>

Windows NT, 2000, XP or higher

SECUDIR = <directory_of_SAProuter>

SNC_LIB = <drive>:\<path_to_libsecude>\sapcrypto.dll

Notes:

After configuring the variables in Windows, verify them with the command 'set'. In case the variables are not
displayed as entered, reboot the server.

If the O.S. of SAProuter is OS400, implement SAP Note 2173275 (https://launchpad.support.sap.com/#/notes/2173275).

2. Change to Certification (https://support.sap.com/remote-support/saprouter/saprouter-certificates.html). From
the list of SAProuters registered to your installation, choose the relevant "Distinguished Name".

3. Generate the certificate request with the following command:

sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "<Distinguished Name>"

Example:

sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE"

Alternatively use either of these two commands:

sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -noreq -p local.pse "<Distinguished Name>"

sapgenpse get_pse -v -onlyreq -r certreq -p local.pse

4. Display the output file "certreq" and with copy & paste (including the BEGIN and END statement) insert the
certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the
Distinguished Name.

5. In response you will receive the certificate signed by the CA in the Service Marketplace. Copy & paste the text to a
new local file named "srcert", which must be created in the same directory as the sapgenpse executable.

6. With this in turn you can install the certificate in your SAProuter by calling:

sapgenpse import_own_cert -c srcert -p local.pse

7. Now you will have to create the credentials for the SAProuter with the same program (if you omit -O
<user_for_SAProuter>, the credentials are created for the logged in user account):

sapgenpse seclogin -p local.pse -O <user_for_SAProuter>

8. This will create a file called "cred_v2" in the same directory as "local.pse"

Notes:

The account of the service user should always be entered in full <domainname>\<username>

For increased security, check that the file can only be accessed by the user running SAProuter

On UNIX, do not allow any other access (not even from the same group); this means setting the permissions to
600 or even 400

On Windows check that the permissions are granted only to the user the service is running as

9. Check if the certificate has been imported successfully with the following command:

sapgenpse get_my_name -v -n Issuer

The name of the issuer should be:

CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE

10. If this is not the case, delete the files "cred_v2", "local.pse", "srcert" and "certreq" and start over at item 3. If the
output still does not match, open an incident using component XX-SER-NET stating the actions you have taken so far
and the output of the commands 3., 6., 7. and 9.

Required Actions Before Starting SAProuter

Check if the environment of the account running SAProuter contains the environment variables SNC_LIB and
SECUDIR

UNIX - printenv

Windows NT, 2000, XP - User environment variable
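
The environment check above and the file-permission notes from step 8 can be scripted for a UNIX host. This is an added example, not SAP-provided code; the function name check_snc_env is hypothetical, and it assumes GNU or BSD stat is available.

```sh
#!/bin/sh
# Added example (not SAP code): pre-start check of the SNC environment.
# Run it as the account that will start SAProuter, or pass that account name.
# check_snc_env [USER] -> one finding per line on stdout, status 1 if any.
check_snc_env() {
    uid=$(id -u ${1:+"$1"})     # numeric UID of the SAProuter account
    rc=0
    [ -n "${SECUDIR:-}" ] || { echo "SECUDIR is not set"; return 1; }
    [ -n "${SNC_LIB:-}" ] || { echo "SNC_LIB is not set"; rc=1; }
    [ -z "${SNC_LIB:-}" ] || [ -r "$SNC_LIB" ] ||
        { echo "SNC_LIB is not readable: $SNC_LIB"; rc=1; }
    for f in local.pse cred_v2; do
        path="$SECUDIR/$f"
        [ -f "$path" ] || { echo "missing $path"; rc=1; continue; }
        # GNU stat takes -c, BSD stat takes -f
        mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
        fuid=$(stat -c '%u' "$path" 2>/dev/null || stat -f '%u' "$path")
        case "$mode" in
            600|400) ;;         # owner-only access, as the notes require
            *) echo "$path has mode $mode, expected 600 or 400"; rc=1 ;;
        esac
        [ "$fuid" = "$uid" ] ||
            { echo "$path is owned by UID $fuid, expected $uid"; rc=1; }
    done
    return "$rc"
}
```
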

The corresponding file saprouttab, a local file that must be created manually and is normally created in the main
SAProuter directory, must contain at least the following entries:

Example SAPROUTTAB for SNC connections registered to sapserv2 in Germany

# SNC connection to and from SAP

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC connection to local system for R/3-Support

# R/3 Server: 192.168.1.1

# R/3 Instance: 00

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200 (optional SAProuter password)

# SNC connection to local WINDOWS system for WTS, if applicable

# Windows server: 192.168.1.2

# Default WTS port: 3389

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389 (optional SAProuter password)

# SNC connection to local UNIX system for SAPtelnet, if applicable

# UNIX server: 192.168.1.3

# Default Telnet port: 23

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23 (optional SAProuter password)

# SNC connection to local Portal system for URL access, if applicable

# Portal server: 192.168.1.4

# Port number: 50003

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.4 50003 (optional SAProuter password)

# Access from the local Network to SAP

P 192.168.*.* 194.39.131.34 3299

# deny all other connections

D * * *

Example SAPROUTTAB for SNC connections registered to sapserv9 in Singapore

# SNC connection to and from SAP

KT "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 169.145.197.110 *

# SNC connection to local system for R/3-Support

# R/3 Server: 192.168.1.

# R/3 Instance: 00

KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200 (optional SAProuter password)

# SNC connection to local WINDOWS system for WTS, if applicable

# Windows server: 192.168.1.2

# Default WTS port: 3389

KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389 (optional SAProuter password)

# SNC connection to local UNIX system for SAPtelnet, if applicable

# UNIX server: 192.168.1.3

# Default Telnet port: 23

KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23 (optional SAProuter password)

# SNC connection to local Portal system for URL access, if applicable

# Portal server: 192.168.1.4

# Port number: 50003

KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.4 50003 (optional SAProuter password)

# Access from the local Network to SAP

P 192.168.*.* 169.145.197.110 3299

# deny all other connections

D * * *
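
Both sample tables follow one pattern: SNC entries towards SAP and the local systems, a plain permit only towards SAP on port 3299, and a final deny-all entry. The added example below (not SAP code) lints a saprouttab for deviations from that pattern; the function names and the sample table are constructed, and only the entry types P, S, D, KT, KP, KS and KD are handled.

```sh
#!/bin/sh
# Added example (not SAP code): lint a saprouttab against the pattern of the
# sample tables. Handles only the entry types P, S, D, KT, KP, KS and KD.
# lint_saprouttab FILE -> one finding per line on stdout, status 1 if any.
lint_saprouttab() {
    awk '
    function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; rc = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        kind = toupper($1); last = ""
        if (kind ~ /^K[TPSD]$/) {           # SNC entry: type "name" host port
            if (!match($0, /"[^"]*"/)) { bad("SNC entry without quoted name"); next }
            if (substr($0, RSTART + 1, 2) != "p:") bad("SNC name lacks p: prefix")
            nf = split(substr($0, RSTART + RLENGTH), f, " ")
            host = f[1]; port = f[2]
        } else if (kind ~ /^[PSD]$/) {      # plain entry: type source host port
            nf = NF - 2; host = $3; port = $4
        } else { bad("unrecognised or run-together entry"); next }
        if (nf < 2) { bad("missing destination host or port"); next }
        # Permit-type entries should name a concrete destination host and port.
        if (kind ~ /^(P|S|KP|KS)$/ && (host == "*" || port == "*"))
            bad("permit entry with wildcard destination")
        if (kind == "D" && $2 == "*" && host == "*" && port == "*") last = "deny-all"
    }
    END {
        if (last != "deny-all") { print "table does not end with D * * *"; rc = 1 }
        exit rc + 0
    }' "$1"
}

# Constructed sample: an over-broad plain permit and a run-together deny line.
sample_bad_table() {
    cat <<'EOF'
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200
P 192.168.*.* * *
D***
EOF
}
```

Run it as `lint_saprouttab ./saprouttab` before starting SAProuter; a clean table produces no output and exit status 0.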

Start the SAProuter with the following command line (to start the SAProuter as a Windows service, follow the steps
described in SAP Note 525751 (https://launchpad.support.sap.com/#/notes/525751)):

-K tells the SAProuter to start with loading the SNC library

<Distinguished Name> : you can find this parameter on the Certification webpage
(https://support.sap.com/remote-support/saprouter/saprouter-certificates.html) after you click the Apply Now button.

Example

saprouter -r -K "p:CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE"

If you omit -S, the process is started on the default port 3299.

Note:

If the O.S. of SAProuter is OS400, implement SAP Note 1818735 (https://launchpad.support.sap.com/#/notes/1818735)

If SAProuter fails to start, also implement SAP Note 684106 (https://launchpad.support.sap.com/#/notes/684106) - Microsoft runtime DLLs.
