Wednesday, September 7, 2016

SAP Router configuration and renew of the SAP router Certificate



The first thing you need to do is send a customer message to SAP
Support (component XX-SER-NET-OSS-NEW) and ask them to register the
hostname and IP of your new SAProuter.

You have to register it with an official IP address (no internal IPs
allowed), but it is allowed to use NAT in the firewall/router.

After you’ve received a confirmation from SAP that your SAProuter has
been registered, you are ready to configure your SAProuter.

If your SAProuter directory is C:\usr\sap\saprouter, these are the steps
to follow.


1. Set two environment variables: SECUDIR and SNC_LIB

C:\usr\sap\saprouter

The environment variable SNC_LIB needs to be set for the user account
   SAProuter is running under.

   Variable Name : SNC_LIB
   Variable Value : D:\usr\sap\saprouter\ntintel\sapcrypto.dll


Set the environment variable SECUDIR = <directory_of_saprouter>

   Variable Name : SECUDIR
   Variable Value : D:\usr\sap\saprouter





                         

2. Download the SAP Crypto Library from the SAP Service Marketplace.

Create the folder d:\usr\sap\saprouter on the system where you are installing, and
unpack the downloaded software into that folder.

Copy these files to the saprouter folder:
saprouter.exe
niping.exe
sapgen.exe

Then copy these files to the saprouter folder:
LEGAL.TXT
Ticket
LICENSE.txt
Saprouttab

Copy the ntintel folder to the saprouter folder.



3. To generate a certificate request, run the command:

sapgenpse get_pse -v -r certreq -p local.pse "CN=SOLMAN, OU=0000491517, OU=SAProuter, O=SAP, C=DE"



Note: You will be asked for a PIN code. Just pick your own 4 numbers, but
you’ll have to use the same PIN every time you’re asked to enter one.

Please enter PIN:
Please reenter PIN:

Supplied distinguished name: "CN=SOLMAN, OU=0000491517, OU=SAProuter, O=SAP, C=DE"
Generating key (RSA, 1024-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.


4. Then you have to follow the guide and request the certificate from
http://service.sap.com/tcs -> Download Area -> SAProuter Certificate

Go to http://service.sap.com/saprouter-sncadd

Request a certificate for the SAProuter,

which will give the certificate like below.












5. Create a file C:\usr\sap\saprouter\srcert, copy the requested
certificate into this file and save it.

Then run the command:
sapgenpse import_own_cert -c C:\usr\sap\saprouter\srcert -p local.pse



6. To generate credentials for the user that’s running the SAProuter
service, run command:
sapgenpse seclogin -p local.pse

running seclogin with USER="XXXadm"
Please enter PIN:
 Added SSO-credentials for PSE "C:\usr\sap\saprouter\local.pse"
   "CN=SOLMAN, OU=0000491517, OU=SAProuter, O=SAP, C=DE"



7. Check the configuration by running command:

sapgenpse get_my_name -v -n Issuer
(This should always give the answer “CN=SAProuter CA, OU=SAProuter,
O=SAP, C=DE”)

C:\usr\sap\saprouter>sapgenpse get_my_name -v -n Issuer
 Opening PSE "D:\usr\sap\saprouter\local.pse"...
 PSE open ok.
 ok.
 Retrieving my certificate... ok.
 Getting requested information... ok.
SSO for USER "wr1adm"
  with PSE file "D:\usr\sap\saprouter\local.pse"

Issuer  : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
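
The checks from steps 1 to 7 can be run in one pass. The PowerShell below is an added example, not part of the original post and not SAP-provided code; it assumes sapgenpse.exe is in the SECUDIR folder and that it runs under the account that runs SAProuter. The function name Test-SapRouterSnc is hypothetical.

```powershell
# Added example: pre-flight check for steps 1 to 7 (not SAP-provided code).
# Assumption: sapgenpse.exe sits in the SECUDIR folder and this runs under the
# account that runs SAProuter, so the SSO credentials from step 6 apply.
$expectedIssuer = 'CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE'   # from step 7

function Test-SapRouterSnc {
    $problems = @()

    # Step 1: both variables must be set and point at something that exists.
    foreach ($name in 'SECUDIR', 'SNC_LIB') {
        $value = [Environment]::GetEnvironmentVariable($name)
        if (-not $value) { $problems += "$name is not set" }
        elseif (-not (Test-Path -LiteralPath $value)) {
            $problems += "$name points to a missing path: $value"
        }
    }
    if ($problems) { return $problems }

    # Steps 3 to 6: the PSE and the credential file created by seclogin.
    foreach ($file in 'local.pse', 'cred_v2') {
        if (-not (Test-Path -LiteralPath (Join-Path $env:SECUDIR $file))) {
            $problems += "$file not found in $env:SECUDIR"
        }
    }

    # Step 7: read the Issuer line from sapgenpse and compare it exactly.
    $exe = Join-Path $env:SECUDIR 'sapgenpse.exe'
    if (-not (Test-Path -LiteralPath $exe)) { return $problems + "sapgenpse.exe not found at $exe" }
    $output = & $exe get_my_name -v -n Issuer 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { $problems += "sapgenpse exited with code $LASTEXITCODE" }

    $issuer = $null
    foreach ($line in $output) {
        if ($line -match '^\s*Issuer\s*:\s*(.+?)\s*$') { $issuer = $Matches[1]; break }
    }
    if (-not $issuer) { $problems += 'No Issuer line in sapgenpse output' }
    elseif ($issuer -cne $expectedIssuer) { $problems += "Unexpected issuer: $issuer" }

    return $problems
}

$result = @(Test-SapRouterSnc)
if ($result.Count -eq 0) { 'SNC setup looks consistent' } else { $result | ForEach-Object { "PROBLEM: $_" } }
```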




8. Run the command:
saprouter -r -K "p:CN=SOLMAN, OU=0000491517, OU=SAProuter, O=SAP, C=DE" -V 2


9. Create the SAProuter service on Windows with the command:
ntscmgr install SAProuter -b C:\usr\sap\saprouter\saprouter.exe -p "service -r C:\usr\sap\saprouter\saprouttab"


10. Edit the Windows Registry key as follows:

MyComputer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAProuter\ImagePath -> Change both ^ to "


11. Start the SAProuter service

12. Enter the required parameters in OSS1 -> Technical Settings


How to troubleshoot the SAP router connectivity issue and the way to renew the SAP router certificate.

1) Issue: SAP global support unable to connect into the SAP system.

Steps to verify the SAP router connectivity at the SAP systems level

a) Execute TCODE: SM59 -> "ABAP Connections" -> double click "SAPOSS"


b) Click "Connection Test"


c) Sample error on the SAP router connectivity




Sometimes the cause is the password for user OSS_RFC (default password "CPIC") or a network issue;
check and fix it.



2) Steps to check the SAP router validity and how to renew the certificate

Steps to check the SAP router certificate validity

a) Log in to the system where the SAP router is installed with the <SID>adm account
    Execute: sapgenpse get_my_name -v -n Issuer, sapgenpse get_my_name
    An expired certificate causes the SAP system connectivity to fail




3) ERROR: The connection to the specified message server (/H/XXX.XXX.X.XX/S/sapd

24177 - OSS1: Message S1452: Connection to Message Server





Steps to renew the SAP router certificate


1) Log in to the SAP support portal -> Maintenance & Services -> SAP Trust Center Services -> SAProuter certificates


2) Click "Apply Now"


3) Ensure the SAP router details have been created and click "Continue"



4) Copy the "Distinguished name" to be used in the certificate creation process later.



5) Log in to the system where the SAP router is installed with the <SID>adm account
    Back up these files: certreq, cred_v2, local.pse, srcert


6) Stop the SAP router service



7) Execute: sapgenpse get_pse -v -r certreq1 -p local.pse
    Create a new PIN when prompted; it will be used later in the certificate creation process
    Paste the distinguished name copied from the SAP support portal previously


8) Examine the "certreq1" file that has been created. Copy all the contents of the file.



9) Paste the "certreq1" file contents into the SAP portal text box and click "Request Certificate"


10) Again copy all the contents generated from the portal.


11) Paste the copied contents into Notepad and save it as the "srcert" file in the SAP router folder



12) Install the certificate, execute: sapgenpse.exe import_own_cert -c srcert -p local.pse



13) Create the "cred_v2" file, execute: sapgenpse seclogin -p local.pse with the PIN created earlier (Step 7)



14) Check the newly created certificate and that the validity date has been updated
       Execute: sapgenpse get_my_name -v -n Issuer, sapgenpse get_my_name



15) Start the SAP router service



16) Test the connectivity with TCODE: SM59
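
Steps 5 and 6 of the renewal (back up the PSE files, then stop the service) can be scripted so the backup is verified before anything is overwritten. This PowerShell is an added example, not part of the original post; it assumes SECUDIR is set as in the setup section, that the service is named SAProuter as in the ntscmgr command, and the backup folder name is arbitrary.

```powershell
# Added example: back up the SAProuter PSE material before renewal (steps 5 and 6).
# Assumptions: SECUDIR is set as in the setup section; the service is named
# "SAProuter" as in the ntscmgr command; the backup folder name is arbitrary.
$ErrorActionPreference = 'Stop'
$files  = 'certreq', 'cred_v2', 'local.pse', 'srcert'   # list from step 5
$source = $env:SECUDIR
$backup = Join-Path $source ('backup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))

New-Item -ItemType Directory -Path $backup | Out-Null

# local.pse holds the private key and cred_v2 the SSO credentials, so drop
# inherited permissions and allow only the current account on the backup.
$account = "$env:USERDOMAIN\$env:USERNAME"
icacls $backup /inheritance:r /grant:r "${account}:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $backup" }

foreach ($name in $files) {
    $from = Join-Path $source $name
    if (-not (Test-Path -LiteralPath $from)) {
        Write-Warning "$name not found in $source, skipping"
        continue
    }
    $to = Join-Path $backup $name
    Copy-Item -LiteralPath $from -Destination $to
    # Confirm the copy is byte-identical before anything overwrites the original.
    $h1 = (Get-FileHash -LiteralPath $from -Algorithm SHA256).Hash
    $h2 = (Get-FileHash -LiteralPath $to   -Algorithm SHA256).Hash
    if ($h1 -ne $h2) { throw "Backup of $name does not match the original" }
    Write-Output "Backed up $name ($h1)"
}

# Step 6: stop the service and show its resulting state.
Stop-Service -Name SAProuter
(Get-Service -Name SAProuter).Status
```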

