OSS- Connectivity through SNC over Internet
Following things were done in regards of making snc communication over internet setup using our SAP router as saplanco (126.96.36.199).
1. PC with Windows 2000 or 2003 server SP Pack /latest mcafee antivirus/routing enabled.
2. Hostname:. saplanco user id is idsadm and password lancoides1
3. Downloading of latest saprouter file from SAP Service market Place.
4. Installation of Saprouter in the directory D:usrsapsaprouter
5. Host file entry for sapserv2 as 188.8.131.52 and host file entry in sap servers as Development Systen and Production System
6. Live IP addresses is 184.108.40.206
7. Ping test to sapserv2 was successful with time response as 400-500 ms.
8. “idsadm” admin user created for saplanco server in local login.
9. Registration with SAP for our new sap router gilsolman and distinguished name was get from SAP as “CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE”
It will get from this site (service.sap.com/saprouter-sncadd and configuration document will be getting from this site ( service.sap.com/saprouter-sncdoc)
10. Downloading of sapcrypto.car sap cryptographic component file from service.sap.com
11. As user soladm we have set the environment variables SECUDIR = as D:usrsapsaprouter
12. Installation of sapcrypto.car file using the command
sapcar -xvf SAPCRYPTO.CAR.
This command unpacks following files:
These files were installed in D:usrsapsaprouter directory. It will be created one directory D:usrsapsaprouter intel. These two files will be created in D:usrsapsaprouter intel sapcrypto.dll, sapgenpse.exe during the uncar of the SAPCRYPTO.CAR. You have to copy the ticket file from D:usrsapsaprouter to C:Documents and settings idsadmsec you have to create this directory before copying the ticket file) and D:usrsapsaprouter intel
13.Then generation of certificate request using the steps:
Generating the certificate Request with the command from command prompt ( D:usrsapsaprouter intel)
sapgenpse get_pse -v -r certreq -p local.pse “CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE” Asking PIN and you have to give admin123 ( anything you can give).
certreq file will be created into the D:usrsapsaprouter intel
14.This command created one file named certreq
- The output file "certreq" was copied and contents were inserted into the certificate request text area of the same form on the SAP Service Marketplace.
- In response we received the certificate signed by the CA in the Service Marketplace, The text was cut & pasted into a local file named srcert (D:usrsapsaprouter intel). Remove the extension after creating the file srcert.
15. With this file srcert in turn we installed the certificate in our saprouter by calling
sapgenpse import_own_cert -c srcert -p local.pse
16. Now credentials for the SAProuter with the same program is created . the credentials are created for the logged in user account)
sapgenpse seclogin -p local.pse -O idsadm
his will create a file called cred_v2 in the C:Documents and settings idsadmsec directory and copy this to D:usrsapsaprouter
To check that certificate has been imported correctly sapgenpse get_my_name -v -n Issuer
The name of the Issuer found to be: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
17. After restarting the sap router using the command. saprouter -r -S 3299 -K "p: CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE” or saprouter -r -S 3299 –R F:usrsapsaproutersaprouttab -K "p: CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE” we got the error as sncgss32..dll file missing and sap router was unable to load.
18. It was identified that the file is gss32api.dll found in Sap kernel CD.
This file was taken and copied into saprouter directory.
As a user idsadm you have to set the environment variables SNC_LIB = D:usrsapsaprouter intelsapcrypto.dll
19. Then some additions were done in sap routing table named as saprouttab (D:usrsapsaprouter) The entries of this file are as follows:
# outbound connections to will use SNC
# SNC connection to SAP KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 220.127.116.11 *
# SNC-connection from SAP to local R/3-System for Support KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 18.104.22.168 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 22.214.171.124 3201
3201 KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 126.96.36.199 8000
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 188.8.131.52 8001
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 184.108.40.206 3201
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 220.127.116.11 3202
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 18.104.22.168 8001
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 22.214.171.124 8002
# SNC-connection from SAP to local R/3-System for pcAnywhere
# SNC-connection from SAP to local R/3-System for SAPtelnet
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 126.96.36.199 23
# Access from your local Network to SAPNet - R/3 Frontend
P * 188.8.131.52 3299
# All other connections will be permitted
P * * *
20. Then saprouter was restarted using the command
saprouter -r -S 3299 –R D:usrsapsaproutersaprouttab -K "p: CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE” -V 2 trace file name is dev_rout.
SAProuter creation as a Service : Command : ( Note no. 525751)
ntscmgr install SAProuter –b D:usrsapsaproutersaprouter.exe – p “service –r –W 60000 -K ^p: CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE^”
Edit the string in the registry under MyComputerHKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices saprouter and change ^ to " under ImagePath
Manually you can add this in ImagePath if you have no value in imagePath.
D:usrsapsaproutersaprouter.exe service –r –R
D:usrsapsaproutersaproutab-W 60000 -S 3299 -K "p:
CN=saplanco, OU=0000881410, OU=SAProuter, O=SAP, C=DE"
After that you have to change SAProuter Service logon details with the user soladm and password(lancoides1). – goto OSS1- Parameter-Technical setting
1. After saving this technical, RFC connection of SAPOSS will be created automatically.
2. After executing the Tcode SDCC, RFC connection of SAPNET_RFC will be created automatically
3. After executing the Program RTCCTOOL, RFC connection of SAPNET_RTCC will be created automatically
User ID OSS_RFC and password is rfc in RFC connection SAPOSS , SAPNET_RFC and SAPNET_RTCC ,
Target system : OSS
Client : 001
Msg. Server : /H/184.108.40.206/S/sapdp99/H/220.127.116.11/S/sapdp99/H/oss001
Port No. for saprouter in firewall : 3299,3200,3201,3300,4700,3600,telnet (23),5632(PcAnywhere) and 3389 (Terminal Service)
Nating command : static (inside,outside) 18.104.22.168 netmask 255,255,255,255
Command for port open in firewall “ Access_list act_out extended permit tcp any host 22.214.171.124 eq 3299
In order to avoid this warning message and to get a proper (green: successful) connection status displayed in the SAP Service Marketplace, your firewall would have to allow only the following additional rules:
126.96.36.199 -> 188.8.131.52:icmp (echo-request, type 8)
184.108.40.206-> 220.127.116.11:icmp (echo-reply, type 0)