Permission denied in sap router

Hello everybody,
I have installed the SAPROUTER.
when our remote user login by SAPSTRING 114.240.174.28 then user can login without any problem
but when the user used the /H/114.240.174.28/H/192.168.0.170/S/3299/H/
then they can not able to login, get error
router permission denied 115.240.50.30 to 192.168.0.170, 3299
I have check the saposs RFC from sap its work fine.
In my SAP routtab file I maintain the entries as follows
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.0.180 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.0.185 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.0.186 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.0.180 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.0.185 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.0.186 *
P * 194.39.131.34 3299
P * * *
Please suggest where is wrong.
Thanks
Ganesh

HI,
Our remote user can access with the /H/external_IP_of_saprouter/H/internal_IP_of_saprouter/H/ this string
but now they are not able to access by using above said string , when they tired to access they got message
like
router permission denied 115.240.50.30 to 192.168.0.170, 3299
actually, in saprouttab I mention P * * * .
Thanks
Ganesh

Similar Messages

Saprouttab, route permission denied

hi,
I have to open one ITS (internet transaction server) link to SAP thru saprouttab. I have done the entry in saprouttab. But when SAP is trying to connect, he is getting error "SAP WEB PROXY: destination server not reachable"
detail error : route permission denied.
I have a ITS link <hostname.mycompany.com> and the port is 80. In saprouttab table, permission is given and entry is
P 204.79.199.2 <hostname.mycompany.com> 80
P 147.204.2.5 <<hostname.mycompany.com> 5631
My Question:
What is the correct port for ITS link ? Since my ITS link is having default port 80, I have given 80 in saprouttab. But still it is giving error route permission denied. SAP has send me the error screen snapshot and in that destination port it is showing 3299.
Can any one help me what should be the correct entry in saprouttab and the correct port number ?? Is there any way I can check the permission before asking SAP to check ?
Thanks
Regards,
Basis

hi basis ck,
3299, is the SAP Gateway Service port. So check whether this service is mentioned in "service" file or not. If not then make an entry there.
Normally, if u have a SAPGUI installed in ur machine, then the entry will be automatic.
I think then connection should be ok or else then try with 3299 in place of 80 in ur saprouttab entry.
with regards,
Samarpan

SAP ROUTE PERMISSION DENIED

Hi Experts,
When i try to logon SAPNET from T/Code OSS1 its througing error as
"sapsrv2a: route permission denied(12.34.23.5 to oss1 sapdp01)
Location SAPoruter 37.15 on sapserv2a
Component NI
Release 640
Version 37
Return Code -93
Counter 5
Kindly suggest any solution for this problem
Thanks in Advance,
Ramamurthy

HI
I have this error too if I try to logon to sapnet with OSS1 transaction.
you must logon to sapnet trought internet explorer http://service.sap.com
Note 33135 - Guidelines for OSS1
Note Language:      Version: 15     Validity: valid since 30.06.2006
PDF     Download Corrections     Compare Versions     SSCR
     Go to SAP Note: Display
Content: Summary | Header Data | Releases | Related Notes
Summary
Symptom
You are using transaction OSS1 to establish a remote connection.
Other terms
OSS1, RFC connections to SAPNet - R/3 Frontend, SAPOSS, OSS_RFC, SAProuter
Reason and Prerequisites
Remote connection to SAP, R/3 system
Solution
On April 03, 2006, SAPNet - R/3 Frontend was deactivated as a user interface. SAPNet - R/3 Frontend, which was introduced in 1995 as SAP's Online Service System (OSS), was SAP's first and, for a long time, its only support system, which customers worldwide accessed using transaction OSS1.
Today, the SAProuter connection via transaction OSS1 continues to be used for the following RFC connections:
- Transfer of EarlyWatch Alert data
- Exchange of data using the SAP Notes Assistant
To install and configure this transaction, proceed exactly as follows:
1. Making the technical settings for OSS1
You must configure transaction OSS1 before you can use it. Choose "Parameter" from the menu bar (-> Techn. Settings) and choose "Change".
The technical settings for transaction OSS1 are set by default to Walldorf (sapserv3) with the IP address 147.204.2.5. If this address does not correspond with the entry in your host file, choose the sapserv3 IP address that is valid for you by choosing the menu option "SAPRouter at SAP -> Walldorf".
Furthermore, enter your local SAPRouter information in the "SAPRouter 1" fields. Now save the settings.
After making these changes, the screen for the technical settings should be as follows:
Router data for the logon to SAPNet - R/3 Frontend
-Customer SAPRouters----
-SAPRouter 1----    -SAPRouter 2----
Name         my_saprouter
Name
IP Address   x.x.x.x
IP Address
Instanc No. 99
Instance No.
-SAPRouter and OSS Message Server at SAP----
-SAPRouter at SAP----    -OSS Message Server----
Name          sapservX
Name          oss001
IP Address    x.x.x.x
DB Name       O01
Instance No. 99
Instance No. 01
NOTE:
Replace sapservX with the following values:
sapserv1 (194.117.106.129) connection via Internet VPN
sapserv2 (194.39.131.34) connection via Internet SNC
sapserv3 (147.204.2.5)    for customers with connection to Germany
sapserv4 (204.79.199.2)    for customers in America
sapserv5 (194.39.138.2)    for customers with connection to Japan
sapserv6 (194.39.139.16) for customers in Australia and New Zealand
sapserv7 (194.39.134.35)   for customers in Asia
Choose "Start Logon to SAPNet - R/3 Frontend". If the system issues message S1 452, there are errors in the operating system configuration. In this case, see appendix A.
When you install an access authorization file "saprouttab", you should ensure that all of your front ends and R/3 servers can establish a connection to sapserv3, service sapdp99. Appendix E contains examples of saprouttabs. For more information on the SAPRouter, refer to the SAPRouter documentation (Note 30289).
Try it again until the dialog box "Please select a group" appears. If the dialog box "Please select a group" is displayed, the configuration for transaction OSS1 is correct. You can then proceed with the next section.
NOTE:
When you try to log on to SAPNet - R/3 Frontend, the system issues an error message indicating that you are no longer allowed to log on to SAPNet - R/3 Frontend.
2. Further questions?
As soon as you have carried out the steps described above, transaction OSS1 should connect you to the most efficient SAPNet - R/3 Frontend application server.
If you have further questions or problems, the file entitled "OSS1. TroubleShooting" contains additional information. If you have a problem that you cannot solve, contact our hotline: 0180/5 34 34 3-3.
Appendix A
If message S1 452 appears when you try to log on to SAPNet - R/3
Frontend with transaction OSS1, there is an incorrect setting somewhere (either in the technical settings for OSS1 or at operating system level).
To find out why the connection to the message server was unsuccessful, choose Tools (Case, Test ( Developer trace (transaction ST11). The trace contains an entry for dev_lg. This file contains the error log. The LOCATION line, if available, contains the host on which the error occurred. The problem description is found in the ERROR line. If you cannot find the entry dev_lg, check whether the program "lgtst" exists (see appendix B).
Examples of the contents of dev_lg:
ERROR       partner not reached (host abc.def.gh.i, service sapdp99)
TIME        Thu Aug 10 09:17:57 1995
RELEASE    21J
COMPONENT   NI (network interface)
VERSION    15
RC          -10
MODULE      niuxi.c
LINE        773
DETAIL      NiPConnect
SYSTEM CALL connect
ERRNO      239
ERRNO TEXT Connection refused
COUNTER    1
Here, the system could not reach the SAPRouter. For example, no SAProuter could be found under service 99 (port 3299) on the host with the IP address abc.def.gh.i. The SAPRouter process does not work or the IP address was not configured correctly in OSS1.
ERROR      service 'sapdp99' unknown
TIME        Thu Aug 10 09:22:00 1995
RELEASE    30A
COMPONENT   NI (network interface)
VERSION    17
RC          -3
MODULE      niuxi.c
LINE        404
DETAIL      NiPServToNo
SYSTEM CALL getservbyname
COUNTER    1
This message indicates that the service sapdp99 was not entered in /etc/services. Add the entry in /etc/services. This must be available on all R/3 servers and front ends.
LOCATION    SapRouter on abc.def.gh.i
ERROR      route permission denied (XXXXXXXX to sapservX, sapdp99)
TIME        Thu Aug 10 09:37:44 1995
RELEASE    30A
COMPONENT   NI (network interface)
VERSION    17
RC          -94
MODULE      nixxrout.c
LINE        1426
COUNTER    1
The file saprouttab, which contains the valid connections, is not correct. The SAPRouter on the host abc.def.gh.i does not set up the connection to sapservX. Check the SAPRouter file saprouttab. This should contain every R/3 server and frontend (see also appendix E).
LOCATION    SapRouter on abc.def.gh.i
ERROR      internal error
TIME        Thu Aug 10 10:50:18 1995
RELEASE    21J
COMPONENT   NI (network interface)
VERSION    15
RC          -93
MODULE      niuxi.c
LINE        773
DETAIL      NiPConnect
SYSTEM CALL connect
ERRNO      242
ERRNO TEXT No route to host
COUNTER    1
This error message indicates that the host abc.def.gh.i cannot process the IP address of the next host configured in OSS1. If the SAPRouter error message appears and the next host is sapservX, check the address for sapservX. OSS1 is delivered with the default settings sapserv3 and IP address 147.204.2.5. Customers in the U.S.A. are normally connected to sapserv4, IP address 204.79.199.2. If required, change the technical settings of OSS1 accordingly.
ERROR      internal error
TIME        Thu Nov 23 00:11:20 1995
RELEASE    21J
COMPONENT   NI (network interface)
VERSION    15
RC          -1
COUNTER    1
This message shows that the instance number entered does not agree with at least one of the technical settings for the SAPRouter defined in OSS1. The default for the instance number of the SAPRouter is 99. Under no circumstances should you enter the instance number of your R/3 system for the SAPRouter. You need to specify instance number 99 for sapservX. Otherwise, it is not possible to log on to SAPNet - R/3 Frontend.
LOCATION    SapRouter on sapservX
ERROR       route permission denied (XXXXXX to oss002, sapmsO01)
TIME        Mon Nov 27 19:25:54 1995
RELEASE    30A
COMPONENT   NI (network interface)
VERSION    15
RC          -94
MODULE      nixxrout.c
LINE        1390
COUNTER    1
An incorrect server was entered as message server 001, in this example, the server oss002. The message server for O01 is oss001. Change the technical settings for transaction OSS1 accordingly.
Appendix B (for Windows NT only)
Change to the directory "\usr\sap\<SID>\SYS\exe\run" and search for the program "lgtst.exe". If you cannot find it, or if the length of this file is not exactly 640216 bytes, import the program "lgtst.exe" from sapservX via ftp:
> ftp sapservX
Connected to sapservX.
220 sapservX FTP server (Version 1.7.194.2 Wed Sep 8 17:23:04 GMT 1993) ready.
Name: ftp
331 Guest login ok, send ident as password.
Password: <Your_customer_number>
ftp> cd dist/permanent/OSS1/lgtst.exe
250 CWD command successful.
ftp> binary
200 Type set to I.
ftp> get lgtst.exe
150 Opening BINARY mode data connection for lgtst.exe (640216 bytes).
226 Transfer complete.
640216 bytes received.
ftp> bye
Copy this file into the aforementioned directory.
Appendix C
The messages from transaction OSS1 (error messages and information) are given in the following list. Each message is described briefly.
|No.| Message Text
|450| Maintain technical settings first.
|452| Unable to connect to SAPNet - R/3 Frontend message server.
|454| E: Unable to start SAPGUI.
|455| SAPGUI was started.
|456| Specify a server name.
|457| Specify an IP address.
|458| Specify an instance number.
|459| Specify a database name.
|460| No authorization to log on to SAPNet - R/3 Frontend.
|461| No authorization to maintain technical settings.
|462| E: RFC destination could not be generated
Number 450: Maintain technical settings first
You can only log on to SAPNet - R/3 Frontend if the technical settings
are maintained. The technical settings determine the network path from the customer R/3 system to the online service system.
Number 452: Unable to connect to SAPNet - R/3 Frontend message server.
This message appears if the connection to the SAPNet - R/3 Frontend message server was not possible (system name O01, server oss001). There can be different reasons for this (see appendix A).
Number 454: E: Unable to start SAPGUI.
Transaction OSS1 could start the SAPGUI (not SAPTEMU), either because the program does not exist in the path given, or because the execute permission is not set correctly. Check whether the SAPGUI exists; SAPTEMU alone is not sufficient.
Number 455: SAPGUI was started.
This is not an error message. It merely informs you that an additional SAPGUI was started to establish a connection to SAPNet - R/3 Frontend.
Number 456: Specify a server name.
The server name was omitted from the technical settings.
Number 457: Specify an IP address.
The IP address was omitted from the technical settings.
Number 458: Specify an instance number.
The instance number was omitted from the technical settings.
Number 459: Specify a database name.
The database name for the Online Service System (001) was omitted from the technical settings.
Number 460: No authorization to log on to Online Service System
You do not have authorization to call transaction OSS1. Up to Release 2.2F: The authorization S_TSKH_ADM is checked for value 1. After Release 2.2F: For transaction OSS1, there are two special authorization profiles (see appendix D).
Number 461: No authorization to maintain technical settings.
You do not have the authorization to maintain the technical settings (see appendix D).
Number 462: E: RFC destination could not be generated.
In Releases 2.2, you can ignore this message. When saving the technical settings, an attempt is made to generate the RFC destination SAPOSS. The length of an RFC destination is limited in 2.2, and the maximum length was exceeded by the parameters of the technical settings.
Appendix D
As of Release 2.2F, there are two different authorization profiles for transaction OSS1: S_OSS1_START and S_OSS1_ADMIN.
S_OSS1_START authorizes you to call transaction OSS1 and to log on to the Online Service System. In addition, S_OSS1_ADMIN contains the
authorization to maintain the technical settings for the transaction.
The technical settings of OSS1 must be made at least once. Therefore, add S_OSS1_ADMIN to your user profile, log off, and then log on again afterwards.
Appendix E
Prerequisites:
(A TCP/IP connection can be established between the SAProuter on
the customer system and the SAProuter on sapserv3 in Walldorf.
(The SAProuter process must be started on the server that is registered
with SAP:
saprouter -r -R saprouttab &
Example of the "saprouttab" file with minimum configuration:
saprouttab - Example
Allows connections from the entire customer network to sapservX
and therefore to the Online Service System via SAProuter port 3299.
P      *      sapservX    sapdp99         *
Allows connections from sapserv3 to the entire customer network,
for example for EarlyWatch or First Level Support.
P   sapservX      *          *            *
Header Data
Release Status:     Released for Customer
Released on:     30.06.2006 09:13:57
Priority:     Correction with high priority
Category:     Consulting
Primary Component:     XX-SER-NET Network connection
Antonio.
Edited by: Antonio Voce on May 22, 2008 5:07 PM

SAPRouter problem ERROR: sapserv2a: route permission denied

Hello Gurus,
we have a problem with connection with SAPOSS, when we test the connection present the following message:
Connection Error
Error when opening an RFC connection
ERROR: sapserv2a: route permission denied (200.30.70.220 to oss001, sapmsOSS)
LOCATION: SAProuter 37.15 on sapserv2a
COMPONENT: NI (network interface)
COUNTER: 5
MODULE:
LINE:
RETURN CODE: -93
SUBRC: 0
RELEASE: 640
TIME: Fri Apr 11 23:54:16 2008
VERSION: 37
In the Tx OSS1 we have:
saprouter1
name: server name where saprouter is installed
IP address: LAN IP address where saprouter is installed (is locally intalled)
Instance no. 99
Saprouter at SAP
Name sapserv2
IP Address 194.39.131.34 (ping to this IP response)
instance 99
name oss001
db name o01
instance 01
In Tx ST11, dev_lg log file contains:
RSTR0006: Display Developer Traces
trc file: "dev_lg", trc level: 1, release: "700"
[Thr 4780] Fri Apr 11 16:41:16 2008
[Thr 4780] *** ERROR => NiBufIProcMsg: hdl 0 received rc=-93 (NIEROUT_INTERN) from peer [nibuf.cpp    2125]
[Thr 4780] *** ERROR => MsINiWrite: NiBufSend (rc=NIEROUT_INTERN) [msxxi.c      2480]
[Thr 4780] *** ERROR => MsIAttachEx: MsINiWrite (rc=NIEROUT_INTERN) [msxxi.c      734]
[Thr 4780] *** ERROR => LgIAttach: MsAttach (rc=NIEROUT_INTERN) [lgxx.c       3980]
[Thr 4780] *** ERROR => LgApplSrvInfo: LgIAttach(rc=LGEMSLAYER) [lgxx.c       1272]
[Thr 4780]
[Thr 4780] * LOCATION    SAProuter 37.15 on sapserv2a
[Thr 4780] * ERROR       sapserv2a: route permission denied (200.30.70.220 to oss001,
             sapmsO01)
[Thr 4780] *
TIME        Fri Apr 11 23:32:17 2008
[Thr 4780] * RELEASE     640
[Thr 4780] * COMPONENT   NI (network interface)
[Thr 4780] * VERSION     37
[Thr 4780] * RC          -93
[Thr 4780] * COUNTER     3
[Thr 4780] *
[Thr 4780] *****************************************************************************
dev_rout file in /usr/sap/saprouter contains:
trc file: "dev_rout", trc level: 1, release: "700"
Fri Apr 11 17:02:21 2008
SAP Network Interface Router, Version 38.10
command line arg 0:     saprouter
command line arg 1:     -r
command line arg 2:     -R
command line arg 3:     ./saprouttab
main: pid = 5504, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: './saprouttab'
Fri Apr 11 17:02:36 2008
ERROR => NiBufIProcMsg: hdl 2 received rc=-94 (NIEROUT_PERM_DENIED) from peer [nibuf.cpp    2125]
Fri Apr 11 17:03:15 2008
ERROR => NiBufIProcMsg: hdl 2 received rc=-94 (NIEROUT_PERM_DENIED) from peer [nibuf.cpp    2125]
Thanks,
HEPC

Hello Kaushik,
the problem was solved adding the following line in the saprouttab file, this line must be the firts line in the file:
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
the file continue with:
inbound connections MUST use SNC
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <IP server 1> 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <IP server 2> 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <IP server 1> 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <IP server 2> 3200
outbound connections to <sapserv2> will use SNC
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <IP server with saprouter> 3299
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 3299
permission entries to check if connection is allowed at all
P <IP server 1> 194.39.131.34 *
P <IP server 2> 194.39.131.34 *
I hope this solve your problem,
Hernando Polania
Colombia

Sapserv1:route permission denied (216.53.212.149 to 147.204.100.55, sapdp01

Hi,
We are having issue with our sapnet connection. When ever I am trying to connect to sapNet im getting this error. The following is the procedure i m doing
1. t-code oss1
2. logon to SAPNet
3. selecting the group PUBLIC
then I m getting thid error
sapserv1:route permission denied (216.53.212.149 to 147.204.100.55, sapdp01)
Please reply me back ASAP as this is urgent issue. I will appriciate ur help n sugsestions.

Hi,
On April 03, 2006, SAPNet - R/3 Frontend was deactivated as a user interface. SAPNet - R/3 Frontend, which was introduced in 1995 as SAP's Online Service System (OSS), was SAP's first and, for a long time, its only support system, which customers worldwide accessed using transaction OSS1.
Today, the SAProuter connection via transaction OSS1 continues to be used for the following RFC connections:
- Transfer of EarlyWatch Alert data
- Exchange of data using the SAP Notes Assistant
To install and configure this transaction, proceed exactly as follows:
1. Making the technical settings for OSS1
You must configure transaction OSS1 before you can use it. Choose "Parameter" from the menu bar (-> Techn. Settings) and choose "Change".
The technical settings for transaction OSS1 are set by default to Walldorf (sapserv3) with the IP address 147.204.2.5. If this address does not correspond with the entry in your host file, choose the sapserv3 IP address that is valid for you by choosing the menu option "SAPRouter at SAP -> Walldorf".
Furthermore, enter your local SAPRouter information in the "SAPRouter 1" fields. Now save the settings.
NOTE:
Replace sapservX with the following values:
sapserv1 (194.117.106.129) connection via Internet VPN
sapserv2 (194.39.131.34) connection via Internet SNC
sapserv3 (147.204.2.5)    for customers with connection to Germany
sapserv4 (204.79.199.2)    for customers in America
sapserv5 (194.39.138.2)    for customers with connection to Japan
sapserv6 (194.39.139.16) for customers in Australia and New Zealand
sapserv7 (194.39.134.35)   for customers in Asia
Choose "Start Logon to SAPNet - R/3 Frontend". If the system issues message S1 452, there are errors in the operating system configuration.
When you install an access authorization file "saprouttab", you should ensure that all of your front ends and R/3 servers can establish a connection to sapserv3, service sapdp99.
Try it again until the dialog box "Please select a group" appears. If the dialog box "Please select a group" is displayed, the configuration for transaction OSS1 is correct.
I hope this will help you.
Regards
Aashish Sinha
PS : reward points if helpful

Route permission denied

Hello everbody;
When I want to entry to the server sap, I have this error route permission denied (181.66.156.130 to n4sexternal,sapdp01)
Someone can help me please

Hi, Robert!
You'll have to config your SapRouter appropriately. It's usually done by Basis team.

Saprouter "sapserv3: route permission denied"

Hi!
I have one question regarding the SAP router functionality.
If I check the connection via Tx. OSS1 I can choose the different groups (EWA, 1_PUBLIC, etc.) but after this I am getting the error "sapserv3: route permission denied (212.6.91.12 to 10.16.1.19, sapdp01").
<b>How can I solve the problem?</b>
My SAPROUTTAB looks like "P * * *" (it means alls connections are allowed)

Hi Axel,
The direct connection via OSS1 is not possible anymore. SAP has deactivated this since April-2006.
You should make the configuration in OSS1 (I think that is okay for your case as you are getting the different group selection as pop-up).
Only RFC connection logon is allowed. For more info please check note: 33135
http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=33135&_NLANG=E
Cheers !!
Satya.
PS: Pls reward points if the answer is helpful...Thx.

SAPROUTER - route permission denied

Hello.
I'm trying to connect my ERP to SAPNet but i'm getting troubles.
This is the error.
[Thr 4812] * LOCATION    SapRouter on sapserv2a
[Thr 4812] * ERROR       sapserv2a: route permission denied (80.37.122.205 to oss001,
             sapmsO01)
[Thr 4812] *
TIME        Mon Jun 25 10:24:43 2007
[Thr 4812] * RELEASE     620
[Thr 4812] * COMPONENT   NI (network interface)
[Thr 4812] * VERSION     36
[Thr 4812] * RC          -93
[Thr 4812] * COUNTER     19
[Thr 4812] *
[Thr 4812] *****************************************************************************
I have the 3299 port open for the saprouter host.
My saprouter is registered in SAP, i have my certificated and i applied correctly on my saprouter.
My routerttab permits all traffic. P * * * *
I'm configuring my connection on the SM59 transaction.
Target system: OSS
Msg. Server: /H/194.39.131.34/H/OSS001
Language: EN
Client: 001
User: My SSO number
PWD: My sso password.
Any idea?
Thanks in advance.

Hi,
As of April 3rd, 2006 the SAPNet R/3 Frontend will be not available for
Support applications anylonger. It will be substituted by both supports Platforms,
SAP Support Portal and SAP Solution Manager
So OSS1 -->Logon to SapNet (Does not work).
You can maintain the IP's and Other Information in OSS1 -->Paramter ->Technical Settings. which will modify the "SAPOSS" RFC destination.
Thanks,
Tanuj

SAPRouter - sapserv2a: route permission denied

Hi Gurus,
I have configured and registered SAProuter.
Version: SAP Network Interface Router, Version 38.10
When try to Log On to SAPNet with 1_Public , I get following error
*sapserv2a: route permission denied
Routtab entired:
SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC connection to local system for R/3-Support
R/3 Server: 192.168.2.4
R/3 Instance: 00
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.2.4 3200
SNC connection to local WINDOWS system for WTS, if applicable
Windows server: 192.168.2.35
Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.2.35 3389
Access from the local Network to SAP
P 192.168.. 194.39.131.34 3299
Deny all other connections
D * * *
SOLMAN: SP17
WIN32
I did not find any latest version of SAPRouter for WIN32. Please suggest ..
Regards
Shreeshail Ganiger

Hi,
> *sapserv2a: route permission denied
>
Why it is picking sapserv2a ? It should be sapserv2. Please check.
Thanks
Sunny

JCO Connection - route permission denied

Coulds any one suggest on this error
Connect to SAP gateway failed Connect_PM
Rout permission denied

Hello Mario,
it seems that the SAP Router which is used with hte connection String does not allow you to connect. Have you tried the Connection string to logon with SAP GUI?
Regards
Gregor

Setting up SAP Router for SNC ... error...

Hi,
My SAP Router is installed on a server that is Linux based. (IP address is 10.11.0.24)
I'm not sure if is saprouttab or saprouter itself having issue.
I started the saprouter via this command: saprouter -r -G routerlog -W 60000 -S 3299 -K "p:CN=XXXXXXXX, OU=ZZZZZZZZZZ, OU=SAProuter, O=SAP, C=DE"
saprouttab
# SNC connection to and from SAP
KT "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 169.145.197.110 *
KT "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 10.11.0.24 3200
# SNC connection to local system for R/3-Support for support
KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 10.11.0.24 3200
KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 10.11.0.24 3201
KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 10.11.0.23 3200
# Access from local network to SAPNet (OSS)
P 10.11.0.* 169.145.197.110 3299
P * 10.11.0.* * *
# deny all other connections
D * * *
Troubleshooting steps taken:
Running niping -s on SAP Router Server & niping.exe -c -H 10.11.0.24 is successful, self-test is okay but... when running both niping -s & saprouter -r on SAP Router Server is giving me the following error:
C:\test>niping.exe -c -S 3299 -H 10.11.0.24
Wed Feb 05 14:51:29 2014
connect to server o.k.
Wed Feb 05 14:51:30 2014
*** ERROR => NiBufIProcMsg: hdl 1 received rc=-93 (NIEROUT_INTERN) from peer [nibuf.cpp    2146]
*** ERROR => NiTClientLoop: NiTReadLoop (rc=-93) [nixxtst.cpp 2590]
* LOCATION    SAProuter 40.4 on 'XXXXXXXX'
* ERROR       internal error
* TIME        Wed Feb 5 14:51:29 2014
* RELEASE     720
* COMPONENT   NI (network interface)
* VERSION     40
* RC          -93
* MODULE      nirout.cpp
* LINE        2698
* DETAIL      NiRClientHandle: route expected
* COUNTER     2
C:\Users\tohcy\Desktop\test>niping.exe -c -S 3299 -H /H/10.11.0.24/H/10.11.0.24
Wed Feb 05 15:01:00 2014
*** ERROR => NiBufIProcMsg: hdl 1 received rc=-94 (NIEROUT_PERM_DENIED) from peer [nibuf.cpp    2146]
*** ERROR => NiBufIConnect: route connect for non-buffered hdl 1 failed (rc=-94;/H/10.11.0.24/H/10.11.0.24); pong not received [nibuf.cpp    4801]
*** ERROR => NiTClientLoop: NiHandle (rc=-94) [nixxtst.cpp 2590]
* LOCATION    SAProuter 40.4 on 'XXXXXXXX'
* ERROR       XXXXXXXX: route permission denied (YYY to 10.11.0.24, 3299)
* TIME        Wed Feb 5 15:00:59 2014
* RELEASE     720
* COMPONENT   NI (network interface)
* VERSION     40
* RC          -94
* COUNTER     7

Hi Deepak,
I've changed to the P * * *
I run the command: niping.exe -c -S 3299 -H /H/10.11.0.24/H/10.11.0.23
Can I check if this command is correct?
Router is 10.11.0.24 trying to reach sap server 10.11.0.23.
Error:
Thu Feb 06 09:20:17 2014
*** ERROR => NiBufIProcMsg: hdl 1 received rc=-5 (NIETIMEOUT) from peer [nibuf.cpp    2146]
NiBufIConnect: route connect of non-buffered hdl 1 to '/H/10.11.0.24/H/10.11.0.23' timeout
*** ERROR => NiTClientLoop: NiHandle (rc=-5) [nixxtst.cpp 2590]
* ERROR       timeout occured
* TIME        Thu Feb 06 09:20:17 2014
* RELEASE     720
* COMPONENT   NI (network interface)
* VERSION     40
* RC          -5
* MODULE      nibuf.cpp
* LINE        4795
* DETAIL      NiBufIConnect: route connect '/H/10.11.0.24/H/10.11.0.23'
*              timeout
* COUNTER     1
routerlog:
Thu Feb 6 09:27:21 2014 CONNECT FROM C19/- host 10.11.0.181/50107
Thu Feb 6 09:27:21 2014 CONNECT TO   S19/12 host 10.11.0.23/3299
Thu Feb 6 09:28:21 2014 CONNECT ERR S19/12 could not establish connection within 60s
Thu Feb 6 09:28:21 2014 DISCONNECT   S19/12 host 10.11.0.23/3299
10.11.0.181 is my computer current IP address.
Any other clues/hint?

Unable to Start SAP Router

Hi All,
I have installed SAP Router before but this time when I installed and tried to start SAP Router its not getting started, and also not giving any error log file in SAP Router directory.
Please check the below command and correct me if I am wrong.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\sap_admin>cd \
C:\>cd SAPRTR
C:\SAPRTR>saprouter -r -S 3299 -K "p:CN=<MyRouterHOSTNAME>, OU=<Cust_NUM>, OU=SAProuter,
O=SAP, C=DE"
SAP Network Interface Router, Version 38.10
Compiled Oct 7 2009 03:08:09
start router : saprouter -r
stop router : saprouter -s
soft shutdown: saprouter -p
router info : saprouter -l (-L)
new routtab : saprouter -n
toggle trace : saprouter -t
cancel route : saprouter -c id
dump buffers : saprouter -d
flush   "    : saprouter -f
hide errInfo : saprouter -z
start router with third-party library: saprouter -a library
additional options
-R routtab   : name of route-permission-file (default ./saprouttab)
-G logfile   : name of log file               (default no logging)
-T tracefile : name of trace file             (default dev_rout)
-V tracelev : trace level to run with        (default 1)
-H hostname : of running SAProuter           (default localhost)
-S service   : service-name / number          (default 3299)
-P infopass : password for info requests
-C clients   : maximum no of clients          (default 800)
-Y servers   : maximum no of servers to start (default 1)
-K [myname] : activate SNC; if given, use 'myname' as own sec-id
-A initstring: initialization options for third-party library
-D           : switch DNS reverse lookup off
-E           : append log- and trace-files to existing
-J filesize : maximum log file size in byte (default off)
-6           : IPv6 enabled
-Z           : hide connect error information for clients
expert options
-B quelength : max. no. of queued packets per client (default 1)
-Q queuesize : max. total size for all queues (default 20000000 bytes)
-W waittime : timeout for blocking net-calls (default 5000 millisec)
-M min.max   : portrange for outgoing connects, like -M 1.1023
-I address   : address for outgoing connects, like -I 155.56.76.6
this is a sample routtab : -----------------------------------------
D     host1                host2     serviceX
D     host3
P     *                    *         serviceX
P     155.56..           155.56
P     155.57.1011xxxx.*
P     host4                host5     *          xxx
P     host6                localhost 3299
P     host7                host8     telnet
S     host9
P0,* host10
KP    sncname1             *         *
KS    *                    host11    *
KD    "sncname "abc"       *         *
KT    sncname3             host11    *
deny routes from host1 to host2 serviceX
deny all routes from host3
permit routes from anywhere to any host using serviceX
permit all routes from/to addresses matching 155.56
permit ... with 3rd byte matching 1011xxxx
permit routes from host4 to host5 if password xxx supplied
permit information requests from host6
permit native-protocol-routes to non-SAP-server telnet
permit ... excluding native-protocol-routes (SAP-servers only)
permit ... if number of preceding/succeeding hops (SAProuters) <= 0/*
permit SNC-connection with partnerid = 'sncname1' to any host
permit all SAP-SAP SNC-connections to host11
deny all SNC-connections with partnerid = 'sncname "abc'
open connects to host11 with SNC enabled and partnerid = 'sncname3'
first match [host/sncname host service] is used
permission is denied if no entry matches
service wildcard (*) does not apply to native-protocol-routes
C:\SAPRTR>
Rg
Ramesh

Hello my friend
It could be certificate didn't import properly or routtab content is not correct. Here's your checklist:
Creating the certificate request
1) As user <snc_adm> set the environment variables SNC_LIB and SECUDIR
2) Change to the alias SAPROUTER-SNCADD. From the list of SAProuters registered to your installation, choose the relevant u201CDistinguished Nameu201D.
3) Generate the certificate Request with the command:
sapgenpse get_pse -v -r certreq -p local.pse u201C<Distinguished Name>u201D
You will be asked twice for a PIN here. Please choose a PIN and document it, you have to enter it identically both times. Then you will have to enter the same PIN every time you want to use this PSE.
4) Display the output file "certreq" and with copy&paste (including the BEGIN and END statement) insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.
5) In response you will receive the certificate signed by the CA in the Service Marketplace. Copy&paste the text to a new local file named "srcert", which must be created in the same directory as the sapgenpse executable.
6) With this in turn you can install the certificate in your saprouter by calling:
sapgenpse import_own_cert -c srcert -p local.pse
7) Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user_for_saprouter>, the credentials are created for the logged in user account).
sapgenpse seclogin -p local.pse -O <user_for _saprouter>
Note: The account of the service user should always be entered in full <domainname>\<username>
8) This will create a file called "cred_v2" in the same directory as "local.pse"
9) Check if the certificate has been imported successfully with the following command:
sapgenpse get_my_name -v -n Issuer
The name of the Issuer should be:
CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
10) If this is not the case, delete the files "cred_v2"and "local.pse" and start over at Item 3.
Additional actions necessary before you can start SAProuter
1.     Check if the environment of the user running SAProuter contains the environment variable SNC_LIB and SECUDIR
2.     Start the SAProuter with the following command line (to start the SAProuter as a Windows service, please follow the steps described in SAP note 525751):
               saprouter -r -S <port> -K "p:<Distingushed Name>"
               -K tells the saprouter to start with loading the SNC library
3.     The corresponding file "saprouttab" should look like:
SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
SNC-connection from SAP to telnet in your network
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 23
Access from the local Network to SAPNet - R/3 Frontend (OSS)
P * 194.39.131.34 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your IP> <port>
Regards,
Effan
DON'T KNOW WHY THE FORMAT MESSED UP, PLEASE USE QUOTE ORIGINAL IN REPLY MODE TO READ THE CORRECT FORMAT CONTENT. SORRY!

How to install and configure SAP Router

Dear SAP Expert !
I want to install SAP Router but i dont know the SAP router package is allocated on DVD ? what is the DVD number ?
If you already configure SAP router please let me know how to configure ?

Hello Thao
what is th exact issue that are u facing.
The account must be the administartor of the machine where u are installing SAPROUTER.Make sure you are following the correct steps as follows:
Downloading necessary software components from SAP Service Marketplace
1. Login to the SAP Service Marketplace with the Service Marketplace at using
the USERID/PASSWORD which was assigned for your installation.
2. Change the alias to www.service.sap.com/tcs to downloaded the SAP
cryptographic software. Select the correct SAPcrptographic software
depending on your saprouter operating system as shown below.
3. You must have the sapcar.exe in order to extract the SAP cryptographic
software file.
4. With the command of u201Csapcar -xvf xxxxxxx.saru201D, /ntintel directory would be
created and the following files would be extracted.
(Example C:/saprouter/ntintel)
( when the Microsoft Windows NT Intel version is downloaded)
C:/saprouter/ntintel/sapcrypto.dll
C:/saprouter/ntintel/sapgenpse.exe
C:/saprouter/ticket
Issue of Electronic Certificate
5. It is necessary to define the environment variable for u201CSECUDIRu201D and
u201CSNC_LIBu201D under system account.
Window NT environment variable setup :
Right-clicked the icon of you computer
Property -> details -> environment variable
SECUDIR = < Directory name >
Example. Variable name : SECUDIR
Variable value
: C:/saprouter/SNC_LIB = < Directory name >
Example. Variable name : SNC_LIB
Variable value : C:/saprouter/ntintel/sapcrypto.dll
UNIX
<path_to_libsecude>/<name_of_sapcrypto_library>
Windows
NT,
<drive>:/<path_to_libsecude>/<name_of_sapcrypto_library>
Windows
2000
6. Check if the environment of the user running saprouter contains the
environment variable SNC_LIB.
UNIX
Printenv
Windows NT
System environment Variable
7. You may now apply for a SAProuter certificate from the SAP Trust Center
Service of SAP service marketplace
http://service.sap.com/tcs
> SAP Trust Center Service in Detail
> SAProuter Certificates
SAProuter Certificate "Apply Now"
Click the button.
8. Please take note of your "Distinguished Name"
Please refer to the example above
-SAPRouter Name
: JPL50020586
-Distinguished Name
CN=JPL50020586, OU=0000036946, OU=SAProuter, O=SAP, C=DE
Then, clicked the "Continue" button.
9. Execute the following command in the /saprouter/ntintel
directory in order to generate your certificate to be exchanged with SAP.
sapgenpse get_pse -v -r certreq -p local.pse "Distinguished Name"
Example
sapgenpse get_pse u2013v -r certreq -p local.pse "CN=JPL50020586, OU=0000036946,
OU=SAProuter, O=SAP, C=DE"
Enter the PIN number. (you may enter any PIN Number you wish.)
Please enter PIN :
Please re-enter PIN :
<- you must use the same PIN Number as the above.
10. The "certreq" file is created in the /saprouter/ntintel directory.
11. Use a notepad to open the "certreq" file and copy the displayed information
(From the -BEGIN .to the END -)
12.You now have to paste the above copy content into the space provided
shown below. After you have pasted the text, click the u201CRequest certificateu201D
button to submit your request.
13. Once you click on the u201CRequest Certificateu201D a new screen will be displaying
your certificate issued by SAP CA (Certification Authority).
14. Using a notepad to copy the content (From u2013Beingu2026 to -END) and save it
as u201Csrcertu201D into /saprouter/ntintel/srcert.
Note :
- Please rename srcert.txt into srcert without any extension.
15. You then need to import this certificate into SAProuter using the following
command.
Please run on /saprouter/ntintel directory.
sapgenpse import_own_cert -c srcert -p local.pse
Please enter PIN : (same as point 9)
16. Execute the following command in the /saprouter/ntintel directory.
sapgenpse seclogin -p local.pse
Please enter PIN : (same as point 9)
This will create a file "cred_v2" in the same directory.
17. Please check whether the certificate has been imported correctly.
Execute this command in /saprouter/ntintel directory.
sapgenpse get_my_name -v -n Issuer
The result should be "CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE".
18. When the above results are not obtained , please delete local.pse and
cred_v2 and work again from steps 9. Please seek the assistance from your
local SAP helpdesk or create an OSS message via component XX-SER-NET-
OSS, if you are not able to obtain the above-mentioned result after you have
repeated the above steps.
Route permission table (saprouttab)
19. The corresponding file ./saprouttab should contain at least the following
entries.
Example : by SNC connection, when connecting to sapserv2
(194.39.131.34) the following entries need to be indicated by saprouttab.,
SNC-connection to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34
SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>
SNC-connection from SAP to local R/3-System for pcANYWHERE, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 5631
SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503
SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
Access from the local Network to SAPNet - R/3 Frontend (OSS)
P <IP-addess of a local PC> 194.39.131.34 3299
deny all other connections
D * * *
Start the SAProuter with the following command.
Saprouter -r -S <port> -K
"p: <Your Distingiushed Name>"
-K tells the saprouter to start with loading the SNC library.
Example: saprouter -r -S 3299 u2013K "p:CN=JPL50020586, OU=0000036946,
OU=SAProuter, O=SAP, C=DE"
Additional Note
-You may refer to SAP note: 30289 in the SAP service marketplace for detail
information with regards to SAProuter
http://www.service.sap.com/note

Pre requisites for installing SAP Router

Hi Friends,
As i am going through the implementation phase, I have to install sap router which i am new at. Also i am doing it because i have to connect Maintenance Optimizer to Sap service Market place for which Router would be essentially required.
I have some questions to put forth.
1. what are the pre requisites for SAP Router
2. Do we require Public IP and what would be the use of this ip
3. how to configure the SAP Router
4. Can i install the SAP router on the same host on which we have Solution manager, is it advisable. or we should go for a seperate host.
Regards
Aayush

Installing the sapcrypto library and starting the SAProuter
Contents
u2022     Downloading necessary software components from SAP Service Marketplace
u2022     Creating the certificate request
u2022     Additional actions necessary before you can start saprouter
This section describes the necessary steps to download and install the sapcrypto library for use with saprouter. The saprouter must be started with the options described later in this section.
The license for the sapcrypto library covers saprouter connections between saprouters at SAP and the first saprouter on customer sites and backend connections within the customer`s network. For all other purposes the library CANNOT be used!
Downloading necessary software components from SAP Service Marketplace
1.     Login to the SAP Service Marketplace with the Service Marketplace USERID which is assigned to your installation.
2.     Change to the alias SAPROUTER-SNCADD. Before you can download the software components two preconditions must be met.
     a.     You must have been allowed to download the software. This authorization is added as soon as SAP has received a positive statement from the "Bundesausfuhramt". This procedure is necessary since the software falls under EU regulations.
     b.     For more information on how to obtain authorization if download is not possible see note 397175.
     c.     You must accept that you must follow the regulations imposed by the EU on the use and distribution of the cryptographic software components downloaded from the SAP Service Marketplace.
3.     The acceptance of the terms and conditions is logged with your USERID and stored for reporting purposes to the "Bundesausfuhramt".
4.     Accepting with the button on the web-based form takes you to the folder where you can download the Software components.
These are packed into a single CAR file sapcrypto.car
5.     Copy the file to the direcory where the saprouter executable is located
6.     You can get the file car.exe/sapcar.exe, which is necessary to unpack the archive from any Installation Kernel CD.
Executing the command car -xvf SAPCRYPTO.CAR will unpack the following files:
[lib]sapcrypto.[dll|so|sl]
sapgenpse[.exe]
ticket
Creating the certificate request
1.     As user <snc>adm set the environment variables
SECUDIR = <directory_of_saprouter>
2.     Change to the Shortlink SAPROUTER-SNCADD. From the list of SAProuters registered to your installation, choose the relevant "Distinguished Name"
3.     Generate the certificate Request with the command
sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"
4.     Alternatively use the two commands:
sapgenpse get_pse -v -noreq -p local.pse "<Your Distinguished Name>"
sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
5.     Display the output file "certreq" and with copy&paste insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name
6.     In response you will receive the certificate signed by the CA in the Service Marketplace, cut&paste the text to a local file named srcert
7.     With this in turn you can install the certificate in your saprouter by calling
sapgenpse import_own_cert -c srcert -p local.pse
8.     now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user>, the credentials are created for the logged in user account)
sapgenpse seclogin -p local.pse -O <user_for _saprouter>
9.     This will create a file called cred_v2 in the same directory.
For increased security please check that the file can only be accessed by the user running the SAProuter.
Do not allow any other access (not even from the same group)!
On UNIX this will mean permissions being set to 600 or even 400!
On NT check that the permissions are granted only to the user the service is running as!
1.     Check if the certificate has been imported correctly
sapgenpse get_my_name -v -n Issuer
The name of the Issuer should be: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
2.     If this is not the case, delete the files cred_v2, local.pse and start over at Item 4. If the output still does not match please open a customer message in component XX-SER-NET-OSS stating the actions you have taken so far and the output of the commands
4.,7.,8. and 10.
Additional actions necessary before you can start saprouter
1.     The environment variable SNC_LIB needs to be set for the user account SAProuter is running under.
SNC_LIB has the form
UNIX      <path_to_libsecude>/<name_of_sapcrypto_library>
Windows NT, Windows 2000     <drive>:\<path_to_libsecude>\<name_of_sapcrypto_library>
2.     Check if the environment of the user running saprouter contains the environment variable SNC_LIB
UNIX     printenv
Windows NT     System environment variable
3.     start the saprouter with the following command line:
saprouter -r -S <port> -K "p:<Your Distingushed Name>"
-K tells the saprouter to start with loading the SNC library
the corresponding file ./saprouttab should contain at least the following entries
inbound connections MUST use SNC
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>
repeat this for the servers and port_numbers you will need to allow,
please make sure that all explicit ports are inserted in front of a
generic entry '*' for port_number
outbound connections to <sapservX> will use SNC
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapservX> <sapservX_inbound_port>
permission entries to check if connection is allowed at all
P <IP address of a local host> <IP address of sapserv2>
all other connections will be denied
D * * *
Example
For a SNC encrypted connection to the SAPRouter on sapserv2 (194.39.131.34), the saprouttab should contain the following entries:
SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>
SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503
SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
Access from the local Network to SAPNet - R/3 Frontend (OSS)
P <IP-addess of a local PC> 194.39.131.34 3299
deny all other connections
D * * *
Lalit Kumar

Changing SAP Router to different System

HI Experts,
                SAP Router is installed in our Develpoment system can it be possible for us to install this on the solution manager System. Is this advisable to change the SAP router to a different machine. If so How is that possible?
Regards,
Vamshi.

Hi,
Please use the following step.
Installation Steps
1.1     Downloading necessary software components from SAP Service Marketplace:
1.     SAProuter
Use the latest SAProuter version (37.x), which can be downloaded from
SAP Service Marketplace under the following link.
http://service.sap.com/swdc
     Download
     Support Packages and Patches
     Entry by Application Group
     Additional Components
     SAPROUTER
     SAPROUTER 6.40
SAPROUTER 6.40
From the available list of SAProuters, select the SAProuter for your OS platform.
2.     SNC Libraries (SAPcryptolib) download:
http://service.sap.com/swdc
     Download
     SAP Cryptographic Software
Select the SAPcrytoLib libraries compatible with your Operating System.
Note: Please also download the SAPCAR.exe file from the above location to extract the SAProuter archive files.
3.     Create a folder in /usr/sap with the name as: saprouter.
4.     Extract both the files i.e. SAProuter.SAR and Cryptolib.CAR files into saprouter folder using the command:
SAPCAR -xvf SAProuterxxx.SAR
SAPCAR -xvf CRYPTOLIBxxx.CAR
1.2     Creating the certificate request
1.     As user <snc>adm set the environment variables:
SECUDIR = /usr/sap/saprouter
SNC_LIB = /usr/sap/saprouter/libsapcrypto.so
2.     Go to the Trust Center Service - Download Area and get the "Distinguished Name" for your SAProuter from the list of SAProuters registered for your installation.
3.     Generate the certificate Request with the command:
./sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"
P.S: We can also get the distinguished name from SAP itself when we register for the remote service connection.
4.     Display the output file "certreq" using the command:
cat certreq
and with copy & paste insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.
1.3     Importing the certificate request
1.     With this in turn you can install the certificate in your saprouter by calling
./sapgenpse import_own_cert -c srcert -p local.pse
1.4     Setting secured login to SAProuter
1.     Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user>, the credentials are created for the logged in user account)
sapgenpse seclogin -p local.pse -O <user_for _saprouter>
2.     This will create a file called cred_v2 in the same directory.
3.     Check if the certificate has been imported correctly
./sapgenpse get_my_name -v -n Issuer
4.     If this is not the case, delete the files cred_v2, local.pse and start over at Item 3 of 4.2 . If the output still does not match please open a customer message in component XX-SER-NET-OSS stating the actions you have taken so far and the output of the commands 3 of 4.2, 4.3, and 4.4.
1.5     Additional actions necessary before you can start saprouter
1.     Logon to the system as <sid>adm, here sa1adm.
2.     The environment variables SECUDIR, SNC_LIB and USER needs to be set for the user account SAProuter is running under using the commands:
setenv SECUDIR <path_to_libsecude>
i.e. setenv SECUDIR /usr/sap/saprouter
setenv SNC_LIB <path_to_libsecude>/<name_of_sapcrypto_library>
i.e. setenv SNC_LIB /usr/sap/saprouter/libsapcrypto.so
setenv USER sa1adm
3.     Check if the environment of the user running saprouter contains the environment variable SECUDIR, SNC_LIB and USER using : printenv
4.     Start the saprouter with the following command line:
#./saprouter -r -S <port> -K "p:<Your Distingushed Name>"
-K tells the saprouter to start with loading the SNC library
Eg. ./saprouter -r -S 3299 -K "p:CN=nradev, OU=0000759188, OU=SAProuter, O=SAP, C=DE"
./saprouter -r -V 2 -K "p:CN=nradev, OU=0000759188, OU=SAProuter, O=SAP, C=DE"
./saprouter -r -R /usr/sap/saprouter/saprouttab -G log.txt -V 2 -K "p:CN=nradev, OU=0000759188, OU=SAProuter, O=SAP, C=DE"
5.     The corresponding file ./saprouttab should contain at least the following entries
inbound connections MUST use SNC
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>
repeat this for the servers and port_numbers you will need to allow,
please make sure that all explicit ports are inserted in front of a
generic entry '*' for port_number
outbound connections to <sapservX> will use SNC
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapservX> <sapservX_inbound_port>
permission entries to check if connection is allowed at all
P <IP address of a local host> <IP address of sapserv2>
all other connections will be denied
D * * *
6.     Example: For a SNC encrypted connection to the SAPRouter on sapserv2 (194.39.131.34), the saprouttab should contain the following entries:
SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>
SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503
SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
Access from the local Network to SAPNet - R/3 Frontend (OSS)
P <IP-addess of a local PC> 194.39.131.34 3299
deny all other connections
D * * *
Thanks,
Harshal

Permission denied in sap router

Similar Messages

Maybe you are looking for