Renewal of SAP Router Certificate

How can I renew the SAP Router Certificate?Do I have to create another new request or can I renew the existing one?
Thanks

Hi Sandipan,
you must apply for a new certificate in the Marketplace. You can find useful the instructions detailed in this link:
http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000234692&_SCENARIO=01100035870000000202&_OBJECT=011000358700000866032001E
Please kindly regard with points if this answer was helpful.
Regards,
Gustavo

Similar Messages

SAP router Certificate Expire End of month

Hi Dear,
Please, Our SAP Router Certificate expire end of this month. can any body suggest me , Is it any amount for Renew Sap Router Certificate ? if yes then how much Amount I Paid to SAP ?
and how to renew SAP Router certificate.
I am very-2 thank full to you.
Arpan Saini

Hi,
The problem is that you are using two different pins.THe pin which you used for generation the certificate and the pin you use for importing the certifcate are different.
sapgenpse get_pse -v -r certreq -p local.pse "CN=tdep, OU=0000xxxx, OU=SAProuter, O=SAP, C=DE"
then it will generate the file and it asks for the pin you just give this pin and remember.
Then paste contnet of the "certreq" file which will be generated in the saprouter folder in the market place and select continue
this will generate the new certificate for you.Copy the content and then paste it to srcert.txt file.
Now you import the certificate using the command
sapgenpse import_own_cert -c srcert -p local.pse
here you have enter the pin which you have used for generating the file certreq file.
Regards,
Vamshi.

Error in importing SAP Router Certificate

Hello,
I am trying to import my SAP Router certificate with the following command
sapgenpse import_own_cert -c srcert -p local.pse
But I get the following reply
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1280/0x0500) No certficate with your public key found
I have placed the srcert file in c:\usr\sap\saprouter\ntintel
any suggestions?

Dear Vishnu,
Thanks for your time and inputs
I tried the procedure few times. Its just not working..... somethings really strange here
I went through the link you provided but that does not help either
Now I am getting a new error as pasted below
C:\usr\sap\saprouter\ntintel>sapgenpse import_own_cert -p local.pse -c srcert
Please enter PIN:
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1281/0x0501) aux_file2OctetString failed : "No such file or directory"
ERROR in ssf_read_certs_from_file: (1281/0x0501) aux_file2OctetString failed : "No such file or directory"
ERROR in aux_file2OctetString: (1281/0x0501) stat("srcert") returned : "No such file or directory"
Any suggestions?

SAP router certificate

Hi Gurus;
I want to re-generate my SAp certificate .
Please elloaborate the process to follow.
Thanks and regards
Tushar Pathak

Dear,
This is the procedure that I got from SDN, last December when have to renew my certificate, I got the success by following these steps, you can also try.
Here were my steps to get it sucessfully working:
1. Logon to host with username and password of SAP router service credentials
2. Stop the Saprouter service
3. Make a backup of the folder E:\usr\sap\saprouter
3a. This can be deleted after a successful upgrade
4. Delete this 4 files in E:\usr\sap\saprouter
4a. certreq
4b. cred_V2
4c. localpse
4d. srcert
5. Generate the certificate request using the following command
5a. E:\usr\sap\saprouter>sapgenpse get_pse u2013v u2013r certreq u2013p local.pse "CN=sapslm01.oii.dom, OU=0000810973, OU=SAProuter, O=SAP, C=DE"
5b. Enter a PIN of 1234
6. Copy the contents of certreq to the clipboard
7. Go to http://www.service.sap.com/saprouter-sncadd
8. Paste the contents of the clipboard into the form
9. This will generate a new certificate, copy its contents into a file called srcert
9a. You will have to create srcert
10. Then import the certificated using the following command
10a. E:\usr\sap\saprouter>sapgenpse import_own_cert u2013c srcert u2013p local.pse
10b. Enter the PIN of 1234
11. The setup the logon using the following command
11a. E:\usr\sap\saprouter>sapgenpse seclogin u2013p local.pse
11b. This will create a file called cred_V2
12. Check if the certificate has been loaded correctly by using the following command
12a. E:\usr\sap\saprouter>sapgenpse get_my_name u2013v u2013n Issuer
13. Start the Saprouter service

Error while importing SAP Router renew Certificate

Hi Gurus,
My sap router certificate got expired and got mail from SAP to renew, so I decided to renew it and followed link http://wiki.sdn.sap.com/wiki/display/Basis/HowtorenewtheSAPRouterlicense to renew saprouter certificate. All the steps were executed fine But I got below error while importing certificate from srcert file.
C:\saprouter>sapgenpse import_own_cert -c srcert -p local.pse
Please enter PIN:
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1280/0x0500) No certficate with your
public key found
Please advise me to solve this issue.
Thanks,
Venkat

Hi Deepak,
thanks for your reply.
yes i have entered correct Pin and in the first step i have moved local.pse and cred_v2, certreq, srcert files to C:/saprouter/backup folder
After executing import command it has given error first time so i copied local.pse file to C:\saprouter folder and executed but same error result.
please help me to solve it.
Thanks,
Venkat

Sap router renewal

Hi,
i have executed the following command for sap router renewval
"sapgenpse get_pse -v -r certreq1 -p local.pse"
After that it asking please enter PIN:I gave the enter,
Reenter PIN:again i gave the enter.
get_pse:Distinguished name of PSE owner: gave the enter
get_pse:an empty subject distinguished name is not supported..
Finally certreq1 fine not created..
Please help me..
Regrads,
Manjini

after this enter any PIN too, following may help
http://sapgoogle.blogspot.com/2008/12/sap-router.html

Host did not respond error in connecting the SAP Router from SERVICE PLACE

Dear Sir,
We renew the Router Certificate by October 2008. We are using broadband connection in our office with firewall (ISA) .
When we try to connect the sap router from SAP Service Market Place, It is connected and after some time, status is changing to Host did not respond due to timeout.
We checked the SAP Router Tab File also. It is correct. Guide us to solve this issue
With Regards
K.Natarajan

Hi
This type of error occurs maximum,only when there is no proper connection between the systems.So,my suggestion is to check with the connection between the systems with the help of Basis person.
regards
krishna

SAP router service is not running.

Hi Everyone.,
Today I have tried to renew the certificate in windows system every thing went well till the end but after importing newly generated certificate sap router service failed to start. Below is the error message when i try to start the service.
D:\usr\sap\SOL\SYS\exe\uc\NTI386>saprouter -r -S 3299 -K "p:CN=SOLMGR, OU=000086
1986, OU=SAPRouter, O=SAP, C=DE"
trcfile dev_rout
no logging active
DEV_rout
trc file: "dev_rout", trc level: 1, release: "700"
Sat Dec 04 09:30:26 2010
SAP Network Interface Router, Version 38.0
command line arg 0:     saprouter
command line arg 1:     -r
command line arg 2:     -S
command line arg 3:     3299
command line arg 4:     -K
command line arg 5:     p:CN=SOLMGR, OU=0000861986, OU=SAPRouter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
      PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/32/32)
SncInit(): Trying environment variable SNC_LIB as a
      gssapi library name: "D:\usr\sap\SOL\SYS\exe\uc\NTI386\sapcrypto.dll".
File "D:\usr\sap\SOL\SYS\exe\uc\NTI386\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
main: pid = 7560, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: './saprouttab'
When i tried to start the service manually then service is starting fine but when i tried to check OSS-001 connection in SM59 it says routtab permission failed rc-94.
Please suggest if any one ever faced this issue.
REgards,
Vinod

Hi Sunil,
I have cross checked the orutab file. Please see below routab file and sugegst me incase if you find mistakes.
SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC-connection from SAP to your system SOL with SAPGUI
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 88.85.224.92 3200
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" solmgr 3200
SNC-connection from SAP to your system SOL with WTS
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 88.85.224.92 3389
SNC-connection from SAP to your system ECC DEV with SAPGUI
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.128.2.239 3200
SNC-connection from SAP to local R/3-System for PCANYwhere
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 5631
SNC-connection from SAP to local R/3-System for saptelnet
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
Access from your local Network to SAP R/3 Frontend (OSS)
P * 194.39.131.34 3299
deny all other connections
D * * *
Also today i recieved a mail saying that client has chnaged the IP address of the saolution manager recently. Do they need to re register the IP with sap again. But i am able to telnet sapserv2 server IP using 3299 port and also able to ping the server. Please suggest.
Regards,
Vinod

SAP router error on windows server 2008 64bit

Hi All,
I am installing sap router on windows 2008 server 64 bit.
While trying to generate certificate request it showing below error.
E:\usr\sap\saprouter\nt-x86_64>sapgenpse get_pse -v -r certreq -p local.pse "CN=
solman, OU=000XXXXXXX, OU=SAProuter, O=SAP, C=DE"
Got absolute PSE path "C:\Users\soladm\sec\local.pse".
Please enter PIN:
Please reenter PIN:
Supplied distinguished name: "CN=solman, OU=000XXXXXXX, OU=SAProuter, O=SAP, C=
DE"
Creating PSE with format v2 (default)
get_pse: Can't create PSE.
ERROR in af_create: (4352/0x1100) could not flush : "SW-PSE"
ERROR in create_PSE: (4352/0x1100) could not flush : "SW-PSE"
ERROR in modified_PSEFile: (4352/0x1100) could not flush : "SW-PSE"
ERROR in flush_PSEFile: (1283/0x0503) Can't write file : "C:\Users\soladm\sec\lo
cal.pse"
ERROR in aux_OctetString2file: (1283/0x0503) Can't write file : "C:\Users\soladm
\sec\local.pse"
I couldn't find the cryptography software specifically for windows 2008 server 64 bit ? So I downloaded the software for windows server 64 bit platform.
Do any one have idea on this...
Please reply..
Regards
Vinay

Hi,
Yes, there is no specific cryptography software for windows server 2008 and whatever u have chosen is correct.
Fom the following error message I could see where the issue arises.
Can't write file : "C:\Users\soladm\sec\local.pse"
I think you have not set the following ENV variable for the SAPRouter admin user (in your case soladm) and hence the sapgenpse tries to import the certificate in the SOLADM user's document folder.
Set the following variables for the user SOLADM and then try to import the certificate as mentioned in the [link|http://service.sap.com/saprouter-sncdoc].
SECUDIR = E:\usr\sap\saprouter
SNC_LIB = E:\usr\sap\saprouter\nt-x86_64\sapcrypto.dll
Hope this resolves ur issue.
Regards,
Varadharajan M

SAP Router internal error

Hello
I have installed solution manager 7.0 and then sap router is also configured on the same box.
1. To generate a certificate request,
sapgenpse get_pse -v -r D:\usr\sap\saprouter\certreq -p D:\usr\sap\saprouter\local.pse "CN=sbsapmgrapp01, OU=0000809350, OU=SAProuter, O=SAP, C=DE"
2. Then you have to request the certificate from
http://service.sap.com/tcs -> Download Area -> SAProuter Certificate
3. Create a file D:\usr\sap\saprouter\srcert and copy the requested
certificate into this file. :
sapgenpse import_own_cert -c D:\usr\sap\saprouter\srcert -p
D:\usr\sap\saprouter\local.pse
4. To generate credentials for the user that's running the SAProuter
service:
sapgenpse seclogin -p D:\usr\sap\saprouter\local.pse -O sapadmin
(this will create the file "cred_v2")
5. Check the configuration:
sapgenpse get_my_name -v -n Issuer
(Result: "CN=SAProuter CA, OU=SAProuter,
O=SAP, C=DE")
6. Create SAProuter service on Windows :
ntscmgr install SAProuter -b D:\usr\sap\saprouter\saprouter.exe -p
"service -r -R D:\usr\sap\saprouter\saprouttab -W 60000 -K "CN=sbsapmgrapp01, OU=0000809350, OU=SAProuter, O=SAP, C=DE"
7. Edit the Windows Registry key :
MyComputer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAProuter\ImagePath
8. Start the SAProuter service -- success
9. Enter the parameters in OSS1 -> Technical Settings -->
hostname : sbsapmgrapp01
IP: 10.1.0.112
instance : 00
SAP host name : sapserv2
IP: 194.39.131.34
instance:99
10. saprouttab
SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.1.0.112 3200
Access from the local Network to SAPNet - R/3 Frontend (OSS)
P 10.1.0.112 194.39.131.34 3299
deny all other connections
D * * *
when I check the sap-oss connection i am getting internal error. Any help would be appreciate..
Thanks
seshu

Hi Rahu
Thanks for your response. Here is my saprouttab entry's
SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC-connection from SAP to local Solman System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.1.0.112 3200
Access from the local Network to SAPNet - R/3 Frontend (OSS)
P     10.1.0.112     194.39.131.34     3299
P     10...*     194.39.131.34     *
Here is my dev_rout file..
trc file: "dev_rout", trc level: 1, release: "700"
Thu Oct 16 02:08:22 2008
SAP Network Interface Router, Version 38.10
command line arg 0:     D:\usr\sap\saprouter\saprouter.exe
command line arg 1:     -r
command line arg 2:     -R
command line arg 3:     D:\usr\sap\saprouter\saprouttab
command line arg 4:     -W
command line arg 5:     60000
command line arg 6:     -K
command line arg 7:     p:CN=sbsapmgrapp01, OU=0000809350, OU=SAProuter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
      PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)
SncInit(): Trying environment variable SNC_LIB as a
      gssapi library name: "D:\usr\sap\saprouter\sapcrypto.dll".
File "D:\usr\sap\saprouter\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
main: pid = 1684, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: 'D:\usr\sap\saprouter\saprouttab'
Thu Oct 16 09:14:17 2008
***LOG Q0I=> NiPConnect2: connect (10061: WSAECONNREFUSED: Connection refused) [nixxi.cpp 2823]
ERROR => NiPConnect2: SiPeekPendConn failed for hdl 2 / sock 256
    (SI_ECONN_REFUSE/10061; I4; ST; 194.39.131.34:3299) [nixxi.cpp    2823]
Thu Oct 16 09:14:20 2008
***LOG Q0I=> NiPConnect2: connect (10061: WSAECONNREFUSED: Connection refused) [nixxi.cpp 2823]
ERROR => NiPConnect2: SiPeekPendConn failed for hdl 2 / sock 256
    (SI_ECONN_REFUSE/10061; I4; ST; 194.39.131.34:3299) [nixxi.cpp    2823]
Kindly suggest the changes in my saprottab file..
Thanks
seshu
Issue resloved..
Edited by: Seshagiri Rao Myneni on Oct 16, 2008 7:31 PM

Wrong Distinguished Name for SAP-Router

Hello Everybody,
I have a Problem about the Distinguish name of my sap router.
The Problem, when I go to sap to look for my Distinguish name and therefore to generate the saprouter certificat.
I found something totally wrong :
e.g. CN=SAProuter, OU=0000755120, OU=SAProuter, O=SAP, C=DE
but it muss be like this e.g. CN=Routi, OU=0003380660, OU=SAProuter, O=SAP, C=DE
How can I change this, I don't want to start my saprouter with the wrong Distinguish name.
Thanks in Advance.
Best Regards,
Kais

Hello,
Is your SAPRouter in the DMZ ?
In that case, you have to open the firewall port.
Regards,
Abhilash

Unable to Start SAP Router

Hi All,
I have installed SAP Router before but this time when I installed and tried to start SAP Router its not getting started, and also not giving any error log file in SAP Router directory.
Please check the below command and correct me if I am wrong.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\sap_admin>cd \
C:\>cd SAPRTR
C:\SAPRTR>saprouter -r -S 3299 -K "p:CN=<MyRouterHOSTNAME>, OU=<Cust_NUM>, OU=SAProuter,
O=SAP, C=DE"
SAP Network Interface Router, Version 38.10
Compiled Oct 7 2009 03:08:09
start router : saprouter -r
stop router : saprouter -s
soft shutdown: saprouter -p
router info : saprouter -l (-L)
new routtab : saprouter -n
toggle trace : saprouter -t
cancel route : saprouter -c id
dump buffers : saprouter -d
flush   "    : saprouter -f
hide errInfo : saprouter -z
start router with third-party library: saprouter -a library
additional options
-R routtab   : name of route-permission-file (default ./saprouttab)
-G logfile   : name of log file               (default no logging)
-T tracefile : name of trace file             (default dev_rout)
-V tracelev : trace level to run with        (default 1)
-H hostname : of running SAProuter           (default localhost)
-S service   : service-name / number          (default 3299)
-P infopass : password for info requests
-C clients   : maximum no of clients          (default 800)
-Y servers   : maximum no of servers to start (default 1)
-K [myname] : activate SNC; if given, use 'myname' as own sec-id
-A initstring: initialization options for third-party library
-D           : switch DNS reverse lookup off
-E           : append log- and trace-files to existing
-J filesize : maximum log file size in byte (default off)
-6           : IPv6 enabled
-Z           : hide connect error information for clients
expert options
-B quelength : max. no. of queued packets per client (default 1)
-Q queuesize : max. total size for all queues (default 20000000 bytes)
-W waittime : timeout for blocking net-calls (default 5000 millisec)
-M min.max   : portrange for outgoing connects, like -M 1.1023
-I address   : address for outgoing connects, like -I 155.56.76.6
this is a sample routtab : -----------------------------------------
D     host1                host2     serviceX
D     host3
P     *                    *         serviceX
P     155.56..           155.56
P     155.57.1011xxxx.*
P     host4                host5     *          xxx
P     host6                localhost 3299
P     host7                host8     telnet
S     host9
P0,* host10
KP    sncname1             *         *
KS    *                    host11    *
KD    "sncname "abc"       *         *
KT    sncname3             host11    *
deny routes from host1 to host2 serviceX
deny all routes from host3
permit routes from anywhere to any host using serviceX
permit all routes from/to addresses matching 155.56
permit ... with 3rd byte matching 1011xxxx
permit routes from host4 to host5 if password xxx supplied
permit information requests from host6
permit native-protocol-routes to non-SAP-server telnet
permit ... excluding native-protocol-routes (SAP-servers only)
permit ... if number of preceding/succeeding hops (SAProuters) <= 0/*
permit SNC-connection with partnerid = 'sncname1' to any host
permit all SAP-SAP SNC-connections to host11
deny all SNC-connections with partnerid = 'sncname "abc'
open connects to host11 with SNC enabled and partnerid = 'sncname3'
first match [host/sncname host service] is used
permission is denied if no entry matches
service wildcard (*) does not apply to native-protocol-routes
C:\SAPRTR>
Rg
Ramesh

Hello my friend
It could be certificate didn't import properly or routtab content is not correct. Here's your checklist:
Creating the certificate request
1) As user <snc_adm> set the environment variables SNC_LIB and SECUDIR
2) Change to the alias SAPROUTER-SNCADD. From the list of SAProuters registered to your installation, choose the relevant u201CDistinguished Nameu201D.
3) Generate the certificate Request with the command:
sapgenpse get_pse -v -r certreq -p local.pse u201C<Distinguished Name>u201D
You will be asked twice for a PIN here. Please choose a PIN and document it, you have to enter it identically both times. Then you will have to enter the same PIN every time you want to use this PSE.
4) Display the output file "certreq" and with copy&paste (including the BEGIN and END statement) insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.
5) In response you will receive the certificate signed by the CA in the Service Marketplace. Copy&paste the text to a new local file named "srcert", which must be created in the same directory as the sapgenpse executable.
6) With this in turn you can install the certificate in your saprouter by calling:
sapgenpse import_own_cert -c srcert -p local.pse
7) Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user_for_saprouter>, the credentials are created for the logged in user account).
sapgenpse seclogin -p local.pse -O <user_for _saprouter>
Note: The account of the service user should always be entered in full <domainname>\<username>
8) This will create a file called "cred_v2" in the same directory as "local.pse"
9) Check if the certificate has been imported successfully with the following command:
sapgenpse get_my_name -v -n Issuer
The name of the Issuer should be:
CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
10) If this is not the case, delete the files "cred_v2"and "local.pse" and start over at Item 3.
Additional actions necessary before you can start SAProuter
1.     Check if the environment of the user running SAProuter contains the environment variable SNC_LIB and SECUDIR
2.     Start the SAProuter with the following command line (to start the SAProuter as a Windows service, please follow the steps described in SAP note 525751):
               saprouter -r -S <port> -K "p:<Distingushed Name>"
               -K tells the saprouter to start with loading the SNC library
3.     The corresponding file "saprouttab" should look like:
SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
SNC-connection from SAP to telnet in your network
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 23
Access from the local Network to SAPNet - R/3 Frontend (OSS)
P * 194.39.131.34 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your IP> <port>
Regards,
Effan
DON'T KNOW WHY THE FORMAT MESSED UP, PLEASE USE QUOTE ORIGINAL IN REPLY MODE TO READ THE CORRECT FORMAT CONTENT. SORRY!

Renew and Download maintainance certificate from solution manager

Hi Friends,
I am looking to renew and download maintenance certificate for MANAGED SYSTEM from Solution Manager (7.1) SP12.
Can you guys guide me on this how do I proceed.
Thanks & Regards,
Solman Starter

Hi
Please check
https://websmp204.sap-ag.de/~sapidb/011000358700000574752008
and
https://websmp204.sap-ag.de/~form/sapnet?_SCENARIO=01100035870000000202&_SHORTKEY=01100035870000716020&_OBJECT=011000358700000138222008E
check out FAQ abt maintenace certificate:
https://websmp204.sap-ag.de/~sapidb/011000358700000325262008E#6
The SAP Solution Manager triggers the generation of a valid maintenance certificate in SAP Support Portal, download it locally in SolMan system and manages the distribution to the managed system.
See detailed documentation http://help.sap.com/saphelp_sm71_sp01/helpdata/en/89/a7c08d740c4cffb491f98801f17d30
Thanks
Vikram

How to install and configure SAP Router

Dear SAP Expert !
I want to install SAP Router but i dont know the SAP router package is allocated on DVD ? what is the DVD number ?
If you already configure SAP router please let me know how to configure ?

Hello Thao
what is th exact issue that are u facing.
The account must be the administartor of the machine where u are installing SAPROUTER.Make sure you are following the correct steps as follows:
Downloading necessary software components from SAP Service Marketplace
1. Login to the SAP Service Marketplace with the Service Marketplace at using
the USERID/PASSWORD which was assigned for your installation.
2. Change the alias to www.service.sap.com/tcs to downloaded the SAP
cryptographic software. Select the correct SAPcrptographic software
depending on your saprouter operating system as shown below.
3. You must have the sapcar.exe in order to extract the SAP cryptographic
software file.
4. With the command of u201Csapcar -xvf xxxxxxx.saru201D, /ntintel directory would be
created and the following files would be extracted.
(Example C:/saprouter/ntintel)
( when the Microsoft Windows NT Intel version is downloaded)
C:/saprouter/ntintel/sapcrypto.dll
C:/saprouter/ntintel/sapgenpse.exe
C:/saprouter/ticket
Issue of Electronic Certificate
5. It is necessary to define the environment variable for u201CSECUDIRu201D and
u201CSNC_LIBu201D under system account.
Window NT environment variable setup :
Right-clicked the icon of you computer
Property -> details -> environment variable
SECUDIR = < Directory name >
Example. Variable name : SECUDIR
Variable value
: C:/saprouter/SNC_LIB = < Directory name >
Example. Variable name : SNC_LIB
Variable value : C:/saprouter/ntintel/sapcrypto.dll
UNIX
<path_to_libsecude>/<name_of_sapcrypto_library>
Windows
NT,
<drive>:/<path_to_libsecude>/<name_of_sapcrypto_library>
Windows
2000
6. Check if the environment of the user running saprouter contains the
environment variable SNC_LIB.
UNIX
Printenv
Windows NT
System environment Variable
7. You may now apply for a SAProuter certificate from the SAP Trust Center
Service of SAP service marketplace
http://service.sap.com/tcs
> SAP Trust Center Service in Detail
> SAProuter Certificates
SAProuter Certificate "Apply Now"
Click the button.
8. Please take note of your "Distinguished Name"
Please refer to the example above
-SAPRouter Name
: JPL50020586
-Distinguished Name
CN=JPL50020586, OU=0000036946, OU=SAProuter, O=SAP, C=DE
Then, clicked the "Continue" button.
9. Execute the following command in the /saprouter/ntintel
directory in order to generate your certificate to be exchanged with SAP.
sapgenpse get_pse -v -r certreq -p local.pse "Distinguished Name"
Example
sapgenpse get_pse u2013v -r certreq -p local.pse "CN=JPL50020586, OU=0000036946,
OU=SAProuter, O=SAP, C=DE"
Enter the PIN number. (you may enter any PIN Number you wish.)
Please enter PIN :
Please re-enter PIN :
<- you must use the same PIN Number as the above.
10. The "certreq" file is created in the /saprouter/ntintel directory.
11. Use a notepad to open the "certreq" file and copy the displayed information
(From the -BEGIN .to the END -)
12.You now have to paste the above copy content into the space provided
shown below. After you have pasted the text, click the u201CRequest certificateu201D
button to submit your request.
13. Once you click on the u201CRequest Certificateu201D a new screen will be displaying
your certificate issued by SAP CA (Certification Authority).
14. Using a notepad to copy the content (From u2013Beingu2026 to -END) and save it
as u201Csrcertu201D into /saprouter/ntintel/srcert.
Note :
- Please rename srcert.txt into srcert without any extension.
15. You then need to import this certificate into SAProuter using the following
command.
Please run on /saprouter/ntintel directory.
sapgenpse import_own_cert -c srcert -p local.pse
Please enter PIN : (same as point 9)
16. Execute the following command in the /saprouter/ntintel directory.
sapgenpse seclogin -p local.pse
Please enter PIN : (same as point 9)
This will create a file "cred_v2" in the same directory.
17. Please check whether the certificate has been imported correctly.
Execute this command in /saprouter/ntintel directory.
sapgenpse get_my_name -v -n Issuer
The result should be "CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE".
18. When the above results are not obtained , please delete local.pse and
cred_v2 and work again from steps 9. Please seek the assistance from your
local SAP helpdesk or create an OSS message via component XX-SER-NET-
OSS, if you are not able to obtain the above-mentioned result after you have
repeated the above steps.
Route permission table (saprouttab)
19. The corresponding file ./saprouttab should contain at least the following
entries.
Example : by SNC connection, when connecting to sapserv2
(194.39.131.34) the following entries need to be indicated by saprouttab.,
SNC-connection to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34
SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>
SNC-connection from SAP to local R/3-System for pcANYWHERE, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 5631
SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503
SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
Access from the local Network to SAPNet - R/3 Frontend (OSS)
P <IP-addess of a local PC> 194.39.131.34 3299
deny all other connections
D * * *
Start the SAProuter with the following command.
Saprouter -r -S <port> -K
"p: <Your Distingiushed Name>"
-K tells the saprouter to start with loading the SNC library.
Example: saprouter -r -S 3299 u2013K "p:CN=JPL50020586, OU=0000036946,
OU=SAProuter, O=SAP, C=DE"
Additional Note
-You may refer to SAP note: 30289 in the SAP service marketplace for detail
information with regards to SAProuter
http://www.service.sap.com/note

Pre requisites for installing SAP Router

Hi Friends,
As i am going through the implementation phase, I have to install sap router which i am new at. Also i am doing it because i have to connect Maintenance Optimizer to Sap service Market place for which Router would be essentially required.
I have some questions to put forth.
1. what are the pre requisites for SAP Router
2. Do we require Public IP and what would be the use of this ip
3. how to configure the SAP Router
4. Can i install the SAP router on the same host on which we have Solution manager, is it advisable. or we should go for a seperate host.
Regards
Aayush

Installing the sapcrypto library and starting the SAProuter
Contents
u2022     Downloading necessary software components from SAP Service Marketplace
u2022     Creating the certificate request
u2022     Additional actions necessary before you can start saprouter
This section describes the necessary steps to download and install the sapcrypto library for use with saprouter. The saprouter must be started with the options described later in this section.
The license for the sapcrypto library covers saprouter connections between saprouters at SAP and the first saprouter on customer sites and backend connections within the customer`s network. For all other purposes the library CANNOT be used!
Downloading necessary software components from SAP Service Marketplace
1.     Login to the SAP Service Marketplace with the Service Marketplace USERID which is assigned to your installation.
2.     Change to the alias SAPROUTER-SNCADD. Before you can download the software components two preconditions must be met.
     a.     You must have been allowed to download the software. This authorization is added as soon as SAP has received a positive statement from the "Bundesausfuhramt". This procedure is necessary since the software falls under EU regulations.
     b.     For more information on how to obtain authorization if download is not possible see note 397175.
     c.     You must accept that you must follow the regulations imposed by the EU on the use and distribution of the cryptographic software components downloaded from the SAP Service Marketplace.
3.     The acceptance of the terms and conditions is logged with your USERID and stored for reporting purposes to the "Bundesausfuhramt".
4.     Accepting with the button on the web-based form takes you to the folder where you can download the Software components.
These are packed into a single CAR file sapcrypto.car
5.     Copy the file to the direcory where the saprouter executable is located
6.     You can get the file car.exe/sapcar.exe, which is necessary to unpack the archive from any Installation Kernel CD.
Executing the command car -xvf SAPCRYPTO.CAR will unpack the following files:
[lib]sapcrypto.[dll|so|sl]
sapgenpse[.exe]
ticket
Creating the certificate request
1.     As user <snc>adm set the environment variables
SECUDIR = <directory_of_saprouter>
2.     Change to the Shortlink SAPROUTER-SNCADD. From the list of SAProuters registered to your installation, choose the relevant "Distinguished Name"
3.     Generate the certificate Request with the command
sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"
4.     Alternatively use the two commands:
sapgenpse get_pse -v -noreq -p local.pse "<Your Distinguished Name>"
sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
5.     Display the output file "certreq" and with copy&paste insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name
6.     In response you will receive the certificate signed by the CA in the Service Marketplace, cut&paste the text to a local file named srcert
7.     With this in turn you can install the certificate in your saprouter by calling
sapgenpse import_own_cert -c srcert -p local.pse
8.     now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user>, the credentials are created for the logged in user account)
sapgenpse seclogin -p local.pse -O <user_for _saprouter>
9.     This will create a file called cred_v2 in the same directory.
For increased security please check that the file can only be accessed by the user running the SAProuter.
Do not allow any other access (not even from the same group)!
On UNIX this will mean permissions being set to 600 or even 400!
On NT check that the permissions are granted only to the user the service is running as!
1.     Check if the certificate has been imported correctly
sapgenpse get_my_name -v -n Issuer
The name of the Issuer should be: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
2.     If this is not the case, delete the files cred_v2, local.pse and start over at Item 4. If the output still does not match please open a customer message in component XX-SER-NET-OSS stating the actions you have taken so far and the output of the commands
4.,7.,8. and 10.
Additional actions necessary before you can start saprouter
1.     The environment variable SNC_LIB needs to be set for the user account SAProuter is running under.
SNC_LIB has the form
UNIX      <path_to_libsecude>/<name_of_sapcrypto_library>
Windows NT, Windows 2000     <drive>:\<path_to_libsecude>\<name_of_sapcrypto_library>
2.     Check if the environment of the user running saprouter contains the environment variable SNC_LIB
UNIX     printenv
Windows NT     System environment variable
3.     start the saprouter with the following command line:
saprouter -r -S <port> -K "p:<Your Distingushed Name>"
-K tells the saprouter to start with loading the SNC library
the corresponding file ./saprouttab should contain at least the following entries
inbound connections MUST use SNC
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your_server1> <port_number>
repeat this for the servers and port_numbers you will need to allow,
please make sure that all explicit ports are inserted in front of a
generic entry '*' for port_number
outbound connections to <sapservX> will use SNC
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapservX> <sapservX_inbound_port>
permission entries to check if connection is allowed at all
P <IP address of a local host> <IP address of sapserv2>
all other connections will be denied
D * * *
Example
For a SNC encrypted connection to the SAPRouter on sapserv2 (194.39.131.34), the saprouttab should contain the following entries:
SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>
SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503
SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
Access from the local Network to SAPNet - R/3 Frontend (OSS)
P <IP-addess of a local PC> 194.39.131.34 3299
deny all other connections
D * * *
Lalit Kumar

Renewal of SAP Router Certificate

Similar Messages

Maybe you are looking for