SAP router Certificate Expire End of month

Similar Messages

• Error in importing SAP Router Certificate

  Hello,
  I am trying to import my SAP Router certificate with the following command
  sapgenpse import_own_cert -c srcert -p local.pse
  But I get the following reply
  import_own_cert: Installation of certificate failed
  ERROR in ssf_install_CA_response: (1280/0x0500) No certficate with your public key found
  I have placed the srcert file in c:\usr\sap\saprouter\ntintel
  any suggestions?

  Dear Vishnu,
  Thanks for your time and inputs
  I tried the procedure few times. Its just not working..... somethings really strange here
  I went through the link you provided but that does not help either
  Now I am getting a new error as pasted below
  C:\usr\sap\saprouter\ntintel>sapgenpse import_own_cert -p local.pse -c srcert
  Please enter PIN:
  import_own_cert: Installation of certificate failed
  ERROR in ssf_install_CA_response: (1281/0x0501) aux_file2OctetString failed : "No such file or directory"
  ERROR in ssf_read_certs_from_file: (1281/0x0501) aux_file2OctetString failed : "No such file or directory"
  ERROR in aux_file2OctetString: (1281/0x0501) stat("srcert") returned : "No such file or directory"
  Any suggestions?

• Renewal of SAP Router Certificate

  How can I renew the SAP Router Certificate?Do I have to create another new request or can I renew the existing one?
  Thanks

  Hi Sandipan,
  you must apply for a new certificate in the Marketplace. You can find useful the instructions detailed in this link:
  http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000234692&_SCENARIO=01100035870000000202&_OBJECT=011000358700000866032001E
  Please kindly regard with points if this answer was helpful.
  Regards,
  Gustavo

• SAP router certificate

  Hi Gurus;
  I want to re-generate my SAp certificate .
  Please elloaborate the process to follow.
  Thanks and regards
  Tushar Pathak

  Dear,
  This is the procedure that I got from SDN, last December when  have to renew my certificate, I got the success by following these steps, you can also try.
  Here were my steps to get it sucessfully working:
  1. Logon to host with username and password of SAP router service credentials
  2. Stop the Saprouter service
  3. Make a backup of the folder E:\usr\sap\saprouter
  3a. This can be deleted after a successful upgrade
  4. Delete this 4 files in E:\usr\sap\saprouter
  4a. certreq
  4b. cred_V2
  4c. localpse
  4d. srcert
  5. Generate the certificate request using the following command
  5a. E:\usr\sap\saprouter>sapgenpse get_pse u2013v u2013r certreq u2013p local.pse "CN=sapslm01.oii.dom, OU=0000810973, OU=SAProuter, O=SAP, C=DE"
  5b. Enter a PIN of 1234
  6. Copy the contents of certreq to the clipboard
  7. Go to http://www.service.sap.com/saprouter-sncadd
  8. Paste the contents of the clipboard into the form
  9. This will generate a new certificate, copy its contents into a file called srcert
  9a. You will have to create srcert
  10. Then import the certificated using the following command
  10a. E:\usr\sap\saprouter>sapgenpse import_own_cert u2013c srcert u2013p local.pse
  10b. Enter the PIN of 1234
  11. The setup the logon using the following command
  11a. E:\usr\sap\saprouter>sapgenpse seclogin u2013p local.pse
  11b. This will create a file called cred_V2
  12. Check if the certificate has been loaded correctly by using the following command
  12a. E:\usr\sap\saprouter>sapgenpse get_my_name u2013v u2013n Issuer
  13. Start the Saprouter service

• Error while importing SAP Router renew Certificate

  Hi Gurus,
  My sap router certificate got expired and got mail from SAP to renew, so I decided to renew it and followed link http://wiki.sdn.sap.com/wiki/display/Basis/HowtorenewtheSAPRouterlicense to renew saprouter certificate. All the steps were executed fine But I got below error while importing certificate from srcert file.
  C:\saprouter>sapgenpse import_own_cert -c srcert -p local.pse
  Please enter PIN:
  import_own_cert: Installation of certificate failed
  ERROR in ssf_install_CA_response: (1280/0x0500) No certficate with your
  public key found
  Please advise me to solve this issue.
  Thanks,
  Venkat

  Hi Deepak,
  thanks for your reply.
  yes i have entered correct Pin and in the first step i have moved local.pse and cred_v2, certreq, srcert files to C:/saprouter/backup folder
  After executing import command it has given error first time so i copied local.pse file to C:\saprouter folder and executed but same error result.
  please help me to solve it.
  Thanks,
  Venkat

• Got new credit card , updated card detail but adobe said i need to renew subscription ... but my subscription only expires end of nert month .. Ps does not want to open .

  got new credit card , updated card detail but adobe said i need to renew subscription ... but my subscription only expires end of nert month .. Ps does not want to open .

  Unfortunately, only Adobe customer service can assist you with your issue. These are user forums; you are not addressing Adobe here.
  Click on the link below, and after that click on "Still need Help? Contact us."
  Then on the next page, click Chat
  There is also a phone option. 1 (800) 833-6687
  http://helpx.adobe.com/contact.html?step=PHXS_downloading-installing-setting-up_licensing- activation

• Sap Router not connecting

  When I check via SM59  to SAPOSS. It giving messege before 4 days It was working ,But Noe
  Sap Router giving Error
  Logon     Connection Error
  Error Details     Error when opening an RFC connection
  Error Details     ERROR: CPIC program connection ended (read error)
  Error Details     LOCATION: SAP-Server appkg_PRD_01 on host appkg (wp 0)
  Error Details     COMPONENT: CPIC
  Error Details     COUNTER: 4662
  Error Details     MODULE:
  Error Details     LINE:
  Error Details     RETURN CODE: 223
  Error Details     SUBRC: 0
  Error Details     RELEASE: 700
  Error Details     TIME: Thu Oct  9 09:21:22 2008
  Error Details     VERSION:
  What-2 option we should check.Where should be problem.
  Thanks manu

  Thanks rahul for your repply. I check in my Portel that SAP Router has been Expired.When I activate in service market place, what i should  give value in  " Insert the Certificate Signing Request "
  I am giving    SAProuter name : saprouter
                     Distinguinshed name: CN=saprouter, OU=0000870506, OU=SAProuter, O=SAP, C=DE
  Then continue  It give messege  "  Error - Applying for a certificate for SAProuter "
  What the value or Text will come in   "Insert the Certificate Signing Request "
  Thanks
  manu

• Unable to Start SAP Router

  Hi All,
  I have installed SAP Router before but this time when I installed and tried to start SAP Router its not getting started, and also not giving any error log file in SAP Router directory.
  Please check the below command and correct me if I am wrong.
  Microsoft Windows XP [Version 5.1.2600]
  (C) Copyright 1985-2001 Microsoft Corp.
  C:\Documents and Settings\sap_admin>cd \
  C:\>cd SAPRTR
  C:\SAPRTR>saprouter -r -S 3299 -K "p:CN=<MyRouterHOSTNAME>, OU=<Cust_NUM>, OU=SAProuter,
  O=SAP, C=DE"
  SAP Network Interface Router, Version 38.10
  Compiled Oct  7 2009 03:08:09
  start router : saprouter -r
  stop router  : saprouter -s
  soft shutdown: saprouter -p
  router info  : saprouter -l (-L)
  new routtab  : saprouter -n
  toggle trace : saprouter -t
  cancel route : saprouter -c id
  dump buffers : saprouter -d
  flush   "    : saprouter -f
  hide errInfo : saprouter -z
  start router with third-party library: saprouter -a library
  additional options
  -R routtab   : name of route-permission-file  (default ./saprouttab)
  -G logfile   : name of log file               (default no logging)
  -T tracefile : name of trace file             (default dev_rout)
  -V tracelev  : trace level to run with        (default 1)
  -H hostname  : of running SAProuter           (default localhost)
  -S service   : service-name / number          (default 3299)
  -P infopass  : password for info requests
  -C clients   : maximum no of clients          (default 800)
  -Y servers   : maximum no of servers to start (default 1)
  -K [myname]  : activate SNC; if given, use 'myname' as own sec-id
  -A initstring: initialization options for third-party library
  -D           : switch DNS reverse lookup off
  -E           : append log- and trace-files to existing
  -J filesize  : maximum log file size in byte  (default off)
  -6           : IPv6 enabled
  -Z           : hide connect error information for clients
  expert options
  -B quelength : max. no. of queued packets per client  (default 1)
  -Q queuesize : max. total size for all queues (default 20000000 bytes)
  -W waittime  : timeout for blocking net-calls (default 5000 millisec)
  -M min.max   : portrange for outgoing connects, like -M 1.1023
  -I address   : address for outgoing connects, like -I 155.56.76.6
  this is a sample routtab : -----------------------------------------
  D     host1                host2     serviceX
  D     host3
  P     *                    *         serviceX
  P     155.56..           155.56
  P     155.57.1011xxxx.*
  P     host4                host5     *          xxx
  P     host6                localhost 3299
  P     host7                host8     telnet
  S     host9
  P0,*  host10
  KP    sncname1             *         *
  KS    *                    host11    *
  KD    "sncname "abc"       *         *
  KT    sncname3             host11    *
  deny routes from host1 to host2 serviceX
  deny all routes from host3
  permit routes from anywhere to any host using serviceX
  permit all routes from/to addresses matching 155.56
  permit ... with 3rd byte matching 1011xxxx
  permit routes from host4 to host5 if password xxx supplied
  permit information requests from host6
  permit native-protocol-routes to non-SAP-server telnet
  permit ... excluding native-protocol-routes (SAP-servers only)
  permit ... if number of preceding/succeeding hops (SAProuters) <= 0/*
  permit SNC-connection with partnerid = 'sncname1' to any host
  permit all SAP-SAP SNC-connections to host11
  deny all SNC-connections  with partnerid = 'sncname "abc'
  open connects to host11 with SNC enabled and partnerid = 'sncname3'
  first match [host/sncname host service] is used
  permission is denied if no entry matches
  service wildcard (*) does not apply to native-protocol-routes
  C:\SAPRTR>
  Rg
  Ramesh

  Hello my friend
  It could be certificate didn't import properly or routtab content is not correct. Here's your checklist:
  Creating the certificate request
  1) As user <snc_adm> set the environment variables SNC_LIB and SECUDIR
  2) Change to the alias SAPROUTER-SNCADD. From the list of SAProuters registered to your installation, choose the relevant u201CDistinguished Nameu201D.
  3) Generate the certificate Request with the command:
  sapgenpse get_pse -v -r certreq -p local.pse u201C<Distinguished Name>u201D
  You will be asked twice for a PIN here. Please choose a PIN and document it, you have to enter it identically both times. Then you will have to enter the same PIN every time you want to use this PSE.
  4) Display the output file "certreq" and with copy&paste (including the BEGIN and END statement) insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.
  5) In response you will receive the certificate signed by the CA in the Service Marketplace. Copy&paste the text to a new local file named "srcert", which must be created in the same directory as the sapgenpse executable.
  6) With this in turn you can install the certificate in your saprouter by calling:
  sapgenpse import_own_cert -c srcert -p local.pse
  7) Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user_for_saprouter>, the credentials are created for the logged in user account). 
  sapgenpse seclogin -p local.pse -O <user_for _saprouter>
  Note: The account of the service user should always be entered in full <domainname>\<username>
  8) This will create a file called "cred_v2" in the same directory as "local.pse"
  9) Check if the certificate has been imported successfully with the following command:
  sapgenpse get_my_name -v -n Issuer
  The name of the Issuer should be:
  CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
  10) If this is not the case, delete the files "cred_v2"and "local.pse" and start over at Item 3.
  Additional actions necessary before you can start SAProuter
  1.     Check if the environment of the user running SAProuter contains the environment variable SNC_LIB and SECUDIR
  2.     Start the SAProuter with the following command line (to start the SAProuter as a Windows service, please follow the steps described in SAP note 525751):
                 saprouter -r -S <port> -K "p:<Distingushed Name>"
                 -K tells the saprouter to start with loading the SNC library
  3.     The corresponding file "saprouttab" should look like:
  SNC-connection from and to SAP                               
  KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *  
  SNC-connection from SAP to local R/3-System for Support      
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *              
  SNC-connection from SAP to telnet in your network            
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 23             
  Access from the local Network to SAPNet - R/3 Frontend (OSS) 
  P * 194.39.131.34 3299                                         
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <your IP> <port> 
  Regards,
  Effan
  DON'T KNOW WHY THE FORMAT MESSED UP, PLEASE USE QUOTE ORIGINAL IN REPLY MODE TO READ THE CORRECT FORMAT CONTENT. SORRY!

• How to install and configure SAP Router

  Dear SAP Expert !
  I want to install SAP Router but i dont know the SAP router package is allocated on DVD ? what is the DVD number ?
  If you already configure SAP router please let me know how to configure ?

  Hello Thao
  what is th exact issue that are u facing.
  The account must be the administartor of the machine where u are installing SAPROUTER.Make sure you are following the correct steps as follows:
  Downloading necessary software components from SAP Service Marketplace
  1. Login to the SAP Service Marketplace with the Service Marketplace at using
  the USERID/PASSWORD which was assigned for your installation.
  2. Change the alias to www.service.sap.com/tcs to downloaded the SAP
  cryptographic software. Select the correct SAPcrptographic software
  depending on your saprouter operating system as shown below.
  3. You must have the sapcar.exe in order to extract the SAP cryptographic
  software file.
  4. With the command of u201Csapcar -xvf xxxxxxx.saru201D, /ntintel directory would be
  created and the following files would be extracted.
  (Example C:/saprouter/ntintel)
  ( when the Microsoft Windows NT Intel version is downloaded)
  C:/saprouter/ntintel/sapcrypto.dll
  C:/saprouter/ntintel/sapgenpse.exe
  C:/saprouter/ticket
  Issue of Electronic Certificate
  5. It is necessary to define the environment variable for u201CSECUDIRu201D and
  u201CSNC_LIBu201D under system account.
  Window NT environment variable setup :
  Right-clicked the icon of you computer
  Property -> details -> environment variable
  SECUDIR = < Directory name >
  Example. Variable name : SECUDIR
  Variable value
  : C:/saprouter/SNC_LIB = < Directory name >
  Example. Variable name : SNC_LIB
  Variable value : C:/saprouter/ntintel/sapcrypto.dll
  UNIX
  <path_to_libsecude>/<name_of_sapcrypto_library>
  Windows
  NT,
  <drive>:/<path_to_libsecude>/<name_of_sapcrypto_library>
  Windows
  2000
  6. Check if the environment of the user running saprouter contains the
  environment variable SNC_LIB.
  UNIX
  Printenv
  Windows NT
  System environment Variable
  7. You may now apply for a SAProuter certificate from the SAP Trust Center
  Service of SAP service marketplace
  http://service.sap.com/tcs
  > SAP Trust Center Service in Detail
  > SAProuter Certificates
  SAProuter Certificate "Apply Now"
  Click the button.
  8. Please take note of your "Distinguished Name"
  Please refer to the example above
  -SAPRouter Name
  : JPL50020586
  -Distinguished Name
  CN=JPL50020586, OU=0000036946, OU=SAProuter, O=SAP, C=DE
  Then, clicked the "Continue" button.
  9. Execute the following command in the /saprouter/ntintel
  directory in order to generate your certificate to be exchanged with SAP.
  sapgenpse get_pse -v -r certreq -p local.pse "Distinguished Name"
  Example
  sapgenpse get_pse u2013v -r certreq -p local.pse "CN=JPL50020586, OU=0000036946,
  OU=SAProuter, O=SAP, C=DE"
  Enter the PIN number. (you may enter any PIN Number you wish.)
  Please enter PIN :
  Please re-enter PIN :
  <- you must use the same PIN Number as the above.
  10. The "certreq" file is created in the /saprouter/ntintel directory.
  11. Use a notepad to open the "certreq" file and copy the displayed information
  (From the -BEGIN .to the END -)
  12.You now have to paste the above copy content into the space provided
  shown below. After you have pasted the text, click the u201CRequest certificateu201D
  button to submit your request.
  13. Once you click on the u201CRequest Certificateu201D a new screen will be displaying
  your certificate issued by SAP CA (Certification Authority).
  14. Using a notepad to copy the content (From u2013Beingu2026 to -END) and save it
  as u201Csrcertu201D into /saprouter/ntintel/srcert.
  Note :
  - Please rename srcert.txt into srcert without any extension.
  15. You then need to import this certificate into SAProuter using the following
  command.
  Please run on /saprouter/ntintel directory.
  sapgenpse import_own_cert -c srcert -p local.pse
  Please enter PIN : (same as point 9)
  16. Execute the following command in the /saprouter/ntintel directory.
  sapgenpse seclogin -p local.pse
  Please enter PIN : (same as point 9)
  This will create a file "cred_v2" in the same directory.
  17. Please check whether the certificate has been imported correctly.
  Execute this command in /saprouter/ntintel directory.
  sapgenpse get_my_name -v -n Issuer
  The result should be "CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE".
  18. When the above results are not obtained , please delete local.pse and
  cred_v2 and work again from steps 9. Please seek the assistance from your
  local SAP helpdesk or create an OSS message via component XX-SER-NET-
  OSS, if you are not able to obtain the above-mentioned result after you have
  repeated the above steps.
  Route permission table (saprouttab)
  19. The corresponding file ./saprouttab should contain at least the following
  entries.
  Example : by SNC connection, when connecting to sapserv2
  (194.39.131.34) the following entries need to be indicated by saprouttab.,
  SNC-connection to SAP
  KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34
  SNC-connection from SAP to local R/3-System for Support
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance>
  SNC-connection from SAP to local R/3-System for pcANYWHERE, if it is needed
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 5631
  SNC-connection from SAP to local R/3-System for NetMeeting, if it is needed
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503
  SNC-connection from SAP to local R/3-System for saptelnet, if it is needed
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
  Access from the local Network to SAPNet - R/3 Frontend (OSS)
  P <IP-addess of a local PC> 194.39.131.34 3299
  deny all other connections
  D * * *
  Start the SAProuter with the following command.
  Saprouter -r -S <port> -K
  "p: <Your Distingiushed Name>"
  -K tells the saprouter to start with loading the SNC library.
  Example: saprouter -r -S 3299 u2013K "p:CN=JPL50020586, OU=0000036946,
  OU=SAProuter, O=SAP, C=DE"
  Additional Note
  -You may refer to SAP note: 30289 in the SAP service marketplace for detail
  information with regards to SAProuter
  http://www.service.sap.com/note

• Reg : SAP Router Configuration

  Dear Friends,
  How to configure the SAP router? If anybody have configuration details pls help me.
  Our System is ECC 6.0
  OS - 2003 Server
  DB : MS SQL Server
  Then How to Communicate to SAP.
  Regards
  kesav

  Hi,
  > How to configure the SAP router? If anybody have configuration details pls help me.
  1) Download the latest SAP Router files (saprouter.car, nipping, cryptographic library) from SAP Service Market Place --- Patches.
  2)Create a user called sncadm as a member of Administrator. Log off administrator and login as sncadm. Create the following environment variables for this user.
  SECUDIR = c:\usr\sap\saprouter
  SNC_LIB = c:\usr\sap\saprouter\sapcrypto.dll
  3) Create folder c:\usr\sap\saprouter and copy the downloaded files into that folder. Extract all the compressed files. Now typically this folder will have the following files.
  Sapcrypto.dll
  Sapgenpse.exe
  Ticket
  Ntscmgr.exe
  Nipping.exe
  Saprouter.exe
  (other required files can be copied from kernel directory of other SAP Systems)
  4) Go to http://service.sap.com/saprouter-sncadd. Click on u201CApply Nowu201D
  You will get information like this (on first screen):
  Click on Continue. Now we have to create the request for SAProuter which is to be given as input in the next screen u201CRequest Certificate for SAProuteru201D.
  5)Open a command prompt and execute the following commands.
  Cd \usr\sap\saprouter
  sapgenpse get_pse u2013r sap-router.p10 u2013p sap-router.pse u201CCN=SAP-ROUTER, OU=0000733879, OU=SAProuter, O=SAP, C=DEu201D
  You will be asked for a PIN: input any (but do not forget!!!!!) No Password is given in this installation.
  This command will create the file sap-router.p10 and sap-router.pse.
  Open the file sap-router.p10 with notepad, copy & paste this certificate request to the text area of the u201CRequest Certificate for SAProuteru201D page.
  Click on Request Certificate
  In response you will get certificate signed by CA.
  Copy & paste the text into a text file including the header & footer (saprt.txt is the file created here)
  6)Now install the certificate as follows
  Sapgenpse import_own_cert u2013c saprt.txt u2013p sap-router.pse
  7)Now create credentials for saprouter
  Sapgenpse seclogin u2013p sap-router.pse u2013O sncadm
  This will create a file called cred_v2 in c:\usr\sap\saprouter
  8)Now Check whether certificate has been imported correctly or not
  Sapgenpse get_my_name u2013v u2013n Issuer
  The name of issuer should be: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE. If the name is not correct, then delete the file cred_v2 and start all over again from Step u2013 4.
  9)Now create a file u201Csaprouttabu201D in the folder c:\usr\sap\saprouter and make the following entries in that.
  SNC connection to SAP
  KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
  Access from your local Network to SAPNet - R/3 Frontend
  P 172.16.. 194.39.131.34 3299
  P 172.17.. 194.39.131.34 3299
  P 172.18.. 194.39.131.34 3299
  P 172.19.. 194.39.131.34 3299
  D * * *
  Save the file and close
  10) Make the following changes in the hosts file and services file (under windows\system32\drivers\etc folder ) SAP-ROUTER system
  hosts file:
  172.18.9.8 SAP-ROUTER
  194.39.131.34 sapserv2
  services file:
  sapdp99 3299/tcp
  sapgw99 3399/tcp
  sapmsO01 3601/tcp
  11) Now check the entry in the services files for all servers and all front-end PCs under %winnt%/system32/drivers/etc/ there should have:
  sapdp99 3299/tcp
  sapmsO01 3601/tcp
  12) Now start the sap router using the command (from the saprouter directory)
  Saprouter u2013r u2013V 3 u2013K u201Cp:CN=SAP-ROUTER,OU=0000733879,OU=SAProuter,O=SAP,C=DEu201D
  13)Connection to SAP can tested using the command
  lgtst u2013H /H/172.18.9.8//H/194.39.131.34/S/sapdp99/H/oss001/S/sapmsO01 u2013S x u2013W 30000
  Note : The file lgtst.exe can be copied from other SAP systemu2019s kernel directory.
  The output should look like these:
  Using trcfile: dev_lg
  List of reachable application servers
  u2026.
  u2026..
  u2026u2026.
  u2026u2026u2026.
  If the lgtst command does not display the list of reachable application servers, then the connection to SAP could not be established. Troubleshoot the error and rectify.
  For more info see the following sapnote
  note 30289 : SAProuter documentation
  note 525751: Installation of the SNC-SAPRouter as NT Service
  note 46902 : Security aspects in remote access
  note 48243 : Integrating SAProuter into a firewall
  note 33135 : Guidelines for OSS1 (Version for SAPSERV3).
  note 35010 : Service connections: Composite note (overview)

• SAP router service is not running.

  Hi Everyone.,
  Today I have tried to renew the certificate in windows system every thing went well till the end but after importing newly generated certificate sap router service failed to start. Below is the error message when i try to start the service.
  D:\usr\sap\SOL\SYS\exe\uc\NTI386>saprouter -r -S 3299 -K "p:CN=SOLMGR, OU=000086
  1986, OU=SAPRouter, O=SAP, C=DE"
  trcfile  dev_rout
  no logging active
  DEV_rout
  trc file: "dev_rout", trc level: 1, release: "700"
  Sat Dec 04 09:30:26 2010
  SAP Network Interface Router, Version 38.0
  command line arg 0:     saprouter
  command line arg 1:     -r
  command line arg 2:     -S
  command line arg 3:     3299
  command line arg 4:     -K
  command line arg 5:     p:CN=SOLMGR, OU=0000861986, OU=SAPRouter, O=SAP, C=DE
  SncInit(): Initializing Secure Network Communication (SNC)
        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/32/32)
  SncInit(): Trying environment variable SNC_LIB as a
        gssapi library name: "D:\usr\sap\SOL\SYS\exe\uc\NTI386\sapcrypto.dll".
    File "D:\usr\sap\SOL\SYS\exe\uc\NTI386\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
    The internal Adapter for the loaded GSS-API mechanism identifies as:
    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
  main: pid = 7560, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
  reading routtab: './saprouttab'
  When i tried to start the service manually then service is starting fine but when i tried to check OSS-001 connection in SM59 it says routtab permission failed rc-94.
  Please suggest if any one ever faced this issue.
  REgards,
  Vinod

  Hi Sunil,
  I have cross checked the orutab file. Please see below routab file and sugegst me incase if you find mistakes.
  SNC connection to and from SAP
  KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
  SNC-connection from SAP to your system SOL with SAPGUI
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 88.85.224.92 3200
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" solmgr 3200
  SNC-connection from SAP to your system SOL with WTS
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 88.85.224.92 3389
  SNC-connection from SAP to your system ECC DEV with SAPGUI
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.128.2.239 3200
  SNC-connection from SAP to local R/3-System for PCANYwhere
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 5631
  SNC-connection from SAP to local R/3-System for saptelnet
  KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23
  Access from your local Network to SAP R/3 Frontend (OSS)
  P * 194.39.131.34 3299
  deny all other connections
  D * * *
  Also today i recieved a mail saying that client has chnaged the IP address of the saolution manager recently. Do they need to re register the IP with sap again. But i am able to telnet sapserv2 server IP using 3299 port and also able to ping the server. Please suggest.
  Regards,
  Vinod

• Public-real IP changed for SAP Router

  Hello,
  The real IP for SAP Router system has changed, therefore I would need to re configure the same.
  I have gone through existing threads, but not throwing much light related to my query.
  I tried to reconfigure, but when generating the certificate I get below error. The /usr folder is the old folder of the router and am trying to reconfigure in folder is /newrouter. The OS is windows server 2008.
  D:\NewRouter\ntintel>sapgenpse get_pse -v -r certreq -p local.pse "CN=<hostname>,
  OU=0000872340, OU=SAProuter, O=SAP, C=D"
  Got absolute PSE path "D:/usr\local.pse".
  get_pse ERROR: PSE already exists "D:/usr\local.pse"
  I have already changed the environment variables for SECU_DIR and LIB one.
  My questions are :
  1) Is there any way to just update the ip address on the market place by just opening the ticket at XX-SER-NET OR do I need to perform the whole procedure after uninstalling previous configuration.
  2) What is the method for uninstallation of SAP Router?
  Thanks.
  Sat

  Hi,
  Thanks for your reply.
  Actually I changed the env variables and after restarting the sapgenpse command worked.
  But I did not proceed further.
  I have informed SAP to update the new ip address.
  My query is what action should I perform at my end instead of reconfiguring the router again.
  Thanks.
  Sat

• Saprouter Certificate Expired

  It appears that our the certificate that our saprouter.exe uses has expired.  I am not able to create connections to our saprouter from the Service Marketplace.  I get the following in the dev_rout file in E:\usr\sap\saprouter
  Mon Dec 10 15:18:39 2007
  ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
  [sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3340]
        GSS-API(maj): The referenced credentials have expired
        GSS-API(min): Validity date of certificate is invalid
      Unable to establish the security context
      target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
  ERROR => ErrISetSys: error info too large [err.c        931]
  Mon Dec 10 15:18:39 2007
  LOCATION    SAProuter 38.0 on 'sapslm01'
  ERROR       GSS-API(maj): The referenced credentials have expired
  GSS-API(min): Validity date of certificate is invalid
  target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
  TIME        Mon Dec 10 15:18:39 2007
  RELEASE     700
  COMPONENT   SNC (Secure Network Communication)
  VERSION     5
  RC          -4
  MODULE      sncxxall.c
  LINE        3340
  DETAIL      SncPEstablishContext
  SYSTEM CALL gss_init_sec_context
  ERRNO      
  ERRNO TEXT 
  DESCR MSG NO
  DESCR VARGS GSS-API(maj): The referenced credentials have expired;;;;
  ;;;;GSS-API(min): Validity date of certificate is invalid;;;;
  ;;;;target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
  DETAIL MSG N
  DETAIL VARGS
  COUNTER     72
  <<- ERROR: SncProcessOutput()==SNCERR_GSSAPI
  ERROR => NiSncIInitHdlSecurity: SncProcessOutput failed (rc=-4;00000000002A7050) [nisnc.c      1098]
  ERROR => NiSnc2Connect C1/-1, 194.39.131.34 (rc=-17) [nirout.cpp   2811]
  ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 'sapslm01.OII.DOM' failed (rc=-17) [nirout.cpp   2238]
  How do I renew this certificate?  I did not setup the saprouter and the person who did is no longer here.  Please advise.

  Hello Drew,
  For configuring the SAP router follow the steps below.
  Step 1:
  Download the SAP Router and SAP Cryptographic software from market place and place this under the folder usr\sap\saprouter. This folder is called as saprouter’s home folder. Extract these files with sapcar.
  Step 2:
  Apply for the certificate with the distinguished name of your company. This distinguished name can be found in service market place under the link
  http://service.sap.com/saprouter-sncadd and the certificate for saprouter should be applied in the same link.
  Step 3:
  With this distinguished name generate the PSE file with sapgenpse program located in saprouter folder.
  Step 4:
  After generating certreq file in saprouter folder edit the file and copy the content of the file under the link http://service.sap.com/saprouter-sncadd
  Step 5:
  After copying click “Request Certificate” in right most corner which generates the required certificate.Copy the content of the generated file and paste it into a text file in saprouter folder. Rename the file into “srcert” and install the certificate using sapgenpse command.The PIN which we have given in the previous step should be correctly to install the certificate.
  Step 6:
  After installing the certificate successfully credentials were to be added to the certificate. Only the added credentials will be allowed to start the saprouter program.
  Step 7:
  After adding credentials we can check the installation of certificate with sapgenpse command.
  Step 8:
  After verifying the certificate the SAPRouter program will be started in port number 3299.
  Note:
  SAP Router table should be correctly defined for accessing the systems through SAP router.
  regards,
  Anandha Krishnan R

• SAP router error on windows server 2008 64bit

  Hi All,
  I am installing sap router on windows 2008 server 64 bit.
  While trying to generate certificate request it showing below error.
  E:\usr\sap\saprouter\nt-x86_64>sapgenpse get_pse -v -r certreq -p local.pse "CN=
  solman, OU=000XXXXXXX, OU=SAProuter, O=SAP, C=DE"
  Got absolute PSE path "C:\Users\soladm\sec\local.pse".
  Please enter PIN:
  Please reenter PIN:
  Supplied distinguished name: "CN=solman, OU=000XXXXXXX, OU=SAProuter, O=SAP, C=
  DE"
  Creating PSE with format v2 (default)
  get_pse: Can't create PSE.
  ERROR in af_create: (4352/0x1100) could not flush : "SW-PSE"
  ERROR in create_PSE: (4352/0x1100) could not flush : "SW-PSE"
  ERROR in modified_PSEFile: (4352/0x1100) could not flush : "SW-PSE"
  ERROR in flush_PSEFile: (1283/0x0503) Can't write file : "C:\Users\soladm\sec\lo
  cal.pse"
  ERROR in aux_OctetString2file: (1283/0x0503) Can't write file : "C:\Users\soladm
  \sec\local.pse"
  I couldn't find the cryptography software specifically for windows 2008 server 64 bit ? So I downloaded the software for windows server 64 bit platform.
  Do any one have idea on this...
  Please reply..
  Regards
  Vinay

  Hi,
  Yes, there is no specific cryptography software for windows server 2008 and whatever u have chosen is correct.
  Fom the following error message I could see where the issue arises.
  Can't write file : "C:\Users\soladm\sec\local.pse"
  I think you have not set the following ENV variable for the SAPRouter admin user (in your case soladm) and hence the sapgenpse tries to import the certificate in the SOLADM user's document folder.
  Set the following variables for the user SOLADM and then try to import the certificate as mentioned in the [link|http://service.sap.com/saprouter-sncdoc].
  SECUDIR = E:\usr\sap\saprouter
  SNC_LIB = E:\usr\sap\saprouter\nt-x86_64\sapcrypto.dll
  Hope this resolves ur issue.
  Regards,
  Varadharajan M

• ISE - What happens when the on-boarded certificate expires?

  I'm trying to design a good BYOD deployment model but have a few questions that need direct answers.  I have down how to go about on-boarding and getting a certificate on a device, the ISE provides great flow for this to happen in many ways.  My questions come from a design perspective before and after the BYOD deployment is completed.
  1. Figuring out a method to validate the device is a Corporate asset or a BYOD asset.
       (I don't want to install a certificate on just any device, or perhaps I do but I need to give permissions to all resources if its a Corporate Device, and more resitrictions if it's BYOD, so how do I figure this out during the provisioning phase?)
       a. Use MDM (May not have one, or if you do we are still waiting on ISE 1.2 for that integration)
       b. Build a Group for provisioning admins, if user PEAP-MSCHAPv2 account is from this group install a certificate. (issue here is that the end user looses administration of the device in the my device portal as the device is now registered to the provisioning admin)
       c. Pre-populate MAC into ISE as all Corporate devices should be provisioned by I.T. before they go to the end user (I think this is good but can see push back from customers as they don't want to add more time to the process)
       d. Certs on any IOS or Android device, provide access based on user group and do not worry if device is Company asset or not (I believe that this is the easiest solution and seems to be what I find in the guides)
       e. Other options I have not thought about, would love input from the crowd
  2. What happens to the device once the Certificate expires?
       (I don't know the answer to this, my thought would be the user or device will fail during the authentication policy and this creates a mess)
       a. Tell the user to delete the profile so they can start all over again (creates help desk calls and frustrated users)
       b. Use MDM for Cert management (may not have one)
       c. Perhaps the client uses SCEP to renew based on the cert template renew policy and there are no issues (this is me wishing)
  Would appreciate some feed back and would like to know if anyone has run into these issues.                   

  Neno,
  Sorry but I don't have any other info on using a public CA, Cisco says to use internal CA's for PKI.  I think the best practice in 1.2 comes out will be to use one interface for Web Management and a different interface for Radius, profiling, posture, and on boarding.  This way you can use your private CA for EAP and a public CA for web traffic.  Have you tried a public CA bound to management and a private CA for EAP yet?
  I did do a session on EAP-TEAP, they explained how it will work and also discussed EAP-FASTv2.  EAP-FASTv2 is available now but you must use anyconnect as your supplicant.  Microsoft and all other vendors will have EAP-TEAP native once it is fully released and comissioned as it will be the new gold standard for EAP.  It will support TLS, MD5, and CHAPv2.  If you are interested I have the PDF of the presentation I attended that shows the flow of how EAP-TEAP will work.  This is much better than wasMachineAuthenticated and machine auth caching, which has many down falls.
  I currently do machine and user auth I just don't require them.  If Machine auth then allow machine on vlan-x with access to AD, DNS, and blah blah.  Then a seperate rule to say user auth gets more access, although I require EAP-TLS for both and if you think about it you are accomplishing the same thing if your PKI is setup correctly.  Make it so users and machines can only auto enroll, that way you know the only way they got their cert was from GPO policy.  I won't go into anymore detail, but there is lots you can do.