SAPRouter to SAPRouter SNC Setting

Dear Experts Teams.
It is currently established the SNC connection of their SAPRouter server and SAP AG.
I want to connect the SAPRouter to external network SAPRouter for SNC.
However, I know that there are certificates to SNC connections, but in SAPRouter server,
I don't know the procedure of issuance of the order to configure the SNC.
Tell me the procedure of SAPRouter to external network SAPRouter SNC connection.
In addition, this configuration or would not have been supported by SAP?
Regards.
Jun

Error is displayed when you start -K option SAPRouter.
By the way, SAPRouter have the following settings.
■SAPRouter Host1
※Possible SNC connection with SAP AG SAProuter
　　SNC Name：CN=SNC201401-01 OU=SAProuter, O=SAP, C=DE
　 SAProuttab:
　　 KT "p:CN=snc201306-09" * 3299
　　　P * * *
　　SAPRouter Command：
saprouter -r -S 3299 -T dev_rout -K "p:CN=SNC201401-01, OU=0000657984, OU=SAProuter, O=SAP, C=DE"
■SAPRouter Host2
　　SNC Name：CN=SNC201401-02
　 SAProuttab:
　　 KT "CN=SNC201401-01 OU=SAProuter, O=SAP, C=DE" <Host1 Gloval IP> 3299
　　　P * * *
　　SAPRouter Command：
saprouter -r -K p:CN=SNC201401-02
SAPRouter of Host1 to start normally, but, SAPRouter of Host2 can not boot properly.
And has implemented procedures to reference the URL.
http://wiki.scn.sap.com/wiki/display/Basis/How+to+setup+SNC+connection+between+SAProuters
Jun

Similar Messages

Saprouter to Saprouter using SNC

Hi.. we already have a saprouter (routerA) using SNC connected to SAP for the OSS connection.
Now we were thinking to create anothe snc connection from routerA to another saprouter (routerB).
Which distinguish name that we should use and how is the process ? found documents on setting up SNC to SAP, and we can get our distinguish name from SAP.
But for connection to another SAP i could not find any.
Suggestion and reply really appreciated.. thank you

Hi,
First of all,why do you require another router?
Call up the nearest SAP center for more details.
Rgs
vikas

SNC with SAPRouter configuration for Third party company

Hi expers,
Need your advise for my below scenario.
We are running SAP on IBM i. My question is about outside world connectivity with encryption mechanism to SAP AS.
As of now , we are not using SNC either for internal / external network connectivity with SAP apps server. But we are going to allow third party company to connect for one of the payment processing takes place. Since the third party company not accepting VPN connectivity, we are planning to implement Separate SAPRouter configured with SNC, (encryption option), and open the firewall port for them. How much secured it is ? we are in the process of installaing and configuring windows server for SNC & SAPRouter installation. What are all the required configuration in SAP Application server level & new SNC server, for this ? How exactly SAPGui ( from third party company) to SAP Apps Server will go through the traffic ? Need experts advise on this ?
Basically I want to make sure, once it is configured, trafic will go through encrypted way outside of our network. Thanks in advance for all your valuable reply !

Hi mgrant,
The information at the bottem of the article in in Keith_Beddoe's personal website may help. Link: Using your own router for Infinity
The MTU Size needs to be set as 1492
Cheers
jac_95 | BT.com Help Site | BT Service Status
Someone Solved Your Question?
Please let other members know by clicking on ’Mark as Accepted Solution’
Try a Search
See if someone in the community had the same problem and how they got it resolved.

SAPRouter problem

Hello,
I'm trying to start my SapRouter with the command :
saprouter -r -R c:\saprouter\saprouttab
But it sounds that doesn't work.
Here is the error message :
trcfile dev_rout
no logging active
ERROR => invalid lines in c:\saprouter\saprouttab, see dev_rout [nixxrout.c 2973]
This server is on a DMZ and SAPServers are on internal network but everything on the firewall was checked out.
Hereunder the content of the saprouttab file :
P LUEXT007 sapserv3 3299
P sapserv3 LUEXT007 3200
P LUEXT007 sapserv3 3399
P sapserv3 LUEXT007 3300
P ludbs010 sapserv3 3299
P ludbs019 sapserv3 3299
P ludbs020 sapserv3 3299
P ludbs013 sapserv3 3299
P ludbs026 sapserv3 3299
P ludbs027 sapserv3 3299
P ludbs028 sapserv3 3299
P ludbs031 sapserv3 3299
P ludbs032 sapserv3 3299
P ludbstest9i sapserv3 3299
P 172.30.184.66 sapserv3 3299
P ludbs010 sapserv3 3399
P ludbs019 sapserv3 3399
P ludbs020 sapserv3 3399
P ludbs013 sapserv3 3399
P ludbs026 sapserv3 3399
P ludbs027 sapserv3 3399
P ludbs028 sapserv3 3399
P ludbs031 sapserv3 3399
P ludbs032 sapserv3 3399
P ludbstest9i sapserv3 3399
P ludbs010 sapserv3 3300
P ludbs019 sapserv3 3300
P ludbs020 sapserv3 3300
P ludbs013 sapserv3 3300
P ludbs026 sapserv3 3300
P ludbs027 sapserv3 3300
P ludbs028 sapserv3 3300
P ludbs031 sapserv3 3300
P ludbs032 sapserv3 3300
P ludbstest9i sapserv3 3300
P sapserv3 LUEXT007 3299
P sapserv3 ludbs010 3200
P sapserv3 ludbs019 3200
P sapserv3 ludbs020 3200
P sapserv3 ludbs013 3200
P sapserv3 ludbs026 3200
P sapserv3 ludbs027 3200
P sapserv3 ludbs028 3200
P sapserv3 ludbs031 3200
P sapserv3 ludbs032 3200
P sapserv3 ludbstest9i 3200
P sapserv3 ludbs010 3299
P sapserv3 ludbs019 3299
P sapserv3 ludbs020 3299
P sapserv3 ludbs013 3299
P sapserv3 ludbs026 3299
P sapserv3 ludbs027 3299
P sapserv3 ludbs028 3299
P sapserv3 ludbs031 3299
P sapserv3 ludbs032 3299
P sapserv3 ludbstest9i 3299
P sapserv3 ludbs010 3300
P sapserv3 ludbs019 3300
P sapserv3 ludbs020 3300
P sapserv3 ludbs013 3300
P sapserv3 ludbs026 3300
P sapserv3 ludbs027 3300
P sapserv3 ludbs028 3300
P sapserv3 ludbs031 3300
P sapserv3 ludbs032 3300
P sapserv3 ludbstest9i 3300
p sapserv3 ludbs010 3399
p sapserv3 ludbs019 3399
P sapserv3 ludbs020 3399
P sapserv3 ludbs013 3399
P sapserv3 ludbs026 3399
P sapserv3 ludbs027 3399
P sapserv3 ludbs028 3399
P sapserv3 ludbs031 3399
P sapserv3 ludbs032 3399
P sapserv3 ludbstest9i 3399
p * 147.204.2.232 * *
p * 194.117.106.130 * *
p * 147.204.2.5 * *
Thank you in advance,
Alex

Hi Alexandre,
 If you want to use the SNC then definitely you need to have the
 secure certificate. First you have to generate it using sapgenpse
 it will create a file called cert in the folder saprouter\ntintel
 prior configure the path of SNC_LIB and Also SECUDIR
 SECUDIR-->usr/sap/saprouter
 SNC_LIB--->usr/sap/saprouter/ntintel/sapcrypto.dll
 set this variables. Then go to service market place and go to TCS
 Request for the certificate then copy that certificate and paste in a txt
 file with the name srcert.then import that certificate into saprouter.
 Maintain routetab and then start the router.
Reward points if helpful.
Regards,
Vamshi.

Saprouter starting problem

Hi All,
I configured saprouter in solman server(windows) iam unable start saprouter . I gave the follwoing command its not giving any output.
C:\saprouter\ntintel>saprouter -r -G routlog -S 3299 -K "p:CN=solman, OU=SAProut
er, O=SAP, C=DE"
trcfile dev_rout
logfile routlog
Regards
Siva

Hi All,
I ran this command. saprouter -r -V 3 -K "p:<Distinguished name>"
I get the following message in a 'trace file'
trc file: "dev_rout", trc level: 3, release: "700"
Thu Oct 23 09:22:28 2008
NiHsLInit: alloc host/serv bufs (200/200 entries)
NiIInit: allocated nitab (811 at 02CA02C8)
NiIInit: host/serv bufs already initialized
NiPGetNodeAddrList: got 1 interface(s) from operating system
 [0] IP-Address: 10.14.147.32
SAP Network Interface Router, Version 38.10
Compiled May 22 2007 00:31:59
command line arg 0: saprouter
command line arg 1: -r
command line arg 2: -V
command line arg 3: 3
command line arg 4: -K
command line arg 5: p:CN=solman, OU=0000731019, OU=SAProuter, O=SAP, C=DE
service : 3299
routtab : ./saprouttab
plug-in : no plug-in
-argument: 'no argument'
clients : 800
max servers : 1
quelength : 1
maxheap : 20000000
timeoutL : 5000
tracefile : dev_rout
logfile : no logging active
portrange : no portrange active
local address : default address
->> SncInit(prg=0, ini_fname=(NULL), &sec_avail=0157F6BF)
SncInit(): Initializing Secure Network Communication (SNC)
 PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/32/32)
SncInit(): Trying environment variable SNC_LIB as a
 gssapi library name: "C:\saprouter\ntintel\sapcrypto.dll ".
load shared library (C:\saprouter\ntintel\sapcrypto.dll ), hdl 0
 using "C:\saprouter\ntintel\sapcrypto.dll"
DlLoadFunc: GetProcAddress(sapsnc_init_adapter) Error 127
 Error 127 = "The specified procedure could not be found."
load shared func (gss_acquire_cred) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_release_cred) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_init_sec_context) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_accept_sec_context) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_process_context_token) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_delete_sec_context) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_context_time) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_get_mic) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_verify_mic) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_wrap) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_unwrap) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_display_status) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_indicate_mechs) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_compare_name) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_display_name) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_import_name) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_release_name) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_release_buffer) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_release_oid_set) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_inquire_cred) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_add_cred) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_inquire_cred_by_mech) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_inquire_context) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_wrap_size_limit) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_export_sec_context) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_import_sec_context) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_create_empty_oid_set) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_add_oid_set_member) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_test_oid_set_member) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_inquire_names_for_mech) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_inquire_mechs_for_name) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_canonicalize_name) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_export_name) from C:\saprouter\ntintel\sapcrypto.dll
load shared func (gss_duplicate_name) from C:\saprouter\ntintel\sapcrypto.dll
File "C:\saprouter\ntintel\sapcrypto.dll " dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
<<- SncPDLInit()==SAP_O_K
<<- SncInit()==SAP_O_K
 sec_avail = "true"
->> SncSetMyName(snc_hdl=00000000, myname="p:CN=solman, OU=0000731019, OU=SAProuter, O=SAP, C=DE")
<<- SncSetMyName()==SAP_O_K
 in: myname = "p:CN=solman, OU=0000731019, OU=SAProuter, O=SAP, C=DE"
NiBufISetParam: set max heap to 20000000
NiSetParamEx: switch NIP_CONNLOCAL off (not supported by platform)
NiIMyHostName: hostname = 'solman'
main: pid = 1032, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
NiICreateHandle: hdl 0 state NI_INITIAL
NiIInitSocket: set default settings for new hdl 0 / sock 876 (I4; ST)
NiITraceByteOrder: CPU byte order: little endian, reverse network, low val .. high val
NiIBind: hdl 0 bound to 3299 (IP only)
NiIBlockMode: set blockmode for hdl 0 FALSE
NiIListen: state of hdl 0 NI_LISTEN
NiIListen: listen for client requests on hdl 0
NiSelICreateSet: new set0
SiSelNInit: allocate 134560 bytes for FI (811)
NiSelIInit: size of set0 is 811
SiSelNSet: sock 876 added to set pos 0
NiSelIAddMsg: added hdl 0 to set0
SiSelNSet: set events of sock 876 to: rp-
reading routtab: './saprouttab'
NiStrToAddrMask: '194.117.106.129' -> 194.117.106.129 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
NiStrToAddrMask: '10.14.147.32' -> 10.14.147.32 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
NiIGetServNo: servicename '3200' = port 0C.80/3200
NiStrToAddrMask: '194.117.106.129' -> 194.117.106.129 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
NiIGetServNo: servicename '3299' = port 0C.E3/3299
NiStrToAddrMask: '10.14.147.32' -> 10.14.147.32 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
NiStrToAddrMask: '194.117.106.129' -> 194.117.106.129 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
NiIGetServNo: servicename '3299' = port 0C.E3/3299
contents of routtab ('./saprouttab', 4 entries):
P, 194.117.106.129 ffff:ffff:ffff: 10.14.147.32 ffff:ffff:ffff: 3200 *
P, 0:0:0:0:0:0:0:0 0:0:0:0:0:0:0:0 194.117.106.129 ffff:ffff:ffff: 3299 *
P, 10.14.147.32 ffff:ffff:ffff: 194.117.106.129 ffff:ffff:ffff: 3299 *
D, 0:0:0:0:0:0:0:0 0:0:0:0:0:0:0:0 0:0:0:0:0:0:0:0 0:0:0:0:0:0:0:0 * *
NI-ROUTER LOOP ********
SiSelNSelect: start select (timeout=-1)
Regards
Siva

Not able to start Saprouter from services.msc

Hi,
We have installed a saprouter into Windows 2003 Server. It is running fine. When we start the system then we need to manually start the saprouter by a batch file, so i am trying to register a service so that we need not to start the router manually.
i have read the note 525751 and install a new service by this command
ntscmgr install saprouter -b c:\saprouter\saprouter.exe -p "service -r -W 60000 -R c:\saprouter\saprouttab -K "p:CN=SAPROUTER, OU=0000835750, OU=SAProuter, O=SAP, C=DE""
Service successfully created. I have followed the note and done everything as per the note, but when i try to start the service i am getting this error couldnot start saprouter service on local computer, error 1067 process terminated unexpectedly
When i checked the event log i found this message.
RROR       Unable to load the GSS-API DLL
             named "sncgss32.dll"
TIME        Tue Oct 06 16:30:17 2009
RELEASE     640
COMPONENT   NI (network interface)
VERSION     5
RC          -17
MODULE      sncxxdl.c
LINE        342
DETAIL      SncPDLInit
SYSTEM CALL LoadLibrary
COUNTER     1
I have checked some thread on related to issue but not able to solve the problem. Could you please assist what's wrong.
Regards,
Subhash

>
Tomas Gustafsson wrote:
> I'm sorry to put a silly question here, but this message is a little bit hard to get the grip on:
> Do you use the same user for both the command prompt and the service?
Yes I understand it's frustrating now., and Yes i am using the same user srvsolmgr to run from Services.msc and from command prompt also.
> Also
> Can you please post the command which runs successfulll (from the command prompt)
> and the complete command for the saprouter-service.
C:\>cd saprouter
C:\saprouter>saprouter -r -G log.txt -R C:\saprouter\saprouttab -S 3299 -K "p:CN
=SAPROUTER, OU=0000835750, OU=SAProuter, O=SAP, C=DE"
trcfile dev_rout
logfile log.txt
Connection test OK
u Oct 08 16:03:56 2009
SAP Network Interface Router, Version 37.11
command line arg 0:     saprouter
command line arg 1:     -r
command line arg 2:     -G
command line arg 3:     log.txt
command line arg 4:     -R
command line arg 5:     C:\saprouter\saprouttab
command line arg 6:     -S
command line arg 7:     3299
command line arg 8:     -K
command line arg 9:     p:CN=SAPROUTER, OU=0000835750, OU=SAProuter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
      PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
SncInit(): Trying environment variable SNC_LIB as a
      gssapi library name: "C:\saprouter\sapcrypto.dll".
File "C:\saprouter\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
main(): pid = 2776, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a SAProuter)
reading routtab: C:\saprouter\saprouttab
Regards,
Subhash

Saprouter scn problem

Hello!
I am trying to make s sap router tunnel with this instruction:
How to setup SNC connection between SAProuters - Basis Corner - SCN Wiki
When I run niping I get an error:
I run sapgenpse get_pse -v -noreq -p local.pse "CN=saprouter" where saprouter is the name of the local user. Maybe I am wrong ?
What should I write in CN ? Maybe host\username ? In other instructions I see that peoples make the certificate like:
CN=sgw, OU=IT, O=FTVL, C=COM, but I don't know how to use it for the local user on host, like CN=username, O=computername, C=domainname. C=local
Thanks!

Sapgenpse get_my_name -v -n Issuer:
first host:
Opening PSE "C:\saprouter\local.pse"...
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "saprouter"
with PSE file "C:\saprouter\local.pse"
Issuer : CN=<myhost>
second host:
Opening PSE "C:\saprouter\local.pse"...
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "saprouter"
with PSE file "C:\saprouter\local.pse"
Issuer : CN=<my_second_host>

Using saprouter in solution manager 4.0 environment with SMD

I am currently using Solution manager 3.2 (on SAP basis 6.20 technology). We have not used any Solution Manager functionality that necessitated using the internal ITS, thus all access to solution manager SAP has been through sapgui or RFC. Both these protocols can be routed through saprouter and we make use of this fact, having placed non-natting firewalls between both sapgui users ans SAP; and some ccmagents and SAP.
Now we want to move on to solution manager 4.0 with the JAVA stack and also run SMD. We need SMD because we have also begun using SAP Netweaver 04 Enterprise Portal (Java only SAPs) which we wish to monitor with SAP solution monitor. The portals are all on an internet facing eithernet segment outside the non-natting firewall protecting our ABAP SAPs (including Solution Monitor host).
Is it possible to route SDM agent connections to SDM through saprouter? If so, are there any examples?
What about sapwebdispatcher? Can it also be routed through saprouter? examples?
What about SLD? same questions...
What about Mercury Loadrunner?

No! No! I am not interested in using a saprouter between OSS and my http connection that is effectively http://myhost:5xx00/smd. I am wondering about the SMD agent connection to SMD server (and vise versa). The hosts I want to monitor cannot ping the solution monitor diagnostics machine, but ccmsping via saprouter is possible. Can the SMD agent talk to the SMD server via saprouter? Examples? Can the SMD server talk to the agent via saprouter (perhaps different saprouter)?
SMD agent ---> firewall1 --> intranet --> firewall2/saprouter --> SMD server
SMD server --> firewall2/saprouter --> firewall1/saprouter --> SMD agent

Error in saprouter

Hi guys,
I am getting an error in my sap router as my network team made some changes in the VPN connections
SAP Network Interface Router, Version 34, August 30 1999
command line arg 0:     saprouter
command line arg 1:     -r
ERROR => fopen ./saprouttab (2: No such file or directory) [nixxrout.c   2666]
***LOG Q0I=> NiRRouttab: fopen (2: No such file or directory) [nixxrout.c 2667]
cannot open ./saprouttab: all routing disabled!!!
Could not open permission table
Please reply with ur suggestions.
Thank you,
Irshad Mohammed

When i m trying to start saprouter from saprouter utility im getting this error
External Call
0
31 Could not open permission table
0
17 trcfile dev_rout
17 no logging active
51 routtab cannot open ./saprouttab: EXIT PROGRAM !!!
0
80          (running without saproutab is no longer supported for security reasons)
46 External program terminated with exit code 255

Saprouter connection refused

Hello Guru,
Well after configuring the SAP Router and doing everything possible to let it run.
When, I finally tested it with the SAPOSS-connection it didn't work at all.
In fact I'm getting an error msg fron sap serv2a with my external ip address, where the connection has been refused.
ERROR : " sapserv2a router permission denied (XX.XX.XX.XX to oss001,sapmsOSS) "
Now, I wonder why it's not working.
Another problem that the OU name of my Distinguish name of my saprouter is different from my super user logon in sap marketplace, why is it different, it should be actually the same, unfortunatelly I can't change it because only SAP could (because of the certificat).
A third and last problem is also the fact that my sap router name is actually named e.g. ROUTI but the Distinguish name contain the name SAProuter, I only added a line containing the saprouter name i.e. SAProuter with it's ip adresse on windows-file hosts (C:\WINDOWS\system32\drivers\etc)
Please, let me now, if you have any idea.
Best Regards,
Kais

Use these commands if you encounter problems connecting to OSS or sapserv4.
Stop saprouter
1. logon to system as <sid>adm
2. ps -ef|grep saprouter - should show process as saprouter -r
3. saprouter -s - this will STOP saprouter service
4. ps -ef|grep saprouter - should not show saprouter process
Start saprouter
1. logon to system as <sid>adm
2. ps -ef|grep saprouter - should not show saprouter process, cd /usr/sap/saprouter
3. nohup saprouter -r & or nohup saprouter -r -G /usr/sap/saprouter/saprout.log (Saprouter start with Log / command has been incluede in the /etc/init tab to start with the OS / server) (wait a few seconds then press <enter> to return to prompt...this will start saprouter service in the background)
4. ps -ef|grep saprouter - should show process as saprouter -r
5. Logon to to OSS to test (should work from tcode OSS1 and from OSS entry on saplogon screen)

SAProuter Installation on iSystem

Hello,
We are planning to install SAProuter on our iSystem. I refer the SAP Note: 567853 - iSeries: Installing sapcrypto library with SAProuter. But the SAP Note is confusing me. Pease take a look at the following information which I copied from the SAP Note. The SAP note says download th crypto s/w and save it as a save file to move to iSystem. But when we refer SAP Note: 758667 for installing SAPCrypto library on iSystem fo Kernel 700, the instllation proceure is different. The save file concept seems is for 620/640 versions.
And then under the "Restoring the contents on the iSeries system" in the SAP Note: 567853 has a statement
    - RSTOBJ OBJ(ALL) SAVLIB(SAPCRYPTO) DEV(SAVF) SAVF(QGPL/CRYPTO)
                MBROPT(ALL) ALWOBJDIF(ALL) RSTLIB(SAPROUTER)
But we don't have any SAPCRYPTO library exists on the system.
Its very confusing me. Could anybody help me?
SAP Note: 567853
Solution
    o Downloading necessary software components from SAP Service Marketplace
         Please have a look at the following document on the Service Marketplace before
         downloading the sapcrypto library for OS/400:
              - http://service.sap.com/saprouter-sncdoc
               (This is the generic documentation for the installation of the sapcrypto Library,
                 which doesn't include the AS/400 specifics. The links and general information may,
                 however, still be of interest for you.)
             - You can then download the software at => http://service.sap.com/tcs => Download
                Area => SAP Cryptographic Software (see note 758667 for details).
              - The downloaded file is a CAR file which you can unpack with SAPCAR on your PC
                and then upload to the iSeries with binary FTP into the *SAVF QGPL/CRYPTO.
     o Restoring the contents on the iSeries system
              - Logon with QSECOFR
              - CRTLIB LIB(SAPROUTER)
              - RSTOBJ OBJ(ALL) SAVLIB(SAPCRYPTO) DEV(SAVF) SAVF(QGPL/CRYPTO)
                MBROPT(ALL) ALWOBJDIF(ALL) RSTLIB(SAPROUTER)
                If the message CPF3848 "4 security or data format changes occurred" is displayed,
                it can be ignored.
              - GRTOBJAUT OBJ(SAPROUTER/ALL) OBJTYPE(ALL) USER(PUBLIC) AUT(ALL)
              - MKDIR DIR('/secude')
              - MKDIR DIR('/secude/etc')
              - RST DEV('/qsys.lib/saprouter.lib/secude_etc.file') OBJ(('/*') ('/QSYS.LIB' *OMIT)
                ('/QDLS' OMIT)) ALWOBJDIF(ALL)
                If the message CPD377B "Security changes occurred for 4 objects" is displayed, it
                can be ignored.
             - CHGPGP OBJ('/secude/etc') NEWPGP(R3GROUP) DTAAUT(RWX) OBJAUT(ALL)
             - CHGPGP OBJ('/secude/etc/') NEWPGP(R3GROUP) DTAAUT(RWX) OBJAUT
               (*ALL)
Best Regars,
Kris

Kris wrote:
And then under the "Restoring the contents on the iSeries system" in the SAP Note: 567853 has a statement
- RSTOBJ OBJ(ALL) SAVLIB(SAPCRYPTO) DEV(SAVF) SAVF(QGPL/CRYPTO)
MBROPT(ALL) ALWOBJDIF(ALL) RSTLIB(SAPROUTER)
But we don't have any SAPCRYPTO library exists on the system.
Its very confusing me. Could anybody help me?
This statement doesn't require that SAPCRYPTO library exists on your system.
The SAVLIB parameter on the RSTOBJ command indicates the name of the library that was saved on the original system where the savf was created.
The library that it is restoring it to is specified in the RSTLIB Parameter, which is SAPROUTER.
SAPROUTER library needs to exist on your system, but not SAPCRYPTO.
This usage of SAVLIB and RSTLIB is standard AS400 / iSeries / System i functionality.
Good luck
Brian

SNC Configuration

Hi Gurus,
I am working on the Contract Manufacturing Scenario for SNC. The system landscape is ECC-XI-APO-ICH.
When Purchase Order is created idoc is sent out to XI already but having problems with sending XI to APO.
Do you know if there are SNC Configurations to be done in SCM as the receiver of the XML Message.
Thanks a lot for your answers.
Regards,
Armi

Hi Armi,
Hi,
SAProuter/SNC via Internet
u2022 SNC secured SAProuter u2013 SAProuter connections are established between SAP and the customeru2019s SAProuter to provide data confidentiality and integrity services. These SNC connections complement the leased lines in the current SAPNet R/3 Frontend environment. State-of-the-art encryption, authentication, and access control technology will be employed. No additional hardware compared to a leased-line setup is required at either end of the connection. (See diagram below).
u2022 Customers are required to install a SAProuter with an official, static IP address (DHCP Addresses will not work) running SNC inbound and outbound connection to SAP at their end of the connection in a Demilitarized Zone. This SAProuter must be accessible from the Internet. All service connections between SAP and the customer must be made over the respective SAProuters.
u2022 Certificates needed are available on the SAP Service Marketplace.
Requirement:-
Internet connection: recommended
minimum bandwidth = 64 kbps
SAProuter machine
Official IP address (static) for the SAProuter host.
SAProuter installation package
SAP SNC libraries and executables.
These may be downloaded from the SAP Service Marketplace.
A Demilitarized Zone at the customer site with a minimal setup as described in the networking section at: http://service.sap.com/SYSTEMMANAGEMENT Choose: Security > Technical Track
SAP Security Guide.
More information on SNC connections is also available in the SAP Service Marketplace.
Since the host running the SAProuter software is a full computer with operating system, the security at the operating system level must be hardened in order to minimise the risk of the machine being hacked from the Internet. One recommendation will be for example to run a C2 security level compliant operating system. SAP takes no liability if the security of the companyu2019s network is compromised.
Other networking equipment (routers and hubs) needed to form the network at the customeru2019s premises
Comparisions
Property SAProuter / SNC via Internet
Hardware requirements Firewall + SAProuter host in DMZ
Software SAProuter starting from NI version 35
SAPSECULIB can be obtained from the Service Marketplace
Network addresses (besides address of Internet router, firewall, u2026) 1 official static IP address for SAProuter
Configuration issues Careful setup of saprouttab necessary for security. Saprouttab influences security strongly as access is controlled via saprouttab and firewall.
Encryption By software
Encrypted data TCP packets
Only the data stream between SAProuters is encrypted
Encryption is handled on Application layer (OSI network layer 7)
Minimum required free bandwidth 64 kbit/s but may work also with
32 kbit/s
Supported services on SAP side All except FTP (files download)
Key management Digital certificates being requested via Service Marketplace Public Key Infrastructure (PKI)
Key storage In file system
Operating system SAProuter resides on a computer
therefore it is necessary to harden the security at the operating system level (for example, C2 level OS) to minimize the risk of the machine being hacked from the Internet
Additional expertise SAProuter knowledge usually available, SNC configuration requires additional knowledge
Standards Based on SNC, SAP proprietary standard
Contributing to costs u2022 Firewall hardware and software
u2022 Firewall administration costs
u2022 No additional license fee for security library based on SECUDE
Hope this helps.,
Thanks,
Naga

Connecting 2 SNC SAProuters

Hi all,
how can we connect 2 Saprouters?
i.e.... how can we connect different SAP servers in separate geographical locations?
all geographical locations SAP servers are having SAProuter (registered SAProuter and running with SNC)
how to establish RFC connection between these SAP servers?
what kind of Ports to be forworded from firewall to SAProuter system?
please give your valuable information.
thanking you in anticipation.
best regards,
by
Raghav

Hi Raghav,
you can use
SNC secured SAProuter SAProuter connections are established between two SAProuter to provide data confidentiality and integrity services
You have to install a SAProuter with an official, static IP address (DHCP Addresses will not work) running SNC inbound and outbound connection to SAP at their end of the connection in a Demilitarized Zone. This SAProuter must be accessible from the Internet.
or
LAN-to-LAN IPSec VPNs are established to provide data confidentiality and integrity services VPN equipment is required at both ends of the connection. The VPN switch at customers side must be reachable from the Internet
if helpful reward points are appreciated

Purchase req details from ECC to SNC

hi All,
Any standard IDOC or FM to send the Purchase req details from ECC to SNC system.
any pointers will be highly appreciated.
thanks

Hi SanKumar
The purchase requisitions can be sent to SNC using the standard report RSMIPROACT for Dynamic Replenishment Scenario.
The Purchase requistions are sent as a part of Customer firm net requirements.
In the screen Transfer Stocks and Requirements to SAP ICH/SNC
Set the Tab to Dynamic Replenishment.
Then input the Plant,MRP Area, Material and Target System.
Select the data to be sent(only for DR)
Duely check the Purchase Requisition.
Then the data can be seen in webui under Demand -
Order Forecast Monitor.--Overview/Details
Thanks
Vinod

APO - SNC integration

Hi All,
We have activated both the BF's SCM_APO_DISTR_REC & SCM_SNC_GEN_1. We have mapped the Proact_Out to Proact_In to receive demand from APO system to SNC system. We are using /SAPAPO/PROACT_OUT - Send Demand Data to send Deamd from APO system to SNC.
But when we receive Proact_In message from SAP XI system into SNC sysetm it remains in scheduled status. The message does not get processed.
Are we missing any SNC setting to receive the Forecast in SNC from APO?
Thanks
Gaurav

Hi Gaurav Gupta
Were you able to fix this issue ? We are also facing the same issue with APO SNC integration. PROACT_In messages are stuck in scheduled status.
Please let me know how did you fix it.
THanks,
Ankit

SAPRouter to SAPRouter SNC Setting

Similar Messages

Maybe you are looking for