2. Introduction
• SAP Router is a program that acts as a proxy between SAP
systems and external networks
• It controls access to your network from external network
systems such as SAP AG
• It acts as an application level gateway and is useful for
enhancing an existing firewall
• This document focuses on the installation of SAP Router using
Secure Network Communication (SNC) and is aimed at system
administrators responsible for setting up connectivity from SAP
to customer
3. Pre-Requisites
• Download the latest installation media for SAP Router and
the SAP Cryptographic library from SAP Support Portal
• Register your SAP Router with SAP
o obtain public IP and hostname of your SAP Router host
o fill in remote connection data sheet from note 28976
o raise incident with SAP under component XX-SER-NET-NEW
o SAP will provide your Distinguished Name
• E.g. CN=<SAP Router host>, OU=<Customer Number>, OU=SAProuter, O=SAP, C=DE
• Prepare SAP Router host
o create a user e.g. “sapadm” in group sapsys
o create an installation filesystem e.g. /usr/sap/saprouter
o set ownership of installation filesystem to “sapadm:sapsys”
4. Installation
• Perform the installation as user sapadm
• Unpack the software into your installation file system
o SAPCAR -xvf <saprouter software archive>
o SAPCAR -xvf <sapcryptographic software archive>
• Update environment of sapadm
o PATH = ${PATH}:<installation directory>
o SECUDIR = <installation directory>
o SNC_LIB = <installation directory>/<sapcryptographic_library>
o LD_LIBRARY_PATH = <installation directory>
5. Registering SAP Router
• Go to
https://support.sap.com/remote-support/saprouter/saprouter-certificates.html
• Generate SAP Router certificate request using distinguished name
registered at SAP with sapadm and command sapgenpse
o sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "<Distinguished Name>"
• Copy and paste the content of text file (certreq) created by
sapgenpse into the SAP support page and request certificate
• Copy and paste the result of the certificate request onto the
saprouter host as a text file “srcert” under the /usr/sap/saprouter
directory
6. Import Certificate
• Import “srcert” onto saprouter using sapgenpse command
below and create credentials for user “sapadm” to access local
pse
o sapgenpse import_own_cert -c srcert -p local.pse
o sapgenpse seclogin -p local.pse -O sapadm
7. Create Router Table
• The SAP Router table is a permission file containing details of
who can communicate through the SAP Router
• As “sapadm” create the text file saprouttab under
/usr/sap/saprouter and configure similar to the example below
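Because the router table decides who gets through, it is worth checking before the router is started. The Python check below is an added example, not part of the original slides or of SAP's tooling. It assumes the route-table entry types P/S/D and KP/KS/KD/KT, `*` as wildcard, `#` comment lines and first-match evaluation; `lint_saprouttab` and the sample table are hypothetical, with constructed names and addresses.

```python
import shlex

PLAIN = {"P", "S", "D"}            # entries for connections without SNC
SNC = {"KP", "KS", "KD", "KT"}     # entries tied to an SNC name
PERMIT = {"P", "S", "KP", "KS"}    # entries that open a route

# Constructed sample table; every name and address is a placeholder.
SAMPLE = """\
# SNC-authenticated partner may reach one host and port
KP "p:CN=partner-router, OU=Example, O=Example, C=DE" 10.0.0.5 3200
# plain-text permit for anyone, to anywhere
P * * *
P 10.0.0.* 10.0.0.5 3200
D * * *
"""

def lint_saprouttab(text):
    """Return (line_no, message) findings for risky route-table entries."""
    findings, catch_all = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)      # keeps a quoted SNC name as one field
        except ValueError:
            findings.append((no, "unbalanced quote"))
            continue
        kind = fields[0].upper()
        if kind not in PLAIN | SNC or len(fields) < 4:
            findings.append((no, "malformed entry"))
            continue
        if kind in PLAIN and catch_all:
            # Assumes first match wins: nothing after a plain "* * *" is evaluated.
            findings.append((no, f"shadowed by catch-all on line {catch_all}"))
            continue
        names = ("source", "host", "port")
        wild = [n for n, v in zip(names, fields[1:4]) if v == "*"]
        if kind in PERMIT and wild:
            findings.append((no, "permit with wildcard " + "/".join(wild)))
        if kind in PLAIN and len(wild) == 3:
            catch_all = no
    return findings

if __name__ == "__main__":
    for no, msg in lint_saprouttab(SAMPLE):
        print(f"line {no}: {msg}")
```

On the sample table it reports the open `P * * *` entry and the two plain entries behind it that can no longer take effect.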
8. Operating SAP Router
• Operate SAP Router with the user created for the installation
• Issue start/stop commands from the installation directory
• Start the SAP Router with the following command
– saprouter -r -S <port> -G saprouter.log -K "<DN>" &
– where:
o -K : to start with loading SNC library
o <DN> : Distinguished Name
o -S : saprouter port
o -G : name of the log file
• Stop the SAP Router with the following command
– saprouter -s