4/24/2015

InstallingthesapcryptolibraryandstartingtheSAProuter|SAPSupportPortal

April24,201510:45am
Home>RemoteSupport>FrequentlyAskedQuestions>InstallingthesapcryptolibraryandstartingtheSAProuter

InstallingthesapcryptolibraryandstartingtheSAProuter
ThissectiondescribesthenecessarystepstodownloadandinstallthesapcryptolibraryforusewithSAProuter.TheSAProutermustbestartedwiththeoptionsdescribedlaterinthis
section.ForLicenseconditionsofSAPCryptographicLibrarypleaserefertoSAPnote597059.Pleasenote,thatonlyfortheconnectionbetweenSAProutersatSAPandthefirst
SAProuteroncustomersites,certificatessignedbyaCAprovidedbySAParebeingused.ForallotherusesofSAPCRYPTOLIBforSNCinbackendconnections,customersarefree
tochooseanyCAoftheirpreferenceorsimplyuseselfsignedcertificatesasproposedbySAPforSNCconnectionsingeneral.

DownloadingnecessarysoftwarecomponentsfromSAPSupportPortal

DownloadingnecessarysoftwarecomponentsfromSAPSupportPortal
1.LogintotheSAPSupportPortalwiththeSuserIDwhichisassignedtoyourinstallation.
2.UsethelatestSAProuterversion7.20,whichcanbedownloadedfromtheSAPSoftwareDownloadCenter.

Howyoucancontactus

>SupportPackages&Patches
>AZAlphabeticalListofProducts
>S
>SAPROUTER
>SAPROUTER7.20
>yourpreferredO.S.version
>saprouter_XXXXXXXXXXX.sar

Contactus

TechnicalAssistance

NonTechnicalAssistance

Reportanincidentforyour

CallSAPSupport*orsenda

SAPsoftware

queryviathewebform

(NOTEI:InLinux:besuretosetenvironmentvariable$LIBPATHtoSAProuterdirectoryifneeded)
(NOTEII:IftheO.S.ofSAProuterisWindows,possiblyalsoimplementSAPnote684106)

*Note:Forcontractrelatedquestions,pleasefillouttheonlineform

(NOTEIII:IftheO.S.ofSAProuterisOS400,pleasefollowallinstructionsinSAPnote1818735)
3.DownloadthelatestSAPCryptographicLibraryfromtheSAPSoftwareDownloadArea.
>SupportPackages&Patches
>AZAlphabeticalListofProducts
>S
>SAPCRYPTOLIB
>COMMONCRYPTOLIB8
>yourpreferredO.S.version
>SAPCRYPTOLIBP_XXXXXXXXXXXX.SAR
(NOTE:RecommendationistounpackSAPCRYPTOLIBP_XXXXXXXXXXXX.SARinthedesignatedSAProuterdirectory)
4.YoucangettheSAPCARexecutable,whichisnecessarytounpackSARarchives,fromanyInstallationKernelCD.AlternativelyyoucandownloadthelatestSAPCAR
executablefromtheSAPSoftwareDownloadCenter.
>SupportPackages&Patches
>AZAlphabeticalListofProducts
>S
>SAPCAR
>SAPCAR7.20
>yourpreferredO.S.version
>SAPCAR_XXXXXXXXXXX.EXE
5.ExecutingthecommandSAPCAR_XXXXXXXXXXX.EXExvfsaprouter_XXXXXXXXXXX.sarwillunpackthefollowingfiles:
saprouter[.exe]
niping[.exe]
(NOTE:RecommendationistounpackallfilesinthedesignatedSAProuterdirectory)
6.ExecutingthecommandSAPCAR_XXXXXXXXXXX.EXExvfSAPCRYPTOLIBP_XXXXXXXXXXXX.SARwillunpackthefollowingfiles:
[lib]sapcrypto.[dll|so|sl]
sapgenpse[.exe]
(NOTE:RecommendationistounpackallfilesinthedesignatedSAProuterdirectory)
Creatingthecertificaterequest
1. Asuser<snc_adm>settheenvironmentvariablesSNC_LIBandSECUDIR:

UNIX

SECUDIR=<directory_of_SAProuter>
SNC_LIB=<path_to_libsecude>/<name_of_sapcrypto_library>

https://support.sap.com/remotesupport/help/installingsaprouter.html

1/4

4/24/2015

InstallingthesapcryptolibraryandstartingtheSAProuter|SAPSupportPortal
WindowsNT,2000,XPor

SECUDIR=<directory_of_SAProuter>

higher

SNC_LIB=<drive>:\<path_to_libsecude>\sapcrypto.dll

NoteI
NoteII

AfterconfiguringthevariablesinWindows,verifythemwiththecommand'set'.Incasethevariablesarenotdisplayedas
entered,pleasereboottheserver.
IftheO.S.ofSAProuterisOS400,pleaseimplementSAPnote1818735

2. ChangetoCertification.FromthelistofSAProutersregisteredtoyourinstallation,choosetherelevant"DistinguishedName".
3. GeneratethecertificateRequestwiththecommand:
sapgenpseget_psevasha256WithRsaEncryptions2048rcertreqplocal.pse"<DistinguishedName>"
Example:
sapgenpseget_psevasha256WithRsaEncryptions2048rcertreqplocal.pse"CN=example,OU=0000123456,OU=SAProuter,O=SAP,C=DE"
Alternativelyusethetwocommands:
sapgenpseget_psevasha256WithRsaEncryptions2048noreqplocal.pse"<DistinguishedName>"
sapgenpseget_psevonlyreqrcertreqplocal.pse
YouwillbeaskedtwiceforaPINhere.PleasechooseaPINanddocumentit,youhavetoenteritidenticallybothtimes.ThenyouwillhavetoenterthesamePIN
everytimeyouwanttousethisPSE.
4. Displaytheoutputfile"certreq"andwithcopy&paste(includingtheBEGINandENDstatement)insertthecertificaterequestintothetextareaofthesameformon
theSAPServiceMarketplacefromwhichyoucopiedtheDistinguishedName.
5. InresponseyouwillreceivethecertificatesignedbytheCAintheServiceMarketplace.Copy&pastethetexttoanewlocalfilenamed"srcert",whichmustbe
createdinthesamedirectoryasthesapgenpseexecutable.
6. WiththisinturnyoucaninstallthecertificateinyourSAProuterbycalling:
sapgenpseimport_own_certcsrcertplocal.pse
7. NowyouwillhavetocreatethecredentialsfortheSAProuterwiththesameprogram(ifyouomitO<user_for_SAProuter>,thecredentialsarecreatedforthelogged
inuseraccount):
sapgenpsesecloginplocal.pseO<user_for_SAProuter>
Note:Theaccountoftheserviceusershouldalwaysbeenteredinfull<domainname>\<username>
8. Thiswillcreateafilecalled"cred_v2"inthesamedirectoryas"local.pse"
ForincreasedsecuritypleasecheckthatthefilecanonlybeaccessedbytheuserrunningtheSAProuter.
Donotallowanyotheraccess(notevenfromthesamegroup)!
OnUNIXthiswillmeanpermissionsbeingsetto600oreven400!
OnWindowscheckthatthepermissionsaregrantedonlytotheusertheserviceisrunningas!
9. Checkifthecertificatehasbeenimportedsuccessfullywiththefollowingcommand:
sapgenpseget_my_namevnIssuer
ThenameoftheIssuershouldbe:
CN=SAProuterCA,OU=SAProuter,O=SAP,C=DE
After04/15/2015thanameoftheIssuershouldbe:
CN=SAProuterCA,OU=SAProuter,O=SAPTrustCommunityII,C=DE
10. Ifthisisnotthecase,deletethefiles"cred_v2","local.pse","srcert"and"certreq"andstartoveratitem3.Iftheoutputstilldoesnotmatchpleaseopenanincidentat
componentXXSERNETstatingtheactionsyouhavetakensofarandtheoutputofthecommands3.,6.,7.and9.
11. From04/15/201511:00AMCETuntil07/18/2015youneedtoimporttheoldSAProuterRootCAmanually:
TheoldSAProuterSMPRootCAcertificateisattachedtoSAPnote2131531.
ImporttheoldSAProuterSMPCARootCAcertificateastrustedintoyourPSE.
sapgenpsemaintain_pkasmprootca.derplocal.pse
Thisisnecessary,sinceSAPhastokeepusingsaproutercertificatessignedbytheoldSAProuterSMPRootCAforinteroperabilityreasons.Ifyouomitthisstep,
SNCconnectionstoSAPcannotbeestablished.
AdditionalactionsnecessarybeforeyoucanstartSAProuter
1. CheckiftheenvironmentoftheaccountrunningSAProutercontainstheenvironmentvariableSNC_LIBandSECUDIR
UNIXprintenv
WindowsNT,2000,XPUserenviornmentvariable

https://support.sap.com/remotesupport/help/installingsaprouter.html

2/4

4/24/2015

InstallingthesapcryptolibraryandstartingtheSAProuter|SAPSupportPortal

2. Thecorrespondingfilesaprouttab[alocalfilethatmustbecreatedmanuallyanditisnormallycreatedinthemainSAProuterdirectory]mustcontainatleastthefollowing
entries:
ExampleSAPROUTTAB
forSNCconnectionsregisteredtosapserv2inGermany
#SNCconnectiontoandfromSAP
KT"p:CN=sapserv2,OU=SAProuter,O=SAP,C=DE"194.39.131.34*
#SNCconnectiontolocalsystemforR/3Support
#R/3Server:192.168.1.1
#R/3Instance:00
KP"p:CN=sapserv2,OU=SAProuter,O=SAP,C=DE"192.168.1.13200[optionalSAProuterpassword]
#SNCconnectiontolocalWINDOWSsystemforWTS,ifapplicable
#Windowsserver:192.168.1.2
#DefaultWTSport:3389
KP"p:CN=sapserv2,OU=SAProuter,O=SAP,C=DE"192.168.1.23389[optionalSAProuterpassword]
#SNCconnectiontolocalUNIXsystemforSAPtelnet,ifapplicable
#UNIXserver:192.168.1.3
#DefaultTelnetport:23
KP"p:CN=sapserv2,OU=SAProuter,O=SAP,C=DE"192.168.1.323[optionalSAProuterpassword]
#SNCconnectiontolocalPortalsystemforURLaccess,ifapplicable
#Portalserver:192.168.1.4
#Portnumber:50003
KP"p:CN=sapserv2,OU=SAProuter,O=SAP,C=DE"192.168.1.450003[optionalSAProuterpassword]
#AccessfromthelocalNetworktoSAP
P192.168.*.*194.39.131.343299
#denyallotherconnections
D***
ExampleSAPROUTTAB
forSNCconnectionsregisteredtosapserv9inSingapore
#SNCconnectiontoandfromSAP
KT"p:CN=sapserv9,OU=SAProuter,O=SAP,C=DE"169.145.197.110*
#SNCconnectiontolocalsystemforR/3Support
#R/3Server:192.168.1.
#R/3Instance:00
KP"p:CN=sapserv9,OU=SAProuter,O=SAP,C=DE"192.168.1.13200[optionalSAProuterpassword]
#SNCconnectiontolocalWINDOWSsystemforWTS,ifapplicable
#Windowsserver:192.168.1.2
#DefaultWTSport:3389
KP"p:CN=sapserv9,OU=SAProuter,O=SAP,C=DE"192.168.1.23389[optionalSAProuterpassword]
#SNCconnectiontolocalUNIXsystemforSAPtelnet,ifapplicable
#UNIXserver:192.168.1.3
#DefaultTelnetport:23
KP"p:CN=sapserv9,OU=SAProuter,O=SAP,C=DE"192.168.1.323[optionalSAProuterpassword]
#SNCconnectiontolocalPortalsystemforURLaccess,ifapplicable
#Portalserver:192.168.1.4
#Portnumber:50003
KP"p:CN=sapserv9,OU=SAProuter,O=SAP,C=DE"192.168.1.450003[optionalSAProuterpassword]
#AccessfromthelocalNetworktoSAP
P192.168.*.*169.145.197.1103299
#denyallotherconnections
D***

3. StarttheSAProuterwiththefollowingcommandline(tostarttheSAProuterasaWindowsservice,pleasefollowthestepsdescribedinSAPnote525751):
KtellstheSAProutertostartwithloadingtheSNClibrary

https://support.sap.com/remotesupport/help/installingsaprouter.html

3/4

4/24/2015

InstallingthesapcryptolibraryandstartingtheSAProuter|SAPSupportPortal
<DistingushedName>:youfindthisparameteronthewebpageCertificationafteryouclickthebutton"ApplyNow!"
Example
saprouterrK"p:CN=example,OU=0000123456,OU=SAProuter,O=SAP,C=DE"
IfyouomitS,theprocessisbeingstartedondefaultPort3299.
(NOTE:iftheO.S.ofSAProuterisOS400,pleaseimplementSAPnote1818735)

4. YoucanalsostartSAProuterasaMicrosoftWindowsserviceinsteadofstartingit"manually"fromcommandline.PleasereadSAPnote525751InstallationoftheSNC
SAPRouterasNTService
IfSAProuterfailstostart,alsoimplementSAPnote684106MicrosoftruntimeDLLs

https://support.sap.com/remotesupport/help/installingsaprouter.html

4/4