*************************
* OSS SNC Certificate SapRouter-Renew Install Docu *
*************************
--------Renew/Install New SNC Certificate in SapRouter
SapRouter must be started, check: D:\usr\sap\saprouter > start: saprouter -r (no switches shows help: saprouter)
(stop: saprouter -s & check: saprouter -l )
SNC must be running: SNC runs as a service on SM1, see it under Services.msc named SapRouter
- If this is not running, OSS Connection will not work
- see Note: OSS SNC Installation For SAP SAPRouter as NT Service_525751.pdf
Check Certificate Before Starting
D:\usr\sap\saprouter > sapgenpse get_my_name

Prerequisites
Stop SapRouter: saprouter -s
Stop SNC Service: Services > saprouter > Stop
OSS Message Instructions

You cannot backup your certificate. You will need to generate a new
certificate with the directions below:
Please do the following:
In the SNC SAProuter folder,
1. Delete the files, Cred_V2, local.pse and certreq from the SNC
SAProuter folder.
(I backed them up by adding _old to all 3 files, in case I had to
restore them: Cred_V2_old, local.pse_old and certreq_old)
2. Follow the instructions from step 3, under the section
"Creating the certificate request" in the SNC SAProuter setup
documentation available at http://service.sap.com/saprouter-sncdoc

or follow the following steps:
I followed these steps .....
Please do the following:
- Go to the http://service.sap.com/saprouter-sncadd
- Click on "Apply Now!"
- Select the SAProuter available from the list (saposs).
- Click "Continue" and "Insert the Certificate Signing Request"
form will be displayed. Prior to inserting any request in this page
the following need to be done:
On your SAProuter host system:
1. Generate the certificate Request with the command
sapgenpse get_pse -v -r certreq -p local.pse "CN=<SAPROUTER HOSTNAME>, OU=<CUSTOMER NUMBER>, OU=SAProuter, O=SAP, C=DE"
> button Continue
D:\usr\sap\saprouter >
sapgenpse get_pse -v -r certreq -p local.pse "CN=sjcsapsm, OU=0000847781, OU=SAProuter, O=SAP, C=DE"
Please enter pin: <standard password>
2. Open the file "certreq" and copy&paste its contents into the
"Insert the Certificate Signing Request" text area of the
same form on the SAP Service Marketplace.

> button: Request Certificate


3. In response you will receive the certificate signed by the CA in the
Service Marketplace, cut&paste the text to a local file named srcert
(Ensure that this file has no file extension).
New one certificate:

4. With this in turn you can install the certificate in your saprouter by calling
sapgenpse import_own_cert -c srcert -p local.pse
D:\usr\sap\saprouter >
sapgenpse import_own_cert -c srcert -p local.pse
Please enter pin: <standard password>
Result message: success

5. Now you will have to create the credentials for the SAProuter with
the same program (if you omit -O <user>, the credentials are
created for the logged in user account)
sapgenpse seclogin -p local.pse -O <user_for_saprouter>
This will create a file called cred_v2 in the same directory
sapgenpse seclogin -p local.pse

6. Check if the certificate has been imported correctly


sapgenpse get_my_name -v -n Issuer
The name of the Issuer should be: CN=SAProuter CA, OU=SAProuter,
O=SAP, C=DE
Check: OK, see below

Once step 6 is done and the output of the issuer is defined as above,
then the certificate import is correct. You can then go ahead and start
the SNC saprouter and test the connection to SAPnet R/3 Frontend again.
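
The copy&paste checks from steps 2 and 3 and the issuer check from step 6, as a small Python helper. This is an added example, not part of the original notes or of SAP's tooling: it confirms that a pasted certreq/srcert block still has its exact BEGIN/END lines and a decodable base64 payload, and that the issuer string reported by get_my_name matches the one named above. The function names and the sample block are constructed for illustration.

```python
import base64

# Issuer DN the page expects from: sapgenpse get_my_name -v -n Issuer
EXPECTED_ISSUER = "CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE"

def normalize_dn(dn):
    """Drop spacing around ',' and '=' so DNs compare on content only."""
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    return ",".join("=".join(p.strip() for p in r.split("=", 1)) for r in rdns)

def issuer_ok(reported):
    """True if the reported issuer is the SAProuter CA named on the page."""
    return normalize_dn(reported) == normalize_dn(EXPECTED_ISSUER)

def pem_problems(text, label):
    """Return armor/encoding problems of a pasted PEM block ([] = clean)."""
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems = []
    if not lines or lines[0] != begin:
        problems.append(f"first line must be exactly {begin}")
    if not lines or lines[-1] != end:
        problems.append(f"last line must be exactly {end}")
    body = "".join(ln for ln in lines if not ln.startswith("-----"))
    try:
        if not base64.b64decode(body, validate=True):
            problems.append("no base64 payload between the armor lines")
    except ValueError:  # binascii.Error is a subclass of ValueError
        problems.append("payload is not valid base64 (truncated paste?)")
    return problems

# Constructed sample: placeholder bytes in PEM armor, not a real request.
PAYLOAD = base64.b64encode(b"constructed placeholder, not a CSR " * 4).decode()
ROWS = [PAYLOAD[i:i + 64] for i in range(0, len(PAYLOAD), 64)]
GOOD = "\n".join(["-----BEGIN CERTIFICATE REQUEST-----", *ROWS,
                  "-----END CERTIFICATE REQUEST-----"])
# Same block with the BEGIN line run into the first payload row.
FUSED = GOOD.replace("REQUEST-----\n", "REQUEST----", 1)

if __name__ == "__main__":
    print(pem_problems(GOOD, "CERTIFICATE REQUEST"))
    print(pem_problems(FUSED, "CERTIFICATE REQUEST"))
    print(issuer_ok("CN=SAProuter CA,OU=SAProuter,O=SAP,C=DE"))
```

Use the label "CERTIFICATE" when checking the srcert file returned by the Service Marketplace.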

Post Install

Start SNC Service: Services > saprouter > Start


Start SapRouter for SNC:

saprouter -r -K "p:CN=sjcsapsm, OU=0000847781, OU=SAProuter, O=SAP, C=DE"


Check for Errors: D:\usr\sap\saprouter\dev_rout
Certificate Installation Completed
General Notes
New: sapgenpse get_my_name

Old: sapgenpse get_my_name

SAP Router install in Linux

In this posting, I'll try to explain how to install and configure SAProuter, and also how to
set up your SAProuter with Secure Network Communication (SNC), as SAP wants it if
they have to support you.
The first thing you need to do, is to send a customer message to SAP
Support (component XX-SER-NET-OSS-NEW) and tell them to register the
hostname and IP of your new SAProuter.
You have to register it with an official IP address (no internal IPs
allowed), but it's allowed to use NAT in the firewall/router.
After you've received a confirmation from SAP that your SAProuter has
been registered, you are ready to configure your SAProuter.
If your SAProuter directory is C:\usr\sap\saprouter, these are the steps
to follow.
Note: You will be asked for a PIN code. Just pick your own 4 numbers, but
you'll have to use the same PIN every time you're asked to enter one.
1. Set 2 environment variables: SECUDIR and SNC_LIB according to the
guide you've downloaded.
2. Download the SAP Crypto Library and unpack it into
C:\usr\sap\saprouter
3. To generate a certificate request, run the command:
sapgenpse get_pse -v -r C:\usr\sap\saprouter\certreq -p
C:\usr\sap\saprouter\local.pse
4. Then you have to follow the guide and request the certificate from
http://service.sap.com/tcs -> Download Area -> SAProuter Certificate
5. Create a file C:\usr\sap\saprouter\srcert and copy the requested
certificate into this file. Then run the command:
sapgenpse import_own_cert -c C:\usr\sap\saprouter\srcert -p
C:\usr\sap\saprouter\local.pse
6. To generate credentials for the user that's running the SAProuter
service, run command:
sapgenpse seclogin -p C:\usr\sap\saprouter\local.pse -O
(this will create the file cred_v2)
7. Check the configuration by running command:
sapgenpse get_my_name -v -n Issuer
(This should always give the answer CN=SAProuter CA, OU=SAProuter,
O=SAP, C=DE)
8. Create SAProuter service on Windows with the command:
sc.exe create SAPRouter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -S 3299 -W 60000 -R D:\usr\sap\saprouter\saprouttab -K ^p:CN=ETGPSOLM, OU=0001171499, OU=SAProuter, O=SAP, C=DE^"

9. Edit the Windows Registry key as follows:
MyComputer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAProuter\ImagePath > Change both ^ to "
10. Start the SAProuter service
11. Enter the required parameters in OSS1 -> Technical Settings

A guide to configure SAProuter


INTRODUCTION:
I found a lot of notes and documents when I wanted to configure saprouter. Here I would like
to collect all the how-tos into a single document.
SAProuter is a kind of application-level firewall that allows your SAP servers to be accessed globally
in a secure way. Nowadays it is a basic requirement for every customer who uses Solution
Manager for getting support from SAP. The following are the situations where you need
SAProuter.

1. You want your users to access the SAP server from outside the LAN without a VPN.

2. You want to get support from SAP.


3. You are planning to implement SAP Solution manager.
4. You want to download SAP notes and corrections via snote assistant
This document is targeted for those who have following environment.
OS platform : Windows 2008 or higher (indeed for windows 7)
Architecture : nt-x86_64
PREREQUISITES:
1. Get a Public IP from your ISP for SAProuter.
2. Create message on support portal as in this note 28976 - Remote connection data
sheet
You would receive a confirmation from SAP with a Destination SAP IP and Distinguished
name.
3. NAT policy in firewall with permission to the TCP ports 3200-3299 for the above registered
public IP
(TCP ports for message servers 32<instance_no> and any free TCP port as a dedicated port
for SAProuter)
4. Download latest version of SAPRouter from support portal.
(visit Support Packages --> Browse Download catalogue --> Additional components->SAProuter)
5. Download latest version of SAPCRYPTOLIB from support portal.
(visit Support Packages --> Browse Download catalogue --> Additional components->SAPCRYPTOLIB)
6. Download latest version of SAPCAR to extract the above downloaded software.
(visit Support Packages --> Browse Download catalogue --> Additional components->SAPCAR)
PREPARATIONS:
1. Copy all the above downloaded files in to temporary dir and uncar the Saprouter and
cryptolib files.
2. Open cmd and navigate to above temp location and execute sapcar_<version>.exe
-xvf <filename>.sar
3. Make new directory (ex: D:\usr\sap\saprouter) and paste the extracted files of router and
cryptolib files.

4. I recommend creating an exclusive local user "sncadm" with the password set to never
expire.
(In my case I used to change the password for sidadm and this caused issues in starting the router.)
5. Log on as the saprouter user and set the following user environment variables.
SECUDIR = <dir_saprouter>
(ex: SECUDIR = D:\usr\sap\saprouter)
SNC_LIB = <dir_saprouter>\nt-x86_x64\sapcrypto.dll
(ex: D:\usr\sap\saprouter\nt-x86_x64\sapcrypto.dll)

CONFIGURATION:
1. Generating a new certificate request.
a. Go to SAProuter Certificates --> click Apply Now, copy your distinguished name and
click next
b. Open cmd as administrator, navigate to <path_saprouter>\nt-x86_x64\ and
execute,
sapgenpse get_pse -v -r certreq -p local.pse "<Distinguished Name>"
example: sapgenpse get_pse -v -r certreq -p local.pse "CN=example, OU=00123456, OU=SAProuter, O=SAP, C=DE"
c. It will ask you to enter and re-enter a PIN. This is used to access the local.pse, so better
note it down.
d. A file "local.pse" will be created in the saprouter directory. (Ex:
D:\usr\sap\saprouter\local.pse)
e. A file "certreq" will be created under <dir_saprouter>\nt-x86_x64 (Ex:
D:\usr\sap\saprouter\certreq)
2. Acquiring certificate signed by CA.
a. Open the "certreq" file with notepad and copy the text (including BEGIN and END)
b. Paste it on the above opened certificate page and click next.
c. You would get a certificate (series of jumbled characters) copy this (including BEGIN
and END)
d. create a new file "routcert.txt" under <dir_saprouter>\nt-x86_x64 and paste the above
certificate text.
3. Importing router certificate.
a. Open cmd as administrator and navigate to <dir_saprouter>\nt-x86_x64\ and execute,
sapgenpse import_own_cert -c routcert.txt -p local.pse
Running the above command will ask you to enter the PIN; enter the one you set in
step 1c
4. Authorizing windows user for accessing SAPRouter.
Execute the following cmd with the saprouter user (sncadm).
sapgenpse seclogin -p local.pse -O <exclusive_user_SAProuter>

example: sapgenpse seclogin -p local.pse -O hostname\sncadm


Now you will be prompted to enter the PIN. Enter the one you set in step
1c
Check whether a file "cred_v2" is created under saprouter directory.
5. Verifying authorization for the sncadm of saprouter.
Log on as the saprouter user, open cmd, navigate to <dir_saprouter>\nt-x86_x64\
and execute
sapgenpse get_my_name -v -n Issuer
You should get an output like this. CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

Voila ! you have configured your SAPRouter successfully.


But wait.. We have to check whether the router works or not.
Start your SAProuter using the command <dir_saprouter>\saprouter.exe -r
You should get the output "trcfile dev_rout no logging active". This shows that
the router started successfully. But if you close the above cmd prompt, your SAProuter
will shut down.
We can avoid this by registering SAProuter as a Windows service, so that it runs in the
background.
Registering SAProuter as Windows service:
1. Open a command prompt as administrator, and navigate to <dir_saprouter>
2. Execute the following command as it is, replacing <path> with your saprouter directory
path and <distinguished name> with your distinguished name
sc.exe create SAPRouter binPath= "<path>\saprouter.exe service -r -S 3299 -W 60000 -R <path>\saprouttab -K ^p:<distinguished name>^"
example: sc.exe create SAPRouter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -S 3299 -W 60000 -R D:\usr\sap\saprouter\saprouttab -K ^p:CN=example, OU=00123456, OU=SAProuter, O=SAP, C=DE^"
3. You would get an output saying service "SAPRouter" created successfully.
4. Open "regedit.exe" and edit the string "ImagePath" under the following location.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saprouter
5. Replace ^ with " and click OK. The updated value should look like below
<path>\saprouter.exe service -r -S 3299 -W 60000 -R <path>\saprouttab -K "p:CN=example, OU=00123456, OU=SAProuter, O=SAP, C=DE"
6. Now open "services" right click "SAPRouter" and choose properties. click on "Log On" tab
and choose "This account".
Type the user ID created for configuring saprouter (sncadm), type password and then click
apply.
7. Now start the saprouter service and you're done.

Congrats !! You have implemented SAP ROUTER successfully.
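
A check for the ImagePath value edited in steps 4 and 5, as an added Python example that is not part of the original guide. It flags a leftover ^, a -K distinguished name that is not wrapped in double quotes (its spaces would otherwise split it into several arguments), a DN that does not have the shape used in the examples above, and a missing -R argument. The function names are hypothetical and the sample values are built from the guide's own example command.

```python
import re

# DN shape used in the page's examples:
#   CN=<host>, OU=<customer number>, OU=SAProuter, O=SAP, C=DE
DN_RE = re.compile(r'CN=[^,"^]+,\s*OU=\d+,\s*OU=SAProuter,\s*O=SAP,\s*C=DE')

def squash(dn):
    """Remove whitespace around commas so two DNs compare on content."""
    return re.sub(r"\s*,\s*", ",", dn.strip())

def image_path_problems(image_path, registered_dn=None):
    """Return the problems found in a SAProuter service command line."""
    problems = []
    if "^" in image_path:
        problems.append('caret placeholder still present; replace ^ with "')
    quoted = re.search(r'-K\s+"p:([^"]*)"', image_path)
    if not quoted:
        # Without the quotes the spaces in the DN split it into several args.
        problems.append("-K value is not enclosed in double quotes")
        return problems
    dn = quoted.group(1).strip()
    if not DN_RE.fullmatch(dn):
        problems.append("DN is not CN=..., OU=<digits>, OU=SAProuter, O=SAP, C=DE")
    if registered_dn and squash(dn) != squash(registered_dn):
        problems.append("DN differs from the one registered with SAP")
    if not re.search(r"\s-R\s+\S", image_path):
        problems.append("no -R <saprouttab path> argument")
    return problems

# Sample values built from the page's own example command.
DN = "CN=example, OU=00123456, OU=SAProuter, O=SAP, C=DE"
BASE = (r"D:\usr\sap\saprouter\saprouter.exe service -r -S 3299 -W 60000 "
        r"-R D:\usr\sap\saprouter\saprouttab -K ")
AS_CREATED = BASE + "^p:" + DN + "^"    # value right after sc.exe create
AFTER_EDIT = BASE + '"p:' + DN + '"'    # value after the regedit step

if __name__ == "__main__":
    for value in (AS_CREATED, AFTER_EDIT):
        print(image_path_problems(value) or "OK")
```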
