Page tree
Skip to end of metadata
Go to start of metadata

For SAProuter SNC connection between SAP SAProuter and your own SAProuter, please refer to the following link:

This document is talking about SNC connection between non-SAP SAProuters. In this example, COMMONCRYPTOLIB is used for SNC.

SNC Communication Between SAProuters


  1. Download SAProuter and COMMONCRYPTOLIB from SAP Software Download Center and extract the files. Copy the extracted files to SAProuter host1 and SAProuter host2.
  2. Set the environment variables SNC_LIB and SECUDIR.
    SNC_LIB = <path of COMMONCRYPTOLIB> (eg.Windows C:\COMMONCRYPTOLIB\sapcrypto.dll)
    SECUDIR = <Directory of SAProuter>/sec

  3. Generate PSE file.

    In the extracted files of COMMONCRYPTOLIB, you can find sapgenpse tool and it can be used to generate PSE file.
    Here are commands for generating PSE files and credentials.
    On SAProuter host1, run:
    sapgenpse get_pse -v -noreq -p local.pse "CN=MYSAPROUTER1"
    sapgenpse seclogin -p local.pse

    On SAProuter host2, run:
    sapgenpse get_pse -v -noreq -p local.pse "CN=MYSAPROUTER2"
    sapgenpse seclogin -p local.pse

    After the commands are executed successfully, you will see local.pse and cred_v2 files are generated under the path you have set for environment variable SECUDIR.


  4.  Exchange certificates of the SAProuters to establish mutual trust relationship.
    Export own certificate on SAProuter host1, run command:
    sapgenpse export_own_cert -o router1.cer -p local.pse

    Copy router1.cer to SAProuter host2, and on SAProuter host2 run command:
    sapgenpse maintain_pk -a router1.cer -p local.pse

    Export own certificate on SAProuter host2, run:
    sapgenpse export_own_cert -o router2.cer -p local.pse

    Copy router2.cer to SAProuter host1, and on SAProuter host1 run command:
    sapgenpse maintain_pk -a router2.cer -p local.pse

  5. Maintain Route Permission Table(saprouttab).

    On SAProuter host1, maintain saprouttab:

    # Allow Outbound connections to SAProuter host2 will use SNC
    KT "p:CN=MYSAPROUTER2" <Host name or IP of SAProuter host2> 3299
    # Allow all inbound connections
    P * * * 

    On SAProuter host2:

    # accept incoming connections from SAProuter1
    # with destination sapdp00 and 3298 on any host
    KP "p:CN=MYSAPROUTER1" *     sapdp00
    KP "p:CN=MYSAPROUTER1" *     3298

  6. Start SAProuter.

    On SAProuter host1 run command:
    saprouter -K p:CN=MYSAPROUTER1 -r

    On SAProuter host2 run command:
    Saprouter -K p:CN=MYSAPROUTER2 -r

  7. Test connection.

    On SAProuter host2, start niping server with command:
    niping -s

    On SAProuter host1, run niping client:
    niping -c -H /H/localhost/S/3299/H/<Host name or IP of SAProuter host2>/S/3299/H/localhost

    If it returns information like below, the setup is finished successfully:

    Thu Oct 24 13:39:19 2013
    connect to server o.k.

    Thu Oct 24 13:39:22 2013
    send and receive 10 messages (len 1000)
    ------- times -----
    avg   241.648 ms
    max   251.283 ms
    min   238.070 ms
    tr      8.083 kB/s
    excluding max and min:
    av2   240.891 ms
    r2     8.108 kB/s 

  8. If you would like to use CA signed certificates instead of self-signed certificates, you need to perform the following steps:

    1. Generate certificate request:
      sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
    2. Send certificate request(certreq) to CA.
    3. After you get certificate response from CA, import it via command:
      sapgenpse import_own_cert -c srcert -r <root CA certificate> -p local.pse
    4. Add root certificate of CA to certificate list of PSE file on partner host.
      If certificate of SAProuter on SAProuter host1 is signed by CA,you need to add the root CA certificate to PSE file on SAProuter host2 and vice versa.
      Command should be:
       sapgenpse maintain_pk -a <root CA certificate> -p local.pse

  • No labels