For an SNC connection between SAP's SAProuter and your own SAProuter, please refer to the following link:
This document describes setting up an SNC connection between non-SAP SAProuters. In this example, COMMONCRYPTOLIB is used for SNC.
SNC Communication Between SAProuters
- Download SAProuter and COMMONCRYPTOLIB from SAP Software Download Center https://support.sap.com/swdc and extract the files. Copy the extracted files to SAProuter host1 and SAProuter host2.
Set the environment variables SNC_LIB and SECUDIR.
SNC_LIB = <path of COMMONCRYPTOLIB> (e.g. on Windows: C:\COMMONCRYPTOLIB\sapcrypto.dll)
SECUDIR = <Directory of SAProuter>/sec
Generate the PSE files.
The extracted COMMONCRYPTOLIB files include the sapgenpse tool, which is used to generate the PSE file.
The following commands generate the PSE files and credentials.
On SAProuter host1, run:
sapgenpse get_pse -v -noreq -p local.pse "CN=MYSAPROUTER1"
sapgenpse seclogin -p local.pse
On SAProuter host2, run:
sapgenpse get_pse -v -noreq -p local.pse "CN=MYSAPROUTER2"
sapgenpse seclogin -p local.pse
After the commands have executed successfully, the files local.pse and cred_v2 are generated under the path you set in the environment variable SECUDIR.
Exchange the certificates of the SAProuters to establish a mutual trust relationship.
To export the own certificate on SAProuter host1, run command:
sapgenpse export_own_cert -o router1.cer -p local.pse
Copy router1.cer to SAProuter host2, and on SAProuter host2 run command:
sapgenpse maintain_pk -a router1.cer -p local.pse
To export the own certificate on SAProuter host2, run:
sapgenpse export_own_cert -o router2.cer -p local.pse
Copy router2.cer to SAProuter host1, and on SAProuter host1 run command:
sapgenpse maintain_pk -a router2.cer -p local.pse
Maintain the Route Permission Table (saprouttab).
On SAProuter host1, maintain saprouttab:
# Outbound connections to SAProuter host2 use SNC
KT "p:CN=MYSAPROUTER2" <Host name or IP of SAProuter host2> 3299
# Allow all inbound connections
P * * *
On SAProuter host2:
# accept incoming connections from SAProuter1
# with destination sapdp00 and 3298 on any host
KP "p:CN=MYSAPROUTER1" * sapdp00
KP "p:CN=MYSAPROUTER1" * 3298
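The check below is an added example, not part of the original procedure and not an SAP tool. It parses the two route permission tables shown above and reports entries that permit traffic without binding it to an SNC name, such as the `P * * *` line on host1. The host name `router2.example` is a constructed placeholder, and the severity labels are this example's own.

```python
import shlex

# Constructed input: the two tables from the steps above; "router2.example"
# is a placeholder for the host name or IP of SAProuter host2.
HOST1_TAB = """\
# Outbound connections to SAProuter host2 use SNC
KT "p:CN=MYSAPROUTER2" router2.example 3299
# Allow all inbound connections
P * * *
"""
HOST2_TAB = """\
KP "p:CN=MYSAPROUTER1" * sapdp00
KP "p:CN=MYSAPROUTER1" * 3298
"""

PLAIN = {"P", "S", "D"}          # first field is a source host/IP pattern
SNC = {"KP", "KS", "KD", "KT"}   # first field is the partner's SNC name


def audit_saprouttab(text):
    """Return a list of (line_no, severity, message) for risky entries."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # shlex keeps a quoted SNC name such as "p:CN=X, O=Y" in one field
            fields = shlex.split(line)
        except ValueError:
            findings.append((no, "error", "unbalanced quotes"))
            continue
        kind, args = fields[0].upper(), fields[1:]
        if kind not in PLAIN | SNC or len(args) < 3:
            findings.append((no, "error", "unrecognised or incomplete entry"))
        elif kind in {"P", "S"} and args[:3] == ["*", "*", "*"]:
            findings.append((no, "high", "any source may reach any host and "
                             "service without SNC authentication"))
        elif kind in {"P", "S"}:
            findings.append((no, "info", "permit entry is not bound to an SNC name"))
        elif kind in {"KP", "KS"} and args[1:3] == ["*", "*"]:
            findings.append((no, "warn", "SNC partner may reach any host and service"))
    return findings


if __name__ == "__main__":
    for name, tab in (("host1", HOST1_TAB), ("host2", HOST2_TAB)):
        for no, sev, msg in audit_saprouttab(tab):
            print(f"{name}:{no}: [{sev}] {msg}")
```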
On SAProuter host1 run command:
saprouter -K p:CN=MYSAPROUTER1 -r
On SAProuter host2 run command:
saprouter -K p:CN=MYSAPROUTER2 -r
On SAProuter host2, start niping server with command:
On SAProuter host1, run niping client:
niping -c -H /H/localhost/S/3299/H/<Host name or IP of SAProuter host2>/S/3299/H/localhost
If it returns output like the following, the setup has finished successfully:
Thu Oct 24 13:39:19 2013
connect to server o.k.
Thu Oct 24 13:39:22 2013
send and receive 10 messages (len 1000)
------- times -----
avg 241.648 ms
max 251.283 ms
min 238.070 ms
tr 8.083 kB/s
excluding max and min:
av2 240.891 ms
r2 8.108 kB/s
If you would like to use CA signed certificates instead of self-signed certificates, you need to perform the following steps:
- Generate certificate request:
sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
- Send the certificate request (certreq) to the CA.
- After you get the certificate response from the CA, import it via command:
sapgenpse import_own_cert -c srcert -r <root CA certificate> -p local.pse
- Add the root certificate of the CA to the certificate list of the PSE file on the partner host.
If the certificate of the SAProuter on SAProuter host1 is signed by a CA, you need to add the root CA certificate to the PSE file on SAProuter host2, and vice versa.
The command is:
sapgenpse maintain_pk -a <root CA certificate> -p local.pse