Monday, December 01, 2008

Installing SNC SAP Router as NT Service

SAP router is a program that acts as a mediator in the network between SAP system and access is controlled before data is sent further along the communication path. Connections can also be established between SAP systems over several SAProuters. You can then secure connections between adjacent SAProuters using SNC.

SNC is used to make network connections using the Internet, in particular WAN connections, secure. It provides reliable authentication as well as encryption of the data to be transferred.SAProuter allows SNC connections to be set up. The route permission table can be used to specify precisely whether SNC connections are allowed, and if so, which ones.

Before you start the installation, download the necessary software component from SAP Service Marketplace. Besides, you have to request a certification in

Following steps will describe how to install SAPRouter in your system.
1. Set the environment variables of SNC_LIB and SECUDIR
SNC_LIB = drive:\path_to_libsecude\ntintel\sapcrypto.dll
SECUDIR = directory_of_saprouter
2. Generate the certificate request using command
sapgenpse get_pse -v -r certreq -p local.pse “Distinguished Name"
3. You will be asked twice for a PIN here. Please choose a PIN and document it, you have to enter it identically both times. Then you will have to enter the same PIN every time you want to use this PSE.
4. Display the output file "certreq" and with copy & paste (including the BEGIN and END statement) insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.
5. In response you will receive the certificate signed by the CA in the Service Marketplace. Copy&paste the text to a new local file named "srcert", which must be created in the same directory as the sapgenpse executable.
6. With this in turn you can install the certificate in your saprouter using command:
sapgenpse import_own_cert -c srcert -p local.pse
7. Now you will have to create the credentials for the SAProuter with the same program by calling: sapgenpse seclogin -p local.pse
8. Check if the certificate has been imported successfully with the following command:
sapgenpse get_my_name -v -n Issuer
The name of the Issuer should be:
CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
9. Check if the certificate has a valid date with the following command:
sapgenpse get_my_name

Check your saprouttab file. It contains routing table from SAPROUTER to OSS . Add manually connection as many as you need. for more information you can go to

After installing SAPRouter, you have to install the SNC as a NT service.
1. Minimum saprouter version 30
2. Create the subdirectory saprouter in the directory drive:\usr\sap
3. Copy the executables saprouter.exe and niping.exe to the directory you have just created
4. If the Saprouter has already been entered as a service with srvany.exe, the
definition of the service from the registry (path: HKLM -> System -> CurrentControlSet -> Services -> SAPRouter) should first be removed and then the machine should be rebooted.
5. To define new service. Enter this command :
ntscmgr install saprouter -b \saprouter.exe -p "service -r -W 60000 -R path\saprouttab -K ^p:^"
6. Edit the string in the registry under :
MyComputer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saprouter\ImagePath –> Change both ^ to “
7. Additionally you'll have to do the following steps to make SAPCRYPTOLIB credentials available to a process that runs as an NT service. Run the command:
sapgenpse seclogin -p local.pse
8. Proceed as follows after the installation to maintain the general attributes of the service : Go to 'Control Panel -> Services: SAPRouter -> Button: Startup',set the startup type to 'Automatic' and enter the user .The SAPRouter should NOT run under the system account