Install And Configure Sap Router Port
How to activate HTTP, HTTPS and SMTP ports in an SAP system (Monday, 14 August 2017): if you want to add the HTTP, HTTPS or SMTP port, use the instance profile. How to install and configure SAP Router in SUSE Linux. Dear SAP Expert! I want to install SAP Router, but I don't know on which DVD the SAP Router package is located. What is the DVD number? If you have already configured SAP Router, please let me know how to configure it.
I found a lot of notes and documents when I wanted to configure SAProuter. Here I would like to consolidate all the how-tos into a single document.
- For a comprehensive list of which SAP Business Analytics products benefit from SAProuter connections, see SAP Note 1478974. SAProuter controls access to your network on the application level and is a useful enhancement to an existing firewall system (port filter).
- 2.3) Specify the package for the SAP Web Dispatcher installation. Download the packages as indicated in SAP Note 908097. The installation screen also has links to the corresponding download pages. 2.4) SAP Host Agent: if the SAP Host Agent is not yet installed on the server, the SWPM tool will install it. Just follow the installation.
SAProuter is a kind of application-level firewall that allows your SAP servers to be accessed globally in a secure way. Nowadays it is a basic requirement for every customer who uses Solution Manager to get support from SAP. The following are the situations where you need SAProuter:
- You want your users to access the SAP server from outside the LAN without a VPN.
- You want to get support from SAP.
- You are planning to implement SAP Solution Manager.
- You want to download SAP Notes and corrections via the SNOTE assistant.
This document is targeted at those who have the following environment.
OS platform: Windows 2008 or higher (indeed, also for Windows 7)
Architecture: nt-x86_64
PREREQUISITES:
1. Get a public IP from your ISP for SAProuter.
2. Create a message on the support portal as described in SAP Note 28976 – Remote connection data sheet.
You will receive a confirmation from SAP with a destination SAP IP and a distinguished name.
3. NAT policy in the firewall permitting TCP ports 3200-3299 for the public IP registered above
(TCP ports for message servers 32<instance_no>, and any free TCP port as a dedicated port for SAProuter).
4. Download the latest version of SAProuter from the support portal.
(visit Support Packages –> Browse Download catalogue –> Additional components –> SAProuter)
5. Download the latest version of SAPCRYPTOLIB from the support portal.
(visit Support Packages –> Browse Download catalogue –> Additional components –> SAPCRYPTOLIB)
6. Download the latest version of SAPCAR to extract the software downloaded above.
(visit Support Packages –> Browse Download catalogue –> Additional components –> SAPCAR)
PREPARATIONS:
1. Copy all the files downloaded above into a temporary directory and un-CAR the SAProuter and cryptolib archives.
2. Open cmd, navigate to the temporary location above and execute: sapcar_<version>.exe -xvf <filename>.sar
3. Make a new directory (e.g. D:\usr\sap\saprouter) and paste the extracted router and cryptolib files into it.
4. I recommend creating a dedicated local user "sncadm" with the password set to never expire.
(In my case I used to change the password for <sid>adm, and this caused issues in starting the router.)
5. Log on with the SAProuter user and set the following user environment variables:
SECUDIR = <dir_saprouter> (e.g. SECUDIR = D:\usr\sap\saprouter)
SNC_LIB = <dir_saprouter>\nt-x86_x64\sapcrypto.dll (e.g. D:\usr\sap\saprouter\nt-x86_x64\sapcrypto.dll)
CONFIGURATION:
1. Generating a new certificate request.
a. Go to SAProuter Certificates –> click Apply Now, copy your distinguished name and click Next.
b. Open cmd as administrator, navigate to <path_saprouter>\nt-x86_x64 and execute:
sapgenpse get_pse -v -r certreq -p local.pse "<Distinguished Name>"
example: sapgenpse get_pse -v -r certreq -p local.pse "CN=example, OU=00123456, OU=SAProuter, O=SAP, C=DE"
c. It will ask you to enter and re-enter a PIN. This is used to access local.pse, so note it down.
d. A file "local.pse" will be created in the SAProuter directory. (e.g. D:\usr\sap\saprouter\local.pse)
e. A file "certreq" will be created under <dir_saprouter>\nt-x86_x64 (e.g. D:\usr\sap\saprouter\certreq)
2. Acquiring a certificate signed by the CA.
a. Open the "certreq" file with Notepad and copy the text (including the BEGIN and END lines).
b. Paste it on the certificate page opened above and click Next.
c. You will get a certificate (a series of jumbled characters); copy it (including the BEGIN and END lines).
d. Create a new file "routcert.txt" under <dir_saprouter>\nt-x86_x64 and paste the certificate text above into it.
3. Importing the router certificate.
a. Open cmd as administrator, navigate to <dir_saprouter>\nt-x86_x64 and execute:
sapgenpse import_own_cert -c routcert.txt -p local.pse
Running the above command will ask you to enter the PIN; enter the one you gave in step 1c.
4. Authorizing the Windows user to access SAProuter.
Execute the following command as the SAProuter user (sncadm):
sapgenpse seclogin -p local.pse -O <exclusive_user_SAProuter>
example: sapgenpse seclogin -p local.pse -O hostname\sncadm
Now you will be prompted to enter the PIN; enter the one you gave in step 1c.
Check whether a file "cred_v2" has been created in the SAProuter directory.
5. Verifying the authorization of the sncadm user for SAProuter.
Log on as the SAProuter user, open cmd, navigate to <dir_saprouter>\nt-x86_x64 and execute:
sapgenpse get_my_name -v -n Issuer
You should get output like this: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Voila! You have configured your SAProuter successfully.
But wait. We have to check whether the router works or not.
Start your SAProuter using the command <dir_saprouter>\saprouter.exe -r
You should get the output "trcfile dev_rout no logging active". This shows that the router started successfully. But if you close the above command prompt, your SAProuter will shut down.
We can avoid this by registering SAProuter as a Windows service, so that it runs in the background.
Registering SAProuter as Windows service:
1. Open a command prompt as administrator and navigate to <dir_saprouter>.
2. Execute the following command as is, replacing <path> with your SAProuter directory path and <distinguished name> with your distinguished name:
sc.exe create SAPRouter binPath= "<path>\saprouter.exe service -r -S 3299 -W 60000 -R <path>\saprouttab -K ^p:<distinguished name>^"
example: sc.exe create SAPRouter binPath= "D:\usr\sap\saprouter\saprouter.exe service -r -S 3299 -W 60000 -R D:\usr\sap\saprouter\saprouttab -K ^p:CN=example, OU=00123456, OU=SAProuter, O=SAP, C=DE^"
3. You will get an output saying service "SAPRouter" created successfully.
4. Open "regedit.exe" and edit the string "ImagePath" under the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saprouter
5. Replace ^ with " and click OK. The updated value should look like the one below:
<path>\saprouter.exe service -r -S 3299 -W 60000 -R <path>\saprouttab -K "p:CN=example, OU=00123456, OU=SAProuter, O=SAP, C=DE"
6. Now open "Services", right-click "SAPRouter" and choose Properties. Click on the "Log On" tab and choose "This account".
Type the user ID created for configuring SAProuter (sncadm), type the password and then click Apply.
7. Now start the SAPRouter service and you're done.
Congrats!! You have implemented SAProuter successfully.
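The service command above points SAProuter at a route permission table (saprouttab) with -R, and that table is what makes SAProuter the application-level access control described at the start of this document: every incoming connection is checked against it, and anything not explicitly permitted is refused. The page never shows the file, so the following is an added example, not part of the original post: a small Python evaluator for saprouttab entries. It relies on the documented entry format (one entry per line; P = permit, D = deny, S = permit only the native SAP protocol; fields are source host, destination host, destination port; * is a wildcard; the first matching entry wins; no match means deny). The sample table, the IP addresses in it, and the use of shell-style pattern matching for partial host patterns are this example's own assumptions.

```python
"""
Added example (not from the original post): evaluate connection requests against
a saprouttab the way SAProuter does (first matching entry wins, no match = deny).
The sample table and addresses below are constructed for this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List

# Constructed sample: SAP support reaches one dispatcher port, the internal admin
# subnet may use SAP protocol only towards the app server, everything else denied.
SAMPLE_SAPROUTTAB = """\
# saprouttab (constructed sample; a 5th password field, if present, is ignored)
P  194.39.131.34   10.0.1.10   3200
S  10.0.2.*        10.0.1.10   32*
D  *               *           *
"""


@dataclass
class RouteEntry:
    action: str   # "P" permit, "D" deny, "S" native SAP protocol only
    source: str   # client host pattern
    dest: str     # target host pattern
    port: str     # target port pattern


def parse_saprouttab(text: str) -> List[RouteEntry]:
    """Parse the table, skipping blank lines and '#' comments; reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("P", "D", "S"):
            raise ValueError(f"line {lineno}: malformed saprouttab entry {raw!r}")
        entries.append(RouteEntry(parts[0], parts[1], parts[2], parts[3]))
    return entries


def evaluate(entries: List[RouteEntry], source: str, dest: str, port: int,
             native_sap: bool = True) -> str:
    """Return 'permit' or 'deny' for a request. Entries are checked in order and
    the first match decides; 'S' permits only native SAP protocol traffic;
    a request matching nothing is denied (SAProuter's default)."""
    for e in entries:
        if (fnmatchcase(source, e.source) and fnmatchcase(dest, e.dest)
                and fnmatchcase(str(port), e.port)):
            if e.action == "P":
                return "permit"
            if e.action == "S":
                return "permit" if native_sap else "deny"
            return "deny"
    return "deny"


if __name__ == "__main__":
    table = parse_saprouttab(SAMPLE_SAPROUTTAB)
    for src, dst, prt in [("194.39.131.34", "10.0.1.10", 3200),
                          ("10.0.2.7", "10.0.1.10", 3201),
                          ("203.0.113.5", "10.0.1.10", 3200)]:
        print(f"{src} -> {dst}:{prt}  {evaluate(table, src, dst, prt)}")
```

The design point worth keeping in mind when writing the real table: because the first match wins, a broad P entry placed before a D entry silently overrides the deny, so put the most specific permits first and end the file with an explicit deny-all line as above.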
What is setroubleshootd
SELinux (Security Enhanced Linux) provides mandatory access control to the Linux operating system. SELinux is quite pervasive, even if only in PERMISSIVE mode. This can expose latent bugs in non-SELinux components that are not visible unless SELinux is running. Frustrated users have developed the perception that SELinux is difficult to use.
The setroubleshoot service is intended to make SELinux more friendly. It collects SELinux audit events from the kernel and runs a series of analysis plug-ins to examine an access violation detected by SELinux. It then records the results of the analysis and signals any clients which have requested notifications of these events. One tool which makes use of this is the sealert tool, which presents desktop notifications similar to email biff alerts.
SELinux must be enabled to run this service.
Service Control
On CentOS/RHEL 6 and above, setroubleshootd does not require an init script to start/stop; instead it is started via D-Bus, but it is still used to analyze AVC messages. Two new programs act as the method to start setroubleshoot when needed: sedispatch and seapplet. sedispatch receives all messages from the audit system and uses the audit library to search for AVC messages; when it finds an AVC denial message, it passes it to setroubleshootd if it is already running, or starts setroubleshootd if it is not. The seapplet utility runs in the system toolbar, waiting for D-Bus messages from setroubleshootd. It launches the notification bubble, allowing the user to review AVC messages.
Installation
1. Install the setroubleshoot package.
2. Verify the SELinux status and make sure that it is set to Enforcing.
3. The setroubleshoot service is controlled by the /etc/setroubleshoot/setroubleshoot.cfg configuration file.
Testing the functionality
Bind the sshd daemon to a non-standard port, i.e. define an additional port in the /etc/sshd/sshd_config file:
Restart sshd. It will bind to port 22 successfully, but it will not be allowed to bind to port 222, since that is blocked by SELinux as a non-standard port for the ssh_port_t port type. While restarting the sshd service, check the output of "ps aux | grep setroubleshoot"; the dbus service will have triggered the setroubleshoot process.
While restarting the sshd service it will try to bind to port 222, but setroubleshoot will block it, and the log details will be captured in the /var/log/audit/audit.log file for the denial of access to the non-standard port 222.
The audit.log file can be read using the sealert tool.
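To make the test above concrete, here is an added example, not part of the original article, that does in a few lines what setroubleshoot's plug-ins do at scale: it picks the AVC denial records out of audit.log text, extracts the fields a triage needs (the denied permission, the process, the port, the source and target SELinux types, and whether the system was enforcing), and derives the standard fix for a port-binding denial, namely labelling the extra port with the daemon's port type via semanage. The audit records below are constructed samples in the audit.log record format, not captured output; the port type reserved_port_t assigned to port 222 in the sample and the ssh_port_t passed to suggest_fix are this example's assumptions.

```python
"""
Added example (not from the original article): parse SELinux AVC denials from
audit.log records and suggest the semanage port labelling fix for name_bind
denials, mirroring the sshd-on-port-222 test above. Sample lines are constructed.
"""
import re
from typing import Any, Dict, List, Optional

# Constructed sample records (not a real capture): a service start, the denial
# for port 222, and a granted bind on the standard port 22.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1502700000.100:450): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1502700000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="sshd" src=222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1502700000.130:457): avc:  granted  { name_bind } for  pid=1234 comm="sshd" src=22 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
"""

# AVC record header: timestamp:serial, verdict, and the permission set in braces.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm="sshd") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(log_text: str) -> List[Dict[str, Any]]:
    """Return one summary dict per *denied* AVC record; other records are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group("verdict") != "denied":
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        denials.append({
            "timestamp": m.group("ts"),
            "permission": m.group("perms").strip(),
            "comm": fields.get("comm", "?"),
            "pid": fields.get("pid", "?"),
            "src_port": fields.get("src", "?"),
            # a context is user:role:type:level, so index 2 is the type
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "tclass": fields.get("tclass", "?"),
            # permissive=0 means the denial was actually enforced
            "enforced": fields.get("permissive", "0") == "0",
        })
    return denials


def suggest_fix(denial: Dict[str, Any], wanted_port_type: str) -> Optional[str]:
    """For a name_bind denial on a TCP port, the usual remedy is to label the port
    with the daemon's port type (ssh_port_t for sshd, supplied by the caller)."""
    if denial["permission"] == "name_bind" and denial["tclass"] == "tcp_socket":
        return f"semanage port -a -t {wanted_port_type} -p tcp {denial['src_port']}"
    return None


if __name__ == "__main__":
    for d in parse_avc_denials(SAMPLE_AUDIT_LOG):
        mode = "enforcing" if d["enforced"] else "permissive"
        print(f"{d['comm']} (pid {d['pid']}) denied {d['permission']} on port "
              f"{d['src_port']}: {d['source_type']} -> {d['target_type']} [{mode}]")
        print("  suggested fix:", suggest_fix(d, "ssh_port_t"))
```

The reason to look at source_type and target_type rather than just the process name is that the fix differs by target: a port carrying the daemon's own type is allowed already, while a port labelled with a generic type (such as the reserved_port_t in the sample) needs a semanage port relabel, which is exactly what sealert recommends for this scenario.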
