SAP Router configuration and renewal of the SAP router certificate
Source: http://sapbasiscrew.blogspot.my/2016/09/sap-router-configuration-and-renew-of.html
The first thing to do is to send a customer message to SAP
Support (component XX-SER-NET-OSS-NEW) and tell them to register the
hostname and IP of your new SAProuter.
You have to register it with an official IP address (no internal IPs
allowed), but it’s allowed to use NAT in the firewall/router.
After you’ve received a confirmation from SAP that your SAProuter has
been registered, you are ready to configure your SAProuter.
If your SAProuter directory is C:\usr\sap\saprouter, these are the steps
to follow.
1. Set two environment variables: SECUDIR and SNC_LIB
The environment variable SNC_LIB needs to be set for the user account
SAProuter is running under.
Variable Name : SNC_LIB
Variable Value : D:\usr\sap\saprouter\ntintel\sapcrypto.dll
Set the environment variable SECUDIR = <directory_of_saprouter>
Variable Name : SECUDIR
Variable Value : D:\usr\sap\saprouter
2. Download the SAP Crypto Library from the SAP Service Marketplace.
Create the folder d:\usr\sap\saprouter on the system where you are installing
and unpack the downloaded software into it.
Copy these files to the saprouter folder:
saprouter.exe
niping.exe
sapgen.exe
Then copy these files to the saprouter folder:
LEGAL.TXT
Ticket
LICENSE.txt
Saprouttab
Copy the ntintel folder to the saprouter folder.
3. To generate a certificate request, run the command:
sapgenpse get_pse -v -r certreq -p local.pse "CN=SOLMAN, OU=0000491517, OU=SAProuter, O=SAP, C=DE"
Note: You will be asked for a PIN code. Just pick your own 4 numbers, but
you’ll have to use the same PIN every time you’re asked to enter one.
Please enter PIN:
Please reenter PIN:
Supplied distinguished name: "CN=SOLMAN, OU=0000491517, OU=SAProuter, O=SAP, C=DE"
Generating key (RSA, 1024-bits) ... succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
Generating certificate request... ok.
4. Then you have to follow the guide and request the certificate from
http://service.sap.com/tcs -> Download Area -> SAProuter Certificate
Go to http://service.sap.com/saprouter-sncadd
Request the certificate for the SAP router, which will give you the certificate.
5. Create a file C:\usr\sap\saprouter\srcert, copy the requested
certificate into this file and save it.
Then run the command:
sapgenpse import_own_cert -c C:\usr\sap\saprouter\srcert -p local.pse
6. To generate credentials for the user that’s running the SAProuter
service, run command:
sapgenpse seclogin -p local.pse
running seclogin with USER="XXXadm"
Please enter PIN:
Added SSO-credentials for PSE "C:\usr\sap\saprouter\local.pse"
"CN=SOLMAN, OU=0000491517, OU=SAProuter, O=SAP, C=DE"
7. Check the configuration by running command:
sapgenpse get_my_name -v -n Issuer
(This should always give the answer “CN=SAProuter CA, OU=SAProuter,
O=SAP, C=DE”)
C:\usr\sap\saprouter>sapgenpse get_my_name -v -n Issuer
Opening PSE "D:\usr\sap\saprouter\local.pse"...
PSE open ok.
ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "wr1adm"
with PSE file "D:\usr\sap\saprouter\local.pse"
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
8. Run the command:
saprouter -r -K "p:CN=SOLMAN, OU=0000491517, OU=SAProuter, O=SAP, C=DE" -V 2
9. Create the SAProuter service on Windows with the command:
ntscmgr install SAProuter -b C:\usr\sap\saprouter\saprouter.exe -p "service -r -R C:\usr\sap\saprouter\saprouttab -K ^p:CN=SOLMAN, OU=0000491517, OU=SAProuter, O=SAP, C=DE^"
10. Edit the Windows Registry key as follows:
MyComputer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAProuter\ImagePath -> Change both ^ to "
11. Start the SAProuter service
12. Enter the required parameters in OSS1 -> Technical Settings
How to troubleshoot SAP router connectivity issues and how to renew the SAP router certificate.
1) Issue: SAP Global Support is unable to connect to the SAP system.
Steps to verify the SAP router connectivity at the SAP system level
a) Execute TCODE: SM59 -> "ABAP Connections" -> double-click "SAPOSS"
b) Click "Connection Test"
c) Sample error on the SAP router connectivity
Sometimes the cause is the password for user OSS_RFC (default password "CPIC") or a network issue;
check and fix it.
2) Steps to check the SAP router certificate validity and how to renew the certificate
Steps to check the SAP router certificate validity
a) Log in to the system where the SAP router is installed with the <SID>adm account
Execute: sapgenpse get_my_name -v -n Issuer, sapgenpse get_my_name
An expired certificate causes the SAP system connectivity to fail
3) ERROR: The connection to the specified message server (/H/XXX.XXX.X.XX/S/sapd
24177 - OSS1: Message S1452: Connection to Message Server
Steps to renew the SAP router certificate
1) Log in to the SAP support portal -> Maintenance & Services -> SAP Trust Center Services -> SAProuter certificates
2) Click "Apply Now"
3) Ensure the SAP router details have been created and click "Continue"
4) Copy the "Distinguished name" to be used in the certificate creation process later.
5) Log in to the system where the SAP router is installed with the <SID>adm account
Back up these files: certreq, cred_v2, local.pse, srcert
6) Stop the SAP router service
7) Execute: sapgenpse get_pse -v -r certreq1 -p local.pse
Create a new PIN when prompted; it will be used later in the certificate creation process
Paste the distinguished name copied from the SAP support portal previously
8) Check that the "certreq1" file has been created. Copy all the contents of the file.
9) Paste the "certreq1" file contents into the SAP portal text box and click "Request Certificate"
10) Again copy all the contents generated by the portal.
11) Paste the copied contents into Notepad and save them as the "srcert" file in the SAP router folder
12) Install the certificate, execute: sapgenpse.exe import_own_cert -c srcert -p local.pse
13) Create the "cred_v2" file, execute: sapgenpse seclogin -p local.pse with the PIN created earlier (Step 7)
14) Check the newly created certificate and that the validity date has been updated
Execute: sapgenpse get_my_name -v -n Issuer, sapgenpse get_my_name
15) Start the SAP router service
16) Test the connectivity with TCODE: SM59
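The issuer check from step 7 of the setup and the validity check from step 14 of the renewal can be automated over captured sapgenpse get_my_name output. This is an added example, not part of the original post or SAP's tooling: the function names are hypothetical, the sample text is constructed, and the layout of the Validity/NotAfter lines is an assumption to adjust to what your sapgenpse version prints.

```python
import re
from datetime import datetime, timezone

# Issuer that step 7 says the check must always report.
EXPECTED_ISSUER = "CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE"

# Constructed sample. The Issuer line follows the output shown in step 7;
# the Validity lines and their dates are an assumed layout, not from the page.
SAMPLE_OUTPUT = """\
Opening PSE "D:\\usr\\sap\\saprouter\\local.pse"...
PSE open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
Subject : CN=SOLMAN, OU=0000491517, OU=SAProuter, O=SAP, C=DE
Issuer  : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Validity  -  NotBefore:   Mon Sep  5 10:00:00 2016 (160905080000Z)
              NotAfter:   Tue Sep  5 10:00:00 2017 (170905080000Z)
"""

def normalize_dn(dn):
    """Compare DNs ignoring case and the spacing around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_pse_output(text, now, warn_days=30):
    """Return (status, detail) for captured `sapgenpse get_my_name` output."""
    issuer = re.search(r"^\s*Issuer\s*:\s*(.+)$", text, re.M)
    not_after = re.search(r"NotAfter:.*\((\d{12})Z\)", text)
    if not issuer or not not_after:
        return "UNKNOWN", "Issuer or NotAfter line not found"
    if normalize_dn(issuer.group(1)) != normalize_dn(EXPECTED_ISSUER):
        return "BAD_ISSUER", issuer.group(1).strip()
    # The value in parentheses is a UTC timestamp in YYMMDDhhmmss form.
    expires = datetime.strptime(not_after.group(1), "%y%m%d%H%M%S")
    days_left = (expires.replace(tzinfo=timezone.utc) - now).days
    if days_left < 0:
        return "EXPIRED", f"expired {-days_left} days ago"
    if days_left <= warn_days:
        return "RENEW_SOON", f"{days_left} days left"
    return "OK", f"{days_left} days left"

if __name__ == "__main__":
    print(check_pse_output(SAMPLE_OUTPUT, datetime.now(timezone.utc)))
```

Run it on a schedule against the real command output so that an upcoming expiry is noticed before the SAPOSS connection test in SM59 starts failing.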