SAProuter SNC Setup & Configuration

IMPORTANT – NEW METHOD TO RENEW SAPROUTER CERTIFICATE:
Refer to SAP Note 2131531 and the link below:
https://support.sap.com/remote-support/help/installing-saprouter.html

Prerequisites

• Prepare a Public IP Address.
• Download SAProuter and SAP Cryptographic from the SAP Service Marketplace.
• Ensure both ports 3299 & 3298 are open to SAP.

SAProuter SNC Setup

Create a new folder named saprouter under the /usr/sap/ directory. Extract both downloaded files (SAProuter & SAP Cryptographic) into the saprouter folder.

Set the following environment variables:

SECUDIR=C:\usr\sap\saprouter (path to saprouter directory)
SNC_LIB=C:\usr\sap\sapcrypto.dll (path to sapcrypto.dll)

Create an OSS message to SAP as described in SAP Note 28976, and attach the remote connection data sheet to the message. Set the component to XX-SER-NET-NEW and the short text of the message to “Remote Connection Data Sheet”.

Once SAP replies that the registration is done, navigate to http://service.sap.com/saprouter-sncadd and click Apply Now.

SAProuter Certificate - Apply Now

Select the SAProuter which you want to register with SAP. Click Continue.

SAProuter Certificate - Request Certificate

The following page is to create the CSR on SAProuter.

SAProuter Certificate - Create CSR on SAProuter

To do this, go back to the /usr/sap/saprouter directory and execute the command below (a single-line command). As a result, two files will be generated: certreq and local.pse. You will be asked to enter a 4-digit PIN code; just enter a 4-digit number, e.g. 1234. The same PIN is requested again by the later sapgenpse commands. [Note: Distinguished Name = “CN=ITsiti, OU=000012345, OU=SAProuter, O=SAP, C=DE”]

sapgenpse get_pse -v -r C:\usr\sap\saprouter\certreq -p C:\usr\sap\saprouter\local.pse "<Distinguished Name>"
 Got absolute PSE path "C:\usr\sap\saprouter\local.pse".
Please enter PIN:
Please reenter PIN:
 Supplied distinguished name: "CN=ITsiti, OU=000012345, OU=SAProuter, O=SAP, C=DE"
 Creating PSE with format v2 (default)
 Generating key (RSA, 2048-bits) ... succeeded.
 certificate creation... ok
 PSE update... ok
 PKRoot... ok
Generating certificate request... ok.

Open certreq, then copy and paste its content into the Certificate Signing Request text area (above screenshot). Click Request Certificate.

Now copy the generated certificate from the Import Certificate into SAProuter page. Create a new file named srcert (with no extension) and paste the certificate into it.

SAProuter Certificate - Import Certificate into SAProuter

Install the SAP certificate (srcert) into your SAProuter. The command will create the dev_rout file.

sapgenpse import_own_cert -c C:\usr\sap\saprouter\srcert -p C:\usr\sap\saprouter\local.pse
Please enter PIN:
CA-Response successfully imported into PSE "C:\usr\sap\saprouter\local.pse"

Next, assign the credentials to the user that runs the saprouter (normally, just use sidadm). A file named cred_v2 will be created.

sapgenpse seclogin -p C:\usr\sap\saprouter\local.pse -O sidadm
 running seclogin with USER="sidadm"
 creating credentials for user "HOSTNAME\sidadm" (yourself)...
Please enter PIN:
 Adjusting credentials and PSE ACLs to include "HOSTNAME\sidadm"...
 Oh, you supplied your own name explicitly ... ok.
   C:\usr\sap\saprouter\sec\cred_v2  ... ok.
   C:\usr\sap\saprouter\local.pse  ... ok.
 Added SSO-credentials (#0) for PSE "C:\usr\sap\saprouter\local.pse"
   "CN=HOSTNAME, OU=0000123456, OU=SAProuter, O=SAP, C=DE"

Check your SAProuter configuration.

 sapgenpse get_my_name -v -n Issuer
 Opening PSE "C:\usr\sap\saprouter\local.pse"...
 PSE (v2) open ok.
 Retrieving my certificate... ok.
 Getting requested information... ok.
SSO for USER "sidadm"
  with PSE file "C:\usr\sap\saprouter\local.pse"

Issuer  : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

Create a saprouttab file.

KT "p:CN=sapservX, OU=SAProuter, O=SAP, C=DE" <SAPSERV-IP> *
KP "p:CN=sapservX, OU=SAProuter, O=SAP, C=DE" <YOUR-SAP-IP> PORT
P <YOUR-SAP-IP> <SAPSERV-IP> 3299

Note:
sapserv1 (194.117.106.129) connection via Internet VPN
sapserv2 (194.39.131.34) connection via Internet SNC
sapserv3 (147.204.2.5) for customers with connection to Germany
sapserv4 (204.79.199.2) for customers in America
sapserv5 (194.39.138.2) for customers with connection to Japan
sapserv7 (194.39.134.35) for customers in Asia
sapserv9 (169.145.197.110) for customers in Asia.
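
As an added example (not part of the original post or of SAP's tooling), the Python script below parses a saprouttab laid out like the one above and lists permit entries that contain wildcards and K* entries whose SNC name lacks the p: prefix used here. The function names, the sample entries and the documentation-range IP addresses are assumptions made for illustration.

```python
import shlex

PERMIT = {"P", "S", "KP", "KS"}        # entry types that allow a route
KNOWN = PERMIT | {"D", "KD", "KT"}     # D/KD deny, KT = SNC towards the next hop

def parse_saprouttab(text):
    """Return one dict per entry; '#' comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # keeps the quoted SNC name whole
        if not tok:
            continue
        # K* entries carry an SNC name where plain entries carry the source host
        peer, dest, service = (tok[1:] + [""] * 3)[:3]
        entries.append({"line": lineno, "kind": tok[0].upper(),
                        "peer": peer, "dest": dest, "service": service})
    return entries

def audit(entries):
    """Return (line, message) findings for entries that deserve a review."""
    findings = []
    for e in entries:
        if e["kind"] not in KNOWN:
            findings.append((e["line"], "unknown entry type " + e["kind"]))
            continue
        if e["kind"].startswith("K") and not e["peer"].startswith("p:"):
            findings.append((e["line"], "SNC name lacks the p: prefix"))
        if e["kind"] in PERMIT:
            wild = [n for n in ("peer", "dest", "service") if "*" in e[n]]
            if wild:
                findings.append((e["line"], "wildcard in " + ", ".join(wild)))
    return findings

# Constructed sample: same layout as the saprouttab above, documentation IPs.
SAMPLE = '''\
# SNC to SAP, then the permitted routes
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 198.51.100.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.0.2.10 3200
P 192.0.2.10 198.51.100.34 3299
P * * *
KP "CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.0.2.10 *
'''

if __name__ == "__main__":
    for line, msg in audit(parse_saprouttab(SAMPLE)):
        print(f"line {line}: {msg}")
```

Run it against a copy of your own saprouttab before starting SAProuter; an empty result means every permit entry names an explicit source, destination and service.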

Now start the SAProuter using the command below:

saprouter -r -S 3299 -V 3 -K "Distinguished-Name"

Finally, configure the OSS1 connection and verify the connection is working fine.
