Hi Vel,
As the saprouter is looking for the file sncgss.o, I cannot believe that, in that user context, the following variable is really set as described:
SNC_LIB - /usr/sap/saprouter/libsapcrypto.o
but: I read the note and would say: I'm really sorry for you ;-(((
I would say that it was not possible to describe it in an even more complicated way ... (in my eyes, it is correct, but really complicated)
Our documentation is a bit simpler for this, but would require an installed SAP system on the box, which should be the case in 99% of all cases ...
SAProuter SNC for PASE for iSeries - Version 2.05:
==================================================
Replace all occurrences of "EX6" with your "SID" ... !!!
Test the connection to SAP with Transaction SM59 RFC SAPOSS
Check for the SAP/Common-Cryptolib first:
- Up to 7.2x it is mostly libsapcrypto.o
- As of 7.4x it is mostly libsapcrypto.so
You can check as follows:
WRKLNKSAP DIR('/usr/sap/EX6/sys/exe/run/libsapcryp*')
Based on the results, you should leave it as libsapcrypto.so in this file
or replace all occurrences of "libsapcrypto.so" with "libsapcrypto.o"
for older kernels.
This tool assumes, you are on iSeries and want to make use
of the saprouter & CommonCryptoLib in each (new) kernel of each SID ;-)
Further information for all platforms:
https://support.sap.com/remote-support/help/installing-saprouter.html
The following needs to be done once only and does NOT need to be done every year:
BUT: If you redo the certificate request, you need to wipe out the following files in /usr/sap/saprouter first:
- certreq
- cred_v2
- local.pse
http://support.sap.com/remote-support/saprouter/saprouter-certificates.html => Apply for a SAProuter certificate (ONLY in order to retrieve the correct "Distinguished Name" (DN) right now)
In this example:
Distinguished Name of SNC SAProuter (Parameter for SAPGENPSE):
(This is typically on the SAP site the server sapserv2 - otherwise, you have to change the saprouttab accordingly.)
CN=AURORA, OU=0000121933, OU=SAProuter, O=SAP, C=DE
(You should replace all occurrences of this in this document.)
EX6ADM ToDos:
Logon with EX6ADM:
MKDIR DIR('/usr/sap/saprouter')
CD DIR('/usr/sap/saprouter')
RMVENVVAR ENVVAR('SECUDIR')
ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')
RMVENVVAR ENVVAR('SNC_LIB')
ADDENVVAR ENVVAR('SNC_LIB') VALUE('/usr/sap/EX6/sys/exe/run/libsapcrypto.so')
As the command is pretty long, you might want to use QCMD:
CALL PGM(QCMD)
STRQSH CMD('SAPGENPSE get_pse -v -a sha256WithRsaEncryption -s 2048 -x "" -r /usr/sap/saprouter/certreq -p /usr/sap/saprouter/local.pse "CN=AURORA, OU=0000121933, OU=SAProuter, O=SAP, C=DE"')
(PIN should always stay empty in order to keep it simple next year! (-x "" => No PIN ...))
============================================================================================
============================================================================================
As of here, you have to do the things every year:
/usr/sap/saprouter/certreq:
-----BEGIN CERTIFICATE REQUEST-----
MIIBnDCCAQUCAQAwXDELMAkGA1UEBhMCREUxDDAKBgNVBAoTA1NBUDESMBAGA1UE
CxMJU0FQcm91dGVyMRMwEQYDVQQLEwowMDAwMjUwMTc0MRYwFAYDVQQDFA1zbmNf
...
pF84rCeMNxzrkZjeMNNjQgOFGjmzo32bu4Zj4EH7HBcyDsmpmvfrKzmH27JFukyS
R/7PZ2Cq5wfRKkbGl9Ntdr1RsMoVsIPSzyWLTqtToA4=
-----END CERTIFICATE REQUEST-----
http://support.sap.com/remote-support/saprouter/saprouter-certificates.html => Apply for a SAProuter certificate
Put the /usr/sap/saprouter/certreq file to SAP (even the one from last year is OK) and receive the srcert file:
EDTF STMF('/usr/sap/saprouter/certreq')
/usr/sap/saprouter/srcert:
-----BEGIN CERTIFICATE-----
MIIH6AYJKoZIhvcNAQcCoIIH2TCCB9UCAQExADALBgkqhkiG9w0BBwGggge9MIICe
jCCAeOgAwIBAgIDAW8/MA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNVBAYTAkRFMQwwCg
...
hU4EAbX+3Bpde2AtBjp2PDLNx4eklgnSi45prDYNWGvZO2XkBNm7tPDAAsOyw9KZq
dbGH0l7LbzByc77aRGZx/EZGAr5shmwCk2zbjEA
-----END CERTIFICATE-----
Put the srcert file to /usr/sap/saprouter/srcert on the iSeries:
- via \\iSeries-name\rootbin
- cut&paste via EDTF (in several chunks :-((( )
Logon with EX6ADM:
(depending on the user that is running the SAProuter)
CD DIR('/usr/sap/saprouter')
CALL PGM(SAPEX6IND/SAPINLPGM)
RMVENVVAR ENVVAR('SECUDIR')
ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')
RMVENVVAR ENVVAR('SNC_LIB')
ADDENVVAR ENVVAR('SNC_LIB') VALUE('/usr/sap/EX6/sys/exe/run/libsapcrypto.so')
STRQSH CMD('SAPGENPSE import_own_cert -c srcert -p local.pse')
STRQSH CMD('SAPGENPSE seclogin -p local.pse')
STRQSH CMD('SAPGENPSE get_my_name -v -n Issuer')
STRQSH CMD('SAPGENPSE get_my_name')
The following certificate is needed up to 07/18/2015 only:
(Note 2131531 - New Root Certification Authority for saprouter certificates)
(After this change you need to restart the SAProuter !)
Check the PSE for a certificate before:
STRQSH CMD('SAPGENPSE maintain_pk -l -p /usr/sap/saprouter/local.pse')
Add the old saprouter certificate to the PSE:
smprootca.der: Either from V:\knowhow\SAP\WEBAS\saprouter\smprootca.der or from note 2131531
STRQSH CMD('SAPGENPSE maintain_pk -a /usr/sap/saprouter/smprootca.der -p /usr/sap/saprouter/local.pse')
Check the PSE for a certificate afterwards:
STRQSH CMD('SAPGENPSE maintain_pk -l -p /usr/sap/saprouter/local.pse')
CL-Programs to start the SAProuter automatically:
CRTLIB LIB(SAPROUTER) TEXT('SAProuter Lib for PASE SAProuter with sidadm')
CRTSRCPF FILE(SAPROUTER/QCLSRC)
EDTF FILE(SAPROUTER/QCLSRC) MBR(STRROUTSM)
CRTCLPGM PGM(SAPROUTER/STRROUTSM) SRCFILE(SAPROUTER/QCLSRC)
Source of STRROUTSM-CL-Pgm:
PGM
SBMJOB CMD(CALL PGM(SAPROUTER/STRROUTER)) JOB(SAPROUTSNC) +
JOBQ(QCTL) USER(EX6ADM) LOG(4 00 *SECLVL)
ENDPGM
EDTF FILE(SAPROUTER/QCLSRC) MBR(STRROUTER)
CRTCLPGM PGM(SAPROUTER/STRROUTER) SRCFILE(SAPROUTER/QCLSRC)
Source of STRROUTER-CL-Pgm: (needs to run with EX6ADM):
PGM
CALL PGM(SAPEX6IND/SAPINLPGM)
RMVENVVAR ENVVAR('SECUDIR')
MONMSG MSGID(CPF0000)
ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')
MONMSG MSGID(CPF0000)
RMVENVVAR ENVVAR('SNC_LIB')
MONMSG MSGID(CPF0000)
ADDENVVAR ENVVAR('SNC_LIB') +
VALUE('/usr/sap/EX6/sys/exe/run/libsapcrypto.so')
MONMSG MSGID(CPF0000)
CD DIR('/usr/sap/saprouter')
STRQSH CMD('SAPROUTER -r -S 3299 -R ./saprouttab -K +
"p:CN=AURORA, OU=0000121933, OU=SAProuter, O=SAP, C=DE" -G +
./saprouter.log -T ./saprouter_dev_rout.log')
ENDPGM
Test the connection to SAP with Transaction SM59 RFC SAPOSS
Attention: The file needs to be "CR & LF" or "LF ONLY" BUT NOT "CR ONLY" => change it in EDTF with F15 accordingly !!!
EDTF '/usr/sap/saprouter/saprouttab'
# SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
# SNC-connection from SAP to telnet in your network
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 23
# Access from the local Network to SAPNet - R/3 Frontend (OSS)
P * 194.39.131.34 3299
# deny all other connections
D * * *
Regards,
Volker Gueldenpfennig, consolut international ag
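
An added example, not part of the original post: a small Python check for a saprouttab file that reports the "CR ONLY" line-ending problem mentioned above, malformed entries (such as an unquoted SNC name), and a missing final `D * * *`. The function name `audit_saprouttab` is hypothetical, and the per-rule field counts and the "p:" prefix check are assumptions based on the entries shown in the post.

```python
import re
import shlex

# Fields allowed after the rule type (assumption, based on the entries in the post):
RULE_FIELDS = {
    "P": (2, 4), "S": (2, 4), "D": (2, 4),     # src-host dst-host [serv [password]]
    "KP": (2, 4), "KS": (2, 4), "KD": (2, 4),  # snc-name dst-host [serv [password]]
    "KT": (3, 3),                              # snc-name dst-host serv
}

def audit_saprouttab(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no problem was detected."""
    findings = []
    if re.search(rb"\r(?!\n)", data):          # a CR that is not part of CRLF
        findings.append("line-endings: bare CR found; file must be CRLF or LF")
    rules = []
    for no, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        try:
            kind, *fields = shlex.split(line)  # keeps a quoted SNC name as one field
        except ValueError as exc:              # e.g. unterminated quote
            findings.append(f"line {no}: {exc}")
            continue
        if kind not in RULE_FIELDS:
            findings.append(f"line {no}: unknown rule type {kind!r}")
            continue
        lo, hi = RULE_FIELDS[kind]
        if not lo <= len(fields) <= hi:
            findings.append(f"line {no}: {kind} takes {lo}-{hi} fields, got {len(fields)}")
        elif kind.startswith("K") and not fields[0].startswith("p:"):
            findings.append(f"line {no}: SNC name {fields[0]!r} lacks 'p:' prefix")
        rules.append((kind, fields))
    if not rules or rules[-1] != ("D", ["*", "*", "*"]):
        findings.append("no final 'D * * *' deny-all rule")
    return findings

# Constructed sample: the table from the post, saved with LF line endings.
SAMPLE = b"""# SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 23
P * 194.39.131.34 3299
D * * *
"""

if __name__ == "__main__":
    for name, blob in (("LF", SAMPLE), ("CR only", SAMPLE.replace(b"\n", b"\r"))):
        print(name, audit_saprouttab(blob) or "ok")
```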