Installing the sapcrypto library and starting

the SAProuter
Contents
• Downloading necessary software components from SAP Service Marketplace
• Creating the certificate request
• Additional actions necessary before you can start saprouter
This section describes the necessary steps to download and install the sapcrypto library for use with saprouter. The
saprouter must be started with the options described later in this section.
The license for the sapcrypto library covers saprouter connections between saprouters at SAP and the first
saprouter on customer sites and backend connections within the customer`s network. For all other purposes the
library CANNOT be used!

Downloading necessary software components from SAP

Service Marketplace
1. Login to the SAP Service Marketplace with the Service Marketplace USERID which is assigned to your
installation.
2. Change to the alias SAPROUTER-SNCADD. Before you can download the software components two
preconditions must be met.
a. You must have been allowed to download the software. This authorization is added as soon as
SAP has received a positive statement from the "Bundesausfuhramt". This procedure is necessary
since the software falls under EU regulations.
b. For more information on how to obtain authorization if download is not possible see note 397175.
c. You must accept that you must follow the regulations imposed by the EU on the use and
distribution of the cryptographic software components downloaded from the SAP Service
Marketplace.
3. The acceptance of the terms and conditions is logged with your USERID and stored for reporting purposes
to the "Bundesausfuhramt".
4. Accepting with the button on the web-based form takes you to the folder where you can download the
Software components.
These are packed into a single CAR file sapcrypto.car
5. Copy the file to the direcory where the saprouter executable is located
6. You can get the file car.exe/sapcar.exe, which is necessary to unpack the archive from any Installation
Kernel CD.
Executing the command car -xvf SAPCRYPTO.CAR will unpack the following files:
[lib]sapcrypto.[dll|so|sl]
sapgenpse[.exe]
ticket

Creating the certificate request

1. As user <snc>adm set the environment variables
SECUDIR = <directory_of_saprouter>
2. Change to the Shortlink SAPROUTER-SNCADD. From the list of SAProuters registered to your
installation, choose the relevant "Distinguished Name"
3. Generate the certificate Request with the command
sapgenpse get_pse -v -r certreq -p local.pse "<Your Distinguished Name>"
4. Alternatively use the two commands:
sapgenpse get_pse -v -noreq -p local.pse "<Your Distinguished Name>"
sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
 5. Display the output file "certreq" and with copy&paste insert the certificate request into the text area of the
same form on the SAP Service Marketplace from which you copied the Distinguished Name
6. In response you will receive the certificate signed by the CA in the Service Marketplace, cut&paste the text
to a local file named srcert
7. With this in turn you can install the certificate in your saprouter by calling
sapgenpse import_own_cert -c srcert -p local.pse
8. now you will have to create the credentials for the SAProuter with the same program (if you omit -O
<user>, the credentials are created for the logged in user account)
sapgenpse seclogin -p local.pse -O <user_for _saprouter>
9. This will create a file called cred_v2 in the same directory.
For increased security please check that the file can only be accessed by the
user running the SAProuter.

Do not allow any other access (not even from the same group)!
On UNIX this will mean permissions being set to 600 or even 400!
On NT check that the permissions are granted only to the user the
service is running as!
10. Check if the certificate has been imported correctly
sapgenpse get_my_name -v -n Issuer

The name of the Issuer should be: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
11. If this is not the case, delete the files cred_v2, local.pse and start over at Item 4. If the output still does not
match please open a customer message in component XX-SER-NET-OSS stating the actions you have
taken so far and the output of the commands
4.,7.,8. and 10.

Additional actions necessary before you can start saprouter

1.The environment variable SNC_LIB needs to be set for the user account SAProuter is running under.
SNC_LIB has the form
<path_to_libsecude>/<name_of_sap
UNIX crypto_library>
<drive>:\<path_to_libsecude>\<na
Windows NT, Windows 2000 me_of_sapcrypto_library>
2. Check if the environment of the user running saprouter contains the environment variable SNC_LIB
UNIX printenv
Windows NT System environment variable
3. start the saprouter with the following command line:
saprouter -r -S <port> -K "p:<Your Distingushed Name>"
-K tells the saprouter to start with loading the SNC
library
the corresponding file ./saprouttab should contain at least the following entries
# inbound connections MUST use SNC
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
<your_server1> <port_number>
# repeat this for the servers and port_numbers you will
need to allow,
# please make sure that all explicit ports are inserted in
front of a
# generic entry '*' for port_number

# outbound connections to <sapservX> will use SNC

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapservX>
<sapservX_inbound_port>
 # permission entries to check if connection is allowed at
all
P <IP address of a local host> <IP address of sapserv2>

# all other connections will be denied

D * * *

Example
For a SNC encrypted connection to the SAPRouter on sapserv2 (194.39.131.34), the saprouttab should
contain the following entries:
# SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server>
<R/3-Instance>
# SNC-connection from SAP to local R/3-System for
NetMeeting, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server>
1503
# SNC-connection from SAP to local R/3-System for
saptelnet, if it is needed
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server>
23
# Access from the local Network to SAPNet - R/3 Frontend
(OSS)
P <IP-addess of a local PC> 194.39.131.34 3299
# deny all other connections
D * * *