SAProuter Installation

SAProuter Installation on UNIX

1. Create the subdirectory SAProuter in the directory /usr/sap/.
2. Download the latest version from service.sap.com.
3. Copy programs 'saprouter' and 'niping' into the directory
/usr/sap/saprouter.
4. Add the following lines to the file
/users/<SID>adm/startsap_<hostname>_<instance number> before the
lines '#Start OS-Collector
daemon'.
--------------------------------------------------------------#
# Start saprouter
#
SRDIR=/usr/sap/saprouter
if [ -f $SRDIR/saprouter ];then
echo "\nStarting saprouter Daemon " tee -a $LOGFILE
echo "
" tee -a $LOGFILE
$SRDIR/saprouter -r -W 30000 -R $SRDIR/saprouttab \
tee -a $LOGFILE &
fi
----------------------------------------------------------------This entry automatically starts the SAProuter during the system start and it
ensures that the SAProuter is always started. Since the SAProuter should
continue to run after R/3 is shut down no respective entry is included in the
Stopsap Script. If you boot the R/3 several times, the system displays error
messages when the SAProuter is started. You can ignore these error messages.
The entry of the SAProuter in the Startup Script is a recommendation.
5. However, you can also start the SAProuter manually using saprouter
-r
The corresponding routing table must be maintained in
/usr/sap/saprouter/saprouttab.
If you do not want an authorization check use the line 'P * * *'.
\\

Opening/Closing a Service Connection

In order to access SAPs remote services such as EarlyWatch or Remote
Consulting, or to allow a customer support consultant to have access to your
system, you need to open a service connection. To open and close a service
connection, follow these steps:
1.
2.
3.
4.
5.

Establish a remote connection

Get to the Service Connection: Select System screen.
Define your installations
Open a service connection
Close the service connection.

The following sections explain the above steps in more detail

Getting to the Service Connection:
Select System Screen
To get to the Service Connection: Select System screen, follow these steps:
1. If you are not already there, go to the Inbox: <Your Name> screen. (See
Getting Started.)
2. In the first row of buttons, select SAPNet.
3. In the SAPNet group, select Service. The group directly below SAP Net
becomes Service.
4. In the centermost Service group, select Service connection. The Service
Connection: Select System screen appears.
Defining Your Installations
Once in the Service Connection: Select System screen, follow these steps to
define your installations:
1. Double click on the installation that you would like to define.
2. Select System data. Make sure that all the information are correct, if not
3. Enter the appropriate information in the screen, using the table below as
needed.
Field

What you enter

Installation

Enter the R/3 installation number.

Database ID

Enter the three character alphanumeric

code that represents the database.

Database system

Enter the name of the database you are

using for this installation.

Database release

Enter the number representing the release

version of the database software.

SAP release

Enter the number representing the release

version of R/3 this installation uses.

State of R/3 System Enter the code representing productive,

test, or development system.
SAProuter

Enter the IP address for this system's

SAProuter.

SAProuter instance Enter the number representing the

instance of your SAProuter.
1. Save. The Service Connection: System Maintenance screen appears.
2. Under Service selection, double-click on the service that you want to
define.
Lets take R/3 as example
1. The Select Service screen appears.
2. Use the arrows at the right ends of the fields to select the appropriate
contact personnel.
3. Save.
4. Repeat steps five through seven for all the services that you might want
to use on this installation.
5. To open a service connection, follow the steps in the next section.
Opening a Service Connection
Once your installations are defined and you want to benefit from a specific
service that requires an open service connection, follow these steps to open a
service connection:
1. Get to the Service Connection: Select System screen (see Getting to the
Service Connection: Select System Screen).
2. Double-click on the system for which you would like to open a service
connection (or click once on the system and select Select system). The
Service Connection: System Maintenance screen appears.
3. Under Connections, click once on the service for which you would like to
open a service connection.

4. Select Create/Open. The Connection Information Create screen

appears.
5. NOTE
Only services that you previously defined appear here (see Defining Your
Installations).
6. In the closing in, Days and, and hours fields, enter the amount of time for
which you want to leave the service connection open. You can leave the
system open for up to 9 days and 24 hours.
7. In the Contact person field, enter a person at your company who could
assist SAP in the case that SAP has difficulty connecting to your system.
8. In the Phone, or, and Fax fields, enter the appropriate information for the
contact person you listed.
9. Save. The service connection is now open.
Closing a Service Connection
To close a service connection, follow these steps:
1. Get to the Service Connection: Select System screen (see Getting to the
Service Connection: Select System Screen).
2. Double-click on the system for which you would like to close the service
connection (or click once on the system and select Select system). The
Service Connection: System Maintenance screen appears.
3. Under Connections, click once on the service for which you would like to
close the service connection.
4. Select Close. The Confirmation Prompt screen appears.
5. Select Yes. The connection is closed.

SAProuter Installation on Windows XP

On UNIX, SAProuter is installed as a daemon. On Windows it is installed as a
service. Windows XP allows you to run programs as service.
This document will help you install SAProuter on windows XP.
Download SAProuter.
You will find the latest SAProuter in the SAP Service Marketplace under
Download SAP Software here
In the hierarchy choose My Company's Application Components >>
SAPROUTER >>SAPROUTER 7.00 >>Windows server on IA 32 bit.

Download the file saprouter..

You might also need SAPCAR, which can be downloaded from here for
Windows to unpack these files.
Installation.
Create a directory \usr\sap\saprouter, and unpack all the files in this directory.
I unpacked it in d:\usr\sap\saprouter
Create the saprouttab file in d:\usr\sap\saprouter. More detail about saprouttab
Define the service with the following command:
ntscmgr install SAProuter -b d:\usr\sap\saprouter\saprouter.exe -p service -r -R
saprouttab
Note: ntscmgr can be downloaded from SAP note 618053.
Define the general attributes of the service: In Control Panel Services, set the
startup type to automatic and enter a user. SAProuter should not run under the
SystemAccount.
To avoid the error message The description for Event ID (0) in the Windows
NT event log, you must enter the following in the registry: Under
HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services
Eventlog Application, create the key saprouter and define the following
values under it:
EventMessageFile (REG_SZ): d:\usr\sap\saprouter\saprouter.exe
TypesSupported (REG_DWORD): 0x7
Note: These adjustments are not obligatory for running SAProuter. They are only
used for providing detailed error messages in the event log.

OSS Configuring VPN

Introduction

SAP has embarked on a project to enable its customers to establish secure connections to SAP over the
Internet for support purposes. Currently, SAP offers two alternative ways to connect to the Support
Network over the Internet:

SAProuter with Secure Network Communications (SNC) over the Internet

Internet Virtual Private Network (VPN)

Overview of Technical Setup

SAP has implemented a functional subset of the Remote Customer Support Network services in an
Internet DMZ (demilitarized zone) in SAP AG, Walldorf. With this infrastructure in place, the suite of
Remote Customer Support Network service offerings is accessible over the Internet.

SAProuter/SNC via Internet

Internet VPN
SNC secured SAProuter SAProuter
LAN-to-LAN IPSec VPNs are
connections are established between
established between SAP and the
SAP and the customers SAProuter to
customers network to provide data
provide data confidentiality and
confidentiality and integrity services.
integrity services. These SNC
These VPNs complement the leased
connections complement the leased
lines in the current Remote Customer
lines in the current SAPNet R/3
Support Network environment. State-ofFrontend environment. State-of-the-art
the-art encryption, authentication, and
encryption, authentication, and access
access control technology will be
control technology will be employed.
employed. VPN equipment is required at
No additional hardware compared to a
both ends of the connection. The VPN
leased-line setup is required at either
switch at customers side must be
end of the connection. (See diagram
reachable from the Internet. (See
below).
diagram below).
Customers are required to install a
Besides the VPN equipment (also called
SAProuter with an official, static IP
VPN switch or VPN gateway),
address (DHCP Addresses will not
customers are also required to install a
work) running SNC inbound and
SAProuter with an official IP address at
outbound connection to SAP at their
their end of the connection. All service
end of the connection in a
connections between SAP and the
Demilitarized Zone. This SAProuter
customer must be made over the
must be accessible from the Internet.
respective SAProuters.
All service connections between SAP
For the pilot project, access control and
and the customer must be made over
authentication at the VPN gateways will
the respective SAProuters.
be regulated using static keys. SAP will
Certificates needed are available on the
generate these keys and provide them to
SAP Service Marketplace.
the customer. In future, certificate-based
authentication is likely to be utilized.

VPN access can also be achieved

through a telecommuncations provider.
The provider will then be connected to
SAPs VPN switch, and the provider can
offer connections to customers over the
Internet. SAP will make a list of VPNenabled providers. This option is not

covered in this document. For more

information, contact SAP.

Diagrams and Infrastructure

Figure 1 - SAProuter with SNC over Internet

Figure 2 - Internet VPN

Comparison of the Two Options

Property

SAProuter / SNC via Internet

Internet VPN

Hardware
requirements

Firewall + SAProuter host in DMZ

VPN switch + firewall + SAProuter

host (VPN and firewall may be the
same box)

Software

SAProuter starting from NI version 35 N.A.

SAPSECULIB can be obtained from
the Service Marketplace

Network
1 official static IP address for
addresses
SAProuter
(besides address
of Internet router,
firewall, )

1 official static IP address for VPN

switch + 1 official static IP address
for SAProuter host

Configuration
issues

Careful setup of routing configuration

in VPN switch necessary for security.
Saprouttab influences security less
strongly as access is controlled via
VPN switch, SAProuter software and

Careful setup of saprouttab necessary

for security. Saprouttab influences
security strongly as access is
controlled via saprouttab and firewall.

firewall
Encryption

By software

Encrypted data

TCP packets
IPsec (IP packets)
Only the data stream between
Encryption is handled on IP layer
SAProuters is encrypted
(OSI network layer 3)
Encryption is handled on Application
layer (OSI network layer 7)

Minimum
required free
bandwidth

64 kbit/s but may work also with

32 kbit/s

Supported
All except FTP (files download)
services on SAP
side

By hardware

64 kbit/s

All including FTP (files download)

Key managementDigital certificates being requested via Pre-shared keys provided by SAP,
Service Marketplace Public Key
later Public Key Infrastructure (PKI)
Infrastructure (PKI)
Key storage

In file system

Operating systemSAProuter resides on a computer

therefore it is necessary to harden the
security at the operating system level
(for example, C2 level OS) to
minimize the risk of the machine
being hacked from the Internet

Additional
expertise

Standards

In VPN switch
VPN switch has a very small and
limited operating system, thus no
additional security hardening is
required. The SAProuter machine is
not reachable from the Internet, thus
the risk of hacking is much less.
However, security hardening measures
at the SAProuter operating system
level are also recommended

SAProuter knowledge usually

VPN hardware requires special
available, SNC configuration requires knowledge, higher technical expertise
additional knowledge

Based on SNC, SAP proprietary

standard
Firewall hardware and
Contributing to
software
costs

Based on IPSec, well established

industry standard
Firewall hardware and
software

Firewall administration costs

Firewall administration costs

No additional license fee for

security library based on
SECUDE

Costs for VPN hardware and

setup

Why VPN over SNC

In this project Internet VPN was selected over SNC for the following reason
VPN using IPsec is industry standard and have better encryption
FTP is not possible with SNC.
Requirement

Internet connection: recommended

minimum bandwidth = 64 kbps
SAProuter machine
Official IP address (static) for the SAProuter host.
SAProuter installation package
SAP SNC libraries and executables.
These may be downloaded from the SAP Service Marketplace.
A Demilitarized Zone at the customer site with a minimal setup as described in the networking
section of the SAP Security Guide, Parts 1-3 available in the Service Marketplace at:
http://service.sap.com/SYSTEMMANAGEMENT Choose: Security > Technical Track
> SAP Security Guide.
More information on SNC connections is also available in the SAP Service Marketplace.
Since the host running the SAProuter software is a full computer with operating system, the
security at the operating system level must be hardened in order to minimise the risk of the
machine being hacked from the Internet. One recommendation will be for example to run a C2
security level compliant operating system. SAP takes no liability if the security of the
companys network is compromised.
Other networking equipment (routers and hubs) needed to form the network at the customers
premises (see Figure 1).
Adding OSS to SAP logon

Create a file saproute.ini under %winnt% directory and add

[Router]
sapserv1=/H/xx.xx.xx.xx/H/yy.yy.yy.yy/H/
Where xx.xx.xx.xx is SAP router at customer site

yy.yy.yy.yy is SAP router at SAP

Note: This info can be found by using /nOSS1

Create sapmsg.ini under %winnt% directory and add

[Message Server]
O01=oss001.wdf.sap-ag.de

<< Add this line>>

Open SAP logon

Click groups
System ID O01
Message server oss001.wdf.sap-ag.de
SAP Router for sapserv1