Intro

The SAProuter is the link between your datacenter and SAP’s support system. It can also be useful when you need to link several datacenters, for example if you’re an SAP partner providing services to other companies.
There are several ways to establish a link between SAP and your datacenter. The easiest one is SNC, which goes through sapserv2.

This is how SAP connects to your systems. This procedure will guide us in installing the saprouter in your datacenter. The public IP needs to be given to SAP through an OSS incident.

Network

The source for this documentation is the official documentation, but I scripted most of it.

Preparation

The saprouter has very low requirements. 2 cores, 2 GB of memory and a D: drive of 5 GB are more than enough.

The following files need to be downloaded. You can download more recent versions if available:

  • SAPCAR.exe (from SWDC)
  • SAPCRYPTOLIBP_8503-20011729.SAR (from SWDC)
  • saprouter_34-70000855.sar (from SWDC)
  • vcredist_x64.exe (https://www.microsoft.com/en-US/download/details.aspx?id=40784)

Copy these files to D:\saprouter_install

SAP will need to be able to connect to your SAProuter through a public IP, on port 3299. For security, you need to apply for a certificate, to secure communications between SAP and your datacenter.

Installation

A user “srpadm” will be created to run the saprouter. A Windows service will be created to start the saprouter automatically.

The following commands can be run in PowerShell. Some commands require interaction.

The string “CN=<hostname>, OU=<client number>, OU=SAProuter, O=SAP, C=DE” below comes from SAP, when you apply for a certificate.

# Extract the saprouter binaries
md E:\usr\sap\saprouter
E:\saprouter_install\SAPCAR.exe -R E:\usr\sap\saprouter -xf E:\saprouter_install\saprouter_34-70000855.sar
E:\saprouter_install\SAPCAR.exe -R E:\usr\sap\saprouter -xf E:\saprouter_install\SAPCRYPTOLIBP_8503-20011729.SAR

# Install the Visual Studio C++ redistributable, required by the saprouter
E:\saprouter_install\vcredist_x64.exe /q /install /log E:\saprouter_install\vcredist.log
Start-Sleep -Seconds 30

# Generate certificate request for SNC
cd E:\usr\sap\saprouter
.\sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p E:\usr\sap\saprouter\local.pse "CN=<hostname>, OU=<client number>, OU=SAProuter, O=SAP, C=DE"

# Submit the certificate request "certreq" to SAP at https://support.sap.com/remote-support/saprouter/saprouter-certificates.html
# In exchange you will receive the response, which you should save in a file "srcert.txt"

# Import certificate in the PSE
.\sapgenpse import_own_cert -c srcert.txt -p local.pse
.\sapgenpse seclogin -p local.pse -O srpadm

# Create the saprouter user and service
NET user srpadm "<password>" /ADD
icacls E:\usr\sap\saprouter /setowner "srpadm" /T
# The SNC name passed to -K must be the same distinguished name used in the certificate request
New-Service -Name saprouter -Description "SAProuter" -StartupType Automatic -BinaryPathName "E:\usr\sap\saprouter\saprouter.exe service -r -R E:\usr\sap\saprouter\saprouttab -E -G E:\usr\sap\saprouter\saprouter.log -K `"p:CN=<hostname>, OU=<client number>, OU=SAProuter, O=SAP, C=DE`""

# Create the saprouter config
# Out-File in Windows PowerShell defaults to UTF-16, so the encoding is set explicitly

@"
# Define a SNC router-to-router connection to sapserv2 (194.39.131.34)
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# Allow sapserv2 to connect to the HVL subnet by SNC
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.59.20.* *

# Allow everyone to connect to sapserv2
P * 194.39.131.34 *

# Deny all other connections
D * * *
"@ -replace "`r?`n","`r`n" | Out-File -Encoding ascii E:\usr\sap\saprouter\saprouttab

# Update the environment for user srpadm
# runas takes the program and its arguments as one quoted string
runas /User:srpadm "setx SNC_LIB E:\usr\sap\saprouter\sapcrypto.dll"
runas /User:srpadm "setx SECUDIR E:\usr\sap\saprouter"

Once done, go to services.msc, and change the logon user of service saprouter to srpadm.

You will need to add lines to E:\usr\sap\saprouter\saprouttab to authorize SAP to connect to your systems. Limit this access as tightly as you can.
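
An added example, not part of the original procedure: a PowerShell check that flags permit entries in a saprouttab whose source, destination host or destination service is a wildcard. The sample table is constructed from the rules above plus one tightened rule (host 10.59.20.15 and port 3200 are placeholders), and the function name Test-SapRouttab is hypothetical.

```powershell
# Added example: audit a saprouttab for over-broad permit entries.
# $sample is constructed: the rules from this page plus one tightened rule
# (host 10.59.20.15 and port 3200 are placeholders, not values from the page).
$sample = @'
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.59.20.* *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.59.20.15 3200
P * 194.39.131.34 *
D * * *
'@

function Test-SapRouttab {
    param([Parameter(Mandatory)][string]$Text)
    $lineNo = 0
    foreach ($line in ($Text -split "`r?`n")) {
        $lineNo++
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        # Tokenise on whitespace, keeping a quoted SNC name as one token.
        $tok = @([regex]::Matches($line, '"[^"]*"|\S+') | ForEach-Object { $_.Value })
        $type = $tok[0].ToUpper()
        # Only permit entries open a path; KT and D/KD entries are skipped.
        if ($type -notin 'P', 'S', 'KP', 'KS') { continue }
        if ($tok.Count -lt 4) {
            [pscustomobject]@{ Line = $lineNo; Rule = $line; Finding = 'malformed entry' }
            continue
        }
        # Fields after the type: source, destination host, destination service.
        $findings = @()
        if ($tok[1] -eq '*')       { $findings += 'any source' }
        if ($tok[2] -match '[*?]') { $findings += "wildcard destination host $($tok[2])" }
        if ($tok[3] -match '[*?]') { $findings += "wildcard destination service $($tok[3])" }
        if ($findings) {
            [pscustomobject]@{ Line = $lineNo; Rule = $line; Finding = $findings -join '; ' }
        }
    }
}

# Audit the constructed sample; for the real table pass
# (Get-Content E:\usr\sap\saprouter\saprouttab -Raw) instead.
Test-SapRouttab -Text $sample | Format-List
```

Each reported line is a candidate for replacing the wildcard with the specific host and port that SAP support actually needs to reach.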