Manual Sap Router para OS/400
Document Version: $Revision: #16 $, $DateTime: 2015/05/18 09:56:33 $
chmod 0755 /usr/local/bin/SAPCAR
rm /tmp/SAPCAR
<F3>
3. Documentation for SAPROUTER using the sapcrypto library.
The document https://support.sap.com/remote-support/help/installing-saprouter.html
describes the general steps for setting up SAPROUTER with the sapcrypto library on all supported
operating systems. The text you are reading now is largely based on that document; we therefore
strongly recommend that you check it for more up-to-date information.
Please also have a look at the following documents on the Service Marketplace:
https://service.sap.com/saprouter/. General information about the SAPROUTER setup;
however, the OS/400-specific parts are outdated.
http://service.sap.com/saprouter-sncdoc/. This is an older generic documentation
for the installation of SAPROUTER using Secure Network Connection (SNC) with the sapcrypto
library, which does not include the OS/400 specifics. The links and general information may
still be of interest to you.
CHGOWN OBJ(/HOME/SAPRTADM) NEWOWN(SAPRTADM)
CHGPGP OBJ(/HOME/SAPRTADM) NEWPGP(SAPRTGRP)
CHGAUT OBJ(/HOME/SAPRTADM) USER(SAPRTADM) DTAAUT(*RWX)
CHGAUT OBJ(/HOME/SAPRTADM) USER(SAPRTGRP) DTAAUT(*RX)
CHGAUT OBJ(/HOME/SAPRTADM) USER(*PUBLIC) DTAAUT(*NONE)
3. Create an IFS directory for SAPROUTER (we call it /usr/sap/saprtrpase here, but you may
choose any name you want). Do not forget to back up an existing /usr/sap/saprtrpase:
CALL QP2TERM
umask 022
# Save an existing /usr/sap/saprtrpase as /usr/sap/saprtrpase-<YYMMDDHHMMSS>
# (%y gives the two-digit year; %C would give the century):
test -d /usr/sap && cd /usr/sap && test -e saprtrpase &&
mv saprtrpase saprtrpase-$(date +%y%m%d%H%M%S)
# Create a new empty /usr/sap/saprtrpase directory, owned by the
# SAPROUTER user, group-readable, not accessible to *PUBLIC:
mkdir -p /usr/sap/saprtrpase
chown SAPRTADM:SAPRTGRP /usr/sap/saprtrpase
chmod 02750 /usr/sap/saprtrpase
<F3>
4. In one of the next steps we will create a library LIBROUTER containing the objects needed by
SAPROUTER; the name is an example, you can choose any name you want. Please back up
any existing library LIBROUTER, so that you are able to restore it if the procedure described
here fails:
/* Create a backup library LIBROUTER@: */
DLTLIB LIB(LIBROUTER@)                                    /* May fail */
RNMOBJ OBJ(LIBROUTER) OBJTYPE(*LIB) NEWOBJ(LIBROUTER@)    /* May fail */
The RNMOBJ command may only fail because LIBROUTER does not exist. If it fails for any other
reason, check whether LIBROUTER is still in use (for example with WRKOBJLCK).
5. Log out.
6. Logon as user SAPRTADM.
7. Create a new empty library LIBROUTER for SAPROUTER:
CRTLIB LIB(LIBROUTER)
8. Copy the downloaded SAPEXE.SAR package to an IFS-directory; in this document we assume
that the package has been saved to the /tmp/SRT/-directory.
9. Extract the package; it is named like SAPEXE_<nnn>-<xxxxxxxx>.SAR, where <nnn> is the
version of the package and <xxxxxxxx> is an internally used number. In the following we will
refer to such a package as SAPEXE_<nnn>.SAR:
CALL QP2TERM
umask 002
PATH=/usr/local/bin:${PATH}; export PATH
cd /usr/sap/saprtrpase
mkdir SAPEXE
chmod 02770 SAPEXE
cd SAPEXE
SAPCAR -xvf /tmp/SRT/SAPEXE_<nnn>.SAR
cd ..
# Link the binaries into the SAPROUTER directory:
ln -s SAPEXE/libsapcrypto.o .
ln -s SAPEXE/saprouter .
ln -s SAPEXE/niping .
ln -s SAPEXE/sapgenpse .
ln -s SAPEXE/ILE_TOOLS .
<F3>
10. Build up the ILE library:
CLRLIB LIB(QTEMP)
CPYFRMSTMF FROMSTMF(/usr/sap/saprtrpase/ILE_TOOLS) +
  TOMBR(/QSYS.LIB/QTEMP.LIB/ILE.FILE) MBROPT(*REPLACE)
RSTOBJ OBJ(*ALL) SAVLIB(QTEMP) DEV(*SAVF) OBJTYPE(*PGM *CMD) +
  SAVF(QTEMP/ILE)
CRTDUPOBJ OBJ(ILEWRAPPER) FROMLIB(QTEMP) OBJTYPE(*PGM) +
  TOLIB(LIBROUTER) NEWOBJ(SAPROUTER)
CRTDUPOBJ OBJ(ILEWRAPPER) FROMLIB(QTEMP) OBJTYPE(*PGM) +
  TOLIB(LIBROUTER) NEWOBJ(NIPING)
CRTDUPOBJ OBJ(ILEWRAPPER) FROMLIB(QTEMP) OBJTYPE(*PGM) +
  TOLIB(LIBROUTER) NEWOBJ(SAPGENPSE)
CRTDUPOBJ OBJ(CMDMAINP) FROMLIB(QTEMP) OBJTYPE(*PGM) +
  TOLIB(LIBROUTER)
CRTDUPOBJ OBJ(SAPROUTER) FROMLIB(QTEMP) OBJTYPE(*CMD) +
  TOLIB(LIBROUTER)
CLRLIB LIB(QTEMP)
11. In order to work correctly with SAPROUTER, you need some kind of logon or configuration program,
an example of which is outlined here; feel free to modify it according to your needs:
Generating a certificate request for the public key stored in the PSE specified by the -p
parameter and storing it in the IFS file given by the -r parameter:
CALL PGM(SAPGENPSE) PARM(gen_pse +
  -onlyreq -p <Path>/local.pse -x <PIN> -r <reqfile>)
Example:
CALL PGM(SAPGENPSE) PARM(gen_pse -onlyreq -p /tmp/ex.pse +
  -x 123456789U_u -r /tmp/reqf)
The command import_own_cert is used to import the CA-response to a PKCS#10 certification
request:
How to proceed
1. Go to http://service.sap.com/saprouter-sncadd -> Trust Center Service in Detail ->
SAProuter Certificates -> "Apply Now!" button and get the Distinguished Name for your
SAPROUTER from the list of SAProuters registered for your installation.
The Distinguished Name normally is structured this way:
<Your Distinguished Name> = CN=<saprouter-server-name>, OU=<cust-number>, OU=SAProuter, O=SAP, C=DE
2. Choose an arbitrary PIN or passphrase to protect the PSE files that will be generated in the
following steps. These files contain the private key with which the SAPROUTER authenticates
itself and protects the connection; whoever can read the PSE and knows the PIN can impersonate
your SAPROUTER, so choose a strong PIN and keep it secret.
3. Log on as SAPRTADM.
4. Build up the correct environment:
CALL PGM(LIBROUTER/LOGON)
5. Now create your private/public key pair:
CALL PGM(SAPGENPSE) PARM(gen_pse -v -noreq +
  -p local.pse -x <your PIN> '<Your Distinguished Name>')
It is stored in the IFS file /usr/sap/saprtrpase/local.pse.
Please keep in mind that you have to use single quotes around the Distinguished Name here,
not double quotes. You also have to provide the PIN via parameter -x, because SAPGENPSE
has no interactive mode on IBM i to prompt for a missing PIN.
6. Now create the SSO (Single Sign On) credentials for the SAPROUTER with another SAPGENPSE
subfunction, seclogin:
CALL PGM(SAPGENPSE) PARM(seclogin -x <your PIN> -p local.pse)
The credentials are only valid for the currently logged in user, which must be SAPRTADM. They are
stored in the file /usr/sap/saprtrpase/cred_v2. Because whoever can read this file can open the PSE
without knowing the PIN, change its permissions so that it is only accessible by the OS user
SAPRTADM, which will be running the SAPROUTER:
CHGAUT OBJ(/usr/sap/saprtrpase/cred_v2) USER(SAPRTADM) DTAAUT(*RW)
CHGAUT OBJ(/usr/sap/saprtrpase/cred_v2) USER(SAPRTGRP) DTAAUT(*NONE)
CHGAUT OBJ(/usr/sap/saprtrpase/cred_v2) USER(*PUBLIC) DTAAUT(*NONE)
Check its permissions:
DSPAUT OBJ(/usr/sap/saprtrpase/cred_v2) SYMLNK(*NO)
This should give you an output like this:
                            Display Authority
Object . . . . . . . . . . . . :   /usr/sap/saprtrpase/cred_v2
Type . . . . . . . . . . . . . :   STMF
Owner  . . . . . . . . . . . . :   SAPRTADM
Primary group  . . . . . . . . :   SAPRTGRP
Authorization list . . . . . . :   *NONE

                 Data
User             Authority
*PUBLIC          *EXCLUDE
SAPRTADM         *RW
SAPRTGRP         *NONE

(The object-authority columns Exist/Mgt/Alter/Ref of the original screen are omitted here.)

The corresponding output for the PSE file /usr/sap/saprtrpase/local.pse should look the same:

Object . . . . . . . . . . . . :   /usr/sap/saprtrpase/local.pse
Type . . . . . . . . . . . . . :   STMF
Owner  . . . . . . . . . . . . :   SAPRTADM
Primary group  . . . . . . . . :   SAPRTGRP
Authorization list . . . . . . :   *NONE

                 Data
User             Authority
*PUBLIC          *EXCLUDE
SAPRTADM         *RW
SAPRTGRP         *NONE
and with copy & paste insert the certificate request, including the lines -----BEGIN... and
-----END..., into the text area of the same form on the SAP Service Marketplace from which you
copied the Distinguished Name. In response you will receive the certificate signed by the CA in
the Service Marketplace; copy & paste the text to a local file named /usr/sap/saprtrpase/srcert.
As this signed certificate is quite long, it might be easier to create this file with a PC-based
text editor and then upload it via NetServer/400. You can now install the certificate in your
SAPROUTER with the following call:
CALL PGM(SAPGENPSE) PARM(import_own_cert -c srcert +
  -x <your PIN> -p local.pse)
9. From 04/15/2015 11:00 AM CET until 07/18/2015 you also need to import the old SAProuter
Root CA manually:
The old SAProuter SMP Root CA certificate is attached to SAP note 2131531. It is the file
smprootca.der. Copy this file to the /tmp/SRT/ directory of your IBM i.
Import the old SAProuter SMP Root CA certificate as trusted into your PSE:
CALL PGM(SAPGENPSE) PARM(maintain_pk -a /tmp/SRT/smprootca.der +
-x <your PIN> -p local.pse)
This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter
SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot
be established.
You should see an output like:
maintain_pk for PSE "/usr/sap/saprtrpase/local.pse"
Subject : CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE
PKList updated (1 entries total, 1 newly added)
10. Check that the certificate has been imported correctly:
CALL PGM(SAPGENPSE) PARM(get_my_name -v -n Issuer)
The name of the Issuer should be:
CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
After 04/15/2015 the name of the Issuer should be:
CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
If this is not the case, delete the files cred_v2, local.pse, srcert and certreq (they are
in the IFS directory /usr/sap/saprtrpase) and start over with item 5 "Now create your
private/public key pair" (page 8). If the output still does not match, please open an incident
at component XX-SER-NET stating the actions you have taken so far and the output of the
commands following "Generate the certificate request".
11. You can check the expiration date of your certificate as follows:
CALL PGM(SAPGENPSE) PARM(get_my_name)
These certificates are only valid for one year, so do not forget to create and install a new one in
good time; otherwise it will not be possible to use the connection to SAP any longer. If you
experience any problems, please open a customer message in component BC-OP-AS4, describing
what you have done so far and giving the output of each command you used.
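The permission check in item 6 is done by hand with DSPAUT. The following script is an added example, not part of the SAP manual or of SAP's tools: it performs the same check from the PASE shell (CALL QP2TERM) for both cred_v2 and local.pse, relying on the fact that PASE's ls maps IFS data authorities to POSIX bits (*RW to rw-, *RX to r-x, *NONE and *EXCLUDE to ---). The directory /usr/sap/saprtrpase and the user SAPRTADM are the manual's example values; any other path or user can be passed in.

```shell
#!/bin/sh
# Added example, not from the SAP manual: verify from the PASE shell that the
# SAProuter key material is readable by the service user only. The group and
# other bits of cred_v2 and local.pse must all be "-" and the owner must be
# the user that runs the SAPROUTER (SAPRTADM in the manual).

# check_private_file <path> <expected-owner>
# Prints one status line; returns 0 when the file is owner-only.
check_private_file() {
    f=$1
    want_owner=$2
    if [ ! -e "$f" ]; then
        echo "MISSING  $f"
        return 1
    fi
    # `ls -ld` fields: mode links owner group size ... name
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3
    rc=0
    case "$mode" in
        l*) echo "SYMLINK  $f (DSPAUT SYMLNK(*NO) checks the link, not the target)"; rc=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER    $f is owned by $owner, expected $want_owner"
        rc=1
    fi
    # characters 5-10 of the mode string are the group and other bits
    case "$(printf '%s' "$mode" | cut -c5-10)" in
        ------) ;;
        *) echo "EXPOSED  $f mode $mode: group/other must have no access"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK       $f ($mode $owner)"
    return $rc
}

# check_saprouter_secrets <saprouter-dir> <service-user>
# Checks both files the manual protects; returns 0 only if both pass.
check_saprouter_secrets() {
    dir=$1
    user=$2
    failed=0
    for name in cred_v2 local.pse; do
        check_private_file "$dir/$name" "$user" || failed=1
    done
    return $failed
}

# On the router host (manual's example values):
#   check_saprouter_secrets /usr/sap/saprtrpase SAPRTADM
```

Run it after every seclogin or gen_pse call, because both recreate their output files and with it their permissions; a non-zero exit is the signal to repeat the CHGAUT commands from item 6.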
saprouttabs mentioned above. Then the connection from the local SAPGUI running on your PC via
hostA to hostX (PC -> hostA -> hostX, system number 61) can be tested by using this SAPROUTER
string in your SAPGUI:
/H/hostA/H/hostX/S/3261
or
/H/hostA/S/<SAProuter Port Number>/H/hostX/S/3261
For automation purposes you should submit a program into batch via SBMJOB; otherwise
an interactive terminal session will be blocked by the SAPROUTER. To this end write the following
CL program into the member RUNSAPRTR of LIBROUTER/QCLSRC.
With SNC:
PGM
CALL PGM(LIBROUTER/LOGON)
CALL PGM(SAPROUTER) PARM(-r -R /usr/sap/saprtrpase/saprouttab +
  -K p:<Your Distinguished Name>)
ENDPGM
Without SNC:
PGM
CALL PGM(LIBROUTER/LOGON)
CALL PGM(SAPROUTER) PARM(-r -R /usr/sap/saprtrpase/saprouttab)
ENDPGM
and create the program RUNSAPRTR in library LIBROUTER:
CRTBNDCL PGM(LIBROUTER/RUNSAPRTR) SRCFILE(LIBROUTER/QCLSRC) +
  SRCMBR(RUNSAPRTR) DBGVIEW(*ALL)
Then you can submit this program as a batch job. It must run under SAPRTADM, because the
SSO credentials in cred_v2 are only valid for that user:
SBMJOB CMD(CALL PGM(LIBROUTER/RUNSAPRTR)) USER(SAPRTADM)
Troubleshooting
Problems with SNC
1. Log on as SAPRTADM
2. Build up the correct environment:
CALL PGM(LIBROUTER/LOGON)
3. Provide the output of the following commands:
CALL PGM(SAPGENPSE) PARM(seclogin -l)
Typical output:
running seclogin with USER="SAPRTADM"
0: CN=<hostX>, OU=##########, OU=SAProuter, O=SAP, C=DE
/usr/sap/saprtrpase/local.pse
Options: LIFETIME= Wed, 12 Feb 2014 10:16:10 (GMT)
DIRACCESS=FALSE
CRLCHECK=FALSE
1 readable SSO-Credentials available
Typical error messages:
seclogin:
or
running seclogin with USER="SAPRTADM"
0 (LPS:OFF): CN=<hostX>, OU=##########, OU=SAProuter, O=SAP, C=DE
(LPS:OFF): /usr/sap/saprtrpase/local.pse
NOT readable for SAPRTADM
or
get_my_name: no PSE name supplied, SSO credentials not readable for you!
running seclogin with USER="SAPRTADM"
0 (LPS:OFF): CN=<hostX>, OU=##########, OU=SAProuter, O=SAP, C=DE
(LPS:OFF): /usr/sap/saprtrpase/local.pse
NOT readable for SAPRTADM
Appendices
Appendix I: How to establish a SNC-connection between two SAProuters
To create a SNC-Connection between two SAProuters running on hostA and hostB respectively follow
these steps:
1. On each of the hosts (substituting X by A and B respectively) do:
The credentials are only valid for the currently logged in user, which must be SAPRTADM.
They are stored in the file /usr/sap/saprtrpase/cred_v2. Because whoever can read this file can
open the PSE without knowing the PIN, change its permissions so that it is only accessible by
the OS user SAPRTADM, which will be running the SAProuter:
CHGAUT OBJ(/usr/sap/saprtrpase/cred_v2) USER(SAPRTADM) DTAAUT(*RW)
CHGAUT OBJ(/usr/sap/saprtrpase/cred_v2) USER(SAPRTGRP) DTAAUT(*NONE)
CHGAUT OBJ(/usr/sap/saprtrpase/cred_v2) USER(*PUBLIC) DTAAUT(*NONE)
Check its permissions:
DSPAUT OBJ(/usr/sap/saprtrpase/cred_v2) SYMLNK(*NO)
This should give you the same Display Authority output as shown for cred_v2 and local.pse in
"How to proceed" above: type STMF, owner SAPRTADM, primary group SAPRTGRP, authorization list
*NONE, and the data authorities *PUBLIC *EXCLUDE, SAPRTADM *RW, SAPRTGRP *NONE for both
/usr/sap/saprtrpase/cred_v2 and /usr/sap/saprtrpase/local.pse.
CALL PGM(LIBROUTER/LOGON)
CALL PGM(SAPGENPSE) PARM(maintain_pk +
  -a router_A.cer -p local.pse -x <PIN>)
4. You need to maintain the saprouttab on each of the hosts:
On host_A:
# Outbound connections to host_B will use SNC
KT "p:CN=SRThostB" host_B 3299
# Allow all inbound connections
P * * *
# EOF
On host_B:
# Accept incoming SNC-connections from host_A to any host and any port
KP "p:CN=SRThostA" * *
# EOF
Note that P * * * on host_A lets any client that can reach the router open a connection to any
host and any port; it is only acceptable for this test. In production restrict source, destination
and port in every P rule. saprouter uses the first matching line, so a permit-all line also makes
every later D (deny) rule ineffective.
5. Start both SAProuters:
On host_A
CALL PGM(LIBROUTER/LOGON)
CALL PGM(SAPROUTER) PARM(-r -R /usr/sap/saprtrpase/saprouttab +
-K p:CN=SRThostA)
On host_B
CALL PGM(LIBROUTER/LOGON)
CALL PGM(SAPROUTER) PARM(-r -R /usr/sap/saprtrpase/saprouttab +
-K p:CN=SRThostB)
Of course you should create CL-programs containing these commands.
6. Test the SAProuter connection: The program niping may be used to test the setup.
(a) Open a new 5250-Terminal-session to host_B and start niping in server mode:
CALL PGM(LIBROUTER/LOGON)
CALL PGM(NIPING) PARM(-s)
The server listens on TCP port 3298, which can be changed with the -S <Port Number> parameter.
(niping client output: the round-trip times of the test messages in ms, e.g. 0.298 ms, 0.655 ms, 0.251 ms)
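The saprouttab rules in step 4 decide who may route through the SAProuter, and the permit-all line P * * * used on host_A is exactly the kind of entry that should not survive into production. The following script is an added example, not part of the SAP manual or an SAP tool: a POSIX-shell audit (runnable in the PASE shell via CALL QP2TERM) that reads a saprouttab and flags permit rules with wildcard source or destination, plus deny rules that can never be reached because an earlier line already permits everything. It assumes the rule grammar used in this appendix (type, source host, destination host, destination port for P/S/D; a quoted SNC name instead of the source for KT/KP/KS/KD) and the first-match semantics of saprouter; the path /usr/sap/saprtrpase/saprouttab is the manual's example.

```shell
#!/bin/sh
# Added example, not part of the SAP manual: audit a saprouttab for rules
# that open the router wider than intended. Assumed grammar (comments start
# with '#'):
#   P|S|D   <source-host> <dest-host> <dest-port> [password]
#   KT|KP|KS|KD "<snc-name>" <dest-host> <dest-port>
# saprouter uses the first matching line, so a permit-all rule makes every
# later deny rule dead. Prints one line per finding and returns the number
# of findings (0 = nothing flagged).
audit_saprouttab() {
    tab=$1
    findings=0
    permit_all_line=0
    n=0
    # disable globbing: the '*' in rules must not expand to file names
    case $- in *f*) had_f=1 ;; *) had_f=0 ;; esac
    set -f
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        type=$1
        if [ $# -lt 4 ]; then
            echo "line $n: malformed rule (fewer than 4 fields): $line"
            findings=$((findings + 1))
            continue
        fi
        case "$type" in
            P|S|D)
                src=$2; dst=$3; port=$4 ;;
            KT|KP|KS|KD)
                # the quoted SNC name may contain spaces: use the last two fields
                src=snc
                eval "dst=\${$(($# - 1))}"
                eval "port=\${$#}" ;;
            *)
                echo "line $n: unknown rule type '$type'"
                findings=$((findings + 1))
                continue ;;
        esac
        case "$type" in
            D|KD)
                if [ "$permit_all_line" -ne 0 ]; then
                    echo "line $n: deny rule is unreachable, line $permit_all_line already permits everything"
                    findings=$((findings + 1))
                fi
                continue ;;
        esac
        # remaining types (P, S, KT, KP, KS) permit traffic
        if [ "$src" = '*' ] && [ "$dst" = '*' ]; then
            echo "line $n: '$type * *' lets any client reach any host (port $port)"
            findings=$((findings + 1))
            if [ "$port" = '*' ] && [ "$permit_all_line" -eq 0 ]; then
                permit_all_line=$n
            fi
            continue
        fi
        if [ "$dst" = '*' ] || [ "$port" = '*' ]; then
            echo "line $n: $type rule with wildcard destination ($dst:$port); restrict it to the SAP instances actually needed"
            findings=$((findings + 1))
        fi
    done < "$tab"
    [ "$had_f" -eq 1 ] || set +f
    return $findings
}

# On the router host (manual's example path):
#   audit_saprouttab /usr/sap/saprtrpase/saprouttab
```

Run it before every restart of the SAProuter; a non-zero return code means at least one line deserves a second look. The host_B table from step 4 is reported too (KP with wildcard destination), which is intended: SNC authenticates host_A, but the rule still lets it reach every host and port behind host_B.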
All commands that create PSEs or Credentials support the option -lps.
(These commands are gen_pse, import_p12, import_p8, keytab, seclogin)
The -lps option enables the usage of the Local Protection Storage (LPS) to
-s <size>
-x <pin>
-noreq
-onlyreq
-2
-4
-h
-v
Examples:
- create an lps protected file SAPSNCS.pse with server DName
(prompts for PSE password)
sapgenpse gen_pse -lps -p SAPSNCS.pse "CN=SAPServerABC, C=DE"
- create PKCS#10 certification request for an existing PSE
sapgenpse gen_pse -p SAPSNCS.pse -onlyreq -r cert.p10
- create an lps protected file SAPSNCS1.pse with server DName and PKCS#10 Request
(prompts for PSE password)
sapgenpse gen_pse -lps -p SAPSNCS1.pse "CN=SAPServerABC1, C=DE" -r cert1.p10
The command CALL PGM(SAPGENPSE) PARM(import_own_cert -h) produces the output:
Import the CA-response to a PKCS#10 certification request
Normally the CA-response should be a PKCS#7 response containing the
full certification path up to and including the RootCA certificate
However, a lot of CAs respond with only your signed certificate
-- in this case you will have to supply one or more additional
-h
-v
Options of the seclogin subfunction (extract):
  -l                  (list SSO-credentials)
     Options for -l
     -O <username>    list credentials for user <username>
  -r                  (replace SSO-credential)
     -lps             use LPS to protect the new SSO-credential
     -p <pse-file>    PSE for which SSO-credential should be changed (optional parameter).
                      Without this option, all readable credentials are changed.
                      Use -r without -p to change LPS mode for all credentials.
     -x <pin>         PIN/Passphrase for PSE (default: no PIN, PIN from old credential,
                      query interactively)
  <num>               (delete SSO-credentials)
  -O <username>       protect SSO-credential for OTHER user <username> (non LPS mode only)
  -h
  -v
Examples:
- create lps protected SSO-credential for SAPSNCS.pse
  (prompts for PSE password)
  sapgenpse seclogin -lps -p SAPSNCS.pse -O abcadm
- replace one lps unprotected SSO-credential with lps protected SSO-credential
  sapgenpse seclogin -r -lps -p SAPSNCS.pse
- replace all lps unprotected SSO-credentials with lps protected
  SSO-credentials (password prompted if PSE has a new password)
  sapgenpse seclogin -r -lps -p SAPSNCS.pse
- show SSO-credentials created for a dedicated user
  sapgenpse seclogin -l -O abcadm
-h
-v
Examples:
- display the subject of SAPSNCS.pse
sapgenpse get_my_name -p SAPSNCS.pse -n subject -v
- display all attributes of SAPSNCSKERB.pse
sapgenpse get_my_name -p SAPSNCSKERB.pse
-d
-d
-f
more Options:
-p <pse-file>
-x <pin>
-y
-h
-v
Examples:
- Export SAPSNCS.pse own certificate only and save it as file
(password prompted if no credentials available)
sapgenpse export_own_cert -o psecert.cer -p SAPSNCS.pse
- Export SAPSNCS.pse own certificate including certificate chain
without root certificate and save it as file
(password prompted if no credentials available)
sapgenpse export_own_cert -f pkcs7 -o psecert.p7b -p SAPSNCS.pse
- Export SAPSNCS.pse own certificate including certificate chain
including root certificate and save it as file
(password prompted if no credentials available)
sapgenpse export_own_cert -r -f pkcs7 -o psecert.p7b -p SAPSNCS.pse
niping -s | -c | -t | -v | -i | -m
additional options
  -H hostname     name of server-host                           (default localhost)
  -S service      service-name or port-number                   (default 3298)
  -K sncname      SNC-name server                               (default no SNC)
  -B bufsize      size of data-buffer                           (default 1000)
  -L loops        number of loops                               (default 10)
  -V tracelev     trace level (0 - 3)                           (default 1)
  -T tracefile    name of trace file                            (default stdout)
  -I idle time    maximum idle time                             (default 300 sec)
                  t > 0 shutdown after t secs idle
                  t = 0 no automatic shutdown
                  t < 0 shutdown after -t secs idle or
                        first client disconnect (server only)
  -R              raw mode
  -P              detail print
expert options
  -N timeout      for completion of fragmented packages (default 200 msecs)
  -O              one way mode
  -Q maxbytes     fragment test mode
  -D delay        delay between sends (default 0 msec)
  --acl_file=acl-file   # load acl-file (server mode)
  --acl_check           # load and check acl and exit