Route Permission Table
The route permission table contains the host names and port numbers of the predecessor and successor points on the route (from the SAProuter's point of view), as well as the passwords required to set up the connection (the password corresponds to a substring of the route string, cf. Route Strings). It is used to specify which connections SAProuter allows and which it prohibits. It also specifies whether SNC connections are set up, and which ones.
Standard entries in a route permission table appear as follows:
P/S/D <source host> <dest host> <dest serv> <password>
<source-host> and <dest-host> may themselves be SAProuters.
Elements of a table entry are described below:
Handling the Connection: P/S/D
The beginning of the line can be as follows:
● P(ermit) instructs SAProuter to set up the connection. P(ermit) entries can contain a password. SAProuter checks whether this password corresponds to that sent by the client.
Directly after the P you can also specify the maximum number of SAProuters allowed on this route before and after this SAProuter for the connection to be permitted: Pv,n, where v is the maximum number of SAProuters before this one and n is the maximum number of SAProuters after this one allowed on the route.
● S(ecure) also instructs SAProuter to set up the connection, but only if the SAP protocol is used; native (non-SAP) protocols are refused. With Sv,n you can limit the number of preceding and succeeding SAProuters on the route, the same as with P.
● D(eny) prevents the connection from being set up.
● You can also add comment lines, which must begin with ‘#’.
Source Host <source host>
This element describes the host from where the connection comes (from viewpoint of the SAProuter). This can be a host name, an IP address or an IP subnetwork (see Creating a Route Permission Table).
Destination Host <dest host>
This element describes the host the connection is going to (from viewpoint of the SAProuter). This can be a host name, an IP address, or an IP subnetwork.
Destination Port <dest serv>
This element describes the port (service) of the destination host to which the connection is going. You can also specify a port range here by separating the two ports that demarcate the range with a period. If <dest serv> has the value 3200.3298, this means connections to the destination server on all ports between 3200 and 3298 (also see Example of a Route Permission Table).
If a client on <source-host> wants to set up a connection to <dest-host> <dest-serv> via SAProuter, SAProuter checks its route permission table before the connection is set up. If the password and route that SAProuter has received correspond to the entries in the route permission table, SAProuter sets up the connection. If this is not the case, SAProuter does not set up the connection and issues the message Route permission denied.
SNC entries always start with the letter K (like key).
There are two types of SNC entries:
1. KT entries (Key Target)
This defines which connections should be SNC connections. This can be defined for both incoming and outgoing connections (from the point of view of this SAProuter).
a. Incoming connections
The syntax is KT <SNC name src host> <src host> <src serv>.
This means that connections coming from the host <src host> <src serv> with the SNC name <SNC name src host> must be SNC connections.
The user can thus define that service connections from SAP must be SNC connections.
b. Outgoing connections
They have the syntax KT <SNC name dest host> <dest host> <dest serv>. This means that connections from the SAProuter to <dest host> <dest serv> with the SNC name <SNC name dest host> must be SNC connections.
To make SNC connections possible, the appropriate SAProuters need to have been started with the option -K and the route permission table must contain the appropriate KT entry.
2. KD, KP, and KS entries
They have the following syntax:
K<D/P/S> <SNC name source host> <dest host> <dest serv> <password>. These entries correspond to D, P and S entries, but apply to the (encrypted) SNC connection from <SNC name source host> via SAProuter to <dest host> <dest serv>; a KP or KS entry sets up the connection only when the route string contains the correct <password>.
Evaluation of the Route Permission Table
The following rules apply when the SAProuter evaluates the route permission table.
The first entry in the route permission table for which source address, target address, and target port all match is decisive. For example, in the Example of a Route Permission Table this means that the connection from host1 to host2, service serviceX, is not allowed (because of the first entry), although all connections with service serviceX are allowed according to the third entry.
If there is no matching entry in the table for a route, the connection is rejected. SAProuter behaves as though the last line were D * * *.
If the SAProuter is the last SAProuter on the route (for example, the front end), and the service is not an SAP service (not an SAP protocol), a wildcard (“*”) cannot be used with the service. The connection is only allowed if the non-SAP service is explicitly selected. If the example given above contained a * instead of telnet, and the SAProuter was the last one on the route, the telnet connection would not be set up.
Note on Security
For security reasons SAP recommends that you do not use wildcards (*) for the target host (<dest-host>) or the target port (<dest-serv>) in P and S lines of the route permission table. If the table contains P or S lines with such a wildcard, SAProuter issues a warning message:
WARNING: wildcard character used in route target
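The entry syntax and the evaluation rules of this section (first matching entry decides, implicit D * * *, S for SAP protocol only, Pv,n hop limits, an explicit entry for a non-SAP service on the last SAProuter) together with the wildcard warning from the Note on Security, worked through in code. This is an added example and not SAP's or SAProuter's own code: the sample table, the host names, the password, the CIDR and pattern notation for subnets, and the exact point at which the password and hop limits are checked are this example's assumptions, not statements about the SAProuter implementation.

```python
"""Evaluator and linter for an SAProuter route permission table (saprouttab).
Added illustration, not SAP code. Rules modelled from the text: the first entry
matching source host, destination host and destination port is decisive; no match
means deny (implicit "D * * *"); S permits the SAP protocol only; Pv,n / Sv,n cap
the SAProuters before/after this one; a wildcard service never covers a non-SAP
service on the last SAProuter. Assumed by this example only: CIDR subnets and
fnmatch-style host patterns; password and hop caps are checked on the decisive entry.
"""
from __future__ import annotations
import fnmatch
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ENTRY_RE = re.compile(r"^([PSD])(?:(\d+),(\d+))?$")  # P, S, D or Pv,n / Sv,n

@dataclass
class Entry:
    action: str                       # "P", "S" or "D"
    src: str
    dest: str
    serv: str
    password: str = ""
    max_before: Optional[int] = None  # v in Pv,n
    max_after: Optional[int] = None   # n in Pv,n

def parse_table(text: str) -> list[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                  # blank lines and '#' comments
        fields = line.split()
        if fields[0].startswith("K"):
            continue                  # SNC entries (KT/KD/KP/KS) are not modelled here
        m = ENTRY_RE.match(fields[0])
        if not m or len(fields) < 4:
            raise ValueError(f"malformed entry: {raw!r}")
        action, v, n = m.groups()
        entries.append(Entry(action, fields[1], fields[2], fields[3],
                             fields[4] if len(fields) > 4 else "",
                             None if v is None else int(v), None if n is None else int(n)))
    return entries

def host_matches(pattern: str, host: str) -> bool:
    """'*', a host name, an IP address or (assumed notation) a CIDR subnet."""
    if pattern == "*":
        return True
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass                          # not an address/subnet pair: compare as names
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())

def serv_matches(pattern: str, serv: str) -> bool:
    """'*', an exact service name or port, or a port range written low.high."""
    if pattern in ("*", serv):
        return True
    m = re.fullmatch(r"(\d+)\.(\d+)", pattern)
    return bool(m and serv.isdigit() and int(m.group(1)) <= int(serv) <= int(m.group(2)))

def evaluate(table: list[Entry], src: str, dest: str, serv: str, password: str = "",
             sap_protocol: bool = True, routers_before: int = 0, routers_after: int = 0,
             last_router: bool = False) -> tuple[bool, str]:
    """Decide one connection request as seen by this SAProuter: (permitted, reason)."""
    for e in table:
        if not (host_matches(e.src, src) and host_matches(e.dest, dest)
                and serv_matches(e.serv, serv)):
            continue
        # This entry is decisive; later, possibly broader, entries are never consulted.
        if e.action == "D":
            return False, "Route permission denied (D entry)"
        if e.action == "S" and not sap_protocol:
            return False, "Route permission denied (S entry allows SAP protocol only)"
        if e.password and e.password != password:
            return False, "Route permission denied (password mismatch)"
        if e.max_before is not None and routers_before > e.max_before:
            return False, "Route permission denied (too many SAProuters before this one)"
        if e.max_after is not None and routers_after > e.max_after:
            return False, "Route permission denied (too many SAProuters after this one)"
        if last_router and not sap_protocol and e.serv == "*":
            return False, "Route permission denied (non-SAP service needs an explicit entry)"
        return True, f"permitted by '{e.action} {e.src} {e.dest} {e.serv}'"
    return False, "Route permission denied (no matching entry, implicit 'D * * *')"

def lint(table: list[Entry]) -> list[str]:
    """Flag what SAProuter itself warns about: '*' as target host or port in P/S lines."""
    return [f"WARNING: wildcard character used in route target: {e.action} {e.src} {e.dest} {e.serv}"
            for e in table if e.action in ("P", "S") and "*" in (e.dest, e.serv)]

# Constructed sample table; host names and the password are hypothetical.
SAMPLE_SAPROUTTAB = """\
# specific deny first: it, not the broad last line, decides host1 -> host2 serviceX
D host1 host2 serviceX
# at most 1 SAProuter before and none after this one; password; dispatcher port range
P1,0 10.0.0.0/24 sapserver 3200.3298 s3cret
# SAP protocol only towards the SAProuter port
S * sapserver 3299
# a non-SAP service must be named explicitly if this is the last SAProuter on the route
P * jumphost telnet
# every host may reach serviceX (except host1 -> host2, denied above)
P * * serviceX
"""
```

Calling evaluate(parse_table(SAMPLE_SAPROUTTAB), "host1", "host2", "serviceX") returns a denial from the first line even though the last line would permit serviceX for everyone, which is the first-match rule of this section; lint() on the same table reports only the last line, because its target host is a wildcard. Running lint() over a real saprouttab before deploying it is a cheap way to find the P and S lines that SAP's note warns about.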
See also: SAProuter Route Permission in the implementation part.