Route Permission Table 

Definition

The route permission table contains the host names and port numbers of the predecessor and successor points on the route (from the SAProuter's point of view), as well as the passwords required to set up the connection (these correspond to substrings of the route string, cf. Route Strings). It specifies which connections SAProuter allows and which it prohibits. It also specifies whether SNC connections are set up, and which ones.

Structure

Standard Entries

Standard entries in a route permission table appear as follows:

P/S/D <source-host> <dest-host> <dest-serv> <password>

<source-host> and <dest-host> could be SAProuters.

The beginning of the line can be as follows:

  P – permit: the connection is allowed.
  S – secure: the connection is allowed, but only with the SAP protocol (not, for example, telnet).
  D – deny: the connection is not allowed.

Directly after the P, you can also specify the maximum number of SAProuters permitted before and after this SAProuter on the route for the connection to be allowed: Pv,n – here v denotes the maximum number of preceding SAProuters on the route, and n the maximum number of following ones.

If a client on <source-host> wants to set up a connection to <dest-host> <dest-serv> via SAProuter, SAProuter checks its route permission table before the connection is set up. If the password and route that SAProuter has received correspond to an entry in the route permission table, SAProuter sets up the connection. Otherwise, SAProuter does not set up the connection.

A route permission table could appear as follows:

        <source-host>       <dest-host>  <dest-serv>  <password>
D       host1               host2        serviceX
D       host3
P       *                   *            serviceX
P       155.56.*.*          155.56
P       155.57.1011xxxx.*
P       host4               host5        *            pass
S       host6
P       host7               host8        telnet
P*,0    *                   *                         gui

This means:

In the example given under Route String Entry for SAProuter, the route permission table of host saprouter must contain the entry

P sappc yoursaprouter

and the route permission table of host yoursaprouter must also contain the entry

P saprouter yourapp sapservice pass_to_app

First Match

The first entry in the route permission table for which source address, target address, and target port match is decisive. In the above example, this means that the connection from host1 to host2 with service serviceX is not allowed (because of the first entry), even though the third entry allows all connections with service serviceX.

Exception

If the SAProuter is the last SAProuter on the route (followed, for example, by the frontend) and the service is not an SAP service (no SAP protocol), the wildcard ("*") cannot be used for the service. The connection is only allowed if the non-SAP service is named explicitly: if the example above contained * instead of telnet and this SAProuter were the last one on the route, the telnet connection would not be set up.

SNC Entries

SNC entries always start with the letter K (as in key).

There are two types of SNC entries:

  1. KT entries (Key Target)

     These define which connections should be SNC connections. This can be defined for both incoming and outgoing connections (from the point of view of this SAProuter).

     Incoming connections: the syntax is KT <SNCname src-host> <src-host> <src-serv>. This means that connections coming from the host <src-host> <src-serv> with the SNC name <SNCname src-host> should be SNC connections. The user can thus define that service connections from SAP must be SNC connections.

     Outgoing connections: the syntax is KT <SNCname dest-host> <dest-host> <dest-serv>. This means that connections from the SAProuter to <dest-host> <dest-serv> with the SNC name <SNCname dest-host> should be SNC connections.

     So that SNC connections are possible, the SAProuters involved must have been started with the option -K, and the route permission table must contain the appropriate KT entry.

  2. KD, KP, and KS entries

     They have the following syntax:

     K<D/P/S> <SNCname source-host> <dest-host> <dest-serv> <password>

     This means that an (encrypted) SNC connection from <SNCname source-host> via SAProuter to <dest-host> <dest-serv> is set up when the route string contains the correct <password>.
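To make the first-match rule, the Pv,n limits, the non-SAP-service exception and the KT/KD/KP/KS entries concrete, here is a small Python evaluator that loads the two example tables from this page and answers "permit" or "deny" for a requested connection. It is an added illustration and not SAProuter's own code; the function names (parse_table, match_field, decide, requires_snc) are invented for it, and several rules the page leaves open are assumptions of this example: "*" or an omitted operand matches anything, a dotted pattern with fewer than four parts such as 155.56 is a prefix match on an IP address, an eight-character part of 0/1/x such as 1011xxxx is a bit mask on one octet, S permits only the SAP protocol, a connection that presents an SNC name is judged by K<D/P/S> entries alone (the name being compared with the entry's <SNCname source-host> operand), an entry whose Pv,n limit is exceeded is skipped, and no matching entry means the connection is refused. The page's last standard entry leaves <dest-serv> blank; the positional syntax below needs a "*" there.

```python
"""Toy evaluator for a SAProuter route permission table (added example, not SAP's code)."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

@dataclass
class Entry:
    kind: str            # 'P', 'S', 'D', 'KT', 'KD', 'KP' or 'KS'
    pre: Optional[int]   # Pv,n: max SAProuters before this one (None = unlimited)
    post: Optional[int]  # Pv,n: max SAProuters after this one (None = unlimited)
    fields: List[str]    # <source-host or SNC name>, <dest-host>, <dest-serv>, <password>
    def f(self, i: int) -> str:  # operand i, or '' when omitted (as in 'D host3')
        return self.fields[i] if i < len(self.fields) else ""

def parse_table(text: str) -> List[Entry]:
    """Parse saprouttab-style text: one entry per line, blank lines ignored."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        head, *operands = raw.split()
        m = re.fullmatch(r"([PSD]|K[TDPS])(?:(\*|\d+),(\*|\d+))?", head)
        if not m:
            raise ValueError(f"unrecognised entry: {raw!r}")
        pre, post = (None if g in (None, "*") else int(g) for g in m.group(2, 3))
        entries.append(Entry(m.group(1), pre, post, operands))
    return entries

def match_field(pattern: str, value: str) -> bool:
    """Does one table operand cover a concrete host, service or SNC name?"""
    if pattern in ("", "*"):
        return True
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value) and re.fullmatch(r"[\d*x.]+", pattern):
        # Assumption: a pattern with fewer than four parts (155.56) is a prefix match.
        for part, octet in zip(pattern.split("."), value.split(".")):
            if part == "*":
                continue
            if re.fullmatch(r"[01x]{8}", part):   # bit mask on one octet, e.g. 1011xxxx
                bits = format(int(octet), "08b")
                if any(p not in ("x", b) for p, b in zip(part, bits)):
                    return False
            elif part != octet:
                return False
        return True
    return fnmatchcase(value, pattern)            # host names: plain '*' wildcard

def decide(table: List[Entry], src: str, dst: str, serv: str, password: str = "", *,
           snc_name: Optional[str] = None, routers_before: int = 0,
           routers_after: int = 0, sap_protocol: bool = True) -> str:
    """First-match rule: the first entry whose addresses and service match is decisive."""
    wanted = ("P", "S", "D") if snc_name is None else ("KD", "KP", "KS")  # assumption
    for e in table:
        if e.kind not in wanted:
            continue
        if not (match_field(e.f(0), src if snc_name is None else snc_name)
                and match_field(e.f(1), dst) and match_field(e.f(2), serv)):
            continue
        if (e.pre is not None and routers_before > e.pre) or \
           (e.post is not None and routers_after > e.post):
            continue                              # Pv,n limit exceeded: entry is skipped
        denied = (e.kind.endswith("D")
                  or (e.f(3) and e.f(3) != password)             # password from the route string
                  or (e.kind.endswith("S") and not sap_protocol)  # S: SAP protocol only
                  # last SAProuter: a non-SAP service must be named explicitly, not '*'
                  or (routers_after == 0 and not sap_protocol and e.f(2) in ("", "*")))
        return "deny" if denied else "permit"
    return "deny"                                 # no entry matched

def requires_snc(table: List[Entry], host: str, serv: str) -> Optional[str]:
    """SNC name demanded by the first KT entry covering host/serv, or None."""
    for e in table:
        if e.kind == "KT" and match_field(e.f(1), host) and match_field(e.f(2), serv):
            return e.f(0)
    return None

# The page's two example tables as constructed input ('*' added where the page's
# last standard entry leaves <dest-serv> blank).
STANDARD_TABLE = parse_table("""
D     host1              host2   serviceX
D     host3
P     *                  *       serviceX
P     155.56.*.*         155.56
P     155.57.1011xxxx.*
P     host4              host5   *        pass
S     host6
P     host7              host8   telnet
P*,0  *                  *       *        gui
""")
SNC_TABLE = parse_table("""
P   *           *       *     pass
KT  S:SR@host4  host4   3333
KT  S:SR@host4  host9   *
KD  S:SR@host4  host9   *
KP  S:SR@host4  *       *     pass2
KS  *           host10  4444
KP  *           *       *
""")
```

With these tables, decide(STANDARD_TABLE, "host1", "host2", "serviceX") returns "deny" because the first D entry is decisive, although the third entry would allow serviceX for everyone; decide(STANDARD_TABLE, "host7", "host8", "telnet", sap_protocol=False) returns "permit" only because telnet is named explicitly, and the same request against "P host7 host8 *" on a last-hop SAProuter returns "deny". On the SNC side, requires_snc(SNC_TABLE, "host9", "3200") returns "S:SR@host4", and a connection presenting that SNC name to host9 is then refused by the KD entry.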

A route permission table with SNC entries could appear as follows:

P       *             *         *         pass
KT      S:SR@host4    host4     3333
KT      S:SR@host4    host9     *
KD      S:SR@host4    host9     *
KP      S:SR@host4    *         *         pass2
KS      *             host10    4444
KP      *             *         *

This means: