Definition
The route permission table contains the host names and port numbers of the predecessor and successor points on the route (from the SAProuter’s point of view), as well as the passwords required to set up the connection (corresponds to a substring, cf.
Route Strings). It is used to specify which connections are allowed and which prohibited by SAProuter. It also specifies whether SNC connections are set up and which these are.Structure
Standard Entries
Standard entries in a route permission table appear as follows:
P/S/D <source-host> <dest-host> <dest-serv> <password>
<source-host> and <dest-host> could be SAProuters.
The beginning of the line can be as follows:
Directly after the P , you can also specify the maximum number of SAProuters permitted before and after this SAProuter on the route for the connection to be allowed: Pv,n – here v denotes the maximum number of preceding SAProuters on the route, n the maximum number of following ones.
If a <source-host> client wants to set up a connection to <dest-host> <dest-serv> using SAProuter, SAProuter checks its route permission before the connection is set up. If the password and route SAProuter has received correspond to the entries in the route permission table, SAProuter sets up the connection. Otherwise, SAProuter does not set up the connection.
A route permission table could appear as follows:
D |
host1 |
host2 |
serviceX |
|
D |
host3 |
|||
P |
* |
* |
serviceX |
|
P |
155.56.*.* |
155.56 |
||
P |
155.57.1011xxxx.* |
|||
P |
host4 |
host5 |
* |
pass |
S |
host6 |
|||
P |
host7 |
host8 |
telnet |
|
P*,0 |
* |
* |
gui |
This means:
In the above example in
Route String Entry for SAProuter the route permission table of host saprouter must have the entryP sappc yoursaprouter
and the route permission table of host
yoursaprouter must contain the entryP saprouter yourapp sapservice pass_to_app
as well.
First Match
The first entry in the route permission table for which source address, target address, and target port match is decisive; in the above example, this means that the connection from
Exception
If the SAProuter is the last SAProuter on the route (followed e.g. by the frontend) and the service is not an SAP service (no SAP protocol), the wildcard ("
* ") cannot be used with the service. The connection is only allowed if the non-SAP service is selected explicitly; if the example given above contained a * instead of telnet and the SAProuter was the last one on the route, the telnet connection would not be set up.SNC Entries
SNC entries always start with the letter
K (like key).There are two types of SNC entries:
This defines which connections should be SNC connections. This can be defined for both incoming and outgoing connections (from the point of view of this SAProuter).
The syntax is
This means that connections coming from the host
<src-host> <src-serv> with the SNC name <SNCname src-host> should be SNC connections.The user can thus define that service connections from SAP must be SNC connections.
They have the syntax
KT <SNCname dest-host> <dest-host> <dest-serv> . This means that connections from the SAProuter to <dest-host> <dest-serv> with the SNC name <SNCname> should be SNC connections.So that SNC connections are possible, the appropriate SAProuters need to have been started with the option
-K and the route permission table must contain the appropriate KT entry!They have the following syntax:
K<D/P/S> <SNCname source-host> <dest-host> <dest-serv> <password>
. This means that an (encrypted) SNC connection from <SNCname source-host> via SAProuter to <dest-host> <dest-serv> is set up when the route string contains the correct <password> .
P |
* |
* |
* |
pass |
KT |
S:SR@host4 |
host4 |
3333 |
|
KT |
S:SR@host4 |
host9 |
* |
|
KD |
S:SR@host4 |
host9 |
* |
|
KP |
S:SR@host4 |
* |
* |
pass2 |
KS |
* |
host10 |
4444 |
|
KP |
* |
* |
* |
This means: