The SAProuter is a program that acts as an intermediate location in the network between SAP systems where access is controlled before data is sent further along the communication path.
Connections can also be established between SAP systems over several SAProuters. You can then secure connections between adjacent SAProuters using SNC. A typical example is shown in the figure below.
SNC Communication Between SAProuters
The connection between the adjacent SAProuters is protected using SNC. The SAProuters authenticate each other and encrypt the exchanged messages. In this way, you can establish a secure tunnel for communications between components that may not be able to use SNC.
A single SAProuter can be both the initiator and acceptor for an SNC-protected connection.
For a detailed description on the SAProuter, see SAProuter. In this document, we only describe the aspects that relate to SNC.
To establish SNC-protected connections between two SAProuters:
· You must establish an SNC environment for both SAProuters.
· You must activate SNC for the connection in the SAProuter's route permission table.
Perform the following steps to establish the SNC environment for each SAProuter:
1. On each SAProuter host, make sure that the environment variable SNC_LIB contains the path and file name of the external library.
2. Start the SAProuter with the option -K <snc-name>, where <snc-name> is the SNC name of the SAProuter being started.
The SAProuter then loads the external library and initializes the SNC environment.
There are two types of entries that you need to make in the SAProuter route permission table:
● KT (Key-Target) entries
A Key-Target entry specifies that the designated SAProuter à SAProuter connection should use SNC.
● KP- / KD- / KS- entries
These entries are similar to the normal P- / D- / S- entries, but are used for SNC connections instead of standard connections. They specify the hosts and services that are or are not allowed to communicate with one another. As with normal P- / D- / S- entries, you can also specify a password for the connection.
You must pay attention to the order of the entries in the route permission table. For incoming connections, the SAProuter applies the first matching entry it finds in the route permission table. If a matching P- / D- / S- entry precedes an SNC entry, the SAProuter ignores the SNC entry. See the examples at the end of this topic.
To specify a KT entry, enter a line in the SAProuter's route permission table using the following syntax:
KT <SNC_partnername> <dest-host> <dest-serv>
· SNC should be activated for connections to <dest-host> <dest-serv>.
· <SNC_partnername> is the SNC name of the communication partner.
· <dest-host> is the name of the host (either the symbolic name or the IP address).
· <dest-serv> is the name of the service (either the symbolic name or the port number).
A wildcard entry (*) for <dest-host> or <dest-serv> is not practical because the SNC partner name refers to a distinct partner.
To avoid conflicting entries, make K- entries before any normal P- / D- / S- entries.
You must also enter KP- / KD- / KS- entries in the route permission table instead of P- / D- / S- entries for the SNC connections. These entries have the same meanings as the P- / D- / S- entries, except that the name of the source host or IP address is replaced with the SNC name of the source host. They have the following syntax:
K<D/P/S> "<SNCname_of_source-host>" <dest-host> <dest-serv> <Password>
The SAProuter establishes (KT, KS) or denies (KD) a connection if the values received from the connection request match those in the above mentioned route permission table entries.
When using SNC protection between SAProuters, the maximum available quality of protection is always applied.
The SAProuter accepts an incoming connection if it finds a corresponding entry in it's route permission table. For normal incoming connections (that do not use SNC protection), it identifies the communication partner using the source host (IP address) and the destination (host and service). However, for SNC-protected connections coming from a SAProuter, it uses the source SAProuter's SNC name for identification.
Two SAProuters, one on host1, the other on host2, are to communicate with another using SNC protection. The SAProuter on host2 should accept only SNC-protected connections from host1that are directed to a dispatcher or gateway with a system number 00.
SNC names of SAProuters on host1 and host2
● SNC name on host1: "p:CN=saprout1, OU=TEST01, O=myCompany, C=US"
● SNC name on host2: "p:CN=saprout2, OU=TEST01, O=myCompany, C=US"
Starting SAProuter on host1
The following entry starts the SAProuter on host1:
saprouter -r -K "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" &
Route Permission Table on host1
The route permission table on host1 contains the following entries:
# Initiating SNC for all connections to host2 :
Starting SAProuter on host2
The following entry starts SAProuter on host2:
saprouter -r -K "p:CN=saprout2, OU=TEST01, O=myCompany, C=US" &
Route Permission Table on host2
The route permission table on host2 contains the following entries:
# accept incoming connections from SAProuter1
As previously mentioned, you must pay attention to the order of the entries in the route permission table. The SAProuter applies the first matching entry it finds. In the following example, the SAProuter will not accept the SNC-protected connection request from host1 to host2 because of the first entry.
D host1 * *
In the following example, the second line is unnecessary because the first line allows all connections from host1. Therefore, the second line does not enforce SNC protection for connections to sapdp00.
P host1 * *