Set up a SAProuter with SNC on iSeries (AS/400) - Workshop / Example
General information on SNC SAProuter
All platforms:
http://service.sap.com/saprouter-sncdoc
AS/400 / iSeries: note 567853
The following needs to be done once only and does NOT need to be done every year:
QSECOFR ToDos:
http://service.sap.com/tcs => Download Area => SAP Cryptographic Software
UNCAR this, FTP it to a SAVF and restore it:
CRTLIB LIB(SAPROUTER)
RSTOBJ OBJ(*ALL) SAVLIB(SAPCRYPTO) DEV(*SAVF) SAVF(QGPL/CRYPTO) MBROPT(*ALL) ALWOBJDIF(*ALL) RSTLIB(SAPROUTER)
GRTOBJAUT OBJ(SAPROUTER/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*ALL)
MKDIR DIR('/secude')
MKDIR DIR('/secude/etc')
RST DEV('/qsys.lib/saprouter.lib/secude_etc.file') OBJ(('/*') ('/QSYS.LIB' *OMIT) ('/QDLS' *OMIT)) ALWOBJDIF(*ALL)
CHGPGP OBJ('/secude/etc') NEWPGP(R3OWNER) DTAAUT(*RWX) OBJAUT(*ALL)
CHGPGP OBJ('/secude/etc/*') NEWPGP(R3OWNER) DTAAUT(*RWX) OBJAUT(*ALL)
sidadm (sidofr) ToDos:
http://service.sap.com/tcs => SAProuter Certificates => Apply now (ONLY get the Distinguished Name now)
In this example:
Distinguished Name (Parameter for SAPGENPSE):
CN=saprouter, OU=0000013432, OU=SAProuter, O=SAP, C=DE
Log on as sidadm (or sidofr):
MKDIR DIR('/usr/sap/saprouter')
ADDLNK OBJ('/qsys.lib/saprouter.lib/sapcrypto.srvpgm') NEWLNK('/usr/sap/saprouter/sapcrypto')
CD DIR('/usr/sap/saprouter')
ADDLIBLE LIB(SAPROUTER)
RMVENVVAR ENVVAR('SECUDIR')
ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')
RMVENVVAR ENVVAR('SNC_LIB')
ADDENVVAR ENVVAR('SNC_LIB') VALUE('/usr/sap/saprouter/sapcrypto')
CALL PGM(SAPGENPSE) PARM('get_pse' '-v' '-r' 'certreq' '-p' 'local.pse' 'CN=saprouter, OU=0000013432, OU=SAProuter, O=SAP, C=DE')
(The PIN should always stay empty, to keep things simple next year!)
Now convert this file from EBCDIC to ASCII as follows (only if it is currently in EBCDIC, CCSID 500):
CPY OBJ('/usr/sap/saprouter/certreq') TOOBJ('/usr/sap/saprouter/certreq819') TOCCSID(819) DTAFMT(*TEXT)
RNM OBJ('/usr/sap/saprouter/certreq') NEWOBJ('certreq500')
RNM OBJ('/usr/sap/saprouter/certreq819') NEWOBJ('certreq')
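Added example, not part of the original workshop: a Python check that tells whether a certreq file is in CCSID 819 or CCSID 500 and returns it as ASCII PEM. It assumes the file's bytes were read in binary mode; the function names and the sample request are constructed for illustration.

```python
import base64

PEM_HEAD = "-----BEGIN CERTIFICATE REQUEST-----"
PEM_TAIL = "-----END CERTIFICATE REQUEST-----"
# Constructed sample, not a real request: the body is base64 of b"CONSTRUCTED".
SAMPLE_ASCII = f"{PEM_HEAD}\nQ09OU1RSVUNURUQ=\n{PEM_TAIL}\n".encode("ascii")
SAMPLE_EBCDIC = SAMPLE_ASCII.decode("ascii").encode("cp500")

def detect_ccsid(raw):
    """Return 819 or 500, whichever decoding exposes the PEM header, else None."""
    for ccsid, codec in ((819, "latin-1"), (500, "cp500")):
        if raw.decode(codec).lstrip().startswith(PEM_HEAD):
            return ccsid
    return None

def to_ascii_pem(raw):
    """Return the request as CCSID 819 bytes, converting from CCSID 500 if needed."""
    ccsid = detect_ccsid(raw)
    if ccsid is None:
        raise ValueError("no certificate request header in CCSID 819 or 500")
    text = raw.decode("cp500" if ccsid == 500 else "latin-1")
    # splitlines() also breaks on U+0085, which is what EBCDIC NL (0x15) decodes to.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("request is truncated or has trailing data")
    # A wrong or double conversion mangles the body; strict base64 decoding catches it.
    base64.b64decode("".join(lines[1:-1]), validate=True)
    return ("\n".join(lines) + "\n").encode("ascii")
```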
============================================================================================
From here on, the steps have to be repeated every year:
/usr/sap/saprouter/certreq contains the certificate request as text between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
http://service.sap.com/tcs => SAProuter Certificates => Apply now
Submit the /usr/sap/saprouter/certreq file to SAP (even the one from last year is OK) and receive the srcert file:
/usr/sap/saprouter/srcert contains the returned certificate as text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Transfer the srcert file to /usr/sap/saprouter/srcert on the iSeries:
- via \\iSeries-name\rootbin
- cut&paste via EDTF (in several chunks :-((( )
Log on as sidadm (or sidofr), depending on which user runs the SAProuter:
CD DIR('/usr/sap/saprouter')
ADDLIBLE LIB(SAPROUTER)
RMVENVVAR ENVVAR('SECUDIR')
ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')
RMVENVVAR ENVVAR('SNC_LIB')
ADDENVVAR ENVVAR('SNC_LIB') VALUE('/usr/sap/saprouter/sapcrypto')
CALL PGM(SAPGENPSE) PARM('import_own_cert' '-c' 'srcert' '-p' 'local.pse')
CALL PGM(SAPGENPSE) PARM('seclogin' '-p' 'local.pse')
CALL PGM(SAPGENPSE) PARM('get_my_name' '-v' '-n' 'Issuer')
CALL PGM(SAPGENPSE) PARM('get_my_name')
STRROUTER CL program (must run as sidadm (or sidofr)!):
PGM
ADDLIBLE LIB(SAPROUTER)
MONMSG MSGID(CPF0000)
RMVENVVAR ENVVAR('SECUDIR')
MONMSG MSGID(CPF0000)
ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')
MONMSG MSGID(CPF0000)
RMVENVVAR ENVVAR('SNC_LIB')
MONMSG MSGID(CPF0000)
ADDENVVAR ENVVAR('SNC_LIB') +
VALUE('/usr/sap/saprouter/sapcrypto')
MONMSG MSGID(CPF0000)
CD DIR('/usr/sap/saprouter')
CALL PGM(SAPROUTER) PARM('-r' '-R' './saprouttab' +
'-K' 'p:CN=saprouter, OU=0000013432, +
OU=SAProuter, O=SAP, C=DE' '-G' +
'./saprout.log')
ENDPGM
EDTF '/usr/sap/saprouter/saprouttab'
# SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
# SNC-connection from SAP to telnet in your network
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 23
# Access from the local Network to SAPNet - R/3 Frontend (OSS)
P * 194.39.131.34 3299
# deny all other connections
D * * *
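Added example, not part of the original workshop or of SAP's tooling: a Python reading of the saprouttab above that answers which entry decides a given route and lists entries that an earlier entry already covers. The matching model (first match wins, no match means denied, K* entries apply to SNC peers and plain entries to non-SNC peers) is an assumption, and the names parse, decide and shadowed are hypothetical.

```python
import fnmatch
import shlex
from collections import namedtuple

# The page's saprouttab, embedded so the example runs offline.
SAPROUTTAB = '''\
# SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
# SNC-connection from SAP to telnet in your network
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 23
# Access from the local Network to SAPNet - R/3 Frontend (OSS)
P * 194.39.131.34 3299
# deny all other connections
D * * *
'''
SAP_SNC = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
Rule = namedtuple("Rule", "lineno kind source host service")

def parse(text):
    """Return the permission entries; KT only selects the SNC transport, so skip it."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)  # keeps the quoted SNC name whole
        if fields and fields[0] != "KT":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: expected 4 fields")
            rules.append(Rule(lineno, *fields[:4]))
    return rules

def decide(rules, peer, host, service, snc=False):
    """Assumed model: first match wins, K* entries see only SNC peers (matched by
    SNC name), plain entries see only non-SNC peers (matched by address)."""
    for r in rules:
        if r.kind.startswith("K") == snc and all(
                fnmatch.fnmatchcase(v, p) for v, p in
                ((peer, r.source), (host, r.host), (str(service), r.service))):
            return r
    return None  # nothing matched: the route is not permitted

def shadowed(rules):
    """Entries that can never be the first match: an earlier entry of the same
    family already covers every field (identical value or '*')."""
    def covers(a, b):
        return a.kind.startswith("K") == b.kind.startswith("K") and all(
            x in ("*", y) for x, y in zip(a[2:], b[2:]))
    return [(b.lineno, a.lineno) for i, b in enumerate(rules)
            for a in rules[:i] if covers(a, b)]
```

For the table above, shadowed() reports that the telnet entry on line 6 is already covered by the KP entry with destination * * on line 4, so the SNC peer is permitted to every host and port either way.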
11/04/2024, 22:11:39