Home


Volker Gueldenpfennig

SAP.com

SAP Service Marketplace

Status Tracking

Other Kernel Patches

Support Packages

SAPGui Patches

IBM Infoapars

Education

Notes // Side-Effects

SAP Kernel Programs

Cust Messages

SAP Online Help PDFs

Documentation

Codepage Conversion

Unicode

Imprint

Note:

Display
Print
Important Notes SMP Quicklinks Download CDs

Easy Service Marketplace Why this website ?


Setup a SAProuter with SNC on iSeries (AS/400) - Workshop / Example

General information on SNC SAProuter


All platforms:
http://service.sap.com/saprouter-sncdoc

AS/400 / iSeries: note 567853


The following needs to be done once only and does NOT need to be done every year:

QSECOFR ToDos:

http://service.sap.com/tcs => Download Area => SAP Cryptographic Software

UNCAR this and ftp to a SAVF and restore ...

CRTLIB LIB(SAPROUTER)

RSTOBJ OBJ(*ALL) SAVLIB(SAPCRYPTO) DEV(*SAVF)
SAVF(QGPL/CRYPTO) MBROPT(*ALL) ALWOBJDIF(*ALL) RSTLIB(SAPROUTER)

GRTOBJAUT OBJ(SAPROUTER/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*ALL)

MKDIR DIR('/secude')

MKDIR DIR('/secude/etc')

RST DEV('/qsys.lib/saprouter.lib/secude_etc.file')
OBJ(('/*') ('/QSYS.LIB' *OMIT) ('/QDLS' *OMIT)) ALWOBJDIF(*ALL)

CHGPGP OBJ('/secude/etc') NEWPGP(R3OWNER) DTAAUT(*RWX) OBJAUT(*ALL)

CHGPGP OBJ('/secude/etc/*') NEWPGP(R3OWNER) DTAAUT(*RWX) OBJAUT(*ALL)


sidadm (sidofr) ToDos:

http://service.sap.com/tcs => SAProuter Certificates => Apply now (ONLY get the Distinguished Name now)

In this example:
Distinguished Name (Parameter for SAPGENPSE):
CN=saprouter, OU=0000013432, OU=SAProuter, O=SAP, C=DE

Logon with sidadm (or sidofr):

MKDIR DIR('/usr/sap/saprouter')

ADDLNK OBJ('/qsys.lib/saprouter.lib/sapcrypto.srvpgm') NEWLNK('/usr/sap/saprouter/sapcrypto')

CD DIR('/usr/sap/saprouter')

ADDLIBLE LIB(SAPROUTER)

RMVENVVAR ENVVAR('SECUDIR')

ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')

RMVENVVAR ENVVAR('SNC_LIB')

ADDENVVAR ENVVAR('SNC_LIB') VALUE('/usr/sap/saprouter/sapcrypto')

CALL PGM(SAPGENPSE) PARM('get_pse' '-v' '-r' 'certreq' '-p'
'local.pse' 'CN=saprouter, OU=0000013432, OU=SAProuter, O=SAP, C=DE')

(PIN should stay always empty in order to keep it simple next year!)

Now you should convert this file from EBCDIC to ASCII as follows:
(only if you are having it in EBCDIC (CCSID=500) right now)
CPY OBJ('/usr/sap/saprouter/certreq') TOOBJ('/usr/sap/saprouter/certreq819') TOCCSID(819) DTAFMT(*TEXT)

RNM OBJ('/usr/sap/saprouter/certreq') NEWOBJ('certreq500')

RNM OBJ('/usr/sap/saprouter/certreq819') NEWOBJ('certreq')


============================================================================================
============================================================================================
As of here, you have to do the things every year:

/usr/sap/saprouter/certreq:
-----BEGIN CERTIFICATE REQUEST-----
MIIBlDCB/gIBADBVMQswCQYDVQQGEwJERTEMMAoGA1UEChMDU0FQMRIwEAYDVQQL
EwlTQVByb3V0ZXIxEzARBgNVBAsTCjAwMDAwMzU1MDgxDzANBgNVBAMTBmFwNDAw
...
iUW0swbvXv9n/yAnoazzZeoG3ovDs5HqZAF0cCIIAfkIyf9R2h0N8FZL3Mhd0SN9
4tfNEcwJJByPj+lE87RqT4I6TpWl8gX7
-----END CERTIFICATE REQUEST-----


http://service.sap.com/tcs => SAProuter Certificates => Apply now
Put the /usr/sap/saprouter/certreq file to SAP (even the one from last year is OK) and receive the srcert file:

/usr/sap/saprouter/srcert:
-----BEGIN CERTIFICATE-----
MIIH4QYJKoZIhvcNAQcCoIIH0jCCB84CAQExADALBgkqhkiG9w0BBwGggge2MIICc
zCCAdygAwIBAgIDAQz/MA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNVBAYTAkRFMQwwCg
YDVQQKEwNTQVAxEjAQBgNVBAsTCVNBUHJvdXRlcjEVMBMGA1UEAxMMU0FQcm91dGV
....
eF7XCLkR4ho4G2EZQPXiFXaFmATC633eOjMMvwgM/Lj5dXEM2eeiYGR2FTgQBtf7c
Gl17YC0GOnY8Ms3Hh6SWCdKLjmmsNg1Ya9k7ZeQE2bu08MACw7LD0pmp1sYfSXstv
MHJzvtpEZnH8RkYCvmyGbAKTbNuMQA=
-----END CERTIFICATE-----


Put the srcert file to /usr/sap/saprouter/srcert to iSeries:
- via \\iSeries-name\rootbin
- cut&paste via EDTF (in several chunks :-((( )

logon with sidadm (or sidofr):
(depending on the user, that is running the SAPRouter)

CD DIR('/usr/sap/saprouter')

ADDLIBLE LIB(SAPROUTER)

RMVENVVAR ENVVAR('SECUDIR')

ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')

RMVENVVAR ENVVAR('SNC_LIB')

ADDENVVAR ENVVAR('SNC_LIB') VALUE('/usr/sap/saprouter/sapcrypto')

CALL PGM(SAPGENPSE) PARM('import_own_cert' '-c' 'srcert' '-p' 'local.pse')

CALL PGM(SAPGENPSE) PARM('seclogin' '-p' 'local.pse')

CALL PGM(SAPGENPSE) PARM('get_my_name' '-v' '-n' 'Issuer')

CALL PGM(SAPGENPSE) PARM('get_my_name')



STRROUTER-CL-Pgm: (needs to run with sidadm (or sidofr) !)

PGM

ADDLIBLE LIB(SAPROUTER)
MONMSG MSGID(CPF0000)

RMVENVVAR ENVVAR('SECUDIR')
MONMSG MSGID(CPF0000)
ADDENVVAR ENVVAR('SECUDIR') VALUE('/usr/sap/saprouter')
MONMSG MSGID(CPF0000)

RMVENVVAR ENVVAR('SNC_LIB')
MONMSG MSGID(CPF0000)
ADDENVVAR ENVVAR('SNC_LIB') +
VALUE('/usr/sap/saprouter/sapcrypto')
MONMSG MSGID(CPF0000)

CD DIR('/usr/sap/saprouter')

CALL PGM(SAPROUTER) PARM('-r' '-R' './saprouttab' +
'-K' 'p:CN=saprouter, OU=0000013432, +
OU=SAProuter, O=SAP, C=DE' '-G' +
'./saprout.log')

ENDPGM


EDTF '/usr/sap/saprouter/saprouttab'
# SNC-connection from and to SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC-connection from SAP to local R/3-System for Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *

# SNC-connection from SAP to telnet in your network
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * 23

# Access from the local Network to SAPNet - R/3 Frontend (OSS)
P * 194.39.131.34 3299

# deny all other connections
D * * *



back 11/04/2024, 22:11:39