cancel
Showing results for 
Search instead for 
Did you mean: 

Enabling SNC encryption on SAProuter traffic

daphneo
Explorer
0 Kudos

Hi

I'm setting up a SAProuter connection between 2 of our servers and our SAP box.

The connection is working, but in the trace file I do notice this line, which I assume means that the traffic is not encrypted.

NiSncGetPeer: hdl 11 not SNC enabled

My question is, how can I enable SNC encryption on the traffic between the routers and SAP?

Here is my setup and saprouttab files:

SAProuter 1 (external network) --> SAProuter 2 (internal network) --> SAP

- I have installed a certificate from SAProuter 1 in the pse file of SAProuter 2.

- I have also installed the certificate from SAProuter 2 into the pse file of SAProuter 1

- Both saprouters are started with the -K param followed by the name of its own certificate.

saprouttab of SAProuter 1:

KT "p:CN=SAPRouter2cert"    [Public_IP_SAProuter2]   3299
P  [Private_IP_SAProuter1]  [Public_IP_SAProuter2]   *

saprouttab of SAProuter 2:

KT "p:CN=SAPRouter1cert" [Public_IP_SAProuter1]  3299<
KP "p:CN=SAPRouter1cert" [SAP_Internal_IP] *
P [Public_IP_SAProuter1] [SAP_Internal_IP] *
#Note that if this P line comes out then the connection does not work anymore.

Accepted Solutions (1)

Accepted Solutions (1)

isaias_freitas
Advisor
Advisor

Hello Daphne,

Just to confirm, on saprouttab of saprouter1, when you say:

P [Private_IP_SAProuter1] [Public_IP_SAProuter2] *

do you mean

P [Private_IP_or network_of_client(s)] [Public_IP_SAProuter2] *

?

Hint: the port number on the above rule could be 3299 instead of "*".

The rules on saprouter2 seem correct.

Another thing, if you start the saprouters with level 2 trace ("-V 2" in the command line), do you see them loading the PSE files?

If not, have you created the SSO credentials for the user ID running the saprouters, so they can load the PSE files without requiring a password?

sapgenpse seclogin -p [path to PSE file]
(executed while logged on as the user that will run the saprouter)

Regards,

Isaías

daphneo
Explorer
0 Kudos

Hi Isaias

Thanks for the reply. Hereby answers to the questions:

1. Do do you mean: P [Private_IP_or network_of_client(s)] [Public_IP_SAProuter2] *

I must be honest that I'm not sure exactly what you're suggesting or what I can try here. My entry looks something like this:
P 10.1.1.1 52.30.40.80 *
where 10.1.1.1 is the private IP of the server running SAProuter1 (i.e. the same machine) and 52.30.40.80 is the Public IP of the secondary SAProuter.

2. If you start the saprouters with level 2 trace ("-V 2" in the command line), do you see them loading the PSE files?

I've started them now with trace level 2. I do not see any entry in the dev_rout file containing "pse". I.e. I guess it is not loading then?

3. If not, have you created the SSO credentials for the user ID running the saprouters, so they can load the PSE files without requiring a password? sapgenpse seclogin -p [path to PSE file]

Yes, I have executed the above command for the logged in user that is running the service.

isaias_freitas
Advisor
Advisor
0 Kudos

Hello Daphne,

About 3, ok.

About 2, I do not recall by heart, maybe it appears only when an SNC connection is established... What is the value of the environment variable SECUDIR for the user ID that runs the service? The PSE file must be there.

About 1, the entry should follow this syntax:

P [IP of the client connecting to this saprouter] [IP of the next saprouter / final server] [TCP port of the next saprouter / final server]

But for the first field, it was mentioned that the IP of the saprouter1 itself is maintained...

Regards,

Isaías

isaias_freitas
Advisor
Advisor
0 Kudos

PS: you are welcome 🙂

daphneo
Explorer
0 Kudos

Hi

2: Value if SECUDIR is correct. Does point to the pse directory.

1: "It was mentioned that the IP of the saprouter1 itself is maintained..."
Ahh....I understand now. In my test environment the SAProuter1 and the client from where the connection is done is the same server.

Thanks for the effort the help!

isaias_freitas
Advisor
Advisor
0 Kudos

Hi,

You are welcome!

OK... please execute "sapgenpse get_my_name -p" and confirm that the certificate's subject is the same used in the "-K" option of the saprouter startup command line (on both saprouters).

If they are correct... Confirm that the network handle you are analyzing (e.g., "NiSncGetPeer: hdl 11 not SNC enabled") is the one related to the communication between the saprouters.

I believe it could help if you could provide the output from that sapgenpse command along with a level 2 trace from both saprouters, since their startup until one connection is established.

Regards,

Isaías

daphneo
Explorer
0 Kudos

Hi

The get_my_name commands does seem correct.

I have created a Word doc with screenshots of the commands as you've asked for and a text file with the dev_rout info.

As there is some sensitive info in there I do not want to post everything here.
You can download the 2x docs from a wetransfer link at: https://we.tl/t-2U0aP32uJb
If you feel uncomfortable downloading from here, you are welcome to suggest another method.

I do notice this info in the dev_rout. If that will help.

<<- SncInit()==SAP_O_K 
sec_avail = "true"
<<- SncSetMyName()==SAP_O_K
in: myname = "p:CN=SAPRouter2Cert"
isaias_freitas
Advisor
Advisor
0 Kudos

Hello Daphne,

I am not allowed to download the file from there, sorry.

Those entries suggest that the saprouter2 (at least) has SNC enabled.

So, it might be that the saprouters do not recognize that they should establish SNC connections to each other; or that the trace line you were focusing at the opening of this thread ("NiSncGetPeer: hdl 11 not SNC enabled") is not related to the communication between the saprouters.

  • The communication from the client to saprouter1 would not be SNC enabled (even if the client has SNC enabled too).
  • The communication between saprouter1 and saprouter2 should be SNC enabled, based on what we discussed so far.
  • The communication between saprouter2 and the SAP server would not be SNC enable (even if the server has SNC enabled too).

However, the client might be sending SNC-encrypted data, establishing an SNC ("virtual") connection with the SAP server through the "tunnel" created by the saprouters.

Regards,

Isaías

daphneo
Explorer
0 Kudos

Thanks. Makes sense. We will then work on the basis that SNC is enabled. Thanks!

isaias_freitas
Advisor
Advisor
0 Kudos

You are welcome!

For further confirmation, I would really need the level 2 trace from the saprouter 🙂

daphneo
Explorer
0 Kudos

Thanks for sticking to it.

I'm attaching 2x files. The one is the log from my saprouter (i.e. SAProuter 1).

The other one is from SAProuter2 (the customer entity).

What now also worries me, is that I've seen that even if I stop SAProuter1, I am still able to connect to SAP from the SAP GUI that's installed on the same server as SAProuter1. I assume it is due to the P-line in the saprouttab op SAProuter2. But is it correct?

saprouter1-dev-rout.txt

saprouter2-dev-rout.txt

isaias_freitas
Advisor
Advisor
0 Kudos

You are welcome!

The trace from the saprouter1 does not show any connections going through...

The trace from the saprouter2 shows a non-SNC connection going through.

It seems that the client might be connecting to saprouter2 directly. This will never be SNC-enabled...

Can you confirm that the saprouter string (on the client running at the same server as saprouter1) is going through both saprouters?

It should be something like

/H/Private_IP_SAProuter1/H/Public_IP_SAProuter2

or (the complete, final saprouter string)

/H/Private_IP_SAProuter1/H/Public_IP_SAProuter2/H/SAP_Internal_IP/S/SAP_port

Regards,

Isaías

daphneo
Explorer
0 Kudos

Hi

You are correct! The connection was bypassing SAProuter1 completely. I've fixed that and now the dev_rout files looks correct. I can SNC is now enabled both sides.

Thank you so much for picking that up!!

isaias_freitas
Advisor
Advisor
0 Kudos

Hi! 🙂

You are welcome!

Now it should be possible to eliminate the "P" line in the saprouttab file of saprouter2, keeping only KT and KP, ensuring that a non-SNC connection cannot be made 😉

daphneo
Explorer
0 Kudos

Hi

That is what you should think, and it was my expectation as well. However, removing the P-line prevents the connection from working. With the P-line included it does seem that SNC is enabled and is working. But I have been told that the P-line should preferable be removed. Should it?

Attached is the log files for the connection with the P-line removed. I.e. the failure.

saprouter1-dev-rout.txt

saprouter2-dev-rout.txt

isaias_freitas
Advisor
Advisor
0 Kudos

Hi,

Yes, the P line should be removed, as it is not required and it is allowing non-SNC connections to go through.

The issue, now, seems to be with the KP line:

*** from saprouter2

contents of routtab ('./saprouttab', 2 entries):
KT*,* p:CN=SAPRouter1cert Public_IP_SAProuter1/32 3299 *
KP*,* p:CN=SAPRouter1cert SAP_Internal_IP/32 3299 *

That KP rule allows the connection to port 3299 only 😉

Just change it to:

KT*,*  p:CN=SAPRouter1cert              Public_IP_SAProuter1/32               3299
KP*,* p:CN=SAPRouter1cert SAP_Internal_IP/32 *

-> the fact that the port is defined as "*" does not allow the connection to all ports. See https://help.sap.com/viewer/e245703406684d8a81812f4c6334eb2f/202009.002/en-US/486c7a3fc1504e6ce10000... .

daphneo
Explorer
0 Kudos

Hi

Deepest thanks once again. I do realize this is not your primary problem, but I highly appreciate the help.

Removing the P entry still does not work. Even after the change you've suggested.

I do see this in the log file now which looks correct based on your previous reply:

KT*,*  p:CN=SAPRouter1cert              Public_IP_SAProuter1/32               3299      * 
KP*,* p:CN=SAPRouter1cert SAP_Internal_IP/32 * *

The saprouttab for SAProuter2 now only has this:

KT "p:CN=SAPRouter1cert" Public_IP_SAProuter1 3299 
KP "p:CN=SAPRouter1cert" SAP_Internal_IP *

I'm also attaching the log files that I now get without the P line.

saprouter1-dev-rout.txt

saprouter2-dev-rout.txt

daphneo
Explorer
0 Kudos

Interestingly, if I add * values everywhere, but no P-line then the connection still does not work.

I.e. for SAProuer1 I now have:

KT "p:CN=SAPRouter2cert" * *
KP "p:CN=SAPRouter2cert" * *
P * * *

and for SAProuter2 I have:

KT "p:CN=SAPRouter1cert" * * 
KP "p:CN=SAPRouter1cert" * *

just no P-line.

No connection when doing:
/H/SAProuter1_InternalIP/H/SAProuter2_PublicIP/S/3299/H/SAP_Internal_IP

I can't get it working unless the P-line is specified. Weird.

isaias_freitas
Advisor
Advisor
0 Kudos

Hi,

The previous saprouttab you had for saprouter2 would be the correct one:

KT "p:CN=SAPRouter1cert"  Public_IP_SAProuter1  3299
KP "p:CN=SAPRouter1cert" SAP_Internal_IP *

When looking at the trace for saprouter2, I see that the incoming connection is SNC-enabled.

I also see that the connection is coming from the client to saprouter1, and then to saprouter2.

I do not understand why saprouter2 is denying the connection. All looks correct now.

I have created a test lab and it is working correctly to me, with the above setup.

And this is my saprouttab for saprouter1:

KT  "p:CN=SAPRouter2cert"  Public_IP_SAProuter2   3299
P   End_User_IP            Public_IP_SAProuter2   3299

About the trace for saprouter2, did you mask / anonymized the 'data block' seen just before the connection is denied?

NiStrToAddrMask: local nodeAddrStr: SAP_Internal_IP len 8
NiIGetServNo: servicename '3200' = port 3200
<<- SncGetPeerAclKey()==SAP_O_K
  'peer_aclkey' (addr=00000256700CD0B0, len=103) full hexdump
  0x00000  00030401 00080606 2b240301 25010000  ........ +$..%...
  0x00010  00553053 3151304f 060b2b06 01040185  .U0S1Q0O ..+.....
  0x00020  36020501 03134032 33314539 33343741  6.....@2 31E9347A
Tue Aug 31 14:42:20 2021
  0x00030  45353941 39443730 45414443 38383444  E59A9D70 EADC884D
  0x00040  41414231 33423830 36333539 33394532  AAB13B80 635939E2
  0x00050  31433943 46393036 37374542 37313638  1C9CF906 77EB7168
  0x00060  44464131 323732                      DFA1272         
no match for [Public_IP_SAProuter1 to SAP_Internal_IP, 3200] found
*** ERROR => NiRClientHandle: NiRExRouteCon for C9/-1 'Public_IP_SAProuter1' failed (rc=-94) [nirout.cpp   3526]

If yes, then I do not understand why it is not working...

If not, then something weird is going on in the SNC connection, as that does not look like the data I would expect to see there.

daphneo
Explorer
0 Kudos

Thanks

>did you mask / anonymized the 'data block'

No I did not. I only replaced the IP addresses and certificate names.

daphneo
Explorer
0 Kudos

Quite strange. I created another environment in place of SAProuter1 and this one does work correctly even without the P-line.
I double checked all the entries of the original setup and I can't see anything wrong. All looks good. It's a bit confusing, but it works. Would love to know why the original is not working, but I guess that is not your concern. The logic works. Thanks for all the effort!!!

isaias_freitas
Advisor
Advisor
0 Kudos

You are welcome! 🙂

If the data there was not masked, my best guess is that there is something wrong with the PSE file used by the original saprourter1...

daphneo
Explorer

Mystery has been resolved. I've had the SAP GUI installed on the SAProuter1 server. If during the installation you enable the "SNC Client Encryption 2.0", the installer will create an environmental variable for SNC_LIB_64. That is the problem. Removing that environmental variable makes everything work (i.e. without the P-line).

Thanks again for your assistance!

isaias_freitas
Advisor
Advisor
0 Kudos

Cool! 🙂

Thank you for sharing your findings! 🙂

Answers (0)