
SAP Router configuration on Linux RedHat platform (error with SNCInit)

May 25, 2017 at 06:56 PM


Hello SAP Gurus,

I need your help. I have been trying to set up a SAPRouter in Linux for a while and kind of got stuck on a variable in Linux. I tried the command to set the variable: export SNC_LIB=/usr/sap/saprouter/sapcrypto.mf and I see there is also another file, sapcrypto.lst (these two files, and more, were unzipped when I ran SAPCAR for the SAPCRYPTOLIBPxxxx.SAR). Of course, I also set the variables SECURDIR and PATH.
Also SAPCAR my saprouterxxx.SAR file.

When I run my script “./script” I get the following:

__________________________________________________________________
\n Starting saprouter

[root@saprouter saprouter]#

*****************************************************************************

*
* ERROR SNC processing failed:
* SncInit
*
* TIME Thu May 25 12:19:34 2017
* RELEASE 745
* COMPONENT NI (network interface)
* VERSION 40
* RC -17
* MODULE /bas/745_REL/src/base/ni/nisnc.c
* LINE 553
* DETAIL NiSncInit: sncrc=-1
* COUNTER 4
*

*****************************************************************************

trcfile dev_rout

_______________________________________________________

This is the script that I am applying:
####################################################

export PATH=$PATH:/usr/sap/saprouter
export SECUDIR=/usr/sap/saprouter
export SNC_LIB=/usr/sap/saprouter/sapcrypto.mf

SRDIR=/usr/sap/saprouter
LOGFILE=$SRDIR/saproute.log
if [ -f $SRDIR/saprouter ]; then
echo "\n Starting saprouter" | tee -a $LOGFILE
$SRDIR/saprouter -r -R $SRDIR/saprouttab -G $LOGFILE -W 60000 -K "p:CN=saprouter, OU=0000672351, OU=saprouter, O=SAP, C=DE" | tee -a $LOGFILE &

fi
###########################################

The script above was created in Linux, not created in Windows and then exported to Linux.

When I run the command: sapgenpse get_my_name -v -n Issuer

I get the issuer digital certificate without any problem, everything appears "ok"
*****
Opening PSE "/usr/sap/saprouter/local.pse"...
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "root"
with PSE file "/usr/sap/saprouter/local.pse"
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
*****

And when I run a “cat dev_rout” I get the following message
---------------------------------------------------

trc file: "dev_rout", trc level: 1, release: "745"

---------------------------------------------------

Thu May 25 12:25:13 2017

SAP Network Interface Router, Version 40.4

command line arg 0: /usr/sap/saprouter/saprouter

command line arg 1: -r

command line arg 2: -R

command line arg 3: /usr/sap/saprouter/saprouttab

command line arg 4: -G

command line arg 5: /usr/sap/saprouter/saproute.log

command line arg 6: -W

command line arg 7: 60000

command line arg 8: -K

command line arg 9: p:CN=saprouter, OU=0000672351, OU=saprouter, O=SAP, C=DE

SncInit(): Initializing Secure Network Communication (SNC)

AMD/Intel x86_64 with Linux (mt,ascii,SAP_UC/size_t/void* = 8/64/64)

UserId="root" (0), envvar USER="root"

SncInit(): Trying environment variable SNC_LIB as

gssapi library name: "/usr/sap/saprouter/sapcrypto.mf".

*** ERROR => DlLoadLib()==DLENOACCESS - dlopen("/usr/sap/saprouter/sapcrypto.mf") FAILED

"/usr/sap/saprouter/sapcrypto.mf: invalid ELF header" [dlux.c 521]

*** ERROR => SncPDLInit()==SNCERR_INIT, Adapter #1 (/usr/sap/saprouter/sapcrypto.mf) not loaded [/bas/745_R 727]

<<- SncInit()==SNCERR_INIT

sec_avail = "false"

*** ERROR => NiSncInit: SncInit failed (sncrc=-1) [nisnc.c 555]

*** ERROR => main: NiSncInit failed (rc=-17) [nirout.cpp 1958]

*****************************************************************************

*

* ERROR SNC processing failed:
* SncInit

*

* TIME Thu May 25 12:25:13 2017

* RELEASE 745

* COMPONENT NI (network interface)

* VERSION 40

Thu May 25 12:25:13 2017

* RC -17

* MODULE /bas/745_REL/src/base/ni/nisnc.c

* LINE 553

* DETAIL NiSncInit: sncrc=-1

* COUNTER 4

*

*****************************************************************************

<<- ERROR: SncDone()==SNCERR_INIT_FIRST

I am logged in as root user, I would highly appreciate your help towards this matter.

Thank you in advance,

3 Answers

Alfonso Alvarado May 26, 2017 at 10:51 PM
0

Hello Experts,

After a few tweaks, I am getting the following message after running my script:

\n Starting saprouter
[root@saprouter saprouter]#
*****************************************************************************
*
* LOCATION SAProuter 40.4 on 'saprouter'
* ERROR service '0.0.0.0:3299' in use
*
* TIME Fri May 26 17:43:33 2017
* RELEASE 745
* COMPONENT NI (network interface)
* VERSION 40
* RC -4
* MODULE /bas/745_REL/src/base/ni/nixxi.cpp
* LINE 3831
* DETAIL NiIBindSocket
* SYSTEM CALL bind
* ERRNO 98
* ERRNO TEXT Address already in use
* COUNTER 2
Fri May 26 17:43:33 2017
*
*****************************************************************************

trcfile dev_rout

My script looks now like this:
export PATH=$PATH:/usr/sap/saprouter
export SECUDIR=/usr/sap/saprouter
export SNC_LIB=/usr/sap/saprouter/libsapcrypto.so

SRDIR=/usr/sap/saprouter
LOGFILE=$SRDIR/saproute.log
if [ -f $SRDIR/saprouter ]; then
echo "\n Starting saprouter" | tee -a $LOGFILE
$SRDIR/saprouter -r -R $SRDIR/saprouttab -G $LOGFILE -W 60000 -K "p:CN=saprouter, OU=0000672351, OU=saprouter, O=SAP, C=DE" | tee -a $LOGFILE &

fi

Thanks again for your support. I believe there was a post similar to this but I am getting a different error message. Please help.

Isaias Freitas
May 29, 2017 at 11:40 PM
0

Hello Alfonso,

The new error indicates that there is another process (another saprouter?) already using the TCP/IP port 3299:

* ERROR service '0.0.0.0:3299' in use *
* TIME Fri May 26 17:43:33 2017
* RELEASE 745
* COMPONENT NI (network interface)
* VERSION 40
* RC -4
* MODULE /bas/745_REL/src/base/ni/nixxi.cpp
* LINE 3831
* DETAIL NiIBindSocket
* SYSTEM CALL bind
* ERRNO 98
* ERRNO TEXT Address already in use

You can follow this WIKI page for assistance in identifying which is the other process.

Then, you need to stop this other process, so the saprouter can use the port 3299.

Regards,

Isaías


Thank you Isaías for your help. I did run the command in the post you recommended: "netstat -nepal | grep 3299"

and got the following output:

[root@saprouter saprouter]# netstat -nepal|grep 3299
tcp 0 0 0.0.0.0:3299 0.0.0.0:* LISTEN 0 13527 1343/saprouter

Seems that the port is being used by the service saprouter, which is good. However, I cannot connect to SAPNet when I try to go to transaction oss1 -> Parameters -> Technical Settings and put the name of my saprouter and IP, then press Logon (should appear "Select Group; 1_Public, 2_Japanese... and so on"); instead I get: "unable to connect to SAPNet message Server" (Default Connection will be used...)

Thank you again Isaías for your support, and all the SAP community that may want to help.

Kind Regards,

Alfonso

0

Hello Alfonso,

You are welcome!

So, OK, you already have a saprouter running.

You can make changes to the saprouttab file and then reload it by running "saprouter -n". This will tell the already running saprouter to reload the saprouttab.

If you have the relevant entries at the saprouttab, OSS1 should work.

Do you see any entries being created at the "dev_rout" file around the time you try connecting with OSS1?

Regards,

Isaías

0

That is awesome Isaias, when I type saprouter -r (which is to restart the service, right?) I get the following:
""" [root@saprouter saprouter]# saprouter -n

Thu Jun 1 10:22:34 2017
SAP Network Interface Router, Version 40.4
Thu Jun 1 10:22:35 2017
peer SAProuter with NI version 40 ...
send new-routtab-request to running SAProuter ...
request successfully completed. """

For now, I have set the saprouttab with all permissions to accept all connections (P * * *); it is the only sentence for now, for testing purposes. I created the saprouttab on Linux because I've read in another post that importing it from Windows was not advised (create it on Windows and then transfer to Linux).


But I still could not connect, even after running "service iptables stop" to disable the firewall; I was desperate for a connection.
When I type cat dev_rout, I get the following:
---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "745"
---------------------------------------------------
Mon May 29 11:35:30 2017
SAP Network Interface Router, Version 40.4
command line arg 0: saprouter
command line arg 1: -r
main: pid = 45767, ppid = 44962, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: './saprouttab'
*** ERROR => SNC field without SNC active, skip line 1 [nirout.cpp 10670]

Line 1 in my saprouttab is P * * * , and is the only line I have set for testing purposes.
Please let me know if I am doing something wrong, I believe we are very close to solving this issue.

Thanks in advance Isaias for your constant support and all experts/gurus that may want to join this adventure :)

Alfonso

0

Hello Alfonso,

The "-r" argument is to start the saprouter.

There is no argument to restart it. So, you would need to stop it with "saprouter -s" and then start it again manually.

About the SNC error, that is curious (as there is no SNC field at your file :-) ).

Try adding a blank line at the end of the saprouttab file.

For example:

(...FILE STARTS ON THE NEXT LINE...)

P * * *
<blank line>

(...FILE ENDS AT THE LINE ABOVE...)

Regards,

Isaías
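
An added example, not part of the thread and not SAP's code: a small lint for the saprouttab discussed above. It flags the all-wildcard "P * * *" entry used here for testing, K-type (SNC) entries, Windows line endings, and a missing final newline. The function name audit_routtab and the assumed field layout (type, source, destination, service) belong to this example.

```shell
#!/bin/sh
# Added example, not from the thread: lint a saprouttab before "saprouter -n".
# Assumed field layout: <type> <source> <destination> <service> [<password>].

# audit_routtab FILE: prints one finding per line; returns 0 if clean,
# 1 if anything was flagged, 2 if the file cannot be read.
audit_routtab() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    # Flag a final line with no terminating newline (compare the advice
    # in the thread to end the file with a blank line).
    if [ -n "$(tail -c 1 "$file")" ]; then
        echo "end of file: last line has no trailing newline"; rc=1
    fi
    # CR characters mean the file was written with Windows line endings.
    if grep -q "$(printf '\r')" "$file"; then
        echo "file contains CR characters (Windows line endings)"; rc=1
    fi
    n=0
    # "|| [ -n "$line" ]" keeps a last line that lacks a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=$(printf '%s' "$line" | tr -d '\r')
        case $line in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f   # split into fields without globbing "*"
        case $1 in
            K*) echo "line $n: SNC entry '$1' needs SNC active (saprouter -K)"; rc=1 ;;
            P|S)
                if [ "${2-} ${3-} ${4-}" = "* * *" ]; then
                    echo "line $n: permits every source to every host and service"; rc=1
                fi ;;
        esac
    done < "$file"
    return $rc
}

# Constructed sample: the single test entry from the thread, no final newline.
sample=$(mktemp)
printf 'P * * *' > "$sample"
audit_routtab "$sample" || true
```
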

0

Thanks Isaías,

Something odd happened: I stopped the service with saprouter -s and then tried to start it manually with saprouter -r, but couldn't start it manually. I had to run my script in order to be able to start my service; then everything looked in order. Another weird thing I noticed recently is that every time I set my variables, the 3 of them look fine except for SNC_LIB=/usr/sap/saprouter/libsapcrypto.so (libsapcrypto.so changes by itself to sapcrypto.lst); I need to change it every time with export SNC_LIB=/usr/sap/saprouter/libsapcrypto.so

I tried to change/add it in vi /etc/rc.local and also did chmod 755 /etc/rc.d/rc.local just in case. But every time I reboot, it changes. Is there any other place I need to change this?

Now after I press saprouter -n everything is OK and get this note after typing cat dev_rout:

[root@saprouter saprouter]# cat dev_rout

---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "745"
---------------------------------------------------
Thu Jun 1 19:29:29 2017
SAP Network Interface Router, Version 40.4
command line arg 0: /usr/sap/saprouter/saprouter
command line arg 1: -r
command line arg 2: -R
command line arg 3: /usr/sap/saprouter/saprouttab
command line arg 4: -G
command line arg 5: /usr/sap/saprouter/saproute.log
command line arg 6: -W
command line arg 7: 60000
command line arg 8: -K
command line arg 9: p:CN=saprouter, OU=0000672351, OU=saprouter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
AMD/Intel x86_64 with Linux (mt,ascii,SAP_UC/size_t/void* = 8/64/64)
UserId="root" (0), envvar USER="root"
SncInit(): Trying environment variable SNC_LIB as
gssapi library name: "/usr/sap/saprouter/libsapcrypto.so".
File "/usr/sap/saprouter/libsapcrypto.so" dynamically loaded as GSS-API v2 library.
SECUDIR="/usr/sap/saprouter" (from $SECUDIR)
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib
Product Version = CommonCryptoLib 8.5.12 (Apr 12 2017) [SSE3]
main: pid = 9432, ppid = 1, port = 3299, parent port = 0 (0 = parent is not a saprouter)
***LOG Q0I=> NiIBindSocket: bind (98: Address already in use) [/bas/745_REL/src/base/ni/nixxi.cpp 3831]
*** ERROR => NiIBindSocket: SiBind failed for hdl 1/sock 5 (SI_EPORT_INUSE/98; I4; ST; 0.0.0.0:3299) [nixxi.cpp 3831]
*** ERROR => main: NiBufServerHandleForAddr failed (rc=-4) [nirout.cpp 2208]
*****************************************************************************
*
* LOCATION SAProuter 40.4 on 'saprouter'
* ERROR service '0.0.0.0:3299' in use
*
* TIME Thu Jun 1 19:29:29 2017
* RELEASE 745
* COMPONENT NI (network interface)
* VERSION 40
* RC -4
* MODULE /bas/745_REL/src/base/ni/nixxi.cpp
* LINE 3831
* DETAIL NiIBindSocket
* SYSTEM CALL bind
* ERRNO 98
* ERRNO TEXT Address already in use
* COUNTER 2
*
*****************************************************************************

I guess this means that the service is running and is already in use, after running netstat -anp|grep 3299

[root@saprouter saprouter]# netstat -anp|grep 3299
tcp 0 0 0.0.0.0:3299 0.0.0.0:* LISTEN 1344/saprouter

Maybe I am missing something else; this is a Linux environment in a Virtual PC HyperV, and I have run it on an Amazon machine as well and see the same behavior. Does it have something to do with virtual box? I doubt it but just wondering.

Thanks in advance for your time and effort,

Kind regards,

Alfonso A.

0

Hello Alfonso,

The script shared at the opening of this thread is setting the environment variable SNC_LIB:

export SNC_LIB=/usr/sap/saprouter/sapcrypto.mf

Maybe you need to adjust the value in the script.

About starting the saprouter, ensure that there is no saprouter running before you try starting it.

The trace file you shared in your last update shows that the saprouter could not start because the port 3299 was already in use and your netstat command showed that it was used by a saprouter.

About this being a virtual machine, no problem.

Kind regards,

Isaías

0

Hello Isaias,

Sorry for my late reply. Yes, I have changed it in the script as well, but same output. To make sure there is no saprouter running, I have rebooted the VM Linux server and re-run the script; everything starts OK. My problem now is when I go to tx: sso1 and try to Logon (I put my Linux saprouter hostname and IP address) and get the following:
Unable to connect to SAPNet message server (Default connection will be used...) Message no. S1452

Please help with any ideas what could be going on with the saprouter I searched.

Kind Regards,

Alfonso

0

Hello Alfonso,

I think you meant tcode OSS1, right? :o)

Try following the suggestions at the SAP Note 33135 and the SAP Notes linked at it.

Kind regards,

Isaías

0

Hahaha, you are right, I guess I was falling asleep. I saw the SAP Note, very interesting; I did all the recommendations for America settings, but no luck. Do you think it is because my saprouttab only has the parameter P * * *?
For test purposes I thought it would be best; also, the variable keeps changing after a few hours.

This is my script:

export PATH=$PATH:/usr/sap/saprouter
export SECUDIR=/usr/sap/saprouter
export SNC_LIB=/usr/sap/saprouter/libsapcrypto.so

SRDIR=/usr/sap/saprouter
LOGFILE=$SRDIR/saproute.log
if [ -f $SRDIR/saprouter ]; then
        echo "\n Starting saprouter" | tee -a $LOGFILE
$SRDIR/saprouter -r -R $SRDIR/saprouttab -G $LOGFILE -W 60000 -K "p:CN=saprouter, OU=0000672351, OU=saprouter, O=SAP, C=DE" | tee -a $LOGFILE &

fi

And these are my variables after 2 hours; it changes by itself. Some of the variables, where the main 3 components appear: PATH, SNC_LIB, and SECUDI.

PATH=/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/usr/sap/saprouter
PIPESTATUS=([0]="0")
PPID=46306
PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
PS1='[\u@\h \W]\$ '
PS2='> '
PS4='+ '
PWD=/usr/sap/saprouter
QTDIR=/usr/lib64/qt-3.3
QTINC=/usr/lib64/qt-3.3/include
QTLIB=/usr/lib64/qt-3.3/lib
SECUDIR=/usr/sap/saprouter
SELINUX_LEVEL_REQUESTED=
SELINUX_ROLE_REQUESTED=
SELINUX_USE_CURRENT_RANGE=
SHELL=/bin/bash
SHELLOPTS=braceexpand:emacs:hashall:histexpand:history:interactive-comments:monitor
SHLVL=1
SNC_LIB=/usr/sap/saprouter/sapcrypto.lst

I am really stuck at this point not sure what else to try. Is there a way I may contact you and talk live? :)

Thanks again Isaias,

Regards,

Alfonso

0

Hello Alfonso,

Something must be changing the environment variables.

I'm not sure how you could track what is doing it, no ideas come to my mind at this point :).

About the connection not working, do you see any entries being written at the saprouter trace (dev_rout) or log file (saproute.log)? You can perform "connection tests" at SM59 and see whether the same entries are written every time the test is performed.

If you see entries related to the connection issue, please post them here.

If this is urgent, you could open an SAP incident under the component XX-SER-NET. They can help with the connection between customers and SAP.

I do not work with that area, but I work with the saprouter component.

Regards,

Isaías
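
An added example, not part of the thread: one way to track where SNC_LIB is being set. It lists every SNC_LIB assignment in the startup files passed to it and reports whether the assigned file begins with the ELF magic bytes, which is what the dlopen() "invalid ELF header" error in the first trace is about. The function names, the startup-file list in the comment and the demo files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: find where SNC_LIB is assigned and
# check whether each assigned value is a file dlopen() could load.

# is_elf FILE: true if FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# snc_lib_assignments FILE...: prints "file:line:value:verdict" for every
# uncommented SNC_LIB=... assignment; unreadable files are skipped.
snc_lib_assignments() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nE '^[[:space:]]*(export[[:space:]]+)?SNC_LIB=' "$f" |
        sed 's/^\([0-9]*\):.*SNC_LIB=\([^[:space:];]*\).*$/\1 \2/' |
        tr -d "\"'" |
        while read -r lineno value; do
            if is_elf "$value"; then verdict=elf; else verdict=not-elf; fi
            echo "$f:$lineno:$value:$verdict"
        done
    done
    return 0
}

# Typical call on a Red Hat system (assumed file list; the thread does not
# say which file is involved):
#   snc_lib_assignments /etc/profile /etc/profile.d/*.sh /etc/bashrc \
#       /etc/rc.local "$HOME/.bash_profile" "$HOME/.bashrc"

# Constructed demo: a fake profile script that points SNC_LIB at a text file.
demo=$(mktemp -d)
printf '\177ELF\002\001\001' > "$demo/libsapcrypto.so"
printf 'list of files\n' > "$demo/sapcrypto.lst"
printf '# demo profile\nexport SNC_LIB=%s\n' "$demo/sapcrypto.lst" > "$demo/profile.sh"
snc_lib_assignments "$demo/profile.sh"
```
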

0
Alfonso Alvarado Jun 27, 2017 at 05:58 PM
0

Hello Isaias,

Sorry for my late reply. I will check it, and let you know. I tried setting up a saprouter and it works perfectly (in a Windows environment).

This is the dev_rout I get, which is weird again since I got it right after I stopped the saprouter -s and then start my script:

[root@saprouter saprouter]# cat dev_rout
---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "745"
---------------------------------------------------
Tue Jun 27 12:55:52 2017
SAP Network Interface Router, Version 40.4
command line arg 0:     /usr/sap/saprouter/saprouter
command line arg 1:     -r
command line arg 2:     -R
command line arg 3:     /usr/sap/saprouter/saprouttab
command line arg 4:     -G
command line arg 5:     /usr/sap/saprouter/saproute.log
command line arg 6:     -W
command line arg 7:     60000
command line arg 8:     -K

Tue Jun 27 12:55:53 2017
command line arg 9:     p:CN=saprouter, OU=0000672351, OU=saprouter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
      AMD/Intel x86_64 with Linux (mt,ascii,SAP_UC/size_t/void* = 8/64/64)
      UserId="root" (0), envvar USER="root"
SncInit(): Trying environment variable SNC_LIB as
    gssapi library name: "/usr/sap/saprouter/libsapcrypto.so".
  File "/usr/sap/saprouter/libsapcrypto.so" dynamically loaded as GSS-API v2 library.
  SECUDIR="/usr/sap/saprouter" (from $SECUDIR)
  The internal Adapter for the loaded GSS-API mechanism identifies as:
  Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib
  Product Version = CommonCryptoLib 8.5.12 (Apr 12 2017) [SSE3]
main: pid = 972, ppid = 1, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: '/usr/sap/saprouter/saprouttab'

If I open a ticket with SAP, are they going to charge me? :( We can only open 2 tickets a year in SAP.

When I run the following command netstat -anp|grep 3299; I get:

tcp 0 0 0.0.0.0:3299 0.0.0.0:* LISTEN 972/saprouter

Thank you in advance for all your help,

Alfonso
