on 03-08-2019 8:47 AM
Hi
We are running SAProuter connecting to different SAP Systems.
Our saprouttab contains a KP entry for each instance. Based on this post we only have KP entries to allow running multiple connections at the same time.
It works fine, but now we have a case where one connection is not working. If I add the KT entry then it does work, but all the others fail.
Here is a sample of my saprouttab file:
#Client 1
#KT "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE" * *
#Client 2
KP "p:CN=SERVERSAPR, OU=0001255679, OU=SAProuter, O=SAP, C=DE" * *
#Client 3
KP "p:CN=ACME" * *
With the sample above I can connect to Client 2 and 3, but not Client 1.
But if I include the KT entry at the top, then I can connect to Client 1, but not Client 2 nor Client 3.
How can I change this so that all 3 connections will work?
Error at Client 1 without the KT entry:
*** ERROR => SncPEstablishContext(): SNCERR_AUTH_MISMATCH -- wrong peer!
expecting = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
but peer is = "p:CN=OurCertName"
<<- ERROR: SncProcessInput()==SNCERR_AUTH_MISMATCH
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-41;00000042BE5F1C90;1274) [nisnc.c 1003]
Error our side:
*** ERROR => NiBufIProcMsg: hdl 18 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp 2042]
Hello,
the KT entry needs the hostname of the related SAProuter. " * * " means every connection is expected to be an SNC connection with SNC name "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE".
KT "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE" <HOSTNAME> *
Best regards,
Andreas Westphal
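To see why a KT entry with " * * " at the top of the file captures every route, here is an added example (not the thread's own configuration and not SAP's saprouter code): a simplified top-down, first-match model of saprouttab evaluation. It assumes KT matches on destination host/service and then requires the remote SAProuter to present the named SNC name, KP is keyed on the partner's SNC name, and the hostname in the fixed variant is a placeholder.

```python
# Assumed semantics (enough to reproduce the thread's symptom, not SAP's real
# matcher): entries are scanned top-down, first match decides. KT matches on
# destination host/service and then demands the peer SNC name (mismatch ->
# "wrong peer"); KP/KS are keyed on the partner's SNC name; P permits, D denies.
import fnmatch
import shlex
from typing import List, Optional, Tuple

# Constructed saprouttab variants; router1.client1.example is a placeholder host.
BROKEN = '''
KT "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=SERVERSAPR, OU=0001255679, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=ACME" * *
'''
FIXED = BROKEN.replace('C=DE" * *', 'C=DE" router1.client1.example *', 1)

Rule = Tuple[str, Optional[str], str, str]  # (type, snc_name, dest host, service)

def parse_saprouttab(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps the quoted SNC name as one token
        kind = parts[0].upper()
        if kind in ("KT", "KP", "KS"):      # K? <snc-name> <host> <service>
            rules.append((kind, parts[1], parts[2], parts[3]))
        else:                               # P/D <source> <dest> <service>
            rules.append((kind, None, parts[2], parts[3]))  # source ignored here
    return rules

def _hit(pattern: str, value: str) -> bool:
    return pattern == "*" or fnmatch.fnmatchcase(value, pattern)

def evaluate(rules: List[Rule], host: str, service: str, peer_snc: str) -> Tuple[str, str]:
    """Decide an outgoing route to host:service whose remote SAProuter is peer_snc."""
    for kind, snc, rh, rs in rules:
        if not (_hit(rh, host) and _hit(rs, service)):
            continue
        if kind == "KT":  # destination matched: the peer MUST be the named target
            if snc == peer_snc:
                return "permit", "KT target matched"
            return "deny", f"wrong peer: expecting {snc!r} but peer is {peer_snc!r}"
        if kind in ("KP", "KS") and snc != peer_snc:
            continue  # entry is keyed on another partner; keep scanning
        return ("deny" if kind == "D" else "permit"), f"{kind} entry"
    return "deny", "no matching entry (implicit deny)"
```

With BROKEN, a route to the client 2 router is refused with "wrong peer" because the KT line matches first; with FIXED the KT line only applies to the client 1 host and the KP lines decide the other routes.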
Hello Patricio,
What is the client 1? Is it an ABAP system or another saprouter?
The lines
*** ERROR => SncPEstablishContext(): SNCERR_AUTH_MISMATCH -- wrong peer!
expecting = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
but peer is = "p:CN=OurCertName"
Seem to indicate that the client has incorrect SNC settings.
The SNC peer, at client 1, should be "p:CN=OurCertName", no?
What is the complete landscape?
Client 1 (saprouter? SAP GUI? ABAP?) -> saprouter -> another saprouter? -> target system (ABAP?)
If "client 1" is a saprouter, then what is the actual client (before "client 1")?
Client 0 (SAP GUI? ABAP?) -> saprouter (client 1) -> another saprouter? -> target system (ABAP?)
Regards,
Isaías
Thanks for the effort to assist (again).
I hope I answer all your questions:
1. What is the client 1: It is another SAProuter
2. The SNC peer, at client 1, should be "p:CN=OurCertName":
Yes. That is what is strange. They have in their saprouttab file entries for:
KT "p:CN=OurCertName" 52.x.x.x *
KP "p:CN=OurCertName" 10.x.x.x *
P 10.x.x.x 52.x.x.x *
Take note that they have a lot of other entries as well for other connections like solmnan, but the above is what applies to us.
3. What is the complete landscape?
Client 1, 2 and 3 are all similar. It is a SAProuter to SAProuter connection with 3x certificates installed on our side, and all 3 of them have our certificate installed in their environment. The aim is to extract data from SAP ECC via RFC calls.
4. If "client 1" is a saprouter, then what is the actual client (before "client 1")?
I'm not sure if I understand fully, but client 1 is the first entry in our saprouttab file. Client 2 and 3 are below that, but the file starts with Client 1.
Hi. I'm not sure what you mean by client 0. What I mean by "client" is a "customer". So we connect to SAP Systems of different Companies.
Our system works something like this:
Our SAProuter --> Company A SAProuter ---> Company A SAP System
Our SAProuter --> Company B SAProuter ---> Company B SAP System
Our SAProuter --> Company C SAProuter ---> Company C SAP System
Hello Patricio,
From the tests I could do so far, it seems that you would have to:
it seems that the network connection / communication from SAP to a saprouter is not SNC enabled...
I am also only finding references of enabling SNC between saprouters, not between SAP and a saprouter.
I still have to do more tests to figure it out...
Regards,
Isaías
Thanks for the effort and reply. Just a note: we do not have an SAP System on our part. We are using a 3rd party app to read the data from SAP using RFCs. So we can't set up a trust relationship between the SAP Systems.
You also mention "Setup the SNC trust between the saprouters" and that SNC is not enabled. I would have thought that the fact that we are using certificates on both sides will mean that there is an SNC trust relationship.
If you have references or suggestions on how to set it up, we can try it.
Hello Patricio,
You are welcome!
The KT and KP entries in the saprouttab are used to establish an SNC-activated connection between saprouters.
SNC is based on certificates...
How does this 3rd party app connect to SAP? I mean, does it use RFC or HTTP?
If it is RFC, then SNC is the way to encrypt the communication.
About the client system (at your end) not being an SAP system, it would not matter.
I could do some more tests and these are my findings so far:
P <IP from client system - 3rd party app> <IP of saprouter 2> <port of saprouter 2>
KT <SNC name of saprouter 2> <IP of saprouter 2> <port of saprouter 2>
KP <SNC name of client system - 3rd party app> <IP of saprouter 2> <port of saprouter 2>
P <IP of saprouter 1> <IP of SAP> <port of SAP>
KP <SNC name of saprouter 1> <IP of SAP> <port of SAP>
About the rules from item #3, I need to do more tests to determine whether both P and KP are required.
Regards,
Isaías