KT entry for SAProuter breaks other connections

former_member449168
Participant
0 Kudos

Hi

We are running SAProuter connecting to different SAP Systems.

Our saprouttab contains a KP entry for each instance. Based on this post we only have KP entries to allow running multiple connections at the same time.

It works fine, but now we have a case where one connection is not working. If I add the KT entry then it does work, but all the others fail.

Here is a sample of my saprouttab file:

#Client 1
#KT "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE" * *

#Client 2
KP "p:CN=SERVERSAPR, OU=0001255679, OU=SAProuter, O=SAP, C=DE" * *

#Client 3
KP "p:CN=ACME" * *

With the sample above I can connect to Client 2 and 3, but not Client 1.
But if I include the KT entry at the top, then I can connect to Client 1, but not Client 2 nor Client 3.

How can I change this so that all 3 connections will work?

Error at Client 1 without the KT entry:

*** ERROR => SncPEstablishContext(): SNCERR_AUTH_MISMATCH -- wrong peer!
   expecting   = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
   but peer is = "p:CN=OurCertName"
<<- ERROR: SncProcessInput()==SNCERR_AUTH_MISMATCH
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-41;00000042BE5F1C90;1274) [nisnc.c      1003]

Error our side:

*** ERROR => NiBufIProcMsg: hdl 18 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp    2042]
isaias_freitas
Advisor

Hello Patricio.

What is the error seen at the client 1 when there is no KT entry?

And what is logged at the "dev_rout" file of the saprouter?

Regards,

Isaías

former_member449168
Participant
0 Kudos

Hi Isaias. Good to hear from you again. I updated the question with the 2 errors.

Accepted Solutions (0)

Answers (2)

0 Kudos

Hello,

the KT entry needs the hostname of the related SAProuter. " * * " means every connection is expected to be an SNC connection with SNC name "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE"

KT "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE" <HOSTNAME> *

Best regards,

Andreas Westphal

isaias_freitas
Advisor
0 Kudos

Hello Patricio,

What is the client 1? Is it an ABAP system or another saprouter?

The lines

*** ERROR => SncPEstablishContext(): SNCERR_AUTH_MISMATCH -- wrong peer!
   expecting   = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
   but peer is = "p:CN=OurCertName"

seem to indicate that the client has incorrect SNC settings.

The SNC peer, at client 1, should be "p:CN=OurCertName", no?

What is the complete landscape?

Client 1 (saprouter? SAP GUI? ABAP?) -> saprouter -> another saprouter? -> target system (ABAP?)

If "client 1" is a saprouter, then what is the actual client (before "client 1")?

Client 0 (SAP GUI? ABAP?) -> saprouter (client 1) -> another saprouter? -> target system (ABAP?)

Regards,

Isaías

former_member449168
Participant
0 Kudos

Thanks for the effort to assist (again).
I hope I answer all your questions:

1. What is the client 1: It is another SAProuter

2. The SNC peer, at client 1, should be "p:CN=OurCertName":
Yes. That is what is strange. They have in their saprouttab file entries for:
KT "p:CN=OurCertName" 52.x.x.x *
KP "p:CN=OurCertName" 10.x.x.x *
P 10.x.x.x 52.x.x.x *

Take note that they have a lot of other entries as well for other connections like SolMan, but the above is what applies to us.

3. What is the complete landscape?
Client 1, 2 and 3 are all similar. It is a SAProuter to SAProuter connection with 3x certificates installed on our side, and all 3 of them have our certificate installed in their environment. The aim is to extract data from SAP ECC via RFC calls.

4. If "client 1" is a saprouter, then what is the actual client (before "client 1")?
I'm not sure if I understand fully, but client 1 is the first entry in our saprouttab file. Client 2 and 3 are below that, but the file starts with Client 1.

isaias_freitas
Advisor
0 Kudos

Hello Patricio,

You are welcome! 🙂

If client 1 is a saprouter, then what is "client 0"? Is it like below?


Client 0 (ABAP system) ---- connects to --> client 1 (saprouter) --> client 2 (your saprouter) --> final target (ECC system)

former_member449168
Participant
0 Kudos

Hi. I'm not sure what you mean by client 0. What I mean by "client" is a "customer". So we connect to SAP Systems of different Companies.

Our system works something like this:
Our SAProuter --> Company A SAProuter ---> Company A SAP System
Our SAProuter --> Company B SAProuter ---> Company B SAP System
Our SAProuter --> Company C SAProuter ---> Company C SAP System

isaias_freitas
Advisor
0 Kudos

Hello Patricio,

From the tests I could do so far, it seems that you would have to:

  • Setup the SNC trust between your SAP system and the target SAP systems ("Company A SAP System", "Company B SAP System", ...), "ignoring" the saprouters;
  • Setup the SNC trust between the saprouters

It seems that the network connection / communication from SAP to a saprouter is not SNC enabled...

I am also only finding references of enabling SNC between saprouters, not between SAP and a saprouter.

I still have to do more tests to figure it out...

Regards,

Isaías

former_member449168
Participant
0 Kudos

Thanks for the effort and reply. Just a note: we do not have a SAP System on our part. We are using a 3rd party app to read the data from SAP using RFC's. So we can't setup a trust relationship between the SAP Systems.

You also mention "Setup the SNC trust between the saprouters" and that SNC is not enabled. I would have thought that the fact that we are using certificates on both sides will mean that there is an SNC trust relationship.

If you have references or a suggestion on how to set it up we can try it.

isaias_freitas
Advisor
0 Kudos

Hello Patricio,

You are welcome!

The KT and KP entries in the saprouttab are used to establish an SNC-activated connection between saprouters.

SNC is based on certificates...

How does this 3rd party app connect to SAP? I mean, does it use RFC or HTTP?

If it is RFC, then SNC is the way to encrypt the communication.

About the client system (at your end) not being an SAP system, it would not matter.

I could do some more tests and these are my findings so far:

  1. Considering the following landscape:

    client system (3rd party app at your end) -> saprouter1 (at your end) -> saprouter2 (at customer's end) -> SAP (at customer's end)
  2. Establish the SNC trust directly between the client system and SAP, as if the saprouters were not involved;
  3. At the saprouter 1 (at your end), add the following lines:

    P   <IP from client system - 3rd party app>       <IP of saprouter 2>   <port of saprouter 2>
    KT  <SNC name of saprouter 2>                     <IP of saprouter 2>   <port of saprouter 2>
    KP  <SNC name of client system - 3rd party app>   <IP of saprouter 2>   <port of saprouter 2>
  4. At the saprouter 2 (at customer's end), add the following lines:

    P <IP of saprouter 1>   <IP of SAP>   <port of SAP>
    KP <SNC name of saprouter 1>    <IP of SAP>  <port of SAP>
  5. Add the entries from #3 for each customer / target system.
    At each customer, add entries from #4.

About the rules from item #3, I need to do more tests to determine whether both P and KP are required.

Regards,

Isaías
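The first-match behaviour behind Andreas's answer (a `KT ... * *` entry is consulted before anything below it, so every hop is expected to reach the same SNC partner) and the host/port-qualified entries in the numbered steps above can be checked with a small simulator. This is an added example, not code from SAP, from saprouter or from anyone in the thread. It assumes that saprouter walks the table top-down and takes the first matching entry, that `*` is a wildcard in the destination columns, that a KT entry names the SNC partner the router must find on the far side while KP/KD/KS entries name the partner a connection arrives from, and it collapses both into a single `peer_snc_name` field on the hop; passwords and the remote saprouter's own checks (the "expecting sapserv2" error seen at customer 1) are not modelled. The SNC names are the ones quoted in the question; the host names, the port and the `.invalid` domain are constructed placeholders.

```python
"""Simplified model of how saprouter walks a saprouttab top-down (added example)."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Entry:
    kind: str   # P, D, S (plain) or KT, KP, KD, KS (SNC)
    name: str   # source-host pattern for P/D/S, SNC name for K* entries
    host: str   # destination host pattern, '*' = any
    serv: str   # destination service/port pattern, '*' = any

@dataclass(frozen=True)
class Hop:
    src_host: str                 # matched by P/D/S entries
    dest_host: str
    dest_serv: str
    peer_snc_name: Optional[str]  # partner saprouter's SNC name (assumption: one field for KT target / KP source)

def parse_saprouttab(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)  # '#' comments dropped, quoted SNC names kept whole
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError(f"malformed saprouttab entry: {raw!r}")
        entries.append(Entry(fields[0].upper(), fields[1], fields[2], fields[3]))
    return entries

def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value

def _applies(e: Entry, hop: Hop) -> bool:
    if not (_match(e.host, hop.dest_host) and _match(e.serv, hop.dest_serv)):
        return False
    if e.kind == "KT":                # selects on destination only; the name is checked afterwards
        return True
    if e.kind in ("KP", "KD", "KS"):  # only for connections from that SNC partner
        return hop.peer_snc_name == e.name
    return _match(e.name, hop.src_host)

def first_match(entries: List[Entry], hop: Hop) -> Optional[Entry]:
    """First entry in file order that applies; None means saprouter denies the hop."""
    return next((e for e in entries if _applies(e, hop)), None)

def verdict(entries: List[Entry], hop: Hop) -> str:
    e = first_match(entries, hop)
    if e is None or e.kind in ("D", "KD"):
        return "denied"
    if e.kind == "KT" and e.name != hop.peer_snc_name:   # the symptom quoted in the thread
        return f"SNCERR_AUTH_MISMATCH: expecting {e.name!r} but peer is {hop.peer_snc_name!r}"
    return "ok: SNC-protected hop to target" if e.kind == "KT" else "permitted"

def _covers(outer: Entry, inner: Entry) -> bool:
    """True if every hop matched by `inner` is already matched by the earlier `outer`."""
    if not (_match(outer.host, inner.host) and _match(outer.serv, inner.serv)):
        return False
    if outer.kind == "KT":
        return True
    if outer.kind in ("KP", "KD", "KS"):
        return inner.kind in ("KP", "KD", "KS") and outer.name == inner.name
    return inner.kind in ("P", "D", "S") and _match(outer.name, inner.name)

def unreachable(entries: List[Entry]) -> List[int]:
    """Indexes of entries that an earlier, broader entry always pre-empts (lint check)."""
    return [j for j, inner in enumerate(entries)
            if any(_covers(outer, inner) for outer in entries[:j])]

SNC_CLIENT1 = "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE"
SNC_CLIENT2 = "p:CN=SERVERSAPR, OU=0001255679, OU=SAProuter, O=SAP, C=DE"
SNC_CLIENT3 = "p:CN=ACME"

# The question's table with its commented-out KT line re-enabled (the failing case).
TAB_KT_WILDCARD = f'''
#Client 1
KT "{SNC_CLIENT1}" * *
KP "{SNC_CLIENT1}" * *
#Client 2
KP "{SNC_CLIENT2}" * *
#Client 3
KP "{SNC_CLIENT3}" * *
'''

# Same table with KT pinned to client 1's saprouter; host name and port are constructed.
TAB_KT_PINNED = TAB_KT_WILDCARD.replace(
    f'KT "{SNC_CLIENT1}" * *', f'KT "{SNC_CLIENT1}" router1.client1.invalid 3299')

# Constructed hops: one per customer, each toward that customer's saprouter.
HOPS = {
    "client1": Hop("app.ours.invalid", "router1.client1.invalid", "3299", SNC_CLIENT1),
    "client2": Hop("app.ours.invalid", "router2.client2.invalid", "3299", SNC_CLIENT2),
    "client3": Hop("app.ours.invalid", "router3.client3.invalid", "3299", SNC_CLIENT3),
}

def route_all(tab_text: str) -> Dict[str, str]:
    entries = parse_saprouttab(tab_text)
    return {name: verdict(entries, hop) for name, hop in HOPS.items()}
```

`route_all(TAB_KT_WILDCARD)` reproduces the pattern from the question (client 1 passes, clients 2 and 3 fail with a name mismatch) and `unreachable(parse_saprouttab(TAB_KT_WILDCARD))` flags every entry below the wildcard KT as dead; with the KT pinned to one host and port, all three hops are accepted and no entry is shadowed. The `unreachable` lint is the check to run on any saprouttab before deploying it: an entry that can never match is either redundant or, as here, a sign that an earlier wildcard is too broad.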

former_member449168
Participant
0 Kudos

Thanks for your efforts. After chatting to SAP it would seem that the correct approach is to keep the KT entries and run multiple SAProuters via different ports.

isaias_freitas
Advisor
0 Kudos

You are welcome!

I do not see the need to run multiple saprouters on different ports.

It would be just a matter of creating the correct saprouttab entries and establishing the trust between your saprouter and your customers' saprouters.

Regards,

Isaías