
KT entry for SAProuter breaks other connections

Hi

We are running SAProuter connecting to different SAP Systems.

Our saprouttab contains a KP entry for each instance. Based on this post we only have KP entries to allow running multiple connections at the same time.

It works fine, but now we have a case where one connection is not working. If I add the KT entry then it does work, but all the others fail.

Here is a sample of my saprouttab file:

#Client 1
#KT "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE" * *

#Client 2
KP "p:CN=SERVERSAPR, OU=0001255679, OU=SAProuter, O=SAP, C=DE" * *

#Client 3
KP "p:CN=ACME" * *

With the sample above I can connect to Client 2 and 3, but not Client 1.
But if I include the KT entry at the top, then I can connect to Client 1, but not Client 2 nor Client 3.

How can I change this so that all 3 connections will work?

Error at Client 1 without the KT entry:

*** ERROR => SncPEstablishContext(): SNCERR_AUTH_MISMATCH -- wrong peer!
   expecting   = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
   but peer is = "p:CN=OurCertName"
<<- ERROR: SncProcessInput()==SNCERR_AUTH_MISMATCH
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-41;00000042BE5F1C90;1274) [nisnc.c      1003]

Error on our side:

*** ERROR => NiBufIProcMsg: hdl 18 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp    2042]

1 Answer

  • Mar 11 at 01:44 PM

    Hello Patricio,

    What is the client 1? Is it an ABAP system or another saprouter?

    The lines

    *** ERROR => SncPEstablishContext(): SNCERR_AUTH_MISMATCH -- wrong peer!
       expecting   = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
       but peer is = "p:CN=OurCertName"

    seem to indicate that the client has incorrect SNC settings.

    The SNC peer, at client 1, should be "p:CN=OurCertName", no?

    What is the complete landscape?

    Client 1 (saprouter? SAP GUI? ABAP?) -> saprouter -> another saprouter? -> target system (ABAP?)

    If "client 1" is a saprouter, then what is the actual client (before "client 1")?

    Client 0 (SAP GUI? ABAP?) -> saprouter (client 1) -> another saprouter? -> target system (ABAP?)

    Regards,

    Isaías


    • You are welcome!

      I do not see the need to run multiple saprouters on different ports.

      It would be just a matter of creating the correct saprouttab entries and establishing the trust between your saprouter and your customers' saprouters.

      Regards,

      Isaías
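
Added example, not part of the thread and not SAP's own code: a small Python check that reads a saprouttab and flags the wildcard pattern shown in the question, assuming the documented column meaning (KT: SNC name of the target, then destination host and service; KP/KS: SNC name of the source, then destination host and service). The sample table is constructed from the question with the KT line active, and the `parse` and `lint` names and the finding codes are hypothetical.

```python
import shlex

# Constructed sample: the saprouttab from the question with the KT line active.
SAMPLE = '''\
#Client 1
KT "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=SRVPROD, OU=0000917546, OU=SAProuter, O=SAP, C=DE" * *
#Client 2
KP "p:CN=SERVERSAPR, OU=0001255679, OU=SAProuter, O=SAP, C=DE" * *
#Client 3
KP "p:CN=ACME" * *
'''

def parse(text):
    """Return (line_no, kind, snc_name, host, service) for each SNC (K*) entry."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps the quoted SNC name as one field
        if fields[0] in ("KT", "KP", "KS", "KD") and len(fields) >= 4:
            entries.append((no, fields[0], fields[1], fields[2], fields[3]))
    return entries

def lint(text):
    """Flag wildcard SNC entries; codes are hypothetical names for this example."""
    findings = []
    for no, kind, name, host, service in parse(text):
        if (host, service) != ("*", "*"):
            continue
        if kind == "KT":
            # Assumed semantics: every outbound hop is opened with SNC and must
            # authenticate as `name`, so hops to other peers fail the name check.
            findings.append((no, "KT-WILDCARD", name))
        elif kind in ("KP", "KS"):
            # The named peer may be routed to any host and service behind the router.
            findings.append((no, "PERMIT-ANY-TARGET", name))
    return findings

if __name__ == "__main__":
    for no, code, name in lint(SAMPLE):
        print(f"line {no}: {code}: {name}")
```

A KT line scoped to the one host and service that needs SNC, in place of `* *`, no longer produces the KT-WILDCARD finding.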