
saprouter A2200202:Actual server name differs from requested one

Dec 14, 2016 at 08:49 PM

608


Hi,

I have done everything (I think) mentioned in the online documentation to set up my saprouter but I still can't connect with saposs.

Here is my dev_rout:

[root@saprouter saprouter]# cat dev_rout
---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "745"
---------------------------------------------------
Wed Dec 14 13:58:47 2016
SAP Network Interface Router, Version 40.4
command line arg 0: ./saprouter
command line arg 1: -r
command line arg 2: -K
SncInit(): Initializing Secure Network Communication (SNC)
AMD/Intel x86_64 with Linux (mt,ascii,SAP_UC/size_t/void* = 8/64/64)
UserId="root" (0), envvar USER="root"
SncInit(): Trying environment variable SNC_LIB as gssapi library name:
"/usr/sap/saprouter/libsapcrypto.so".
File "/usr/sap/saprouter/libsapcrypto.so" dynamically loaded as GSS-API v2 library.
SECUDIR="/usr/sap/saprouter" (from $SECUDIR)
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib
Product Version = CommonCryptoLib 8.5.5 (Sep 23 2016) [AES-NI,CLMUL,SSE3,SSSE3]
main: pid = 1819, ppid = 1734, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: './saprouttab'
Wed Dec 14 13:59:33 2016
*** ERROR => SncPEstablishContext() failed for target='p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE' [/bas/745_R 3638]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [/bas/745_REL/sr 3604]
      GSS-API(maj): Miscellaneous failure
      GSS-API(min): A2200202:Actual server name differs from requested one.
    Unable to establish the security context
    target="p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0x1e62740;1421) [nisnc.c 1003]

If I created the credentials with root, is this an issue?

What else could be the issue?


4 Answers

Best Answer
Reagan Benjamin
Dec 16, 2016 at 12:02 AM
0
*** ERROR => SncPEstablishContext() failed for target='p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE' [/bas/745_R 3638]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [/bas/745_REL/sr 3604]
      GSS-API(maj): Miscellaneous failure
      GSS-API(min): A2200202:Actual server name differs from requested one.
Thu Dec 15 08:48:39 2016
    Unable to establish the security context
    target="p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0x1f95b50;1421) [nisnc.c      1003

Your saprouttab could be the issue.

[root@saprouter saprouter]# cat saprouttab
# SNC connection to and from SAP
KT "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

Modify the above entry to:

KT "p:CN=sapserv2, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC connection to local system for R/3 support
KP "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.229 3200
KP "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.178 3200

Modify the above two entries to:

KP "p:CN=sapserv2, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.229 3200
KP "p:CN=sapserv2, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.178 3200

Restart the saprouter and check if it helps.


It worked, thank you Reagan.

For some reason, I thought "CN=sapserv2, OU=SAProuter, O=SAP, C=DE" was a generic example to be replaced everywhere with the distinguished name I received.

I'm happy I did everything else right... glass half full!

0
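A check for the mistake resolved in the answer above, as an added example that is not part of the original thread: it flags saprouttab KT/KP entries whose SNC name is this router's own certificate subject rather than the peer's name. The function names are hypothetical, and the sample inputs are constructed from the `sapgenpse get_my_name` output and saprouttab lines posted in this thread.

```python
import re
import shlex

# Constructed sample inputs, shaped like the output posted in this thread.
SAMPLE_MY_NAME = """\
Subject               :   CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE
Issuer                :   CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
"""
SAMPLE_ROUTTAB = '''\
# SNC connection to and from SAP
KT "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.229 3200
P 192.168.10.* 194.39.131.34 3299
D * * *
'''

def normalize_dn(name):
    """Drop the 'p:' prefix; compare RDNs ignoring case and spacing."""
    name = name.strip()
    if name.lower().startswith("p:"):
        name = name[2:]
    return tuple(part.strip().casefold() for part in name.split(","))

def own_subject(get_my_name_output):
    """Extract the Subject line from `sapgenpse get_my_name` output."""
    m = re.search(r"^Subject\s*:\s*(.+)$", get_my_name_output, re.MULTILINE)
    if not m:
        raise ValueError("no Subject line found")
    return m.group(1).strip()

def find_self_named_entries(routtab_text, subject):
    """Return (line_no, line) for KT/KP entries naming our own subject."""
    own = normalize_dn(subject)
    hits = []
    for no, line in enumerate(routtab_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        fields = shlex.split(stripped)  # keeps the quoted SNC name as one field
        if len(fields) >= 2 and fields[0].upper() in ("KT", "KP"):
            if normalize_dn(fields[1]) == own:
                hits.append((no, stripped))
    return hits

if __name__ == "__main__":
    subject = own_subject(SAMPLE_MY_NAME)
    for no, line in find_self_named_entries(SAMPLE_ROUTTAB, subject):
        print(f"saprouttab:{no}: SNC name is this router's own subject: {line}")
```
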
Reagan Benjamin
Dec 14, 2016 at 11:13 PM
0

Did you register the router with SAP prior to the configuration? As you are setting up the saprouter with SNC, are you using the distinguished name provided by SAP?

Dominique Labrecque Dec 15, 2016 at 02:47 PM
0

Hi Reagan,

Yes, I filled and sent the remote connection data sheet to SAP as component XX-SER-NET-NEW.

I named the server where saprouter is installed "saprouter" so the distinguished name provided by SAP is really "CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE"

I currently have an open incident for support regarding this. They asked for the saprouter to be stopped and restarted with:

# ./saprouter -r -V 2 -K "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE"

I sent them the following information:

[root@saprouter saprouter]# ./sapgenpse get_my_name -n all

SSO for USER "root"
  with PSE file "/usr/sap/saprouter/local.pse"

Subject               :   CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE
Issuer                :   CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
Serialno              :   72:65:B0:8B:8C:A8:90:1B:10:01:EA:00
KeyInfo               :   RSA, 2048-bit
Validity  -  NotBefore:   Tue Dec 13 10:08:07 2016 (161213150807Z)
             NotAfter :   Wed Dec 13 10:08:07 2017 (171213150807Z)
KeyUsage              :   digitalSignature nonRepudiation keyEncipherment dataEncipherment
ExtKeyUsage           :   none
SubjectAltName        :   none
[root@saprouter saprouter]# ./sapgenpse seclogin -l

 running seclogin with USER="root"
 0 (LPS:OFF): CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE
         (LPS:OFF): /usr/sap/saprouter/local.pse
 1 readable SSO-Credentials available
[root@saprouter saprouter]# ./niping -c -O -S 3299 -H 194.39.131.34

Thu Dec 15 09:42:15 2016
connect to server o.k.
send 10 messages (len 1000)
------- times -----
avg     0.006 ms
max     0.029 ms
min     0.001 ms
tr  174386.161 kB/s
excluding max and min:
av2     0.003 ms
tr2 300480.769 kB/s
[root@saprouter saprouter]# ./niping -c -H /H/192.168.10.222/H/194.39.131.34/H/localhost

Thu Dec 15 09:43:06 2016
*** ERROR => NiBufIProcMsg: hdl 1 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp    2042]
*** ERROR => NiBufIConnect: route connect for non-buffered hdl 1 failed (rc=-104;/H/192.168.10.222/H/194.39.131.34/H/localhost); pong not received [nibuf.cpp    4730]
*** ERROR => NiTClientLoop: NiHandle (rc=-104) [nixxtst.cpp  2935]

*****************************************************************************
*
*  LOCATION    SAProuter 40.4 on 'saprouter'
*  ERROR       SNC processing failed:
*              SncProcessInput
*
*  TIME        Thu Dec 15 09:43:06 2016
*  RELEASE     745
*  COMPONENT   NI (network interface)
*  VERSION     40
*  RC          -104
*  MODULE      /bas/745_REL/src/base/ni/nisnc.c
*  LINE        1000
*  DETAIL      NiSncIProcIn: sncrc=-4;0x1fa2010
*  COUNTER     17
*
*****************************************************************************
[root@saprouter saprouter]# cat saprouttab
# SNC connection to and from SAP
KT "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC connection to local system for R/3 support
KP "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.229 3200
KP "p:CN=saprouter, OU=0001584558, OU=SAProuter, O=SAP, C=DE" 192.168.10.178 3200

# Access from the local network to SAP
P 192.168.10.* 194.39.131.34 3299

# Deny all other connections
D * * *

And the content of dev_rout after these commands, which I attached to this message.

Thanks for your help!

06-dev-rout.txt (26.7 kB)
Deepak Kori Dec 16, 2016 at 02:48 PM
0

Hi,

Could you perform a DNS host lookup and check whether the same host name resolves?

You may also update the local host file with the appropriate hostname, including the FQDN.

Regards,

Deepak Kori
