
Connecting two own saprouters with SNC and then to OSS?

m_bezemer
Explorer
0 Kudos

Hi all,

As we all know it is possible to secure your SAProuter connection to SAP Support with SNC. This requires the generation of an SNC key pair.

The situation is as follows:

Client <-> SAProuter <-> Internet <-> SAProuter <-> SAP Support (known solution)

Client <-> SAProuter <-> Internet <-> SAProuter <-> Me

I would like to know if it is possible to connect two of our own SAProuters with SNC and how. If this is not possible then we would have to install some VPN solution.

Thanks in advance.

Cheers!

Accepted Solutions (1)


Toby_Johnston
Advisor
0 Kudos

Hi Martin and all,

The scenario you describe is definitely possible.

You can refer to this help page for information on setting up SAProuter and SAPGUI with SNC.

Sincerely,

Toby Johnston

SAP America, Inc.

m_bezemer
Explorer
0 Kudos

Hi Toby,

Thanks for the reply.

One question remains to me: does the SAProuter automagically encrypt the traffic, and if yes, how does it determine the encryption key?

When connecting a SAProuter to SAP Support I have to generate a PSE-key with 'sapgenpse', send it in and import the replied PSE-key. This takes care of the encryption between my SAProuter and SAP.

Is it possible to generate PSE-keys in (a) SAP system using transaction STRUST and use these as encryption keys?

Otherwise how would I create the reply to the key exchange with 'sapgenpse'?

Thanks in advance,

Martin

Former Member
0 Kudos

Hi Toby,

Continuing Martin's question:

If the traffic intended to go through the SAProuter is already SNC encrypted, does the SAProuter terminate it and then re-encrypt?

If so, how is the original user identity kept and passed to the actual server?

Regards,

Eran

Answers (2)


0 Kudos

An SNC connection can only be done between SAP and a customer. In this case you would have to look toward your VPN solution.

-Tim

Former Member
0 Kudos

Pffff..... and you're an SAP employee? - good gracious for a quality on answers... and you've even been tagged with a "Helpful answer".... I think it's a pretty blunt answer instead of referring to something more solid... Have you really read the SAPROUTER documentation?

In fact the documentation does not state any such limit for the SNC setup. SNC has from time to time been promoted to also improve internal network security and is not limited solely to connecting to OSS.

You might also explain why you in SAP Logon have a tab related to Network settings where you can specify "Activate Secure Network Communication" ...

"SNC is used to make network connections using the Internet, in particular WAN connections, secure. It provides reliable authentication as well as encryption of the data to be transferred."

... but it could be questioned if it's a good idea to solve Martin's issue like this...

... as if he hasn't done any studies and figured out more about how to create a secure setup with saprouter, he might be better off with a VPN solution preferably managed by someone who knows about firewalls.

It's easy to create big holes with saprouter!

/2r

Former Member
0 Kudos

Hi folks,

we also have a requirement to set up two networks using a saprouter and SNC. I have the same question that Timothy asked - how do you set up the SNC key-pair?

Thanks,

Judy.

Toby_Johnston
Advisor
0 Kudos

Dear Judy / Tor-Arne,

I am double checking to see if this is possible.  Normally, SAProuter is used in SAP support scenarios (so that SAP can securely connect to your network).  However, I am checking to see if it can be used purely between two or more customer networks (with no connection to SAP whatsoever).

I will let you know asap.

Thanks,

Toby Johnston

SAP America, Inc.

Toby_Johnston
Advisor
0 Kudos

Hello,

I'm not sure I'm clear on what you're trying to do. In most cases, it is only necessary to have one SAProuter although I have seen cases where there is a SAProuter for SAP landscape and one for BOE landscape and this is possible.

However, in your situation it looks like you're trying to set up SAProuter to have the client communicate with you instead of with SAP. Is this the case?

Thanks,

Toby Johnston

SAP America, Inc.

m_bezemer
Explorer
0 Kudos

Hello Toby,

Yes, I am trying to figure out a way to have a secure connection to the client besides the connection to OSS.

If possible this would be an alternative to having to set up a VPN connection.

Thanks for your answer.

Cheers!

Martin Bezemer

Toby_Johnston
Advisor
0 Kudos

Hi Martin,

This scenario is possible under certain circumstances (depending on your affiliation with SAP).

I have referred your request to my colleague Tim Coffman who will be following up with you on Thursday (we are both at the ASUG conference Mon-Wed) to check the necessary criteria needed to set up this type of connection.

Thanks,

Toby