on 11-27-2020 4:23 PM
Hi All,
I have upgraded the saprouter version to 7.53 and also renewed the certificate, but still, while starting the SAPRouter, the following error is recorded in the dev_rout file.
Fri Nov 27 16:00:18 2020
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [D:/depot/b 3638]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [D:/depot/bas/75 3604]
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2210220:Own certificate is expired
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0000000002119420;97) [nisnc.c 1003]
I have tried a couple of references but am still not able to resolve this error. Any idea how I can resolve this error?
Br,
Ketan
I was able to resolve the problem. The problem was that the username with which I executed the commands to renew the certificate was different from the Admin user.
So the solution was to delete the certificate, log in with the Admin user on the Windows server where the saprouter is running, renew the certificate and start the saprouter again.
Here are some useful commands:
sapgenpse get_my_name -n validity
sapgenpse seclogin -p D:\usr\sap\SAPRouter\local.pse -O npsadm
sapgenpse get_pse -v -r certreq -p local.pse "CN=saprouter, OU=00000001, OU=SAProuter, O=SAP, C=DE"
sapgenpse import_own_cert -c srcert -p local.pse
sapgenpse seclogin -p local.pse
sapgenpse get_my_name -n all
niping -c -H sapip -S 3299 -> This normally returns Error.
Br,
Ketan
Thanks Ketan,
Glad to hear that your issue has been resolved.
Please test the RFC destination "SAPOSS", mark the thread as resolved and close it.
Thanks, Sankar
Hi sankar_27 ,
I have now tried to start the router with the command,
./sapgenpse get_my_name -v -n Issuer
and in the dev_rout file, I can see the following at the end. After that there are no further entries in the dev_rout file.
******* NI-ROUTER LOOP ********
>>> NiSelISelect: Start (timeout -1)
>>> NiSelISelectInt: Start
SiSelNSelect: start select (timeout=-1)
and the result of saprouter -l is as follows:
So can I assume it is working fine? Can you help further? Thanks a lot.
Br,
Ketan
Hi Sankara,
I logged in as Admin user and the SECUDIR user environment variable was pointing to some other directory. I set this to point to the saprouter directory and then tried to start the saprouter service.
I am getting the following failure.
In the dev_rout file, there is no certificate failure as there was before, but rather a failure regarding the saprouttab entries.
---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "753"
---------------------------------------------------
Mon Nov 30 09:27:18 2020
SAP Network Interface Router, Version 40.4
command line arg 0: saprouter
command line arg 1: -r
main: pid = 6724, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: './saprouttab'
*** ERROR => SNC field without SNC active, skip line 2 [nirout.cpp 10915]
*** ERROR => SNC field without SNC active, skip line 4 [nirout.cpp 10915]
*** ERROR => SNC field without SNC active, skip line 9 [nirout.cpp 10915]
*** ERROR => SNC field without SNC active, skip line 13 [nirout.cpp 10915]
*** ERROR => SNC field without SNC active, skip line 17 [nirout.cpp 10915]
*** ERROR => SNC field without SNC active, skip line 21 [nirout.cpp 10915]
*** ERROR => SNC field without SNC active, skip line 22 [nirout.cpp 10915]
*** ERROR => SNC field without SNC active, skip line 40 [nirout.cpp 10915]
*** ERROR => SNC field without SNC active, skip line 41 [nirout.cpp 10915]
Do you have any further hints for these issues?
Br,
Ketan
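A triage sketch for the two dev_rout symptoms quoted in this thread, as an added example that is not part of any post or of SAP's tooling: it flags the expired-own-certificate GSS-API error and the saprouttab lines skipped because SNC was not active. The sample trace is constructed from the excerpts above, and the parser assumes each command-line argument is logged on its own line, as in those excerpts.

```python
import re

# Constructed sample: lines copied from the two dev_rout excerpts in this thread.
SAMPLE = """\
command line arg 0: saprouter
command line arg 1: -r
reading routtab: './saprouttab'
*** ERROR => SNC field without SNC active, skip line 2 [nirout.cpp 10915]
*** ERROR => SNC field without SNC active, skip line 4 [nirout.cpp 10915]
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2210220:Own certificate is expired
"""

ARG = re.compile(r"command line arg \d+:\s*(\S+)")
SKIP = re.compile(r"SNC field without SNC active, skip line (\d+)")
GSS_MIN = re.compile(r"GSS-API\(min\):\s*(\w+):(.*)")

def triage(text):
    """Summarise SNC-related findings from a dev_rout trace."""
    args, skipped, gss = [], [], []
    for line in text.splitlines():
        if m := ARG.search(line):
            args.append(m.group(1))
        elif m := SKIP.search(line):
            skipped.append(int(m.group(1)))
        elif m := GSS_MIN.search(line):
            gss.append((m.group(1), m.group(2).strip()))
    snc_on = "-K" in args  # -K "p:CN=..." is how the thread's start command enables SNC
    return {
        "started_with_K": snc_on,
        "skipped_routtab_lines": skipped,
        "snc_inactive": bool(skipped) and not snc_on,
        "expired_own_cert": [c for c, msg in gss if "expired" in msg.lower()],
    }

def hints(result):
    """Map findings to the checks discussed in this thread."""
    out = []
    if result["snc_inactive"]:
        out.append("saprouttab lines %s were skipped: trace shows no -K argument"
                   % result["skipped_routtab_lines"])
    if result["expired_own_cert"]:
        out.append("PSE in use holds an expired certificate: check SECUDIR and "
                   "which account ran sapgenpse seclogin / import_own_cert")
    return out

if __name__ == "__main__":
    for h in hints(triage(SAMPLE)):
        print(h)
```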
Hi Sankara,
Output of the command
./sapgenpse get_my_name -v -n Issuer
with non admin user is as follows :
I have asked for the admin user details and will try with that once I have them. But if the certificate is renewed and is visible on the SAP portal, why is the new certificate not being considered while starting the saprouter?
The saprouter server is a Windows server.
Br,
Ketan
Hi Ketan
Switch to the sidadm user, run the commands below and get the correct output:
1. ./sapgenpse get_my_name -v -n Issuer
2. ./sapgenpse get_my_name
3. ./saprouter -n
Start the router with the command below:
./saprouter -r -S 3299 -V 3 -K "p:CN=router hostname, OU=0000XXXX, OU=SAProuter, O=SAP, C=DE" &
Make sure to clean up related processes / reboot the OS before starting the router.
Thanks, Sankar
Hi Ketan,
Check this blog on how to perform the SAP router certificate renewal:
https://blogs.sap.com/2019/01/07/renewal-of-sap-router-certificate/
Regards
SS
Hi Sriram,
I have followed the same blog. The only difference is the result of the following command.
sapgenpse get_my_name -v -n Issuer
I am not able to view the result, probably because I am not logged in as the Administrator user on the SAPRouter server.
I can see the new certificate at the Portal, but somehow when the saprouter is starting again, it is not considering the new certificate.
If it may help to suggest a solution: before doing the certificate renewal, I also upgraded the SAPRouter to 7.53.
Thanks for any further help.
Br,
Ketan