Monday, July 26, 2010

Setup SAProuter Certificate...

Just for grins this past week, SAP decided to perform some maintenance that resulted in invalidating many SAP customers' certificates. Three of my client sites lost connectivity to SAP via SAProuter immediately following this maintenance last week, and all three had valid certificates inside the 1-year period... nevertheless, I got to help brush some people up on how to renew these certificates.

So, here is the procedure for you; I will leave in the parts you will need if you are starting from scratch.

If you are just renewing your certificates, you can ignore the first part:

First, submit a customer message to SAP Support (component XX-SER-NET-OSS-NEW) and ask them to register the hostname and external IP address of your new SAProuter. You will also have to get the firewall opened for communication between this IP address and the SAP network (SAProuter listens on TCP port 3299 by default). NAT is okay, as long as the address you register is the one SAP sees.

After you’ve received a confirmation from SAP that your SAProuter has been registered, you are ready to configure your SAProuter.

In the following scenario, the SAProuter directory is D:\usr\sap\saprouter. Copy the following SAProuter executables from your kernel directory into the SAProuter directory:

niping.exe
ntscmgr.exe
saprouter.exe

You will also create a plain text file named SAPROUTTAB in that directory. This is the route permission table that permits or denies traffic through the SAProuter; keep it to the routes you actually need and end it with an explicit deny-all entry. (sapgenpse.exe, used in the steps below, ships with the SAP Crypto Library from step 2, not with the kernel.)

1. Set 2 System Environment Variables:
a. SECUDIR = D:\usr\sap\saprouter\SNC
b. SNC_LIB = D:\usr\sap\saprouter\SNC\nt-x86_64\sapcrypto.dll

2. Download the SAP Crypto Library (SAPCRYPTOLIB) and unpack it into D:\usr\sap\saprouter\SNC (the SECUDIR path above); the package contains sapcrypto.dll and sapgenpse.exe.

3. To request the new certificate, go to http://service.sap.com/tcs > Download Area > SAProuter > Certificates > Apply Now. Take note of the Distinguished Name shown in the lower box; the certificate request in the next step must use exactly this DN.

4. To generate the PSE and a certificate request, run the command
- "sapgenpse get_pse -v -r D:\usr\sap\saprouter\SNC\certreq -p D:\usr\sap\saprouter\SNC\local.pse"
- Enter a 4-digit PIN for the PSE, or leave it blank
- Repeat the PIN, or leave it blank again
- Enter the Distinguished Name provided by SAP in step 3, exactly as shown; it has the form CN=<your SAProuter hostname>, OU=<value shown by SAP>, OU=SAProuter, O=SAP, C=DE
The request is written to the certreq file.

5. Open D:\usr\sap\saprouter\SNC\certreq and paste its contents into the Apply Now form from step 3; SAP returns the signed certificate. Create a text file D:\usr\sap\saprouter\SNC\srcert and paste the returned certificate into it. Then run the command:
sapgenpse import_own_cert -c D:\usr\sap\saprouter\SNC\srcert -p D:\usr\sap\saprouter\SNC\local.pse

6. To generate credentials for the user that runs the SAProuter service (this must be the account the service logs on as), run the command:
sapgenpse seclogin -p D:\usr\sap\saprouter\SNC\local.pse -O [Domain\SAPServiceSID]
This creates the file "cred_v2", which lets that user open the PSE without entering the PIN. Anyone who can read cred_v2 and local.pse can impersonate your SAProuter, so restrict the NTFS permissions on the SNC directory to this account and administrators.

7. Check the configuration by running the command:
sapgenpse get_my_name -v -n Issuer
The issuer shown should be SAP's CA. Running sapgenpse get_my_name -v without the -n filter prints the full certificate, including its validity period; note the expiry date, because the certificate is only valid for one year and has to be renewed before it lapses.

8. Create the SAProuter service on Windows with the command below. -r runs saprouter as a router, -R names the route permission table, -W is the wait time in milliseconds, and -K is the SAProuter's own SNC name, i.e. "p:" followed by the Distinguished Name from step 3:
ntscmgr install SAProuter -b D:\usr\sap\saprouter\saprouter.exe -p "service -r -R D:\usr\sap\saprouter\saprouttab -W 60000 -K ^p:<Distinguished Name from step 3>^"

9. ntscmgr cannot pass literal double quotes in the parameter string, which is why carets were used above. Edit the Windows Registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAProuter\ImagePath
and change both ^ characters to " so that the SNC name is properly quoted.

10. Start the SAProuter service

11. In transaction OSS1 -> Technical Settings, enter the required parameters (your SAProuter at the customer site and the SAProuter at SAP) so that connections to SAP go through the new router.
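The steps above collected into one PowerShell script, with the checks a practitioner would add along the way. This is an added example and is not code from the original post or from SAP. Its assumptions: the SAProuter directory layout from the post, sapgenpse.exe and saprouter.exe already in that directory, an elevated session, a service account and Distinguished Name supplied as parameters (placeholders, not real values), and that registering saprouter.exe with New-Service is equivalent to ntscmgr (which is why the registry edit in step 9 is not needed). The saprouttab template it writes is constructed, modelled on SAP's reference table in SAP Note 525751; confirm the current sapserv name and address with SAP before using it.

```powershell
# Added example, not from the original post. Run once with -Phase Request,
# complete the SAP web form, then run again with -Phase Install.
param(
    [ValidateSet('Request', 'Install')] [string]$Phase = 'Request',
    [string]$Dir = 'D:\usr\sap\saprouter',
    [Parameter(Mandatory)] [string]$ServiceAcct,   # e.g. DOMAIN\SAPServiceSID (placeholder)
    [Parameter(Mandatory)] [string]$Dn             # the DN SAP shows in step 3, verbatim
)
$ErrorActionPreference = 'Stop'
$Snc    = Join-Path $Dir 'SNC'
$Pse    = Join-Path $Snc 'local.pse'
$SncLib = Join-Path $Snc 'nt-x86_64\sapcrypto.dll'
$Tab    = Join-Path $Dir 'saprouttab'
$Gen    = Join-Path $Dir 'sapgenpse.exe'

# Steps 1-2: variables for this session and persistently (machine scope, so the service sees them);
# fail early if the crypto library is not where SNC_LIB says it is
$env:SECUDIR = $Snc; $env:SNC_LIB = $SncLib
[Environment]::SetEnvironmentVariable('SECUDIR', $Snc,    'Machine')
[Environment]::SetEnvironmentVariable('SNC_LIB', $SncLib, 'Machine')
if (-not (Test-Path $SncLib)) { throw "SAP Crypto Library not found at $SncLib (step 2)" }

if ($Phase -eq 'Request') {
    # Step 4: sapgenpse prompts for the PIN and the DN; enter the DN exactly as SAP showed it
    & $Gen get_pse -v -r (Join-Path $Snc 'certreq') -p $Pse
    if ($LASTEXITCODE -ne 0) { throw 'get_pse failed' }
    Write-Host "Paste $Snc\certreq into the SAP form, save the returned certificate as $Snc\srcert, then rerun with -Phase Install"
    return
}

# Steps 5-7: import the certificate, create cred_v2 for the service account, verify the issuer
$Cert = Join-Path $Snc 'srcert'
if (-not (Test-Path $Cert)) { throw "save the certificate SAP returned as $Cert first" }
& $Gen import_own_cert -c $Cert -p $Pse
if ($LASTEXITCODE -ne 0) { throw 'import_own_cert failed' }
& $Gen seclogin -p $Pse -O $ServiceAcct
if ($LASTEXITCODE -ne 0) { throw 'seclogin failed' }
& $Gen get_my_name -v -n Issuer            # expect SAP's CA here

# cred_v2 opens the PSE without a PIN, so only the service account, SYSTEM and admins may read the directory
icacls $Snc /inheritance:r /grant:r "${ServiceAcct}:(OI)(CI)R" `
    "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" | Out-Null

# Route table: refuse to start without one, and warn if it has no explicit deny-all line.
# The template is constructed (placeholders in angle brackets) and is written beside the real file.
if (-not (Test-Path $Tab)) {
    @'
# SNC route from this SAProuter to SAP's SAProuter (sapserv)
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <sapserv IP> *
# SNC route from SAP back to the local SAP system for remote support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <local SAP system IP> <port>
# local SAP system to SAP (OSS1 / service connections)
P <local SAP system IP> <sapserv IP> 3299
# everything not listed above is denied
D * * *
'@ | Set-Content -Path "$Tab.example"
    throw "$Tab is missing; a template was written to $Tab.example"
}
if (-not (Select-String -Path $Tab -Pattern '^\s*D\s+\*\s+\*\s+\*' -Quiet)) {
    Write-Warning "saprouttab has no 'D * * *' line; add one rather than relying on defaults"
}

# Steps 8-9: New-Service stores the command line verbatim, so the quotes around the SNC name
# survive and the caret/registry workaround is not needed (assumption: equivalent to ntscmgr)
$Bin = "`"$Dir\saprouter.exe`" service -r -R `"$Tab`" -W 60000 -K `"p:$Dn`""
New-Service -Name SAProuter -BinaryPathName $Bin -StartupType Automatic `
            -Credential (Get-Credential $ServiceAcct) | Out-Null

# Step 10
Start-Service SAProuter
Get-Service SAProuter
```

The script deliberately stops rather than guessing when the crypto library, the returned certificate, or the route table is absent: an SAProuter that starts with an incomplete SNC setup or without a route table is the kind of silent misconfiguration that the expiry incident above illustrates.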
 
Hope this helps...