We as Basis administrators are often tasked with setting up a new SAPRouter during the migration of SAP workloads from on-premise to the cloud. Recently I too was involved in such an activity and found the steps a bit all over the place, but I finally managed to do the configuration successfully, so I have tried to summarise the steps here. I hope it is of help.

Installation Procedure:

  • Follow these steps to install SAPRouter:

    • Step 1: Download SAPROUTER, SAPCAR, and SAPCRYPTOLIB files from the SAP Marketplace.

    • Step 2: Create the required directory structure.

    • Step 3: Install SAPRouter using the downloaded SAPCAR and SAPROUTER files.

    • Step 4: Set the environment variables SECUDIR and SNC_LIB.

    • Step 5: Generate a certificate using sapgenpse get_pse.

    • Step 6: Create a srcert file and import your certificate.

    • Step 7: Create credentials for your user ID using sapgenpse seclogin.

    • Step 8: Check the issuer name with sapgenpse get_my_name -v -n Issuer.

    • Step 9: Start the SAPRouter service by creating it with the sc.exe command.

    • Step 10: Test the new SAPRouter setup by changing IP and hostname in the system and checking SM59 and SAPOSS connections.


Setting Up SAPRouter on a New Server 

  1. Server Information:

    • SAP Server: sapserv2 (    ---> This is the IP Address of EMEA SAP Connection via Internet SNC 

    • SAPRouter will be running on port 3299.

  1. Open Necessary Ports: 

To enable SAPRouter to function correctly, open the following ports on your SAPRouter server and firewall:

    • 32nn: R3 Support Connection --> "nn" is the instance number of your R3 system

    • 23: Telnet

    • 1503: Net-meeting

    • 5601: PC-Anywhere

    • 3389: Windows Terminal Server (WTS)

  1. Register with SAP: 

    • Register your new SAPRouter's public IP and hostname with SAP.

    • You can raise an OSS (Online Service System) request under the component "XX-SER-NET-NEW."

  1. Receive Distinguished Name: 

    • After SAP registers the new IP, you will receive the new distinguished name for your SAPRouter.

  1. Update Host and Services Files: 

    • Update the host file on the SAPRouter server with all server details.

    • Update the services file entry in the system, usually found at C:\Windows\System32\drivers\etc.

  1. Configure saprouttab: 

    • Create a saprouttab file with the necessary definitions. Here's a sample saprouttab for SNC:

      # SNC is used to sapserv2 because of the following line for each protocol
      KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" *
      # Access from all locations in the customer Network to the
      # SAPNet - R/3 Frontend (SAP Support System) via sapserv2
      KP * "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 3299
      # SNC-connection from SAP to the customer R/3-System for Support
      # (one line of these per each system or app-server)
      KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> <R/3-Instance> <pwd>
      # SNC-connection from SAP to the customer R/3-System for NetMeeting
      # (set this up ONLY if needed)
      KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 1503 <pwd>
      # SNC-connection from SAP to the customer R/3-System for telnet
      # (set this up ONLY if needed)
      KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <R/3-Server> 23 <pwd>
      # Deny all other connections
      D * * *
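
A small audit for a table like the sample above, as an added example that is not from the original post or from SAP: it flags non-ASCII characters such as curly quotes or zero-width spaces picked up by copying from a web page, inbound SNC routes without a route password, the optional telnet and NetMeeting routes, over-broad permits, and a missing final D * * *. The host erp01, the password and the sample table are constructed placeholders, and the list of checks is this example's own choice.

```python
import shlex

PERMIT = {"P", "S", "KP", "KS"}          # rule types that allow a route
KEYWORDS = PERMIT | {"D", "KD", "KT"}
OPTIONAL_PORTS = {"23": "telnet", "1503": "NetMeeting"}  # "ONLY if needed" in the sample

# Constructed sample: host erp01 and the password are placeholders.
SAMPLE = '''# constructed saprouttab for the audit below
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" *
KP * "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" erp01 3200 example-pwd
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" erp01 23
KP \u201cp:CN=sapserv2, OU=SAProuter, O=SAP, C=DE\u201d erp01 1503 example-pwd
P * * *
'''

def audit_saprouttab(text):
    """Return (line_number, message) findings; line 0 means the table as a whole."""
    findings, rules = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.isascii():
            # Curly quotes or zero-width spaces picked up when copying from a web page.
            findings.append((no, "non-ASCII character in rule, retype with plain quotes"))
            continue
        try:
            tok = shlex.split(line)          # keeps a quoted SNC name as one token
        except ValueError:
            findings.append((no, "unbalanced quote"))
            continue
        rules.append(tok)
        kind, args = tok[0].upper(), tok[1:]
        if kind not in KEYWORDS:
            findings.append((no, f"unknown rule type {tok[0]!r}"))
        elif kind in PERMIT and len(args) >= 3:
            src, dst, svc = args[:3]
            if dst == "*" and svc == "*":
                findings.append((no, "permits any destination host and service"))
            if svc in OPTIONAL_PORTS:
                findings.append((no, f"{OPTIONAL_PORTS[svc]} route, keep only if needed"))
            if src.startswith("p:") and len(args) < 4:
                findings.append((no, "inbound SNC route without a route password"))
    if not rules or rules[-1] != ["D", "*", "*", "*"]:
        findings.append((0, "last rule is not 'D * * *'"))
    return findings

if __name__ == "__main__":
    for no, msg in audit_saprouttab(SAMPLE):
        print(f"line {no}: {msg}")
```
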


  1. SAPRouter Commands:

          You can use the following SAPRouter commands:

    • Start router: saprouter -r

    • Stop router: saprouter -s

    • Soft shutdown: saprouter -p

    • Router info: saprouter -l (-L)

    • Create a new routtab: saprouter -n

    • Toggle trace: saprouter -t

    • Cancel route: saprouter -c id

    • Dump buffers: saprouter -d

    • Flush: saprouter -f

    • Start router with a third-party library: saprouter -a library

For Windows, follow the steps below:

  1. Removing a Previously Defined SAProuter Service: If you have already set up the Saprouter as a service using srvany.exe, you should follow these steps:

    • First, remove the service definition from the Windows registry. You can do this by navigating to the following path: HKEY_LOCAL_MACHINE -> System -> CurrentControlSet -> Services -> SAPRouter.

    • After removing the registry entry, reboot your machine.

  1. Defining a New SAProuter Service from the Command Line: To define a new SAProuter service from the command line, use the following command. Make sure to replace <path> with the actual path to saprouter.exe and <your_distinguished_name> with the "Distinguished Name" registered for your installation from the Trust Center Service - Download Area. Ensure that all parameters are enclosed in double quotes ("):

(This will register the service SAPRouter and assign the local user mentioned)

    • sc.exe create SAPRouter binPath= "<path>\saprouter.exe service -r -W 60000 -R <path>\saprouttab -K ^p:<your_distinguished_name>^" start= auto obj= "NT AUTHORITY\LocalService"

  1. Specifying a Route Permission Table File (SAPROUTTAB): Starting from version 25 (3.0E), you must specify a route permission table file (SAPROUTTAB) for SAProuter. You can find more information in Note 30289.

  2. Editing the Registry String: Modify the string in the Windows registry under HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Services -> saprouter by replacing ^ with double quotes (") in the ImagePath.

  3. Making SAPCRYPTOLIB Credentials Available to a Service Process: Perform the following steps to make SAPCRYPTOLIB credentials available to a process running as an NT service:

    • Run the command: sapgenpse seclogin -p <path>\<psefile> -O <SNC_admin> (Ensure that the account of the service user is entered in the format <domainname>\<username>)

    • Check if the certificate has been imported correctly by running the command: sapgenpse get_my_name -v -n Issuer. The Issuer should have the name: CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE

    • Check if the environment variables SNC_LIB and SECUDIR have been set under the user account that SAProuter is running under by running the command: sapgenpse

    • Verify that your Distinguished Name and the validity date are correct by running the command: sapgenpse get_my_name

  1. Maintaining General Attributes of the Service: After installation, follow these steps to maintain the general attributes of the SAProuter service:

    • Go to 'Control Panel -> Services,' find 'SAPRouter,' and click on 'Startup.'

    • Set the startup type to 'Automatic' and enter the user <SNC_admin>. It's essential not to run SAPRouter under the system account.

  1. Avoiding Error Messages in NT Event Viewer: To prevent the error message 'The description for Event ID (0) ...' in the NT Event Viewer, make the following entries in the Registry:

    • Navigate to HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Services -> Eventlog -> Application.

    • Create the following key: SAPRouter.

    • Define the two following values within the SAPRouter key:

    • EventMessageFile (REG_SZ): <local_path>\sapevents.dll

    • TypesSupported (REG_DWORD): 0x7

  1. Check the issuer name with "sapgenpse" 

    • sapgenpse get_my_name -v -n Issuer

      You should get an output like this. CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

  2. Start the SAPRouter service by creating it with the sc.exe command

  3. Test the new SAPRouter setup by changing the IP and hostname in the system and checking SM59 and SAPOSS connections.



Conclusion: I hope this documentation will help you install/configure the SAPRouter from scratch on Windows and save you time.

Please share your feedback if you go through this and follow my page as I will be producing such technical documentation in future as well.