on 2021 Aug 13 11:13 AM
Hi
I'm setting up a SAProuter connection between 2 of our servers and our SAP box.
The connection is working, but in the trace file I do notice this line, which I assume means that the traffic is not encrypted.
NiSncGetPeer: hdl 11 not SNC enabled
My question is, how can I enable SNC encryption on the traffic between the routers and SAP?
Here is my setup and saprouttab files:
SAProuter 1 (external network) --> SAProuter 2 (internal network) --> SAP
- I have installed a certificate from SAProuter 1 in the pse file of SAProuter 2.
- I have also installed the certificate from SAProuter 2 into the pse file of SAProuter 1
- Both saprouters are started with the -K param followed by the name of its own certificate.
saprouttab of SAProuter 1:
KT "p:CN=SAPRouter2cert" [Public_IP_SAProuter2] 3299
P [Private_IP_SAProuter1] [Public_IP_SAProuter2] *
saprouttab of SAProuter 2:
KT "p:CN=SAPRouter1cert" [Public_IP_SAProuter1] 3299
KP "p:CN=SAPRouter1cert" [SAP_Internal_IP] *
P [Public_IP_SAProuter1] [SAP_Internal_IP] *
#Note that if this P line comes out then the connection does not work anymore.
Hello Daphne,
Just to confirm, on saprouttab of saprouter1, when you say:
P [Private_IP_SAProuter1] [Public_IP_SAProuter2] *
do you mean
P [Private_IP_or network_of_client(s)] [Public_IP_SAProuter2] *
?
Hint: the port number on the above rule could be 3299 instead of "*".
The rules on saprouter2 seem correct.
Another thing, if you start the saprouters with level 2 trace ("-V 2" in the command line), do you see them loading the PSE files?
If not, have you created the SSO credentials for the user ID running the saprouters, so they can load the PSE files without requiring a password?
sapgenpse seclogin -p [path to PSE file]
(executed while logged on as the user that will run the saprouter)
Regards,
Isaías
Hi Isaias
Thanks for the reply. Hereby answers to the questions:
1. Do you mean: P [Private_IP_or network_of_client(s)] [Public_IP_SAProuter2] *
I must be honest that I'm not sure exactly what you're suggesting or what I can try here. My entry looks something like this:
P 10.1.1.1 52.30.40.80 *
where 10.1.1.1 is the private IP of the server running SAProuter1 (i.e. the same machine) and 52.30.40.80 is the Public IP of the secondary SAProuter.
2. If you start the saprouters with level 2 trace ("-V 2" in the command line), do you see them loading the PSE files?
I've started them now with trace level 2. I do not see any entry in the dev_rout file containing "pse". I.e. I guess it is not loading then?
3. If not, have you created the SSO credentials for the user ID running the saprouters, so they can load the PSE files without requiring a password? sapgenpse seclogin -p [path to PSE file]
Yes, I have executed the above command for the logged in user that is running the service.
Hello Daphne,
About 3, ok.
About 2, I do not recall by heart, maybe it appears only when an SNC connection is established... What is the value of the environment variable SECUDIR for the user ID that runs the service? The PSE file must be there.
About 1, the entry should follow this syntax:
P [IP of the client connecting to this saprouter] [IP of the next saprouter / final server] [TCP port of the next saprouter / final server]
But for the first field, it was mentioned that the IP of the saprouter1 itself is maintained...
Regards,
Isaías
Hi
2: Value of SECUDIR is correct. It does point to the pse directory.
1: "It was mentioned that the IP of the saprouter1 itself is maintained..."
Ahh....I understand now. In my test environment the SAProuter1 and the client from where the connection is done is the same server.
Thanks for the effort and the help!
Hi,
You are welcome!
OK... please execute "sapgenpse get_my_name -p" and confirm that the certificate's subject is the same used in the "-K" option of the saprouter startup command line (on both saprouters).
If they are correct... Confirm that the network handle you are analyzing (e.g., "NiSncGetPeer: hdl 11 not SNC enabled") is the one related to the communication between the saprouters.
I believe it could help if you could provide the output from that sapgenpse command along with a level 2 trace from both saprouters, since their startup until one connection is established.
Regards,
Isaías
Hi
The get_my_name command does seem correct.
I have created a Word doc with screenshots of the commands as you've asked for and a text file with the dev_rout info.
As there is some sensitive info in there I do not want to post everything here.
You can download the 2x docs from a wetransfer link at: https://we.tl/t-2U0aP32uJb
If you feel uncomfortable downloading from here, you are welcome to suggest another method.
I do notice this info in the dev_rout. If that will help.
<<- SncInit()==SAP_O_K
sec_avail = "true"
<<- SncSetMyName()==SAP_O_K
in: myname = "p:CN=SAPRouter2Cert"
Hello Daphne,
I am not allowed to download the file from there, sorry.
Those entries suggest that the saprouter2 (at least) has SNC enabled.
So, it might be that the saprouters do not recognize that they should establish SNC connections to each other; or that the trace line you were focusing at the opening of this thread ("NiSncGetPeer: hdl 11 not SNC enabled") is not related to the communication between the saprouters.
However, the client might be sending SNC-encrypted data, establishing an SNC ("virtual") connection with the SAP server through the "tunnel" created by the saprouters.
Regards,
Isaías
Thanks for sticking to it.
I'm attaching 2x files. The one is the log from my saprouter (i.e. SAProuter 1).
The other one is from SAProuter2 (the customer entity).
What now also worries me is that I've seen that even if I stop SAProuter1, I am still able to connect to SAP from the SAP GUI that's installed on the same server as SAProuter1. I assume it is due to the P-line in the saprouttab of SAProuter2. But is it correct?
You are welcome!
The trace from the saprouter1 does not show any connections going through...
The trace from the saprouter2 shows a non-SNC connection going through.
It seems that the client might be connecting to saprouter2 directly. This will never be SNC-enabled...
Can you confirm that the saprouter string (on the client running at the same server as saprouter1) is going through both saprouters?
It should be something like
/H/Private_IP_SAProuter1/H/Public_IP_SAProuter2
or (the complete, final saprouter string)
/H/Private_IP_SAProuter1/H/Public_IP_SAProuter2/H/SAP_Internal_IP/S/SAP_port
Regards,
Isaías
Hi
That is what you would think, and it was my expectation as well. However, removing the P-line prevents the connection from working. With the P-line included it does seem that SNC is enabled and is working. But I have been told that the P-line should preferably be removed. Should it?
Attached are the log files for the connection with the P-line removed. I.e. the failure.
Hi,
Yes, the P line should be removed, as it is not required and it is allowing non-SNC connections to go through.
The issue, now, seems to be with the KP line:
*** from saprouter2
contents of routtab ('./saprouttab', 2 entries):
KT*,* p:CN=SAPRouter1cert Public_IP_SAProuter1/32 3299 *
KP*,* p:CN=SAPRouter1cert SAP_Internal_IP/32 3299 *
That KP rule allows the connection to port 3299 only 😉
Just change it to:
KT*,* p:CN=SAPRouter1cert Public_IP_SAProuter1/32 3299
KP*,* p:CN=SAPRouter1cert SAP_Internal_IP/32 *
-> the fact that the port is defined as "*" does not allow the connection to all ports. See https://help.sap.com/viewer/e245703406684d8a81812f4c6334eb2f/202009.002/en-US/486c7a3fc1504e6ce10000... .
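An added example, not code from this thread or from SAP, that models the two points in the reply above (a K entry whose port field is 3299 cannot match a connection to port 3200, and a P entry lets a non-SNC connection through) together with the route-string walk from the earlier reply: each saprouter routes from the previous node's address to the next hop, which is exactly the pair the "no match for [src to dest, port]" trace line reports. Assumptions, stated here and in the code: entries are tried top to bottom and the first match decides, no match is a deny; P/S/D entries match on the source address; K entries match only when the SNC partner name given by the caller equals the quoted name (which partner a real saprouter checks for KT versus KP, previous or next hop, is not modelled, and neither is the SNC handshake itself). Addresses, certificate names and tables are constructed from the documentation ranges, not the thread's real ones.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAPROUTER_PORT = 3299  # assumed default when a /H/ hop carries no /S/


@dataclass
class Rule:
    kind: str  # P, S, D, KT, KP, KD
    who: str   # source host/network/'*' for P,S,D; SNC name for K entries
    dest: str  # destination host/network/'*'
    port: str  # destination port or '*'; an optional password field is ignored


def parse_saprouttab(text: str) -> List[Rule]:
    """Parse saprouttab lines; '#' starts a comment, quoted SNC names stay whole."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)
        if len(tok) < 4:
            raise ValueError(f"malformed saprouttab entry: {raw!r}")
        rules.append(Rule(tok[0].upper(), tok[1], tok[2], tok[3]))
    return rules


def _host_match(pattern: str, host: str) -> bool:
    if pattern in ("*", host):
        return True
    try:  # a network such as 198.51.100.0/24 against an address
        return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False


def evaluate(rules: List[Rule], src: str, dest: str, port: int,
             snc_partner: Optional[str] = None) -> Tuple[str, Optional[Rule]]:
    """First matching entry wins (assumption); returns ('permit'|'deny', rule)."""
    for r in rules:
        if r.kind.startswith("K"):
            if snc_partner is None or snc_partner != r.who:
                continue  # K entries compare the SNC name, not the source address
        elif not _host_match(r.who, src):
            continue
        if _host_match(r.dest, dest) and r.port in ("*", str(port)):
            return ("deny" if r.kind in ("D", "KD") else "permit"), r
    return "deny", None  # nothing matched: saprouter reports 'no match for [...]'


def parse_route(route: str) -> List[Tuple[str, int]]:
    """'/H/a/H/b/S/3200' -> [('a', 3299), ('b', 3200)]; /P/ and /W/ are skipped."""
    parts = route.split("/")
    hops: List[Tuple[str, int]] = []
    for key, val in zip(parts[1::2], parts[2::2]):
        if key == "H":
            hops.append((val, SAPROUTER_PORT))
        elif key == "S" and hops:
            hops[-1] = (hops[-1][0], int(val))
    return hops


def route_requests(route: str, client_ip: str,
                   egress: Dict[str, str]) -> List[Tuple[str, str, str, int]]:
    """(router, src, dest, port) that each saprouter on the route has to decide.

    egress maps a hop address to the source address the next hop sees (a NATed
    private address to its public one); hops not listed appear as themselves."""
    hops = parse_route(route)
    out, src = [], client_ip
    for (router, _), (nxt, nxt_port) in zip(hops, hops[1:]):
        out.append((router, src, nxt, nxt_port))
        src = egress.get(router, router)
    return out


# Constructed addresses (RFC 5737 / RFC 1918), not the thread's real ones.
CLIENT_AND_SR1 = "10.1.1.1"    # SAP GUI and SAProuter 1 on the same host
SR1_PUBLIC = "198.51.100.10"   # what SAProuter 2 sees as the source address
SR2_PUBLIC = "203.0.113.20"
SAP_HOST = "192.168.50.5"
SR1_NAME = "p:CN=SAPRouter1cert"
ROUTE = f"/H/{CLIENT_AND_SR1}/H/{SR2_PUBLIC}/H/{SAP_HOST}/S/3200"

SR1_TAB = f'KT "p:CN=SAPRouter2cert" {SR2_PUBLIC} 3299\nP {CLIENT_AND_SR1} {SR2_PUBLIC} 3299\n'
SR2_TAB_PORT_3299 = f'KP "{SR1_NAME}" {SAP_HOST} 3299\n'   # port field as in the trace
SR2_TAB_FIXED = f'KP "{SR1_NAME}" {SAP_HOST} *\n'          # port field corrected
SR2_TAB_WITH_P = SR2_TAB_FIXED + f"P {SR1_PUBLIC} {SAP_HOST} *\n"


def demo() -> Dict[str, str]:
    """Verdicts SAProuter 2 gives for the thread's scenarios."""
    _, src, dest, port = route_requests(ROUTE, CLIENT_AND_SR1, {CLIENT_AND_SR1: SR1_PUBLIC})[1]
    results = {}
    for label, tab, partner in [
        ("kp_port_3299_snc", SR2_TAB_PORT_3299, SR1_NAME),  # SNC peer, port 3200
        ("kp_port_any_snc", SR2_TAB_FIXED, SR1_NAME),
        ("no_p_line_plain", SR2_TAB_FIXED, None),           # non-SNC peer
        ("p_line_plain", SR2_TAB_WITH_P, None),
    ]:
        verdict, rule = evaluate(parse_saprouttab(tab), src, dest, port, partner)
        results[label] = verdict if rule is None else f"{verdict} via {rule.kind}"
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20s} {verdict}")
```

Running it prints one verdict per scenario: with the port field at 3299 the SNC peer is denied for port 3200 (the "no match" case from the trace), with "*" it is permitted via KP, a non-SNC peer is denied as long as only K entries exist, and the P entry is what lets that non-SNC peer through.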
Hi
Deepest thanks once again. I do realize this is not your primary problem, but I highly appreciate the help.
Removing the P entry still does not work. Even after the change you've suggested.
I do see this in the log file now which looks correct based on your previous reply:
KT*,* p:CN=SAPRouter1cert Public_IP_SAProuter1/32 3299 *
KP*,* p:CN=SAPRouter1cert SAP_Internal_IP/32 * *
The saprouttab for SAProuter2 now only has this:
KT "p:CN=SAPRouter1cert" Public_IP_SAProuter1 3299
KP "p:CN=SAPRouter1cert" SAP_Internal_IP *
I'm also attaching the log files that I now get without the P line.
Interestingly, if I add * values everywhere, but no P-line then the connection still does not work.
I.e. for SAProuter1 I now have:
KT "p:CN=SAPRouter2cert" * *
KP "p:CN=SAPRouter2cert" * *
P * * *
and for SAProuter2 I have:
KT "p:CN=SAPRouter1cert" * *
KP "p:CN=SAPRouter1cert" * *
just no P-line.
No connection when doing:
/H/SAProuter1_InternalIP/H/SAProuter2_PublicIP/S/3299/H/SAP_Internal_IP
I can't get it working unless the P-line is specified. Weird.
Hi,
The previous saprouttab you had for saprouter2 would be the correct one:
KT "p:CN=SAPRouter1cert" Public_IP_SAProuter1 3299
KP "p:CN=SAPRouter1cert" SAP_Internal_IP *
When looking at the trace for saprouter2, I see that the incoming connection is SNC-enabled.
I also see that the connection is coming from the client to saprouter1, and then to saprouter2.
I do not understand why saprouter2 is denying the connection. All looks correct now.
I have created a test lab and it is working correctly to me, with the above setup.
And this is my saprouttab for saprouter1:
KT "p:CN=SAPRouter2cert" Public_IP_SAProuter2 3299
P End_User_IP Public_IP_SAProuter2 3299
About the trace for saprouter2, did you mask / anonymize the 'data block' seen just before the connection is denied?
NiStrToAddrMask: local nodeAddrStr: SAP_Internal_IP len 8
NiIGetServNo: servicename '3200' = port 3200
<<- SncGetPeerAclKey()==SAP_O_K
'peer_aclkey' (addr=00000256700CD0B0, len=103) full hexdump
0x00000 00030401 00080606 2b240301 25010000 ........ +$..%...
0x00010 00553053 3151304f 060b2b06 01040185 .U0S1Q0O ..+.....
0x00020 36020501 03134032 33314539 33343741 6.....@2 31E9347A
Tue Aug 31 14:42:20 2021
0x00030 45353941 39443730 45414443 38383444 E59A9D70 EADC884D
0x00040 41414231 33423830 36333539 33394532 AAB13B80 635939E2
0x00050 31433943 46393036 37374542 37313638 1C9CF906 77EB7168
0x00060 44464131 323732 DFA1272
no match for [Public_IP_SAProuter1 to SAP_Internal_IP, 3200] found
*** ERROR => NiRClientHandle: NiRExRouteCon for C9/-1 'Public_IP_SAProuter1' failed (rc=-94) [nirout.cpp 3526]
If yes, then I do not understand why it is not working...
If not, then something weird is going on in the SNC connection, as that does not look like the data I would expect to see there.
Quite strange. I created another environment in place of SAProuter1 and this one does work correctly even without the P-line.
I double checked all the entries of the original setup and I can't see anything wrong. All looks good. It's a bit confusing, but it works. Would love to know why the original is not working, but I guess that is not your concern. The logic works. Thanks for all the effort!!!
Mystery has been resolved. I've had the SAP GUI installed on the SAProuter1 server. If during the installation you enable the "SNC Client Encryption 2.0", the installer will create an environment variable for SNC_LIB_64. That is the problem. Removing that environment variable makes everything work (i.e. without the P-line).
Thanks again for your assistance!