on 12-16-2013 3:59 PM
Hi Experts,
I have troubleshoot the test connection for SAPOSS in SM59 few days and still yet to find any solution.
I have ensure that the user id and password is correct in SAPOSS and saprouttab is maintained correctly.
also, the port 3299 is open and able to ping 169.145.197.110.
i also try to reapply the cert in saprouter and ensure that the saprouter is running on correct user.
Please advise if you have any idea.
Thank you.
The error as below:
Connection Error
Error when opening an RFC connection
ERROR: SNC processing failed: SncSessionInitiatorAK
LOCATION: SAProuter 40.4 on 'Ehbsol'
DETAIL: NiSncIInitHdlSecurity: sncrc=-4;000000000253FA80
COMPONENT: NI (network interface)
COUNTER: 5
MODULE: nisnc.c
LINE: 1182
RETURN CODE: -104
SUBRC: 0
RELEASE: 720
TIME: Mon Dec 16 23:41:46 2013
VERSION: 40
From dev_rout
---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "720"
---------------------------------------------------
Mon Dec 16 23:41:10 2013
SAP Network Interface Router, Version 40.4
command line arg 0: D:\usr\sap\saprouter\saprouter.exe
command line arg 1: -r
command line arg 2: -W
command line arg 3: 60000
command line arg 4: -R
command line arg 5: D:\usr\sap\saprouter\saprouttab
command line arg 6: -G
command line arg 7: D:\usr\sap\saprouter\saprouter_log.txt
command line arg 8: -K
command line arg 9: p:CN=Ehbsol, OU=0001155667, OU=SAProuter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)
GetUserName()="saprouter" NetWkstaUser="saprouter"
SncInit(): Trying environment variable SNC_LIB as a
gssapi library name: "D:\usr\sap\saprouter\sapcrypto.dll".
File "D:\usr\sap\saprouter\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
SECUDIR="D:\usr\sap\saprouter" (from $SECUDIR)
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to SAPCRYPTOLIB
Product Version = SAPCRYPTOLIB 5.5.5C pl36 (Jul 3 2013) MT,[aesni],NB
main: pid = 1572, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: 'D:\usr\sap\saprouter\saprouttab'
Mon Dec 16 23:41:46 2013
*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
GSS-API(maj): No credentials were supplied
GSS-API(min): No credentials found for this name (not logged on) (USER=saprouter)
Could't acquire INITIATING credentials for
name="p:CN=Ehbsol, OU=0001155667, OU=SAProuter, O=SAP, C=DE"
<<- SncSessionInitiatorAK()==SNCERR_GSSAPI
'target_acl_key' (addr=000000000CA9C9F4, len=86) full hexdump
0x00000 00030401 00080606 2b240301 25010000 ........ +$..%...
0x00010 00443042 310b3009 06035504 06130244 .D0B1.0. ..U....D
0x00020 45310c30 0a060355 040a1303 53415031 E1.0...U ....SAP1
0x00030 12301006 0355040b 13095341 50726f75 .0...U.. ..SAProu
0x00040 74657231 11300f06 03550403 13087361 ter1.0.. .U....sa
0x00050 70736572 7639 pserv9
*** ERROR => NiSncIInitHdlSecurity: SncSessionInitiatorAK failed (sncrc=-4;000000000253FA80) [nisnc.c 1185]
*** ERROR => NiSncHandleForAddr C25/-1, 169.145.197.110 (rc=-17) [nirout.cpp 3275]
*** ERROR => NiRClientHandle: NiRExRouteCon for C25/-1 'EHBAPPS' failed (rc=-17) [nirout.cpp 2653]
from dev_rfc0
**** Trace file opened at 20131213 105117 Malay Peninsula Standard Time, SAP-REL 701,0,137 RFC-VER U 3 1238848 MT-SL
Error RFCIO_ERROR_SYSERROR in abrfcpic.c : 2517
LB: Hostname or service of the message server unknown
DEST =SAPOSS
MSHOST =/H/192.180.170.20/S/sapdp99/H/169.145.197.110/S/sapdp99/H/oss001
R3NAME =OSS
GROUP =EWA
ABAP Programm: RSRFCPIN (Transaction: SM59)
User: BT_PP (Client: 100)
Destination: SAPOSS (handle: 2, , )
Best regards,
Por.
Hi ,
try saprouter -r -V 2 -K "p:CN=saprouter, OU=0001059133, OU=SAProuter, O=SAP, C=DE" -W 120000
same command to start the router .....do not change the CN also ......CN will be saprouter .....and try ...else try sapgenpse seclogin -p local.pse -O <sidadm>,,,,,,
Rableen
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
As suggested please provide the output of the below command.
sapgenpse seclogin –l
sapgenpse get_my_name -v -n Issuer
Was this working before or this is the first time you are trying.
Have yo maintained the below entry in your host file .
# for customers in Asia
169.145.197.110 sapserv9
Below is the Doc that you should follow for the configuration.
http://service.sap.com/saprouter-sncdoc
Thanks
RishI Abrol
Hi Rishi,
This is new installation for the server.
I have maintained the host file in saprouter server. but, still the same.
D:\usr\sap\saprouter>sapgenpse seclogin -l
running seclogin with USER="saprouter"
0: CN=Ehbsol, OU=0001155664, OU=SAProuter, O=SAP, C=DE
D:\usr\sap\saprouter\local.pse
Options: LIFETIME= Tue, 16 Dec 2014 05:47:20 (GMT)
DIRACCESS=FALSE
CRLCHECK=FALSE
1: CN=Ehbsol, OU=0001155664, OU=SAProuter, O=SAP, C=DE
D:\usr\sap\saprouter\local.pse
NOT readable for saprouter
1 readable SSO-Credentials available (total 2)
D:\usr\sap\saprouter>sapgenpse get_my_name -v -n Issuer
Opening PSE "D:\usr\sap\saprouter\local.pse"...
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "saprouter"
with PSE file "D:\usr\sap\saprouter\local.pse"
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Regards,
Por.
Hi,
As this is a new Router please create message with sap to register your router with the below details.
XX-SER-NET-NEW to SAP. You have to attach "Remote Connection Data Sheet" to this oss-message (note 28976).
Please provide the details of the routertab file .
Can you please also go to the link as provided earlier and check if you have done all the steps.
One more thing in the start command you gave the below details
CN=Ehbsol, OU=0001155667, OU=SAProuter, O=SAP, C=DE
But your router certs are relating to
CN=Ehbsol, OU=0001155664, OU=SAProuter, O=SAP, C=DE
So the OU is different in both used the same OU in the command.
Thanks
RishI Abrol
Hello Soon Joo Por,
Check that SAP Note 1178684 No service connection SNC processing failed, or follow that steps:
Secure Network Communications:
1. Register SAProuter at service marketplace. Send an oss-message with component XX-SER-NET-NEW to SAP. You have to attach "Remote Connection Data Sheet" to this oss-message (note 28976).
2. Download SAPSECULIB and SAPCRYPTO from service marketplace.
You'll find SAPSECULIB underDownload - SAP support Packages - Entry by application group - SAP Technology Components.
3. Download SAPROUTER from service marketplace.
You'll find it under Download - SAP support Packages - Entry by application group - SAP Technology Components.
4. Create directory "saprouter" at your saprouter-host. In this example I created \usr\sap\saprouter.
5. Uncar your saprouter-file and copy saprouter.exe andniping.exeinto your saprouter-folder (\usr\sap\saprouter).
6. Check if you can findntscmgr.exe in thewindows\system32-folder. If it's not there - find it and copy.
7. Create saprouter as an service.
Example: ntscmgr install SAProuter -b E:\usr\sap\saprouter\saprouter.exe -p "service -r -R E:\usr\sap\saprouter\saprouttab -S 3299"
8. Set saprouter-service to "Automatic" and user "adm".
9. Create key "saprouter" under
HKEY_LOCAL_MACHINE ? SYSTEM ? CurrentControlSet ? Services ? Event Log ? Application
Then this values:
EventMessageFile (REG_SZ): ....\saprouter\saprouter.exe
TypesSupported (REG_DWORD): 0x7
10. Check if you can find MSVCR71.DLL and MSVCP71.dll in yoursystem32-folder.
11. Download MS Runtime DLL attached to note 684106 (r3dllinst.zip). Unzip and run R3DLLINS.EXE from \NTPATCH - restart if necessary.
12. Uncar SECULIB and copy files from nt-i386 (if 32-bit windows) into \usr\sap\saprouter folder.
Uncar SAPCRYPTOLIB and copy files from \ntintel into\usr\sap\saprouter. You also have to copy files directly from the uncared SAPCRYPTOLIB-folder (files as ticket) into\usr\sap\saprouter.
13. Create environment variables for user:
SECUDIR = E:\usr\sap\saprouter
PATH = E:\usr\sap\saprouter
SNC_LIB = E:\sap\saprouter\sapcrypto.dll
export SECUDIR=/home/luis/saprouter/
export PATH=/home/luis/saprouter/
export SNC_LIB=/home/luis/saprouter/libsapcrypto.so
export LD_LIBRARY_PATH=/home/luis/saprouter
14. Go to service marketplace:
https://websmp201.sap-ag.de/SAPROUTER-SNCADD
Press Apply Now!
You'll receive some data. Save it and copy the Distinguished Name.
Press Continue.
15. Open dos-command at your saprouter-host and type:
sapgenpse get_pse -v -r certreq -p local.pse "CN=SAPSUPPORTDES, OU=0000225382, OU=SAProuter, O=SAP, C=DE"
Just press "Enter" twice if you have to enter PIN.
16. check files, Files local.pse and certreq is now created in saprouter-folder.
Open file certreq in notepad and copy the content.
17. edit files, Go back to service marketplace (window from nr. 14) and paste the content from certreq there. Press Request Certificate.
You will then receive your certificate.
18. Copy your certificate into notepad at your saprouter-host. Save this notepad-file as srcert in your saprouter-folder.
19. Open dos-command and import the certificate:
sapgenpse import_own_cert -c srcert -p local.pse
20. Create credentials. Open dos-command and type:
sapgenpse seclogin -p local.pse
21. Verify the import of the certificate. Open dos-command and type:
sapgenpse get_my_name -v -n Issuersaprouter
Everything should be ok.
22. Create a file called saprouttab in your saprouter-folder and enter thise entries:
KT "p:CN=sapsystemsOSS, OU=0000225382, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapsystemsOSS, OU=0000225382, OU=SAProuter, O=SAP, C=DE" *
P * * *
23. Go into registry at your saprouter-host.
HKEY_LOCAL_MACHINE - SYSTEM - ControlSet001 - Services - SAProuter
Modify string ImagePath.
It should look like this:
G:\saprouter\saprouter.exe service -r -R G:\saprouter\saprouttab -S 3299 -K "CN=SAPSUPPORTDES, OU=0000225382, OU=SAProuter, O=SAP, C=DE"
saprouter.exe -r -R G:\saprouter\saprouttab -S 3299 -K "CN=SAPSUPPORTDES, OU=0000225382, OU=SAProuter, O=SAP, C=DE"
24. Start saprouter-service
25. Open port 3299, 3200 between SAP and your saprouter.
Check SAPOSS RFC
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
It seems that your sap router is not configured properly.
Run following command to resolve your problem.
for running this command you have to login with SIDADM user and scroll to the saprouter folder
sapgenpse seclogin -p local.pse -O <sidadm>
Thanks
Nirmal.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
96 | |
6 | |
5 | |
5 | |
5 | |
5 | |
4 | |
4 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.