SAP Router

SAProuter is a software application by SAP that serves as a proxy to secure communication between internal SAP systems and external systems. Key features include improved network security, logging, indirect connections, and enhanced performance. The document also outlines commands for managing SAProuter, including starting/stopping the service, upgrading, and renewing certificates.

Uploaded by

rajeev ranjan

📘 SAProuter Basics & Administration


🔹 What is SAProuter?

• SAProuter is a software application provided by SAP.
• It acts as a proxy (intermediate server) to control and secure communication between the customer’s internal SAP systems and external systems (e.g., SAP Support Backbone).

✨ Key Features

• Improves Network Security – Filters and controls which connections are allowed.
• Logging – Keeps track of connections for auditing and troubleshooting.
• Indirect Connections – Allows communication when direct connection is not possible due to firewalls or network segmentation.
• Performance & Stability – Reduces system load by separating LAN traffic and WAN communication.

🔹 Router Strings

• Router strings are used to define the path of communication.
• General format:
  o /H/ → Hostname or IP address.
  o /S/ → Service (Port). If omitted, default port 3299 is used.
  o /P/ → Password. If omitted, no password is used.

Example:
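An added illustration, not part of the original document: a shell function that splits a route string into its hops using the /H/, /S/ and /P/ prefixes described above, applies the default port 3299, and reports whether a hop carries an embedded password without printing it. The host name saprouter.example.com in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not from the original document).
# Splits a SAProuter route string into hops, one line per hop:
#   <host> <port> password=<yes|no>
DEFAULT_PORT=3299

parse_route() {
    route=$1
    case $route in
        /H/*) ;;
        *) echo "route must start with /H/" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=/
    set -f                 # no filename globbing while splitting
    set -- $route          # fields: "" H host S port P password ...
    set +f; IFS=$old_ifs
    shift                  # drop the empty field before the first "/"
    host=; port=; pw=
    while [ $# -gt 0 ]; do
        key=$1; val=${2-}
        [ -n "$val" ] || { echo "missing value after /$key/" >&2; return 1; }
        case $key in
            H)  # a new /H/ closes the previous hop
                [ -z "$host" ] || printf '%s %s password=%s\n' "$host" "$port" "$pw"
                host=$val; port=$DEFAULT_PORT; pw=no ;;
            S)  port=$val ;;
            P)  pw=yes ;;      # the password itself is never echoed
            *)  echo "unknown prefix /$key/" >&2; return 1 ;;
        esac
        shift 2
    done
    printf '%s %s password=%s\n' "$host" "$port" "$pw"
}

# Usage (constructed route string):
#   parse_route "/H/saprouter.example.com/H/sapserver.company.com/S/3200/P/secret"
```

A hop reported with password=yes means the secret sits in clear text wherever the route string is stored, which is worth knowing when reviewing connection definitions.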

🔹 Listing Clients of an Active SAProuter

Command:

👉 This displays all client connections handled by the running SAProuter.

🔹 Router Permission File (saprouttab)

Defines which connections are allowed or denied.


Syntax:

• P → Permit connection
• D → Deny connection
• You can add comments with #

Example:

👉 This permits connection to sapserver.company.com on port 3299 but denies all others.
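An added review aid, not part of the original document: a shell/awk lint for a saprouttab. It assumes the standard column layout `P|D <source> <destination> <service>` and first-match evaluation, flags permit entries with a wildcard destination or service, and flags entries that can never match because they follow a `* * *` catch-all. The sample table is constructed; entry types other than P and D are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original document).
# Assumed column layout: <P|D> <source> <destination> <service>

lint_saprouttab() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    { type = $1; src = $2; dst = $3; svc = $4 }
    type != "P" && type != "D" { next }         # other entry types: not evaluated
    catchall {                                   # first match wins, so this is dead
        printf "line %d: unreachable, follows catch-all on line %d\n", NR, catchall
        next
    }
    type == "P" && (dst == "*" || svc == "*") {
        printf "line %d: permit with wildcard destination or service\n", NR
    }
    src == "*" && dst == "*" && svc == "*" { catchall = NR }
    ' "$1"
}

# Constructed sample table for trying the lint.
sample_saprouttab() {
    cat <<'EOF'
# constructed sample, not a real configuration
P * sapserver.company.com 3299
P 192.0.2.* * 3200
P * * *
D 192.0.2.7 sapserver.company.com 3299
D * * *
EOF
}

# Usage:
#   sample_saprouttab > /tmp/saprouttab.sample
#   lint_saprouttab /tmp/saprouttab.sample
```

A table shaped like the one described above (one permit for sapserver.company.com on port 3299 followed by a deny-all) produces no findings.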

🔹 Determine SAProuter Version

👉 Shows the installed SAProuter version.

🔹 Start / Stop SAProuter

• Start:

• Stop:

🔹 Upgrade SAProuter

1. Check current version

2. Download latest version from SAP Software Downloads (Marketplace).


3. Extract files:

4. Stop SAProuter:
5. Backup old executables:

6. Copy new executables into /usr/sap/saprouter/.


7. Set ownership & permissions:

8. Start SAProuter:

9. Test functionality:

🔹 SAProuter Certificate Validity

SAProuter uses a digital certificate for secure communication with SAP Support Backbone.

To check validity:

👉 Displays the installed certificate and expiration date.

🔹 Test SAProuter Connection

You can use niping:

If successful, it shows Connection successful.


🔁 SAProuter certificate — Renewal procedure (step-by-step)
Pre-reqs / notes

• Work as the user that runs the SAProuter service (or root if that’s how it’s installed).
• Paths below assume the SAProuter folder: /usr/sap/saprouter — change if your installation differs.
• The common PSE file name used for SAProuter examples is local.pse and you’ll often see certreq, srcert, cred_v2 in the router folder.

0) Quick verification — check current cert validity

This shows current certificate name and expiry so you can confirm renewal is necessary.

1) Stop the SAProuter and prepare backup

Why: always stop the router and keep backups of local.pse, certreq, srcert, cred_v2 before making changes.

2) (Optional) Remove / rename old request files

Either rename or remove old CSR/response files so new CSR is created cleanly:

Note: If you delete the PSE, you’ll create a new keypair and must import a matching certificate (new CSR → new cert). Many guides recommend backing up and removing these four files to create a fresh request.

3) Obtain the Distinguished Name (DN) from SAP Trust Center

• Open the SAP Support Portal / Trust Center for SAProuter certificates and click Apply Now to get the Distinguished Name template for your router (you will paste the CSR into the portal later).

4) Generate the CSR (certificate request) with sapgenpse

In the SAProuter directory:

cd /usr/sap/saprouter
# Example -- replace DN with the exact Distinguished Name from SAP Trust Center
./sapgenpse get_pse -v -r certreq -p local.pse "CN=<saprouter-hostname>, OU=<your-OU>, OU=SAProuter, O=<YourCompany>, C=<CountryCode>"

• This produces a file certreq (the CSR).
• Use the exact DN (case-sensitive parts, CN exactly as provided by SAP Trust Center) — mismatch is a common cause of failure.

Optional: if you need SANs or specific key parameters, consider sapgenpse gen_pse or -k GN-dNSName:...
options (advanced).

5) Submit CSR to SAP Trust Center / Service Marketplace

• Open the SAP Support Portal page for SAProuter certificates (the “Apply” / SAProuter form) and paste the contents of the certreq file into the web form (or upload if requested). Follow the portal steps to request the signed router certificate.

SAP will return the signed certificate (commonly saved as srcert or BNxxxxxx.p7c depending on portal output).

6) Copy the returned certificate files to the saprouter folder

Place the signed certificate (e.g. srcert or saprouter_cert.cer) and any intermediate/root CA files (if supplied)
into /usr/sap/saprouter.

If SAP provided an intermediate/root CA (or if you need the SAP root certificate smprootca.der), keep those handy
— you will import them into the PSE/truststore.

7) Import the signed certificate into the PSE

If the CSR was created with local.pse above, import the signed cert and the certificate chain:

• -c = your signed certificate file.
• -r = use once per CA in the chain (intermediates then root).
• -x = the PSE PIN you created when generating the CSR.
• You can also import the SAP root CA into the PSE trustchain with sapgenpse maintain_pk -a smprootca.der -p local.pse.
• If you only get a .p7c or container, make sure to use the exact file the portal returned (some responses are PKCS#7).

8) (Re-)create stored credentials so SAProuter can use the PSE

Create the cred_v2 entry (store PSE PIN for the service user), so the router process can access the private key
without interactive PIN entry:

This writes cred_v2 so the PSE PIN is available to the running process.

9) Set ownership & permissions

Why: PSE/private key must be readable only by the service account. Adjust <saprouter_user> to the user running
saprouter on your host.
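An added check for this step, not part of the original document: a shell function that verifies local.pse and cred_v2 (the file names used on this page) exist, are owned by the service account, and grant no access to group or others. The directory and owner are arguments you supply.

```shell
#!/bin/sh
# Added example (not from the original document).
# audit_pse_perms DIR OWNER
#   DIR   : SAProuter directory, e.g. /usr/sap/saprouter
#   OWNER : service account (name or numeric uid), supplied by you
# Prints one finding per line; returns 0 only when nothing was found.
audit_pse_perms() {
    dir=$1; owner=$2; bad=0
    for f in local.pse cred_v2; do
        path=$dir/$f
        if [ ! -f "$path" ]; then
            echo "MISSING $f"; bad=1; continue
        fi
        # Any permission bit for group or others exposes the private key or PIN.
        if [ -n "$(find "$path" \( -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
            echo "EXPOSED $f (group/other access)"; bad=1
        fi
        # The files must belong to the account that runs saprouter.
        if [ -n "$(find "$path" ! -user "$owner")" ]; then
            echo "OWNER $f (not owned by $owner)"; bad=1
        fi
    done
    return "$bad"
}

# Usage:
#   audit_pse_perms /usr/sap/saprouter <saprouter_user> || echo "fix before starting the router"
```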

10) Start the SAProuter and test

Verify the router starts without certificate errors and that SAP systems / OSS marketplace can reach your router.

Troubleshooting — common issues & fixes


• Import fails: No certificate with your public key found
The signed certificate does not match the CSR (private key). Ensure you imported the certificate that was generated from the same CSR and PSE. If you deleted the PSE after generating CSR, you must re-issue a new CSR and get a new certificate.
• Case sensitivity / DN mismatch
The CN and other DN parts must match exactly (case sensitive). Use the exact DN string provided by the SAP Trust Center when generating the CSR.
• Want to keep the old private key (reuse keypair)?
You can request a renewal (onlyreq) to reuse the private key (sapgenpse gen_pse -p <PSE> -j -onlyreq), but it’s usually safer to create a new PSE (new keypair) to rotate keys — see sapgenpse docs.

Quick checklist (copyable)


1. Stop router ./saprouter -s.
2. Backup local.pse certreq srcert cred_v2.
3. Get DN from SAP Trust Center (Apply Now).
4. sapgenpse get_pse -v -r certreq -p local.pse "<DN>".
5. Paste CSR into SAP portal; get signed srcert.
6. sapgenpse import_own_cert -p local.pse -c srcert -r <CAfiles> -x <PIN>.
7. sapgenpse seclogin -p local.pse -O <user> -x <PIN>.
8. Start router ./saprouter -r and test.

Renewal of SAP Router Certificate (Windows)


1. Login to SAP Router Server and Stop Router Service

2. Take a backup of /usr/sap/saprouter

3. Steps to check the router validity

• sapgenpse get_my_name -v -n Issuer
• sapgenpse get_my_name
• sapgenpse get_my_name -n Validity

4. Generating the certificate
5. Import the Certificate

6. Create the credentials for user responsible to start the SAP Router
7. Verification of the Router

8. Start the SAP Router

9. Validation Check in Support Portal


10. Run the command to check whether the Router is running or not

11. Check SAP Router Validity

Installation of SAP Router (Windows)


📝 SAProuter Checklist – Linux/UNIX
🔄 Renewal of SAProuter Certificate
🆕 Installation of SAProuter

🔄 Renewal of SAProuter Certificate (Linux/UNIX)


1. Preparation

• Login to SAProuter server.
• Stop router service:

• Backup directory:

2. Check Certificate Validity

3. Generate CSR (Certificate Request)

• Enter new PIN twice.
• Enter Distinguished Name (DN):

• File certreq will be created.

➡ Copy contents of certreq → SAP Support Portal → Request Certificate → paste CSR → Download response.

Save response as srcert in /usr/sap/saprouter.

4. Import Certificate

• Enter PIN when prompted.

5. Create Credentials

• Creates file cred_v2.

6. Verify
7. Start SAProuter

Check status:

8. Test Connection in SAP

• Go to SM59 → ABAP Connection → SAPOSS → Connection Test.

🆕 SAProuter Installation & Configuration (Linux/UNIX)


1. Prerequisites

• Root access on server.
• S-user access to SAP Support Portal.
• Hostname + IP registered in SAP Portal.
• Open Ports: 3299, 3298 (SAProuter), 3399, 3389 (Gateway).
• Distinguished Name (DN).

2. OSS Message to SAP


• Component: XX-SER-NET-NEW
• Provide:
  o SAProuter Server IP
  o Hostname
  o Ports to be used (3299, 3298 must be free)

3. Download Required Files

• SAProuter binary
• SAP Cryptographic Library

4. Create Directory

5. Set Environment Variables

Add in <SID>adm’s .bash_profile:

6. Generate Certificate Request


➡ Upload certreq to SAP Portal → Request Certificate → Download response → Save as srcert.
7. Import Certificate
8. Create Credentials

• Note: It will create a file “cred_v2”.

9. Create saprouttab File

Example (/usr/sap/saprouter/saprouttab):

10. Start SAProuter


11. Stop SAProuter

12. Post Configuration

• Verify logs in /usr/sap/saprouter/log/.
• Check routing with:

• Test SAPOSS in SM59.

SAProuter Installation & Configuration (Windows)


OSS1 Configuration
