Configuring SNC: SAProuter → SAProuter

Use

The SAProuter is a program that acts as an intermediate location in the network between SAP systems where access is controlled before data is sent further along the communication path.

Connections can also be established between SAP systems over several SAProuters. You can then secure connections between adjacent SAProuters using SNC. A typical example is shown in the figure below.

Figure: SNC Communication Between SAProuters

The connection between the adjacent SAProuters is protected using SNC. The SAProuters authenticate each other and encrypt the exchanged messages. In this way, you can establish a secure tunnel for communications between components that may not be able to use SNC.

A single SAProuter can be both the initiator and acceptor for an SNC-protected connection.


For a detailed description on the SAProuter, see SAProuter. In this document, we only describe the aspects that relate to SNC.

To establish SNC-protected connections between two SAProuters:

· You must establish an SNC environment for both SAProuters.

· You must activate SNC for the connection in the SAProuter's route permission table.

Establishing the SNC Environment

Perform the following steps to establish the SNC environment for each SAProuter:


1. On each SAProuter host, make sure that the environment variable SNC_LIB contains the path and file name of the external library.

2. Start the SAProuter with the option -K , where is the SNC name of the SAProuter being started.

The SAProuter then loads the external library and initializes the SNC environment.

Configuring SNC in the Route Permission Table

There are two types of entries that you need to make in the SAProuter route permission table:

KT (Key-Target) entries

A Key-Target entry specifies that the designated SAProuter → SAProuter connection should use SNC.

KP- / KD- / KS- entries

These entries are similar to the normal P- / D- / S- entries, but are used for SNC connections instead of standard connections. They specify the hosts and services that are or are not allowed to communicate with one another. As with normal P- / D- / S- entries, you can also specify a password for the connection.


You must pay attention to the order of the entries in the route permission table. For incoming connections, the SAProuter applies the first matching entry it finds in the route permission table. If a matching P- / D- / S- entry precedes an SNC entry, the SAProuter ignores the SNC entry. See the examples at the end of this topic.

KT Entries

To specify a KT entry, enter a line in the SAProuter's route permission table using the following syntax:

Syntax

KT

Where:

· SNC should be activated for connections to .

· is the SNC name of the communication partner.

· is the name of the host (either the symbolic name or the IP address).

· is the name of the service (either the symbolic name or the port number).

A wildcard entry (*) for or is not practical because the SNC partner name refers to a distinct partner.

Recommendation

To avoid conflicting entries, make K- entries before any normal P- / D- / S- entries.

KP- / KD- / KS- Entries

You must also enter KP- / KD- / KS- entries in the route permission table instead of P- / D- / S- entries for the SNC connections. These entries have the same meanings as the P- / D- / S- entries, except that the name of the source host or IP address is replaced with the SNC name of the source host. They have the following syntax:

Syntax

K ""

The SAProuter establishes (KP, KS) or denies (KD) a connection if the values received from the connection request match those in the above-mentioned route permission table entries.

Quality of Protection (QoP)

When using SNC protection between SAProuters, the maximum available quality of protection is always applied.

Accepting the Incoming Connection

The SAProuter accepts an incoming connection if it finds a corresponding entry in its route permission table. For normal incoming connections (that do not use SNC protection), it identifies the communication partner using the source host (IP address) and the destination (host and service). However, for SNC-protected connections coming from a SAProuter, it uses the source SAProuter's SNC name for identification.

Example SAProuter Configurations when Using SNC

Example 1

Two SAProuters, one on host1, the other on host2, are to communicate with one another using SNC protection. The SAProuter on host2 should accept only SNC-protected connections from host1 that are directed to a dispatcher or gateway with system number 00.

SNC names of SAProuters on host1 and host2

SNC name on host1: "p:CN=saprout1, OU=TEST01, O=myCompany, C=US"

SNC name on host2: "p:CN=saprout2, OU=TEST01, O=myCompany, C=US"

Starting SAProuter on host1

The following entry starts the SAProuter on host1:

saprouter -r -K "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" &

Route Permission Table on host1

The route permission table on host1 contains the following entries:

# Initiating SNC for all connections to host2 :
KT = "p:CN=saprout2, OU=TEST01, O=myCompany, C=US" host2 *
# Accepting all connections
P * * *

Starting SAProuter on host2

The following entry starts SAProuter on host2:

saprouter -r -K "p:CN=saprout2, OU=TEST01, O=myCompany, C=US" &

Route Permission Table on host2

The route permission table on host2 contains the following entries:

# accept incoming connections from SAProuter1
# with destination sapdp00 on any host
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
# accept incoming connections from SAProuter1
# with destination sapgw00 on any host
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapgw00

Example 2

As previously mentioned, you must pay attention to the order of the entries in the route permission table. The SAProuter applies the first matching entry it finds. In the following example, the SAProuter will not accept the SNC-protected connection request from host1 to host2 because of the first entry.

D host1 * *
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00

Example 3

In the following example, the second line is unnecessary because the first line allows all connections from host1. Therefore, the second line does not enforce SNC protection for connections to sapdp00.

P host1 * *
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
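To check a table for the ordering pitfall that Examples 2 and 3 illustrate, the following is an added Python model (not SAP's code) of the first-match evaluation described above: K entries are matched on the partner's SNC name, plain entries on the source host, KT entries are skipped for incoming requests, and a request matching no entry is refused. The host2 table of Example 1 and the misordered table of Example 2 are embedded as constructed samples; the lint function flags any KP/KD/KS entry that a preceding P/D/S entry with an overlapping destination could shadow.

```python
import re
from collections import namedtuple
# A quoted SNC name contains spaces, so a quoted string is one token.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
Entry = namedtuple("Entry", "kind source dest_host dest_serv")
SAPROUT1 = "p:CN=saprout1, OU=TEST01, O=myCompany, C=US"
# Constructed tables: host2's table from Example 1, and the misordered one from Example 2.
HOST2_TABLE = """
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapgw00
"""
BAD_ORDER = """
D host1 * *
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
"""

def parse_table(text):
    """Parse route permission entries; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, *rest = TOKEN_RE.findall(line)
            entries.append(Entry(kind, rest[0].strip('"'), rest[1], rest[2]))
    return entries

def _overlap(a, b):
    return "*" in (a, b) or a == b

def decide(entries, src_host, dest_host, dest_serv, snc_name=None):
    """First-match evaluation of an incoming request (K entries by SNC name,
    plain entries by source host, KT skipped); no match means refusal."""
    for e in entries:
        if e.kind == "KT":
            continue
        if e.kind in ("KP", "KD", "KS"):
            if e.source != snc_name:
                continue
        elif not _overlap(e.source, src_host):
            continue
        if _overlap(e.dest_host, dest_host) and _overlap(e.dest_serv, dest_serv):
            return ("deny" if e.kind in ("D", "KD") else "permit"), e
    return "deny", None

def shadowed_k_entries(entries):
    """Lint: a KP/KD/KS entry preceded by a P/D/S entry with an overlapping
    destination is never reached if that entry's source host is the SNC
    partner's host (the pitfall of Examples 2 and 3)."""
    return [(p, k) for i, k in enumerate(entries) if k.kind in ("KP", "KD", "KS")
            for p in entries[:i] if p.kind in ("P", "D", "S")
            and _overlap(p.dest_host, k.dest_host) and _overlap(p.dest_serv, k.dest_serv)]
```

Running `shadowed_k_entries` over a table before deploying it surfaces a P or D entry that would silently take precedence over the SNC entries; `decide` then shows which entry actually answers a given request.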
