New SAProuter CA: the clock is ticking, time to act now
You (or whoever manages your saprouter) may have received the following advisory already.
If not, be aware that April 15th has already passed and less than 3 months remain to act on this.
If you use the saprouter VPN appliance, fear not: this only affects customers who connect to SAP via SNC.
Affected customers should act now, or your SAPOSS connection will stop working on July 18th 2015.
SAP suggests following SAP note 2131531 to renew the saprouter certificate so that it is signed by the new SAP CA.
In addition to the instructions in the SAP note and the detailed instructions link, this blog provides extra information to help you get through the renewal easily and with as little impact as possible. For example, the steps in this blog let you test the new connection before switching it live.
SAP note/KBA:
2131531 – New Root Certification Authority for saprouter certificates
Detailed instructions:
Installing the sapcrypto library and starting the SAProuter | SAP Support Portal
Steps
1. Download the latest saprouter
As in the detailed instructions, follow the path. Also note that SAProuter 7.42 (latest patch level 111) is available as of this writing.
> Support Packages & Patches
> A-Z Alphabetical List of Products
> S
> SAPROUTER
> SAPROUTER 7.20
> your preferred O.S. version
> saprouter_XXX-XXXXXXXX.sar
2. Download the latest SAP Cryptographic Library
SAP Cryptographic Library Patch version 8435 is available as of this writing
>Support Packages & Patches
> A-Z Alphabetical List of Products
> S
> SAPCRYPTOLIB
> COMMONCRYPTOLIB 8
> your preferred O.S. version
> SAPCRYPTOLIBP_XXXX-XXXXXXXX.SAR
3. Create a new saprouter folder and extract the saprouter and cryptographic library files
NOTE: This is important if you want minimal disruption to your SAP link! Using a separate folder lets the existing saprouter keep running untouched until you switch.
Create the new folder (e.g. /usr/sap/saprouter2). Copy the 2 sar files which you have previously downloaded to this folder.
Extract the sar files
e.g.
# SAPCAR -xvf saprouter_111-*.sar
# SAPCAR -xvf SAPCRYPTOLIBP_8435-*.SAR
Also copy your existing saprouttab to this new folder
e.g.
# cp /usr/sap/saprouter/saprouttab /usr/sap/saprouter2
4. Generate a new PSE and CSR
Set SECUDIR and SNC_LIB environment variables first
e.g. for csh in UNIX
# setenv SECUDIR /usr/sap/saprouter2
# setenv SNC_LIB /usr/sap/saprouter2/libsapcrypto.so
Then generate the PSE and CSR. The CN and the first OU are the values SAP provided when you first requested the setup of your saprouter:
# sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "CN=, OU=, OU=SAProuter, O=SAP, C=DE"
Type in your PIN/passphrase when prompted.
View contents of the generated certreq CSR file, copy the text beginning from
-----BEGIN CERTIFICATE REQUEST-----
until
-----END CERTIFICATE REQUEST-----
into your clipboard
5. Paste the request/CSR to SAPRouter Certificates area
Logon to SAProuter Certificates | SAP Support Portal
Click on “Apply for a SAProuter certificate”
If you have multiple saprouters, choose the right one that you’re working on
Click Continue
In the TextArea, paste your CSR content
Click Request Certificate
The next screen will show you the signed certificate.
Copy text beginning from
-----BEGIN CERTIFICATE-----
until
-----END CERTIFICATE-----
to your clipboard
6. Create a new srcert file and paste the signed certificate
In your new saprouter directory, create a new file called srcert.
Paste the signed certificate to that file and save.
7. Import the signed certificate to your PSE
# sapgenpse import_own_cert -c srcert -p local.pse
Confirm that the import was successful.
e.g.
CA-Response successfully imported into PSE "/usr/sap/saprouter2/local.pse"
8. Create credentials for your PSE and secure your credentials file
# sapgenpse seclogin -p local.pse -O
Type in your PIN/Passphrase when prompted
This generates the cred_v2 file, which lets the saprouter open the PSE without prompting for the PIN. Anyone who can read it can use the PSE, so restrict it to the user that runs the saprouter.
Secure your credentials file
e.g. for UNIX
# chmod 400 cred_v2
9. Confirm that the certificate was imported successfully
# sapgenpse get_my_name -v -n Issuer
This should return the new CA as issuer:
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
10. Import the old SMP CA Root certificate if today's date is before July 18th 2015, since until then the SAP side still presents a certificate issued by the old CA, which your new PSE must trust.
Download the CA certificate from SAP note 2131531 (scroll down to attachment section)
https://service.sap.com/sap/support/notes/2131531
Copy the smprootca.der to the new saprouter directory.
Import the certificate
# sapgenpse maintain_pk -a smprootca.der -p local.pse
Type your PIN/Passphrase when prompted
11. Test your new saprouter
e.g. in UNIX
# saprouter -r -S 3298 -K "p:CN=, OU=, OU=SAProuter, O=SAP, C=DE" -V 3
With the -S option the saprouter listens on a port other than the usual 3299, so the live saprouter keeps serving on 3299 while you test. You can also set -V 3 to get more trace information.
Either point your SAPGUI at the new port, or in transaction SM59 create a copy of your SAPOSS connection (e.g. copy it to SAPOSS2).
Set the saprouter string (Msg.Server field) to use the above port
e.g.
/H//S/3298/H/169.145.197.110/S/sapdp99/H/oss001
Test the connection.
Open or tail the dev_rout trace file to see if there are any errors
e.g.
# tail -f dev_rout
12. Switch to your new saprouter when ready!
First stop the test instance on port 3298 (saprouter -s -S 3298). Then in UNIX you can do something like the following:
saprouter -s
mv /usr/sap/saprouter /usr/sap/saprouter.old
mv /usr/sap/saprouter2 /usr/sap/saprouter
Finally start the saprouter from the renamed folder on the usual port 3299 with the same -K option, with SECUDIR and SNC_LIB pointing at /usr/sap/saprouter.
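The whole parallel-directory procedure from steps 3 to 11, wrapped into one script as an added example. This is not code from the original post or from SAP. It assumes the same directory layout as the post; NEW_DIR, OLD_DIR, TEST_PORT, the placeholder distinguished name in ROUTER_DN and the HOST argument passed to test_route_string are assumptions you must replace with your own values. The sapgenpse, SAPCAR and saprouter calls are exactly the ones from the steps above; the helper checks (PEM extraction, issuer match, cred_v2 mode, route string) run without any SAP binaries. Run it once with --run to produce the CSR, paste the signed certificate into srcert, then run it again to finish and start the test router on 3298:

```shell
#!/bin/sh
# Added example: a wrapper for the parallel-directory renewal described in
# steps 3 to 11. It is not from the original post or from SAP. The directory
# names, the distinguished name in ROUTER_DN, the test port and the HOST
# argument to test_route_string are placeholders you must replace with the
# values SAP gave you.

NEW_DIR="${NEW_DIR:-/usr/sap/saprouter2}"
OLD_DIR="${OLD_DIR:-/usr/sap/saprouter}"
TEST_PORT="${TEST_PORT:-3298}"
# Placeholder DN: the CN and first OU come from your SAProuter registration.
ROUTER_DN="${ROUTER_DN:-CN=myrouter, OU=0000000000, OU=SAProuter, O=SAP, C=DE}"
# Issuer of a certificate signed by the new CA (step 9 of the post).
EXPECTED_ISSUER='CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE'

# Print one PEM block (BEGIN and END lines included) from a file; this is
# exactly the text to paste into the SAProuter Certificates page.
extract_pem_block() {   # $1 = file, $2 = block type, e.g. "CERTIFICATE REQUEST"
    sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

# Return 0 if the issuer line printed by "sapgenpse get_my_name -v -n Issuer"
# names the new SAProuter CA, 1 otherwise (a certificate from the old CA fails).
issuer_is_new_ca() {    # $1 = issuer line
    case "$1" in
        *"$EXPECTED_ISSUER"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cred_v2 lets saprouter open the PSE without the PIN, so it must be
# readable by its owner only (mode 400, as in step 8).
cred_is_private() {     # $1 = path to cred_v2
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# Route string for the SAPOSS2 test destination: via the new router on the
# test port, then on to SAP's OSS router as in step 11.
test_route_string() {   # $1 = host running the new saprouter, $2 = test port
    printf '/H/%s/S/%s/H/169.145.197.110/S/sapdp99/H/oss001\n' "$1" "$2"
}

# Steps 3 to 11. Run once to get the CSR, paste the signed reply into
# $NEW_DIR/srcert (step 6), then run again to finish and start the test router.
renew_saprouter() {
    mkdir -p "$NEW_DIR" && cd "$NEW_DIR" || return 1
    SECUDIR="$NEW_DIR"; export SECUDIR
    SNC_LIB="$NEW_DIR/libsapcrypto.so"; export SNC_LIB
    PATH="$NEW_DIR:$PATH"; export PATH
    if [ ! -x ./saprouter ]; then     # step 3: extract both archives once
        SAPCAR -xvf saprouter_*.sar || return 1
        SAPCAR -xvf SAPCRYPTOLIBP_*.SAR || return 1
        cp "$OLD_DIR/saprouttab" . || return 1
    fi
    if [ ! -f srcert ]; then          # steps 4 and 5: PSE and CSR, then stop for the portal
        sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 \
            -r certreq -p local.pse "$ROUTER_DN" || return 1
        echo "Paste this into 'Apply for a SAProuter certificate', save the reply as $NEW_DIR/srcert, then re-run:"
        extract_pem_block certreq "CERTIFICATE REQUEST"
        return 0
    fi
    sapgenpse import_own_cert -c srcert -p local.pse || return 1   # step 7
    sapgenpse seclogin -p local.pse -O || return 1                 # step 8
    chmod 400 cred_v2
    cred_is_private cred_v2 || { echo "cred_v2 is not mode 400" >&2; return 1; }
    issuer=$(sapgenpse get_my_name -v -n Issuer)                   # step 9
    issuer_is_new_ca "$issuer" || { echo "unexpected issuer: $issuer" >&2; return 1; }
    if [ -f smprootca.der ]; then     # step 10: old root, needed before 18 July 2015
        sapgenpse maintain_pk -a smprootca.der -p local.pse || return 1
    fi
    echo "SM59 test route string (replace HOST with this machine):"
    test_route_string HOST "$TEST_PORT"
    saprouter -r -S "$TEST_PORT" -K "p:$ROUTER_DN" -V 3             # step 11
}

if [ "${1:-}" = "--run" ]; then renew_saprouter; fi
```

sapgenpse still prompts for the PIN interactively in get_pse and seclogin; the script only refuses to start the test router if cred_v2 is not mode 400 or if the PSE was not signed by the new CA, which are the two things most often missed.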
Very Helpful