HELP.BCCSTROUT
SAProuter
Release 7.10
SAP Online Help
29.10.2007
Copyright
© Copyright 2007 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP AG. The information contained herein may be
changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary
software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft
Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400,
OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner,
WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC
are trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered
trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are
trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World
Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for
technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and
services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP AG in Germany and in several other countries all over the world. All other
product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product
specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP
AG and its affiliated companies ("SAP Group") for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP Group products and
services are those that are set forth in the express warranty statements accompanying such
products and services, if any. Nothing herein should be construed as constituting an
additional warranty.
Icons in Body Text
Icon
Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different types of
information at a glance. For more information, see Help on Help → General Information
Classes and Information Classes for Business Information Warehouse on the first page of any
version of SAP Library.
Typographic Conventions
Type Style | Description
Example text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.
Content
SAProuter
What is SAProuter?
NI Network Interface
SAP Protocol
Route Connections
SNC - Secure Network Communication
Installing the SAProuter
Hardware Requirements for SAProuter
Installation on UNIX
Installation on Windows
Installation on System i
Using and Configuring the SAProuter
Starting SAProuter
Testing Basic Functions
Entering Route Strings
Route Strings
Creating a Route Permission Table
Route Permission Table
Example of a Route Permission Table
Example of a Route Permission Table with SNC
Setting Up Logging in the SAProuter
Identifying and Correcting Errors
Successful Connection Setup and Data Transfer
SAProuter Error Messages
Checking the Route Permission Table
Setting Up More Connections
Connection Setup Errors
Connection Terminations
Other Errors
SAP Notes for SAProuter
Reference
SAProuter Options
Option -s (stop saprouter)
Option -n (new saprouttab)
Option -t (toggle trace)
Option -c<n> (cancel connection n)
Option -l / -L
Option -d (dump buffers)
Option -f (flush buffers)
Option -p (Soft Shutdown)
Option -a <lib> (Start with External Library)
Option -R <routtab>
Option -K <mysncname>
Option -G< log file>
Option -J<size in bytes>
Option -T<tracefile>
Option -V<tracelev>
Option -E
Option -S <service>
Option -C <clients>
Option -D
Option -6 (enable IPv6)
Option -Z
Option -I <address>
Option -Y <n>
Option -H <host name> [-P <password>]
Option -A <initstring>
Option -M <min>.<max>
NI and SAProuter Implementation
Communication Modes
Route Connects
Buffered Connection Handles
Select Sets
NI Keepalive
NI Error Information
NI Control Messages
Common Settings for Sockets
SAProuter Route Permission
Route Table Examples
SAProuter
SAProuter is an SAP program that can protect your SAP network against unauthorized
access. It is a stand-alone program that is normally installed on the system with the firewall.
[Figure: SAProuter between the LAN (SAP System) and the WAN (Internet)]
This documentation comprises the following sections.
Section | Content
What is SAProuter? [page 6] | Introduction, concept, and architecture of SAProuter.
Installing the SAProuter [page 12] | Installation guidelines for the platforms supported by SAP
Using and Configuring the SAProuter [page 17] | Starting and stopping, administration functions while the SAProuter is running, and configuration of SAProuter
Identifying and Correcting Errors [page 30] | Troubleshooting
Reference [page 51] | SAProuter Options [page 51]: Overview of all administration options. NI and SAProuter Implementation [page 66]: Implementation details
What is SAProuter?
SAProuter is an SAP program that acts as an intermediate station (proxy) in a network
connection between SAP systems, or between SAP systems and external networks.
SAProuter controls the access to your network (application level gateway), and, as such, is a
useful enhancement to an existing firewall system (port filter).
Figuratively speaking, the firewall acts as an impenetrable wall around your network.
However, since particular types of connections need to penetrate this wall, a “hole” has to be
made in the firewall. SAProuter assumes the control of this hole.
In short, SAProuter provides you with the means of controlling access to your SAP system.
Purpose
You can use SAProuter to do the following:
● Control and log the connections to your SAP system, for instance from an SAP service center
● Set up an indirect connection when programs involved in the connection cannot communicate with each other due to the network configuration
  ○ Address conflicts when using non-registered IP addresses
  ○ Restrictions arising from firewall systems
● Improve network security by means of the following:
  ○ A password, which protects your connection and data from unauthorized external access
  ○ Allowing access from particular SAProuters only.
  ○ Only allowing encrypted connections from a known partner (using the SNC layer)
● Increase performance and stability by reducing the SAP system workload within a local area network (LAN) when communicating with a wide area network (WAN)
The following graphic illustrates your network (LAN) using a firewall as protection against
access from outside. There is SAProuter running on the firewall host serving as a “door” to
your network. This door is only opened for connections you specify.
[Figure: SAProuter between the LAN (SAP System) and the WAN (Internet)]
This is often useful if, for example, there is a support connection from SAP to your SAP
system that SAP staff use to access your system in the case of problems. SAProuter controls
and monitors these connections.
Note that installing SAProuter without the use of a firewall does not protect your
network against access from external networks. You must ensure that all
incoming connections go through the SAProuter “hole”.
Increasing Network Security with SAProuter
The SAProuter running on your firewall host should be configured to allow the following:
● Only the NI protocol (SAP Protocol [page 9]) is accepted from external systems
● The number of SAProuters allowed before and after this one in a route is restricted.
Under UNIX, we recommend starting the SAProuter on a port reserved for root.
More Information
NI Network Interface [page 8]
Route Connections [page 10]
SNC - Secure Network Communication [page 12]
Installing the SAProuter [page 12]
Using and Configuring the SAProuter [page 17]
NI Network Interface
Definition
To provide independence from the various platforms, SAP has developed the intermediate
layer NI (Network Interface) for all network connections. It is used by SAProuter and all SAP
programs, as well as by the development kits for CPI-C and Remote Function Call (RFC).
Structure
In the OSI 7 layer model, the NI layer forms the upper part of the transport layer, and is
therefore the part nearer the applications. Specifically, this means that NI uses TCP or UDP.
The protocol is also known as the SAP Protocol [page 9].
NI in the OSI 7 layer model
OSI Layer | Protocol
7 Application |
6 Presentation |
5 Session |
4 Transport | NI, TCP / UDP
3 Network | IP
2 Data Link | Ethernet,...
1 Transfer method |
The test program niping, which tests the NI functions, belongs to the NI layer. A
predefined number of data packets is sent from the client to the server, sent back from the
server, and read again by the client. The program also outputs average transfer times and,
depending on the trace level, detailed information on the data transfer. niping can be used
to test network connections with or without SAProuter.
If niping is entered without parameters, an online help is displayed with possible
parameters and additional options.
Further Information
Testing Basic Functions [page 18]
NI and SAProuter Implementation [page 66]
IPv6 Support in SAP NetWeaver [external]
SAP Protocol
Definition
The protocol used by SAP programs that communicate using the NI interface is called the
SAP Protocol. This is an enhanced version of the TCP/IP protocol, which has been
supplemented by one length field and some options for error information.
Use
When defining the route permission table, you can use S as the initial letter. This then only
allows the SAP protocol, that is, the line is interpreted as usual, but only SAP programs (SAP
GUI, SAP application servers, etc.) are permitted to communicate with each other.
More information: Creating a Route Permission Table [page 22]
Integration
The NI network interface provides the SAP protocol as the default for communication,
although it can also use the TCP/IP protocol with external programs (for example, telnet or
lpd) that do not 'speak' SAP protocol.
More Information
Route Connections [page 10]
SNC - Secure Network Communication [page 12]
Route Connections
Definition
A route connection is a connection between two hosts via a network. The route is the
sequence of intermediate stations used to set up the connection.
Structure
You can set up a connection between SAP systems with or without SAProuter.
Connections Without SAProuter
The following graphic shows a network connection from SAP to the customer without
SAProuter:
[Figure: SAP LAN with SAP workstations and customer LAN with customer workstations, connected through the WAN (Internet)]
We are assuming that both the SAP LAN (local area network) as well as the customer LAN
are protected against unwanted access by firewalls.
If a connection is to be set up between an SAP workstation and a customer workstation, a
“hole” needs to be made in the firewall. The more connections required to external hosts, the
more holes (and therefore security gaps) the firewall contains.
If a connection is set up without SAProuter, the following information is required:
1. IP address of the host or the logical name of the host on which the server process is
running. The target host must therefore have a unique IP address.
2. Port number or the logical name of the port used by the process.
The server process must use an exclusive port number on its host. Also, this port
number must be known to the client.
When the NI network interface [page 8] is used, the host address and port
number can be passed as logical names (for example, host saposs, service
sapdp00) or address strings (for example, a host IP address in the form
www.xxx.yyy.zzz, port 3200).
Connections with SAProuter
The following graphic shows a network connection with SAProuter:
[Figure: SAP LAN with SAP workstations and customer LAN with customer workstations, each with an SAProuter, connected through the WAN (Internet)]
SAProuter only allows a network to be accessed from fixed points. The number of access
points (“holes”) is therefore reduced, since fewer direct lines are required for connections.
Each "hole" is guarded by an SAProuter whose route permission table determines the routes
that can be used and the necessary passwords for gaining access. The hole in the firewall is
therefore monitored.
Without SAProuter, the IP addresses must be unique. This is not always possible, particularly
in the case of a connection between two networks that do not normally have an external
connection. SAProuter enables two points with identical IP addresses to be connected.
SAProuter can be used to connect not only one host with a particular service, but also several
hosts and services with each other. The route information is provided in the form of a route
string. The passwords required for access are also specified in the route string.
More Information
Route Permission Table [page 23]
Route Strings [page 21]
Using and Configuring the SAProuter [page 17]
Route Connects [page 67] in the implementation part
SNC - Secure Network Communication
Use
SNC is used to make network connections using the Internet, in particular WAN connections,
secure. It provides reliable authentication as well as encryption of the data to be transferred.
SAProuter allows SNC connections to be set up. The route permission table can be used to
specify precisely whether SNC connections are allowed, and if so, which ones.
Integration
See the following documentation for a detailed description of how to use the Secure Network
Communications (SNC) [external] in the SAP environment:
Prerequisites
You are using at least version 30 of SAProuter, and have configured SNC using the relevant
guide.
The following are prerequisites for setting up an SNC connection between two SAProuters:
● Both SAProuters must have been started using the option -K <SNCname> (System i:
'-K <SNCname>'). These names ensure the authenticity of a host.
● There must be a KT entry in the route permission table of the source host. This causes
the connection to the target host to use the SNC layer.
● There must be a KP entry in both route permission tables, allowing the connection.
Activities
To set up an SNC connection between two SAProuters, you need to start them using the
option -K and configure the route permission table appropriately.
More Information
Option -K <mysncname>
Route Connections [page 10]
Route Permission Table
Installing the SAProuter
Use
The following describes how to install SAProuter. On UNIX, SAProuter is installed as a
daemon. On Windows it is installed as a service.
Prerequisites
For information about the hardware prerequisites see Hardware Requirements for SAProuter
[page 13].
Procedure
Download
You will find the latest SAProuter in the SAP Service Marketplace under Download SAP
Software → <Support Packages & Patches>, service.sap.com/patches.
On the Support Packages and Patches page, choose Entry by Application Group in the
navigation bar, and then Additional Components → SAPROUTER → SAPROUTER 7.00
→ <Platform>.
Here you will find the saprouter packet.
Installation
How you install the SAProuter depends on the operating system you are using. Choose the
appropriate method:
Installation on UNIX [page 14]
Installation on Windows [page 15]
Installation on System i [page 16]
Hardware Requirements for SAProuter
SAProuter Architecture and Requirement Profile
Since the work of the SAProuter (also with SNC) is mainly I/O-based (input/output), you do
not require any especially powerful CPU.
The workload handled by the SAProuter is determined by the number of open connections.
If over 800 connections have to be maintained, we recommend that you start new SAProuter
processes with Option -Y <n> [page 64]. This distributes the load across several processes
and reduces the risk of any problem occurring (if a problem does occur, it never affects all
the open connections.) The rule of thumb is 1 SAProuter for every 500 connections.
As an alternative to option -Y, you can also set up a script that monitors the SAProuter
process and restarts the SAProuter (soft shutdown with Option -p [page 58], then restart) as
soon as a certain number of connections is exceeded, or when the message Maximum number of
clients reached [page 34] is issued for the first time.
Since the SAProuter process is running in one thread (single threaded) and is often busy with
I/O calls or with host name resolutions, a computer with one CPU manages well with several
SAProuter processes running in parallel.
Recommended Hardware
For an SAProuter with 3000 parallel connections between SAP GUIs and application servers,
transferring an average volume of data, a small number of file downloads and uploads
(approximately 8kB data transfer in both directions per connection and per 10 seconds), we
recommend:
● Quick network adapter (very important)
● 2 hyper-threading (HTT) CPUs with 2 GHz clock frequency
● 512 MB RAM
● 50 MB free space on the hard drive
Background
For 3000 users we estimate six SAProuter processes (set Option -C <clients> [page 62] to
1000).
Each of these processes requires 4.5 MB of memory, and 9% of a two-way HTT 3 GHz CPU,
if you assume one third of the CPU workload is for the users and two thirds for the system.
The six SAProuter processes together require approximately 30 MB and 55% of the CPU.
Sometimes it takes a few seconds to determine the host name from the IP address (reverse
lookup), and during this time the process is blocked. The cause is usually an error in the DNS
configuration. Users will notice these delays particularly if the workload on the SAProuter is
large. Use Option -D [page 62], to prevent this happening.
Recommended Start Options
Start the SAProuter as follows:
saprouter -r -K <SNC name> -Y 0 -C 1000 -D -G <log file> -J 2000000
For information about operating the SAProuter under Windows see SAP note
734095.
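The recommended start line and the sizing rule of thumb above can be checked before a SAProuter goes into service. The following shell functions are an added example, not SAP code: the function names, the wording of the findings and the sample command lines are assumptions, and the option letters are the ones listed in this document.

```shell
#!/bin/sh
# Added example (not SAP code). Function names and command lines are constructed.

# procs_needed CONNECTIONS
# Rule of thumb from the text: 1 SAProuter for every 500 connections.
procs_needed() {
    echo $(( ($1 + 499) / 500 ))
}

# audit_start_opts CONNECTIONS [saprouter] OPTIONS...
# Prints one line per deviation from the recommended start line
#   saprouter -r -K <SNC name> -Y 0 -C 1000 -D -G <log file> -J 2000000
# and prints nothing when every recommended option is present.
# The body runs in a subshell so its variables do not leak to the caller.
audit_start_opts() (
    conns=$1
    case $conns in
        ''|*[!0-9]*)
            echo "usage: audit_start_opts <connections> <options>" >&2
            exit 2 ;;
    esac
    shift
    # Drop the program name if the whole command line was passed.
    if [ $# -gt 0 ]; then
        case $1 in -*) ;; *) shift ;; esac
    fi

    router=0 nodns=0 snc= spawn= clients= log= logsize=
    OPTIND=1
    # Option letters as listed in this document; letters followed by ':'
    # take an argument, written "-C 1000" or "-C1000".
    while getopts ":rsntlLdfpEDZ6a:c:R:K:G:J:T:V:S:C:I:Y:H:P:A:M:" opt "$@"; do
        case $opt in
            r) router=1 ;;
            D) nodns=1 ;;
            K) snc=$OPTARG ;;
            Y) spawn=$OPTARG ;;
            C) clients=$OPTARG ;;
            G) log=$OPTARG ;;
            J) logsize=$OPTARG ;;
            *) ;;  # not part of the recommended start line, not assessed
        esac
    done

    if [ "$router" -ne 1 ]; then
        echo "missing -r: not a router start command, nothing else checked"
        exit 0
    fi
    [ -n "$snc" ] || echo "missing -K <SNC name>: SNC needs -K on both SAProuters"
    [ "$nodns" -eq 1 ] || echo "missing -D: a slow reverse lookup blocks the process"
    if [ -z "$log" ]; then
        echo "missing -G <log file>: no log file is given on the command line"
    elif [ -z "$logsize" ]; then
        echo "missing -J <size in bytes>: the recommended start line sets 2000000"
    fi
    # Over 800 connections the text recommends further processes via -Y.
    if [ "$conns" -gt 800 ]; then
        [ -n "$spawn" ] || echo "missing -Y <n>: plan $(procs_needed "$conns") processes for $conns connections"
        [ -n "$clients" ] || echo "missing -C <clients>: the recommended start line sets 1000"
    fi
    true
)

# Constructed start command for 3000 expected connections: reports five findings.
audit_start_opts 3000 saprouter -r -R /usr/sap/saprouter/saprouttab
```

The findings only compare a command line with the start line recommended here; they do not inspect the route permission table or a running process.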
Installation on UNIX
1. Create the subdirectory saprouter in the directory /usr/sap/.
Get the latest version of the SAProuter from the SAP Service Marketplace
(service.sap.com/patches), as described under Installation of the SAProuter
[page 12]. The SAProuter is in packet saprouter*.SAR; the program niping is also
in this packet. Copy programs saprouter and niping to the newly created directory
/usr/sap/saprouter.
If you cannot copy the programs from SAP Service Marketplace, you can copy a
version (may be obsolete) from your directory /usr/sap/<SID>/SYS/exe/run.
2. (Optional) If you want to start the SAProuter on the same computer used for an SAP
instance, insert the following lines into file
/usr/sap/<SID>/SYS/exe/run/startsap:
#
# Start saprouter
#
SRDIR=/usr/sap/saprouter
if [ -f $SRDIR/saprouter ] ; then
    echo "\nStarting saprouter Daemon " | tee -a $LOGFILE
    echo "----------------------------" | tee -a $LOGFILE
    # -r starts the router, -R names the route permission table
    $SRDIR/saprouter -r -R $SRDIR/saprouttab \
        | tee -a $LOGFILE &
fi
Insert the lines before the commands to start the SAP instance.
Normally the SAProuter runs on a different computer. If this is so, this step is omitted
and you start the SAProuter as described in Starting the SAProuter [page 17].
Maintain the route permission table [page 23] in directory /usr/sap/saprouter. If
you want to keep it in another directory or under a name other than saprouttab, you
must specify this with the SAProuter option -R (see Option -R <routtab> [page 59]).
Installation on Windows
Prerequisites
You have the latest version of SAProuter (available from the SAP Service Marketplace
(http://service.sap.com/patches) (see Installation of the SAProuter [page 12]), and have read
the readme file.
The SAProuter version must not be under 23.
Procedure
1. Create the subdirectory saprouter in the directory <drive>:\usr\sap.
2. Download the latest version of the SAProuter from SAP Service Marketplace. Read the
README file in this package. Copy the executables saprouter.exe and
niping.exe to the directory you have just created.
If there is no SAProuter there, you can get a version (may be obsolete) from your
directory <drive>:\usr\sap\<SID>\SYS\exe\run.
3. If SAProuter has already been entered as a service with srvany.exe, remove the
definition of the service from the Registry and restart the host.
4. Define the service with the following command:
ntscmgr install SAProuter -b ...\saprouter\saprouter.exe -p "service -r <parameter>"
Note:
The points stand for <drive>:\usr\sap
<parameter> can be replaced by other parameters with which SAProuter is to be
started (see SAProuter Options [page 51]). It is important that the parameters are
within the character string enclosed in double quotation marks.
5. Define standard service properties in Control Panel → Services, set the startup type to
“automatic” and enter a user. SAProuter should not run under the system account.
6. To avoid the error message “The description for Event ID (0)” in Windows NT event log,
you have to enter the following in the registry: Under HKEY_LOCAL_MACHINE →
SYSTEM → CurrentControlSet → Services → Event Log → Application enter the key
saprouter and define the following values for it:
EventMessageFile (REG_SZ): ....\saprouter\saprouter.exe
TypesSupported (REG_DWORD): 0x7
These adjustments are not obligatory for running SAProuter. They are only used
for providing detailed error messages in the event log.
Maintain the Route Permission Table [page 23] in the system32 Windows directory. If you
want to keep it in another directory or under a name other than saprouttab, you must
specify this with the SAProuter option -R (see Option -R <routtab> [page 59]).
Installation on System i
Prerequisites
You have the latest version of SAProuter (available from the SAP Service Marketplace (see
Installation of the SAProuter [page 12]), and have read the readme file.
Procedure
Install the programs SAPROUTER and NIPING in a separate library (such as SAPROUTER).
1. Log on to the System i machine as <SID>ADM.
2. Create a library
CRTLIB <library name>
3. Create the file SAPROUTER
CRTSAVF <library name>/SAPROUTER
4. Create the backup file NIPING
using the command <library name>/NIPING
5. Download the programs SAPROUTER.SVF and NIPING.SVF from the SAP Service
Marketplace to your local PC, using the following commands:
ftp <System i>
cd QGPL
lcd <dir> (<dir> is the directory where SAPROUTER.SVF and NIPING.SVF are
located)
bin:
put SAPROUTER.SVF SAPROUTER
put NIPING.SVF NIPING
quit
6. Re-create the SAPROUTER or NIPING objects. Use the command APYR3FIX as
described in SAP Note 49365, and for parameter KRNLIB use the library that you
created above.
7. Create the directory /usr/sap/saprouter.
8. Make sure to maintain the corresponding Route Permission Table [page 23] under
/usr/sap/saprouter/saprouttab (see also Creating a Route Permission Table
[page 22]).
More Information
Starting SAProuter [page 17]
Using and Configuring the SAProuter
This section describes how SAProuter is started, tested, and configured.
The following tasks are described:
Operation
Starting SAProuter [page 17]
Testing Basic Functions [page 18]
Entering Route Strings [page 20]
Configuration
Creating a Route Permission Table [page 22]
Setting Up Logging in the SAProuter [page 27]
More Information
SAProuter Options [page 51]
Error Diagnosis [page 30]
Starting SAProuter
Prerequisites
Before using SAProuter, you should test its basic functions.
Testing SAProuter Basic Functions [page 18]
Procedure
To start SAProuter:
Enter saprouter -r in the input field. (System i: enter saprouter '-r' in the input field
in batch mode if possible.)
This command starts SAProuter. The connections allowed are contained in the route
permission table saprouttab. You can automatically start SAProuter when you start the
system. In UNIX for example, you would change file /etc/rc.
If you want to run a high number of connections (more than 1000) via
SAProuter, start the SAProuter using Option -r -Y <n> [page 64], and set the
maximum number of clients to 2000 using Option -C <clients> [page 62], thus:
saprouter -r -Y 0 -C 2000
If this option is set, a new SAProuter is automatically started if the client table
becomes full. New connections can then use this new SAProuter.
The table below contains the most important SAProuter commands:
Command                                   Meaning
saprouter                                 Displays a complete list of SAProuter parameters on the screen
saprouter -r (System i: saprouter 'r')    Starts SAProuter
saprouter -s (System i: saprouter 's')    Stops the running SAProuter
More Information
Creating a Route Permission Table [page 22]
SAProuter Options [page 51]
Testing Basic Functions
Prerequisites
Before using SAProuter, you should test whether there are any network problems.
To test the basic functions of the SAProuter, you require the programs saprouter and
niping as well as three open windows (shells) on one or more hosts.
Procedure
The following table shows the test scenario when using niping:
SAProuter runs in window 1, the server in window 2, and the client in window 3.
UNIX/Windows
                    Window 2 (host2)    Window 1 (host1)    Window 3 (host3)
Without SAProuter   niping -s                               niping -c -H host2
With SAProuter      niping -s           saprouter -r        niping -c -H /H/host1/H/host2
System i
                    Window 2 (host2)    Window 1 (host1)    Window 3 (host3)
Without SAProuter   call niping '-s'                        call niping '-c' '-H' 'host2'
With SAProuter      call niping '-s'    saprouter '-r'      call niping '-c' '-H' '/H/host1/H/host2'
Steps
1. Start SAProuter in window 1 (on host1). To do this, enter the following command:
UNIX/Windows: saprouter -r
System i: saprouter '-r'
This command calls SAProuter without any parameters.
For a complete list of the SAProuter commands, refer to the chapter SAProuter Options
[page 51] or the online help. To call the online help, enter saprouter.
2. In window 2 (host2), start the test program niping to emulate a test server. Enter the
following command:
UNIX/Windows: niping -s
System i: call niping '-s'
For a complete list of the niping commands, refer to the online help. To call the
online help, enter niping.
3. In window 3 (host3), start the test program niping to emulate a client. Enter the
following command:
UNIX/Windows: niping -c -H host2
System i: call niping '-c' '-H' 'host2'
This command tests the connection without SAProuter, that is directly between host2
and host3.
4. In window 3, start the test program niping again with the following command:
UNIX/Windows: niping -c -H /H/host1/H/host2
System i: call niping '-c' '-H' '/H/host1/H/host2'
This command tests the connection with SAProuter. A host name is interpreted as a
route (over one or more SAProuters to the server) if /H/ is added as a prefix to the
host name (see Route Strings [page 21] ).
In steps 3 and 4, data packages are sent to the server, and the server sends the data
packages back. In step 3, the data packages should be sent to the server more frequently,
since more process changes take place.
To perform a self test for the local host:
Enter the command niping -t (System i: call niping '-t').
A list with function names, parameters, and return codes is displayed. If the self test is
successful, the following message appears:
*** SELFTEST O.K. ***
To get an idea of the options provided by niping, enter niping without any
parameters.
SAP Note 500235 contains comprehensive documentation about the niping
tool.
More Information
Entering Route Strings for SAProuter [page 20]
Creating a Route Permission Table [page 22]
NI Network Interface [page 8]
Entering Route Strings
Use
A route string describes a connection required between two hosts using one or more
SAProuters. Each of these SAProuters then checks its Route Permission Table [page 23] to
see whether the connection between its predecessor and successor is allowed, and if it is,
sets it up.
Procedure
The entry of route strings is best illustrated by an example.
The following graphic shows an example of a connection between SAP and a customer
system. In this example, an SAP employee working on sappc wants to log on to a customer
application server yourapp, which provides or uses the service sapsrv.
[Figure: sappc and sap_rout in the SAP LAN, connected over the WAN (Internet) to your_rout and yourapp (service sapsrv) in the customer LAN]
The SAP service employee logs on to the SAP System, and sets up a connection between
sappc and yourapp using the SAProuter on sap_rout and the customer’s SAProuter
your_rout.
your_rout requires the password pass_to_app for connections with yourapp.
The route string appears as follows:
/H/sap_rout/H/your_rout/W/pass_to_app/H/yourapp/S/sapsrv
This route string is interpreted by the SAProuters involved in the route as follows:
              Host/address    Service/port    Password
Substring 1   /H/sap_rout     /S/<default>    <no password>
Substring 2   /H/your_rout    /S/<default>    /W/pass_to_app
Substring 3   /H/yourapp      /S/sapsrv
The connection from sappc to the application server is set up in the following steps:
sappc (front end)
    Sets up the connection to SAProuter sap_rout according to substring 1 and relays the
    route information.
sap_rout (SAProuter on SAP side)
    Uses the route permission table to check whether the route “sappc to your_rout 3299”
    is allowed, sets up the connection to the customer SAProuter on the host your_rout,
    and passes substring 2 and 3.
your_rout (SAProuter on customer side)
    Checks whether the route “sap_rout to yourapp, sapsrv” is allowed. The password
    pass_to_app is also checked. SAProuter then sets up the connection to the
    application server.
A SAProuter always checks only the previous host name or the previous IP address and the
next substring (/H/.../S/.../W/...) for host name or IP address, service and password.
The last substring does not contain a password, since there is no successor in the route.
If the /S/ section is missing, the default port number of the SAProuter is used. If the /W/
section is missing, a password is not used.
With the old password entry, the above route string would appear as follows:
/H/sap_rout/H/your_rout/H/yourapp/S/sapsrv/P/pass_to_app
Note that the host name (which follows the /H/ in the route string) must be at
least two characters long.
More Information
Route Strings [page 21]
Route Permission Table [page 23]
Route Connects [page 67] in the implementation part
Route Strings
Definition
A route string describes the stations of a connection required between two hosts. A route
string has the syntax
(/H/host/S/service/W/pass)*
It consists of any number of substrings in the form /H/host/S/service/W/pass.
H, S, and W must be uppercase!
Structure
A route string contains a substring for each SAProuter and for the target server.
Each substring contains the information required by the SAProuter to create a connection in
the route - host name, port name, and password if applicable.
Syntax for substrings:
● /H/ indicates the host name
  Note that the host name must be at least two characters long.
● /S/ is used for specifying the service (port); it is an optional entry, the default value is
  3299
● /W/ indicates the password for the connection between the predecessor and
  successor on the route and is also optional (default is “”, no password)
In earlier Releases (<4.0A), the password entry was made one substring later
and with the letter /P/.
New: /H/saprouter/W/pass/H/target server
Old: /H/saprouter/H/zielserver/P/pass
(Here pass is the password which is checked by the SAProuter on host
saprouter to set up or prohibit the connection from the source host to the
target host.)
Due to downward compatibility, the old password entry form is still possible.
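The route string rules above (uppercase /H/, /S/ and /W/, default service 3299, the older /P/ password form, minimum host name length) can be checked with a small parser. This is an added Python example, not SAP code; Hop, parse_route and router_checks are hypothetical names, and it assumes that passwords contain no "/".

```python
import re
from dataclasses import dataclass

DEFAULT_SERVICE = "3299"  # page: used when the /S/ section is missing


@dataclass
class Hop:
    host: str
    service: str = DEFAULT_SERVICE
    password: str = ""  # page: no password when the /W/ section is missing


_SECTION = re.compile(r"/([A-Za-z])/([^/]*)")


def parse_route(route):
    """Split a route string into Hop objects, one per /H/ substring."""
    hops, pos = [], 0
    for m in _SECTION.finditer(route):
        if m.start() != pos:
            break  # stray text between sections, reported after the loop
        pos = m.end()
        key, value = m.groups()
        if key not in "HSWP":
            raise ValueError(f"/{key}/ is not a valid section (H, S and W must be uppercase)")
        if key == "H":
            if len(value) < 2:
                raise ValueError("host name must be at least two characters long")
            hops.append(Hop(value))
        elif not hops:
            raise ValueError(f"/{key}/ appears before the first /H/")
        elif key == "S":
            if not value:
                raise ValueError("empty /S/ section")
            hops[-1].service = value
        elif key == "W":
            hops[-1].password = value
        else:
            # Old form: /P/ is written one substring later than /W/,
            # so it belongs to the SAProuter in front of the current host.
            if len(hops) < 2:
                raise ValueError("/P/ needs a preceding SAProuter substring")
            hops[-2].password = value
    if pos != len(route) or not hops:
        raise ValueError("empty or malformed route string")
    return hops


def router_checks(client, hops):
    """What each SAProuter on the route has to look up in its route permission
    table: (router, source host, destination host, destination service, password)."""
    checks, previous = [], client
    for hop, nxt in zip(hops, hops[1:]):
        checks.append((hop.host, previous, nxt.host, nxt.service, hop.password))
        previous = hop.host
    return checks


if __name__ == "__main__":
    # Route string from the page's example, new and old password form.
    new = parse_route("/H/sap_rout/H/your_rout/W/pass_to_app/H/yourapp/S/sapsrv")
    old = parse_route("/H/sap_rout/H/your_rout/H/yourapp/S/sapsrv/P/pass_to_app")
    print(new == old)
    for check in router_checks("sappc", new):
        print(check)
```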
More Information
Entering Route Strings [page 20]
Route Connects [page 67] in the implementation part
Creating a Route Permission Table
You can create a route permission table with a standard text editor.
You must create a separate route permission table for each SAProuter in your
network.
If no specific route permission table has been assigned to the SAProuter,
./saprouttab is used on UNIX and System i. The file saprouttab in the
working directory of the SAProuter (<lwk>:\usr\sap\saprouter) is
used on Windows. If this file is not available, SAProuter terminates with an
appropriate message.
Procedure
Create the file in the relevant directory. You can find a description of the syntax under Route
Permission Table [page 23].
You can use generic entries (“*”) in hosts, ports, and passwords.
You can use sub-networks in host routes.
Entry in the Route Permission Table    Meaning
156.56.*.*                             All host addresses beginning with 156.56
133.27.17.*                            All host addresses beginning with 133.27.17
133.27.16.0/24                         All host addresses beginning with 133.27.16 (0/24 at the end means that the first 24 bits are relevant, that is, the first three blocks)
156.56.1011xxxx.*                      All host addresses from 156.56.176.* to 156.56.191.*. (Binary interpretation of the third byte of the address. ‘x’ is a freely selectable binary value (1 or 0).)
Examples
You can display an example of a route permission table on the screen. To do this, enter
saprouter to call the SAProuter online help:
You can find more examples of route permission tables in the following sections:
Example of a Route Permission Table [page 26]
Example of a Route Permission Table with SNC [page 26]
Further Information
Route Permission Table [page 23]
Route String Entry for SAProuter [page 20]
Route Connects [page 67] in the implementation part
Route Permission Table
Definition
The route permission table contains the host names and port numbers of the predecessor
and successor points on the route (from the SAProuter’s point of view), as well as the
passwords required to set up the connection (corresponds to a substring, cf. Route Strings
[page 21]). It is used to specify which connections are allowed and which prohibited by
SAProuter. It also specifies whether SNC connections are set up and which these are.
Structure
Standard Entries
Standard entries in a route permission table appear as follows:
P/S/D <source host> <dest host> <dest serv> <password>
<source-host> and <dest-host> could be SAProuters.
Elements of a table entry are described below:
Handling the Connection: P/S/D
The beginning of the line can be as follows:
● P(ermit) causes SAProuter to set up the connection. P(ermit) entries can contain a
  password. SAProuter checks whether this password corresponds to that sent by the
  client.
  Directly after the P you can also specify the maximum number of SAProuters allowed
  on this route before and after this SAProuter so that the connection is permitted: Pv,n
  - v stands for the maximum number of SAProuters before this one, and n stands for the
  maximum number of SAProuters after this one allowed on this route.
● S(ecure) only allows connections with the SAP Protocol [page 9]; connections with
  other protocols (such as TCP) are not allowed.
  With Sv,n you can determine the number of preceding and
  succeeding SAProuters on the route, the same as you can with P.
● D(eny) prevents the connection from being set up.
● You can also add comment lines, which must begin with ‘#’.
Source Host <source host>
This element describes the host from where the connection comes (from viewpoint of the
SAProuter). This can be a host name, an IP address or an IP subnetwork (see Creating the
Route Permission Table [page 22]).
Destination Host <dest host>
This element describes the host the connection is going to (from viewpoint of the SAProuter).
This can be a host name, an IP address, or an IP subnetwork.
Destination Port <dest serv>
This element describes the port (service) of the destination host where the connection is
going to. Here you can also specify port ranges by separating the two ports that demarcate
the range by a period. If <dest serv> has the value 3200.3298, this means connections to
the destination server on all ports between 3200 and 3298.
If a <source-host> client wants to set up a connection to <dest-host>
<dest-serv> using SAProuter, SAProuter checks its route permission before
the connection is set up. If the password and route SAProuter has received
correspond to the entries in the route permission table, SAProuter sets up the
connection. If this is not the case, SAProuter does not set up the connection,
and issues the message Route permission denied.
More information:
Example of a Route Permission Table [page 26]
Identifying and Correcting Errors [page 30]
SNC Entries
SNC entries always start with the letter K (like key).
There are two types of SNC entries:
1. KT entries (Key Target)
This defines which connections should be SNC connections. This can be defined for
both incoming and outgoing connections (from the point of view of this SAProuter).
a. Incoming connections
The syntax is KT <SNCname src host> <src host> <src serv>.
This means that connections coming from the host <src host> <src serv>
with the SNC name <SNC name src host> should be SNC connections.
The user can thus define that service connections from SAP must be SNC
connections.
b. Outgoing connections
They have the syntax KT <SNC name dest host> <dest host> <dest
serv>. This means that connections from the SAProuter to <dest host>
<dest serv> with the SNC name <SNC name> should be SNC connections.
To make SNC connections possible, the appropriate SAProuters need to have
been started with the option -K and the route permission table must contain the
appropriate KT entry.
2. KD, KP, and KS entries
They have the following syntax:
K<D/P/S> <SNC name source host> <dest host> <dest serv>
<password>. This means that the (encrypted) SNC connection from <SNCname
source-host> via SAProuter to <dest host> <dest serv> is set up when the
route string contains the correct <password>.
More information: Example of a Route Permission Table with SNC [page 26]
Evaluation of the Route Permission Table
The following rules apply when the SAProuter evaluates the route permission table.
First Match
The first entry in the route permission table for which source address, target address, and
target port match is decisive. In other words, in the above example of a route permission
table, this means that the connection from host1 to host2, service serviceX, is not allowed
(because of the first entry) although all connections with service serviceX are allowed
according to the third entry.
No match
If there is not an appropriate entry in the table for a route, the connection is rejected. It
behaves as though the last line were a D * * *.
Wildcards Exception
If the SAProuter is the last SAProuter on the route (for example, the front end), and the
service is not an SAP service (not an SAP protocol), a wildcard (“*”) cannot be used with the
service. The connection is only allowed if the non-SAP service is explicitly selected. If the
example given above contained a * instead of telnet, and the SAProuter was the last one
on the route, the telnet connection would not be set up.
Security Note
For security reasons, SAP recommends that you do not use wildcards (*) for the target host
(<dest-host>) and the target port (<dest-serv>) in P and S lines in the route permission
table. If the table contains P or S lines with such wildcards, the SAProuter issues a warning message:
WARNING: wildcard character used in route target
Further Information
Creating a Route Permission Table [page 22]
SAProuter Route Permission [page 70] in the implementation part.
Example of a Route Permission Table
A route permission table could appear as follows:
D      host1               host2        serviceX
D      host3
P      *                   *            3200.3298
P      155.56.*.*          155.56.*.*
P      155.57.1011xxxx.*
P      host4               host5        *           pass
S      host6
P      host7               host8        telnet
P*,0   *                   *                        gui
This means:
● Do not allow any routes from host1 to host2, service serviceX
● Do not allow any routes starting from host3
● Allow all routes to server processes that use a service in area 3200 to 3298
● Allow all routes within subnetwork 155.56.0.0/16
● All routes starting from subnetwork 155.57.1011xxxx are allowed (the last byte is
  written as a binary number; each “x” stands for 0 or 1).
● Allow all routes from host4 to host5 if password pass is correct
● All routes from host6, but only SAP protocol
● Native protocol routes (TCP/IP) from host7 to the non-SAP service telnet on host8
● All connections to non-SAProuters (no more SAProuters allowed on this route) if
  password gui is correct
In the above example in Entering Route Strings [page 20] the route permission table of host
saprouter must have the entry:
P    sappc        your_rout
and the route permission table of host yoursaprouter must contain the entry
P    saprouter    yourapp    sapsrv    pass_to_app
More Information
Example of a Route Permission Table with SNC [page 26]
Route Permission Table [page 23]
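The first-match and no-match rules, the host and port patterns, and the wildcard recommendation from the Security Note can be exercised offline with a small evaluator. This is an added Python sketch, not SAProuter's own code: it assumes host names are compared literally (no name resolution), covers only plain P, S and D lines (no Pv,n hop limits, no SNC K entries), and its lint only approximates the wildcard warning. SAMPLE_TABLE is constructed for the example, with every field written out.

```python
import ipaddress
from typing import NamedTuple


class Entry(NamedTuple):
    line: int
    action: str  # P, S or D
    src: str
    dst: str
    serv: str
    password: str


def host_matches(pattern, host):
    """Match '*', a literal name, a.b.*.*, a.b.c.0/24 or a binary octet like 1011xxxx."""
    if pattern == "*" or pattern == host:
        return True
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return False  # host name: only a literal match or '*' applies
    if "/" in pattern:
        try:
            return addr in ipaddress.IPv4Network(pattern, strict=False)
        except ValueError:
            return False
    octets = pattern.split(".")
    if len(octets) != 4:
        return False
    for pat, octet in zip(octets, str(addr).split(".")):
        if pat == "*":
            continue
        if len(pat) == 8 and set(pat) <= set("01x"):  # x = freely selectable bit
            bits = format(int(octet), "08b")
            if any(p != "x" and p != b for p, b in zip(pat, bits)):
                return False
        elif pat != octet:
            return False
    return True


def serv_matches(pattern, serv):
    """Match '*', a literal service, or a port range written as low.high."""
    if pattern == "*" or pattern == serv:
        return True
    low, sep, high = pattern.partition(".")
    if sep and low.isdigit() and high.isdigit() and serv.isdigit():
        return int(low) <= int(serv) <= int(high)
    return False


def parse_table(text):
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] not in ("P", "S", "D") or not 4 <= len(fields) <= 5:
            raise ValueError(f"line {number}: entry form not covered by this sketch")
        entries.append(Entry(number, *fields[:4], fields[4] if len(fields) == 5 else ""))
    return entries


def decide(entries, src, dst, serv, password="", sap_protocol=True):
    """Return (allowed, deciding line). The first entry whose source, target and
    target port match is decisive; without a match the route is rejected."""
    for e in entries:
        if host_matches(e.src, src) and host_matches(e.dst, dst) and serv_matches(e.serv, serv):
            if e.action == "D":
                return False, e.line
            if e.action == "S" and not sap_protocol:
                return False, e.line
            if e.password and e.password != password:
                return False, e.line
            return True, e.line
    return False, None  # behaves like a final "D * * *"


def lint(entries):
    """Line numbers of P and S entries with '*' in the target host or target port."""
    return [e.line for e in entries
            if e.action in ("P", "S") and ("*" in e.dst or "*" in e.serv)]


SAMPLE_TABLE = """\
# constructed sample; host and service names follow the page's examples
D  host1              host2           serviceX
D  host3              *               *
P  *                  *               serviceX
P  *                  *               3200.3298
P  155.57.1011xxxx.*  133.27.16.0/24  *
P  host4              host5           *          pass
P  host7              host8           telnet
S  host6              *               *
"""

if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print(decide(table, "host1", "host2", "serviceX"))
    print(decide(table, "host9", "host2", "serviceX"))
    print("wildcard targets on lines", lint(table))
```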
Example of a Route Permission Table with SNC
A route permission table using SNC could look like this:
P     *             *         *       pass
KT    S:SR@host4    host4     3333
KT    S:SR@host4    host9     *
KD    S:SR@host4    host9     *
KP    S:SR@host4    *         *       pass2
KS    *             host10    4444
KP    *             *         *
This means:
● Allow all connections if password pass is specified correctly
● Connections from this SAProuter to host4 (SNC name S:SR@host4), service 3333
  must be SNC connections.
● Connections from host9 (SNC name S:SR@host9) to this SAProuter must be SNC
  connections.
● A SNC connection from SR@host4 to host9 using this SAProuter should not be set
  up
● A SNC connection from S:SR@host4 using this SAProuter (any target host) is allowed
  if the password pass2 is correct (unless the connection is to host9, since this is not
  allowed according to the previous entry - the first entry which “matches” is decisive!)
● All SAP-SAP connections (that is NI protocols) to host10, service 4444 which enter
  as SNC connections are passed on to host10 (no SNC host) as non-SNC
  connections.
● All SNC connections (for which the previous entries are not suitable) are allowed.
More Information
Route Permission Table [page 23]
Creating a Route Permission Table [page 22]
Setting Up Logging in the SAProuter
Use
To get an overview of the function and capacity of the SAProuter, a log can be kept of all the
connections established and actions performed via the SAProuter.
Procedure
You can configure the log using Option -G<logfile> [page 60]. Here you create the name of
the log file and specify where it is to be created.
Structure of the Log File
The log file is structured line by line. Each line contains the following information:
● Date and time: weekday, month, day, time, year
● Action: Possible actions are INIT LOGFILE (start of log file), READ ROUTTAB (read
  Route Permission Table [page 23]), CONNECT FROM/TO (set up connection from/to),
  DISCONNECT (close connection), PERM DENIED (connection not permitted by route
  permission table).
The action is always followed by a handle pair <C|S>n/m, where the letter indicates whether
the action was initiated by the client or the server, and the two numbers refer to the internal NI
handle numbers.
For example, the handle pair 'C1/2' means that this log entry refers to the connection
with handle 1 to the client (the first number) and with handle 2 to the server
(second number). The C at the front means that the action was initiated by the
client. A CONNECT FROM is therefore always written with C, a CONNECT TO with
S. With DISCONNECT, the side specified is the one that closed the connection.
The IP address and port always refer to the connection’s counterpart (peer). A
log entry with a handle pair C1/- means that no server-side connection exists yet
for the pair.
The most important log entries are described below.
Example
Actions
Assuming that logging has been activated, the following actions are executed through the
SAProuter. The SAProuter stands between the physical hosts ldp007 with the IP address
10.21.72.60 and binmain (IP address 10.21.82.77).
1. Connection is opened between host ldp007 (10.21.72.60) and host binmain
(10.21.82.77) with port sapmsBIN, which is closed by the client again.
2. Administrator calls up local SAProuter to display the list of connections (saprouter
-l).
3. Connection is established between host ldp007 (10.21.72.60) and the same host
ldp007 with port 3298, which is closed by the server again.
4. Attempt to open connection from host ldp007 (10.21.72.60) to the same host with telnet
port 23 is rejected by the SAProuter.
Route Permission Table
The route permission table in this example allows connections from any host to host
10.21.82.77 with port sapmsBIN, as well as to host 10.21.72.60 with port 3298:
P    *    10.21.82.77    sapmsBIN
P    *    10.21.72.60    3298
Log File
After these actions have been executed, the log file would look like the following (the line
numbers are not displayed, but are added here to help with the description).
(1) Wed Dec 7 13:13:59 2005 INIT LOGFILE
(2) Wed Dec 7 13:13:59 2005 READ ROUTTAB ./saprouttab o.k.
(3) Wed Dec 7 13:14:05 2005 CONNECT FROM C1/- host 10.21.72.60/1245 (ldp007.wdf.sap.corp)
(4) Wed Dec 7 13:14:05 2005 CONNECT TO S1/2 host 10.21.82.77/sapmsBIN (binmain)
(5) Wed Dec 7 13:14:05 2005 DISCONNECT C1/2 host 10.21.72.60/1245 (ldp007.wdf.sap.corp)
(6) Wed Dec 7 13:14:13 2005 CONNECT FROM C2/- host 127.0.0.1/44997 (localhost)
(7) Wed Dec 7 13:14:13 2005 SEND INFO TO C2/-
(8) Wed Dec 7 13:14:13 2005 DISCONNECT C2/- host 127.0.0.1/44997 (localhost)
(9) Wed Dec 7 13:14:23 2005 CONNECT FROM C2/- host 10.21.72.60/1276 (ldp007.wdf.sap.corp)
(10) Wed Dec 7 13:14:23 2005 CONNECT TO S2/1 host 10.21.72.60/3298 (ldp007)
(11) Wed Dec 7 13:14:24 2005 DISCONNECT S2/1 host 10.21.72.60/3298 (ldp007)
(12) Wed Dec 7 13:14:31 2005 CONNECT FROM C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)
(13) Wed Dec 7 13:14:31 2005 PERM DENIED C2/- host 10.21.72.60 (ldp007.wdf.sap.corp) to ldp007/23
(14) Wed Dec 7 13:14:31 2005 DISCONNECT C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp)
Meaning
The lines mean the following:
Line(s)       Meaning
(1), (2)      The first two lines are always at the start of the log file. The first line marks the start, the second means that the Route Permission Table [page 23] has been read in successfully.
(3), (4)      The client (host 10.21.72.60, port 1245) connects to the SAProuter and through this host it can connect to host 10.21.82.77, port sapmsBIN, since this connection is permitted according to the route permission table.
(5)           The connection between host 10.21.72.60, port 1245 and host 10.21.82.77, port sapmsBIN is closed by the client.
(6)           On the local host (IP address 127.0.0.1, port 44997) the connection list display is called up (saprouter -l). The connection is opened with the SAProuter.
(7)           The SAProuter sends the client the requested connection information.
(8)           The connection is closed again. As it is not a client/server connection via the SAProuter, the connection is closed by the SAProuter.
(9), (10)     Client host 10.21.72.60, port 1276 wants to connect to server 10.21.72.60, port 3298 via the SAProuter, which is permitted according to the route permission table. The SAProuter opens the connection.
(11)          The connection is closed again (from the server).
(12), (13)    Client host 10.21.72.60, port 1352 wants to connect to server 10.21.72.60, port 23 (telnet) via the SAProuter, which is not permitted according to the route permission table. The SAProuter returns the message “permission denied”.
(14)          The connection is closed by the SAProuter. (With unpermitted connections and in error situations the SAProuter closes the connections.)
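The log layout described above lends itself to automated review. The following Python is an added example, not part of SAProuter: it parses log lines into fields and groups PERM DENIED entries by source address, a simple way to spot a peer that keeps requesting routes the table does not allow. The regular expressions are inferred from the sample lines on this page; the first four lines of SAMPLE_LOG are taken from the example above and the last three are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

ACTIONS = ("INIT LOGFILE", "READ ROUTTAB", "CONNECT FROM", "CONNECT TO", "CONNECT ERR",
           "SEND INFO TO", "ESTABLISHED", "DISCONNECT", "PERM DENIED")
LINE = re.compile(r"^(\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+(%s)\s*(.*)$"
                  % "|".join(ACTIONS))
HANDLE = re.compile(r"^([CS])(\d+)/(\d+|-)")      # handle pair <C|S>n/m
PEER = re.compile(r"host ([\d.]+)(?:/(\S+))?")    # peer address and optional port
TARGET = re.compile(r"\bto (\S+)/(\S+)\s*$")      # "to host/port" on PERM DENIED


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a log entry."""
    m = LINE.match(line.strip())
    if not m:
        return None
    stamp, action, rest = m.groups()
    event = {
        "time": datetime.strptime(" ".join(stamp.split()), "%a %b %d %H:%M:%S %Y"),
        "action": action,
        "initiator": None,       # "client" for C, "server" for S
        "client_handle": None,   # first number of the handle pair
        "server_handle": None,   # second number, None when written as "-"
        "peer_ip": None,
        "peer_port": None,
        "target": None,          # (host, port) the denied route pointed to
    }
    handle = HANDLE.match(rest)
    if handle:
        event["initiator"] = "client" if handle.group(1) == "C" else "server"
        event["client_handle"] = int(handle.group(2))
        if handle.group(3) != "-":
            event["server_handle"] = int(handle.group(3))
    peer = PEER.search(rest)
    if peer:
        event["peer_ip"], event["peer_port"] = peer.group(1), peer.group(2)
    target = TARGET.search(rest)
    if action == "PERM DENIED" and target:
        event["target"] = (target.group(1), target.group(2))
    return event


def denied_by_source(lines, min_targets=1):
    """Map each source address to the sorted set of targets it was denied,
    keeping only sources with at least min_targets distinct targets."""
    targets = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        if event and event["action"] == "PERM DENIED" and event["peer_ip"] and event["target"]:
            targets[event["peer_ip"]].add(event["target"])
    return {ip: sorted(found) for ip, found in targets.items() if len(found) >= min_targets}


SAMPLE_LOG = """\
Wed Dec 7 13:14:05 2005 CONNECT FROM C1/- host 10.21.72.60/1245 (ldp007.wdf.sap.corp)
Wed Dec 7 13:14:05 2005 CONNECT TO S1/2 host 10.21.82.77/sapmsBIN (binmain)
Wed Dec 7 13:14:05 2005 DISCONNECT C1/2 host 10.21.72.60/1245 (ldp007.wdf.sap.corp)
Wed Dec 7 13:14:31 2005 PERM DENIED C2/- host 10.21.72.60 (ldp007.wdf.sap.corp) to ldp007/23
Wed Dec 7 13:15:02 2005 PERM DENIED C3/- host 192.0.2.10 (192.0.2.10) to 10.21.82.77/22
Wed Dec 7 13:15:03 2005 PERM DENIED C3/- host 192.0.2.10 (192.0.2.10) to 10.21.82.77/3389
Wed Dec 7 13:15:04 2005 PERM DENIED C3/- host 192.0.2.10 (192.0.2.10) to 10.21.82.78/22
"""

if __name__ == "__main__":
    for source, denied in denied_by_source(SAMPLE_LOG.splitlines(), min_targets=3).items():
        print(source, "was denied", len(denied), "distinct targets:", denied)
```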
Identifying and Correcting Errors
Use
If an error occurs while a SAProuter is in operation, an error message is displayed by the
SAProuter client. The message helps you to locate the cause of the error and find a solution.
Prerequisites
You can find more information about error handling in the log file. Logging in SAProuter [page
27] must be activated (Option -G<logfile> [page 60]).
Procedure
Restrict the error to one of the following error groups:
● Connection setup error
● Connection terminations
● Other errors / occasional errors
To find the relevant group, you can enter the error text in the full text search in the
documentation.
Once you have restricted the error to a group, proceed as follows:
Connection Setup Error [page 34]
Connection Terminations [page 40]
Other Errors [page 43]
Further Information
If no error occurs, you can tell this from the log file. Entries are described in Successful
Connection Setup and Data Transfer [page 31].
You can find information about the syntax of SAProuter error messages, and examples of
frequently occurring errors in SAProuter Error Messages [page 32].
SAP Notes
With other error messages or problems with SAProuter you can look for solutions in the SAP
Note system under component BC-CST-NI.
You can find notes about the SAProuter environment in the section SAP Notes for the
SAProuter [page 50].
Successful Connection Setup and Data Transfer
When the connection is set up and data transferred without any errors, you see the following
entries in the log file:
Operation Without SNC
Thu Jun 14 16:08:04 2007 CONNECT FROM C9/- host 10.66.66.90/19114 (host1.company.corp)
Thu Jun 14 16:08:04 2007 CONNECT TO S9/17 host 10.21.83.41/3299 (host2)
Thu Jun 14 16:08:06 2007 ESTABLISHED S9/17
Thu Jun 14 16:21:06 2007 DISCONNECT C9/17 host 10.66.66.90/19114 (host1.company.corp)
Thu Jun 14 14:28:40 2007 CONNECT FROM C19/- host 10.66.66.90/12127 (host1.company.corp)
Thu Jun 14 14:28:40 2007 CONNECT TO S19/11 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***
Thu Jun 14 14:28:41 2007 ESTABLISHED S19/11 , *** NATIVE ROUTING ***
Thu Jun 14 14:58:43 2007 DISCONNECT S19/11 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***
Operation with SNC
When using SNC for data communication between two SAProuters there are two different
mechanisms for setting up the connection.
SNC Forwards Setup
With this mechanism, the client-side SAProuter initiates the SNC connection/encryption. The
SAProuter on the client-side has an entry of the type KT in the router permission table for the
server-side SAProuter and therefore establishes the SNC connection. The SNC name is
written to the 'CONNECT TO' log when the connection to the server-side SAProuter is
established. The 'ESTABLISHED' log displays the recipient side of the SNC communication
once the connection has been set up successfully.
Client Side
Thu Jun 14 17:13:22 2007 CONNECT FROM C9/- host 10.66.66.90/30888 (host1.company.corp)
Thu Jun 14 17:13:25 2007 CONNECT TO S9/17 host 10.18.211.3/3299 (10.18.211.3) (p:CN=D039768, O=SAP-AG, C=DE)
Thu Jun 14 17:13:25 2007 ESTABLISHED S9/17 (-/SNC)
Thu Jun 14 17:19:12 2007 DISCONNECT C9/17 host 10.66.66.90/30888 (host1.company.corp)
Server Side
Thu Jun 14 17:13:22 2007 CONNECT FROM C9/- host 10.18.211.3/1150 (host2)
Thu Jun 14 17:13:25 2007 CONNECT TO S9/17 host 10.66.66.91/3253 (binmain)
Thu Jun 14 17:13:25 2007 ESTABLISHED S9/17 (SNC/-)
Thu Jun 14 17:19:12 2007 DISCONNECT C9/17 host 10.18.211.3/1150 (host2)
SNC Backwards Setup
The server-side SAProuter can also initiate SNC. This is what happens if the incoming
connection from the client-side SAProuter does not use SNC (see above) but the server-side
SAProuter requires it due to the relevant entries in the route permission table. In this scenario,
the SNC handshake is triggered by the server-side SAProuter later on. This means that there
is no SNC name in the 'CONNECT TO' entry in the log on the client side.
Client Side
Thu Jun 14 16:55:21 2007 CONNECT FROM C9/- host 10.18.211.3/1065 (host2)
Thu Jun 14 16:55:21 2007 CONNECT TO S9/17 host 10.18.211.3/3299 (10.18.211.3)
Thu Jun 14 16:55:21 2007 ESTABLISHED S9/17 (-/SNC)
Thu Jun 14 16:56:42 2007 DISCONNECT S9/17 host 10.18.211.3/3299 (10.18.211.3)
Server Side
Thu Jun 14 16:55:21 2007 CONNECT FROM C9/- host 10.18.211.3/1066 (host2)
Thu Jun 14 16:55:21 2007 CONNECT TO S9/17 host 10.66.66.91/sapdp53 (host4.company.corp)
Thu Jun 14 16:55:21 2007 ESTABLISHED S9/17 (SNC/-)
Thu Jun 14 16:56:42 2007 DISCONNECT S9/17 host 10.66.66.91/3253 (host4.company.corp)
More Information
Route Connections [page 10]
SNC - Secure Network Communication [page 12]
SAProuter Error Messages
A SAProuter error message consists of eight or more lines, with a blank line inserted after one
or two lines.
SAProuter Error Message
LOCATION     SapRouter on myhost
ERROR        partner not reached

TIME         Wed Jul 23 15:24:42 1997
RELEASE      700
COMPONENT    NI (network interface)
VERSION      38
RC           -100
COUNTER      1
The two first lines are important here. They show you:
● On which host the SAProuter concerned is running (in this example myhost)
● To which application area the error belongs (here connection setup)
In this example, SAProuter cannot set up the connection to its partner. You are advised to
check the connection again.
If there is no LOCATION entry, the error message refers to a local program.
The information after the blank line is particularly relevant for internal errors. If you cannot
correct the error and therefore contact SAP, the detailed information may be helpful.
The most important error messages are:
● Route permission denied: The connection is not permitted and will not be
  opened by the SAProuter. Check the route permission table and make changes, if
  necessary.
  More information: Checking the Route Permission Table [page 33]
● Maximum number of clients reached: The SAProuter cannot open the
  connection because it has already opened the maximum number of connections.
  Change the maximum setting or start another SAProuter.
  More information: Setting Up More Connections [page 34]
More Information
Connection Setup Errors [page 34]
Connection Terminations [page 40]
Other Errors [page 43]
Checking the Route Permission Table
One of the most common error messages is the following:
LOCATION     SapRouter on myhost
ERROR        Route Permission Denied
TIME         .....
....         ....
A connection has not been set up because SAProuter does not allow the route concerned.
Procedure
Check the route permission table of this SAProuter (on host myhost) carefully and change it,
if necessary.
You can find out which working directory the running SAProuter and the route permission
table are in with Option -l / -L.
Remember that the first entry in the route permission table for which source address, target
address, and target port match is decisive.
You can import a modified route permission table with Option -n (new saprouttab).
More Information
Route Permission Table [page 23]
Option -l / -L [page 56]
Option -n (new saprouttab) [page 54]
Setting Up More Connections
SAProuter does not accept a connection and outputs the following error message:
LOCATION    SapRouter on myhost
ERROR       maximum number of clients reached
TIME        .....
....
....
This means that SAProuter cannot accept any further clients because the maximum number
has been reached (default 800). However, SAProuter continues running with all other clients.
Procedure
In order not to have to restart SAProuter (and thereby end all existing connections), you
should perform a soft shutdown of the SAProuter using Option -p. SAProuter then continues
running on a different port. SAProuter can then be started on the old port, possibly with a
larger number of clients. It will then accept clients again.
If you would like to automate this procedure, you can start SAProuter using Option -Y <n>. A
new SAProuter is started automatically every time the client table becomes full.
More Information
Option -p (Soft-Shutdown) [page 58]
Option -C <clients> [page 62]
Option -Y <n> [page 64]
Connection Setup Errors
The following errors can occur during the connection setup:
● Connect fails because the server is not running
● TCP/IP connect takes too long (longer than the timeout -W value)
● Route setup takes too long (longer than the timeout -W value)
● No route permission for the connection
● Error on the subsequent host
These errors are described below with possible solutions.
Connect fails (server not running)
The log file contains the following entries:
SAProuter Log File
Thu Jun 14 13:18:22 2007 CONNECT FROM C9/- host 10.66.66.90/35169 (host2.company.corp)
Thu Jun 14 13:18:22 2007 CONNECT TO   S9/17 host 10.66.66.91/3299 (host1)
Thu Jun 14 13:18:22 2007 CONNECT ERR  S9/17 connection refused
Thu Jun 14 13:18:22 2007 DISCONNECT   S9/17 host 10.66.66.91/3299 (host1)
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'ld8060'
*  ERROR       partner '10.66.66.91:3299' not reached
*
*  TIME        Thu Jun 14 13:18:22 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -92
*  MODULE      nixxi.cpp
*  LINE        3068
*  DETAIL      NiPConnect2: 10.66.66.91:3299
*  SYSTEM CALL connect
*  ERRNO       111
*  ERRNO TEXT  Connection refused
*  COUNTER     4
***********************************************************************
Background and Further Analysis
On the server side, no program is listening (LISTEN) on IP address 10.66.66.91 and
port 3299. Check that the host name/IP address and server name/port number are
correct. If they are correct, the right server is being reached but it appears that the program to
which the connection should be established is not running. Check that the SAProuter and the
system or corresponding program on the server are running and are using the correct port (OS
command netstat -an).
TCP/IP connect takes too long (longer than the timeout -W value)
The log file contains the following entries:
SAProuter Log File
Thu Jun 14 13:22:01 2007 CONNECT FROM C10/- host 10.66.66.90/41060 (host2.company.corp)
Thu Jun 14 13:22:01 2007 CONNECT TO   S10/18 host 1.1.1.1/3299 (1.1.1.1)
Thu Jun 14 13:22:06 2007 CONNECT ERR  S10/18 could not establish connection within 5s
Thu Jun 14 13:22:06 2007 DISCONNECT   S10/18 host 1.1.1.1/3299 (1.1.1.1)
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'ld8060'
*  ERROR       connection to 1.1.1.1:3299 timed out
*
*  TIME        Thu Jun 14 13:22:06 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -5
*  MODULE      nirout.cpp
*  LINE        6548
*  DETAIL      RTPENDLIST::timeoutPend: could not establish connection within
*              5s (ROUTED)
*  COUNTER     6
***********************************************************************
Background and Further Analysis
In this example, the TCP/IP connection from the SAProuter to the next node (the next
SAProuter, a system, or another network component) could not be established within a
specified timeout period. This error can occur if the server host is down or the IP address of
the host cannot be reached. It can also be due to the network failing to establish the TCP/IP
connection within 5 seconds (the timeout value defined in option -W). You might be able to
solve this problem by using a greater value for option -W.
More information: Expert Options in SAProuter Options [page 51].
Route setup takes too long
The SAProuter is able to connect to the next host using TCP/IP, but the next host takes too
long to establish the route to the destination. The SAProuter receives no NI_PONG
(confirmation that the route has been established) within the -W timeout period.
The log file contains the following entries:
SAProuter Log File
Thu Jun 14 13:34:19 2007 CONNECT FROM C15/- host 10.66.66.90/41070 (host2.company.corp)
Thu Jun 14 13:34:19 2007 CONNECT TO   S15/23 host 10.21.72.60/3299 (host3)
Thu Jun 14 13:34:24 2007 CONNECT ERR  S15/23 no route completion within 5s; check SAProuter on 'host3'
Thu Jun 14 13:34:24 2007 DISCONNECT   S15/23 host 10.21.72.60/3299 (host3)
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'ld8060'
*  ERROR       connection to host3:3299 timed out
*
*  TIME        Thu Jun 14 13:34:24 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -5
*  MODULE      nirout.cpp
*  LINE        6537
*  DETAIL      RTPENDLIST::timeoutPend: no route completion within 5s
*              (ROUTED)
*  COUNTER     17
***********************************************************************
Background and Further Analysis
Find out why the subsequent SAProuter was unable to establish the connection within 5
seconds (in this example). It might be due to slow name resolution, for example. The log and
trace files should provide further information on this. In the case of connections using multiple
SAProuters in a WAN environment, increase option -W. If multiple SAProuters are involved in
setting up a connection and the network response times are relatively high, the default value
of 5 seconds is not sufficient to enable the connection to the target system to be established.
More information: Expert Options in SAProuter Options [page 51].
No route permission for the connection
The SAProuter rejects the connection because the route permission table does not allow it.
The log file contains the following entries:
SAProuter Log File
Thu Jun 14 14:18:20 2007 CONNECT FROM C10/- host 10.66.66.90/63669 (host2.company.corp)
Thu Jun 14 14:18:20 2007 PERM DENIED  C10/- host 10.66.66.90 (host2.company.corp) to host1/3254
Thu Jun 14 14:18:20 2007 DISCONNECT   C10/- host 10.66.66.90/63669 (host2.company.corp)
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'ld8060'
*  ERROR       ld8060: route permission denied (host2.company.corp to
*              host1, 3254)
*
*  TIME        Thu Jun 14 14:18:20 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -94
*  COUNTER     5
***********************************************************************
Background and Further Analysis
Check the route permission table [page 33]
Error on the subsequent host
This error does not occur on the local SAProuter. Instead, it occurs on a subsequent host.
Messages of the following type appear in the log of the local SAProuter:
SAProuter Log File
Thu Jun 14 14:42:53 2007 CONNECT FROM C10/- host 10.66.66.90/30005 (host2.company.corp)
Thu Jun 14 14:42:53 2007 CONNECT TO   S10/18 host 10.21.72.60/3299 (host3)
Thu Jun 14 14:42:54 2007 CONNECT ERR  S10/18 NIEROUT_INTERN on 'SAProuter 37.15 on hs0126'
Thu Jun 14 14:42:54 2007 DISCONNECT   S10/18 host 10.21.72.60/3299 (host3)
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 37.15 on hs0126
*  ERROR       partner not reached (host 10.66.66.91, service 3298)
*
*  TIME        Thu Jun 14 14:42:54 2007
*  RELEASE     640
*  COMPONENT   NI (network interface)
*  VERSION     37
*  RC          -93
*  MODULE      nixxi.cpp
*  LINE        8724
*  DETAIL      NiPConnect2
*  SYSTEM CALL SiPeekPendConn
*  ERRNO       239
*  ERRNO TEXT  Connection refused
*  COUNTER     5
***********************************************************************
Or
SAProuter Log File
Thu Jun 14 14:40:28 2007 CONNECT FROM C9/- host 10.66.66.90/24016 (host2.company.corp)
Thu Jun 14 14:40:28 2007 CONNECT TO   S9/17 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***
Thu Jun 14 14:40:28 2007 CONNECT ERR  S9/17 NIEROUT_PERM_DENIED on 'SAProuter 39.0 on 'host3'', *** NATIVE ROUTING ***
Thu Jun 14 14:40:28 2007 DISCONNECT   S9/17 host 10.21.72.60/3299 (host3), *** NATIVE ROUTING ***
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.0 on 'host3'
*  ERROR       host3: route permission denied (host2.company.corp to
*              host1, 3253)
*
*  TIME        Thu Jun 14 14:40:28 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -93
*  COUNTER     3
***********************************************************************
Background and Further Analysis
Check the log and trace files on the SAProuter where the error occurred if the information
already provided is not sufficient. The SAProuter error message that is normally displayed on
the client contains information on the error. The LOCATION line tells you the location of the
error.
More Information
Connection Terminations [page 40]
Other Errors [page 43]
SAProuter Options [page 51]
Connection Terminations
Connection terminations can be triggered from both the client side and the server side.
Connection Terminations from the Server Side
The following entries appear in the log file when a connection termination is triggered from the
server side (if the local SAProuter is the client).
SAProuter Log File
Thu Jun 14 16:08:47 2007 CONNECT FROM C18/- host 10.66.66.90/24761 (host2.company.corp)
Thu Jun 14 16:08:47 2007 CONNECT TO   S18/10 host 10.21.83.41/3299 (host2)
Thu Jun 14 16:08:47 2007 ESTABLISHED  S18/10
Thu Jun 14 16:08:58 2007 DISCONNECT   S18/10 host 10.21.83.41/3299 (host2)
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.0 on 'host2'
*  ERROR       connection to partner '10.21.72.60:3298' broken
*
*  TIME        Thu Jun 14 16:08:58 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -95
*  MODULE      nixxi.cpp
*  LINE        4660
*  DETAIL      NiIRead: P=10.21.72.60:3298; L=???
*  SYSTEM CALL recv
*  ERRNO       232
*  ERRNO TEXT  Connection reset by peer
*  COUNTER     17
***********************************************************************
Or
SAProuter Log File
Thu Jun 14 16:09:50 2007 CONNECT FROM C19/- host 10.66.66.90/24847 (host2.company.corp)
Thu Jun 14 16:09:50 2007 CONNECT TO   S19/11 host 10.21.72.60/3298 (ldp007)
Thu Jun 14 16:09:50 2007 ESTABLISHED  S19/11
Thu Jun 14 16:10:02 2007 DISCONNECT   S19/11 host 10.21.72.60/3298 (ldp007) RST
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'host1'
*  ERROR       connection to partner '10.21.72.60:3298' broken
*
*  TIME        Thu Jun 14 16:10:02 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -95
*  MODULE      nixxi.cpp
*  LINE        4660
*  DETAIL      NiIRead: P=10.21.72.60:3298; L=10.66.66.90:24848
*  SYSTEM CALL recv
*  ERRNO       104
*  ERRNO TEXT  Connection reset by peer
*  COUNTER     10
***********************************************************************
Connection Terminations from the Client Side
The following entries appear in the log file when a connection termination is triggered from the
client side (if the local SAProuter is the server).
Thu Jun 14 16:13:20 2007 CONNECT FROM C20/- host 10.66.66.90/24849 (host2.company.corp)
Thu Jun 14 16:13:20 2007 CONNECT TO   S20/12 host 10.21.83.41/3299 (host2)
Thu Jun 14 16:13:20 2007 ESTABLISHED  S20/12
Thu Jun 14 16:13:43 2007 DISCONNECT   C20/12 host 10.66.66.90/24849 (host2.company.corp) RST
There is no error message with errInfo because the error is on the client side.
Background and Further Analysis
The DISCONNECT entry in the log file tells you the side where the connection termination was
triggered. You can use this information to find the node/program that first closed the
connection. The trace file for this program contains more information on the cause of the
connection termination.
In some cases, the connection between the two programs can be terminated without either
side triggering the termination. For example, this is the case if two SAProuters with a direct
TCP/IP connection both record that the other side triggered the connection termination. This
means that an active network component between the two programs terminated the TCP/IP
connection. The network component concerned is often a firewall or a router with an idle
timeout. If this occurs, check the network.
The DISCONNECT log entry also tells you whether or not the connection was closed in a
TCP/IP-compliant manner. 'RST' at the end of the line indicates an RST packet or a
retransmit timeout. This means that the other side or an active network component between
the two sides of the TCP/IP connection ended the connection incorrectly. This can be caused
by the program crashing, the connection being closed too early at application level, or a
firewall.
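The log analysis described above, as an added example (not part of the SAP documentation): a Python script that groups SAProuter log entries into sessions, records which side closed an established route and whether the DISCONNECT entry ends in RST, and counts rejected routes per source address. The sample lines are constructed from the excerpts in this section, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log excerpts in this section.
SAMPLE_LOG = """\
Thu Jun 14 13:22:01 2007 CONNECT FROM C10/- host 10.66.66.90/41060 (host2.company.corp)
Thu Jun 14 13:22:01 2007 CONNECT TO   S10/18 host 1.1.1.1/3299 (1.1.1.1)
Thu Jun 14 13:22:06 2007 CONNECT ERR  S10/18 could not establish connection within 5s
Thu Jun 14 13:22:06 2007 DISCONNECT   S10/18 host 1.1.1.1/3299 (1.1.1.1)
Thu Jun 14 14:18:20 2007 CONNECT FROM C10/- host 10.66.66.90/63669 (host2.company.corp)
Thu Jun 14 14:18:20 2007 PERM DENIED  C10/- host 10.66.66.90 (host2.company.corp) to host1/3254
Thu Jun 14 14:18:20 2007 DISCONNECT   C10/- host 10.66.66.90/63669 (host2.company.corp)
Thu Jun 14 16:08:47 2007 CONNECT FROM C18/- host 10.66.66.90/24761 (host2.company.corp)
Thu Jun 14 16:08:47 2007 CONNECT TO   S18/10 host 10.21.83.41/3299 (host2)
Thu Jun 14 16:08:47 2007 ESTABLISHED  S18/10
Thu Jun 14 16:08:58 2007 DISCONNECT   S18/10 host 10.21.83.41/3299 (host2)
Thu Jun 14 16:13:20 2007 CONNECT FROM C20/- host 10.66.66.90/24849 (host2.company.corp)
Thu Jun 14 16:13:20 2007 CONNECT TO   S20/12 host 10.21.83.41/3299 (host2)
Thu Jun 14 16:13:20 2007 ESTABLISHED  S20/12
Thu Jun 14 16:13:43 2007 DISCONNECT   C20/12 host 10.66.66.90/24849 (host2.company.corp) RST
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"(?P<event>CONNECT FROM|CONNECT TO|CONNECT ERR|PERM DENIED|INVAL DATA|"
    r"ESTABLISHED|DISCONNECT)\s+"
    r"(?P<side>[CS])(?P<conn>\d+)/(?:\d+|-)\s*(?P<rest>.*)$"
)


def _host(rest):
    """Return the address from 'host <addr>[/<port>] ...', or None."""
    m = re.search(r"\bhost (\S+)", rest)
    return m.group(1).split("/")[0] if m else None


def parse_sessions(text):
    """Group log lines into sessions and classify how each one ended."""
    open_sessions, finished = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation line or unrelated output
        conn, event, rest = m["conn"], m["event"], m["rest"].strip()
        if event == "CONNECT FROM":
            # Connection numbers are reused, so CONNECT FROM always opens a new session.
            open_sessions[conn] = {
                "conn": conn, "start": m["ts"], "source": _host(rest),
                "established": False, "outcome": "open", "detail": "",
                "closed_by": None, "rst": False,
            }
            continue
        s = open_sessions.get(conn)
        if s is None:
            continue  # the log excerpt starts in the middle of a session
        if event == "ESTABLISHED":
            s["established"] = True
        elif event == "PERM DENIED":
            target = re.search(r"\bto (\S+)$", rest)
            s["outcome"] = "perm_denied"
            s["detail"] = target.group(1) if target else rest
        elif event == "CONNECT ERR":
            s["outcome"], s["detail"] = "setup_error", rest
        elif event == "INVAL DATA":
            s["outcome"], s["detail"] = "invalid_data", rest
        elif event == "DISCONNECT":
            s["rst"] = rest.endswith(" RST")
            if s["established"] and s["outcome"] == "open":
                # Only for an established route does the C/S prefix say who closed it.
                s["outcome"] = "terminated"
                s["closed_by"] = "client" if m["side"] == "C" else "server"
            elif s["outcome"] == "open":
                s["outcome"] = "closed"
            finished.append(open_sessions.pop(conn))
    return finished


def denied_routes(sessions):
    """Count rejected routes per (source address, requested target)."""
    return Counter((s["source"], s["detail"])
                   for s in sessions if s["outcome"] == "perm_denied")


def abnormal_terminations(sessions):
    """Established routes that ended with RST, with the side that closed them."""
    return [(s["conn"], s["closed_by"])
            for s in sessions if s["outcome"] == "terminated" and s["rst"]]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s["start"], "C" + s["conn"], s["source"], s["outcome"],
              s["closed_by"] or "-", "RST" if s["rst"] else "-", s["detail"])
```

Repeated `perm_denied` counts from one source address point to a client that keeps requesting a route the table does not allow, which is worth reviewing before the table is changed.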
More Information
Connection Setup Errors [page 34]
Other Errors [page 43]
Other Errors
The following errors occur only rarely. The descriptions below aim to help you to analyze and
eliminate these errors.
● The SAProuter receives incorrect data. This can happen if the route is too short or if
  the system overlooks the fact that the connection is to a SAProuter rather than a backend connection.
● The SAProuter receives the route information too late (TCP/IP connection setup was
  successful).
● The SAProuter is the client and it receives an incorrect response from the server.
● The SAProuter is the server and it receives the data from the client too early.
● SNC is not active for a forwards connection.
● SNC is not active for a backwards connection.
Incorrect data sent to the SAProuter
The log file contains the following entries:
SAProuter Log File
Thu Jun 14 09:55:36 2007 CONNECT FROM C10/- host 10.66.66.90/34506 (host1.company.corp)
Thu Jun 14 09:55:36 2007 INVAL DATA   C10/- route expected
Thu Jun 14 09:55:36 2007 DISCONNECT   C10/- host 10.66.66.90/34506 (host1.company.corp)
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'host1'
*  ERROR       internal error
*
*  TIME        Thu Jun 14 09:55:36 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -93
*  MODULE      nirout.cpp
*  LINE        2664
*  DETAIL      NiRClientHandle: route expected
*  COUNTER     4
***********************************************************************
Background and Further Analysis
The client program sends incorrect data to the SAProuter. This is usually the case if the client
assumes that it is already communicating with the target system but the connection was
actually established to an SAProuter that has to wait for a route first. Check the parameters
for the connection setup on the client.
Route sent too late
The connection setup (connect) was successful but the client sends the route to the
SAProuter too late, or the client assumes that it is already connected to the server and is
waiting for data, or the timeout -W is exceeded.
The log file contains the following entries:
SAProuter Log File
Thu Jun 14 12:27:27 2007 CONNECT FROM C11/- host 10.66.66.90/35087 (host1.company.corp)
Thu Jun 14 12:27:32 2007 CONNECT ERR  C11/- no route received within 5s
Thu Jun 14 12:27:32 2007 DISCONNECT   C11/- host 10.66.66.90/35087 (host1.company.corp)
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'host1'
*  ERROR       connection timed out
*
*  TIME        Thu Jun 14 12:27:32 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -5
*  MODULE      nirout.cpp
*  LINE        6519
*  DETAIL      RTPENDLIST::timeoutPend: no route received within 5s
*              (CONNECTED)
*  COUNTER     5
***********************************************************************
Background and Further Analysis
This error can occur if the client does not send the route quickly enough after the TCP/IP
connect to the SAProuter. This might be caused by the client hanging temporarily.
Incorrect response from the server
If a server-side program other than a SAProuter responds, or if the back end responds, the
SAProuter cannot use the response. It needs another SAProuter as the server.
The log file contains the following entries:
SAProuter Log File
Thu Jun 14 13:59:43 2007 CONNECT FROM C9/- host 10.66.66.90/46915 (host1.company.corp)
Thu Jun 14 13:59:43 2007 CONNECT TO   S9/17 host 10.66.66.91/3253 (host2)
Thu Jun 14 13:59:43 2007 CONNECT ERR  S9/17 invalid data form server during route completion
Thu Jun 14 13:59:43 2007 DISCONNECT   S9/17 host 10.66.66.91/3253 (host2)
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'host1'
*  ERROR       internal error
*
*  TIME        Thu Jun 14 13:59:43 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -93
*  MODULE      nirout.cpp
*  LINE        2694
*  DETAIL      NiRClientHandle: invalid data from server 'host2' during
*              route completion
*  COUNTER     3
***********************************************************************
Background and Further Analysis
Check the parameters for the connection setup on the client.
Data received too early from the client
If the SAProuter, as the server, receives data from the client before the route is established,
the following entries appear in the log file:
SAProuter Log File
Thu Jun 14 14:15:00 2007 CONNECT FROM C10/- host 10.66.66.90/52640 (host1.company.corp)
Thu Jun 14 14:15:00 2007 CONNECT TO   S10/18 host 10.66.66.91/3253 (host2)
Thu Jun 14 14:15:00 2007 CONNECT ERR  C10/18 invalid data form client during route completion
Thu Jun 14 14:15:00 2007 DISCONNECT   C10/18 host 10.66.66.90/52640 (host1.company.corp)
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'host1'
*  ERROR       internal error
*
*  TIME        Thu Jun 14 14:15:00 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -93
*  MODULE      nirout.cpp
*  LINE        2688
*  DETAIL      NiRClientHandle: invalid data from client
*              'host1.company.corp' during route completion
*  COUNTER     5
***********************************************************************
Background and Further Analysis
The client program is behaving incorrectly. Check for a more recent version of the client
program.
Data received too early from the server
The log file contains the following entries:
SAProuter Log File
Thu Jun 14 13:59:43 2007 CONNECT FROM C9/- host 10.66.66.90/46915 (host1.company.corp)
Thu Jun 14 13:59:43 2007 CONNECT TO   S9/17 host 10.66.66.91/3253 (host2)
Thu Jun 14 13:59:43 2007 CONNECT ERR  S9/17 invalid data form server during route completion
Thu Jun 14 13:59:43 2007 DISCONNECT   S9/17 host 10.66.66.91/3253 (host2)
The client issues the error message below.
SAProuter Error Message
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'host1'
*  ERROR       internal error
*
*  TIME        Thu Jun 14 13:59:43 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -93
*  MODULE      nirout.cpp
*  LINE        2694
*  DETAIL      NiRClientHandle: invalid data from server 'host2' during
*              route completion
*  COUNTER     3
***********************************************************************
Background and Further Analysis
Check the version of the SAProuter on the server side and update the program if necessary.
SNC not active for a forwards connection
The log file contains the following entries:
Client Side
Thu Jun 14 17:16:40 2007 CONNECT FROM C18/- host 10.66.66.90/30891 (host1.company.corp)
Thu Jun 14 17:16:40 2007 CONNECT TO   S18/10 host 10.18.211.3/3299 (10.18.211.3) (p:CN=D039768, O=SAP-AG, C=DE)
Thu Jun 14 17:16:40 2007 CONNECT ERR  S18/10 forwarding route failed NIESNC_FAILURE
Thu Jun 14 17:16:40 2007 DISCONNECT   C18/10 host 10.66.66.90/30891 (host1.company.corp)
Server Side
Thu Jun 14 17:16:40 2007 CONNECT FROM C9/- host 10.18.211.3/1168 (host3.wdf.sap.corp)
Thu Jun 14 17:16:40 2007 DISCONNECT   C9/- host 10.18.211.3/1168 (host3.wdf.sap.corp)
SAProuter Error Message on Client Side
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'host3'
*  ERROR       SNC processing failed:
*              SNC not enabled
*
*  TIME        Thu Jun 14 17:16:40 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -104
*  MODULE      nisnc.c
*  LINE        566
*  DETAIL      NiSncOpcode: NISNC_REQ
*  COUNTER     2
***********************************************************************
Background and Further Analysis
The SAProuter on the server side has not activated SNC. Restart the SAProuter on the server
side with the option -K mysncname.
SNC not active for a backwards connection
The log file contains the following entries:
Client Side
Thu Jun 14 17:08:19 2007 CONNECT FROM C9/- host 10.66.66.90/30883 (host1.company.corp)
Thu Jun 14 17:08:19 2007 CONNECT TO   S9/17 host 10.18.211.3/3299 (10.18.211.3)
Thu Jun 14 17:08:19 2007 CONNECT ERR  S9/17 NIESNC_FAILURE on 'SAProuter 39.1 (SP3) on 'host3''
Thu Jun 14 17:08:19 2007 DISCONNECT   S9/17 host 10.18.211.3/3299 (10.18.211.3)
Server Side
Thu Jun 14 17:08:19 2007 CONNECT FROM C12/- host 10.18.211.3/1119 (host3.wdf.sap.corp)
Thu Jun 14 17:08:19 2007 CONNECT TO   S12/20 host 10.66.66.91/3253 (host2)
Thu Jun 14 17:08:19 2007 CONNECT ERR  C12/20 NIECONN_BROKEN on 'SAProuter 39.1 (SP3) on 'host3''
Thu Jun 14 17:08:19 2007 DISCONNECT   C12/20 host 10.18.211.3/1119 (host3.wdf.sap.corp)
SAProuter Error Message on Client Side
***********************************************************************
*  LOCATION    SAProuter 39.1 (SP3) on 'host3'
*  ERROR       SNC processing failed:
*              SNC not enabled
*
*  TIME        Thu Jun 14 17:08:19 2007
*  RELEASE     710
*  COMPONENT   NI (network interface)
*  VERSION     39
*  RC          -104
*  MODULE      nisnc.c
*  LINE        586
*  DETAIL      NiSncOpcode: NISNC_ACC
*  COUNTER     4
***********************************************************************
Background and Further Analysis
The SAProuter on the client side has not activated SNC. Restart the SAProuter on the client
side with the option -K mysncname.
Further Information
SNC - Secure Network Communication [page 12]
Option -K <mysncname> [page 59]
SAP Notes for SAProuter
As a rule, always refer to the relevant SAP Notes if you experience problems with SAProuter.
You will find these on the SAP Service Marketplace.
Note Number | Content
0029684 | STFK: Route permission denied
0062636 | saprouter terminates on ending UNIX session
0063342 | List: NI error codes
0164937 | NiPBind: service 'sap????' in use
0104576 | Package filter between ITS and R/3
0042692 | Test tool for RFC links: sapinfo
0066168 | Required documents when analyzing RFC problems
0025917 | Changes to /etc/hosts are not accepted
0147021 | "Address already in use" due to TCP state
0037211 | ftp not via SAProuter : "connection refused"
You can also search for SAP Notes under component BC-CST-NI to find current corrections
in the SAProuter environment.
Reference
The reference section of the SAProuter documentation contains the following information:
● A complete overview of the SAProuter options: start options, administration options for
  a running SAProuter, and so on: SAProuter Options [page 51]
● A technical description of the implementation of SAProuter in the NI layer of the SAP
  kernel: NI and SAProuter Implementation [page 66].
More Information
What is SAProuter? [page 6]
SAProuter Options
Use
SAProuter provides a number of optional functions. They consist of a letter, which is specified
when SAProuter is called (syntax: UNIX/Windows: saprouter -<option>, syntax System
i: saprouter -'<option>'), or is sent to a running SAProuter. The following describes how
they are used and the default values.
Features
There are administrative options (lowercase), additional options, and expert options
(uppercase). The various options can be combined by specifying an administrative option and
any number of other options.
Under System i, options must be enclosed in inverted commas. For example, to
stop the SAProuter, enter saprouter '-s'.
Administrative Options
Administrative options — with the exception of the startup functions -r and -a <lib> — are
sent to a running SAProuter. It then executes the appropriate function.
The command saprouter -r (System i: saprouter '-r') starts the SAProuter.
The following list gives you an overview of the administrative options:
Option | Meaning
Option -s (stop saprouter) [page 54] | Stop SAProuter
Option -n (new saprouttab) [page 54] | Re-read in the route permission table
Option -t (toggle trace) [page 54] | Changing the trace level
Option -c<n> (cancel connection n) [page 56] | Terminate connection n
Option -l / -L [page 56] | Display route information
Option -d (dump buffers) [page 58] | Write detailed information from the internal buffers to the trace file
Option -f (flush buffers) [page 58] | Reset internal buffers
Option -p [page 58] | Carry out soft shutdown
Option -a <lib> [page 59] | Use external library
More information: Starting the SAProuter [page 17].
Additional Options
The additional options — with one exception — are indicated by uppercase letters. They can
be combined with each other and with an administrative option, as long as this makes sense.
Most additional options are used when the SAProuter is started. The ways in which the
options can be combined are indicated in the sections in which they are described.
If an invalid combination of SAProuter options is specified, SAProuter behaves as if only
saprouter was specified and displays the online help.
The additional options can also be omitted, as there are default values that are specified for
each option.
Features
The following options are available:
Option | Meaning | Default Value
Option -R <routtab> [page 59] | File name and path of the route permission table | ./saprouttab (UNIX and System i); <lwk>:\usr\sap\saprouter\saprouttab (Windows)
Option -K <mysncname> [page 59] | Use of SNC: SNC name of the host on which the SAProuter is running | -
Option -G<logfile> [page 60] | Name and path of the SAProuter log file | No log file
Option -J<size in bytes> [page 60] | Size restriction for SAProuter log file | No size restriction
Option -T<tracefile> [page 61] | Name and path of the SAProuter trace file | dev_rout in the directory of the SAProuter
Option -V<tracelev> [page 61] | Trace level of the SAProuter | 1
Option -E [page 61] | Update trace and log files instead of overwriting them | - (Trace and log files are overwritten when the SAProuter is restarted)
Option -S <service> [page 61] | Service (port) on which the SAProuter runs | 3299
Option -C <clients> [page 62] | Maximum number of clients that the SAProuter administrates. Note: this value cannot exceed 2048; 2 clients make a connection | 800
Option -D [page 62] | Deactivate DNS reverse lookup | -
Option -6 (enable IPv6) [page 63] | Activate IPv6 support |
Option -Z [page 63] | Suppress exact error message while opening connection |
Option -I <address> [page 63] | Establish external connection, if there are several network cards. | -
Option -Y <n> [page 64] | n number of times an SAProuter automatically restarts if the client table is overfilled | SAProuter is not automatically restarted (case n=1)
Option -H <host name> [-P <password>] [page 64] | Name of the host to which the SAProuter listens; password protection for route information (see Option -l / -L [page 56]) | -
Option -A <initstring> [page 65] | String transfer to the external library, if available (see Option -a <lib> (start with external library) [page 59]) | -
Option -M <min>.<max> [page 66] | A port area for outgoing connection | -
Expert Options
SAProuter has some expert options, which are described below.
Use these options only after consulting SAP or if you are very experienced in
this area.
The following expert options are available:
Command | Function | Default
-B <bufsize> | Maximum queue length per client | 1 NI package
-Q <queuesize> | Maximum heap space for NI package | 20,000,000 bytes
-W <waittimeL> | Timeout for blocking network calls (if there is an error) | 5000 msec
Activities
Call SAProuter with the desired functions using the following commands:
UNIX/Windows: saprouter [-<adm>] [-<opt>]
System i: saprouter '[-<adm>] [-<opt>]'
If an invalid combination of SAProuter options is specified, SAProuter behaves
as if only saprouter was specified and displays the online help.
Option -s (stop saprouter)
Use
This function is used to stop a running SAProuter.
Integration
If the SAProuter to be stopped is not running on the default service 3299, the service has to
be made known with option -S <service> [page 61] .
The commands saprouter -s -S 3299 and saprouter -s (System i:
saprouter '-s -S 3299' and saprouter '-s') have the same effect.
Option -n (new saprouttab)
Use
The command saprouter -n (System i: saprouter '-n') is used to inform the running
SAProuter of changes to the route permission table: It causes the table with the name
specified in Option -R <routtab> [page 59] (default saprouttab) to be transferred again.
If you would like to enter, for example, other restrictions in the route permission table, you do
not have to stop and restart SAProuter, but you can use this function.
The new route permission table does not affect connections which already exist!
Even if the existing connection is not allowed according to the new table, it
remains in place!
More Information
Creating a Route Permission Table [page 22]
Option -t (toggle trace)
Use
This function is used to toggle the trace level of a running SAProuter. Trace levels 1, 2 and 3
exist. If the trace level was 1, it is now increased to 2, and if it was 2 or 3, it is decreased to 1.
You can also activate the trace for individual connections (see below).
Integration
When SAProuter is started, the trace level is selected with option -V<tracelev> [page 61].
Connection Trace
You can also activate the trace for individual connections. For these connections the
information is written with trace level 2.
The connection is traced using an enhanced syntax of option -t. You have the following
options:
Command | Meaning
saprouter -t "on <id>" | <id> is the number of the connection. You can see this number when you display the connection information (saprouter -l). This command activates the trace for this (existing) connection. More information: Option -l / -L [page 56]
saprouter -t "off <id>" | Deactivates the trace for connection with number <id>.
saprouter -t "on <IPaddress>" | Activates the trace for all new connections coming from the IP address <IPaddress>. You use this option if the connection is not yet open and you are looking for the connection setup information.
saprouter -t "off <IPaddress>" | Deactivates the trace for all new connections coming from the IP address <IPaddress>.
saprouter -t "on <subnet>" | <subnet> specifies a set of IP addresses. The command activates the trace for all new connections coming from this subnetwork. You can find more information about IP address masks in: IP Address Formats [external]
saprouter -t "off <subnet>" | Deactivates the trace for all new connections coming from this subnetwork.
Trace ID in the Connection Overview
Connections for which the trace is activated are marked with an asterisk in the connection
overview (to display the overview, enter the command saprouter -l).
You can find the trace information in the trace file dev_rout.
You activate the trace for connection number 4 by sending the command
saprouter -t "on 4" to the active SAProuter.
Then you call saprouter -l to display the connections. You get the following
output:
SAP Network Interface Router running on port 3299 (PID = 1576962)
Started on: Wed Apr 13 09:00:10 2005
ID  CLIENT                    | PARTNER            service
------------------------------+-----------------------------
7   localhost                 | (no partner)
6   10.18.203.8               | 10.17.74.118       3227
4  *10.18.203.8               | 10.17.74.118       3227
2   10.18.203.8               | 10.17.74.118       3227
Total no. of clients: 7
Working directory   : /usr/sap/PRD/work
Routtab             : ./saprouttab
The * marks connection 4 as the connection being traced.
Further Information
Option -l / -L [page 56]
Option -c<n> (cancel connection n)
Use
Internally, each connection using SAProuter has a number, which can be seen with option -l /
-L [page 56] . This function can be used to close a connection.
The command saprouter -c 2 (System i: saprouter '-c 2') closes the
connection with the (internal) number 2.
Option -l / -L
Use
You use the function saprouter -l (System i: saprouter '-l') to make the SAProuter
display route information on screen. saprouter -L (System i: saprouter '-L') gives
you more detailed information.
The information contains the following:
● A table with the connection number, client, partner, and service for each existing
connection. Connections for which the connection trace is activated are marked with an
asterisk (*).
More information: Option -t (toggle trace) [page 54]
● The total number of clients, the working directory in which SAProuter is running, and
the path of the Route Permission Table [page 23].
● The PID and the port of the parent, if the SAProuter was started by another SAProuter
process (For more information, see Starting the SAProuter [page 17] and Option -Y
<n> [page 64].)
If you want to display the SAProuter information from a remote host, you should
use the option -H <hostname> [-P <password>] [page 64].
Route Details for Several SAProuters
If you are running several SAProuter processes, and you want to display the route details of a
SAProuter other than the last one started, use Option -S <service> [page 61] and
specify the port. You can find out the port of the SAProuter preceding the current one by
using the option -l (see above).
Example
If you specify saprouter -l, the output may look like:
Wed Apr 11 09:01:57 2007
SAP Network Interface Router, Version 38.0
Wed Apr 11 09:01:58 2007
peer SAProuter with NI version 38 ...
send info-request to running SAProuter ...
SAP Network Interface Router running on port 3299 (PID = 1576962)
Started on: Wed Apr 13 09:00:10 2005
ID  CLIENT                      | PARTNER            service
--------------------------------+-----------------------------------
7   localhost                   | (no partner)
6   10.18.203.8                 | 10.17.74.118       3227
4  *10.18.203.8                 | 10.17.74.118       3227
2   10.18.203.8                 | 10.17.74.118       3227
Total no. of clients: 7
Working directory   : /net/usr.scratch/d039768/mm/rs6000_64
Routtab             : ./saprouttab
Option -d (dump buffers)
Use
If this function is used, detailed information on the host names involved in the connection and
their IP addresses is written to the trace file (default dev_rout, or the name specified with
option -T<tracefile> [page 61]). The trace file is not overwritten, the information is simply
appended at the end.
Option -f (flush buffers)
Use
This function can be used to empty the internal buffer (which is written to the trace file with
option -d (dump buffers) [page 58]).
Option -p (Soft Shutdown)
Use
This option can be used to perform a soft shutdown of an SAProuter. SAProuter continues
running on another port and can be administrated on this port, but does not accept any logon
requests, and terminates automatically when no more clients are connected.
The port on which SAProuter was running before (default 3299) is now free. This is useful in
the following cases:
● You want to start a new SAProuter without closing all existing connections.
● More connections are required than one SAProuter alone can handle (max. 1018).
To do this, enter the command saprouter -p. Information is then displayed telling you on
which port SAProuter can now be administered, and the host on which SAProuter is running.
The standard port on which SAProuter continues running is port 65000. If it is already
assigned or if a port range was already defined for the SAProuter with option
-M <min>.<max> [page 66], a different port is selected.
You can start the SAProuter using the Option -r -Y <n> [page 64]. This has the
effect that the existing SAProuter is automatically moved to another port and a
new SAProuter is started. The new SAProuter then accepts incoming
connections on this port.
Option -a <lib> (Start with External Library)
Use
This option is not sent to a running SAProuter, but is used to start SAProuter with an external
library. <lib> is the relative path name of the library. A string can also be passed to the library
with option -A <initstring> [page 65].
Note that SAP cannot guarantee support if you use an external library. Please
contact the vendor of the external library if you have problems.
Option -R <routtab>
Use
You can use the saprouter -R <path> (System i: saprouter '-R <path>') option to
specify the file containing the route permission table. If nothing is specified, SAProuter
searches for the file
● ./saprouttab (UNIX and System i)
● <lwk>:\usr\sap\saprouter\saprouttab (Windows)
The route permission table is essential for SAProuter (version >= 23). If it is not
found, SAProuter terminates with an appropriate message.
If you want to permit all connections, you must specify the following single-line
route permission table:
P * * *
More Information
Creating a Route Permission Table [page 22]
Option -K <mysncname>
Use
For SNC connections to be possible with SAProuter, SAProuter must be started with this
option:
saprouter -r -K <mysncname> (System i: saprouter '-r -K <mysncname>').
There must also be a KT entry in the route permission table [page 23] specifying that
connections with a certain host (whose SNC name is known) should be SNC connections.
<mysncname> is the SNC name of the host on which the SAProuter is running.
Further Information
SNC - Secure Network Communication [page 12]
Example of a Route Permission Table with SNC [page 26]
Option -G <log file>
Use
If you want to use Logging in the SAProuter [page 27], you can start your SAProuter with this
option and specify a log file.
UNIX/Windows: saprouter -r -G <log file>
System i: saprouter '-r -G <log file>'
<log file> is the name (relative path name) you specify for the log file. All important
activities, such as starting the connection and runtime operations, are logged in this file:
● Connection from (client name/address)
● Connection to (partner name/address)
● Partner service
● Start time
● End time
● Connection requests rejected after checking the route permission table [page 23].
You can restrict the size of the log file in Option -J<size in bytes> [page 60].
If the SAProuter can no longer write to the log file, because for instance the hard
drive is full, for security reasons it switches to soft shutdown mode (it does not
accept any new connections, see Option -p (Soft Shutdown) [page 58]).
If this option is not used, a log file is not created.
Example
In section Logging in the SAProuter [page 27] you can find an example of a log file.
Option -J<size in bytes>
Use
This option enables you to restrict the size of the log file and archive the resulting files.
If you do not use this option, the log file can become as large as is necessary.
Prerequisites
You are using a log file (see Option -G<logfile> [page 60]).
Features
If you use this option, once the log file reaches the defined size, it is renamed to
<logfile name>_a_<start date>_<start time>-<end date>_<end time>.
Option -T<tracefile>
Use
A trace file is used to search for and correct errors. It logs in detail what SAProuter
does; the higher the trace level (see Option -V<tracelev> [page 61]), the more detailed the
information. From this, you can see in which function an error occurred, why a connection
was not established, etc.
When you start SAProuter, you can specify a trace file:
UNIX/Windows: saprouter -r -T <trace file>
System i: saprouter '-r -T <trace file>'
A trace file always exists. If the option is not used, the trace file dev_rout in the working
directory of the SAProuter is used.
Option -V<tracelev>
Use
This option is used to set the trace level when SAProuter is started:
UNIX/NT: saprouter -r -V3
System i: saprouter '-r -V3'
for example, starts SAProuter with trace level 3.
With the trace level you can specify how detailed the information in the trace file should be: 1
means very little information, 3 very detailed information. The name of the trace file can be set
with option -T<tracefile> [page 61] .
You can change the trace level while SAProuter is running with option -t (toggle trace) [page
54].
Trace levels 1, 2, and 3 are available, and the default value is 1.
Option -E
Use
This option is used to prevent old trace files and log files from being overwritten when the
SAProuter is restarted.
If you start the SAProuter with option -E (saprouter -r -E), the SAProuter continues
writing to all existing log and trace files instead of overwriting them.
Option -S <service>
Use
The option -S <service> is used to specify the service (port) on which SAProuter runs
(default 3299). This means the SAProuter can be started on any other service: saprouter
-r -S 4444 (System i: saprouter '-r -S 4444') starts the SAProuter on the local host
on service 4444. If you then want to perform administrative tasks on this SAProuter, the
service must also be specified.
Option -C <clients>
Use
You can use this function to set the maximum number of clients. The default setting is 800,
the maximum value is 2039.
Note that two clients correspond to one connection; that is, a maximum of 400 connections
is preset and a maximum of 1019 connections is possible.
If you want to run 1000 connections with your SAProuter, start SAProuter as
follows:
UNIX/Windows: saprouter -r -C 2000
System i: saprouter '-r -C 2000'
If you would like to have more connections than the maximum (1019), you can “move”
SAProuter to another port with option -p [page 58] and start a new SAProuter on this port.
These limits only apply if smaller values for the number of connections have not been
set in the operating system. Therefore you must take the operating system parameters
into consideration.
As of SAProuter version 37, significantly higher values are possible, up to 16000 (with the
exception of System i). But bear in mind that only one thread or process is involved. For
this reason, having more than about 1000/1500 clients is not at all practical. With many
connections you can work better with Option -Y <n> [page 64], which distributes the
connections across several processes.
Option -D
Prerequisites
You are using at least SAProuter version 36.7, which is version 36, patch level 6.
The section Installing SAProuter [page 12] describes where you can find the latest SAProuter.
Use
With this option you can specify that the IP addresses of incoming connections are not
resolved to host names in the SAProuter.
This can result in better performance for SAProuters to which connections from many
different clients are established. However, if this option is used, only the IP addresses are
visible in the log (client-side).
Option -6 (enable IPv6)
Prerequisites
You have at least SAProuter version 38.0.
The section Installing SAProuter [page 12] describes where you can find the latest SAProuter.
Use
With this option you can activate the Internet Protocol version 6 (IPv6) for the SAProuter. The
SAProuter can then open and manage both IPv4 and IPv6 connections.
Option -Z
Prerequisites
You have at least SAProuter version 38.0.
The section Installing SAProuter [page 12] describes where you can find the latest SAProuter.
Use
With this option you can specify that any errors occurring while opening the connection are
not reported in detail to the client. The same error text is then always returned to the caller
regardless of the error (connection could not be opened, route is not permitted, host name
could not be resolved, and so on).
The client receives the following error text stating that the connection could not be established:
*********************************************************************
* LOCATION    SAProuter
* ERROR       route could not be established
* TIME        Tue Sep  5 15:38:57 2006
* RELEASE     0
* COMPONENT   NI (network interface)
* RC          -92
*********************************************************************
Option -I <address>
Prerequisites
You are using at least SAProuter version 37. The section Installing SAProuter [page 12]
describes where you can find the latest SAProuter.
Use
If a computer has several network interfaces, you can use this option to determine which
interface is used to establish external connections. For example, this can be useful for
firewalls between two networks. In this way you can specify that the connection is established
in one specific network only.
The specified address must be a local interface.
Option -Y <n>
Use
You use this function to force the SAProuter to automatically start a new SAProuter if the
client table is full when the SAProuter is started. This allows you to circumvent the limit of
1000 clients.
saprouter -r -Y <n>
The number n specifies the maximum number of times a new SAProuter can be started.
Value of n  Meaning
0           A new SAProuter is started every time the client table becomes full.
1           SAProuter never starts automatically.
n>1         SAProuter is started a maximum of n times when the client table becomes full.
            You can use this value to control the number of SAProuter restarts.
Integration
Use Option -l / -L [page 56] to display information on the running SAProuter. This information
tells you, among other things, whether the SAProuter was started by another SAProuter
process, and if so, which one.
Prerequisites
You have not yet started the SAProuter.
Note that you cannot send this option to a running SAProuter. You can only specify it before
the SAProuter starts.
Example
If you want to run a high number of connections via the SAProuter (more than 1000), you can
use the following option to start the SAProuter:
saprouter -r -Y 0 -C 2000
If this option is set, a new SAProuter is automatically started if the client table becomes full.
New connections can then use this new SAProuter.
Option -H <host name> [-P <password>]
Use
This option has two uses:
1. You can define the option when you start SAProuter:
saprouter -r -H <hostname> (System i: saprouter '-r -H <hostname>').
This means that SAProuter only responds on the IP address of host <hostname>, on the
default port 3299 unless option -S defines another value. If SAProuter is
started without option -H, it responds to all IP addresses of this host. <hostname> can
also be an IP address.
The host myhost has two IP addresses: a1 and a2.
The call saprouter -r (System i: saprouter '-r') causes SAProuter to
respond to a1/3299 and a2/3299. The call saprouter -r -H a2 (System i:
saprouter '-r -H a2') causes SAProuter to respond only to a2/3299.
If you started SAProuter with option -H <hostname>, you also have to
define the host name for administration. For example, if you want to use a new
route permission table, you must enter saprouter -n -H <hostname>
(System i: saprouter '-n -H <hostname>').
2. You can use this option with a running SAProuter to get SAProuter information (displayed
with the option -l / -L [page 56]) from a remote host. A password may be required,
which is then entered with option -P <password> (System i: Option '-P
<password>'). SAProuter then checks its route permission table [page 23] to determine
whether the route is allowed with this password, and if it is, displays the information.
SAProuter is running on host_sr, port 3299 (default). You would like to display
the SAProuter information (list of all SAProuter clients, for example) from the
host myhost.
Enter the command saprouter -l -H host_sr -P pass (System i:
saprouter '-l -H host_sr -P pass ').
SAProuter checks whether its route permission table contains the entry
P myhost host_sr 3299 pass
If it does, the SAProuter information is displayed on your host myhost.
Integration
If the SAProuter is running on a port other than the default port 3299, you can specify this in
the command line with option -S <service> [page 61].
Option -A <initstring>
Use
This option is only required in connection with option -a <lib> [page 59]. If SAProuter is
started with an external library, a string can be passed to this library with option -A
<initstring> (System i: option '-A <initstring>') .
Option -M <min>.<max>
Use
You can use this option to specify a port range for outgoing connections. For example, the
command saprouter -r -M 1.1023 only allows outgoing connections from ports 1 to
1023 (reserved for root under UNIX).
Integration
You can use this option to increase security.
More information: What is SAProuter? [page 6]
NI and SAProuter Implementation
The following documentation gives a detailed technical description of the implementation of
the SAP Network Interface (NI) and SAProuter.
SAProuter is an SAP program that acts as an intermediate station (proxy) in a network
connection between SAP Systems, or between SAP Systems and external networks.
SAProuter controls the access to your network (application level gateway), and, as such, is a
useful enhancement to an existing firewall system (port filter).
See also:
What is SAProuter? [page 6]
The documentation covers the following topics:
Communication Modes [page 66]
Route Connects [page 67]
Route Strings [page 21]
Buffered Connection Handles [page 68]
Select Sets [page 69]
SNC - Secure Network Communication [page 12]
NI Keepalive [page 69]
NI Error Information [page 69]
NI Control Messages [page 69]
Common Settings for Sockets [page 70]
Communication Modes
The network interface supports a platform independent interface to communicate between
SAP systems. NI knows the following different operation modes:
● NI_RAW_IO
● NI_MESG_IO
● NI_ROUTE_IO
The NI_RAW_IO mode is used to communicate between SAP applications without any further
interpretation of the data blocks.
The NI_MSG_IO mode is the commonly used operation mode between SAP applications. The
format is also called the SAP Protocol [page 9]. A 4-byte header precedes each data block.
These 4 bytes give the length of the data block (length without the leading 4 bytes). This
value is needed to recognize a complete data block if underlying layers fragment it.
In addition this operation mode knows three special messages. They are recognized by a
leading byte-string 'NI_PING\0', 'NI_PONG\0' or 'NI_RTERR\0'. The first two are used for
keepalive tests, the third one for error messages (see NI Keepalive [page 69], NI Error
Information [page 69] and NI Control Messages [page 69]).
Only the SAProuter uses the NI_ROUTE_IO mode. This mode is similar to the NI_MSG_IO
mode, but keepalive messages are ignored. This is necessary so that keepalive tests pass
through the SAProuter.
Route Connects
If the connection should be established over SAProuters, the route information is sent as the
first message. The information includes:
● Eye catcher
● Route information version
● NI version
● Operation mode
● Route length
● Total number of nodes on the route
● Pointer to the next hop on the route
● Number of remaining nodes
● Route string
The field for the route string contains the whole route, including all previous nodes. For each
node, the hostname, service/port and the password are included, separated by null characters.
The values for the service/port and the password field may be empty strings. The default
port number is 3299.
In the connect phase, the NI layer converts the route string from the input format (see Route
Strings [page 21]) into this internal format.
The data structure for the message is as follows:
Offset  Size (bytes)  Description and Value
0x00    9             eye catcher ("NI_ROUTE\0")
0x09    1             route information version (current version: 2)
0x0a    1             NI version (current version: 36)
0x0b    1             total number of entries (value 2 to 255)
0x0c    1             talk mode (NI_MSG_IO: 0; NI_RAW_IO: 1; NI_ROUT_IO: 2), see
                      Communication Modes [page 66].
0x0d    2             currently unused field
0x0f    1             number of rest nodes (remaining hops; value 2 to 255)
0x10    4             route length (integer value in net byte order)
0x14    4             current position as an offset into the route string (integer value in net
                      byte order)
0x18    *             route string in ASCII
Route String Format
The internal format of the route string is as follows (ASCII characters):
<hostname node 1>\0<port node 1>\0<password node 1>\0<hostname node
2>\0 ...
where \0 means the null character.
Example of a remote connection
"localhost\03300\0test\0sapserv3.wdf.sap-ag.de\0\0\0147.204.100.35\0sapdp01\0\0"
with
● node 1: hostname = "localhost"; port = 3300; password = "test"
● node 2: hostname = "sapserv3.wdf.sap-ag.de"; port = 3299 (def.); password = ""
● node 3: host address = 147.204.100.35; service name = "sapdp01"; password = ""
After a SAProuter has received the route information, the next destination is extracted from
the string. If the connection to the next destination is successful, the same route information is
passed on with an incremented current position and a decremented number of remaining nodes.
The SAProuter's own hostname in the string is replaced by the address / hostname of the
previous node. This mechanism still allows the following SAProuters to extract the whole route.
In addition, newer SAProuters add a leading blank to the hostname.
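The header layout and internal route string format above, as an added parser example (not SAP's code) of the kind used when inspecting captured route requests. It takes the message payload after any outer framing, assumes the route length field equals the byte length of the route string, and records only whether a node carries a password; the route string is the page's example, while the header values in SAMPLE (position 20, two rest nodes) are constructed.

```python
import struct
from dataclasses import dataclass

EYE_CATCHER = b"NI_ROUTE\x00"      # 9 bytes at offset 0x00
HEADER_LEN = 0x18                  # the route string starts here
DEFAULT_SERVICE = "3299"           # used when the service field is empty
TALK_MODES = {0: "NI_MSG_IO", 1: "NI_RAW_IO", 2: "NI_ROUT_IO"}


@dataclass
class Hop:
    offset: int          # byte offset of this node inside the route string
    host: str
    service: str
    has_password: bool   # presence only; the password itself is not kept


@dataclass
class RouteRequest:
    route_version: int
    ni_version: int
    total_entries: int
    talk_mode: str
    rest_nodes: int
    position: int
    hops: list

    def next_hop(self) -> Hop:
        """Return the node that the 'current position' offset points at."""
        for hop in self.hops:
            if hop.offset == self.position:
                return hop
        raise ValueError("current position is not at a node boundary")


def parse_route(msg: bytes) -> RouteRequest:
    """Parse one route message; raise ValueError on any inconsistency."""
    if len(msg) < HEADER_LEN or msg[:9] != EYE_CATCHER:
        raise ValueError("not an NI_ROUTE message")
    route_version, ni_version, total, mode = msg[0x09:0x0D]
    rest_nodes = msg[0x0F]
    length, position = struct.unpack_from("!II", msg, 0x10)
    route = msg[HEADER_LEN:]
    if length != len(route):
        raise ValueError("route length field does not match the payload")
    if mode not in TALK_MODES:
        raise ValueError("unknown talk mode")
    if not route.endswith(b"\x00"):
        raise ValueError("route string is not null-terminated")
    fields = route[:-1].split(b"\x00")
    if len(fields) % 3 != 0 or len(fields) // 3 != total:
        raise ValueError("route string does not hold 'total' complete nodes")
    hops, offset = [], 0
    for i in range(0, len(fields), 3):
        host, service, password = fields[i:i + 3]
        if not host:
            raise ValueError("empty hostname in route string")
        hops.append(Hop(offset, host.decode("ascii"),
                        service.decode("ascii") or DEFAULT_SERVICE,
                        bool(password)))
        offset += len(host) + len(service) + len(password) + 3
    request = RouteRequest(route_version, ni_version, total,
                           TALK_MODES[mode], rest_nodes, position, hops)
    request.next_hop()   # rejects offsets that point into the middle of a node
    return request


def build_route(route: bytes, total: int, rest_nodes: int,
                position: int = 0, mode: int = 0) -> bytes:
    """Assemble a message for testing (route version 2, NI version 36)."""
    return (EYE_CATCHER + bytes([2, 36, total, mode]) + b"\x00\x00"
            + bytes([rest_nodes]) + struct.pack("!II", len(route), position)
            + route)


# Route string from the page's example; header values are constructed.
ROUTE = (b"localhost\x003300\x00test\x00sapserv3.wdf.sap-ag.de\x00\x00\x00"
         b"147.204.100.35\x00sapdp01\x00\x00")
SAMPLE = build_route(ROUTE, total=3, rest_nodes=2, position=20)

if __name__ == "__main__":
    req = parse_route(SAMPLE)
    for hop in req.hops:
        print(hop)
    print("next hop:", req.next_hop().host, req.next_hop().service)
```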
Buffered Connection Handles
To hide fragmentation of messages from the application, NI supports buffered connections,
which provide the assembly of the fragments. In NI_MESG_IO and NI_ROUTE_IO the data
block length is given, which is necessary for buffering the incoming data until the block is
completed. NI_RAW_IO does not support buffering.
For an incoming data block, the data buffer is created after the first received packet
(particularly after receiving the whole data block header; 4 bytes). To prevent running out of
memory, a limit for the maximal message length can be set.
See also:
Communication Modes [page 66]
Select Sets
A select set is a wrapper around a select or poll implementation. The advantages are that the
user does not have to care about the final implementation (select or poll) and that the set
stores the status. If events for buffered handles are received, the implementation processes
them silently and notifies the user only if a whole data block has arrived or the connection is
writable again. Keepalive as well as control messages, packed in error info blocks, can be
processed without the user noticing. Most applications, e.g. dispatcher or SAProuter, use
these select sets.
NI Keepalive
NI implements a keepalive mechanism to check connections between applications.
It consists of 2 messages, a request and a response.
The request message contains 8 data bytes, headed by the data length, a 4-byte integer. The
data corresponds to the ASCII string "NI_PING\0". If the receiver mode is NI_MSG_IO, this
packet is detected as a keepalive request. The receiver replies with the
response packet. This response is as long as the request and contains the ASCII string
"NI_PONG\0". The keepalive initiator notes the test as successful if it receives the response
within a specified time interval.
NI Error Information
If an error occurs or is detected by a node between the client and final destination, an error
info packet is sent to the client. A 9-byte eye catcher characterizes this error information; the
data is basically an ASCII string.
The data structure is formatted as follows:
Offset  Size  Description and Value
0x00    9     eye catcher ("NI_RTERR\0")
0x09    1     NI version (current version: 36)
0x0a    1     operation code (error information: 0; other messages > 0)
0x0b    1     currently unused field
0x0c    4     return code (integer value in net byte order)
0x10    4     error information text length (integer value in net byte order)
0x04    *     error information text in ASCII
The client (e.g. SAP GUI) notifies the user that an error occurred; the SAProuter just
forwards the packet.
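The length-prefixed framing, the message length limit for buffered handles, the keepalive pair and the error info block described in the sections above, combined in one added example (not SAP's code). It assumes the 4-byte length header is in network byte order, places the error text directly after the text length field (offset 0x14, where the table prints 0x04), and uses an arbitrary 1 MiB default limit; ERR_SAMPLE is constructed.

```python
import struct

PING, PONG, RTERR = b"NI_PING\x00", b"NI_PONG\x00", b"NI_RTERR\x00"


class MessageTooLarge(ValueError):
    """The announced data block length exceeds the configured limit."""


def frame(payload: bytes) -> bytes:
    """Prefix a data block with its 4-byte length (header not counted)."""
    return struct.pack("!I", len(payload)) + payload


class Reassembler:
    """Buffers stream fragments and hands out complete data blocks."""

    def __init__(self, max_len: int = 1 << 20):   # limit value is an assumption
        self.max_len = max_len
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        """Add received bytes; return every data block completed by them."""
        self._buf += chunk
        done = []
        while len(self._buf) >= 4:
            (length,) = struct.unpack_from("!I", self._buf)
            # Check the announced length before buffering towards it, so a
            # peer cannot make the receiver reserve an arbitrary amount.
            if length > self.max_len:
                raise MessageTooLarge(f"{length} bytes announced")
            if len(self._buf) - 4 < length:
                break                              # block still incomplete
            done.append(bytes(self._buf[4:4 + length]))
            del self._buf[:4 + length]
        return done


def classify(payload: bytes) -> str:
    if payload == PING:
        return "keepalive-request"
    if payload == PONG:
        return "keepalive-response"
    if payload.startswith(RTERR):
        if len(payload) < 0x14:
            return "malformed"
        # operation code at 0x0a: 0 = error information, > 0 = control message
        return "error-info" if payload[0x0A] == 0 else "control"
    return "data"


def keepalive_reply(payload: bytes):
    """Framed NI_PONG for an NI_PING request, otherwise None."""
    return frame(PONG) if payload == PING else None


def parse_error_info(payload: bytes) -> dict:
    if not payload.startswith(RTERR) or len(payload) < 0x14:
        raise ValueError("not an NI_RTERR block")
    return_code, text_len = struct.unpack_from("!iI", payload, 0x0C)
    text = payload[0x14:0x14 + text_len]
    if len(text) != text_len:
        raise ValueError("text length field exceeds the block")
    return {"ni_version": payload[0x09], "opcode": payload[0x0A],
            "return_code": return_code,
            "text": text.decode("ascii", "replace")}


# Constructed error block: NI version 36, opcode 0, return code -92.
_TEXT = b"route could not be established"
ERR_SAMPLE = (RTERR + bytes([36, 0, 0])
              + struct.pack("!iI", -92, len(_TEXT)) + _TEXT)

if __name__ == "__main__":
    stream = frame(PING) + frame(b"application data") + frame(ERR_SAMPLE)
    rx = Reassembler(max_len=4096)
    for i in range(0, len(stream), 5):             # simulate 5-byte fragments
        for block in rx.feed(stream[i:i + 5]):
            print(classify(block), len(block))
```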
NI Control Messages
Control messages are used for handshakes and other communication located in the NI layer.
These messages are based on the same structure as the NI Error Information [page 69].
A non-zero operation code indicates a control message. The following control messages are
known in NI version 36:
NI control messages:
● NI version request
● NI version response
● NI send handle (4 messages)
SNC control messages:
● SNC request from client side
● SNC request from server side
● SNC handshake completed
Common Settings for Sockets
The sockets created by NI have several socket settings that differ from the operating
system defaults.
The following settings are applied:
● Non-blocking mode
● Disable Nagle algorithm for client sockets (TCP no delay)
● Allow reuse of address
● No keepalive
● Not remain open across exec (close on exec flag)
In addition, on some platforms the receive and send buffer sizes are redefined as well.
SAProuter Route Permission
The SAProuter works with a Route Permission Table [page 23], which is used to authorize
route connections. The following properties are essential for the route check:
● Source IP address
● Destination IP address
● Destination port
● Number of previous SAProuter hops
● Number of remaining SAProuter hops
The route permission file is loaded in an internal table during the SAProuter startup. The
permission is checked for each accepted connection after receiving the route data.
Administrative requests are rejected, if they are not from the local host. Info requests need to
be authorized by the route table, too.
The permission check works with a first-match-lookup of the route data received against the
route table. For a successful lookup source address, destination address and port are
required to match.
The number of previous and post hops are conditions for the permission, but not
essential for the match.
The internal table, in which the route table is mapped, has the following fields:
● Type (permitted or denied)
● SNC (secure network communication required or not)
● Native (native protocols permitted or not)
● Previous hops (maximum number of previous hops / SAProuters)
● Post hops (maximum number of following hops / SAProuters)
● Source address
● Source address mask
● Destination address
● Destination address mask
● All destination ports (no port specified)
● Destination port min
● Destination port max
● Password (required password for building up the route)
● SNC name
The address masks are set, if a subnet is given in the route file. You find details about the
route table in section Route Permission Table [page 23]. Mapping examples of file entries into
the internal table are given in Route Table Examples [page 71].
Route Table Examples
This part gives a few examples of how the entries in the route permission file are mapped
into the internal table.
Table Fields
Field  Meaning                      Possible Values
t      type                         P = permitted; D = denied; T = SNC target
s      SNC                          X = secure network communication required
n      native                       X = native protocols permitted
shs    previous SAProuter hops      number
dsh    post SAProuter hops          number
s-add  source address
s-msk  source address mask
d-add  destination address
d-msk  destination address mask
a      all destination ports        X = no port specified
d-p-l  destination port min (low)   16-bit integer
d-p-m  destination port max (high)  16-bit integer
pwd    password                     string
snc-n  SNC name                     string
Example mapping route table file into internal route table
The route table file
D     10.1.0.0   *                *
P0,*  10.1.*.*   *                *
S*,0  *          10.2.00001xxx.*  *
P*,1  *          10.2.*.*         *
P     10.3.0.0   10.4.*.*         7
P     10.3.0.1   10.4.0.1         *  test
P     10.3.0.2   localhost        *
P     10.3.0.3   localhost        *  info
S     10.3.0.4
KT    "p:CN=s0"  10.5.0.0         *
KD    "p:CN=s1"  10.5.0.1         *
KP    "p:CN=s1"  *                *
KS    *          10.5.0.*         *
D     *          *                *
is mapped into the following internal route table:
t  s  n  shs  dsh  s-add    s-msk        d-add     d-msk        a  d-p-l    d-p-h    pwd   snc-n    Entry
D     ~  ~~~  ~~~  a.1.0.0  00.00.00.00  0.0.0.0   ff.ff.ff.ff  X  ~~~~~~~  ~~~~~~~  *     ~~~~~~~  a
P     X  0    255  a.1.0.0  00.00.ff.ff  0.0.0.0   ff.ff.ff.ff  X  ~~~~~~~  ~~~~~~~  *     ~~~~~~~  b
P        255  0    0.0.0.0  ff.ff.ff.ff  a.2.8.0   00.00.07.ff  X  ~~~~~~~  ~~~~~~~  *     ~~~~~~~  c
P     X  255  1    0.0.0.0  ff.ff.ff.ff  a.2.0.0   00.00.ff.ff  X  ~~~~~~~  ~~~~~~~  *     ~~~~~~~  d
P     X  255  255  a.3.0.0  00.00.00.00  a.4.0.0   00.00.ff.ff     7        7        *     ~~~~~~~  e
P     X  255  255  a.3.0.1  00.00.00.00  a.4.0.1   00.00.00.00  X  ~~~~~~~  ~~~~~~~  test  ~~~~~~~  f
P     X  255  255  a.3.0.2  00.00.00.00  7f.0.0.1  00.00.00.00  X  ~~~~~~~  ~~~~~~~  *     ~~~~~~~  g
P     X  255  255  a.3.0.3  00.00.00.00  7f.0.0.1  00.00.00.00  X  ~~~~~~~  ~~~~~~~  info  ~~~~~~~  h
P        255  255  a.3.0.4  00.00.00.00  0.0.0.0   ff.ff.ff.ff  X  ~~~~~~~  ~~~~~~~  *     ~~~~~~~  i
T  X  ~  255  255  0.0.0.0  ff.ff.ff.ff  a.5.0.0   00.00.00.00  X  ~~~~~~~  ~~~~~~~  *     p:CN=s0  j
D  X  ~  ~~~  ~~~  0.0.0.0  ff.ff.ff.ff  a.5.0.1   00.00.00.00  X  ~~~~~~~  ~~~~~~~  *     p:CN=s1  k
P  X  X  255  255  0.0.0.0  ff.ff.ff.ff  0.0.0.0   ff.ff.ff.ff  X  ~~~~~~~  ~~~~~~~  *     p:CN=s1  l
P  X     255  255  0.0.0.0  ff.ff.ff.ff  a.5.0.0   00.00.00.ff  X  ~~~~~~~  ~~~~~~~  *     *        m
D     ~  ~~~  ~~~  0.0.0.0  ff.ff.ff.ff  0.0.0.0   ff.ff.ff.ff  X  ~~~~~~~  ~~~~~~~  *     ~~~~~~~  n
The entry '~' marks a field as not initialized or unused.
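The mapping from file patterns to address/mask pairs and the first-match lookup, as an added sketch (not SAProuter's implementation) that can be used to review a table offline. It handles plain P and D entries only, ignores hop counts, native, SNC and passwords, treats a port of * as "all destination ports", and assumes that a route matching no entry is denied; the three table lines are taken from the file above, and the prepended P * * * is the permit-all entry mentioned under Option -R.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

FULL = 0xFFFFFFFF


class Entry(NamedTuple):
    kind: str             # "P" permitted or "D" denied
    s_add: int
    s_msk: int            # bits set in a mask are ignored when comparing
    d_add: int
    d_msk: int
    port: Optional[int]   # None = all destination ports (column a = X)


def pattern_to_addr_mask(pattern: str):
    """Map a file pattern such as '10.2.00001xxx.*' to (address, mask)."""
    if pattern == "*":
        return 0, FULL
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted IPv4 pattern: {pattern!r}")
    addr = mask = 0
    for octet in octets:
        if octet == "*":
            a, m = 0, 0xFF
        elif re.fullmatch(r"[01x]{8}", octet):        # bit pattern, x = any
            a = int(octet.replace("x", "0"), 2)
            m = int(re.sub("[01]", "0", octet).replace("x", "1"), 2)
        elif re.fullmatch(r"[0-9]{1,3}", octet) and int(octet) <= 255:
            a, m = int(octet), 0
        else:
            raise ValueError(f"bad octet {octet!r} in {pattern!r}")
        addr, mask = (addr << 8) | a, (mask << 8) | m
    return addr, mask


def parse_entry(line: str) -> Entry:
    kind, src, dst, port = line.split()[:4]
    if kind not in ("P", "D"):
        raise ValueError("this sketch handles plain P and D entries only")
    return Entry(kind, *pattern_to_addr_mask(src), *pattern_to_addr_mask(dst),
                 None if port == "*" else int(port))


def _hit(addr: int, add: int, msk: int) -> bool:
    """True if addr equals add in every bit the mask does not ignore."""
    return ((addr ^ add) & ~msk & FULL) == 0


def lookup(table, client: str, dest: str, port: int):
    """First-match lookup; returns (verdict, index of the deciding entry)."""
    c = int(ipaddress.IPv4Address(client))
    d = int(ipaddress.IPv4Address(dest))
    for i, e in enumerate(table):
        if (_hit(c, e.s_add, e.s_msk) and _hit(d, e.d_add, e.d_msk)
                and e.port in (None, port)):
            return e.kind, i
    return "D", None      # assumption: no matching entry means no permission


def overbroad(table):
    """Indexes of permit entries matching every source, destination and port."""
    return [i for i, e in enumerate(table)
            if e.kind == "P" and e.s_msk == FULL and e.d_msk == FULL
            and e.port is None]


# Three lines from the page's route table file (entries a, e and n).
PAGE_SUBSET = [parse_entry(line) for line in (
    "D 10.1.0.0 * *",
    "P 10.3.0.0 10.4.*.* 7",
    "D * * *",
)]

if __name__ == "__main__":
    print(lookup(PAGE_SUBSET, "10.3.0.0", "10.4.0.0", 7))
    opened = [parse_entry("P * * *")] + PAGE_SUBSET
    print(lookup(opened, "10.1.0.0", "10.4.0.0", 3299), overbroad(opened))
```

Because the lookup stops at the first match, a permit-all line placed ahead of the deny entries overrides every one of them, which is what overbroad() is there to flag.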
Permission example with permission table above
The current SAProuter is running on the host "this" on port 3299. A '*' indicates a parameter
without effect.
For a match, one of the following conditions for the destination port must be met:
1. Entry 'destination port' is valid and equal to the destination port of the route
2. Entry 'native' is not set and 'all destination ports' is set, i.e. no destination port specified
3. Entry 'type' is not 'permitted' and 'all destination ports' is set
4. Route has further destination nodes and 'all destination ports' is set
Client    native  Route                                  Entry  P/D  Reason
10.1.0.0          /H/this/H/*/S/3299/W/test              a      D    All connections from host 10.1.0.0 are denied.
*                 /H/10.1.0.0/H/this/H/*                 a      D    All connections from host 10.1.0.0 are denied.
10.1.0.1  X       /H/this/H/10.2.9.0/S/*                 n      D    Entry b doesn't match because 'native' is set and the route has no further destinations.
10.1.0.1  X       /H/this/H/10.2.9.0/H/*/S/*             b      P    b matches as the route has further destinations (4.)
*         X       /H/10.1.0.1/H/this/H/10.2.9.0/S/*      n      D    No match with b (native with no further destinations), c (native) and d (native with no further destinations).
*         X       /H/10.1.0.1/H/this/H/10.2.9.0/H/*/S/*  b      D    Matches b but has one previous hop, so denied.
10.9.0.0          /H/this/H/10.2.9.0/S/*                 c      P    Matches c (2.)
10.9.0.0  X       /H/this/H/10.2.9.0/S/*                 n      D    Does not match c (native with no further destinations)
10.9.0.0  X       /H/this/H/10.2.9.0/H/*/S/*             c      D    Matches c (4.), is denied because it is native (type S).
10.9.0.0          /H/this/H/10.2.9.0/H/*/S/*             c      D    Matches c (2.), is denied because no following hop is allowed.
10.9.0.0          /H/this/H/10.2.7.0/H/*/S/*             d      P    Doesn't match c because of IP address; matches d (2.)
10.3.0.0  X       /H/this/H/10.4.0.0/S/7                 e      P    Matches e (1.)
10.3.0.0          /H/this/H/10.4.0.0/S/7                 e      P    Matches e (1.)
10.3.0.0          /H/this/H/10.4.0.0/H/*/S/7             n      D    Doesn't match e because the port 7 must be used on host 10.4.0.0 (see 1.)
10.3.0.1  X       /H/this/H/10.4.0.1/H/*                 f      D    Matches e, is denied because password test is missing