HELP.BCCSTROUT SAProuter Release 7.10 SAP Online Help 29.10.2007 Copyright © Copyright 2007 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAProuter 7.10 2 SAP Online Help 29.10.2007 Icons in Body Text Icon Meaning Caution Example Note Recommendation Syntax Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library. Typographic Conventions Type Style Description Example text Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation. Example text Emphasized words or phrases in body text, graphic titles, and table titles. EXAMPLE TEXT Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. Example text Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. <Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER. SAProuter 7.10 3 SAP Online Help 29.10.2007 Content SAProuter .................................................................................................................................. 6 What is SAProuter? ............................................................................................................... 6 NI Network Interface........................................................................................................... 8 SAP Protocol .................................................................................................................. 9 Route Connections........................................................................................................... 10 SNC - Secure Network Communication........................................................................... 12 Installing the SAProuter ....................................................................................................... 12 Hardware Requirements for SAProuter ........................................................................... 13 Installation on UNIX.......................................................................................................... 14 Installation on Windows.................................................................................................... 15 Installation on System i .................................................................................................... 16 Using and Configuring the SAProuter.................................................................................. 17 Starting SAProuter ........................................................................................................... 17 Testing Basic Functions ................................................................................................... 18 Entering Route Strings ..................................................................................................... 20 Route Strings ................................................................................................................ 21 Creating a Route Permission Table ................................................................................. 22 Route Permission Table ............................................................................................... 23 Example of a Route Permission Table ......................................................................... 26 Example of a Route Permission Table with SNC ......................................................... 26 Setting Up Logging in the SAProuter ............................................................................... 27 Identifying and Correcting Errors ......................................................................................... 30 Successful Connection Setup and Data Transfer ............................................................ 31 SAProuter Error Messages .............................................................................................. 32 Checking the Route Permission Table ......................................................................... 33 Setting Up More Connections....................................................................................... 34 Connection Setup Errors .................................................................................................. 34 Connection Terminations ................................................................................................. 40 Other Errors...................................................................................................................... 43 SAP Notes for SAProuter ................................................................................................. 50 Reference............................................................................................................................. 51 SAProuter Options ........................................................................................................... 51 Option -s (stop saprouter)............................................................................................. 54 Option -n (new saprouttab) ........................................................................................... 54 Option -t (toggle trace).................................................................................................. 54 Option -c<n> (cancel connection n).............................................................................. 56 Option -l / -L .................................................................................................................. 56 Option -d (dump buffers)............................................................................................... 58 SAProuter 7.10 4 SAP Online Help 29.10.2007 Option -f (flush buffers) ................................................................................................. 58 Option -p (Soft Shutdown) ............................................................................................ 58 Option -a <lib> (Start with External Library) ................................................................. 59 Option -R <routtab> ...................................................................................................... 59 Option -K <mysncname> .............................................................................................. 59 Option -G< log file>....................................................................................................... 60 Option -J<size in bytes> ............................................................................................... 60 Option -T<tracefile> ...................................................................................................... 61 Option -V<tracelev>...................................................................................................... 61 Option -E....................................................................................................................... 61 Option -S <service> ...................................................................................................... 61 Option -C <clients> ....................................................................................................... 62 Option -D....................................................................................................................... 62 Option -6 (enable IPv6)................................................................................................. 63 Option -Z ....................................................................................................................... 63 Option -I <address> ...................................................................................................... 63 Option -Y <n> ............................................................................................................... 64 Option -H <host name> [-P <password>] ..................................................................... 64 Option -A <initstring> .................................................................................................... 65 Option -M <min>.<max> ............................................................................................... 66 NI and SAProuter Implementation ................................................................................... 66 Communication Modes ................................................................................................. 66 Route Connects ............................................................................................................ 67 Buffered Connection Handles....................................................................................... 68 Select Sets.................................................................................................................... 69 NI Keepalive ................................................................................................................. 69 NI Error Information ...................................................................................................... 69 NI Control Messages .................................................................................................... 69 Common Settings for Sockets ...................................................................................... 70 SAProuter Route Permission........................................................................................ 70 Route Table Examples.............................................................................................. 71 SAProuter 7.10 5 SAP Online Help 29.10.2007 SAProuter SAProuter is an SAP program that can protect your SAP network against unauthorized access. It is a stand-alone program that is normally installed on the system with the firewall. SAProuter LAN (SAP System) WAN (Internet) This documentation comprises the following sections. Section Content What is SAProuter? [page 6] Introduction, concept, and architecture of SAProuter. Installing the SAProuter [page 12] Installation guidelines for the platforms supported by SAP Using and Configuring the SAProuter [page 17] Starting and stopping, administration functions while the SAProuter is running, and configuration of SAProuter Identifying and Correcting Errors [page 30] Troubleshooting Reference [page 51] SAProuter Options [page 51]: Overview of all administration options NI and SAProuter Implementation [page 66]: Implementation details What is SAProuter? SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP systems, or between SAP systems and external networks. SAProuter 7.10 6 SAP Online Help 29.10.2007 SAProuter controls the access to your network (application level gateway), and, as such, is a useful enhancement to an existing firewall system (port filter). Figuratively speaking, the firewall acts as an impenetrable wall around your network. However, since particular types of connections need to penetrate this wall, a “hole” has to be made in the firewall. SAProuter assumes the control of this hole. In short, SAProuter provides you with the means of controlling access to your SAP system. Purpose You can use SAProuter to do the following: ● Control and log the connections to your SAP system, for instance from an SAP service center ● Set up an indirect connection when programs involved in the connection cannot communicate with each other due to the network configuration ● ● ○ Address conflicts when using non-registered IP addresses ○ Restrictions arising from firewall systems Improve network security by means of the following: ○ A password, which protects your connection and data from unauthorized external access ○ Allowing access from particular SAProuters only. ○ Only allowing encrypted connections from a known partner (using the SNC layer) Increase performance and stability by reducing the SAP system workload within a local area network (LAN) when communicating with a wide area network (WAN) The following graphic illustrates your network (LAN) using a firewall as protection against access from outside. There is SAProuter running on the firewall host serving as a “door” to your network. This door is only opened for connections you specify. SAProuter LAN (SAP System) WAN (Internet) SAProuter 7.10 7 SAP Online Help 29.10.2007 This is often useful if, for example, there is a support connection from SAP to your SAP system that SAP staff use to access your system in the case of problems. SAProuter controls and monitors these connections. Note that installing SAProuter without the use of a firewall does not protect your network against access from external networks. You must ensure that all incoming connections go through the SAProuter “hole”. Increasing Network Security with SAProuter The SAProuter running on your firewall host should be configured to allow the following: ● Only the NI protocol (SAP-Protokoll [page 9]) is accepted from external systems ● Not just any number of SAProuters are allowed before and after this one in a route station. Under UNIX, we recommend starting the SAProuter on a port reserved for root. More Information NI Network Interface [page 8] Route Connections [page 10] SNC - Secure Network Communication [page 12] Installing the SAProuter [page 12] Using and Configuring the SAProuter [page 17] NI Network Interface Definition To provide independency from the various platforms, SAP has developed the intermediate layer NI (Network Interface) for all network connections. It is used by SAProuter and all SAP programs, as well as by the development kits for CPI-C and Remote Function Call (RFC). Structure In the OSI 7 layer model, the NI layer forms the upper part of the transport layer, and is therefore the part nearer the applications. Specifically, this means that NI uses TCP or UDP. The protocol is also known as the SAP Protocol [page 9]. NI in the OSI 7 layer model OSI Layer Protocol 7 Application 6 Presentation 5 Session 4 Transport NI TCP / UDP 3 Network SAProuter IP 7.10 8 SAP Online Help 2 Data Link 29.10.2007 Ethernet,... 1 Transfer method The test program niping, which tests the the NI functions belongs to the NI layer. A predefined number of data packets is sent from the client to the server, sent back from the server, and read again by the client. The program also outputs average transfer times and depending on the trace level - detailed information on the data transfer. niping can be used to test network connections with or without SAProuter. If niping is entered without parameters, an online help is displayed with possible parameters and additional options. Further Information Testing Basic Functions [page 18] NI and SAProuter Implementation [page 66] IPv6 Support in SAP NetWeaver [external] SAP Protocol Definition The protocol used by SAP programs that communicate using the NI interface is called the SAP Protocol. This is an enhanced version of the TCP/IP protocol, which has been supplemented by one length field and some options for error information . Use When defining the route permission table, you can use S as the initial letter. This then only allows the SAP protocol, that is, the line is interpreted as usual, but only SAP programs (SAP GUI, SAP application servers, etc.) are permitted to communicate with each other. More information: Creating a Route Permission Table [page 22] Integration The NI network interface provides the SAP protocol as the default for communication, although it can also use the TCP/IP protocol with external programs (for example, telnet or lpd) that do not 'speak' SAP protocol. More Information Route Connections [page 10] SNC - Secure Network Communication [page 12] SAProuter 7.10 9 SAP Online Help 29.10.2007 Route Connections Definition A route connection is a connection between two hosts via a network. The route is the sequence of intermediate stations used to set up the connection. Structure You can set up a connection between SAP systems with or without SAProuter. Connections Without SAProuter The following graphic shows a network connection from SAP to the customer without SAProuter: SAP LAN WAN (Internet) Customer LAN Customer Workstations SAP Workstations We are assuming that both the SAP LAN (local area network) as well as the customer LAN are protected against unwanted access by firewalls. If a connection is to be set up between an SAP workstation and a customer workstation, a “hole” needs to be made in the firewall. The more connections required to external hosts, the more holes (and therefore security gaps) the firewall contains. If a connection is set up without SAProuter, the following information is required: ... 1. IP address of the host or the logical name of the host on which the server process is running. The target host must therefore have a unique IP address. 2. Port number or the logical name of the port used by the process. The server process must use an exclusive port number on its host. Also, this port number must be known to the client. When the NI network interface [page 8] is used, the host address and port number can be passed as logical names (for example, host saposs, service SAProuter 7.10 10 SAP Online Help 29.10.2007 sapdp00) or address strings (for example, a host IP address in the form www.xxx.yyy.zzz, port 3200). Connections with SAProuter The following graphic shows a network connection with SAProuter: WAN (Internet) SAP LAN SAProuter Customer LAN SAProuter Customer Workstations SAP Workstations SAProuter only allows a network to be accessed from fixed points. The number of access points (“holes”) is therefore reduced, since fewer direct lines are required for connections. Each "hole" is guarded by an SAProuter whose route permission table determines the routes that can be used and the necessary passwords for gaining access. The hole in the firewall is therefore monitored. Without SAProuter, the IP addresses must be unique. This is not always possible, particularly in the case of a connection between two networks that do not normally have an external connection. SAProuter enables two points with identical IP addresses to be connected. SAProuter cannot only be used to connect one host with a particular service, but also several hosts and services with each other. The route information is provided in the form of a route string. The passwords required for access are also specified in the route string. More Information Route Permission Table [page 23] Route Strings [page 21] Using and Configuring the SAProuter [page 17] Route Connects [page 67] in the implementation part SAProuter 7.10 11 SAP Online Help 29.10.2007 SNC - Secure Network Communication Use SNC is used to make network connections using the Internet, in particular WAN connections, secure. It provides reliable authentication as well as encryption of the data to be transferred. SAProuter allows SNC connections to be set up. The route permission table can be used to specify precisely whether SNC connections are allowed, and if so, which ones. Integration See the following documentation for a detailed description of how to use the Secure Network Communications (SNC) [external] in the SAP environment: Prerequisites You are using at least version 30 of SAProuter, and have configured SNC using the relevant guide. The following are prerequisites for setting up an SNC connection between two SAProuters: ● Both SAProuters must have been started using the option -K <SNCname> (System i: '-K <SNCname>'). These names ensure the authenticity of a host. ● There must be a KT entry in the route permission table of the source host. This causes the connection to the target host to use the SNC layer. ● There must be a KP entry in both route permission tables, allowing the connection. Activities To set up an SNC connection between two SAProuters, you need to start them using the option -K and configure the route permission table appropriately. More Information Option -K <mysncname> Route Connections [page 10] Route Permission Table Installing the SAProuter Use The following describes how to install SAProuter. On UNIX, SAProuter is installed as a daemon. On Windows it is installed as a service. Prerequisites For information about the hardware prerequisites see Hardware Requirements for SAProuter [page 13]. SAProuter 7.10 12 SAP Online Help 29.10.2007 Procedure Download You will find the latest SAProuter in the SAP Service Marketplace under Download SAP Software → <Support Packages & Patches>, service.sap.com/patches . On the Support Packages and Patches page choose links in navigation bar Entry by Application Group, and then Additional Components → SAPROUTER → SAPROUTER 7.00 → <Platform>. Here you will find the saprouter packet. Installation How you install the SAProuter depends on the operating system you are using. Choose the appropriate method: Installation on UNIX [page 14] Installation on Windows [page 15] Installation on System i [page 16] Hardware Requirements for SAProuter SAProuter Architecture and Requirement Profile Since the work of the SAProuter (also with SNC) is mainly I/O-based (input/output), you do not require any especially powerful CPU. The workload handled by the SAProuter is determined by the number of open connections. If over 800 connections have to be maintained, we recommend that you start new SAProuter processes with Option -Y <n> [page 64]. This distributes the load across several processes and reduces the risk of any problem occurring (if a problem does occur, it never affects all the open connections.) The rule of thumb is 1 SAProuter for every 500 connections. Alternatively to option -Y you can also set a script that monitors the SAProuter process and restarts the SAProuter (soft shutdown with Option -p [page 58], then restart), as soon as a certain number of connections is exceeded, or when the message Maximum number of clients reached [page 34] is issued for the first time. Since the SAProuter process is running in one thread (single threaded) and is often busy with I/O calls or with host name resolutions, a computer with one CPU manages well with several SAProuter processes running in parallel. Recommended Hardware For an SAProuter with 3000 parallel connections between SAP GUIs and application servers, transferring an average volume of data, a small number of file downloads and uploads (approximately 8kB data transfer in both directions per connection and per 10 seconds), we recommend: ● Quick network adapter (very important) ● 2 hyper-threading (HTT) CPUs with 2GHz tact frequency ● 512 MB RAM ● 50 MB free space on the hard drive SAProuter 7.10 13 SAP Online Help 29.10.2007 Background For 3000 users we estimate six SAProuter processes (set Option -C <clients> [page 62] to 1000). Each of these processes requires 4.5 MB of memory, and 9% of a two-way HTT 3 GHz CPU, if you assume one third of the CPU workload is for the users and two thirds for the system. The six SAProuter processes together require approximately 30 MB and 55% of the CPU. Sometimes it takes a few seconds to determine the host name from the IP address (reverse lookup), and during this time the process is blocked. The cause is usually an error in the DNS configuration. Users will notice these delays particularly if the workload on the SAProuter is large. Use Option -D [page 62], to prevent this happening. Recommended Start Options Start the SAProuter as follows: saprouter -r -K <SNC name> -Y 0 -C 1000 -D -G <log file> -J 2000000 For information about operating the SAProuter under Windows see SAP note 734095. Installation on UNIX ... 1. Create the subdirectory saprouter in the directory /usr/sap/. Get the latest version of the SAProuter from the SAP Service Marketplace (service.sap.com/patches), as described under Installation of the SAProuter [page 12]. The SAProuter is in packet saprouter*.SAR; the program niping is also in this packet. Copy programs saprouter and niping to the newly created directory /usr/sap/saprouter. If you cannot copy the programs from SAP Service Marketplace, you can copy a version (may be obsolete) from your directory /usr/sap/<SID>/SYS/exe/run. 2. (Optional) If you want to start the SAProuter on the same computer used for an SAP instance, insert the following line into file /usr/sap/<SID>/SYS/exe/run/startsap: # # Start saprouter # SRDIR=/usr/sap/saprouter if [ -f $SRDIR/saprouter ] ; then echo “\nStarting saprouter Daemon “ | tee -a $LOGFILE echo “----------------------------“ | tee -a $LOGFILE $SRDIR/saprouter -r -R $SRDIR/saprouttab \ | tee -a $LOGFILE & fi Insert the lines before the commands to start the SAP instance. Normally the SAProuter runs on a different computer. If this is so, this step is omitted and you start the SAProuter as described in Starting the SAProuter [page 17]. SAProuter 7.10 14 SAP Online Help 29.10.2007 Maintain the route permission table [page 23] in directory /usr/sap/saprouter. If you want to keep it in another directory or under a name other than saprouttab, you must specify this with the SAProuter option -R (see Option R <routtab> [page 59]). Installation on Windows Prerequisites You have the latest version of SAProuter (available from the SAP Service Marketplace (http://service.sap.com/patches) (see Installation of the SAProuter [page 12]), and have read the readme file. The SAProuter version must not be under 23. Procedure ... 1. Create the subdirectory saprouter in the directory <drive>:\usr\sap. 2. Download the latest version of the SAProuter from SAP Service Marketplace. Read the README file in this package. Copy the executables saprouter.exe and niping.exe to the directory you have just created. If there is no SAProuter there, you can get a version (may be obsolete) from your directory <drive>:\usr\sap\<SID>\SYS\exe\run. 3. If SAProuter has already been entered as a service with srvany.exe, remove the definition of the service from the Registry and restart the host. 4. Define the service with the following command: ntscmgr install SAProuter -b ...\saprouter\saprouter.exe -p “service -r <parameter>“ Note: The points stand for <drive>:\usr\sap <parameter> can be replaced by other parameters with which SAProuter is to be started. See SAProuter Options [page 51]). It is important that the parameters are within the character string enclosed in double quotation marks. 5. Define standard service properties in Control Panel → Services, set the startup type to “automatic” and enter a user. SAProuter should not run under the system account. 6. To avoid the error message “The description for Event ID (0)” in Windows NT event log, you have to enter the following in the registry: Under HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → Event Log → Application enter the key saprouter and define the following values for it: EventMessageFile (REG_SZ): ....\saprouter\saprouter.exe TypesSupported (REG_DWORD): 0x7 These adjustments are not obligatory for running SAProuter. They are only used for providing detailed error messages in the event log. Maintain the Route Permission Table [page 23] in the system32 Windows directory. If you want to keep it in another directory or under a name other than saprouttab, you must specify this with the SAProuter option -R (see Option R <routtab> [page 59]). SAProuter 7.10 15 SAP Online Help 29.10.2007 Installation on System i Prerequisites You have the latest version of SAProuter (available from the SAP Service Marketplace (see Installation of the SAProuter [page 12]), and have read the readme file. Procedure Install the programs SAPROUTER and NIPING in a separate library (such as SAPROUTER). ... 1. Log on to the System i machine as <SID>ADM. 2. Create a library CRTLIB <library name> 3. Create the file SAPROUTER CRTSAVF <library name>/SAPROUTER 4. Create the backup file NIPING using the command <library name>/NIPING 5. Download the programs SAPROUTER.SVF and NIPING.SVF from the SAP Service Marketplace to your local PC, using the following commands: ftp <System i> cd QGPL lcd <dir> (<dir> is the directory where SAPROUTER.SVF and NIPING.SVF are located) bin: put SAPROUTER.SVF SAPROUTER put NIPING.SVF NIPING quit 6. Re-create the SAPROUTER or NIPING objects. Use the command APYR3FIX as described in SAP Note 49365, and for parameter KRNLIB use the library that you created above. 7. Create the directory /usr/sap/saprouter. 8. Make sure to maintain the corresponding Route Permission Table [page 23] under /usr/sap/saprouter/saprouttab (see also Creating a Route Permission Table [page 22]). More Information Starting SAProuter [page 17] SAProuter 7.10 16 SAP Online Help 29.10.2007 Using and Configuring the SAProuter This section describes how SAProuter is started, tested, and configured. The following tasks are described: Operation Starting SAProuter [page 17] Testing Basic Functions [page 18] Entering Route Strings [page 20] Configuration Creating a Route Permission Table [page 22] Setting Up Logging in the SAProuter [page 27] More Information SAProuter Options [page 51] Error Diagnosis [page 30] Starting SAProuter Prerequisites Before using SAProuter, you should test its basic functions. Testing SAProuter Basic Functions [page 18] Procedure To start SAProuter: Enter saprouter -r in the input field. (System i: enter saprouter '-r' in the input field in batch mode if possible.) This command starts SAProuter.The connections allowed are contained in the route permission table saprouttab. You can automatically start SAProuter when you start the system. In UNIX for example, you would change file /etc/rc. If you want to run a high number of connections (more than 1000) via SAProuter, start the SAProuter using Option -r -Y <n> [page 64], and set the maximum number of clients to 2000 using Option -C <clients> [page 62], thus: saprouter -r -Y 0 -C 2000 If this option is set, a new SAProuter is automatically started if the client table becomes full. New connection can then use this new SAProuter. The table below contains the most important SAProuter commands: Command SAProuter Meaning 7.10 17 SAP Online Help 29.10.2007 saprouter Displays a complete list of SAProuter parameters on the screen saprouter -r (System i: saprouter 'r') Starts SAProuter saprouter -s (System i: saprouter 's') Stops the running SAProuter More Information Creating a Route Permission Table [page 22] SAProuter Options [page 51] Testing Basic Functions Prerequisites Before using SAProuter, you should test whether there are any network problems. To test the basic functions of the SAProuter, you require the programs saprouter and niping as well as three open windows (shells) on one or more hosts. Procedure The following table shows the test scenario when using niping: SAProuter runs in window 1, the server in window 2, and the client in window 3. UNIX/Windows Window 2 (host2) Window 1 (host1) Without SAProuter niping -s With SAProuter niping -s Window 3 (host3) niping -c -H host2 saprouter -r niping -c -H /H/host1/H/host2 System i Window 2 (host2) Window 1 (host1) Window 3 (host3) Without SAProuter call niping '-s' call niping '-c' '-H' 'host2' With SAProuter call niping '-s' saprouter '-r' call niping '-c' '-H' '/H/host1/H/host2' Steps ... 1. Start SAProuter in window 1 (on host1). To do this, enter the following command: UNIX/Windows: saprouter -r System i: saprouter '-r' This command calls SAProuter without any parameters. SAProuter 7.10 18 SAP Online Help 29.10.2007 For a complete list of the SAProuter commands, refer to the chapter SAProuter Options [page 51] or the online help. To call the online help, enter saprouter. 2. In window 2 (host2), start the test program niping to emulate a test server. Enter the following command: UNIX/ Windows: niping -s System i: call niping '-s' For a complete list of the niping commands, refer to the online help. To call the online help, enter niping. 3. In window 3 (host3), start the test program niping to emulate a client. Enter the following command: UNIX/ Windows: niping -c -H host2 System i: call niping '-c' '-H' 'host2' This command tests the connection without SAProuter, that is directly between host2 and host3. 4. In window 3, start the test program niping again with the following command: UNIX/ Windows: niping -c -H /H/host1/H/host2 System i: call niping '-c' '-H' '/H/host1/H/host2' This command tests the connection with SAProuter. A host name is interpreted as a route (over one or more SAProuters to the server) if /H/ is added as a prefix to the host name (see Route Strings [page 21] ). In steps 3 and 4, data packages are sent to the server, and the server sends the data packages back. In step 3, the data packages should be sent to the server more frequently, since more process changes take place. To perform a self test for the local host: Enter the command niping -t ( System i: call niping '-t'). A list with function names, parameters, and return codes is displayed. If the self test is successful, the following message appears: *** SELFTEST O.K. *** To get an idea of the options provided by niping, enter niping without any parameters. SAP Note 500235 contains comprehensive documentation about the niping tool. More Information Entering Route Strings for SAProuter [page 20] Creating a Route Permission Table [page 22] NI Network Interface [page 8] SAProuter 7.10 19 SAP Online Help 29.10.2007 Entering Route Strings Use A route string describes a connection required between two hosts using one or more SAProuters. Each of these SAProuters then checks its Route Permission Table [page 23] to see whether the connection between its predecessor and successor is allowed, and if it is, sets it up. Procedure The entry of route strings is best illustrated by an example. The following graphic shows an example of a connection between SAP and a customer system. In this example, an SAP employee working on sappc wants to log on to a customer application server yourapp, which provides or uses the service sapsrv. SAPLAN WAN (Internet) Customer LAN sappc sap_rout your_rout sapsrv yourapp The SAP service employee logs on to the SAP System, and sets up a connection between sappc and yourapp using the SAProuter on sap_rout and the customer’s SAProuter your_rout. your_rout requires the password pass_to_app for connections with yourapp. The route string appears as follows: /H/sap_rout/H/your_rout/W/pass_to_app/H/yourapp/S/sapsrv This route string is interpreted by the SAProuters involved in the route as follows: Host/address Service/port Password Substring 1 /H/sap_rout /S/<default> <no password> Substring 2 /H/your_rout /S/<default> /W/pass_to_app Substring 3 /H/yourapp /S/sapsrv The connection from sappc to the application server is set up in the following steps: SAProuter 7.10 20 SAP Online Help 29.10.2007 sappc (front end) Sets up the connection to SAProuter sap_rout according to substring 1 and relays the route information. sap_rout (SAProuter on SAP side) Uses the route permission table to check whether the route “sappc to your_rout 3299” is allowed, sets up the connection to the customer SAProuter on the host your_rout, and passes substring 2 and 3. your_rout Checks whether the route “sap_rout to yourapp, sapsrv” is allowed. The password pass_to_app is (SAProuter on customer side) also checked. SAProuter then sets up the connection to the application server. A SAProuter always checks only the previous host name or the previous IP address and the next substring (/H/.../S/.../W/...) for host name or IP address, service and password. The last substring does not contain a password, since there is no successor in the route. If the /S/ section is missing, the default port number of the SAProuter is used. If the /W/ section is missing, a password is not used. With the old password entry, the above route string would appear as follows: /H/sap_rout/H/your_rout/H/yourapp/S/sapsrv/P/pass_to_app Note that the host name (which follows the /H/ in the route string) must be at least two characters long. More Information Route Strings [page 21] Route Permission Table [page 23] Route Connects [page 67] in the implementation part Route Strings Definition A route string describes the stations of a connection required between two hosts. A route string has the syntax (/H/host/S/service/W/pass)* It consists of any number of substrings in the form /H/host/S/service/W/pass. H, S, and W must be uppercase! Structure A route string contains a substring for each SAProuter and for the target server. Each substring contains the information required by the SAProuter to create a connection in the route - host name, port name, and password if applicable. Syntax for substrings: ● /H/ indicates the host name SAProuter 7.10 21 SAP Online Help 29.10.2007 Note that the host name must be at least two characters long. ● /S/ is used for specifying the service (port); it is an optional entry, the default value is 3299 ● /W/ indicates the password for the connection between the predecessor and successor on the route and is also optional (default is “”, no password) In earlier Releases (<4.0A), the password entry was made one substring later and with the letter /P/. New: /H/saprouter/W/pass/H/target server Old: /H/saprouter/H/zielserver/P/pass (Here pass is the password which is checked by the SAProuter on host saprouter to set up or prohibit the connection from the source host to the target host.) Due to downward compatibility, the old password entry form is still possible. More Information Entering Route Strings [page 20] Route Connects [page 67] in the implementation part Creating a Route Permission Table You can create a route permission table with a standard text editor. You must create a separate route permission table for each SAProuter in your network. If no specific route permission table has been assigned to the SAProuter, ./saprouttab is used on UNIX and System i. The file saprouttab in the working directory of the SAProuter (<lwk>:\usr\sap\saprouter) is used on Windows. If this file is not available, SAProuter terminates with an appropriate message. Procedure Create the file in the relevant directory. You can find a description of the syntax under Route Permission Table [page 23]. You can use generic entries (“*”) in hosts, ports, and passwords. You can use sub-networks in host routes. SAProuter Entry in the Route Permission Table Meaning 156.56.*.* All host addresses beginning with 156.56 7.10 22 SAP Online Help 29.10.2007 133.27.17.* All host addresses beginning with 133.27.17 133.27.16.0/24 All host addresses beginning with 133.27.16 (0/24 at the end means that the first 24 bits are relevant, that is, the first three blocks) 156.56.1011xxxx.* All host addresses from 156.56.176.* to 156.56.191.*. (Binary interpretation of the third byte of the address. ‘x’ is a freely selectable binary value (1 or 0).) Examples You can display an example of a route permission table on the screen. To do this, enter saprouter to call the SAProuter online help: You can find more examples of route permission tables in the following sections: Example of a Route Permission Table [page 26] Example of a Route Permission Table with SNC [page 26] Further Information Route Permission Table [page 23] Route String Entry for SAProuter [page 20] Route Connects [page 67] in the implementation part Route Permission Table Definition The route permission table contains the host names and port numbers of the predecessor and successor points on the route (from the SAProuter’s point of view), as well as the passwords required to set up the connection (corresponds to a substring, cf. Route Strings [page 21]). It is used to specify which connections are allowed and which prohibited by SAProuter. It also specifies whether SNC connections are set up and which these are. Structure Standard Entries Standard entries in a route permission table appear as follows: P/S/D <source host> <dest host> <dest serv> <password> <source-host> and <dest-host> could be SAProuters. Elements of a table entry are described below: Handling the Connection: P/S/D The beginning of the line can be as follows: ● P(ermit) causes SAProuter to set up the connection. P(ermit) entries can contain a password. SAProuter checks whether this password corresponds to that sent by the client. SAProuter 7.10 23 SAP Online Help 29.10.2007 Directly after the P you can also specify the maximum number of SAProuters allowed on this route before and after this SAProuter so that the connection is permitted: Pv,n - v stands for the maximum number of SAProuters before this one, and n stands for the maximum number of SAProuters after this one allowed on this route. ● S(ecure) only allows connections with the SAP Protocol [page 9]; connections with other protocols (such as TCP) are not allowed. With Sv,n you can determime the number of preceding and succeeding SAProuters on the route, the same as you can with P. ● D(eny) prevents the connection from being set up. ● You can also add comment lines, which must begin with ‘#’. Source Host <source host> This element describes the host from where the connection comes (from viewpoint of the SAProuter). This can be a host name, an IP address or an IP subnetwork (see Creating the Route Permission Table [page 22]). Destination Host <dest host> This element describes the host the connection is going to (from viewpoint of the SAProuter). This can be a host name, an IP address, or an IP subnetwork. Destination Port <dest serv> This element describes the port (service) of the destination host where the connection is going to. Here you can also specify port ranges by separating the two ports that demarcate the range by a period. If <dest serv> has the value 3200.3298, this means connections to the destination server on all ports between 3200 and 3298. If a <source-host> client wants to set up a connection to <dest-host> <dest-serv> using SAProuter, SAProuter checks its route permission before the connection is set up. If the password and route SAProuter has received correspond to the entries in the route permission table, SAProuter sets up the connection. In this is not the case, SAProuter does not set up the connection, and issues the message, Route permission denied. More information: Example of a Route Permission Table [page 26] Identifying and Correcting Errors [page 30] SNC Entries SNC entries always start with the letter K (like key). There are two types of SNC entries: ... 1. KT entries (Key Target) This defines which connections should be SNC connections. This can be defined for both incoming and outgoing connections (from the point of view of this SAProuter). ... a. Incoming connections The syntax is KT <SNCname src host> <src host> <src serv>. This means that connections coming from the host <src host> <src serv> with the SNC name <SNC name src host> should be SNC connections. The user can thus define that service connections from SAP must be SNC connections. SAProuter 7.10 24 SAP Online Help 29.10.2007 b. Outgoing connections They have the syntax KT <SNC name dest host> <dest host> <dest serv>. This means that connections from the SAProuter to <dest host> <dest serv> with the SNC name <SNC name> should be SNC connections. To make SNC connections possible, the appropriate SAProuters need to have been started with the option -K and the route permission table must contain the appropriate KT entry. 2. KD, KP, and KS entries They have the following syntax: K<D/P/S> <SNC name source host> <dest host> <dest serv> <password>. This means that the (encrypted) SNC connection from <SNCname source-host> via SAProuter to <dest host> <dest serv> is set up when the route string contains the correct <password>. More information: Example of a Route Permission Table with SNC [page 26] Evaluation of the Route Permission Table The following rules apply when the SAProuter evaluates the route permission table. First Match The first entry in the route permission table for which source address, target address, and target port match is decisive. In other words, in the above example of a route permission table, this means that the connection from host1 to host2, service serviceX, is not allowed (because of the first entry) although all connections with service serviceX are allowed according to the third entry. No match If there is not an appropriate entry in the table for a route, the connection is rejected. It behaves as though the last line were a D * * *. Wildcards Exception If the SAProuter is the last SAProuter on the route (for example, the front end), and the service is not an SAP service (not an SAP protocol), a wildcard (“*”) cannot be used with the service. The connection is only allowed if the non-SAP service is explicitly selected. If the example given above contained a * instead of telnet, and the SAProuter was the last one on the route, the telnet connection would not be set up. Security Note For security reasons SAP recommends, that you do not use wildcards (*) for the target host (<dest-host>) and the target port (<dest-serv>) in P and S lines in the route permission table. If the table contains P or S lines, the SAProuter issues a warning message: WARNING: wildcard character used in route target Further Information Creating a Route Permission Table [page 22] SAProuter Route Permission [page 70] in the implementation part. SAProuter 7.10 25 SAP Online Help 29.10.2007 Example of a Route Permission Table A route permission table could appear as follows: D host1 host2 serviceX D host3 P * * 3200.3298 P 155.56.*.* 155.56.*.* P 155.57.1011xxxx.* P host4 S host6 P P*,0 host5 * host7 host8 telnet * * pass gui This means: ● Do not allow any routes from host1 to host2, service serviceX ● Do not allow any routes starting from host3 ● Allow all routes to server processes that use a service in area 3200 to 3298 ● Allow all routes within subnetwork 155.56.0.0/16 ● All routes starting from subnetwork 155.57.1011xxxx are allowed (the last byte is written as a binary number; each “x” stands for 0 or 1). ● Allow all routes from host4 to host5 if password pass is correct ● All routes from host6, but only SAP protocol ● Native protocol routes (TCP/IP) from host7 to the non-SAP service telnet on host8 ● All connections to non-SAProuters (no more SAProuters allowed on this route) if password gui is correct In the above example in Entering Route Strings [page 20] the route permission table of host saprouter must have the entry: P sappc your_rout and the route permission table of host yoursaprouter must contain the entry P saprouter yourapp sapsrv pass_to_app More Information Example of a Route Permission Table with SNC [page 26] Route Permission Table [page 23] Example of a Route Permission Table with SNC A route permission table using SNC could look like this: SAProuter 7.10 26 SAP Online Help 29.10.2007 P * * * KT S:SR@host4 host4 3333 KT S:SR@host4 host9 * KD S:SR@host4 host9 * KP S:SR@host4 * * KS * host10 4444 KP * * * pass pass2 This means: ● Allow all connections if password pass is specified correctly ● Connections from this SAProuter to host4 (SNC name S:SR@host4), service 3333 must be SNC connections. ● Connections from host9 (SNC name S:SR@host9) to this SAProuter must be SNC connections. ● A SNC connection from SR@host4 to host9 using this SAProuter should not be set up ● A SNC connection from S:SR@host4 using this SAProuter (any target host) is allowed if the password pass2 is correct (unless the connection is to host9, since this is not allowed according to the previous entry - the first entry which “matches” is decisive!) ● All SAP-SAP connections (that is NI protocols) to host10, service 4444 which enter as SNC connections are passed on to host10 (no SNC host) as non-SNC connections. ● All SNC connections (for which the previous entries are not suitable) are allowed. More Information Route Permission Table [page 23] Creating a Route Permission Table [page 22] Setting Up Logging in the SAProuter Use To get an overview of the function and capacity of the SAProuter, a log can be kept of all the connections established and actions performed via the SAProuter. Procedure You can configure the log using Option -G<logfile> [page 60]. Here you create the name of the log file and specify where it is to be created. Structure of the Log File The log file is structured line by line. Each line contains the following information: SAProuter 7.10 27 SAP Online Help 29.10.2007 ● Date and time: weekday, month, day, time, year ● Action: Possible actions are INIT LOGFILE (start of log file), READ ROUTTAB (read Route Permission Table [page 23]), CONNECT FROM/TO (set up connection from/to), DISCONNECT (close connection), PERM DENIED (connection not permitted by route permission table). After the action is always a handle pair <C|S>n/m, whereby the letter means whether the action was initialized by the client or the server, and the two numbers refer to the internal NI handle numbers. For example, the handle pair 'C1/2' means that this log refers to the connection with handle 1 to the client (the first number) and with handle 2 to the server (second number). The C at the front means that the action was initialized by the client. A CONNECT FROM is therefore always written with C, a CONNECT TO with S. With DISCONNECT the page specified is the one the connection has closed. The IP address and port always refer to the connection’s counter page (peer). A log with a handle pair C1/- means that no server-side connection between a pair exists yet. The most important log entries are described below. Example Actions Assuming that logging has been activated, the following actions are executed through the SAProuter. The SAProuter stands between the physical hosts ldp007 with the IP address 10.21.72.60 and binmain (IP address 10.21.82.77). ... 1. Connection is opened between host ldp007 (10.21.72.60) and host binmain (10.21.82.77) with port sapmsBIN, which is closed by the client again. 2. Administrator calls up local SAProuter to display the list of connections (saprouter -l). 3. Connection is established between host ldp007 (10.21.72.60) and the same host ldp007 with port 3298, which is closed by the server again. 4. Attempt to open connection from host ldp007 (10.21.72.60) to the same host with telnet port 23 is rejected by the SAProuter. Route Permission Table The route permission table in this example allows connections from any host to host 10.21.82.77 with port sapmsBIN, as well as to host 10.21.72.60 with port 3298: P * 10.21.82.77 sapmsBIN P * 10.21.72.60 3298 Log File After these actions have been executed, the log file would look like the following (the line numbers are not displayed, but are added here to help with the description). SAProuter 7.10 28 SAP Online Help 29.10.2007 (1) Wed Dec 7 13:13:59 2005 INIT LOGFILE (2) Wed Dec 7 13:13:59 2005 READ ROUTTAB ./saprouttab o.k. (3) Wed Dec 7 13:14:05 2005 CONNECT FROM C1/- host 10.21.72.60/1245 (ldp007.wdf.sap.corp) (4) Wed Dec 7 13:14:05 2005 CONNECT TO 10.21.82.77/sapmsBIN (binmain) S1/2 host (5) Wed Dec 7 13:14:05 2005 DISCONNECT (ldp007.wdf.sap.corp) C1/2 host 10.21.72.60/1245 (6) Wed Dec (localhost) (7) Wed Dec (8) Wed Dec (localhost) 7 13:14:13 2005 CONNECT FROM C2/- host 127.0.0.1/44997 7 13:14:13 2005 SEND INFO TO C2/7 13:14:13 2005 DISCONNECT C2/- host 127.0.0.1/44997 (9) Wed Dec 7 13:14:23 2005 CONNECT FROM C2/- host 10.21.72.60/1276 (ldp007.wdf.sap.corp) (10) Wed Dec (ldp007) (11) Wed Dec (ldp007) 7 13:14:23 2005 CONNECT TO 7 13:14:24 2005 DISCONNECT S2/1 host 10.21.72.60/3298 S2/1 host 10.21.72.60/3298 (12) Wed Dec 7 13:14:31 2005 CONNECT FROM C2/- host 10.21.72.60/1352 (ldp007.wdf.sap.corp) (13) Wed Dec 7 13:14:31 2005 PERM DENIED (ldp007.wdf.sap.corp) to ldp007/23 C2/- host 10.21.72.60 (14) Wed Dec 7 13:14:31 2005 DISCONNECT (ldp007.wdf.sap.corp) C2/- host 10.21.72.60/1352 Meaning The lines mean the following: Line(s) Meaning (1), (2) The first two lines are always at the start of the log file. The first line marks the start, the second means that the Route Permission Table [page 23] has been read in successfully. (3), (4) The client (host 10.21.72.60, Port 1245) connects to the SAProuter and through this host it can connect to host 10.21.82.77, port sapmsBIN, since this connection is permitted according to the route permission table. (5) The connection between host 10.21.72.60, port 1245 and host 10.21.82.77, port sapmsBIN is closed by the client. (6) On the local host (IP address 127.0.0.1, port 44997) the connection list display is called up (saprouter –l). The connection is opened with the SAProuter. (7) The SAProuter sends the client the requested connection information. (8) The connection is closed again. As it is not a client/server connection via the SAProuter, the connection is closed by the SAProuter. (9), (10) Client host 10.21.72.60, port 1276 wants to connect to server 10.21.72.60, port 3298 v via the SAProuter, which is permitted according to the route permission table. The SAProuter opens the connection. SAProuter 7.10 29 SAP Online Help 29.10.2007 (11) The connection is closed again (from the server). (12), (13) Client host 10.21.72.60, port 1352 wants to connect to server 10.21.72.60, port 23 (telent) via the SAProuter, which is not permitted according to the route permission table. The SAProuter returns message, “permission denied”. (14) The connection is closed by the SAProuter. (With unpermitted connections and in error situations the SAProuter closes the connections.) Identifying and Correcting Errors Use If an error occurs while a SAProuter is in operation, an error message is displayed by the SAProuter client. The message helps you to locate the cause of the error and find a solution. Prerequisites You can find more information about error handling in the log file. Logging in SAProuter [page 27] must be activated (Option -G<logfile> [page 60]). Procedure Restrict the error to one of the following error groups: ● Connection setup error ● Connection terminations ● Other errors /occasional errors To find the relevant group, you can enter the error text in the full text search in the documentation. Once you have restricted the error to a group, proceed as follows: Connection Setup Error [page 34] Connection Terminations [page 40] Other Errors [page 43] Further Information If no error occurs, you can tell this from the log file. Entries are described in Successful Connection Setup and Data Transfer [page 31]. You can find information about the syntax of SAProuter error messages, and examples of frequently occurring errors in SAProuter Error Messages [page 32] SAP Notes With other error messages or problems with SAProuter you can look for solutions in the SAP Note system under component BC-CST-NI. You can find notes about the SAProuter environment in the section SAP Notes for the SAProuter [page 50]. SAProuter 7.10 30 SAP Online Help 29.10.2007 Successful Connection Setup and Data Transfer When the connection is set up and data transferred without any errors, you see the following entries in the log file: Operation Without SNC Thu Jun 14 16:08:04 2007 CONNECT FROM C9/- host 10.66.66.90/19114 (host1.company.corp) Thu Jun 14 16:08:04 2007 CONNECT TO (host2) S9/17 host 10.21.83.41/3299 Thu Jun 14 16:08:06 2007 ESTABLISHED S9/17 Thu Jun 14 16:21:06 2007 DISCONNECT (host1.company.corp) C9/17 host 10.66.66.90/19114 Thu Jun 14 14:28:40 2007 CONNECT FROM C19/- host 10.66.66.90/12127 (host1.company.corp) Thu Jun 14 14:28:40 2007 CONNECT TO (host3), *** NATIVE ROUTING *** S19/11 host 10.21.72.60/3299 Thu Jun 14 14:28:41 2007 ESTABLISHED S19/11 , *** NATIVE ROUTING *** Thu Jun 14 14:58:43 2007 DISCONNECT (host3), *** NATIVE ROUTING *** S19/11 host 10.21.72.60/3299 Operation with SNC When using SNC for data communication between two SAProuters there are two different mechanisms for setting up the connection. SNC Forwards Setup With this mechanism, the client-side SAProuter initiates the SNC connection/encryption. The SAProuter on the client-side has an entry of the type KT in the router permission table for the server-side SAProuter and therefore establishes the SNC connection. The SNC name is written to the 'CONNECT TO' log when the connection to the server-side SAProuter is established. The 'ESTABLISHED' log displays the recipient side of the SNC communication once the connection has been set up successfully. Client Side Thu Jun 14 17:13:22 2007 CONNECT FROM C9/- host 10.66.66.90/30888 (host1.company.corp) Thu Jun 14 17:13:25 2007 CONNECT TO S9/17 host 10.18.211.3/3299 (10.18.211.3) (p:CN=D039768, O=SAP-AG, C=DE) Thu Jun 14 17:13:25 2007 ESTABLISHED S9/17 (-/SNC) Thu Jun 14 17:19:12 2007 DISCONNECT (host1.company.corp) C9/17 host 10.66.66.90/30888 Server Side SAProuter 7.10 31 SAP Online Help 29.10.2007 Thu Jun 14 17:13:22 2007 CONNECT FROM C9/- host 10.18.211.3/1150 (host2) Thu Jun 14 17:13:25 2007 CONNECT TO (binmain) S9/17 host 10.66.66.91/3253 Thu Jun 14 17:13:25 2007 ESTABLISHED S9/17 (SNC/-) Thu Jun 14 17:19:12 2007 DISCONNECT (host2) C9/17 host 10.18.211.3/1150 SNC Backwards Setup The server-side SAProuter can also initiate SNC. This is what happens if the incoming connection from the client-side SAProuter does not use SNC (see above) but the server-side SAProuter requires it due to the relevant entries in the route permission table. In this scenario, the SNC handshake is triggered by the server-side SAProuter later on. This means that there is no SNC name in the 'CONNECT TO' entry in the log on the client side. Client Side Thu Jun 14 16:55:21 2007 CONNECT FROM C9/- host 10.18.211.3/1065 (host2) Thu Jun 14 16:55:21 2007 CONNECT TO (10.18.211.3) S9/17 host 10.18.211.3/3299 Thu Jun 14 16:55:21 2007 ESTABLISHED S9/17 (-/SNC) Thu Jun 14 16:56:42 2007 DISCONNECT (10.18.211.3) S9/17 host 10.18.211.3/3299 Server Side Thu Jun 14 16:55:21 2007 CONNECT FROM C9/- host 10.18.211.3/1066 (host2) Thu Jun 14 16:55:21 2007 CONNECT TO (host4.company.corp) S9/17 host 10.66.66.91/sapdp53 Thu Jun 14 16:55:21 2007 ESTABLISHED S9/17 (SNC/-) Thu Jun 14 16:56:42 2007 DISCONNECT (host4.company.corp) S9/17 host 10.66.66.91/3253 More Information Route Connections [page 10] SNC - Secure Network Communication [page 12] SAProuter Error Messages A SAProuter error message consists of eight or more lines, with a blank line inserted after one or two lines. SAProuter Error Message SAProuter LOCATION SapRouter on myhost ERROR partner not reached 7.10 32 SAP Online Help 29.10.2007 TIME Wed Jul 23 15:24:42 1997 RELEASE 700 COMPONENT NI (network interface) VERSION 38 RC -100 COUNTER 1 The two first lines are important here. They show you: ● On which host the SAProuter concerned is running (in this example myhost) ● To which application area the error belongs (here connection setup) In this example, SAProuter cannot set up the connection to its partner. You are advised to check the connection again. If there is no LOCATION entry, the error message refers to a local program. The information after the blank line is particularly relevant for internal errors. If you cannot correct the error and therefore contact SAP, the detailed information may be helpful. The most important error messages are: ● Route permission denied: The connection is not permitted and will not be opened by the SAProuter. Check the route permission table and make changes, if necessary. More information: Checking the Route Permission Table [page 33] ● Maximum number of clients reached: The SAProuter cannot open the connection because it has already opened the maximum number of connections. Change the maximum setting or start another SAProuter. More information: Setting Up More Connections [page 34] More Information Connection Setup Errors [page 34] Connection Terminations [page 40] Other Errors [page 43] Checking the Route Permission Table One of the most common error messages is the following: LOCATION SapRouter on myhost ERROR Route Permission Denied TIME ..... .... .... A connection has not been set up because SAProuter does not allow the route concerned. SAProuter 7.10 33 SAP Online Help 29.10.2007 Procedure Check the route permission table of this SAProuter (on host myhost) carefully and change it, if necessary. You can find out which working directory the running SAProuter and the route permission table are in with Option -l / -L. Remember that the first entry in the route permission table for which source address, target address, and target port match is decisive. You can import a modified route permission table with Option -n (new saprouttab). More Information Route Permission Table [page 23] Option -l / -L [page 56] Option -n (new saprouttab) [page 54] Setting Up More Connections SAProuter does not accept a connection and outputs the following error message: LOCATION SapRouter on myhost ERROR maximum number of clients reached TIME ..... .... .... This means that SAProuter cannot accept any further clients because the maximum number has been reached (default 800). However, SAProuter continues running with all other clients. Procedure In order not to have to restart SAProuter (and thereby end all existing connections), you should perform a soft shutdown of the SAProuter using Option -p. SAProuter then continues running on a different port. SAProuter can then be started on the old port, possibly with a larger number of clients. It will then accept clients again. If you would like to automate this procedure, you can start SAProuter using Option -Y <n>. A new SAProuter is started automatically every time the client table becomes full. More Information Option -p (Soft-Shutdown) [page 58] Option -C <clients> [page 62] Option -Y <n> [page 64] Connection Setup Errors The following errors can occur during the connection setup: ● Connect fails because the server is not running SAProuter 7.10 34 SAP Online Help 29.10.2007 ● TCP/IP connect takes too long (longer than the timeout -W value) ● Route setup takes too long (longer than the timeout -W value) ● No route permission for the connection ● Error on the subsequent host These errors are described below with possible solutions. Connect fails (server not running) The log file contains the following entries: SAProuter Log File Thu Jun 14 13:18:22 2007 CONNECT FROM C9/- host 10.66.66.90/35169 (host2.company.corp) Thu Jun 14 13:18:22 2007 CONNECT TO (host1) S9/17 host 10.66.66.91/3299 Thu Jun 14 13:18:22 2007 CONNECT ERR S9/17 connection refused Thu Jun 14 13:18:22 2007 DISCONNECT (host1) S9/17 host 10.66.66.91/3299 The client issues the error message below. SAProuter Error Message *********************************************************************** * LOCATION SAProuter 39.1 (SP3) on 'ld8060' * ERROR partner '10.66.66.91:3299' not reached * TIME Thu Jun 14 13:18:22 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -92 * MODULE nixxi.cpp * LINE 3068 * DETAIL NiPConnect2: 10.66.66.91:3299 * SYSTEM CALL connect * ERRNO 111 * ERRNO TEXT Connection refused * COUNTER 4 * *********************************************************************** Background and Further Analysis On the server side, there is no program running that listens to the IP address 10.66.66.91 and port 3299 (LISTEN). Check that the host name/IP address and server name/port number are correct. If they are correct, the right server is being reached but it appears that the program to which the connection should be established is not running. Check that the SAProuter and the SAProuter 7.10 35 SAP Online Help 29.10.2007 system or corresponding program on the server is running and is using the correct port (OS command netstat -an). TCP/IP connect takes too long (longer than the timeout -W value) The log file contains the following entries: SAProuter Log File Thu Jun 14 13:22:01 2007 CONNECT FROM C10/- host 10.66.66.90/41060 (host2.company.corp) Thu Jun 14 13:22:01 2007 CONNECT TO (1.1.1.1) S10/18 host 1.1.1.1/3299 Thu Jun 14 13:22:06 2007 CONNECT ERR connection within 5s S10/18 could not establish Thu Jun 14 13:22:06 2007 DISCONNECT (1.1.1.1) S10/18 host 1.1.1.1/3299 The client issues the error message below. SAProuter Error Message *********************************************************************** * LOCATION SAProuter 39.1 (SP3) on 'ld8060' * ERROR connection to 1.1.1.1:3299 timed out * TIME Thu Jun 14 13:22:06 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -5 * MODULE nirout.cpp * LINE 6548 * * DETAIL within RTPENDLIST::timeoutPend: could not establish connection * 5s (ROUTED) * COUNTER 6 *********************************************************************** Background and Further Analysis In this example, the TCP/IP connection from the SAProuter to the next node (the next SAProuter, a system, or another network component) could not be established within a specified timeout period. This error can occur if the server host is down or the IP address of the host cannot be reached. It can also be due to the network failing to establish the TCP/IP connection within 5 seconds (the timeout value defined in option -W). You might be able to solve this problem by using a greater value for option -W. More information: Expert Options in SAProuter Options [page 51]. Route setup takes too long The SAProuter is able to connect to the next host using TCP/IP, but the next host takes too long to establish the route to the destination. It receives no NI_PONG (confirmation that the route has been established) within the -W timeout period. SAProuter 7.10 36 SAP Online Help 29.10.2007 The log file contains the following entries: SAProuter Log File Thu Jun 14 13:34:19 2007 CONNECT FROM C15/- host 10.66.66.90/41070 (host2.company.corp) Thu Jun 14 13:34:19 2007 CONNECT TO (host3) S15/23 host 10.21.72.60/3299 Thu Jun 14 13:34:24 2007 CONNECT ERR 5s; check SAProuter on 'host3' S15/23 no route completion within Thu Jun 14 13:34:24 2007 DISCONNECT (host3) S15/23 host 10.21.72.60/3299 The client issues the error message below. SAProuter Error Message *********************************************************************** * LOCATION SAProuter 39.1 (SP3) on 'ld8060' * ERROR connection to host3:3299 timed out * TIME Thu Jun 14 13:34:24 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -5 * MODULE nirout.cpp * LINE 6537 * DETAIL RTPENDLIST::timeoutPend: no route completion within 5s * * * (ROUTED) COUNTER 17 *********************************************************************** Background and Further Analysis Find out why the subsequent SAProuter was unable to establish the connection within 5 seconds (in this example). It might be due to slow name resolution, for example. The log and trace files should provide further information on this. In the case of connections using multiple SAProuters in a WAN environment, increase option -W. If multiple SAProuters are involved in setting up a connection and the network response times are relatively high, the default value of 5 seconds is not sufficient to enable the connection to the target system to be established. More information: Expert Options in SAProuter Options [page 51]. No route permission for the connection The SAProuter rejects the connection because the route permission table does not allow it. The log file contains the following entries: SAProuter Log File SAProuter 7.10 37 SAP Online Help 29.10.2007 Thu Jun 14 14:18:20 2007 CONNECT FROM C10/- host 10.66.66.90/63669 (host2.company.corp) Thu Jun 14 14:18:20 2007 PERM DENIED (host2.company.corp) to host1/3254 C10/- host 10.66.66.90 Thu Jun 14 14:18:20 2007 DISCONNECT (host2.company.corp) C10/- host 10.66.66.90/63669 The client issues the error message below. SAProuter Error Message ************************************************************************ LOCATION SAProuter 39.1 (SP3) on 'ld8060' * ERROR * ld8060: route permission denied (host2.company.corp to host1, 3254) * * TIME Thu Jun 14 14:18:20 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -94 * COUNTER 5 *********************************************************************** Background and Further Analysis Check the route permission table [page 33] Error on the subsequent host This error does not occur on the local SAProuter. Instead, it occurs on a subsequent host. Messages of the following type appear in the log of the local SAProuter: SAProuter Log File Thu Jun 14 14:42:53 2007 CONNECT FROM C10/- host 10.66.66.90/30005 (host2.company.corp) Thu Jun 14 14:42:53 2007 CONNECT TO (host3) S10/18 host 10.21.72.60/3299 Thu Jun 14 14:42:54 2007 CONNECT ERR 'SAProuter 37.15 on hs0126' S10/18 NIEROUT_INTERN on Thu Jun 14 14:42:54 2007 DISCONNECT (host3) S10/18 host 10.21.72.60/3299 The client issues the error message below. SAProuter Error Message SAProuter 7.10 38 SAP Online Help 29.10.2007 *********************************************************************** * LOCATION SAProuter 37.15 on hs0126 * ERROR partner not reached (host 10.66.66.91, service 3298) * TIME Thu Jun 14 14:42:54 2007 * RELEASE 640 * COMPONENT NI (network interface) * VERSION 37 * RC -93 * MODULE nixxi.cpp * LINE 8724 * DETAIL NiPConnect2 * SYSTEM CALL SiPeekPendConn * ERRNO 239 * ERRNO TEXT Connection refused * COUNTER 5 * *********************************************************************** Or SAProuter Log File Thu Jun 14 14:40:28 2007 CONNECT FROM C9/- host 10.66.66.90/24016 (host2.company.corp) Thu Jun 14 14:40:28 2007 CONNECT TO (host3), *** NATIVE ROUTING *** S9/17 host 10.21.72.60/3299 Thu Jun 14 14:40:28 2007 CONNECT ERR S9/17 NIEROUT_PERM_DENIED on 'SAProuter 39.0 on 'host3'', *** NATIVE ROUTING *** Thu Jun 14 14:40:28 2007 DISCONNECT (host3), *** NATIVE ROUTING *** S9/17 host 10.21.72.60/3299 SAProuter Error Message *********************************************************************** * LOCATION SAProuter 39.0 on 'host3' * ERROR host3: route permission denied (host2.company.corp to * host1, 3253) * * TIME Thu Jun 14 14:40:28 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -93 * COUNTER 3 ********************************************************************** SAProuter 7.10 39 SAP Online Help 29.10.2007 Background and Further Analysis Check the log and trace files on the SAProuter where the error occurred if the information already provided is not sufficient. The SAProuter error message that is normally displayed on the client contains information on the error. The LOCATION line tells you the location of the error. More Information Connection Terminations [page 40] Other Errors [page 43] SAProuter Options [page 51] Connection Terminations Connection terminations can be triggered from both the client side and the server side. Connection Terminations from the Server Side The following entries appear in the log file when a connection termination is triggered from the server side (if the local SAProuter is the client). SAProuter Log File Thu Jun 14 16:08:47 2007 CONNECT FROM C18/- host 10.66.66.90/24761 (host2.company.corp) Thu Jun 14 16:08:47 2007 CONNECT TO (host2) S18/10 host 10.21.83.41/3299 Thu Jun 14 16:08:47 2007 ESTABLISHED S18/10 Thu Jun 14 16:08:58 2007 DISCONNECT (host2) S18/10 host 10.21.83.41/3299 The client issues the error message below. SAProuter Error Message SAProuter 7.10 40 SAP Online Help 29.10.2007 ************************************************************************ LOCATION SAProuter 39.0 on 'host2' * ERROR connection to partner '10.21.72.60:3298' broken * TIME Thu Jun 14 16:08:58 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -95 * MODULE nixxi.cpp * LINE 4660 * DETAIL NiIRead: P=10.21.72.60:3298; L=??? * SYSTEM CALL recv * ERRNO 232 * ERRNO TEXT Connection reset by peer * COUNTER 17 * *********************************************************************** Or SAProuter Log File Thu Jun 14 16:09:50 2007 CONNECT FROM C19/- host 10.66.66.90/24847 (host2.company.corp) Thu Jun 14 16:09:50 2007 CONNECT TO (ldp007) S19/11 host 10.21.72.60/3298 Thu Jun 14 16:09:50 2007 ESTABLISHED S19/11 Thu Jun 14 16:10:02 2007 DISCONNECT (ldp007) RST S19/11 host 10.21.72.60/3298 The client issues the error message below. SAProuter Error Message SAProuter 7.10 41 SAP Online Help 29.10.2007 *********************************************************************** * LOCATION SAProuter 39.1 (SP3) on 'host1' * ERROR connection to partner '10.21.72.60:3298' broken * TIME Thu Jun 14 16:10:02 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -95 * MODULE nixxi.cpp * LINE 4660 * DETAIL NiIRead: P=10.21.72.60:3298; L=10.66.66.90:24848 * SYSTEM CALL recv * ERRNO 104 * ERRNO TEXT Connection reset by peer * COUNTER 10 * *********************************************************************** Connection Terminations from the Client Side The following entries appear in the log file when a connection termination is triggered from the client side (if the local SAProuter is the server). Thu Jun 14 16:13:20 2007 CONNECT FROM C20/- host 10.66.66.90/24849 (host2.company.corp) Thu Jun 14 16:13:20 2007 CONNECT TO (host2) S20/12 host 10.21.83.41/3299 Thu Jun 14 16:13:20 2007 ESTABLISHED S20/12 Thu Jun 14 16:13:43 2007 DISCONNECT (host2.company.corp) RST C20/12 host 10.66.66.90/24849 There is no error message with errInfo because the error is on the client side. Background and Further Analysis The DISCONNECT entry in the log file tells you the side where the connection termination was triggered. You can use this information to find the node/program that first closed the connection. The trace file for this program contains more information on the cause of the connection termination. In some cases, the connection between the two programs can be terminated without either side triggering the termination. For example, this is the case if two SAProuters with a direct TCP/IP connection both record that the other side triggered the connection termination. This means that an active network component between the two programs terminated the TCP/IP connection. The network component concerned is often a firewall or a router with an idle timeout. If this occurs, check the network. The DISCONNECT log entry also tells you whether or not the connection was closed in a TCP/IP-compliant manner. 'RST' at the end of the line indicates an RST package or a retransmit timeout. This means that the other side or an active network component between the two sides of the TCP/IP connection ended the connection incorrectly. This can be caused by the program crashing, the connection being closed too early at application level, or a firewall. SAProuter 7.10 42 SAP Online Help 29.10.2007 More Information Connection Setup Errors [page 34] Other Errors [page 43] Other Errors The following errors occur only rarely. The descriptions below aim to help you to analyze and eliminate these errors. ● The SAProuter receives incorrect data. This can happen if the route is too short or if the system overlooks the fact that the connection is to a SAProuter rather than a backend connection. ● The SAProuter receives the route information too late (TCP/IP connection setup was successful). ● The SAProuter is the client and it receives an incorrect response from the server. ● The SAProuter is the server and it receives the data from the client too early. ● SNC is not active for a forwards connection. ● SNC is not active for a backwards connection. Incorrect data sent to the SAProuter The log file contains the following entries: SAProuter Log File Thu Jun 14 09:55:36 2007 CONNECT FROM C10/- host 10.66.66.90/34506 (host1.company.corp) Thu Jun 14 09:55:36 2007 INVAL DATA C10/- route expected Thu Jun 14 09:55:36 2007 DISCONNECT (host1.company.corp) C10/- host 10.66.66.90/34506 The client issues the error message below. SAProuter Error Message SAProuter 7.10 43 SAP Online Help 29.10.2007 *********************************************************************** * LOCATION SAProuter 39.1 (SP3) on 'host1' * ERROR internal error * TIME Thu Jun 14 09:55:36 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -93 * MODULE nirout.cpp * LINE 2664 * DETAIL NiRClientHandle: route expected * COUNTER 4 * *********************************************************************** Background and Further Analysis The client program sends incorrect data to the SAProuter. This is usually the case if the client assumes that it is already communicating with the target system but the connection was actually established to an SAProuter that has to wait for a route first. Check the parameters for the connection setup on the client. Route sent too late The connection setup (connect) was successful but the client sends the route to the SAProuter too late, or the client assumes that it is already connected to the server and is waiting for data, or the timeout -W is exceeded. The log file contains the following entries: SAProuter Log File Thu Jun 14 12:27:27 2007 CONNECT FROM C11/- host 10.66.66.90/35087 (host1.company.corp) Thu Jun 14 12:27:32 2007 CONNECT ERR 5s C11/- no route received within Thu Jun 14 12:27:32 2007 DISCONNECT (host1.company.corp) C11/- host 10.66.66.90/35087 The client issues the error message below. SAProuter Error Message SAProuter 7.10 44 SAP Online Help 29.10.2007 *********************************************************************** * LOCATION SAProuter 39.1 (SP3) on 'host1' * ERROR connection timed out * TIME Thu Jun 14 12:27:32 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -5 * MODULE nirout.cpp * LINE 6519 * DETAIL RTPENDLIST::timeoutPend: no route received within 5s * * * (CONNECTED) COUNTER 5 *********************************************************************** Background and Further Analysis This error can occur if the client does not send the route quickly enough after the TCP/IP connect to the SAProuter. This might be caused by the client hanging temporarily. Incorrect response from the server If a server-side program other than a SAProuter responds, or if the back end responds, the SAProuter cannot use the response. It needs another SAProuter as the server. The log file contains the following entries: SAProuter Log File Thu Jun 14 13:59:43 2007 CONNECT FROM C9/- host 10.66.66.90/46915 (host1.company.corp) Thu Jun 14 13:59:43 2007 CONNECT TO (host2) S9/17 host 10.66.66.91/3253 Thu Jun 14 13:59:43 2007 CONNECT ERR during route completion S9/17 invalid data form server Thu Jun 14 13:59:43 2007 DISCONNECT (host2) S9/17 host 10.66.66.91/3253 The client issues the error message below. SAProuter Error Message SAProuter 7.10 45 SAP Online Help 29.10.2007 *********************************************************************** * LOCATION SAProuter 39.1 (SP3) on 'host1' * ERROR internal error * TIME Thu Jun 14 13:59:43 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -93 * MODULE nirout.cpp * LINE 2694 * DETAIL NiRClientHandle: invalid data from server 'host2' during * * * route completion COUNTER 3 *********************************************************************** Background and Further Analysis Check the parameters for the connection setup on the client. Data received too early from the client If the SAProuter, as the server, receives data from the client before the route is established, the following entries appear in the log file: SAProuter Log File Thu Jun 14 14:15:00 2007 CONNECT FROM C10/- host 10.66.66.90/52640 (host1.company.corp) Thu Jun 14 14:15:00 2007 CONNECT TO (host2) S10/18 host 10.66.66.91/3253 Thu Jun 14 14:15:00 2007 CONNECT ERR during route completion C10/18 invalid data form client Thu Jun 14 14:15:00 2007 DISCONNECT (host1.company.corp) C10/18 host 10.66.66.90/52640 The client issues the error message below. SAProuter Error Message SAProuter 7.10 46 SAP Online Help 29.10.2007 *********************************************************************** * LOCATION SAProuter 39.1 (SP3) on 'host1' * ERROR internal error * TIME Thu Jun 14 14:15:00 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -93 * MODULE nirout.cpp * LINE 2688 * DETAIL NiRClientHandle: invalid data from client * * * 'host1.company.corp' during route completion COUNTER 5 *********************************************************************** Background and Further Analysis The client program is behaving incorrectly. Check for a more recent version of the client program. Data received too early from the server The log file contains the following entries: SAProuter Log File Thu Jun 14 13:59:43 2007 CONNECT FROM C9/- host 10.66.66.90/46915 (host1.company.corp) Thu Jun 14 13:59:43 2007 CONNECT TO (host2) S9/17 host 10.66.66.91/3253 Thu Jun 14 13:59:43 2007 CONNECT ERR during route completion S9/17 invalid data form server Thu Jun 14 13:59:43 2007 DISCONNECT (host2) S9/17 host 10.66.66.91/3253 The client issues the error message below. SAProuter Error Message SAProuter 7.10 47 SAP Online Help 29.10.2007 *********************************************************************** * LOCATION SAProuter 39.1 (SP3) on 'host1' * ERROR internal error * TIME Thu Jun 14 13:59:43 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -93 * MODULE nirout.cpp * LINE 2694 * DETAIL NiRClientHandle: invalid data from server 'host2' during * * * route completion COUNTER 3 *********************************************************************** Background and Further Analysis Check the version of the SAProuter on the server side and update the program if necessary. SNC not active for a forwards connection The log file contains the following entries: Client Side Thu Jun 14 17:16:40 2007 CONNECT FROM C18/- host 10.66.66.90/30891 (host1.company.corp) Thu Jun 14 17:16:40 2007 CONNECT TO S18/10 host 10.18.211.3/3299 (10.18.211.3) (p:CN=D039768, O=SAP-AG, C=DE) Thu Jun 14 17:16:40 2007 CONNECT ERR NIESNC_FAILURE S18/10 forwarding route failed Thu Jun 14 17:16:40 2007 DISCONNECT (host1.company.corp) C18/10 host 10.66.66.90/30891 Server Side Thu Jun 14 17:16:40 2007 CONNECT FROM C9/- host 10.18.211.3/1168 (host3.wdf.sap.corp) Thu Jun 14 17:16:40 2007 DISCONNECT (host3.wdf.sap.corp) C9/- host 10.18.211.3/1168 SAProuter Error Message on Client Sire SAProuter 7.10 48 SAP Online Help 29.10.2007 *********************************************************************** * LOCATION SAProuter 39.1 (SP3) on 'host3' * ERROR SNC processing failed: * SNC not enabled * * TIME Thu Jun 14 17:16:40 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -104 * MODULE nisnc.c * LINE 566 * DETAIL NiSncOpcode: NISNC_REQ * COUNTER 2 *********************************************************************** Background and Further Analysis The SAProuter on the server side has not activated SNC. Restart the SAProuter on the server side with the option –K mysncname. SNC not active for a backwards connection The log file contains the following entries: Client Side Thu Jun 14 17:08:19 2007 CONNECT FROM C9/- host 10.66.66.90/30883 (host1.company.corp) Thu Jun 14 17:08:19 2007 CONNECT TO (10.18.211.3) S9/17 host 10.18.211.3/3299 Thu Jun 14 17:08:19 2007 CONNECT ERR 'SAProuter 39.1 (SP3) on 'host3'' S9/17 NIESNC_FAILURE on Thu Jun 14 17:08:19 2007 DISCONNECT (10.18.211.3) S9/17 host 10.18.211.3/3299 Server Side Thu Jun 14 17:08:19 2007 CONNECT FROM C12/- host 10.18.211.3/1119 (host3.wdf.sap.corp) Thu Jun 14 17:08:19 2007 CONNECT TO (host2) S12/20 host 10.66.66.91/3253 Thu Jun 14 17:08:19 2007 CONNECT ERR 'SAProuter 39.1 (SP3) on 'host3'' C12/20 NIECONN_BROKEN on Thu Jun 14 17:08:19 2007 DISCONNECT (host3.wdf.sap.corp) C12/20 host 10.18.211.3/1119 SAProuter Error Message on Client Sire SAProuter 7.10 49 SAP Online Help 29.10.2007 *********************************************************************** * LOCATION SAProuter 39.1 (SP3) on 'host3' * ERROR SNC processing failed: * SNC not enabled * * TIME Thu Jun 14 17:08:19 2007 * RELEASE 710 * COMPONENT NI (network interface) * VERSION 39 * RC -104 * MODULE nisnc.c * LINE 586 * DETAIL NiSncOpcode: NISNC_ACC * COUNTER 4 *********************************************************************** Background and Further Analysis The SAProuter on the client side has not activated SNC. Restart the SAProuter on the client side with the option –K mysncname. Further Information SNC - Secure Network Communication [page 12] Option -K <mysncname> [page 59] SAP Notes for SAProuter As a rule, always refer to the relevant SAP Notes if you experience problems with SAProuter. You will find these on the SAP Service Marketplace. Note Number Content 0029684 STFK: Route permission denied 0062636 saprouter terminates on ending UNIX session 0063342 List: NI error codes 0164937 NiPBind: service 'sap????' in use 0104576 Package filter between ITS and R/3 0042692 Test tool for RFC links: sapinfo 0066168 Required documents when analyzing RFC problems 0025917 Changes to /etc/hosts are not accepted 0147021 "Address already in use" due to TCP state 0037211 ftp not via SAProuter : "connection refused" SAProuter 7.10 50 SAP Online Help 29.10.2007 You can also search for SAP Notes under component BC-CST-NI to find current corrections in the SAProuter environment. Reference The reference section of the SAProuter documentation contains the following information: ● A complete overview of the SAProuter options: start options, administration options for a running SAProuter, and so on: SAP Router Options [page 51] ● A technical description of the implementation of SAProuter in the NI layer of the SAP kernel: NI and SAProuter Implementation [page 66]. More Information What is SAProuter? [page 6] SAProuter Options Use SAProuter provides a number of optional functions. They consist of a letter, which is specified when SAProuter is called (syntax: UNIX/Windows: saprouter -<option>, syntax System i: saprouter -'<option>'), or is sent to a running SAProuter. The following describes how they are used and the default values. Features There are administrative options (lowercase), additional options, and expert options (uppercase). The various options can be combined by specifying an administrative option and any number of other options. Under system options must be enclosed in inverted commas. For example, to stop the SAProuter, enter saprouter '-s'. Administrative Options Administrative options — with the exception of the startup functions -r and -a <lib> — are sent to a running SAProuter. It then executes the appropriate function. The command saprouter -r (System i: saprouter '-r') starts the SAProuter. The following list gives you an overview of the administrative options: Option Meaning Option -s (stop saprouter) [page 54] Stop SAProuter Option -n (new saprouttab) Re-read in the route permission table SAProuter 7.10 51 SAP Online Help 29.10.2007 [page 54] Option -t (toggle trace) [page 54] Changing the trace level Option -c<n> (cancel connection n) [page 56] Terminate connection n Option -l / -L [page 56] Display route information Option -d (dump buffers) [page 58] Write detailed information from the internal buffers to the trace file Option -f (flush buffers) [page 58] Reset internal buffers Option -p [page 58] Carry out soft shutdown Option -a <lib> [page 59] Use external library More information: Starting the SAProuter [page 17]. Additional Options The additional options — with one exception — are indicated by uppercase letters. They can be combined with each other and with an administrative option, as long as this makes sense. Most additional options are used when the SAProuter is started. The ways in which the options can be combined are indicated in the sections in which they are described. If an invalid combination of SAProuter options is specified, SAProuter behaves as if only saprouter was specified and displays the online help. The additional options can also be omitted, as there are default values that are specified for each option. Features The following options are available: Option Meaning Default Value Option -R <routtab> [page 59] File name and path of the route permission table ./saprouttab (UNIX and System i) <lwk>:\usr\sap\saprouter\s aprouttab (Windows) Option -K <mysncname> [page 59] Use of SNC: SNC name of the host on which the SAProuter is running - Option -G<logfile> [page 60] Name and path of the SAProuter log file No log file Option -J<size in bytes> [page 60] Size restriction for SAProuter log file No size restriction Option -T<tracefile> [page 61] Name and path of the SAProuter trace file dev_rout in the directory of the SAProuter Option -V<tracelev> [page 61] Trace level of the SAProuter 1 Option -E [page 61] Update trace and log files instead of overwriting them - (Trace and log files are overwritten when the SAProuter is restarted) Option -S <service> [page 61] Service (port) on which the SAProuter runs 3299 SAProuter 7.10 52 SAP Online Help 29.10.2007 Option -C <clients> [page 62] Maximum number of client that the SAProuter administrates. Note: ● This value cannot exceed 2048 ● 2 Clients make a connection 800 Option -D [page 62] Deactivate DNS reverse lookup - Option -6 (enable IPv6) [page 63] Activate IPv6 support Option -Z [page 63] Suppress exact error message while opening connection Option -I <address> [page 63] Establish external connection, if there are several network cards. - Option -Y <n> [page 64] n number of times an SAProuter automatically restarts if the client table is overfilled SAProuter is not automatically restarted (case n=1) Option -H <host name> [-P <password>] [page 64] Name of the host to which the SAProuter listens; password protection for route information (see Option -l / -L [page 56]) - Option -A <initstring> [page 65] String transfer to the external library, if available (see Option -a <lib> (start with external library) [page 59]) - Option -M <min>.<max> [page 66] A port area for outgoing connection - Expert Options SAProuter has some expert options, which are described below. Use these options only after consulting SAP or if you are very experienced in this area. The following expert options are available: Command Function Default -B <bufsize> Maximum queue length per client 1 NI package -Q <queuesize> Maximum heap space for NI package 20,000,000 bytes -W <waittimeL> Timeout for blocking network calls (if there is an 5000 msec error) Activities Call SAProuter with the desired functions using the following commands: UNIX/Windows: saprouter [-<adm>] [-<opt>] System i: saprouter '[-<adm>] [-<opt>]' SAProuter 7.10 53 SAP Online Help 29.10.2007 If an invalid combination of SAProuter options is specified, SAProuter behaves as if only saprouter was specified and displays the online help. Option -s (stop saprouter) Use This function is used to stop a running SAProuter. Integration If the SAProuter to be stopped is not running on the default service 3299, the service has to be made known with option -S <service> [page 61] . The commands saprouter -s -S 3299 and saprouter -s (System i: : saprouter '-s -S 3299' and saprouter '-s') have the same effect. Option -n (new saprouttab) Use The command saprouter -n (System i: saprouter '-n') is used to inform the running SAProuter of changes to the route permission table: It causes the table with the name specified in Option -R <routtab> [page 59] (default saprouttab) to be transferred again. If you would like to enter, for example, other restrictions in the route permission table, you do not have to stop and restart SAProuter, but you can use this function. The new route permission table does not affect connections which already exist! Even if the existing connection is not allowed according to the new table, it remains in place! More Information Creating a Route Permission Table [page 22] Option -t (toggle trace) Use This function is used to toggle the trace level of a running SAProuter. Trace levels 1, 2 and 3 exist. If the trace level was 1, it is now increased to 2, and if it was 2 or 3, it is decreased to 1. You can also activate the trace for individual connections (see below). SAProuter 7.10 54 SAP Online Help 29.10.2007 Integration When SAProuter is started, the trace level is selected with option -V<tracelev> [page 61]. Connection Trace You can also activate the trace for individual connections. For these connections the information is written with trace level 2. The connetion is traced using an enhanced syntax of option –t. You have the following options: Command Meaning saprouter -t "on <id>" <id> is the number of the connection. You can see this number when you display the connection information (saprouter -l). This command activates the trace for this (existing) connection. More information: Option -l / -L [page 56] saprouter -t "off <id>" Deactivates the trace for connection with number <id>. saprouter -t "on <IPaddress>" Activates the trace for all new connections coming from the IP address <IPaddress>. You use this option if the connection is not yet open and you are looking the for connection setup information. saprouter -t "off <IPaddress>" Deactivates the trace for all new connections coming from the IP address <IPaddress>. saprouter -t "on <subnet>" <subnet> specifies a set of IP addresses. The command activates the trace for all new connections coming from this subnetwork. You can find more information about IP address masks in: IP Address Formats [external] saprouter -t "off <subnet>" Deactivates the trace for all new connections coming from this subnetwork. Trace ID in the Connection Overview Connections for which the trace is activated are marked with an asterisk in the connection overview (to to display the overview enter command saprouter -l). You can find the trace information in the trace file dev_rout. You activate the trace for connection number 4 by sending the command saprouter -t "on 4" to the active SAProuter. Then you call saprouter -l to display the connections. You get the following output: SAP Network Interface Router running on port 3299 (PID = 1576962) Started on: Wed Apr 13 09:00:10 2005 ID CLIENT service SAProuter | PARTNER 7.10 55 SAP Online Help 29.10.2007 ------------------------------+-----------------------------7 localhost | (no partner) 6 10.18.203.8 3227 | 10.17.74.118 4 *10.18.203.8 3227 | 10.17.74.118 2 10.18.203.8 3227 | 10.17.74.118 Total no. of clients: 7 Working directory : /usr/sap/PRD/work Routtab : ./saprouttab The * is the trace for connection 4. Further Information Option -l / -L [page 56] Option -c<n> (cancel connection n) Use Internally, each connection using SAProuter has a number, which can be seen with option -l / -L [page 56] . This function can be used to close a connection. The command saprouter -c 2 (System i: saprouter '-c 2') closes the connection with the (internal) number 2. Option -l / -L Use You use the function saprouter -l (System i: saprouter '-l') to make the SAProuter display route information on screen. saprouter -L (System i: saprouter '-L') gives you more detailed information. The information contains the following: ● A table with the connection number, client, partner, and service for each existing connection Connections for which the connection trace is activated are marked with an asterisk (*). More information: Option -t (toggle trace) [page 54] ● The total number of clients, the working directory in which SAProuter is running, and the path of the Route Permission Table [page 23]. SAProuter 7.10 56 SAP Online Help ● 29.10.2007 The PID and the port of the parent, if the SAProuter was started by another SAProuter process (For more information, see Starting the SAProuter [page 17] and Option -Y <n> [page 64].) If you want to display the SAProuter information from a remote host, you should use the option -H <hostname> [-P <password>] [page 64]. Route Details for Several SAProuters If you are running several SAProuter processes, and you want to display the route details of a SAProuter other than the last one started, use option Option -S <service> [page 61] and specify the port. You can find out the port of the SAProuter preceding the current one by using the option -l (see above). Example If you specify saprouter –l, the output may look like: Wed Apr 11 09:01:57 2007 SAP Network Interface Router, Version 38.0 Wed Apr 11 09:01:58 2007 peer SAProuter with NI version 38 ... send info-request to running SAProuter ... SAP Network Interface Router running on port 3299 (PID = 1576962) Started on: Wed Apr 13 09:00:10 2005 ID CLIENT | PARTNER service --------------------------------+-----------------------------------7 localhost | (no partner) 6 10.18.203.8 | 10.17.74.118 3227 4 *10.18.203.8 | 10.17.74.118 3227 2 10.18.203.8 | 10.17.74.118 3227 Total no. of clients: 7 Working directory : /net/usr.scratch/d039768/mm/rs6000_64 Routtab : ./saprouttab SAProuter 7.10 57 SAP Online Help 29.10.2007 Option -d (dump buffers) Use If this function is used, detailed information on the host names involved in the connection and their IP addresses is written to the trace file (default dev_rout, or the name specified with option -T<tracefile> [page 61]). The trace file is not overwritten, the information is simply appended at the end. Option -f (flush buffers) Use This function can be used to empty the internal buffer (which is written to the trace file with option -d (dump buffers) [page 58]). Option -p (Soft Shutdown) Use This option can be used to perform a soft shutdown of an SAProuter. SAProuter continues running on another port and can be administrated on this port, but does not accept any logon requests, and terminates automatically when no more clients are connected. The port on which SAProuter was running before (default 3299) is now free. This is useful in the following cases: ● You want to start a new SAProuter without closing all existing connections. ● More connections are required than one SAProuter alone can handle (max. 1018). Therefore, enter the command saprouter –p. Information is then displayed telling you on which port SAProuter can now be administered, and the host on which SAProuter is running. The standard port on which SAProuter is running is port 65000. If it is already assigned or if a port range was already defined for the SAProuter with option -M <min>.<max> [page 66] , a different port is selected. You can start the SAProuter using the Option -r -Y <n> [page 64]. This has the effect that the existing SAProuter is automatically moved to another port and a new SAProuter is started. The new SAProuter then accepts incoming connections on this port. SAProuter 7.10 58 SAP Online Help 29.10.2007 Option -a <lib> (Start with External Library) Use This option is not sent to a running SAProuter, but is used to start SAProuter with an external library. <lib> is the relative path name of the library. A string can also be passed to the library with option -A <initstring> [page 65]. Note that SAP cannot guarantee support if you use an external library. Please contact the vendor of the external library if you have problems. Option -R <routtab> Use You can use the saprouter -R <path> (System i: saprouter '-R <pfad>') option to specify the file containing the route permission table. If nothing is specified, SAProuter searches the file ● ./saprouttab (UNIX and System i) ● <lwk>:\usr\sap\saprouter\saprouttab (Windows) The route permission table is essential for SAProuter (version >= 23). If it is not found, SAProuter terminates with an appropriate message. If you want to permit all connections, you must specify the following single-line route permission table: P * * * More Information Creating a Route Permission Table [page 22] Option -K <mysncname> Use For SNC connections to be possible with SAProuter, SAProuter must be started with this option: saprouter -r -K <mysncname> (System i: saprouter '-r -K <mysncname>'). There must also be a KT entry in the route permission table [page 23] specifying that connections with a certain host (whose SNC name is known) should be SNC connections. <mysncname> is the SNC name of the host on which the SAProuter is running. Further Information SNC - Secure Network Communication [page 12] SAProuter 7.10 59 SAP Online Help 29.10.2007 Example of a Route Permission Table with SNC [page 26] Option -G< log file> Use If you want to use Logging in the SAProuter [page 27], you can start your SAProuter with this option and specify a log file. UNIX/Windows: saprouter -r -G <log file> System i: saprouter '-r -G <log file>' <logfile> is the name (relative path name) you specify for the log file. All important activities, such as starting the connection and runtime operations, are logged in this file: ● Connection from (client name/address) ● Connection to (partner name/address) ● Partner service ● Start time ● End time ● Connection requests rejected after checking the route permission table [page 23]. You can restrict the size of the log file in Option -J<size in bytes> [page 60]. If the SAProuter can no longer write to the log file, because for instance the hard drive is full, for security reasons it switches to soft shutdown mode (it does not accept any new connections, see Option -p (Soft Shutdown) [page 58]). If this option is not used, a log file is not created. Example In section Logging im SAProuter [page 27] you can find an example of a log file. Option -J<size in bytes> Use This option enables you to restrict the size of the log file and archive the resulting files. If you do not use this option, the log file can become as large as is necessary. Prerequisites You are using a log file (see Option -G<logfile> [page 60]). Features If you use this option, once the log file reaches the defined size, it is renamed to <logfile name>_a_<start date>_<start time>-<end date>_<end time>. SAProuter 7.10 60 SAP Online Help 29.10.2007 Option -T<tracefile> Use A trace file is used to search for and correct errors. It logs in detail - the higher the trace level (see Option -V<tracelev> [page 61] ), the more detailed the information - what SAProuter does. From this, you can see in which function an error occurred, why a connection was not established, etc. When you start SAProuter, you can specify a trace file: UNIX/Windows: saprouter -r -T <trace file> System i: saprouter '-r -T <trace file>' A trace file always exists. If the option is not used, the trace file dev_rout in the working directory is used. It resides in the working directory of the SAProuter. Option -V<tracelev> Use This option is used to set the trace level when SAProuter is started: UNIX/NT: saprouter -r -V3 System i: saprouter '-r -V3' for example, starts SAProuter with trace level 3. With the trace level you can specify how detailed the information in the trace file should be: 1 means very little information, 3 very detailed information. The name of the trace file can be set with option -T<tracefile> [page 61] . You can change the trace level while SAProuter is running with option -t (toggle trace) [page 54]. Trace levels 1, 2, and 3 are available, and the default value is 1. Option -E Use This option is used to prevent old trace files and log files from being overwritten when the SAProuter is restarted. If you start the SAProuter with option –E (saprouter –r -E), the SAProuter updates all existing log and trace files. Option -S <service> Use The option -S <service> is used to specify the service (port) on which SAProuter runs (default 3299). This means the SAProuter can be started on any other service: saprouter - SAProuter 7.10 61 SAP Online Help 29.10.2007 r -S 4444 (System i: saprouter '-r -S 4444') starts the SAProuter on the local host on service 4444. If you then want to perform administrative tasks on this SAProuter, the service must also be specified. Option -C <clients> Use You can use this function to set the maximum number of clients. The default setting is 800, the maximum value is 2039. Note that two clients correspond to one connection; that is max 400 connections are preset and max. 1019 connections are possible. If you want to run 1000 connections with your SAProuter, start SAProuter as follows: UNIX/Windows: saprouter -r -C 2000 System i: saprouter '-r -C 2000' If you would like to have more connections than the maximum (1019), you can “move” SAProuter to another port with option -p [page 58] and start a new SAProuter on this port. These limitations are obviously only valid if smaller values for the number of connections have not been set in the operating system. Therefore you must take the operating system parameters into consideration. As of SAProuter version 37 significant higher values are possible, up to 16000 (with the exception of System i). But make sure that only one thread process is involved. For this reason having more than about 1000/1500 clients is not at all practical. With many connections you can work better with Option -Y <n> [page 64], which distributes the connections across several processes. Option -D Prerequisites You are using at least SAProuter version 36.7, which is version 36, patch level 6. The section Installing SAProuter [page 12] describes where you can find the latest SAProuter. Use With this option you can set the IP addresses so that they are not broken up by incoming connections in the SAProuter. This can result in better performance for SAProuters, with which connections from many different clients are established. However, if this option is used, only the IP addresses are visible in the log (client-side). SAProuter 7.10 62 SAP Online Help 29.10.2007 Option -6 (enable IPv6) Prerequisites You have at least SAProuter version 38.0. The section Installing SAProuter [page 12] describes where you can find the latest SAProuter. Use With this option you can activate the Internet Protocol version 6 (IPv6) for the SAProuter. The SAProuter can then open and manage both IPv4 and IPv6 connections. Option -Z Prerequisites You have at least SAProuter version 38.0. The section Installing SAProuter [page 12] describes where you can find the latest SAProuter. Use With this option you can specify that any errors occurring while opening the connection are not reported in detail to the client. The same error text is then always returned to the caller regardless of the error (connection could not be opened, route is not permitted. host name could not be resolved, and so on). The client receives the following error text that the connection could not be established: ********************************************************************* * LOCATION SAProuter * ERROR route could not be established * TIME Tue Sep * RELEASE 0 * COMPONENT NI (network interface) * RC -92 * 5 15:38:57 2006 ********************************************************************* Option -I <address> Prerequisites You are using at least SAProuter version 37. The section Installing SAProuter [page 12] describes where you can find the latest SAProuter. Use If a computer has several network interfaces, you can use this option to determine which interface is used to establish external connections. For example, this can be useful for SAProuter 7.10 63 SAP Online Help 29.10.2007 firewalls between two networks. In this way you can specify that the connection is established in one specific network only. The specified address must be a local interface. Option -Y <n> Use You use this function to force the SAProuter to automatically start a new SAProuter if the client table is full when the SAProuter is started. This allows you to circumvent the limit of 1000 clients. saprouter -r -Y <n> The number n specifies the maximum number of times a new SAProuter can be started. Value of n Meaning 0 A new SAProuter is started every time the client table becomes full. 1 SAProuter never starts automatically. n>1 SAProuter is started a maximum of n times when the client table becomes full. You can use this value to control the amount of SAProuter restarts. Integration Use Option -l / -L [page 56] to display information on the running SAProuter. This information tells you, among other things, whether the SAProuter was started, and if so, which SAProuter process started the SAProuter. Prerequisites You have not yet started the SAProuter. Note that you cannot send this option to a running SAProuter. You can only specify it before the SAProuter starts. Example If you want to run a high number of connections via the SAProuter (more than 1000), you can use the following option to start the SAProuter: saprouter -r -Y 0 -C 2000 If this option is set, a new SAProuter is automatically started if the client table becomes full. New connections can then use this new SAProuter. Option -H <host name> [-P <password>] Use This option has two uses: ... SAProuter 7.10 64 SAP Online Help 29.10.2007 1. You can define the option when you start SAProuter: saprouter -r -H <hostname> (System i: saprouter '-r -H <hostname>'). This means that SAProuter only responds to the IP address of host <hostname>; if option -S does not define any other value, this is default port 3299. If SAProuter is started without option -H, it responds to all IP addresses of this host. <hostname> can also be an IP address. The host myhost has two IP addresses: a1 und a2. The call saprouter -r (System i: saprouter '-r') causes SAProuter to respond to a1/3299 and a2/3299. The call saprouter -r -H a2 (System i: saprouter '-r -H a2') causes SAProuter to respond only to a2/3299. If you started SAProuter with option H <hostname>, of course you also have to define the host name for administration. For example, if you want to use a new route permission table, you must enter saprouter -n -H <hostname> (System i: saprouter '-n -H <hostname>'). 2. You can use this option in a running SAProuter to get SAProuter information (displayed with the option -l / -L [page 56]) from a remote host. A password may be required, which is then entered with option -P <password> (System i: Option '-P <password>'). SAProuter then checks its route permission table [page 23] to determine whether the route is allowed with this password, and if it is displays the information. SAProuter is running on host_sr, port 3299 (default). You would like to display the SAProuter information (list of all SAProuter clients, for example) from the host myhost. Enter the command saprouter -l -H host_sr -P pass (System i: saprouter '-l -H host_sr -P pass '). SAProuter checks whether its route permission table contains the entry P myhost host_sr 3299 pass Do_Destroy. If it does, the SAProuter information is displayed on your host myhost. Integration If the SAProuter is running on a port other than the default port 3299, you can specify this in the command line with option -S <service> [page 61]. Option -A <initstring> Use This option is only required in connection with option -a <lib> [page 59]. If SAProuter is started with an external library, a string can be passed to this library with option -A <initstring> (System i: option '-A <initstring>') . SAProuter 7.10 65 SAP Online Help 29.10.2007 Option -M <min>.<max> Use You can use this option to specify a port range for outgoing connections. For example, the command saprouter -r -M 1.1023 only allows outgoing connections from ports 1 to 1023 (reserved for root under UNIX). Integration You can use this option to increase security. More information: What is SAProuter? [page 6] NI and SAProuter Implementation The following documentation gives a detailed technical description of the implementation of the SAP Network Interface (NI) and SAProuter. SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP Systems, or between SAP Systems and external networks. SAProuter controls the access to your network (application level gateway), and, as such, is a useful enhancement to an existing firewall system (port filter). See also: What is SAProuter? [page 6] The documentation covers the following topics: Communication Modes [page 66] Route Connects [page 67] Route Strings [page 21] Buffered Connection Handles [page 68] Select Sets [page 69] SNC - Secure Network Communication [page 12] NI Keepalive [page 69] NI Error Information [page 69] NI Control Messages [page 69] Common Settings for Sockets [page 70] Communication Modes The network interface supports a platform independent interface to communicate between SAP systems. NI knows the following different operation modes: SAProuter 7.10 66 SAP Online Help 29.10.2007 ● NI_RAW_IO ● NI_MESG_IO ● NI_ROUTE_IO The NI_RAW_IO mode is used to communicate between SAP applications without any further interpretation of the data blocks. The NI_MSG_IO mode is the common used operation mode between SAP applications. The format is also called the SAP Protocol [page 9]. A 4-byte header precedes each data block. These 4 bytes give the length of the data block (length without leading 4 bytes). This value is needed to recognize a complete data block, if underlying layers fragment it. In addition this operation mode knows three special messages. They are recognized by a leading byte-string 'NI_PING\0', 'NI_PONG\0' or 'NI_RTERR\0'. The first two are used for keepalive tests, the third one for error messages (see NI Keepalive [page 69], NI Error Information [page 69] and NI Control Messages [page 69]). Only the SAProuter uses the NI_ROUTE_IO mode. This mode is similar to the NI_MSG_IO mode, but keepalive messages are ignored. This is necessary for the keepalive test passing the SAProuter. Route Connects If the connection should be established over SAProuters, the route information is sent as the first message. The information includes: ● Eye catcher ● Route information version ● NI version ● Operation mode ● Route length ● Total number of nodes on the route ● Pointer to the next hop on the route ● Number of remaining nodes ● Route string The field for the route string contains the whole route, inclusive all previous nodes. For each node, the hostname, service/port and the password is included, separated by null characters. The values for the service/port and the password field may be empty strings. As default port number the value 3299 is used. In the connect phase, the NI layer converts the route string from the input format (see Route Strings [page 21]) into this internal format. The data structure for the message is as follows: Offset Size (bytes) Description and Value 0x00 9 eye catcher ("NI_ROUTE\0") 0x09 1 route information version (current version: 2) SAProuter 7.10 67 SAP Online Help 29.10.2007 0x0a 1 NI version (current version: 36) 0x0b 1 total number of entries (value 2 to 255) 0x0c 1 talk mode (NI_MSG_IO: 0; NI_RAW_IO; 1; NI_ROUT_IO: 2), see Communication Modes [page 66]. 0x0d 2 currently unused field 0x0f 1 number of rest nodes (remaining hops; value 2 to 255) 0x10 4 route length (integer value in net byte order) 0x14 4 current position as an offset into the route string (integer value in net byte order) 0x18 * route string in ASCII Route String Format The internal format of the route string looks like following (ASCII characters): <hostname node 1>\0<port node 1>\0<password node 1>\0<hostname node 2>\0 ... where \0 means the null character. Example of a remote connection "localhost\03300\0test\0sapserv3.wdf.sap-ag.de\0\0\0147.204.100.35\0sapdp01\0\0" with ● node 1: hostname = "localhost"; port = 3300; password = "test" ● node 2: hostname = "sapserv3.wdf.sap-ag.de"; port = 3299 (def.); password = "" ● node 3: host address = 147.204.100.35; service name = "sapdp01"; password = "" After a SAProuter has received the route information, the next destination is extracted from the string. If the connect to the next destination is successful, the same route information is passed with an incremented current position and decremented number of remaining nodes. The own hostname in the string is replaced by the address / hostname of the previous node. This mechanism allows following SAProuters still to extract the whole route. In addition, newer SAProuter will add a leading blank to the hostname. Buffered Connection Handles To hide fragmentation of messages from the application, NI supports buffered connections, which provide the assembly of the fragments. In NI_MESG_IO and NI_ROUTE_IO the data block length is given, which is necessary for buffering the incoming data until the block is completed. NI_RAW_IO does not support buffering. For an incoming data block, the data buffer is created after the first received packet (particularly after receiving the whole data block header; 4 bytes). To prevent running out of memory, a limit for the maximal message length can be set. See also: SAProuter 7.10 68 SAP Online Help 29.10.2007 Communication Modes [page 66] Select Sets A select set is a wrapper around a select or poll implementation. The advantages are, that the user does not have to care about the final implementation (select or poll) and the set stores the status. If events for buffered handles are received, the implementation processes it silently and notifies the user only if a whole data block has arrived or the connection is writable again. Keepalive as well as control messages, packed in error info blocks, can be processed hidden. Most applications, e.g. dispatcher or SAProuter, use these select sets. NI Keepalive In NI a keepalive mechanism is implemented, to check connections between applications. That includes 2 messages, a request and response. The request message contains 8 data bytes, headed by the data length, a 4-byte integer. The data corresponds the ASCII String "NI_PING\0". If the receiver mode is NI_MSG_IO, this packet will be detected as a keepalive request. The receiver is going to reply with the response packet. This response is as long as the request and contains the ASCII sting "NI_PONG\0". The keepalive initiator notes the test as successful, if he receives the response within a specified time interval. NI Error Information If an error occurs or is detected by a node between the client and final destination, an error info packet is sent to the client. A 9-byte eye catcher characterizes this error information; the data is basically an ASCII string. The data structure is formatted as follows: Offset Size Description and Value 0x00 9 eye catcher ("NI_RTERR\0") 0x09 1 NI version (current version: 36) 0x0a 1 operation code (error information: 0; other messages > 0) 0x0b 1 currently unused filed 0x0c 4 return code (integer value in net byte order) 0x10 4 error information text length (integer value in net byte order) 0x04 * error information text in ASCII A user will be notified by the client (e.g. SAP GUI) that an error occurred, the SAProuter just forwards the packet. NI Control Messages Control messages are used for handshakes and other communication, located in the NI layer. These messages are based on the same structure as the NI Error Information [page 69]. None zero operation code indicates a message. The following control messages are known in NI version 36: SAProuter 7.10 69 SAP Online Help 29.10.2007 NI control messages ● NI version request ● NI version response ● NI send handle (4 messages) SNC control messages: ● SNC request from client side ● SNC request from server side ● SNC handshake completed Common Settings for Sockets The sockets created by NI have set several socket settings differently from the operating system defaults. Following setting will be set: ● Non-blocking mode ● Disable Nagle algorithm for client sockets (TCP no delay) ● Allow reuse of address ● No keepalive ● Not remain open across exec (close on exec flag) In addition on some platforms receive and send buffer size is redefined as well. SAProuter Route Permission The SAProuter works with a Route Permission Table [page 23], which is used to authorize route connection. Following properties are essential for the route-check: ● Source IP address ● Destination IP address ● Destination port ● Number of previous SAProuter hops ● Number of remaining SAProuter hops The route permission file is loaded in an internal table during the SAProuter startup. The permission is checked for each accepted connection after receiving the route data. Administrative requests are rejected, if they are not from the local host. Info requests need to be authorized by the route table, too. The permission check works with a first-match-lookup of the route data received against the route table. For a successful lookup source address, destination address and port are required to match. SAProuter 7.10 70 SAP Online Help 29.10.2007 The number of previous and post hops are conditions for the permission, but not essential for the match. The internal table, in which the route table is mapped, has the following fields: ● Type (permitted or denied) ● SNC (secure network communication required or not) ● Native (native protocols permitted or not) ● Previous hops (maximum number of previous hops / SAProuters) ● Post hops (maximum number of following hops / SAProuters) ● Source address ● Source address mask ● Destination address ● Destination address mask ● All destination ports (no port specified) ● Destination port min ● Destination port max ● Password (required password for building up the route) ● SNC name The address masks are set, if a subnet is given in the route file. You find details about the route table in section Route Permission Table [page 23]. Mapping examples of file entries into the internal table are given in Route Table Examples [page 71]. Route Table Examples In this part, few examples are given, how the entries in the route permission file are mapped into the internal table. Table Fields Field Meaning Possible Values t type P = permitted; D = denied; T = SNC target s SNC X = secure network communication required n native X = native protocols permitted shs previous SAProuter hops number dsh post SAProuter hops number s-add source address s-msk source address mask d-add destination address SAProuter 7.10 71 SAP Online Help 29.10.2007 d-msk destination address mask a all destination ports X = no port specified d-p-l destination port min (low) 16-bit integer d-p-m destination port max (high) 16-bit integer pwd password string snc-n SNC name string Example mapping route table file into internal route table The route table file D 10.1.0.0 * * P0,* 10.1.*.* * * S*,0 * 10.2.00001xxx.* * P*,1 * 10.2.*.* * P 10.3.0.0 10.4.*.* 7 P 10.3.0.1 10.4.0.1 * test P 10.3.0.2 localhost * P 10.3.0.3 localhost * info S 10.3.0.4 KT "p:CN=s0" 10.5.0.0 * KD "p:CN=s1" 10.5.0.1 * KP "p:CN=s1" * * KS * 10.5.0.* * D * * * is mapped into the following internal route table: t s n sh s dsh s-add s-msk d-add d-msk a d-p-l d-p-h pw d snc -n En try D ~ ~~ ~ ~~~ a.1. 0.0 00.0 0.00 .00 0.0. 0.0 ff.ff. ff.ff X ~~~~ ~~~ ~~~~ ~~~ * ~~~ ~~~ ~ a P X 0 255 a.1. 0.0 00.0 0.ff .ff 0.0. 0.0 ff.ff. ff.ff X ~~~~ ~~~ ~~~~ ~~~ * ~~~ ~~~ ~ b 25 5 0 0.0. 0.0 ff.f f.ff .ff a.2. 8.0 00.00. 07.ff X ~~~~ ~~~ ~~~~ ~~~ * ~~~ ~~~ ~ c X ~~~~ ~~~ ~~~~ ~~~ * ~~~ ~~~ ~ d 7 7 * ~~~ ~~~ ~ e ~~~~ ~~~ ~~~~ ~~~ te st ~~~ ~~~ ~ f P P X 25 5 1 0.0. 0.0 ff.f f.ff .ff a.2. 0.0 00.00. ff.ff P X 25 5 255 a.3. 0.0 00.0 0.00 .00 a.4. 0.0 00.00. ff.ff P X 25 5 255 a.3. 0.1 00.0 0.00 .00 a.4. 0.1 00.00. 00.00 SAProuter 7.10 X 72 SAP Online Help 29.10.2007 P X 25 5 255 a.3. 0.2 00.0 0.00 .00 7f.0 .0.1 00.00. 00.00 X ~~~~ ~~~ ~~~~ ~~~ * ~~~ ~~~ ~ g P X 25 5 255 a.3. 0.3 00.0 0.00 .00 7f.0 .0.1 00.00. 00.00 X ~~~~ ~~~ ~~~~ ~~~ in fo ~~~ ~~~ ~ h P 25 5 255 a.3. 0.4 00.0 0.00 .00 0.0. 0.0 ff.ff. ff.ff X ~~~~ ~~~ ~~~~ ~~~ * ~~~ ~~~ ~ i T X ~ 25 5 255 0.0. 0.0 ff.f f.ff .ff a.5. 0.0 00.00. 00.00 X ~~~~ ~~~ ~~~~ ~~~ * p:C N=s 0 j D X ~ ~~ ~ ~~~ 0.0. 0.0 ff.f f.ff .ff a.5. 0.1 00.00. 00.00 X ~~~~ ~~~ ~~~~ ~~~ * p:C N=s 1 k P X X 25 5 255 0.0. 0.0 ff.f f.ff .ff 0.0. 0.0 ff.ff. ff.ff X ~~~~ ~~~ ~~~~ ~~~ * p:C N=s 1 l P X 25 5 255 0.0. 0.0 ff.f f.ff .ff a.5. 0.0 00.00. 00.ff X ~~~~ ~~~ ~~~~ ~~~ * ~~ ~ ~~~ 0.0. 0.0 ff.f f.ff .ff 0.0. 0.0 ff.ff. ff.ff X ~~~~ ~~~ ~~~~ ~~~ * D ~ m * ~~~ ~~~ ~ n The entry '~' will specify a filed as not initialized respectively unused. Permission example with permission table above The current SAProuter is running on the host "this" on port 3299. A '*' indicates a parameter without effect. For a match, one of the following conditions for the destination port must be complied: ... 1. Entry 'destination port' is valid and equal with destination port of route 2. Entry 'native' is not set and 'all destination ports' is set, i.e. no destination port specified 3. Entry 'type' is not 'permitted' and 'all destination ports' is set 4. Route has further destination nodes and 'all destination ports' is set Client native 10.1.0.0 * Route Entry P/D Reason /H/this/H/*/S/3299/W/ test a D All connections from host 10.1.0.0 are denied. /H/10.1.0.0/H/this/H/* a D All connections from host 10.1.0.0 are denied. 10.1.0.1 X /H/this/H/10.2.9.0/S/* n D Entry b doesn’t match because ‚native’ is set and the route has no further destinations. 10.1.0.1 X /H/this/H/10.2.9.0/H/*/ S/* b P b matches as the route has further destinations (4.) SAProuter 7.10 73 SAP Online Help 29.10.2007 * X /H/10.1.0.1/H/this/H/1 0.2.9.0/S/* n D No match with b (native with no further destinations), c (native) and d (native with no further destinations). * X /H/10.1.0.1/H/this/H/1 0.2.9.0/H/*/S/* b D Matches b but has one previous hop, so denied. /H/this/H/10.2.9.0/S/* c P Matches c (2.) 10.9.0.0 10.9.0.0 X /H/this/H/10.2.9.0/S/* n D Does not match c (native with no further destinations) 10.9.0.0 X /H/this/H/10.2.9.0/H/*/ S/* c D Matches c (4.), is denied because it is native (type S). 10.9.0.0 /H/this/H/10.2.9.0/H/*/ S/* c D Matches c (2.), is denied because no following hop is allowed. 10.9.0.0 /H/this/H/10.2.7.0/H/*/ S/* d P Doesn’t match c because of IP address; matches d (2.) /H/this/H/10.4.0.0/S/7 e P Matches e (1.) /H/this/H/10.4.0.0/S/7 e P Matches e (1.) /H/this/H/10.4.0.0/H/*/ S/7 n D Doesn’t match e because the port 7 must be used on host 10.4.0.0 (see 1.) /H/this/H/10.4.0.1/H/* f D Matches e, is denied because password test is missing 10.3.0.0 X 10.3.0.0 10.3.0.0 10.3.0.1 SAProuter X 7.10 74