SAP router manual


Description: Instructions for installing saprouter on an IBM OS/400.

Installation of SAPROUTER on OS/400

Document Version: $Revision: #16 $, $DateTime: 2015/05/18 09:56:33 $

Notation used throughout this document

When describing CL commands, as usual the '+' sign indicates lines to be continued. Do not type the '+' sign when typing these commands in interactive mode using the command entry panel. You must type the '+' sign when the command is entered in a CL source file which will be compiled afterwards.

Components needed on OS level

Option 33 (PASE, 64-Bit) must be installed.

Software needed from SAP Service Marketplace

1. The SAPEXE.SAR package.
   You need some parts from the SAPEXE.SAR package. You can download it from the Software Download Area at the SAP Service Marketplace: "Additional Components" -> SAP Kernel -> SAP Kernel 64-Bit -> SAP Kernel 7.21 64-Bit -> OS/400 -> #database independent. Here you need the package SAPEXE_<nnn>.SAR; get the one with the highest patch level; it must be at least 500.

2. The SAPCAR program.
   (a) In order to extract the downloaded SAP software you need the program SAPCAR. If you do not have it available on your IBM i system, you can download it from the Software Download Area at the SAP Service Marketplace: "Additional Components" -> SAPCAR -> SAPCAR 7.21 -> OS/400. After downloading the SAPCAR package from the marketplace (SAPCAR_<nnn>-########.EXE), simply rename it as SAPCAR and move it to the /tmp/ directory on your IBM i system. Then proceed:
   (b) Log on with QSECOFR.
   (c) Perform these steps:

          CALL QP2TERM
          umask 022
          mkdir -p /usr/local/bin
          cp /tmp/SAPCAR /usr/local/bin/
          chmod 0755 /usr/local/bin/SAPCAR
          rm /tmp/SAPCAR

3. Documentation for SAPROUTER using the sapcrypto library.
   The document https://support.sap.com/remote-support/help/installing-saprouter.html describes the general steps in the setup of SAPROUTER with the sapcrypto library for all supported operating systems. The text you are reading now is largely based on this document; therefore we strongly recommend to carefully check this document for more up-to-date information.
   Please also have a look at the following documents on the Service Marketplace:
   - https://service.sap.com/saprouter/. General information about SAPROUTER setup; however, the OS/400-specific parts are outdated.
   - http://service.sap.com/saprouter-sncdoc/. This is an older generic documentation for the installation of the SAPROUTER using Secure Network Connection (SNC) with the sapcrypto library, which doesn't include the OS/400 specifics. The links and general information may still be of interest for you.

SAP notes needed

1. From 04/15/2015 11:00 AM CET until 07/18/2015 you need to get SAP note 2131531. Attached to that note you will find the old SAProuter SMP Root CA certificate; it is the file smprootca.der. Copy this file to the /tmp/SRT/ directory of your IBM i system.

Installing the contents of the packages on the IBM i system

1. Log on as user QSECOFR.
2. Create a user profile and a group profile on your IBM i that will be used to run the SAPROUTER. In this document we call the user profile SAPRTADM; its primary group will be SAPRTGRP. Do not use more than eight characters for the profile names, to avoid some difficulties which otherwise might arise with the PASE subsystem:

       CRTUSRPRF USRPRF(SAPRTGRP) PASSWORD(*NONE) USRCLS(*PGMR) +
          TEXT('Group Profile for SAPROUTER')
       CRTUSRPRF USRPRF(SAPRTADM) PASSWORD(XXXXXXXX) USRCLS(*PGMR) +
          TEXT('User to run SAPROUTER') SPCAUT(*SAVSYS) PWDEXPITV(*NOMAX) +
          GRPPRF(SAPRTGRP) GRPAUT(*USE) GRPAUTTYP(*PGP)
       GRTOBJAUT OBJ(RSTOBJ) OBJTYPE(*CMD) USER(SAPRTADM) AUT(*USE)
       /* GRTOBJAUT OBJ(RSTLIB) OBJTYPE(*CMD) USER(SAPRTADM) AUT(*USE) */
       CRTDIR DIR('/HOME/SAPRTADM') DTAAUT(*EXCLUDE) OBJAUT(*NONE)
       CHGOWN OBJ('/HOME/SAPRTADM') NEWOWN(SAPRTADM)
       CHGPGP OBJ('/HOME/SAPRTADM') NEWPGP(SAPRTGRP)
       CHGAUT OBJ('/HOME/SAPRTADM') USER(SAPRTADM) DTAAUT(*RWX)
       CHGAUT OBJ('/HOME/SAPRTADM') USER(SAPRTGRP) DTAAUT(*RX)
       CHGAUT OBJ('/HOME/SAPRTADM') USER(*PUBLIC) DTAAUT(*NONE)

3. Create an IFS directory for SAPROUTER (we call it /usr/sap/saprtrpase here, but you may choose any name you want); do not forget to back up an existing /usr/sap/saprtrpase:

       CALL QP2TERM
       umask 022
       # Save /usr/sap/saprtrpase to /usr/sap/saprtrpase-<timestamp>:
       test -d /usr/sap && cd /usr/sap && test -e saprtrpase && \
          mv saprtrpase saprtrpase-$(date +%Y%m%d%H%M%S)
       # Create a new empty /usr/sap/saprtrpase directory:
       mkdir -p /usr/sap/saprtrpase
       chown SAPRTADM:SAPRTGRP /usr/sap/saprtrpase
       chmod 02750 /usr/sap/saprtrpase

4. In one of the next steps we will create a library LIBROUTER containing the objects needed by SAPROUTER; the name used is an example, you can choose any name you want. Please back up any existing library LIBROUTER, so that you are able to restore it if the procedure described here should fail:

       /* Create a backup library LIBROUTER@: */
       DLTLIB LIB(LIBROUTER@)                                   /* May fail */
       RNMOBJ OBJ(LIBROUTER) OBJTYPE(*LIB) NEWOBJ(LIBROUTER@)   /* May fail */

   The last command must only fail if LIBROUTER does not exist. Otherwise check if LIBROUTER is still in use.
5. Log out.
6. Log on as user SAPRTADM.
7. Create a new empty library LIBROUTER for SAPROUTER:

       CRTLIB LIB(LIBROUTER)

8. Copy the downloaded SAPEXE.SAR package to an IFS directory; in this document we assume that the package has been saved to the /tmp/SRT/ directory.
9. Extract the package; it is named like SAPEXE_<nnn>-<number>.SAR, where <nnn> is the version of the package and <number> is an internally used number. In the following we will name such a package SAPEXE_<nnn>.SAR:

       CALL QP2TERM
       umask 002
       PATH=/usr/local/bin:${PATH}; export PATH
       cd /usr/sap/saprtrpase
       mkdir SAPEXE
       chmod 02770 SAPEXE
       cd SAPEXE
       SAPCAR -xvf /tmp/SRT/SAPEXE_<nnn>.SAR   # Subst. <nnn> by the correct num.
       cd ..                                   # Mind the ..
       ln -s SAPEXE/libsapcrypto.o .           # Mind the .
       ln -s SAPEXE/saprouter .                # Mind the .
       ln -s SAPEXE/niping .                   # Mind the .
       ln -s SAPEXE/sapgenpse .                # Mind the .
       ln -s SAPEXE/ILE_TOOLS .                # Mind the .

10. Build up the ILE library:

       CLRLIB LIB(QTEMP)
       CPYFRMSTMF FROMSTMF('/usr/sap/saprtrpase/ILE_TOOLS') +
          TOMBR('/QSYS.LIB/QTEMP.LIB/ILE.FILE') MBROPT(*REPLACE)
       RSTOBJ OBJ(*ALL) SAVLIB(QTEMP) DEV(*SAVF) OBJTYPE(*PGM *CMD) +
          SAVF(QTEMP/ILE)
       CRTDUPOBJ OBJ(ILEWRAPPER) FROMLIB(QTEMP) OBJTYPE(*PGM) +
          TOLIB(LIBROUTER) NEWOBJ(SAPROUTER)
       CRTDUPOBJ OBJ(ILEWRAPPER) FROMLIB(QTEMP) OBJTYPE(*PGM) +
          TOLIB(LIBROUTER) NEWOBJ(NIPING)
       CRTDUPOBJ OBJ(ILEWRAPPER) FROMLIB(QTEMP) OBJTYPE(*PGM) +
          TOLIB(LIBROUTER) NEWOBJ(SAPGENPSE)
       CRTDUPOBJ OBJ(CMDMAINP) FROMLIB(QTEMP) OBJTYPE(*PGM) +
          TOLIB(LIBROUTER)
       CRTDUPOBJ OBJ(SAPROUTER) FROMLIB(QTEMP) OBJTYPE(*CMD) +
          TOLIB(LIBROUTER)
       CLRLIB LIB(QTEMP)

11. In order to work correctly with SAPROUTER, you need some kind of logon or configuration program, an example of which is outlined here; feel free to modify it according to your needs:

       CRTSRCPF FILE(LIBROUTER/QCLSRC) MBR(LOGON)

    Using e.g.

       EDTF FILE(LIBROUTER/QCLSRC) MBR(LOGON)

    write the following CL program into the LOGON member, allowing for lower case, as the /QOpenSys file system is case-sensitive:

       PGM
         DCL VAR(&USER) TYPE(*CHAR) LEN(10)
         CHGCURLIB LIBROUTER
         CHGCURDIR DIR('/usr/sap/saprtrpase')
         RTVUSRPRF *CURRENT RTNUSRPRF(&USER)
         ADDENVVAR PASE_PATH +
            VALUE('/usr/sap/saprtrpase:/QOpenSys/usr/bin') +
            REPLACE(*YES)
         ADDENVVAR PASE_LIBPATH +
            VALUE('/usr/sap/saprtrpase/SAPEXE:/QOpenSys/usr/lib') +
            REPLACE(*YES)
         ADDENVVAR SECUDIR +
            VALUE('/usr/sap/saprtrpase') +
            REPLACE(*YES)
         ADDENVVAR SNC_LIB +
            VALUE('/usr/sap/saprtrpase/libsapcrypto.o') +
            REPLACE(*YES)
         ADDENVVAR USER +
            VALUE(&USER) +
            REPLACE(*YES)
       ENDPGM

    Create the CL program:

       CRTBNDCL PGM(LIBROUTER/LOGON) SRCFILE(LIBROUTER/QCLSRC) SRCMBR(LOGON) +
          DBGVIEW(*ALL)

12. Create the IFS file /usr/sap/saprtrpase/saprouttab according to your needs and the requirements of SAPROUTER with SNC (see below).

Creating a secure network connection (SNC) if needed

The tool sapgenpse

The main tool to work with when creating a secure network connection is the program SAPGENPSE.
It has several subcommands:

- The command gen_pse is used to generate the saprouter's PSE (Personal Security Environment) file, which includes the public and private key pair and a public-key certificate. A synonym for this command is get_pse.
  If you are using a trusted CA, then you can also use the gen_pse command to generate a certificate request. Per default, all of the items are generated; however, you can use the options -noreq or -onlyreq to explicitly include or omit the certificate request.
  Generating a public/private key pair stored in the new PSE file <dir>/local.pse:

     CALL PGM(SAPGENPSE) PARM('gen_pse' +
        '-noreq' '-p' '<dir>/local.pse' '-x' '<PIN>' '<DN>')

  Where <PIN> is an arbitrary passphrase which protects the PSE file from unauthorized access and <DN> is the Distinguished Name or SNC name:

     <DN> := CN=<common name>, OU=<organizational unit>, O=<organization>, C=<country>

  Example:

     CN=ABC, OU=Test, O=MyCompany, C=DE

  So a valid call to SAPGENPSE could be

     CALL PGM(SAPGENPSE) PARM('gen_pse' '-noreq' '-p' '/tmp/ex.pse' +
        '-x' '123456789U_u' 'CN=ABC, OU=Test, O=MyCompany, C=DE')

  Generating a certificate request for the public key stored in the PSE specified by the -p parameter and storing it into the IFS file given by the -r parameter:

     CALL PGM(SAPGENPSE) PARM('gen_pse' +
        '-onlyreq' '-p' '<dir>/local.pse' '-x' '<PIN>' '-r' '<file>')

  Example:

     CALL PGM(SAPGENPSE) PARM('gen_pse' '-onlyreq' '-p' '/tmp/ex.pse' +
        '-x' '123456789U_u' '-r' '/tmp/reqf')

- The command import_own_cert is used to import the CA response to a PKCS#10 certification request:

     CALL PGM(SAPGENPSE) PARM('import_own_cert' +
        '-c' '<file>' '-p' '<dir>/local.pse' '-x' '<PIN>')

- The command maintain_pk is used to display, add to, or delete certificates from the PKList of a PSE. All of the certificates (public keys) in the PKList are fully trusted.
  To add a single certificate from <file>:

     CALL PGM(SAPGENPSE) PARM('maintain_pk' +
        '-a' '<file>' '-p' '<dir>/local.pse' '-x' '<PIN>')

  Example:

     CALL PGM(SAPGENPSE) PARM('maintain_pk' '-a' '/tmp/smprootca.der' +
        '-p' '/tmp/ex.pse' +
        '-x' '123456789U_u')

  Output:

     maintain_pk for PSE "/tmp/ex.pse"
     Subject : CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE
     PKList updated (1 entries total, 1 newly added)

- The command export_own_cert is used to export the own certificate from the PSE to the file <file>:

     CALL PGM(SAPGENPSE) PARM('export_own_cert' +
        '-o' '<file>' '-p' '<dir>/local.pse' '-x' '<PIN>')

How to proceed

1. Go to: http://service.sap.com/saprouter-sncadd -> Trust Center Service in Detail -> SAProuter Certificates -> "Apply Now!" button, and get the Distinguished Name for your SAPROUTER from the list of SAProuters registered for your installation.
   The Distinguished Name normally is structured this way:

       <DN> = CN=<hostname>, OU=<installation number>, OU=SAProuter, O=SAP, C=DE

2. Choose an arbitrary PIN or passphrase to protect the PSE files that will be generated in the following steps. These files are containers for the private and public keys used to encrypt and decrypt the communication and should therefore be protected by a PIN.
3. Log on as SAPRTADM.
4. Build up the correct environment:

       CALL PGM(LIBROUTER/LOGON)

5. Now create your private/public key pair:

       CALL PGM(SAPGENPSE) PARM('gen_pse' '-v' +
          '-noreq' '-p' 'local.pse' '-x' '<PIN>' '<DN>')

   It is stored in the IFS file /usr/sap/saprtrpase/local.pse.
   Please keep in mind that here you have to use single quotes around the distinguished name and not double quotes. You also have to provide the PIN via parameter -x, because the program SAPGENPSE has no interactive mode on IBM i to request a missing PIN.
6. Now you create the SSO (Single Sign-On) credentials for the SAPROUTER by another SAPGENPSE subfunction, namely seclogin:

       CALL PGM(SAPGENPSE) PARM('seclogin' '-x' '<PIN>' '-p' 'local.pse')

   The credentials are only valid for the currently logged-in user, which must be SAPRTADM. They are stored in the file /usr/sap/saprtrpase/cred_v2. For increased security change its permissions so that it is only accessible by the OS user SAPRTADM which will be running the SAPROUTER:

       CHGAUT OBJ('/usr/sap/saprtrpase/cred_v2') USER(SAPRTADM) DTAAUT(*RW)
       CHGAUT OBJ('/usr/sap/saprtrpase/cred_v2') USER(SAPRTGRP) DTAAUT(*NONE)
       CHGAUT OBJ('/usr/sap/saprtrpase/cred_v2') USER(*PUBLIC) DTAAUT(*NONE)

   Check its permissions:

       DSPAUT OBJ('/usr/sap/saprtrpase/cred_v2') SYMLNK(*NO)

   This should give you an output like this:

                                   Display Authority
       Object . . . . . . . . . . . . :   /usr/sap/saprtrpase/cred_v2
       Type . . . . . . . . . . . . . :   STMF
       Owner  . . . . . . . . . . . . :   SAPRTADM
       Primary group  . . . . . . . . :   SAPRTGRP
       Authorization list . . . . . . :   *NONE

                             Data     --Object Authorities--
       User       Authority  Exist  Mgt  Alter  Ref
       *PUBLIC    *EXCLUDE
       SAPRTADM   *RW          X     X     X     X
       SAPRTGRP   *NONE        X     X     X     X

   In the same way check the authorities of the file /usr/sap/saprtrpase/local.pse:

       DSPAUT OBJ('/usr/sap/saprtrpase/local.pse') SYMLNK(*NO)

   This should give you an output like this:

                                   Display Authority
       Object . . . . . . . . . . . . :   /usr/sap/saprtrpase/local.pse
       Type . . . . . . . . . . . . . :   STMF
       Owner  . . . . . . . . . . . . :   SAPRTADM
       Primary group  . . . . . . . . :   SAPRTGRP
       Authorization list . . . . . . :   *NONE

                             Data     --Object Authorities--
       User       Authority  Exist  Mgt  Alter  Ref
       *PUBLIC    *EXCLUDE
       SAPRTADM   *RW          X     X     X     X
       SAPRTGRP   *NONE        X     X     X     X

   The CHGAUT step should not be necessary for the local.pse file.
7. Generate the certificate request with the following command:

       CALL PGM(SAPGENPSE) PARM('gen_pse' '-v' +
          '-onlyreq' '-p' 'local.pse' '-x' '<PIN>' '-r' 'certreq')

   It is stored in the IFS file /usr/sap/saprtrpase/certreq.
8. Display the output file certreq

       DSPF STMF('/usr/sap/saprtrpase/certreq')

   and with copy & paste insert the certificate request, including the lines -----BEGIN... and -----END..., into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name. In response you will receive the certificate signed by the CA in the Service Marketplace; cut & paste the text to a local file named /usr/sap/saprtrpase/srcert. As this signed certificate is quite long, it might be better to create this file with a PC-based text editor and then upload it via NetServer/400. You can now install the certificate in your SAPROUTER with the following call:

       CALL PGM(SAPGENPSE) PARM('import_own_cert' '-c' 'srcert' +
          '-x' '<PIN>' '-p' 'local.pse')

9. From 04/15/2015 11:00 AM CET until 07/18/2015 you also need to import the old SAProuter Root CA manually:
   The old SAProuter SMP Root CA certificate is attached to SAP note 2131531. It is the file smprootca.der. Copy this file to the /tmp/SRT/ directory of your IBM i.
   Import the old SAProuter SMP Root CA certificate as trusted into your PSE:

       CALL PGM(SAPGENPSE) PARM('maintain_pk' '-a' '/tmp/SRT/smprootca.der' +
          '-x' '<PIN>' '-p' 'local.pse')

   This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.
   You should see an output like:

       maintain_pk for PSE "/usr/sap/saprtrpase/local.pse"
       Subject : CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE
       PKList updated (1 entries total, 1 newly added)

10. Check that the certificate has been imported correctly:

       CALL PGM(SAPGENPSE) PARM('get_my_name' '-v' '-n' 'Issuer')

    The name of the Issuer should be:

       CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

    After 04/15/2015 the name of the Issuer should be:

       CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE

    If this is not the case, delete the files cred_v2, local.pse, srcert and certreq (they are in the IFS directory /usr/sap/saprtrpase) and start over with item 5, "Now create your private/public key pair". If the output still does not match, please open an incident at component XX-SER-NET stating the actions you have taken so far and the output of the commands following "Generate the certificate request".
11. You can check the expiration date of your certificate as follows:

       CALL PGM(SAPGENPSE) PARM('get_my_name')

    These certificates are only valid for one year, so don't forget to create and install a new one in good time; otherwise it won't be possible to use the connection to SAP any longer. If you should experience any problems, please open a customer message in component BC-OP-AS4, describing what you have done so far and giving the output of each command you used.

Creating the saprouttab

Additional actions are necessary before you can start SAPROUTER. You have to set up a new saprouttab as described in the following document: http://service.sap.com/saprouter-sncdoc. Please edit the saprouttab as follows:

       EDTF STMF('/usr/sap/saprtrpase/saprouttab')

The simplest saprouttab without any security is

       # SAPROUTTAB without any security --- use only for testing
       P * * *
       # EOF

You should only use it to test your basic setup.

An example of a saprouttab which gives access only to a specific SAP system is this one (without SNC):

       # SAPROUTTAB
       ###
       # P/S/D <source-host> <dest-host> <dest-serv> <password>_opt
       ###
       # Allow access from anywhere to SAP system running on host hostX
       # with system number 61:
       #
       P * hostX 3261
       # EOF

Example saprouttab for SNC connections registered to sapserv2 in Germany:

       # SNC connection to and from SAP
       KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
       # SNC connection to local system for R/3-Support
       # R/3 Server:   192.168.1.1
       # R/3 Instance: 00
       KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200
       # SNC connection to local WINDOWS system for WTS, if applicable
       # Windows server:   192.168.1.2
       # Default WTS port: 3389
       KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389
       # SNC connection to local UNIX system for SAP telnet, if applicable
       # UNIX server:         192.168.1.3
       # Default Telnet port: 23
       KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23
       # SNC connection to local portal system for URL access, if applicable
       # Portal server: 192.168.1.4
       # Port number:   50003
       KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.4 50003
       # Access from the local Network to SAP
       P 192.168.*.* 194.39.131.34 3299
       # deny all other connections
       D * * *

Example saprouttab for SNC connections registered to sapserv9 in Singapore:

       # SNC connection to and from SAP
       KT "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 169.145.197.110 *
       # SNC connection to local system for R/3-Support
       # R/3 Server:   192.168.1.
       # R/3 Instance: 00
       KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200
       # SNC connection to local WINDOWS system for WTS, if applicable
       # Windows server:   192.168.1.2
       # Default WTS port: 3389
       KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389
       # SNC connection to local UNIX system for SAP telnet, if applicable
       # UNIX server:         192.168.1.3
       # Default Telnet port: 23
       KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23
       # SNC connection to local portal system for URL access, if applicable
       # Portal server: 192.168.1.4
       # Port number:   50003
       KP "p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE" 192.168.1.4 50003
       # Access from the local Network to SAP
       P 192.168.*.* 169.145.197.110 3299
       # deny all other connections
       D * * *

Running the saprouter

1. Log on as SAPRTADM.
2. Build up the correct environment:

       CALL PGM(LIBROUTER/LOGON)

3. Now you can start the SAPROUTER either using Secure Network Connection (SNC) or without Secure Network Connection:
   With SNC:

       CALL PGM(SAPROUTER) PARM('-r' '-R' '/usr/sap/saprtrpase/saprouttab' +
          '-K' 'p:<DN>')

   Without SNC:

       CALL PGM(SAPROUTER) PARM('-r' '-R' '/usr/sap/saprtrpase/saprouttab')

   Per default the SAPROUTER will listen to TCP port 3299. You may change this by using the additional -S option when starting SAPROUTER.

To test the fundamental functionality of the SAPROUTER which runs on hostA, assume that there is an SAP system running on hostX with system number 61 and that we are using one of the non-SNC saprouttabs mentioned above. Then the connection from the local SAPGUI running on your PC via hostA to hostX (PC -> hostA -> hostX(61)) can be tested by using this SAPROUTER string in your SAPGUI:

       /H/hostA/H/hostX/S/3261

or

       /H/hostA/S/<port>/H/hostX/S/3261

For automation purposes, you might want to submit a program via SBMJOB into batch; otherwise an interactive terminal session will be blocked by the SAPROUTER. To this end write the following CL program into the member RUNSAPRTR of LIBROUTER/QCLSRC.
With SNC:

       PGM
         CALL PGM(LIBROUTER/LOGON)
         CALL PGM(SAPROUTER) PARM('-r' '-R' '/usr/sap/saprtrpase/saprouttab' +
            '-K' 'p:<DN>')
       ENDPGM

Without SNC:

       PGM
         CALL PGM(LIBROUTER/LOGON)
         CALL PGM(SAPROUTER) PARM('-r' '-R' '/usr/sap/saprtrpase/saprouttab')
       ENDPGM

and create the program RUNSAPRTR in library LIBROUTER:

       CRTBNDCL PGM(LIBROUTER/RUNSAPRTR) SRCFILE(LIBROUTER/QCLSRC) +
          SRCMBR(RUNSAPRTR) DBGVIEW(*ALL)

So you may submit this program as a batch job:

       SBMJOB CMD(CALL PGM(LIBROUTER/RUNSAPRTR)) USER(SAPRTADM)

Cleaning up the directory /tmp/SRT/

In a final step you may want to clean up the directory by removing the SAR archives you downloaded from the SAP Service Marketplace.

Troubleshooting

Problems with SNC

1. Log on as SAPRTADM.
2. Build up the correct environment:

       CALL PGM(LIBROUTER/LOGON)

3. Provide the output of the following commands:

       CALL PGM(SAPGENPSE) PARM('seclogin' '-l')

   Typical output:

       running seclogin with USER="SAPRTADM"
        0: CN=<hostname>, OU=##########, OU=SAProuter, O=SAP, C=DE
           /usr/sap/saprtrpase/local.pse
           Options: LIFETIME=Wed, 12 Feb 2014 10:16:10 (GMT)  DIRACCESS=FALSE  CRLCHECK=FALSE
       1 readable SSO-Credentials available

   Typical error messages:

       seclogin: No SSO credentials available

   or

       running seclogin with USER="SAPRTADM"
        0 (LPS:OFF): CN=<hostname>, OU=##########, OU=SAProuter, O=SAP, C=DE
           (LPS:OFF): /usr/sap/saprtrpase/local.pse NOT readable for SAPRTADM
       NO readable SSO-Credentials available (total 1)

       CALL PGM(SAPGENPSE) PARM('get_my_name' '-n' 'validity')

   Typical output:

       SSO for USER "SAPRTADM" with PSE file "/usr/sap/saprtrpase/local.pse"
       Validity  -  NotBefore:   Tue Feb 12 11:16:10 2013 (130212101610Z)
                    NotAfter:    Wed Feb 12 11:16:10 2014 (140212101610Z)

   Typical error messages:

       get_my_name: no PSE name supplied, no SSO credentials found

   or

       get_my_name: no PSE name supplied, SSO credentials not readable for you!
       running seclogin with USER="SAPRTADM"
        0 (LPS:OFF): CN=<hostname>, OU=##########, OU=SAProuter, O=SAP, C=DE
           (LPS:OFF): /usr/sap/saprtrpase/local.pse NOT readable for SAPRTADM
       NO readable SSO-Credentials available (total 1)
       ILEWRAPPER calling sapgenpse: Nonzero return code of PASE program. (rc=21)
The (error) messages indicate possible problems with your SNC setup:
- SNC setup was not completed.
- The SNC setup was not done as user SAPRTADM.
- You are outside of the validity period of the certificates.

Appendices

Appendix I: How to establish an SNC connection between two SAProuters

To create an SNC connection between two SAProuters running on hostA and hostB respectively, follow these steps:

1. On each of the hosts, substituting X by A and B, do:
   (a) Log on to hostX as SAPRTADM.
   (b) Build up the correct environment:

          CALL PGM(LIBROUTER/LOGON)

   (c) Now create your private/public key pair:

          CALL PGM(SAPGENPSE) PARM('gen_pse' '-v' +
             '-noreq' '-p' 'local.pse' '-x' '<PIN>' 'CN=SRThostX')

       It is stored in the IFS file /usr/sap/saprtrpase/local.pse.
       Please keep in mind that here you have to use single quotes around the distinguished name and not double quotes. You also have to provide the PIN via parameter -x, because the program SAPGENPSE has no interactive mode on IBM i to request a missing PIN.
   (d) Now you create the SSO (Single Sign-On) credentials for the SAProuter by another SAPGENPSE subfunction, namely seclogin:

          CALL PGM(SAPGENPSE) PARM('seclogin' '-x' '<PIN>' '-p' +
             'local.pse')

       The credentials are only valid for the currently logged-in user, which must be SAPRTADM. They are stored in the file /usr/sap/saprtrpase/cred_v2. For increased security change its permissions so that it is only accessible by the OS user SAPRTADM which will be running the SAProuter:

          CHGAUT OBJ('/usr/sap/saprtrpase/cred_v2') USER(SAPRTADM) DTAAUT(*RW)
          CHGAUT OBJ('/usr/sap/saprtrpase/cred_v2') USER(SAPRTGRP) DTAAUT(*NONE)
          CHGAUT OBJ('/usr/sap/saprtrpase/cred_v2') USER(*PUBLIC) DTAAUT(*NONE)

       Check its permissions:

          DSPAUT OBJ('/usr/sap/saprtrpase/cred_v2') SYMLNK(*NO)

       This should give you an output like this:

                                      Display Authority
          Object . . . . . . . . . . . . :   /usr/sap/saprtrpase/cred_v2
          Type . . . . . . . . . . . . . :   STMF
          Owner  . . . . . . . . . . . . :   SAPRTADM
          Primary group  . . . . . . . . :   SAPRTGRP
          Authorization list . . . . . . :   *NONE

                                Data     --Object Authorities--
          User       Authority  Exist  Mgt  Alter  Ref
          *PUBLIC    *EXCLUDE
          SAPRTADM   *RW          X     X     X     X
          SAPRTGRP   *NONE        X     X     X     X

       In the same way check the authorities of the file /usr/sap/saprtrpase/local.pse:

          DSPAUT OBJ('/usr/sap/saprtrpase/local.pse') SYMLNK(*NO)

       This should give you an output like this:

                                      Display Authority
          Object . . . . . . . . . . . . :   /usr/sap/saprtrpase/local.pse
          Type . . . . . . . . . . . . . :   STMF
          Owner  . . . . . . . . . . . . :   SAPRTADM
          Primary group  . . . . . . . . :   SAPRTGRP
          Authorization list . . . . . . :   *NONE

                                Data     --Object Authorities--
          User       Authority  Exist  Mgt  Alter  Ref
          *PUBLIC    *EXCLUDE
          SAPRTADM   *RW          X     X     X     X
          SAPRTGRP   *NONE        X     X     X     X

       The CHGAUT step should not be necessary for the local.pse file.
   (e) Export your own public key to the file router_X.cer:

          CALL PGM(SAPGENPSE) PARM('export_own_cert' +
             '-o' 'router_X.cer' '-p' 'local.pse' '-x' '<PIN>')

2. Copy host_A:/usr/sap/saprtrpase/router_A.cer to host_B:/usr/sap/saprtrpase/ and copy host_B:/usr/sap/saprtrpase/router_B.cer to host_A:/usr/sap/saprtrpase/.
   Then on each of the hosts you will have the files router_A.cer and router_B.cer in the IFS directory /usr/sap/saprtrpase/.
3. Now you have to add each other's key to the list of trusted public keys:
   On host_A

       CALL PGM(LIBROUTER/LOGON)
       CALL PGM(SAPGENPSE) PARM('maintain_pk' +
          '-a' 'router_B.cer' '-p' 'local.pse' '-x' '<PIN>')

   On host_B

       CALL PGM(LIBROUTER/LOGON)
       CALL PGM(SAPGENPSE) PARM('maintain_pk' +
          '-a' 'router_A.cer' '-p' 'local.pse' '-x' '<PIN>')
4. You need to maintain the saprouttab on each of the hosts:
   On host_A

       # Outbound connections to host_B will use SNC
       KT "p:CN=SRThostB" host_B 3299
       # Allow all inbound connections
       P * * *
       # EOF

   On host_B

       # Accept incoming SNC connections from host_A to any host and any port
       KP "p:CN=SRThostA" * *
       # EOF

5. Start both SAProuters:
   On host_A

       CALL PGM(LIBROUTER/LOGON)
       CALL PGM(SAPROUTER) PARM('-r' '-R' '/usr/sap/saprtrpase/saprouttab' +
          '-K' 'p:CN=SRThostA')

   On host_B

       CALL PGM(LIBROUTER/LOGON)
       CALL PGM(SAPROUTER) PARM('-r' '-R' '/usr/sap/saprtrpase/saprouttab' +
          '-K' 'p:CN=SRThostB')

   Of course you should create CL programs containing these commands.
6. Test the SAProuter connection: the program niping may be used to test the setup.
   (a) Open a new 5250 terminal session to host_B and start niping in server mode:

          CALL PGM(LIBROUTER/LOGON)
          CALL PGM(NIPING) PARM('-s')

       The server listens on TCP port 3298, which could be changed by using the -S parameter.
   (b) Open a new 5250 terminal session to host_A and start niping in client mode:

          CALL PGM(LIBROUTER/LOGON)
          CALL PGM(NIPING) PARM('-c' '-H' +
             '/H/localhost/S/3299/H/host_B/S/3299/H/localhost/S/3298')

       If on host_A (the client side) it returns output like below, the setup is complete:

          Fri May 15 15:37:24 2015
          send and receive 10 messages (len 1000)
          Fri May 15 15:37:25 2015
          ------- times -----
          avg    0.298 ms
          max    0.655 ms
          min    0.251 ms
          Fri May 15 15:37:26 2015
          tr   6545.325 kB/s
          excluding max and min:
          av2    0.260 ms
          tr2  7519.249 kB/s

Appendix II: Help output of sapgenpse

The command CALL PGM(SAPGENPSE) PARM('-h') produces the output:

       SAPGENPSE tool for creation and management of PSE-files and SSO-credentials

       Usage: sapgenpse [-fips on/off] [-h] [-l <lib>] \
                        <command> [-h] [sub-options] ...
         -l <lib>        Path of CommonCryptoLib (libsapcrypto.so) to be used
         -h              Show help text
         -fips on/off    Activate fips mode
         <command>       Command to execute
         -h              Show help text of named command

       All commands that create PSEs or Credentials support the option -lps.
       (These commands are gen_pse, import_p12, import_p8, keytab, seclogin)
       The -lps option enables the usage of the Local Protection Storage (LPS) to
       protect the sensitive information stored in PSEs and Credentials.
       An LPS protected PSE or credential could only be used on the same system
       where it has been created.
       The LPS uses one of the following mechanisms to protect the data:
        - (DP)  The Microsoft Data Protection API, on Windows only
        - (TPM) Trusted Platform Module (TPM), on Linux systems with an installed TPM
        - (INT) Internal protection mechanisms, on all other systems
       It is strongly recommended to use LPS to protect all PSEs and Credentials.
       The command lps_enable can be used to enable LPS on existing PSEs.
       The command seclogin can be used to enable LPS on existing credentials.

       <command> must be one of:
         gen_pse          create new PSE and/or PKCS#10 certification request
                          (same as "get_pse")
         gen_verify_pse   generate a verify PSE
         import_own_cert  import CA response to PKCS#10 certification request
         seclogin         create/add/delete SSO-credentials for a PSE ("cred_v2")
                          or change PIN/Passphrase of a PSE
         get_my_name      show attributes of the user certificate/keytab in a PSE
         maintain_pk      show/add/delete trusted keys/certs in PKList of PSE
         export_own_cert  export the user certificate of a PSE
         import_p12       import a PKCS#12 digital ID transport file
         export_p12       export a PKCS#12 digital ID transport file
         pseconv          convert between PSE format v2 and v4
         import_p8        create new PSE from PKCS#8 private key plus certs
         keytab           manage keyTab in PSE
         cryptinfo        show properties of Secure Login Crypto Kernel
         lps_import       import a PSE (add LPS protection)
         lps_export       export a PSE (remove LPS protection)
         lps_enable       enables LPS protection of a PSE (in-place)
         lps_disable      disables LPS protection of a PSE (in-place)
         lps_show         show LPS protection state of a PSE
         show             show file content and other information

       passing "-h" after a <command> will show further help information

The command CALL PGM(SAPGENPSE) PARM('gen_pse' '-h') produces the output:

       Create a new PSE and a PKCS#10 certification request
       or
       create a (renewal) PKCS#10 certification request for an existing PSE

       Usage: gen_pse -p <PSE> [other-options] [Distinguished name]
       Options:
         -p <PSE>       filename for (new) PSE
         -r <file>      filename for PKCS#10 request (default: stdout)
         -lps           use LPS to protect the new PSE
         -a <alg>       algorithm DSA or RSA (default is RSA)
                        with GOST plugin: GostR3410-2001
         -s <size>      key size in Bits (default = alg-specific, rsa=2048, dsa=1024)
         -x <PIN>       PIN/Passphrase for PSE (default: query interactively)
         -noreq         do not create/print a PKCS#10 certification request
         -onlyreq       create PKCS#10 certification request for an existing PSE
         -2             create PSE format v2
         -4             create PSE format v4
         -h             print this help
         -v             verbose

       Examples:
        - create an lps protected file SAPSNCS.pse with server DName
          (prompts for PSE password)
            sapgenpse gen_pse -lps -p SAPSNCS.pse "CN=SAP Server ABC, C=DE"
        - create PKCS#10 certification request for an existing PSE
            sapgenpse gen_pse -p SAPSNCS.pse -onlyreq -r cert.p10
        - create an lps protected file SAPSNCS1.pse with server DName and PKCS#10 Request
          (prompts for PSE password)
            sapgenpse gen_pse -lps -p SAPSNCS1.pse "CN=SAP Server ABC1, C=DE" -r cert1.p10

The command CALL PGM(SAPGENPSE) PARM('import_own_cert' '-h') produces the output:

       Import the CA-response to a PKCS#10 certification request
       Normally the CA-response should be a PKCS#7 response containing the
       full certification path up to and including the Root CA certificate
       However, a lot of CAs respond with only your signed certificate -- in this
       case you will have to supply one or more additional files with all
       intermediate CA and Root CA certificates that are needed for a complete
       certification path using option -r.

       Usage: import_own_cert -c <file> [other-options]
       Options are:
         -p <PSE>      name of PSE file for which to import the CA-response
                       (default: try PSE from default SSO-credentials)
         -x <PIN>      PIN/Passphrase for PSE (default: try SSO, query interactively)
         -c <file>     file containing the CA response to the PKCS#10 request
                       (PEM, Base64 or DER binary)
         -r <file>     additional file containing Root CA certificate(s)
         -r <file>     "-r" may be used up to 10 times for adding certificates
                       (PEM, Base64 or DER binary)
         -h            print this help
         -v            verbose (use multiple times for more details)

The command CALL PGM(SAPGENPSE) PARM('seclogin' '-h') produces the output:

       Create, display or delete Single Sign-On (SSO) credentials
       or alternatively change the PIN/passphrase on a PSE
       ! Changing a PIN of a PSE will not auto-update the SSO-credential !
       ! Adding a new credential will not auto-update an existing credential !

       Usage: seclogin [<mode>] [<options>]
       One of these <mode>s selects the mode of operation:
         -l            list SSO-credentials
         -r            replace SSO-credentials
                       use this option if the PSE PIN/Passphase has been changed
                       or if your want to change the LPS protection of credentials
         -chpin        change the PIN/passphrase of a PSE
         -d            delete SSO-credentials
         <none>        add an SSO-credential (at the end)
       more Options for -chpin (Change PIN/Passphrase of PSE)
         -p <PSE>      filename for PSE
         -x <PIN>      PIN/Passphrase for PSE (default: no PIN, query interactively)
         -xn <PIN>     new PIN/Passphrase for PSE (default: query interactively)
       more Options for -d (delete SSO-credentials)
         -p <PSE>      delete SSO-credentials for this PSE
         <num>         delete SSO-credential number <num> (default: first in list)
       Options for -l (list SSO-credentials)
         -O <user>     list credentials for user <user>
       Options for <none> (create/add SSO-credential)
         -lps          use LPS to protect the new SSO-credential
         -p <PSE>      create SSO-credential for this PSE (required parameter)
         -x <PIN>      PIN/Passphrase for PSE (default: no PIN, query interactively)
         -1            insert new credential at the beginning of the list
         -O <user>     create SSO-credential for OTHER user
       Options for -r (replace SSO-credential)
         -lps          use LPS to protect the new SSO-credential
         -p <PSE>      PSE for which SSO-credential should be changed (optional parameter)
                       Without this option, all readable credentials are changed.
                       Use -r without -p to change LPS mode for all credentials.
         -x <PIN>      PIN/Passphrase for PSE (default: no PIN, PIN from old credential,
                       query interactively)
         -O <user>     protect SSO-credential for OTHER user (non LPS mode only)
         -h            print this help
         -v            verbose

       Examples:
        - create lps protected SSO-credential for SAPSNCS.pse (prompts for PSE password)
            sapgenpse seclogin -lps -p SAPSNCS.pse -O abcadm
        - replace one lps unprotected SSO-credential with lps protected SSO-credential
            sapgenpse seclogin -r -lps -p SAPSNCS.pse
        - replace all lps unprotected SSO-credentials with lps protected SSO-credentials
          (password prompted if PSE has a new password)
            sapgenpse seclogin -r -lps -p SAPSNCS.pse
        - show SSO-credentials created for a dedicated user
            sapgenpse seclogin -l -O abcadm
        - delete SSO-credential for SAPSNCS.pse
            sapgenpse seclogin -d -p SAPSNCS.pse
        - delete SSO-credential Nr 1
            sapgenpse seclogin -d 1
        - change PIN/password of SAPSNCS.pse
            sapgenpse seclogin -chpin -x <PIN> -xn <PIN> -p SAPSNCS.pse
        - replace old SSO-credential with new SSO-credential
          (password prompted if SAPSNCS.pse has a new password)
            sapgenpse seclogin -r -p SAPSNCS.pse -O abcadm

The command CALL PGM(SAPGENPSE) PARM('get_my_name' '-h') produces the output:

       Display the attributes/properties of the user/owner certificate in a PSE

       Usage: get_my_name [options]
       Options are:
         -p <PSE>      which PSE to query (default: try SSO)
         -n <attr>     show only particular attribute(s)
                       <attr> must be one of: subject, issuer, serialno, keyinfo, validity, all
         -h            print this help
         -v            verbose (use multiple times for more details)

       Examples:
        - display the subject of SAPSNCS.pse
            sapgenpse get_my_name -p SAPSNCS.pse -n subject -v
        - display all attributes of SAPSNCSKERB.pse
            sapgenpse get_my_name -p SAPSNCSKERB.pse

The command CALL PGM(SAPGENPSE) PARM('maintain_pk' '-h') produces the output:

       Display, add to, or delete certificates from the PKList of a PSE
       All of the certificates (public keys) in the PKList are fully trusted.
       When someone else's certificate is verified (authenticated), it must be
       directly signed by (or chained to) either our own key, our PKRoot or one of
       the certificates (public keys) in PKList.

       Usage: maintain_pk <mode> [more-options]
       One of these <mode>s selects the mode of operation:
         -l                 display certificates/keys of PKList
         -lPEMlist          display certificates/keys of PKList in PEM-framed base64
         -l <num>           display certificate/key number <num> of PKList
         -l <str>           display certificates/keys in PKList containing <str>
         -a <file>          add SINGLE certificate from <file> (PEM, Base64 or DER binary)
         -m <file> [<str>]  add MULTIPLE certificates from <file> (PEM, Base64 or DER binary)
                            if <str> is supplied, only certs where the subject name
                            contains <str> are considered/processed by add MULTIPLE
         -d <num>           delete certificate/key number <num> from PKList
         -d <str>           delete certificates/keys from PKList containing <str>
         -f                 flush PKList entirely (delete all certificate/keys)
       more Options:
         -p <PSE>           filename for PSE (default: use SSO-credentials)
         -x <PIN>           PIN/Passphrase for PSE (default: try SSO, query interactively)
         -y                 automatic YES-mode (for -m/-M add MULTIPLE certificates
                            and for -f and -d)
         -h                 print this help
         -v                 verbose (use multiple times for more details)

The command CALL PGM(SAPGENPSE) PARM('export_own_cert' '-h') produces the output:

       Exports one's own certificate from the PSE
       If you want to configure trust between two PSEs, you need to add one
       intermediate CA or Root CA cert from the certification path of each PSE to
       the PKList (= Trust anchors) of each other PSE.
       In a PKI-less scenario with self-signed certs (which can be used, but is not
       recommended) you might import the Owner/End-Entity certificate of each PSE
       into the PKList of each other PSE instead.

       Usage: export_own_cert [options] [-o <file>] [-p <PSE>]

             t>0   shutdown after t secs idle
             t=0   no automatic shutdown