[Repost] SAP SAProuter Configuration
(2012-06-23 10:21:41)
Original post: SAP SAProuter Configuration, by 三叶虫
https://www.wendangku.net/doc/319392606.html,/saphelp_46c/helpdata/en/4f/993172446d11d189700000e8322d00/frameset.htm
https://www.wendangku.net/doc/319392606.html,/saphelp_nw70/helpdata/EN/4f/993172446d11d189700000e8322d00/frameset.htm
https://www.wendangku.net/doc/319392606.html,/saphelp_nw04/helpdata/EN/e6/56f466e99a11d1a5b00000e835363f/frameset.htm
See SAP Note 41054 (Installation of the SAPRouter as NT Service) and SAP Note 30374 (SAProuter installation).
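1. Installing SAP Router:
SAP Router can be installed on UNIX, Windows NT and OS/400 systems. Installation is fairly simple. Taking Windows NT as an example, you only need to copy the executables that SAP Router requires, saprouter.exe, niping.exe and so on, into the directory you created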
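2. Configuring SAP Router parameters
The parameter configuration below uses the connection setup shown in the figure as an example.
2.1 Creating the SAP Router parameter configuration table:
On the SAP Router1 and SAP Router2 hosts
Router parameter configuration table file, with the file name mysaprouter.txt, where "mysaprouter" can be chosen freely. The syntax is: P/S/D
means
"secure"; the parameter D means "deny"; host1 is the IP address of the accessing (client) host; host2 is the IP address of the target host, and when the access path contains several SAP Routers, host2 is the IP address of the host nearest to the accessing side; Service is the requested service; password is the access password set for the client and may be omitted. The parameters are separated by a single space. For the access from the client to the ERP application server shown in Figure 1, a complete configuration could be:
In the SAP Router parameter configuration table file on the SAP Router1 host:
P 192.168.18.221 192.168.18.222 * passwd1
Here 192.168.18.221 is the IP address of the client; 192.168.18.222 is the IP address of SAP Router 1 (host name saprouter1); passwd1 is the configured password.
At the same time, in the SAP Router parameter configuration table file on the SAP Router2 host:
P 192.168.18.223 192.168.18.224 * passwd2
Here 192.168.18.223 is the IP address of SAP Router 2 (host name saprouter2); 192.168.18.224 is the IP address of the ERP application server (host name erpsapr3); passwd2 is the configured password.
The common syntax for SAP Router parameter configuration is shown in Table 1.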
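2.2 System hosts file configuration
In the hosts file on the SAP Router 1 host, configure the IP addresses and host names of the targets:
192.168.18.223 saprouter2
192.168.18.224 erpsapr3
In the hosts file on the SAP Router 2 host, the IP address and host name of the target should also be configured:
192.168.18.224 erpsapr3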
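2.3 Configuring the access route on the source side
In the SAP logon properties on the PC client, modify the logon properties and add the SAP router string. Its syntax is: /H/host1/S/
Here "H" stands for the host IP address, and host1 and host2 are the IP addresses of the hosts along the access route; "S" stands for the service, and "default" denotes the default service and may be omitted; "W" stands for the password, and "password1" and "password2" are the passwords set along the access route. Note that "H", "S" and "W" are all uppercase.
A complete access route for the access from the client to the ERP application server shown in Figure 1 can be set as:
/H/192.168.18.222/W/passwd1/H/192.168.18.223/W/passwd2/H/
or /H/saprouter1/W/passwd1/H/saprouter2/W/passwd2/H/
and configure the IP address of the ERP application server: 192.168.18.224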
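The route string format described in section 2.3, as an added example that is not part of the original post: a small Python parser that splits a route string into hops and masks the /W/ passwords before the string is written to a log or ticket. The sample route appends the ERP server address 192.168.18.224 from the text as the final hop, which is an assumption; parse_route and redact are hypothetical helper names.

```python
import re

# Constructed sample: the page's route with the ERP server added as last hop.
SAMPLE_ROUTE = ("/H/192.168.18.222/W/passwd1"
                "/H/192.168.18.223/W/passwd2"
                "/H/192.168.18.224")

def parse_route(route):
    """Split a route string into hops with host, service and password."""
    parts = route.strip("/").split("/")
    if len(parts) % 2:
        raise ValueError("route string must consist of /KEY/value pairs")
    hops = []
    for key, value in zip(parts[::2], parts[1::2]):
        if key == "H":
            # a new hop; service and password stay None when omitted
            hops.append({"host": value, "service": None, "password": None})
        elif key in ("S", "W") and hops:
            hops[-1]["service" if key == "S" else "password"] = value
        else:
            # lowercase or unknown keys, or S/W before the first H
            raise ValueError(f"unexpected key {key!r} (expected H, S or W)")
    return hops

def redact(route):
    """Mask every /W/ value; the passwords travel in clear text otherwise."""
    return re.sub(r"/W/[^/]*", "/W/***", route)

if __name__ == "__main__":
    for hop in parse_route(SAMPLE_ROUTE):
        print(hop["host"], "password set" if hop["password"] else "no password")
    print(redact(SAMPLE_ROUTE))
```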
3. Starting SAP Router:
In MS-DOS mode, type
4. Stopping SAP Router
In MS-DOS mode, type C:\user\sap\saprouter -s and press Enter to stop the program. The parameter "s" terminates the SAP Router program.
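Table 1: Common SAP Router parameter configurations
Attribute  Host1  Host2  Services  Password
P * * *
Meaning: permits connections on all paths and for all services
P * * * password
Meaning: if the password is correct, permits connections on all paths and for all services
P 192.168.18.253 192.168.18.222 * password
Meaning: if the password is correct, permits connections for all services from 192.168.18.253 to 192.168.18.222
P * 192.168.18.222 *
Meaning: permits any connection to 192.168.18.222 for all services
P 192.168.18.* 192.168.18
Meaning: permits all connections within the 192.168.18 subnet
P 192.168.xxx10010.*
Meaning: permits connections for all services to any address from any IP address within 192.168.18.* to 192.168.242.*; xxx are binary digits, 0 or 1
P*,0 * * password
Meaning: if the password is correct, permits any connection to non-SAProuter services
P 192.168.18.253 192.168.18.222 telnet
Meaning: permits the requested non-SAP remote login (telnet) service from 192.168.18.253 to 192.168.18.222 (over TCP/IP)
S 192.168.18.253
Meaning: permits any connection originating from 192.168.18.253, but it must use the SAP protocol
D 192.168.18.253 192.168.18.222 *
Meaning: denies connections for all services from 192.168.18.253 to 192.168.18.222
D 192.168.18.253
Meaning: denies all connections originating from 192.168.18.253
In addition, the Services setting can be handled through client authorization settings in the ERP application system, so in the SAP Router parameter configuration table it can be set to "*" or omitted (the default is 3299), meaning all services.
The table above may not be very clear, heh, so here is a picture of it.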
Solution
1. Create the subdirectory SAProuter in the directory /usr/sap/.
2. Download the latest version from sapserv3, directory /general/misc/saprouter. Also see the corresponding file 'README' in this directory. Copy programs 'saprouter' and 'niping' into the directory /usr/sap/saprouter.
If you cannot copy the programs from sapserv3, you can get a (possibly out-of-date) version from the directory /usr/sap/
3. Add the following lines to the file /users/
#
# Start saprouter
#
SRDIR=/usr/sap/saprouter
if [ -f $SRDIR/saprouter ]; then
  echo "\nStarting saprouter Daemon " | tee -a $LOGFILE
  echo "--------------------------- " | tee -a $LOGFILE
  # -r starts the router, -W sets the timeout for blocking net calls (ms),
  # -R names the route permission table
  $SRDIR/saprouter -r -W 30000 -R $SRDIR/saprouttab \
    | tee -a $LOGFILE &
fi
This entry automatically starts the SAProuter during the system start and it ensures that the SAProuter is always started. Since the SAProuter should continue to run after R/3 is shut down no respective entry is included in the Stopsap Script. If you boot the R/3 several times, the system displays error messages when the SAProuter is started. You can ignore these error messages. The entry of the SAProuter in the Startup Script is a recommendation. However, you can also start the SAProuter manually.
4. The corresponding routing table must be maintained in /usr/sap/saprouter/saprouttab.
5. Remarks
As of version 25 the SAProuter must have a routing table. The router terminates with an error message if it cannot read the table. If you do not want an authorization check use the line 'P * * *'.
Setting up the SAProuter as a Windows NT service.
Solution
If the Saprouter has already been entered as a service with srvany.exe, the definition of the service from the registry (path: HKLM -> System -> CurrentControlSet -> Services -> SAPRouter) should first be removed and then the machine should be rebooted.
With the following command you can newly define the service from the command line:
'ntscmgr install SAProuter -b
Replace
As of version 25 (3.0E) a route permission table file (SAPROUTTAB) must be specified for the Saprouter. When you want to specify the SAProuttab you consequently must also enter '-R
ntscmgr install SAPRouter -b c:\saprouter\saprouter.exe -p "service -r -R c:\saprouter\SAPROUTTAB"
If no path to SAPROUTTAB is specified, the SAPROUTTAB must be in a directory which is contained in the PATH variable of the NT system environment, thus for example the SYSTEM32 directory of the Windows NT installation. If the SAPROUTTAB should be in a special directory, this path to SAPROUTTAB must be specified.
Proceed as follows after the installation to maintain the general attributes of the service:
· Go to 'Control Panel -> Services: SAPRouter -> Button: Startup', set the startup type to 'Automatic' and enter a user. The SAPRouter should NOT run under the system account.
· To avoid the error message 'The description for Event ID (0) ...' in the NT Eventviewer you must make the following entries in the Registry. Under:
HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Services -> Eventlog -> Application
enter the following key: SAPRouter
Under this, define the two following values:
EventMessageFile (REG_SZ) :
TypesSupported (REG_DWORD) : 0x7
All required files (ntscmgr.exe, saprouter.exe, sapevents.dll) can be found in your
usrsap
SAPRouter on a firewall computer:
----------------------------------------
The NTSCMGR utility creates the SAPRouter Service with predefined dependencies from NT Workstation Service and NT Server Service. If the SAPRouter is to be installed on a firewall and if the Server Service is to be stopped, the dependencies of the SAPRouter need to be adjusted. To do so, open the registry editor (REGEDT32.EXE) and switch to the following subkey:
HKLM\System\CurrentControlSet\Services\SAPRouter
Double-click the parameter DependOnService on the right hand side of the window and delete the entry 'LanmanServer' from the displayed list. Exit the registry editor and restart SAPRouter Service.
Use the following command line to create the PSE.
sapgenpse get_pse -p
The Distinguished Name consists of the following elements:
· CN =
· OU =
· O =
· C =
Example Distinguished Name
CN=SAPJ2EE, O=MyCompany, C=US
Result
sapgenpse creates a PSE in the SAP J2EE Engine’s SECUDIR directory.
Example
The following command line creates the file SAP_J2EE.pse that is protected with the PIN
j2eepin. When using this PSE, the SAP J2EE Engine has the Distinguished Name
CN=SAPJ2EE, O=MyCompany, C=US.
sapgenpse get_pse -p SAP_J2EE.pse -x j2eepin "CN=SAPJ2EE, O=MyCompany, C=US"
Use the following command line to open the server’s PSE and create credentials:
sapgenpse seclogin -p
The credentials file (cred_v2) for the user specified with the -O option is created in the SECUDIR directory.
Example
The following command line creates credentials for the user SAPService:
sapgenpse seclogin -p SAP_J2EE.pse -x j2eepin -O SAPService
Start the SAProuter as follows:
saprouter -r -K
Note 734095 - WSAEADDRINUSE error during connection setup
Increase the range of port numbers that can be allocated by the operating system. By default, you have a range between port 1024 and port 5000; you can, however, increase the upper limit of 5000 by changing the following Windows registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
By default, an IP address and port remain locked for 240 seconds (that is, four minutes) after the connection was closed. You can also adjust this to 30-300 seconds. However, we recommend that you adjust the upper limit of the port numbers instead of the interval. The registry key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay
Microsoft documentation about this is under:
https://www.wendangku.net/doc/319392606.html,/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/regentry/58791.asp
and
https://www.wendangku.net/doc/319392606.html,/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/regentry/58811.asp
SAP Network Interface Router, Version 38.10
Compiled Jun 2 2008 01:55:34
start router : saprouter -r
stop router : saprouter -s
soft shutdown: saprouter -p
router info : saprouter -l (-L)
new routtab : saprouter -n
toggle trace : saprouter -t
cancel route : saprouter -c id
dump buffers : saprouter -d
flush " : saprouter -f
hide errInfo : saprouter -z
start router with third-party library: saprouter -a library
additional options
-R routtab : name of route-permission-file (default ./saprouttab)
-G logfile : name of log file (default no logging)
-T tracefile : name of trace file (default dev_rout)
-V tracelev : trace level to run with (default 1)
-H hostname : of running SAProuter (default localhost)
-S service : service-name / number (default 3299)
-P infopass : password for info requests
-C clients : maximum no of clients (default 800)
-Y servers : maximum no of servers to start (default 1)
-K [myname] : activate SNC; if given, use 'myname' as own sec-id
-A initstring: initialization options for third-party library
-D : switch DNS reverse lookup off
-E : append log- and trace-files to existing
-J filesize : maximum log file size in byte (default off)
-6 : IPv6 enabled
-Z : hide connect error information for clients
expert options
-B quelength : max. no. of queued packets per client (default 1)
-Q queuesize : max. total size for all queues (default 20000000 bytes)
-W waittime : timeout for blocking net-calls (default 5000 millisec)
-M min.max : portrange for outgoing connects, like -M 1.1023
-I address : address for outgoing connects, like -I 155.56.76.6
# this is a sample routtab : -----------------------------------------
D  host1 host2 serviceX    # deny routes from host1 to host2 serviceX
D  host3                   # deny all routes from host3
P  * * serviceX            # permit routes from anywhere to any host using serviceX
P  155.56.*.* 155.56       # permit all routes from/to addresses matching 155.56
P  155.57.1011xxxx.*       # permit ... with 3rd byte matching 1011xxxx
P  host4 host5 * xxx       # permit routes from host4 to host5 if password xxx supplied
P  host6 localhost 3299    # permit information requests from host6
P  host7 host8 telnet      # permit native-protocol-routes to non-SAP-server telnet
S  host9                   # permit ... excluding native-protocol-routes (SAP-servers only)
P0,* host10                # permit ... if number of preceding/succeeding hops (SAProuters) <= 0/*
KP sncname1 * *            # permit SNC-connection with partnerid = 'sncname1' to any host
KS * host11 *              # permit all SAP-SAP SNC-connections to host11
KD "sncname \"abc" * *     # deny all SNC-connections with partnerid = 'sncname "abc'
KT sncname3 host11 *       # open connects to host11 with SNC enabled and partnerid = 'sncname3'
# first match [host/sncname host service] is used
# permission is denied if no entry matches
# service wildcard (*) does not apply to native-protocol-routes
# --------------------------------------------------------------------
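The first-match and default-deny rules stated in the sample routtab comments, as an added example (not SAP's code and not from the original post): a simplified Python model that evaluates a route request against a table and flags a permit-everything entry such as 'P * * *' together with the entries it makes unreachable. Assumptions: IPv4 literals only, SAP-protocol routes only, P and S both treated as permit, omitted fields act as "*", and a wrong password on the first matching entry is a denial; the table is constructed from the addresses in Table 1.

```python
# Added example: simplified model of SAProuter route-permission matching.
# Assumptions: IPv4 literals, SAP-protocol routes, omitted fields act as "*".
ROUTTAB = """\
# constructed sample using addresses from Table 1
D 192.168.18.253 192.168.18.222 *
P 192.168.18.* 192.168.18 * passwd1
P 192.168.xxx10010.* 192.168.18.224 3299
P * * *
D 192.168.18.221
"""

def parse(text):
    """Return (line_no, action, src, dst, service, password) tuples."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#")[0].split()
        if fields:
            fields += ["*"] * (4 - len(fields)) + [None]
            entries.append((no, *fields[:5]))
    return entries

def octet_ok(pat, octet):
    if len(pat) == 8 and set(pat) <= set("01x"):  # bit pattern such as xxx10010
        bits = format(int(octet), "08b")
        return all(p in ("x", b) for p, b in zip(pat, bits))
    return pat in ("*", octet)

def host_ok(pat, ip):
    # zip() stops at the shorter side, so "192.168.18" and "*" act as prefixes
    return all(octet_ok(p, o) for p, o in zip(pat.split("."), ip.split(".")))

def decide(entries, src, dst, service, password=None):
    """First entry matching src/dst/service wins; no match means deny."""
    for no, action, s, d, svc, pw in entries:
        if host_ok(s, src) and host_ok(d, dst) and svc in ("*", service):
            ok = action in ("P", "S") and pw in (None, password)
            return ("permit" if ok else "deny", no)
    return ("deny", None)

def audit(entries):
    """Flag permit-everything entries and the entries they make unreachable."""
    findings, catch_all = [], None
    for no, action, s, d, svc, pw in entries:
        if catch_all:
            findings.append((no, f"unreachable after line {catch_all}"))
        elif (s, d, svc) == ("*", "*", "*"):
            catch_all = no
            if action == "P" and pw is None:
                findings.append((no, "permits every route without a password"))
    return findings
```

In this table the final D entry for 192.168.18.221 never takes effect, because the 'P * * *' line above it matches first.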