SAProuter is an SAP program that can protect your SAP network against unauthorized access. It is a stand-alone program that is normally installed on the system with the firewall. SAProuter acts as an intermediate station (proxy) in a network connection between SAP systems, or between SAP systems and external networks. It controls the access to your network (application level gateway) and, as such, is a useful enhancement to an existing firewall system (port filter).
# CONNECTIONS WITH SAPROUTER
The following graphic shows a network connection with SAProuter:
SAProuter only allows
a network to be accessed from fixed points. The number of access points (“holes”)
is therefore reduced, since fewer direct lines are required for connections. Each
"hole" is guarded by an SAProuter whose route permission table
determines the routes that can be used and the necessary passwords for gaining
access. The hole in the firewall is therefore monitored. Without SAProuter, the
IP addresses must be unique. This is not always possible, particularly in the
case of a connection between two networks that do not normally have an external
connection. SAProuter enables two points with identical IP addresses to be
connected.
# SNC - SECURE NETWORK COMMUNICATION
SNC is used to make
network connections using the Internet, in particular WAN connections, secure.
It provides reliable authentication as well as encryption of the data to be
transferred. SAProuter allows SNC connections to be set up. The route
permission table can be used to specify precisely whether SNC connections are
allowed, and if so, which ones.
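
A catch-all route permission table beside a restrictive one, run through a small first-match checker. This is an added example, not code from the original page or from SAP. The hosts, the ports (3298 is assumed as the niping test port) and the audit heuristic are assumptions, and password and SNC (K*) entries are not modelled.

```python
import fnmatch

# Constructed tables with hypothetical hosts, in the saprouttab layout:
#   <P|S|D> <source-host> <dest-host> <dest-service> [<password>]
WEAK = "P * * *\n"
HARDENED = """\
# niping test client may reach the niping test server only (port assumed)
P host3 host2 3298
# office range to one application server, SAP protocol only
S 10.1.*.* appsrv1 3200
D * * *
"""

def parse_table(text):
    """Return (line_no, action, source, dest, service) for each P/S/D entry."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("P", "S", "D"):
            continue  # comments, blanks, SNC (K*) entries: not modelled here
        rules.append((line_no, *fields[:4]))  # optional password not evaluated
    return rules

def decide(rules, source, dest, service):
    """The first matching entry decides; a route with no match is refused."""
    for _, action, src, dst, svc in rules:
        if (fnmatch.fnmatchcase(source, src) and fnmatch.fnmatchcase(dest, dst)
                and fnmatch.fnmatchcase(str(service), svc)):
            return "deny" if action == "D" else "permit"
    return "deny"

def audit(rules):
    """List permit entries whose destination or service is a bare wildcard."""
    findings = []
    for line_no, action, _, dst, svc in rules:
        open_fields = [n for n, v in (("destination", dst), ("service", svc))
                       if v == "*"]
        if action != "D" and open_fields:
            findings.append((line_no, open_fields))
    return findings

if __name__ == "__main__":
    for name, table in (("weak", WEAK), ("hardened", HARDENED)):
        rules = parse_table(table)
        print(name, decide(rules, "203.0.113.7", "dbhost", 22), audit(rules))
```

With the catch-all entry, any client that can reach the router can be relayed to any host and port behind it; the restrictive table refuses the same request and produces no audit findings.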
# HARDWARE REQUIREMENTS FOR SAPROUTER
Since the work of the
SAProuter (also with SNC) is mainly I/O-based (input/output), you do not
require any especially powerful CPU.
NOTE: SAPROUTER IS
BASICALLY A SOFTWARE ROUTER NOT A HARDWARE (PHYSICAL) ROUTER.
The workload handled by the SAProuter is determined by the number of open connections. If over 800 connections have to be maintained, we recommend that you start new SAProuter processes with Option -Y <n>. This distributes the load across several processes and reduces the risk of any problem occurring (if a problem does occur, it never affects all the open connections). The rule of thumb is 1 SAProuter for every 500 connections.
As an alternative to option -Y, you can also set up a script that monitors the SAProuter process and restarts the SAProuter (soft shutdown with Option -p, then restart) as soon as a certain number of connections is exceeded, or when the message "Maximum number of clients reached" is issued for the first time.
Since the SAProuter
process is running in one thread (single threaded) and is often busy with I/O
calls or with host name resolutions, a computer with one CPU manages well with
several SAProuter processes running in parallel.
# RECOMMENDED HARDWARE
For an SAProuter with 3000 parallel connections between SAP GUIs and application servers, transferring an average volume of data, a small number of file downloads and uploads (approximately 8 kB data transfer in both directions per connection and per 10 seconds), SAP recommends:
● Quick network adapter (very important)
● 2 hyper-threading (HTT) CPUs with 2 GHz clock frequency
● 512 MB RAM
● 50 MB free space on the hard drive
# BACKGROUND
For 3000 users we
estimate six SAProuter processes (set Option -C <clients> to 1000). Each
of these processes requires 4.5 MB of memory, and 9% of a two-way HTT 3 GHz
CPU, if you assume one third of the CPU workload is for the users and two
thirds for the system. The six SAProuter processes together require
approximately 30 MB and 55% of the CPU. Sometimes it takes a few seconds to
determine the host name from the IP address (reverse lookup), and during this
time the process is blocked. The cause is usually an error in the DNS configuration.
Users will notice these delays particularly if the workload on the SAProuter is
large. Use Option -D to prevent this happening.
# RECOMMENDED START OPTIONS
Start the SAProuter as follows:
saprouter -r -K <SNC name> -Y 0 -C 1000 -D -G <log file> -J 2000000
# DOWNLOAD
You will find the latest SAProuter in the SAP Service Marketplace under Download SAP Software → <Support Packages & Patches>, service.sap.com/patches.
On the Support Packages and Patches page, choose Entry by Application Group in the navigation bar, and then Additional Components → SAPROUTER → SAPROUTER 7.00 → <Platform>. Here you will find the saprouter package.
# INSTALLATION OF SAPROUTER ON WINDOWS
1. Create the subdirectory saprouter in the directory <drive>:\usr\sap.
2. Download the latest version of the SAProuter from SAP Service Marketplace. Read the README file in this package. Copy the executables saprouter.exe and niping.exe to the directory you have just created. If there is no SAProuter there, you can get a version (may be obsolete) from your directory <drive>:\usr\sap\<SID>\SYS\exe\run.
3. If SAProuter has already been entered as a service with srvany.exe, remove the definition of the service from the Registry and restart the host.
4. Define the service with the following command:
ntscmgr install SAProuter -b ...\saprouter\saprouter.exe -p "service -r <parameter>"
Note: The points stand for <drive>:\usr\sap. <parameter> can be replaced by other parameters with which SAProuter is to be started. It is important that the parameters are within the character string enclosed in double quotation marks.
5. Define standard service properties in Control Panel → Services, set the startup type to "automatic" and enter a user. SAProuter should not run under the system account.
6. To avoid the error message "The description for Event ID (0)" in the Windows NT event log, you have to enter the following in the registry: Under HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → Event Log → Application, enter the key saprouter and define the following values for it:
EventMessageFile (REG_SZ): ....\saprouter\saprouter.exe
TypesSupported (REG_DWORD): 0x7
# STARTING SAPROUTER
Before using SAProuter, you should test its basic functions. To start SAProuter:
Enter saprouter -r in the input field.
(System i: enter saprouter '-r' in the input field, in batch mode if possible.)
NOTE: If you want to run a high number of connections (more than 1000) via SAProuter, start the SAProuter using Option -r -Y <n>, and set the maximum number of clients to 2000 using Option -C <clients>, thus:
saprouter -r -Y 0 -C 2000
If this option is set, a new SAProuter is automatically started if the client table becomes full. New connections can then use this new SAProuter.

| Command | Meaning |
|---|---|
| saprouter | Displays a complete list of SAProuter parameters on the screen |
| saprouter -r | Starts SAProuter |
| saprouter -s | Stops the running SAProuter |

# TESTING BASIC FUNCTIONS
Before using SAProuter, you should
test whether there are any network problems. To test the basic functions of the
SAProuter, you require the programs saprouter and niping as well as three open windows (shells) on one
or more hosts.
The following table shows the test
scenario when using niping:
SAProuter runs in window 1, the server
in window 2, and the client in window 3.

| UNIX/Windows | Window 2 (host2) | Window 1 (host1) | Window 3 (host3) |
|---|---|---|---|
| Without SAProuter | niping -s | | niping -c -H host2 |
| With SAProuter | niping -s | saprouter -r | niping -c -H /H/host1/H/host2 |

Steps
1. Start SAProuter in window 1 (on host1). To do this, enter the following command:
UNIX/Windows: saprouter -r
This command calls SAProuter without any parameters.
2. In window 2 (host2), start the test program niping to emulate a test server. Enter the following command:
UNIX/Windows: niping -s
3. In window 3 (host3), start the test program niping to emulate a client. Enter the following command:
UNIX/Windows: niping -c -H host2
This command tests the connection without SAProuter, that is, directly between host2 and host3.
4. In window 3, start the test program niping again with the following command:
UNIX/Windows: niping -c -H /H/host1/H/host2
# TO PERFORM A SELF TEST FOR THE LOCAL HOST:
Enter the command niping -t (System i: call niping '-t').
A list with function
names, parameters, and return codes is displayed. If the self test is successful,
the following message appears:
*** SELFTEST O.K. ***