Setting up SAProuter as a systemd service

Published on

The SAProuter is a small piece of software provided by SAP to establish a remote connection between a customer’s network and SAP.

With SAProuter you can:

  • Improve network security, e.g. by using a password or only allowing encrypted connections from known sources
  • Control and log connections to SAP systems
  • Increase performance and stability by reducing SAP system load within a local area network (LAN) when communicating with a wide area network (WAN)

SAProuter can be used with both classic SAP products and analytics solutions. The SAP Business Analytics products that benefit from SAProuter connections are listed in SAP Note 1478974.

SAProuter controls access to your network at the application level and is a useful addition to an existing firewall system (port filter).

The SAProuter binary is included in every SAP kernel and is therefore available on every SAP system. However, running the SAProuter on a host that already runs an SAP system makes no sense and is not recommended from a security point of view; it should run as a dedicated service on its own host. In the following, I show how to set up SAProuter as a service on a Linux system.

Required software

The following software is required from the SAP Software Download Center for installation:

  • SAPCAR
  • SAPROUTER
  • COMMONCRYPTOLIB
  • Optional: SAP HostAgent

Installation

The installation essentially consists of unpacking the files, followed by creating a service so that the SAProuter is started automatically.

Download the software and upload it to the Linux server using WinSCP, for example.

Create the folder structure and extract the saprouter*.sar and SAPCRYPTOLIBP_*.SAR archives into the /usr/sap/saprouter/bin directory.

The saprouttab will later contain the rules that allow or prohibit access to SAP systems.

sudo mkdir -p /usr/sap/saprouter/{logs,bin,etc,sec}
# SAPCAR must be executable (chmod +x SAPCAR); the archive names are globs and must not be quoted
sudo ./SAPCAR -xf saprouter_*.sar -R /usr/sap/saprouter/bin
sudo ./SAPCAR -xf SAPCRYPTOLIBP_*.SAR -R /usr/sap/saprouter/bin
sudo touch /usr/sap/saprouter/etc/saprouttab

The service will later run under a dedicated user. Create this user and then adjust the permissions to the previously created directory.

sudo useradd -m -u 3299 -s /bin/bash saprouter
sudo chown -R saprouter:saprouter /usr/sap/saprouter

For the saprouter user, the following variables are added to ~/.bashrc so that the environment is also correct when the tools are run manually:

export SECUDIR=/usr/sap/saprouter/sec
export SNC_LIB=/usr/sap/saprouter/bin/libsapcrypto.so
PATH=$PATH:/usr/sap/saprouter/bin

Almost everything is now in place; the only thing missing is the service entry.

Creation of the systemd service entry for the SAProuter

sudo vim /etc/systemd/system/saprouter.service
[Unit]
Description=SAProuter Service
After=network.target

[Service]
Type=simple
WorkingDirectory=/usr/sap/saprouter
User=saprouter

Environment="SECUDIR=/usr/sap/saprouter/sec"
Environment="SNC_LIB=/usr/sap/saprouter/bin/libsapcrypto.so"

ExecStart=/usr/sap/saprouter/bin/saprouter -r -S 3299 -R /usr/sap/saprouter/etc/saprouttab -E  -G /usr/sap/saprouter/logs/saprouter.log -J 20971520 -T /usr/sap/saprouter/logs/dev_rout

ExecStop=/usr/sap/saprouter/bin/saprouter -s

ExecReload=/usr/sap/saprouter/bin/saprouter -n

Restart=on-failure

[Install]
WantedBy=multi-user.target

Let’s break down the entry. In the section [Unit] it is important that this service is started after the network is started.

In the section [Service] we specify the user under which the service should run and we also provide two environment variables.

With ExecStart, ExecStop and ExecReload we specify the parameters we want to use.

-r                                          # start the SAProuter
-S 3299                                     # listen on port 3299
-R /usr/sap/saprouter/etc/saprouttab        # path to the route permission table
-E                                          # do not overwrite existing trace and log files
-G /usr/sap/saprouter/logs/saprouter.log    # path to the log file
-J 20971520                                 # maximum size of the log file in bytes -> 20 MB
-T /usr/sap/saprouter/logs/dev_rout         # path to the trace file

Depending on your needs, other parameters may be of interest. If IPv6 is to be used, the parameter -6 can be set. For larger environments, one SAProuter instance may not be sufficient: by default, 800 clients are served (adjustable with -C). If additional instances are wanted, the parameter -Y n must be used, where n = 0 means that a new SAProuter process is started automatically each time the maximum number of clients is reached.

The SAProuter can read in a changed route table without stopping the service. For this reason, the ExecReload entry calls the SAProuter with the parameter -n.
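Running the service under its own user is a start, but systemd can take much more away from the process. The following is an added example, not part of the original post: a shell helper that installs a drop-in next to the unit above, so the unit file itself stays as written, and sandboxes the process with standard systemd directives. The directive list is a generic hardening baseline, not an SAP-documented setting; the path assumptions follow this page (binaries, route table and PSE read-only, only /usr/sap/saprouter/logs writable) and must be checked against your own SNC setup.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: install a systemd drop-in
# that sandboxes saprouter.service without editing the unit file.
# Assumptions: paths as used on this page; the directive list is a generic
# systemd sandbox, not an SAP recommendation. Run with "install" as root.

# write_hardening_dropin UNITDIR
# Writes UNITDIR/saprouter.service.d/hardening.conf and prints its path.
write_hardening_dropin() {
    local dir="$1/saprouter.service.d"
    mkdir -p "$dir"
    cat > "$dir/hardening.conf" <<'EOF'
[Service]
# SAProuter needs its binaries, the route table and the PSE under SECUDIR
# (read), the log/trace directory (write) and TCP sockets. Nothing else.
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
# Whole file system read-only except the explicitly listed paths.
ProtectSystem=strict
ReadWritePaths=/usr/sap/saprouter/logs
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallArchitectures=native
# Listener, route targets and the -s/-n control connections are plain TCP.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Log and trace files are created readable by the saprouter user only.
UMask=0077
EOF
    printf '%s\n' "$dir/hardening.conf"
}

if [ "${1:-}" = "install" ]; then
    write_hardening_dropin /etc/systemd/system
    systemctl daemon-reload
    systemctl restart saprouter.service
    systemctl status saprouter.service --no-pager
fi
```

After installing the drop-in, systemd-analyze security saprouter.service reports the remaining exposure. If the SAProuter or CommonCryptoLib needs to write below SECUDIR, the journal shows read-only file system errors and that directory has to be added to ReadWritePaths.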

For the systemd configuration to become active, the daemon must be reloaded and the service enabled.

sudo systemctl daemon-reload
sudo systemctl enable saprouter.service

Now start the service. If the configuration contains errors, the service aborts; systemctl status saprouter and journalctl -u saprouter show the reason. Correct the error first before continuing with the configuration of the saprouttab.

Once the service starts without errors, you can operate the service using systemctl as follows:

sudo systemctl status saprouter        # show the status of the service
sudo systemctl stop saprouter          # stop the SAProuter service
sudo systemctl start saprouter         # start the SAProuter service
sudo systemctl reload saprouter        # re-read the SAProuter configuration (route table)

Maintain saprouttab

Each line in the saprouttab is interpreted as a single rule. The syntax of a rule is:

# P/S/D    <source-host>    <dest-host>    <dest-service>    <opt. password>
# P = Permit
# S = Secure (only SNC-protected connections are permitted)
# D = Deny
# Examples
P   147.204.2.5      *      *    # access from SAP via sapserv3 to all customer systems and SAP services
P   172.16.1.0/22    *      *    # assuming 172.16.1.0 is the internal client network: access from the clients to all SAP systems and SAP services
P   <service provider IP>  <sapprod>   3200  # allow a service provider access to sapprod on the Disp&Work port 3200 (dialog instance 00)
P   147.204.2.5   <WTS>   3389  # allow SAP via sapserv3 access to an internal Windows Terminal Server on RDP port 3389
D   *                *      *    # last entry: deny all

For the various access options from SAP (SNC, VPN, etc.) to a customer system, SAP Note 48243 should be reviewed.

Basically, the first-match rule applies to the saprouttab. The lines are evaluated from top to bottom; the first entry whose source address, destination address and destination port all match decides whether the connection is permitted or denied, and later lines are not consulted. A broad entry such as P <source> * * near the top therefore shadows every more specific deny below it, so narrow rules belong first and the wildcard deny last.

If no matching entry is found, the connection is denied, which is exactly what the explicit Deny All line at the end of the table spells out.
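To make the first-match behaviour tangible, here is an added example that is not part of the original post: a small shell model of saprouttab evaluation that reports the line which decides a given source/destination/port triple. It is a simplified model, not SAProuter's parser: IPv4 only, host columns as '*', exact strings or a.b.c.d/n networks, service columns as '*' or an exact port, no name resolution, and lines with fewer than four columns are ignored. The sample table it ships with is constructed; 203.0.113.10 stands in for a service provider address.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: a simplified model of
# saprouttab first-match evaluation (assumptions: IPv4 only, '*' / exact
# string / a.b.c.d/n host columns, '*' / exact port service column, no name
# resolution). It is not SAProuter's own parser.
set -f   # disable globbing so a '*' column stays a literal star

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
    local IFS=.
    # shellcheck disable=SC2086
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# match_host PATTERN VALUE -> 0 if PATTERN covers VALUE, 1 otherwise
match_host() {
    local pat=$1 val=$2 net bits mask
    [ "$pat" = "*" ] && return 0
    [ "$pat" = "$val" ] && return 0
    case $pat in
        */*)
            case $val in
                *[!0-9.]*) return 1 ;;    # a network never matches a hostname
            esac
            net=${pat%/*}; bits=${pat#*/}
            mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
            if [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$val") & mask )) ]; then
                return 0
            fi
            ;;
    esac
    return 1
}

# saprouttab_lookup FILE SRC DST PORT
# Prints "<line>: <rule>" for the first matching rule, walking the file top
# to bottom, or "0: D * * * (implicit deny)" when no rule matches.
saprouttab_lookup() {
    local file=$1 src=$2 dst=$3 port=$4 n=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}                  # drop trailing comments
        # shellcheck disable=SC2086
        set -- $line                      # split into columns
        [ $# -ge 4 ] || continue          # blank, comment-only or malformed
        case $1 in P|S|D) ;; *) continue ;; esac
        match_host "$2" "$src" || continue
        match_host "$3" "$dst" || continue
        [ "$4" = "*" ] || [ "$4" = "$port" ] || continue
        echo "$n: $1 $2 $3 $4"
        return 0
    done < "$file"
    echo "0: D * * * (implicit deny)"
}

# Constructed sample table (not the post's); 203.0.113.10 stands in for a
# service provider address.
demo_tab() {
    cat <<'EOF'
# constructed sample saprouttab
P   147.204.2.5      *         *      # SAP support via sapserv3: any target, any port
P   172.16.0.0/22    *         *      # internal client network
P   203.0.113.10     sapprod   3200   # service provider: dialog instance 00 only
D   *                *         *      # last entry: deny all
EOF
}

demo() {
    local tab
    tab=$(mktemp)
    demo_tab > "$tab"
    saprouttab_lookup "$tab" 203.0.113.10 sapprod 3200   # line 4 permits
    saprouttab_lookup "$tab" 203.0.113.10 sapprod 3300   # line 5 denies: port not permitted
    saprouttab_lookup "$tab" 172.16.2.7   sapdev  3201   # line 3: network match
    saprouttab_lookup "$tab" 147.204.2.5  wts01   3389   # line 2: wildcards shadow everything below
    rm -f "$tab"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument demo to see the four lookups. The last one is the point of the exercise: because the sapserv3 line permits every destination and every port, nothing placed after it can restrict that source any further.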

Checking the connections

To ensure that the configuration works without errors and is not blocked by a firewall, this should be checked with niping.

SAP Walldorf test

~ PATH=$PATH:/usr/sap/saprouter/bin
~ sudo env PATH=$PATH niping -c -O -H /H/127.0.0.1/H/147.39.131.34/H/localhost
Fri Jun 02 10:34:42 2023
connect to server o.k.
send 10 messages (len 1000)
...

Test for internal SAP system sapsrv01 with port 3200. Note that this call connects from the router host to sapsrv01 directly and therefore only proves that the target is reachable; to exercise the saprouttab rules as well, address the target through the local SAProuter with a route string, e.g. -H /H/127.0.0.1/H/sapsrv01 together with -S 3200.

~ PATH=$PATH:/usr/sap/saprouter/bin
~ sudo env PATH=$PATH niping -c -O -S 3200 -H sapsrv01 -I 3
Fri Jun 02 10:36:42 2023
connect to server o.k.
send 10 messages (len 1000)
...

If you want to test the reachability of all explicit targets in the saprouttab, two small commands help:

  1. Create a host list with ports from the permit rules whose destination host and port are not wildcards (columns 3 and 4 of a rule)
~ sudo awk '$1 == "P" && $3 != "*" && $4 != "*" { print $3, $4 }' /usr/sap/saprouter/etc/saprouttab > hostlist.txt
  2. Loop over the created file with niping
~ while read -r HOST PORT; do sudo env PATH=$PATH niping -c -O -I 3 -S "$PORT" -H "$HOST"; done < hostlist.txt
