Sap router что это

Sap router что это

The only pre-requisite for using SAProuter is a network connection from the customer’s network to the SAP network.

In order to establish this it will be necessary to first coordinate with the SAP network team to prep your environment. To best facilitate this request it’s vital that you ensure the following:

New Connection Requirements

Existing Connection Requirements

Security

It is key for SAP to offer the Services and Support for your solution in a safe, fast and auditable way. Therefore customers will profit from the following benefits:

SAP, together with the network providers, strives to offer the highest possible security for accessing customer networks via WAN (wide area network) connections. Maximum security against unauthorized access to customer systems and local networks via a WAN connection is only guaranteed, however, if the customer also undertakes specific measures and observes all security guidelines.

Customers are primarily responsible for complying with all necessary security measures. SAP can only provide the highest security possible if customers consistently comply with all security measures.

SAProuter Certificates

Encrypt your data transfer

Special server certificates can be issued to validate Internet connections set up for support purposes between your company and SAP using the SAProuter. In general, they are used for server authentication for encrypted data transfer within mySAP.com using the Generic Security Services API interface (GSS-API).

SAProuter certificates are available free of charge from the SAP Support Portal.

Processing Route Strings

A route is defined for SAProuter in the form of a route string, which must observe specific syntax rules. A route string contains an entry, or substring, for each SAProuter and for the target server. Each substring contains the information that SAProuter needs to make a connection in the route: the host name, the port name, and the password, if supplied.

A route string can look like this: /H/host/S/service/P/pass

Each substring begins with /H/, which indicates the host name. You can optionally specify a service after each host name. The service name is preceded by /S/. The substring can then include a password, which is preceded by /P/.

By default, route strings are sent without a password. The default value for service is «3299», and the default password is «» (empty).

The diagram below shows a sample connection between SAP and a customer system. In this example, an SAP service engineer working at sappc needs to log on to a customer application server yourapp, which offers or uses the service sapservice.

Источник

What is SAP Router?

SAP Router Definition

SAProuter is an SAP program which behaves as an intermediate station or proxy between SAP systems and external networks. It controls the access to our network and protects our SAP network against unauthorized access. It normally installed on the system with the firewall.

The use of saprouter means that a client will first connect to saprouter. SAProuter then connects to an additional SAProuter or to a SAP server.

Characteristics of SAPRouter:

1.Maintain our systems in the Market Place

2. SAP able to connect and we need to provide authentication

3. SAP Router provides the authorization and we need to provide the authentication.

The password will be visible [ ].

SAP router side will restrict the user.

Market place > connect to SAP
> R/3 Support
> Open connection

Take out the access from SCC4, SE38, SA38.

SAP Router is an executable which is used to restrict the access to the customer systems over the network. It works like a firewall/ proxy to permit and deny the access to the SAP systems.

It needs to be configured before implementation Part of SAP.
—————
RMMAIN t-code only in SOLMAN

Implementation Road Map > Technical Infrastructure Planning > Order for Remote Connection to SAP

Project Preparation Phase

1. Create message to SAP along with your SAP Router [Hostname], IP Address and Customer Number (SAP Router need not be installed on Solution Manager /DEV/ QAS/ PRD.

It can be installed on any desktop, but it is advised to install on SOLMAN system to ensure that it is monitored periodically.

Cust Number: When we buy SAP we will be provided with the customer number.

2. SAP responds with the distinguished name.

3. Create SAP Router directory and copy the executables from exeucNTi386 or download from the market place. (www.service.sap.com/swdc) copy only SAPCAR.exe, SAPROUTER.exe and NIPPING.exe

4. Download the Cryptography files from Market place related to OS and bit version (Download *.SAR files)

5. Uncar the files into SAPRouter directory

7. Generate the certificate using distinguished «DN» name with executable SAPGENPSE.

8. Copy and Paste certificate from Begin to End the market place url/Saprouter-SNCADD

9. Request a certificate from the market place copy into srcert.

10. Import the certificate into router system using SAPGENPSE

13. On each backend system, we need to maintain the RFC details in OSS1 Transaction. It will update SAPOSS RFC Connection.

SAPOSS, SAP-OSS, SAPSNOTE are created on communicating with the Market Place.

SAP Router u have to configure it through SAP Service market place and apply for the license and it will let u to download the notes from SAP service market place and u can access the SAP GUI from home or any place with internet from ur laptop You should be able to see this SAPRouter in the Service Marketplace now.

1. logon to the SAP Service Marketplace with your S-user (internet explorer: www.service.sap.com)

2. Change to the alias SAPROUTER-SNCADD (www.service.sap.com/saprouter-sncadd)

Please check if it is possible for you to download the software. You can do that if you press the button ‘Software’. You should get a note (Export Control Regulation). You are not allowed at the moment if you can’t see a boutton ‘I agree’ in this screen. If you can’t see the button ‘I agree’ then please follow the instructions on the page in the Service Marketplace ( Trust Center Service, not yet registered) and contact your local SAP contract administration and request the access to this page.They will initiate the further steps.

To configure SAP Router you need use SAP String’s explained below in
my mail as attached.

One have to check all the security settings before configuring the SAP Router File dear.

A route string describes the stations of a connection required between
two hosts. A route string has the syntax

· /S/ is used for specifying the service (port); it is an
optional entry, the default value is 3299

· /W/ indicates the password for the connection between the
predecessor and successor on the route and is also optional (default
is «», no password)

Источник

Удалённый доступ в системы SAP: описание уязвимостей

Python для хакера

Специалисты исследовательского центра Digital Security опубликовали отчёт «Безопасность SAP в цифрах. Результаты глобального исследования 2007-2011» (pdf), которое представляет собой первое общедоступное статистическое исследование безопасности SAP, включающее детали измерений и описание угроз.

Лаборатория Digital Security провела сканирование TCP-портов по всей сети, которое показало, что от 5% до 25% пользователей SAP (в зависимости от типа сервиса) открывают удалённый доступ к критичным для бизнеса сервисам. В рамках исследования были просканированы их подсети. Количество открытых портов будет обновляться онлайн на www.sapscan.com — официальном сайте проекта.

Одной из целей исследования было разоблачение популярного мифа о том, что системы SAP защищены от хакеров, так как доступны только из внутренней сети. В то время как все рекомендации SAP и консалтинговых компаний гласят, что даже внутри сети доступ к административным сервисам необходимо строго ограничивать, обнаружилось, что многие компании некорректно настраивают ландшафт SAP, так что критичные сервисы доступны удалённо через интернет. Иногда причина в банальной некомпетентности, но иногда компании осознанно принимают решение о том, что им нужен лёгкий удалённый контроль, а это грубейшее нарушение правил информационной безопасности.

Так, в России обнаружилось 58 систем SAP Router, предназначенных для управления доступом к внутренним системам SAP. SAP Router как таковой может быть небезопасно настроен и позволять проникнуть внутрь компании, но настоящая проблема в том, что 10% этих компаний оставляют открытыми другие сервисы для прямого доступа через интернет в обход SAP Router, например, сервис SAP Dispatcher. Этот сервис легко эксплуатируется, если войти в систему под стандартной учётной записью или воспользоваться некоторыми другими уязвимостями, которые были закрыты компанией SAP только в мае 2012 года.

Кроме того, 9% мировой выборки (она состояла из 1000 компаний, использующих SAP, по всему миру) не закрыли доступ к сервису SAP Management Console, который уязвим к неавторизованному просмотру параметров системы через интернет.

Компании используют старые версии SAP

Одним из неприятных открытий Digital Security стало то, что компании используют старые версии SAP, выпущенные в 2005 году. Информация о публичных веб-серверах на основе SAP NetWeaver была собрана с помощью поисковых систем Google и Shodan. Анализ их версий показал, что самая популярная (45%) конфигурация — это SAP-система на основе NetWeaver 7.0 без дополнений и обновлений безопасности.

Исследователи Digital Security обеспокоены тем, что новые безопасные настройки, такие как отключение по умолчанию большей части критичных веб-сервисов, появились только в обновлении EHP 2 (Release 7.02). Результаты исследования демонстрируют, что появление новых настроек безопасности в ПО не означает, что компании действительно будут ими пользоваться и улучшать собственную безопасность.

Уязвимости веб-сервисов SAP

Часть данных была обнаружена исследователями Digital Security не только с применением собственной разработки – системы мониторинга безопасности SAP ERPScan, но и с помощью публичных поисковых сервисов, таких как Google и Shodan. Например, 67% систем NetWeaver J2EE и 55% систем NetWeaver ABAP подвержены уязвимости раскрытия информации, так как отдают детальную информацию о версиях серверов приложений и баз данных. Эта информация может помочь хакеру спланировать дальнейшие атаки, и она крайне проста для получения, так как доступна через общедоступные поисковики и не требует ресурсов на дополнительные сканирования.

Саккар Паулюс (Sachar Paulus, вице-президент по защите продукта и безопасности в SAP), сказал в интервью журналу CIO в конце 2008 года: «Одна из самых важных угроз ERP — это люди, которые подключают свои SAP-системы к интернету». Итак, спустя 4 года проблема всё ещё существует и стремительно растет.

Среди 2026 уязвимостей, закрытых компанией SAP на 26 апреля 2012 года (кстати, на 18 июня количество уязвимостей уже более 2300), наиболее популярны уязвимости, связанные с веб-приложениями. Например, самая популярная уязвимость — обход каталога (около 14%), а второе место занял межсайтовый скриптинг.

Говоря о критичных сервисах, доступных через веб-интерфейс, стоит отметить то, что в 40% систем ABAP NetWeaver в интернете включен сервис WebRFC, который позволяет вызывать критические административные и бизнес-функции. Он защищён логинами и паролями, но существует множество стандартных учётных записей, которые обычно не отключаются и пароли на которых не меняются. На 61% систем J2EE в интернете включен сервис CTC. Он подвержен уязвимости, которая называется Verb Tampering, позволяет обходить механизмы аутентификации и удаленно создавать в системе пользователя с любыми правами, и, к сожалению, всё ещё не исправлена в большинстве компаний.

Топ-5 самых важных уязвимостей в 2011 году

Количество уведомлений по безопасности SAP по годам

Количество эксплойтов SAP по годам

Прочие данные

В отчёте содержится 40 страниц метрик и графиков, а также интересные прочие факты:

● По данным на 26 апреля 2012 года, опубликовано более 2000 уведомлений о безопасности SAP.

● Большинство проблем (69%) имеют высокий приоритет, а это означает, что 2/3 публикуемых уязвимостей необходимо исправлять в кратчайшие сроки.

● Поисковая система Shodan обнаружила в интернете 2677 уникальных серверов с разнообразными веб-приложениями.

● Самые популярные ОС, которые используются вместе с SAP — Windows NT (28%) и AIX (25%).

Источник

Sap router что это

For License conditions of SAP Cryptographic Library please refer to SAP Note 597059. Only for the connection between SAProuters at SAP and the first SAProuter on customer sites, certificates signed by a CA provided by SAP are being used. For all other uses of SAPCRYPTOLIB for SNC in backend connections, customers are free to choose any CA of their preference or simply use self-signed certificates as proposed by SAP for SNC connections in general.

Download SAProuter

1. Login to the SAP Support Portal with the S-User ID which is assigned to your installation.

2. Use the latest SAProuter version, which can be downloaded from the SAP Software Download Center.

On the Support Packages & Patches tab click:

A-Z Alphabetical List of Products > S > SAPROUTER > SAPROUTER (latest versions) > select OS from drop-down > select saprouter_XXX-XXXXXXXX.sar > Download Basket button

3. Download the latest SAP Cryptographic Library from the SAP Software Download Center.

On the Support Packages & Patches tab click:

A-Z Alphabetical List of Products > S > SAPCRYPTOLIB > COMMONCRYPTOLIB (latest version) > select OS from drop-down > select SAPCRYPTOLIBP_xxxx-xxxxxxxx.SAR > Download Basket button

4. Download the SAPCAR executable, which is necessary to unpack SAR archives, from any Installation Kernel CD or from the SAP Software Download Center.

On the Support Packages & Patches tab click:

A-Z Alphabetical List of Products > S > SAPCAR > SAPCAR (latest version)
>your preferred O.S. version > SAPCAR_xxx-xxxxxxxx.EXE

Create the Credentials

1. Logged on as an administrator, set the environment variables SNC_LIB and SECUDIR:

Windows NT, 2000, XP or higher

2. Go to the SAProuter application and from the list of SAProuters registered to your installation, choose the relevant SAProuter.

3. You then have two options:

3.1. Generate a PSE (preferred option):

a) You must provide a password, which will be used to create your SAProuter PSE;

b) Download the generated pse and save it as «local.pse» in the same directory as the sapgenpse executable.

c) Skip the next step 3.2, and continue with step 4.

3.2. Submit a CSR (to be used if 3.1 fails):

a) Generate the certificate request with the following command:

Alternatively use either of these two commands:

b) Display the output file «certreq» and with copy & paste (including the BEGIN and END statement) insert the certificate request into the text area of the SAProuter application from which you copied the Distinguished Name.

c) In response you will receive the certificate signed by the CA in a new text area in the SAProuter application. Copy & paste the text to a new local file named «srcert», which must be created in the same directory as the sapgenpse executable.

d) With this in turn you can install the certificate in your SAProuter by calling:

Note: If you chose to generate a new PSE previously and you are replacing an old PSE file, then make sure to delete the old credential first:

5. This will create a file called «cred_v2» in the same directory as «local.pse»

6. Check if the certificate has been imported successfully with the following command:

The name of the issuer should be:

CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE

7. If this is not the case, delete the files «cred_v2», «local.pse», «srcert» and «certreq» and start over at item 2. If the output still does not match, open an incident using component XX-SER-NET stating the actions you have taken so far and the output of the sapgenpse commands executed.

Required Actions Before Starting SAProuter

Check if the environment of the account running SAProuter contains the environment variables SNC_LIB and SECUDIR

The corresponding file saprouttab, a local file that must be created manually and is normally created in the main SAProuter-directory, must contain at least the following entries :

Example SAPROUTTAB for SNC connections registered to sapserv2 in Germany

# SNC connection to and from SAP

KT «p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE» 194.39.131.34 *

# SNC connection to local system for R/3-Support

# R/3 Server: 192.168.1.1

KP «p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE» 192.168.1.1 3200 (optional SAProuter password)

# SNC connection to local WINDOWS system for WTS, if applicable

# Windows server: 192.168.1.2

# Default WTS port: 3389

KP «p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE» 192.168.1.2 3389 (optional SAProuter password)

# SNC connection to local UNIX system for SAPtelnet, if applicable

# UNIX server: 192.168.1.3

# Default Telnet port: 23

KP «p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE» 192.168.1.3 23 (optional SAProuter password)

# SNC connection to local Portal system for URL access, if applicable

# Portal server: myserver.mydomain

KP «p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE» myserver.mydomain 50003

# Access from the local Network to SAP

P 192.168.*.* 194.39.131.34 3299

# deny all other connections

Example SAPROUTTAB for SNC connections registered to sapserv9 in Singapore

# SNC connection to and from SAP

KT «p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE» 169.145.197.110 *

# SNC connection to local system for R/3-Support

KP «p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE» 192.168.1.1 3200 (optional SAProuter password)

# SNC connection to local WINDOWS system for WTS, if applicable

# Windows server: 192.168.1.2

# Default WTS port: 3389

KP «p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE» 192.168.1.2 3389 (optional SAProuter password)

# SNC connection to local UNIX system for SAPtelnet, if applicable

# UNIX server: 192.168.1.3

# Default Telnet port: 23

KP «p:CN=sapserv9, OU=SAProuter, O=SAP, C=DE» 192.168.1.3 23 (optional SAProuter password)

# SNC connection to local Portal system for URL access, if applicable

# Portal server: myserver.mydomain

KP «p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE» myserver.mydomain 50003

# Access from the local Network to SAP

P 192.168.*.* 169.145.197.110 3299

# deny all other connections

Start the SAProuter with the following command line (to start the SAProuter as a Windows service, follow the steps described in SAP Note 525751):

-K tells the SAProuter to start with loading the SNC library

: you can find this parameter on the certification webpage after you click the Apply Now button.

If the O.S. of SAProuter is OS400, implement SAP Note 1818735

If SAProuter fails to start, also implement C-runtime packages as described here: C-runtimes needed to run SAP executables.

Источник

Sap router что это

This command starts SAProuter and loads the file saprouttab (router permission table), which defines access control. If this file does not exist, you need to create it.

A route permission table must be used as of version 25 of the SAProuter.

You can start SAProuter automatically when you start the system. In UNIX, for example, change your file /etc/rc accordingly.

The main SAProuter commands are:

Testing Basic SAProuter Functions

Before you work with SAProuter, you should check for any network problems.

You will need the programs saprouter and niping, and three open windows (shells) on one or more computers.

This command starts SAProuter without parameters.

Refer also to the online help for a complete list of SAProuter commands. To get online help, type saprouter.

This command tests the connection without the SAProuter, that is directly between host 2 and host 3.

This command tests the connection with SAProuter. A host name is interpreted as a route (via one or more SAProuters to the server), if the host name is preceded with /H/.

In steps 3 and 4 several data packets are sent to the server and then returned by the server.

Self-Test for the Local Host

To carry out a self-test for the local host:

A list is displayed with function names, parameters and return codes.

The following message appears if the self-test is successful: «*** SELFTEST O.K. ***»

Define Passwords & Authorizations in SAProuter

You set passwords and access permissions for your system in user-defined files known as route permission tables. You use a standard text editor to create a route permission table.

You can allow access to and from specified application servers in your LAN via your SAProuter. You can also password protect the routes you define. To do this, you must create and configure a separate route permission table for each SAProuter in your network.

A route permission table contains the host names and port numbers of the preceding and subsequent point of the route, and any passwords required to make the connection.

Entries in a route permission table look like this:

Here, and could be SAProuters.

P(ermit) allows SAProuter to build the connection. P(ermit) entries can include a password. SAProuter checks that this password matches the password sent by the client.

D(eny) prevents the connection from being built.

You can also include comment lines, which must begin with ‘#‘.

If a client of wants to connect with via a SAProuter, the SAProuter checks its route permission before making the connection. If the password and route that SAProuter receives are identical to the entries in the route permission table, SAProuter will make the connection. If the passwords are not identical, SAProuter will not make the connection.

You can include wildcards («*«) in hosts, ports and passwords.

You can include subnetworks in host routes.

Examples:

You can display a sample route permission table on your screen. To do this, call the SAProuter online help: saprouter.

If there are several suitable entries, the first one is selected. This is important for the sequence of the permit/deny rules.

Источник