Hello Guys,
I have a little problem. I am trying to set up our Solman’s connection to OSS to continue the initial setup, but I came across an error which I can’t solve and for which I can’t find any solution on the internet. My OS is SLES 11SP3.
I have set everything up, I have asked SAP for the DN, which went pretty fast and I have followed the document supplied in the incident (http://service.sap.com/saprouter-sncdoc), which went great too.
I have logged in under the <sid>adm user and:
setenv SECUDIR /usr/sap/saprouter
setenv SNC_LIB /sapmnt/<sid>/exe/libsapcrypto.so
Generated the key:
sapgenpse get_pse -v -r certreq -p local.pse "CN=SapDev, OU=<customer number>, OU=SAProuter, O=SAP, C=DE"
sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
Got the contents of certreq and followed the wizard at:
http://service.sap.com/saprouter-sncadd
Got the generated cert from SAP and saved it into srcert file and launched:
sapgenpse import_own_cert -c srcert -p local.pse
Created credentials for the user:
sapgenpse seclogin -p local.pse -O <sid>adm
According to the recommendation I have changed the permissions to cred_v2 file to 600 (e.g. when using certificates for SSH login, it throws an error, because the key in user’s home doesn’t have this authorization)
chmod 600 cred_v2
When I launch this command, I correctly get the same as in the document
sapgenpse get_my_name -v -n Issuer
Opening PSE "/usr/sap/saprouter/local.pse"...
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "sm1adm"
with PSE file "/usr/sap/saprouter/local.pse"
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Then I have created the saprouttab file with contents:
##################################
# SNC Connection to and from SAP #
##################################
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
###########################################
# SNC Connection from SAP to local system #
###########################################
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" SapDev 3200
####################################
# Access from local network to SAP #
####################################
P 192.168.*.* 194.39.131.34 3299
######################
# DENY ANYTHING ELSE #
######################
D * * *
Of course I have sapserv2 and SapDev in the /etc/hosts file
I start the saprouter by command:
saprouter -r -V 3 -K "p:CN=SapDev, OU=<customer id>, OU=SAProuter, O=SAP, C=DE" &
And I try connection by niping:
niping -c -H /H/192.168.200.95/H/194.39.131.34/H/localhost
And I get the error:
*** ERROR => NiBufIProcMsg: hdl 1 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp 2146]
*** ERROR => NiBufIConnect: route connect for non-buffered hdl 1 failed (rc=-104;/H/192.168.200.95/H/194.39.131.34/H/localhost); pong not received [nibuf.cpp 4801]
*** ERROR => NiTClientLoop: NiHandle (rc=-104) [nixxtst.cpp 2590]
*****************************************************************************
*
* LOCATION SAProuter 40.4 on 'SapDev'
* ERROR SNC processing failed:
* SncProcessInput
*
* TIME Tue Feb 11 07:53:29 2014
* RELEASE 720
* COMPONENT NI (network interface)
* VERSION 40
* RC -104
* MODULE nisnc.c
* LINE 1007
* DETAIL NiSncIProcIn: sncrc=-4;cae090
* COUNTER 14
*
*****************************************************************************
When I look into the dev_rout file I get:
->> SncPFrameIn(): state=INITIATING, role=INITIATE, p_in->used=2068
UnFrame: (len=2068, token=1998, data=46, flags=0x007e) FR_ACCEPT <<
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [sncxxall.c 3386]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3352]
GSS-API(maj): A token had an invalid signature
GSS-API(min): The name is wrong
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;cae090;2068) [nisnc.c 1010]
NiBufISetError: save rc -17 in buffer (hdl 17)
NiBufISetStatus: hdl 17 changed from OK to ERR
I have tried searching Google, SCN and SAP Notes, and I have found only this thread, "saprouter on Linux not working", and SAP Note 95810, which has a similar problem in point 2.1.1, but I don’t understand the solution provided.
The only thing my fellow colleagues told me is that the CN=SapDev is incorrect, because it is not pingable from the Internet. Are they correct, or am I missing something?
Thank you in advance,
Best Regards,
Petr Sourek
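An added example, not part of the original post and not SAP tooling: a small Python triage helper that parses the saprouttab shown above (keeping the quoted SNC names intact) and lists which route entries name the SNC target that dev_rout reports as failing. The function names, the assumed field layout and the whitespace normalisation are assumptions of this example.

```python
import re
import shlex

# Constructed sample: saprouttab entries and one dev_rout line copied from the post.
SAPROUTTAB = '''\
# SNC Connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" SapDev 3200
P 192.168.*.* 194.39.131.34 3299
D * * *
'''
DEV_ROUT = ("*** ERROR => SncPEstablishContext() failed for "
            "target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [sncxxall.c 3386]")
SNC_KINDS = {"KT", "KP", "KS", "KD"}  # field after the kind is an SNC name
HOST_KINDS = {"P", "S", "D"}          # field after the kind is a source host

def parse_saprouttab(text):
    # Assumed layout, as in the post: kind, peer, destination host, destination service.
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # a quoted SNC name stays one field
        kind = fields[0].upper()
        if kind not in SNC_KINDS | HOST_KINDS or len(fields) < 4:
            raise ValueError(f"line {lineno}: unrecognised entry {raw!r}")
        entries.append({"line": lineno, "kind": kind, "peer": fields[1],
                        "dest_host": fields[2], "dest_serv": fields[3]})
    return entries

def norm_name(name):
    # Assumption: spacing around the commas of a name is not significant.
    return ",".join(part.strip() for part in name.split(","))

def failed_target(trace):
    # Pull the SNC target out of a SncPEstablishContext() failure line.
    m = re.search(r"SncPEstablishContext\(\) failed for target='([^']*)'", trace)
    return m.group(1) if m else None

def entries_for_target(entries, target):
    # SNC entries whose peer name is the target the handshake failed for.
    return [e for e in entries
            if e["kind"] in SNC_KINDS and norm_name(e["peer"]) == norm_name(target)]

if __name__ == "__main__":
    table = parse_saprouttab(SAPROUTTAB)
    for e in entries_for_target(table, failed_target(DEV_ROUT)):
        print(f"line {e['line']}: {e['kind']} {e['dest_host']} {e['dest_serv']}")
```

On the sample from the post, the failing target matches both the KT and the KP entry, so the name written in saprouttab agrees with the name saprouter asked for.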