Connect to an ABAP System via SAProuter
When connecting Redwood Server to an ABAP instance, it may be necessary to use an intermediary routing product named SAProuter, which allows software residing on different networks to connect to each other.
An RFC connection can pass through as many SAP routers as required. A common use case is where RFC connections are transferred over the internet between two sites A and B. In that case there are usually two SAP routers involved, one on the interface between site A and the internet and one between site B and the internet.
Configuring the SAProuter is not difficult but must be done carefully. This is especially true if you use SNC, because SNC requires that both parties have exactly the correct information before they agree to communicate.
For more information regarding the SAP router, please read the SAP documentation on SAProuter.
Below you will find some additional notes to help you understand SAProuter configuration.
Configuration is direction oriented
When setting up the SAP router you should consider that RFC connections originate from one system and make an outgoing connection to a second system. This asymmetric behavior is reflected in the configuration files: if you want to allow RFC connections to be set up in two directions, you will find multiple configuration items as well. In other words, allowing client applications in network A to connect to RFC servers in network B does not allow client applications in network B to connect to RFC servers in network A.
SAProuter and Secure Network Connection (SNC)
The SAProuter allows all parts of the network connections to be encrypted and/or authenticated via SNC. Encryption means that nobody else is able to understand what is being said on the network connection; authentication means that you trust that you are talking to the party that you want to talk to.
The use of SNC is not always preferred or recommended; encryption uses CPU resources and may have a negative impact on throughput on fast networks. On the other hand, on slow networks SNC may improve throughput because it not only encrypts but also compresses data.
For this reason, SNC is not recommended for use on internal networks private to your data center or protected by a VPN. SNC should be used only when RFC data flows over networks that contain untrusted nodes, which could capture the data or even pose as a legitimate source. The Internet is the prime example of such an untrusted network.
Adding an SAProuter also gives more flexibility on where encryption resources are consumed (offload the server running ABAP) and allows for mixed types of servers.
SNC and SAP Crypto library
SNC uses a layered architecture with a pluggable API called GSS-API. As such, it can work with any GSS-API compatible plug-in library. For this to work, the GSS-API libraries on both sides of the secured connection must be compatible.
Prerequisites
- You have installed the SAP router according to SAP instructions.
Procedure
Configuration in Redwood Server
To make use of an SAProuter you must adjust the RFC connect string. In the most common cases, where there is no encryption or the first section of the connection between Redwood Server and the first SAProuter is not encrypted, the only adjustment needed is a change in the RFC Connect String.
- Navigate to "Environment > SAP".
- Choose Edit from the context-menu of the SAP system you want to connect to via SNC.
- On the SAP System tab, enter the connect string below in the RFC Connect String field.
- Choose Check connection and make sure the connection was successful.
- On the XBP tab, choose Check Connection Settings.
- Choose Save & Close.
- Navigate to "Environment > Process Servers" and restart the process server belonging to the SAP system.
ASHOST={saprouter1}[{saprouter2}...]{sapsystem}
Every {saprouter n} on the path between Redwood Server and the final ABAP instance uses one to three routing items:
- /H/host (name or IP address). This is mandatory, there is no default.
- /S/service (name or number). The default is 3299.
- /P/password. The default is null. Whether this is required depends on the SAP router configuration.
The final {sapsystem} hostname consists of just /H/hostname.
Example
Connect String in Redwood Server
ASHOST=/H/saprouter1.local/S/3290/H/saprouter2.example.com/H/sapsystem.example.local
The above example routes first to a host named saprouter1 on the local network where Redwood Server is installed. This is a connection to a non-standard port 3290. Then the next hop is across the internet to a router accessible from saprouter1.local as saprouter2.example.com; it is accessed on the standard port 3299. The final hop is from saprouter2 on its local network example.local to the actual ABAP instance.
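The route format described above can be checked before it is saved. The following is an added example, not code from Redwood or SAP: it parses a connect string into hops using the routing items and defaults as this page gives them, and masks /P/ values so the string can be logged. The names parse_route and redact, and the CONSTRUCTED sample, are assumptions made for illustration.

```python
import re

DEFAULT_SERVICE = "3299"  # default SAProuter service, per the text above

# One routing item: /H/, /S/ or /P/ followed by its value (no slashes inside).
_ITEM = re.compile(r"/([HSP])/([^/]*)")


def parse_route(connect_string):
    """Split an ASHOST route string into a list of hop dicts (hypothetical helper)."""
    if not connect_string.startswith("ASHOST="):
        raise ValueError("expected ASHOST=<route>")
    route = connect_string[len("ASHOST="):]
    items = _ITEM.findall(route)
    # Reject anything the three item types do not account for.
    if "".join(f"/{k}/{v}" for k, v in items) != route or not items:
        raise ValueError("route contains text outside /H/, /S/, /P/ items")
    hops = []
    for key, value in items:
        if not value:
            raise ValueError(f"empty value for /{key}/")
        if key == "H":  # every hop starts with its mandatory host
            hops.append({"host": value, "service": None, "password": None})
        elif not hops:
            raise ValueError(f"/{key}/ appears before the first /H/")
        else:
            field = "service" if key == "S" else "password"
            if hops[-1][field] is not None:
                raise ValueError(f"duplicate /{key}/ for {hops[-1]['host']}")
            hops[-1][field] = value
    *routers, target = hops
    if target["service"] or target["password"]:
        raise ValueError("final sapsystem hop must be just /H/hostname")
    for hop in routers:  # only SAProuter hops get the default service
        hop["service"] = hop["service"] or DEFAULT_SERVICE
    return hops


def redact(connect_string):
    """Return the connect string with every /P/ value masked, for logs."""
    return re.sub(r"/P/[^/]*", "/P/***", connect_string)


# The page's own example, plus a constructed variant carrying a password.
EXAMPLE = ("ASHOST=/H/saprouter1.local/S/3290"
           "/H/saprouter2.example.com/H/sapsystem.example.local")
CONSTRUCTED = "ASHOST=/H/router.example.com/P/s3cret/H/abap.example.local"
```

Calling parse_route(EXAMPLE) yields three hops, with saprouter2.example.com filled in on the default service 3299 and the final ABAP host carrying no service or password.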