New SAProuter Certificate Authority: Ensure Your SAProuter Continues to Function

SAProuter and SNC: Background

SAP's customers each need to have a connection to SAP that allows them to receive remote support and secure delivery of SAP's remote services. This connection between SAP and customer is effected by the SAProuter software utility. SAProuter is a software utility that control's access to the SAP systems on customer networks at an application level and allows customers to grant or deny remote access to specific SAP hosts and ports. In terms of the practical implementation, SAProuter is a software router consisting of a core executable program and a text based routing table that controls which access is permitted or denied. 

In order to secure the SAProuter connection many customers choose to utilise SNC secured connections to secure traffic over the public internet between SAP's SAProuter and their own. SNC is an acronym for Secure Network Communications which is a software layer in the SAP system architecture. SNC allows a trust relationship to be established between the two SAProuters and also encrypts the exchanged messages. In doing so the critical security requirements of authentication, privacy and integrity are met.

A basic architecture diagram is shown below:

To safeguard the identity of the SAProuters, and to ensure no misrepresentation takes places, each is issued a certificate from SAP themselves which is verified using a chain of trust. At the uppermost end of the trust chain sits the root certificate. A root certificate is a self-signed certificate that identifies the root Certificate Authority. In the case of SNC protected SAProuter installations, the root certificate identifies the Certificate Authority as the "SMP Root CA"; in other words the SAP Service Marketplace.

The Issue

As described in SAP Note 2131531 the existing SAProuter root certificate authority will expire on the 18th July 2015. This means that any SAProuter certificate issued by this certificate authority will be rendered invalid after this date.

A new SAProuter root certificate authority has been implemented which has been effective from the 15th April 2015. This new certificate authority replaces the old certificate authority and all SAP customers who utilise SNC protected SAProuter connections are required to migrate to certificates signed by the new certificate authority.

This certificate renewal process requires that customers implement both a renewal of the SAProuter certificate and a migration to the latest available SAP common crypto library. It's mandatory that customers also utilise 2048-bit encryption for the personal security environment used to store the certificate details. SAP also recommend that clients implement the latest available SAProuter software.

Is my organisation affected?

If you utilise an SNC protected SAProuter connection to SAP and you have not updated your SAProuter certificate after 11:00 AM CET on the 15th April 2015 then it's unfortunately likely that your connection to SAP will be adversely affected from the 18th July 2015.

How do I check?

You can check your SAProuter configuration as follows:

  1. Log on at operating system level to the host on which you run your SAProuter software. You’ll need to log on as the user under which your SAProuter software is set to run.
  2. Open the file ‘sapprouttab’ from your SAProuter directory and check for an entry beginning with KT with a target of sapserv2 as follows:

This indicates that the target connection to SAP’s sapserv2 system should connect via SNC.

What if we don't update our certificate?

SAP customers who utilise SNC protected SAProuter connections will be unable to effect a connection to SAP unless they have complied with the steps documented in SAP note 2131531 and obtained a new SAProuter certificate after the 11:00 AM CET on the 15th April 2015. The inability to obtain the connection to SAP will prevent the delivery of SAP’s remote support, the execution of any SAP delivered remote services and the operation of any third party interfaces, e.g. to fax services.

What do we need to do?

Follow the guidance issued in SAP note 2131531 and update your SAProuter certificate. You may also need to update to the latest available SAP common crypto library and deploy the latest SAProuter 742 software. If you need any assistance interpreting the note, or making sense of how it applies to your individual circumstances, we are happy to help.

Further Information:

SAP Note 2131531 – New Root Certification Authority for SAProuter Certificates

Installing SAP Crypto Library and Starting SAProuter

by Brian Reid, Principal SAP Consultant