Configuring SAProuter (as a service) on Linux

Installing a saprouter on Linux is straight forward.

... at least without using SNC.

SAP Routers can be used to

The playbook for the installation is

Have a routing table file for saprouter

Create a configuration file with the name saprouttab. The simplest one which means: route all ABAP traffic in all directions is a file with the name /usr/sap/saprouter/saprouttab with the content:

P * * *

This means: P(ermit) ALL SOURCE IP/HOSTNAMES to ALL DESTINATION IP/HOSTNAMES using a PORT-RANGE from 3200 – 3299

Create a Policy which grants Access to an S3 Bucket to Download all required Software

Create a policy which looks like the following:

{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/bucket-folder/*"
},
{
"Effect": "Allow",
"Action": ["sS:ListBucket","S3:HeadBucket"],
"Resource": "arn:aws:s3:::bucket-name"
}
]

Replace the following variables with you individual settings

Add this policy to a new role.

Attach the role to the instance when you will create it.

Creation of a Service

SLES 12, 15 or Red Hat will need a service to restart the saprouter whenever needed. Create a file saprouter.service:

[Unit]
Description=SAP Router Configuration
After=syslog.target network.target

[Service]
Type=simple
RemainAfterExit=yes
WorkingDirectory=/usr/sap/saprouter
ExecStart=/usr/sap/saprouter/saprouter -r
ExecStop=/usr/sap/saprouter/saprouter -s
KillMode=none
Restart=no

[Install]
WantedBy=multi-user.target

Start the service with the commands:

systemctl daemon-reload
systemctl enable saprouter.service
systemctl start saprouter.service

Create an Installation Script

Create a file install.sh:

#!/usr/bin/env bash
# version 0.2
# December, 2018
## Run script as super user:
# This script needs one parameter, the URL to access the S3 bucket
# with all downloadble files
# Use the notation s3:my-bucket/myfolder
##BUCKET="s3://stefanschneider-saptesting/saprouter"
BUCKET=$1
SAPSAPROUTTAB="saprouttab"
SERVICE="saprouter.service"
ROUTDIR="/usr/sap/saprouter"
echo "*** 1. Create /usr/sap/saprouter"
mkdir -p ${ROUTDIR}/install
echo "*** 2. Download files"
aws s3 sync ${BUCKET} ${ROUTDIR}/install
cd ${ROUTDIR}/install
# All files will become lowe case files
for f in `find`; do mv -v "$f" "`echo $f | tr '[A-Z]' '[a-z]'`"; done
chmod u+x ${ROUTDIR}/install/${SAPCAR}
chmod u+x uninstall.sh
mv uninstall.sh ..
mv ${SERVICE} /etc/systemd/system/${SERVICE}
for f in `find . -name saprouter*.sar`; do mv -v $f saprouter.sar; done
for f in `find . -name sapcryptolib*.sar`; do mv -v $f sapcryptolib.sar; done
for f in `find . -name sapcar*`; do mv -v $f sapcar; done
chmod u+x sapcar
mv saprouttab ..
echo "*** 3. Unpack files"
cd ${ROUTDIR}
./install/sapcar -xf ${ROUTDIR}/install/saprouter.sar
./install/sapcar -xf ${ROUTDIR}/install/sapcryptolib.sar
echo "*** 4. Start service"
systemctl daemon-reload
systemctl enable ${SERVICE}
systemctl start ${SERVICE}
echo "5. Done..."

The file will work if there are three unique files in the download bucket which are the onlyones with names like sapcar*, sapcrypto*.sar and saprouter*.sar. Capitalztion will not matt Update the bucket-name and the bucket-folder variables matching your individual needs.

Create a De-installation Script

Create a file withe the name uninstall.sh:

#!/usr/bin/env bash
# version 0.1
# December, 2018
## Run as super user:
echo "1. Stopping and disabling service"
systemctl stop saprouter.service
systemctl disable saprouter.service
systemctl daemon-reload
echo "2. Removing files"
rm /etc/systemd/system/saprouter.service
rm -rf /usr/sap/saprouter
echo "3. Completed deinstallation"

Files Upload

Upload the following files to the S3 bucket:

There is no need to make this bucket public. The instance will have an IAM profile which entitles the instance to download the files needed.

Create a UserData file on your Adminstration PC

Create a file prep.sh:

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
BUCKET="s3://bucket-name/bucket-folder"
# take a one scond nap before moving on...
sleep 1
aws s3 cp ${BUCKET}/install.sh /tmp/install.sh
chmod u+x /tmp/install.sh
/tmp/install.sh $BUCKET
--//

Replace bucket-name and bucket-folder with the appropriate values.

This file will get executed when the instance will get created.

Installation of Instance

The following script will launch an instance with an automated saprouter installation. It assumes that

The command is

aws ec2 run-instances --image-id ami-XYZ \
--count 1 --instance-type m5.large \
--key-name aws-key \
--associate-public-ip-address \
--security-group-ids sg-XYZ \
--subnet-id subnet-XYZ \
--iam-instance-profile Name=saprouter-inst \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=PublicSaprouter}]' \
--user-data file://prep.sh

This command will create an instance with

Installation as VPC internal saprouter as a proxy to relay traffic from on-premises users

Omit the parameter --associate-public-ip-address. This parameter creates a public IP address. You don't want this for an internal saprouter.

Installation with the help of an AWS Cloudformation template

Use this template (saprouter.template). It works with SLES 12SP3. Replace the AMIs if you need a higher revision.

  1. Upload the template to an S3 bucket
  2. Upload the SAP installation media and the file saprouttab to a S3 bucket
  3. Execute the file in CloudFormation

Warning: Please check the template upfront. It'll allocate resources in your AWS account. It has the potential to do damage.

More Information

Consult the SAP documentation to configure SNC or more detailed routing entries.