Configuring SAProuter (as a service) on Linux
Installing a saprouter on Linux is straightforward ... at least without using SNC.
SAP Routers can be used to
- connect your production system to SAP Remote Services
- route traffic of on-premises SAP GUI users to a peered VPC
- allow on-premises SAP GUI users to reach highly available SAP systems which use an overlay IP address
The playbook for the installation is
- Create the service unit, the installation and de-installation scripts and a saprouter routing table file
- Copy all files to a private S3 bucket
- Create a policy which allows the instance to pull the files from the S3 bucket
- Use an AWS CLI command to create an instance which will automatically install the saprouter
Have a routing table file for saprouter
Create a configuration file with the name saprouttab. The simplest one, which routes all traffic in all directions, is a file with the name /usr/sap/saprouter/saprouttab and the content:
P * * *
This means: P(ermit) ALL SOURCE IP/HOSTNAMES to ALL DESTINATION IP/HOSTNAMES on ALL SERVICES. Note that the `*` in the service column permits every destination port, not only the dispatcher range 3200 - 3299. Such a table is fine for a first test, but a router which is reachable from the internet needs explicit entries (source, destination, service) followed by a final `D * * *` deny rule, because saprouter uses the first line that matches a connection.
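Because a wide-open table is easy to ship by accident, it is worth checking the saprouttab before it goes into the bucket. The following script is an added example and not part of the original page: lint_saprouttab flags rules that accept any source host or any destination port and rejects unknown rule types, and write_example_saprouttab writes a restrictive table of the kind described above. The addresses, the dispatcher port 3200 and the localhost entry for the router's own administration commands are placeholders and assumptions, not values from the page.

```shell
#!/usr/bin/env bash
# Lint a saprouttab before deploying it (added example, not from the page).
# Rule types P, S, D and the SNC variants KT/KP/KS/KD, plus "first matching
# line wins", follow the saprouter documentation.

# lint_saprouttab FILE
# Prints one warning per risky line on stderr; returns 1 if any was found.
lint_saprouttab() {
  local file=$1 lineno=0 rc=0 kind src dst svc rest
  # read splits on whitespace, so no unquoted expansion of '*' can glob files
  while read -r kind src dst svc rest || [ -n "$kind" ]; do
    lineno=$((lineno + 1))
    case "$kind" in ''|'#'*) continue ;; esac     # blank lines and comments
    svc=${svc:-*}                                 # missing service column means any service
    case "$kind" in
      P|S|D|KT|KP|KS|KD) ;;
      *) echo "line $lineno: unknown rule type '$kind'" >&2; rc=1; continue ;;
    esac
    if [ "$kind" != D ] && [ "$src" = '*' ]; then
      echo "line $lineno: '$kind' rule accepts connections from any source host" >&2; rc=1
    fi
    if [ "$kind" != D ] && [ "$svc" = '*' ]; then
      echo "line $lineno: service '*' permits every destination port, not only 32NN" >&2; rc=1
    fi
  done < "$file"
  return "$rc"
}

# write_example_saprouttab FILE
# Writes a restrictive table: one on-premises network may reach one
# application server's dispatcher, everything else is denied.
# Addresses and ports are placeholders (assumption, not from the page).
write_example_saprouttab() {
  cat > "$1" <<'EOF'
# local administration of the router on its own port 3299
# (assumed to be needed so the final deny rule does not block saprouter -s)
P 127.0.0.1 127.0.0.1 3299
# SAP GUI users in 10.200.x.x may reach the dispatcher of instance 00 only
S 10.200.*.* 10.0.1.10 3200
# first match wins, so the catch-all deny goes last
D * * *
EOF
}

# Usage: lint-saprouttab.sh /usr/sap/saprouter/saprouttab
if [ $# -ge 1 ]; then
  lint_saprouttab "$1"
fi
```

Run it against the saprouttab in the bucket as part of the upload step; a non-zero exit means the table still contains a rule that would permit any host or any port.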
Create a Policy which grants Access to an S3 Bucket to Download all required Software
Create a policy which looks like the following (s3:GetObject downloads the files, s3:ListBucket lets aws s3 sync enumerate the folder and also covers the HeadBucket call):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/bucket-folder/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-name"
    }
  ]
}
Replace the following variables with your individual settings
- bucket-name: the name of the bucket which stores all files to be downloaded
- bucket-folder: the subfolder which contains the files to be downloaded; it is optional
Add this policy to a new role whose trust policy allows ec2.amazonaws.com to assume it.
Attach the role (as an instance profile) to the instance when you create it.
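The page describes the role only in words; the following script is an added example (not from the original page) which creates the trust policy, the bucket policy, the role and the instance profile with the AWS CLI. The role name, bucket name and folder are parameters; the s3:prefix condition on ListBucket, which limits directory listings to the one folder, is an addition of this example and not something the page mentions.

```shell
#!/usr/bin/env bash
# Create the IAM role and instance profile for the saprouter instance.
# Added example, not part of the original page.
set -eu

# Trust policy: only the EC2 service may assume the role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Read-only access to one folder of one bucket.
# s3_download_policy BUCKET FOLDER
s3_download_policy() {
  local bucket=$1 folder=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${bucket}/${folder}/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}",
      "Condition": {"StringLike": {"s3:prefix": ["${folder}/*"]}}
    }
  ]
}
EOF
}

# create_saprouter_profile ROLE BUCKET FOLDER
# Role and instance profile get the same name so that
# --iam-instance-profile Name=ROLE works in run-instances.
create_saprouter_profile() {
  local role=$1 bucket=$2 folder=$3
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam put-role-policy --role-name "$role" \
    --policy-name saprouter-s3-download \
    --policy-document "$(s3_download_policy "$bucket" "$folder")"
  aws iam create-instance-profile --instance-profile-name "$role"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$role" --role-name "$role"
}

# Usage: create-saprouter-role.sh saprouter-inst bucket-name bucket-folder
if [ $# -eq 3 ]; then
  create_saprouter_profile "$1" "$2" "$3"
fi
```

Nothing in the policies grants write access, so an attacker on the instance cannot replace the installation media in the bucket; who may write to the bucket is a separate decision and should be just as restrictive.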
Creation of a Service
SLES 12, SLES 15 or Red Hat need a systemd service so that the saprouter starts at boot and can be stopped and restarted cleanly. Create a file saprouter.service (as shown it runs the router as root; for an internet-facing router create a dedicated unprivileged user, make it the owner of /usr/sap/saprouter and add a User= line to the [Service] section):
[Unit]
Description=SAP Router Configuration
After=syslog.target network.target

[Service]
Type=simple
RemainAfterExit=yes
WorkingDirectory=/usr/sap/saprouter
ExecStart=/usr/sap/saprouter/saprouter -r
ExecStop=/usr/sap/saprouter/saprouter -s
KillMode=none
Restart=no

[Install]
WantedBy=multi-user.target
Start the service with the commands:
systemctl daemon-reload
systemctl enable saprouter.service
systemctl start saprouter.service
Create an Installation Script
Create a file install.sh:
#!/usr/bin/env bash
# version 0.2
# December, 2018
## Run script as super user:
# This script needs one parameter, the URL to access the S3 bucket
# with all downloadable files
# Use the notation s3://my-bucket/myfolder
set -eu
BUCKET=$1
SAPROUTTAB="saprouttab"
SERVICE="saprouter.service"
ROUTDIR="/usr/sap/saprouter"
echo "*** 1. Create ${ROUTDIR}"
mkdir -p ${ROUTDIR}/install
echo "*** 2. Download files"
aws s3 sync "${BUCKET}" ${ROUTDIR}/install
cd ${ROUTDIR}/install
# All file names become lower case
for f in $(find . -type f); do
  lc=$(echo "$f" | tr '[:upper:]' '[:lower:]')
  [ "$f" = "$lc" ] || mv -v "$f" "$lc"
done
chmod u+x uninstall.sh
mv uninstall.sh ..
mv ${SERVICE} /etc/systemd/system/${SERVICE}
# Normalize the SAP archive names, whatever release was uploaded
for f in $(find . -name 'saprouter*.sar'); do mv -v "$f" saprouter.sar; done
for f in $(find . -name 'sapcryptolib*.sar'); do mv -v "$f" sapcryptolib.sar; done
for f in $(find . -name 'sapcar*'); do mv -v "$f" sapcar; done
chmod u+x sapcar
mv ${SAPROUTTAB} ..
echo "*** 3. Unpack files"
cd ${ROUTDIR}
./install/sapcar -xf ${ROUTDIR}/install/saprouter.sar
./install/sapcar -xf ${ROUTDIR}/install/sapcryptolib.sar
echo "*** 4. Start service"
systemctl daemon-reload
systemctl enable ${SERVICE}
systemctl start ${SERVICE}
systemctl is-active ${SERVICE}
echo "*** 5. Done..."
The script works if the download bucket contains exactly three files whose names match sapcar*, sapcrypto*.sar and saprouter*.sar; capitalization does not matter. Pass the bucket name and bucket folder as the script parameter in the form s3://bucket-name/bucket-folder. The script installs whatever it finds in the bucket without checking a signature or checksum, so write access to the bucket must be restricted as tightly as read access.
Create a De-installation Script
Create a file with the name uninstall.sh:
#!/usr/bin/env bash
# version 0.1
# December, 2018
## Run as super user:
echo "1. Stopping and disabling service"
systemctl stop saprouter.service
systemctl disable saprouter.service
echo "2. Removing files"
rm -f /etc/systemd/system/saprouter.service
rm -rf /usr/sap/saprouter
systemctl daemon-reload
echo "3. Completed deinstallation"
Files Upload
Upload the following files to the S3 bucket:
- sapcar
- Cryptolib installation file
- saprouter installation file
- saprouttab
- install.sh
- uninstall.sh
- saprouter.service
There is no need to make this bucket public. The instance has an IAM instance profile which entitles it to download the files it needs.
Create a UserData file on your Administration PC
Create a file prep.sh:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
BUCKET="s3://bucket-name/bucket-folder"
# take a one second nap before moving on...
sleep 1
aws s3 cp ${BUCKET}/install.sh /tmp/install.sh
chmod u+x /tmp/install.sh
/tmp/install.sh $BUCKET
--//
Replace bucket-name and bucket-folder with the appropriate values.
This file gets executed when the instance is created. Because of the `[scripts-user, always]` setting in the cloud-config part, the script also runs again on every reboot, so each boot re-syncs the bucket and re-installs the saprouter; drop the `always` if you only want the first boot to do that.
Installation of Instance
The following command will launch an instance with an automated saprouter installation. It assumes that
- the local account has the AWS CLI (Command Line Interface) configured
- the AMI-ID is that of a SLES 12 or SLES 15 AMI available in the region (image-id parameter)
- there is a security group with the appropriate ports open (security-group-ids parameter): for the saprouter itself only TCP 3299, limited to the source addresses which need it, plus ssh from your administration network
- the file prep.sh is in the directory where the command gets launched
- there is a subnet with Internet access and access to the SAP systems (subnet-id parameter)
- there is an IAM role which grants access to the appropriate S3 bucket (iam-instance-profile parameter)
- aws-key is the name of an EC2 key pair which allows login through ssh; it needs to exist upfront
The command is
aws ec2 run-instances --image-id ami-XYZ \
  --count 1 --instance-type m5.large \
  --key-name aws-key \
  --associate-public-ip-address \
  --security-group-ids sg-XYZ \
  --subnet-id subnet-XYZ \
  --iam-instance-profile Name=saprouter-inst \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=PublicSaprouter}]' \
  --user-data file://prep.sh
This command will create an instance with
- a public IP address
- a running saprouter
- a service being configured for the saprouter
- SAP Cryptolib currently gets unpacked but not configured (stay tuned)
Installation as a VPC-internal saprouter acting as a proxy to relay traffic from on-premises users
Omit the parameter --associate-public-ip-address. This parameter assigns a public IP address, which you don't want for an internal saprouter.
Installation with the help of an AWS Cloudformation template
Use this template (saprouter.template). It works with SLES 12 SP3. Replace the AMIs if you need a higher revision.
- Upload the template to an S3 bucket
- Upload the SAP installation media and the file saprouttab to a S3 bucket
- Execute the file in CloudFormation
Warning: Please check the template upfront. It'll allocate resources in your AWS account. It has the potential to do damage.
More Information
Consult the SAP documentation to configure SNC or more detailed routing entries.