Connecting to an ABAP System via SAProuter

When connecting RunMyJobs to an ABAP instance, it may be necessary to use an intermediary routing product called SAProuter. SAProuter allows software residing on different networks to connect to each other.

An RFC connection can pass through as many SAPRouters as required. A common use case is where RFC connections are transferred over the internet between two sites A and B. In such situations, there are usually two SAPRouters involved, one on the interface between site A and the internet, and one between site B and the internet.

Configuring SAProuter is not difficult but must be done carefully. This is especially true if you use SNC, because SNC requires that both parties involved must have exactly the correct information before they agree to communicate. For more information, see the SAP documentation on SAProuter

Configuration is Direction-Oriented

When setting up SAPRouter, keep in mind that RFC connections originate from one system and make an outgoing connection to a second system. Allowing client applications in network A to connect to RFC servers in network B does not allow client applications in network B to connect to RFC servers in network A. This asymmetric behavior is reflected in the configuration files: if you want to allow RFC connections to be set up in two directions, you will need multiple configuration files.

SAProuter and Secure Network Connection (SNC)

SAProuter allows all parts of the network connections to be encrypted and/or authenticated via SNC. However, SNC is not always preferred or recommended, because encryption uses CPU resources and may have a negative impact on throughput on fast networks. On the other hand, on slow networks the SNC may improve throughput because it compresses data.

For this reason, SNC is not recommended for use on internal networks private to your data center or protected by a VPN. Only when RFC data flows over networks that contain untrusted nodes that could capture the data or even act as if they are a proper source then should SNC be used. The Internet is the prime example of such an untrusted network.

Adding an SAProuter also gives more flexibility on where encryption resources are consumed and allows for mixed types of servers.

SNC uses a layered architecture with a pluggable API called GSS-API. It can work with any GSS-API compatible plug-in library, as long as the GSS-API library on both sides of the secured connection are compatible.

Configuring RunMyJobs for SAPRouter

To make use of SAProuter, you must adjust the RFC connect string (Configure > Admin > Manage Connections > SAP Systems > Edit > SAP System tab > RFC Connect String field). The syntax for this string is as follows:

ASHOST={saprouter1}[{saprouter2}...]{sapsystem}

Every {saprouter} requires one to three routing items:

  1. /H/host (name or IP address): This is mandatory. There is no default.
  2. /S/service (name or number): The default is 3299.
  3. /P/password: The default is null. Whether this is required depends on the SAP router configuration.

The final {sapsystem} hostname consists of just /H/hostname.

Here is a sample RFC Connect String value:

ASHOST=/H/saprouter1.local/S/3290/H/saprouter2.example.com/H/sapsystem.example.local

This example routes first to a host named saprouter1 on the local network where the RunMyJobs server is installed. This is a connection to a non-standard port (3290). The next hop is across the internet to a router accessible from saprouter1.local as saprouter2.example.com, which is accessed on the standard port 3299. The final hop is from saprouter2 on its local network example.local to the actual ABAP instance.