icm/ssl_config_<xx>
Use
You use this parameter to configure the SSL certificates.
This configuration includes a credential, the SSL server cache size, the retention period of the cache objects, the SSL client verification, and the permitted SSL Cipher Suites.
Also, the TLS enhancement "Server Name Indication (SNI)" can be activated by this parameter on the server-side. This makes it possible for more than one certificate to be assigned to a port.
You can use this SSL configuration when defining services in the ICM and Web dispatcher in parameter icm/server_port_<xx>.
Prerequisites
The parameter is only relevant for SSL configurations for ICM or Web dispatcher (communication using HTTPS).
SSL is particularly significant for the Web dispatcher since it resides in the DMZ and is used as the entry point for queries from the Internet.
Structure
| Work area | Internet Communication Manager, SAP Web Dispatcher |
|---|---|
| Unit | Character string |
| Default value | Not set |
| Dynamically changeable | The subparameter ID must be used for a dynamic change. |
Value Range and Syntax
The character string has the following syntax:
[ID=<name for referencing>,] CRED=<credential> [, CACHESIZE=<cache size>,
LIFETIME=<max. lifetime>, VCLIENT=<SSL client verification>,
CIPHERS=<Cipher Suites>, SNI_CREDS=<list of credentials for SNI>]
The credential must be specified; the other values are optional.
The options are described below.
| Option | Description |
|---|---|
| ID | Name that can be used for referencing in icm/server_port_<xx> parameters. This subparameter is optional. If it is not set, the parameter name including the index, but without the prefix (ssl_config_<xx>) is used for referencing. |
| CRED | Credential to be used (fully qualified file name) |
| CACHESIZE | Maximum number of entries that may be in the cache |
| LIFETIME | Maximum lifetime of an entry in seconds |
| VCLIENT | SSL client verification; possible values 0, 1, 2 (analogous to the option VCLIENT of parameter icm/server_port_<xx>) |
| CIPHERS | List of supported Cipher Suites. For more information about this option and the syntax, see SAP Note 510007 |
| SNI_CREDS | ';' separated list of credentials for SNI. For the PSE files configured here, TLS Server Name Indication (SNI) is activated. Each selected certificate is assigned to the server name for which the certificate was created (SUBJECT attribute of the certificate). If a client opens a connection to one of these server names, the certificate linked to that server name is used for further SSL communication. If the client does not use SNI, or no certificate was found for the server name, the certificate configured in CRED continues to be used. This subparameter is optional. If it is not set, SNI is not activated. |
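The following Python sketch is an added example, not SAP code: it checks a profile value against the syntax and option rules above and models the documented SNI fallback to CRED. The function names, the PSE paths, the host names and the subject map are constructed; it assumes option values contain no commas and that the caller supplies the server name taken from each certificate's SUBJECT.

```python
KNOWN = ("ID", "CRED", "CACHESIZE", "LIFETIME", "VCLIENT", "CIPHERS", "SNI_CREDS")

def parse_ssl_config(param_name, value):
    """Parse one icm/ssl_config_<xx> value; raise ValueError if it breaks the rules above."""
    cfg = {}
    for part in value.split(","):  # assumption: option values contain no commas
        key, sep, val = (s.strip() for s in part.partition("="))
        if key not in KNOWN or not sep or not val:
            raise ValueError(f"bad option: {part.strip()!r}")
        if key in cfg:
            raise ValueError(f"duplicate option: {key}")
        cfg[key] = val
    if "CRED" not in cfg:
        raise ValueError("CRED must be specified")
    # Without ID, the parameter name with index but without the prefix is the reference.
    cfg.setdefault("ID", param_name.split("/", 1)[-1])
    for key in ("CACHESIZE", "LIFETIME"):
        if key in cfg:
            if not cfg[key].isdecimal():
                raise ValueError(f"{key} must be a non-negative integer")
            cfg[key] = int(cfg[key])
    if "VCLIENT" in cfg:
        if cfg["VCLIENT"] not in ("0", "1", "2"):
            raise ValueError("VCLIENT must be 0, 1 or 2")
        cfg["VCLIENT"] = int(cfg["VCLIENT"])
    sni = cfg.get("SNI_CREDS", "")  # ';' separated; absent means SNI is not activated
    cfg["SNI_CREDS"] = [c.strip() for c in sni.split(";") if c.strip()]
    return cfg

def select_credential(cfg, subject_of, server_name):
    """Return the PSE chosen for a requested server name (subject_of: PSE path -> server name)."""
    if server_name:  # None or "" means the client sent no SNI
        for pse in cfg["SNI_CREDS"]:
            if subject_of.get(pse, "").lower() == server_name.lower():
                return pse
    return cfg["CRED"]  # fallback: no SNI, or no certificate for that server name

# Constructed sample value and subject map (not taken from a real system).
SAMPLE = ("CRED=/constructed/sec/default.pse, VCLIENT=1, LIFETIME=900, "
          "SNI_CREDS=/constructed/sec/shop.pse;/constructed/sec/portal.pse")
SUBJECTS = {"/constructed/sec/shop.pse": "shop.example.com",
            "/constructed/sec/portal.pse": "portal.example.com"}

if __name__ == "__main__":
    cfg = parse_ssl_config("icm/ssl_config_0", SAMPLE)
    for name in ("shop.example.com", "unknown.example.com", None):
        print(name, "->", select_credential(cfg, SUBJECTS, name))
```

Running such a check over profile files before a restart catches a missing CRED or an out-of-range VCLIENT, and shows which host names would silently be served the default certificate.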
