The profile parameters for using SSL mainly comprise the paths of the SAP Cryptographic Library, the environment variable SECUDIR, and cipher suites.
Unix: $(DIR_EXECUTABLE)/libsapcrypto.<ext>
Windows: $(DIR_EXECUTABLE)\sapcrypto.dll
| Profile Parameter | Value | Examples |
|---|---|---|
| ssl/ssl_lib | Path and file name of the SAP Cryptographic Library | UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll |
| sec/libsapsecu | Path and file name of the SAP Cryptographic Library | UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll |
| ssf/ssfapi_lib | Path and file name of the SAP Cryptographic Library | UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll |
| ssf/name | SAPSECULIB | SAPSECULIB |
| ssl/ciphersuites (optional) | List of available cipher suites. If you are using multiple server SSL PSEs, use the parameter icm/ssl_config_<xx> to set server-specific configurations, to include the set of cipher suites. For more information, see SAP Note 510007. | !eNULL:MEDIUM:HIGH:LOW:EXPORT |
Ignore the warnings that the parameters are not known to the system.
| Profile Parameter | Value | Examples |
|---|---|---|
| | CRED=<credential> [, CACHESIZE=<cache size>, LIFETIME=<max. lifetime>, VCLIENT=<SSL client verification>, CIPHERS=<Cipher Suites>] | CRED=SAPSSLS.pse, VCLIENT=1 |
| | PROT=HTTPS, PORT=<port>, TIMEOUT=<timeout_in_seconds> | PROT=HTTPS, PORT=1443, TIMEOUT=900 |
| | 0: Do not use certificates; 1: Allow certificates (default); 2: Require certificates | 1 |
There are also additional SSL-relevant parameters for the ICM and the Web dispatcher. For more information about these parameters, see SSL Parameters for ICM and Web Dispatcher.
If you use multiple SSL server PSEs for multiple identities, then set a port for each identity in the icm/server_port_<xx> profile parameter.
If icm/HTTPS/verify_client = 1, then any users who use Microsoft's Internet Explorer as their Web browser and who do not possess a client certificate will receive an empty certificate selection dialog box when they access the AS ABAP. Therefore, if your users are not going to use client certificates for authentication, set this parameter to the value 0.
If you change only ICM parameters, restarting the ICM is sufficient.
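The following added example (not SAP code and not part of the original page) checks an instance profile offline against the parameters described above. The sample profile is constructed; the `name = value` line format, the rule that all three library parameters should name the same file, and VCLIENT accepting the same values 0, 1 and 2 as icm/HTTPS/verify_client are assumptions.

```python
# Constructed sample instance profile (not from a real system).
SAMPLE_PROFILE = """\
ssl/ssl_lib = /usr/sap/ABC/SYS/exe/run/libsapcrypto.so
sec/libsapsecu = /usr/sap/ABC/SYS/exe/run/libsapcrypto.so
ssf/ssfapi_lib = /usr/sap/ABC/SYS/exe/run/libsapsecu.so
ssf/name = SAPSECULIB
icm/server_port_1 = PROT=HTTPS, PORT=1443, TIMEOUT=900
icm/ssl_config_1 = CRED=SAPSSLS.pse, VCLIENT=3
icm/HTTPS/verify_client = 1
"""

LIB_PARAMS = ("ssl/ssl_lib", "sec/libsapsecu", "ssf/ssfapi_lib")

def parse_profile(text):
    """Return {parameter: value}; assumes 'name = value' lines and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def parse_options(value):
    """Split 'CRED=x, VCLIENT=1' into {'CRED': 'x', 'VCLIENT': '1'}."""
    return dict(i.strip().split("=", 1) for i in value.split(",") if "=" in i)

def check_ssl_profile(text):
    """Return a list of findings for the SSL parameters in the tables above."""
    p = parse_profile(text)
    findings = [f"{n} is not set" for n in LIB_PARAMS if n not in p]
    # Assumption: all three parameters should name the same library file.
    if len({p[n] for n in LIB_PARAMS if n in p}) > 1:
        findings.append("library parameters name different files")
    if p.get("ssf/name") != "SAPSECULIB":
        findings.append("ssf/name is not SAPSECULIB")
    ports = [parse_options(v) for k, v in p.items() if k.startswith("icm/server_port_")]
    if not any(o.get("PROT") == "HTTPS" for o in ports):
        findings.append("no icm/server_port_<xx> with PROT=HTTPS")
    # Client verification: global value (default 1) plus any per-config VCLIENT.
    vclient = [("icm/HTTPS/verify_client", p.get("icm/HTTPS/verify_client", "1"))]
    for k, v in p.items():
        if k.startswith("icm/ssl_config_"):
            opts = parse_options(v)
            if "CRED" not in opts:
                findings.append(f"{k} has no CRED")
            if "VCLIENT" in opts:
                vclient.append((k, opts["VCLIENT"]))
    findings += [f"{k}: value {v} is not 0, 1 or 2" for k, v in vclient if v not in ("0", "1", "2")]
    return findings
```

Calling `check_ssl_profile(SAMPLE_PROFILE)` reports the mismatched library path and the out-of-range VCLIENT value in the constructed sample.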