Setting the Profile Parameters for Using SSL

The profile parameters for using SSL mainly comprise the paths ot the SAP Cryptographic Library, the environment variable SECUDIR, and cipher suites.

Procedure

Set the profile parameters in AS ABAP's instance profile as shown in the tables below. If you used the recommended directory DIR_EXECUTABLE, then use the following values for the location of the SAP Cryptographic Library (see SAP Note 1848999 Information published on SAP site

Unix: $(DIR_EXECUTABLE)/libsapcrypto.<ext>
Windows: $(DIR_EXECUTABLE)\sapcrypto.dll

Profile Parameter	Value	Examples
`ssl/ssl_lib`	Path and file name of the SAP Cryptographic Library	UNIX: `/usr/ sap/ <SID>/ SYS/ exe/ run/ libsapcrypto.so` Windows: `<DRIVE>:\usr\ sap\ <SID>\ SYS\ exe\ run\ sapcrypto.dll`
`sec/libsapsecu`	Path and file name of the SAP Cryptographic Library	UNIX: `/usr/ sap/ <SID>/ SYS/ exe/ run/ libsapcrypto.so` Windows: `<DRIVE>:\usr\ sap\ <SID>\ SYS\ exe\ run\ sapcrypto.dll`
`ssf/ssfapi_lib`	Path and file name of the SAP Cryptographic Library	UNIX: `/usr/ sap/ <SID>/ SYS/ exe/ run/ libsapcrypto.so` Windows: `<DRIVE>:\ usr\ sap\ <SID>\ SYS\ exe\ run\ sapcrypto.dll`
`ssf/name`	`SAPSECULIB`	`SAPSECULIB`
ssl/ciphersuites (optional)	List of available cipher suites. If you are using multiple server SSL PSEs, use the parameter icm/ssl_config_<xx> to set server-specific configurations, to include the set of cipher suites. For more information, see SAP Note 510007 .	!eNULL: MEDIUM: HIGH: LOW: EXPORT

Note

Ignore the warnings that the parameters are not known to the system.

Profile Parameter	Value	Examples
icm/ssl_config_<xx>	`CRED=<credential> [, CACHESIZE=<cache size>, LIFETIME=<max. lifetime>, VCLIENT=<SSL client verification>, CIPHERS=<Cipher Suites>]`	`CRED=SAPSSLS.pse, VCLIENT=1`
icm/server_port_<xx>	`PROT=HTTPS, PORT=<port>,TIMEOUT=<timeout_in_ seconds>`	`PROT=HTTPS, PORT=1443, TIMEOUT=900`
icm/HTTPS/verify_client	0: Do not use certificates 1: Allow certificates (default) 2: Require certificates	1

Profile Parameter

Value

Examples

icm/ssl_config_<xx>

CRED=<credential> [, CACHESIZE=<cache size>, LIFETIME=<max. lifetime>, VCLIENT=<SSL client verification>, CIPHERS=<Cipher Suites>]

CRED=SAPSSLS.pse, VCLIENT=1

icm/server_port_<xx>

PROT=HTTPS, PORT=<port>,TIMEOUT=<timeout_in_ seconds>

PROT=HTTPS, PORT=1443, TIMEOUT=900

icm/HTTPS/verify_client

0: Do not use certificates

1: Allow certificates (default)

2: Require certificates

There are also additional SSL-relevant parameters for the ICM and the Web dispatcher. For more information about these parameters, see SSL Parameters for ICM and Web Dispatcher.

Note

If you use multiple SSL server PSEs for multiple identities, then set a port for each identity in the icm/server_port_<xx> profile parameter.

Note

If icm/HTTPS/verify_client= 1, then any users who use Microsoft's Internet Explorer as their Web browser and who do not possess a client certificate will receive an empty certificate selection dialog box when they access the AS ABAP. Therefore, if your users are not going to use client certificates for authentication, then set this parameter to the value 0.

Restart the application server or the ICM.

Note
If you only make changes to the ICM parameters, then it suffices to only restart the ICM.