Show TOC

 Maintaining ICM Parameters for Using SSLLocate this document in the navigation structure


You can use this procedure to configure the necessary ICM parameters to enable the use of SSL for accessing the AS Java.

SSL is supported for the protocols:

Protocol Secured Protocol








The server uses the same key pair and SSL certificates for all of the protocols.

The protocol and port information are specified in the ICM parameter icm/server_port_<xx> , where <xx> is a sequential number. When setting the port for HTTPS, make sure you select a number that is not already being used.

  • You have OS level access permission for the file system of the AS Java host.
  • The SAP Cryptographic Library is installed and you know where it is located.
  • You know which sequential number to use for the icm/server_port_<xx> parameter.

    You can use either the ICM Monitor or the Web Administration Interface to check the parameter settings.


Configuration from instance profile filename

  1. Using a text editor, open the instance profile of the ICM for the AS Java.

    You can find the instance profile at the following location in the AS Java host file system: /usr/sap/<SID>/SYS/profile . The profile has the name <SID>_<instance>_<hostname> .

  2. Set the HTTPS port to use in the ICM parameter icm/server_port_<xx> . Also, to explicitly specify the location of the SAP Cryptographic Library (for example, if it is not in the default location, which is the directory specified by the $(DIR_LIBRARY) parameter), set the parameter ssl/ssl_lib . See the example below.
    # SSL Configuration: Location of the SAP Cyrptographic Library
    ssl/ssl_lib = <Location of the SAP Cryptographic Library>
    # <protocol> port configuration
    icm/server_port_<xx> = PROT=<protocol>, PORT=5$(SAPSYSTEM)01[, VCLIENT=<0,1,2>]

    To configure a different port for HTTPS communication, specify the desired port in the PORT= parameter.

    In addition, to specify the server's behavior regarding the use of certificates for client authentication, set the corresponding value in the VCLIENT= parameter:

    • 0: No certification is required and the server does not ask for one.
    • 1: The server asks the client to transfer a certificate. If the client does not send a certificate, authentication is performed using another method, for example, basic authentication (default setting). 
    • 2: The client must transfer a valid certificate to the server, otherwise access is denied.

    There are also additional optional parameters. For example, to specify port-specific SSL configurations, use the parameter icm/ssl_config_<xx> . For more information, see icm/server_port_<xx> .

    See the example below.

  3. Restart the ICM so that the parameter settings take effect.

After restarting the ICM instance, the HTTPS port configuration appears in Active Services for the ICM.


The example below shows an extract from an ICM instance profile with SSL and HTTPS port configuration.

# SSL Configuration: Location of the SAP Cryptographic Library
ssl/ssl_lib = $(DIR_EXECUTABLE)/
# https port configuration
icm/server_port_4 = PROT=HTTPS, PORT=5$(SAPSYSTEM)01, VCLIENT=1

See also: