The profile parameters for using SSL mainly comprise the paths ot the SAP Cryptographic Library, the environment variable SECUDIR, and cipher suites.
The following profile parameters are obsolete:
sec/libsapsecu
ssf/name
ssf/ssfapi_lib
ssl/ssl_lib
For more information, see SAP Note 2198198 .
Profile Parameter |
Value |
Examples |
---|---|---|
ssl/ciphersuites (optional) |
List of available cipher suites. If you are using multiple server SSL PSEs, use the parameter icm/ssl_config_<xx> to set server-specific configurations, to include the set of cipher suites. For more information, see SAP Note 510007 . |
!eNULL: MEDIUM: HIGH: LOW: EXPORT |
ccl/fips/enable (optional) |
Enables the use of the FIPS 140-2 certified cryptographic kernel. 0: (default value) The built-in crypto kernel inside of CommonCryptoLib (technically libsapcrypto.so) is used instead of libslcryptokernel. 1: The FIPS 140-2 certified crypto kernel is used. If the libslcryptokernel is not a FIPS 140-2 certified one, the initialization of the library fails. The application server cannot start because of dependent errors in other security functions, such as, licensing errors, SSL errors, and so on. For more information, see SAP Note 2180024 . |
0 |
Ignore the warnings that the parameters are not known to the system.
Profile Parameter |
Value |
Examples |
---|---|---|
icm/ssl_config_<xx> |
CRED=<credential> [, CACHESIZE=<cache size>, LIFETIME=<max. lifetime>, VCLIENT=<SSL client verification>, CIPHERS=<Cipher Suites>] |
CRED=SAPSSLS.pse, VCLIENT=1 |
icm/server_port_<xx> |
PROT=HTTPS, PORT=<port>,TIMEOUT=<timeout_in_ seconds> |
PROT=HTTPS, PORT=1443, TIMEOUT=900 |
icm/HTTPS/verify_client |
0: Do not use certificates 1: Allow certificates (default) 2: Require certificates |
1 |
There are also additional SSL-relevant parameters for the ICM and the Web dispatcher.
If you use multiple SSL server PSEs for multiple identities, then set a port for each identity in the icm/server_port_<xx> profile parameter.
If icm/HTTPS/verify_client= 1, then any users who use Microsoft Internet Explorer as their Web browser and who do not possess a client certificate receive an empty certificate selection dialog box when they access SAP NetWeaver Application Server for ABAP. If your users are not going to use client certificates for authentication, then set this parameter to the value 0.
If you only change the ICM parameters, then it suffices to only restart the ICM.