Setting the Profile Parameters for Using SSL

The profile parameters for using SSL mainly comprise the paths to the SAP Cryptographic Library, the environment variable SECUDIR, and cipher suites.

Procedure

  1. Set the profile parameters in the instance profile of SAP NetWeaver Application Server for ABAP as shown in the tables below.
    Note

    The following profile parameters are obsolete:

    • sec/libsapsecu

    • ssf/name

    • ssf/ssfapi_lib

    • ssl/ssl_lib

    For more information, see SAP Note 2198198.

    | Profile Parameter | Value | Examples |
    |---|---|---|
    | ssl/ciphersuites (optional) | List of available cipher suites. If you are using multiple server SSL PSEs, use the parameter icm/ssl_config_<xx> to set server-specific configurations, including the set of cipher suites. For more information, see SAP Note 510007. | !eNULL: MEDIUM: HIGH: LOW: EXPORT |
    | ccl/fips/enable (optional) | Enables the use of the FIPS 140-2 certified cryptographic kernel. 0: (default value) The built-in crypto kernel inside CommonCryptoLib (technically libsapcrypto.so) is used instead of libslcryptokernel. 1: The FIPS 140-2 certified crypto kernel is used. If libslcryptokernel is not FIPS 140-2 certified, the initialization of the library fails, and the application server cannot start because of dependent errors in other security functions, such as licensing errors and SSL errors. For more information, see SAP Note 2180024. | 0 |

    Note

    Ignore the warnings that the parameters are not known to the system.

    | Profile Parameter | Value | Examples |
    |---|---|---|
    | icm/ssl_config_<xx> | CRED=<credential> [, CACHESIZE=<cache size>, LIFETIME=<max. lifetime>, VCLIENT=<SSL client verification>, CIPHERS=<Cipher Suites>] | CRED=SAPSSLS.pse, VCLIENT=1 |
    | icm/server_port_<xx> | PROT=HTTPS, PORT=<port>, TIMEOUT=<timeout_in_seconds> | PROT=HTTPS, PORT=1443, TIMEOUT=900 |
    | icm/HTTPS/verify_client | 0: Do not use certificates; 1: Allow certificates (default); 2: Require certificates | 1 |

    There are also additional SSL-relevant parameters for the ICM and the Web dispatcher.

    Note

    If you use multiple SSL server PSEs for multiple identities, then set a port for each identity in the icm/server_port_<xx> profile parameter.

    Note

    If icm/HTTPS/verify_client = 1, then any users who use Microsoft Internet Explorer as their Web browser and who do not possess a client certificate receive an empty certificate selection dialog box when they access SAP NetWeaver Application Server for ABAP. If your users are not going to use client certificates for authentication, then set this parameter to the value 0.

  2. Restart the application server and the ICM.
    Note

    If you change only the ICM parameters, then it suffices to restart only the ICM.
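
Added example (not SAP code and not part of the original page): a Python check that reads an instance profile and reports the obsolete parameters listed above, a missing HTTPS port, a missing CRED option, out-of-range client verification values, and cipher strings that enable weak classes. Assumptions: the profile uses `name = value` lines, the classes LOW, EXPORT and eNULL are treated as weak, VCLIENT takes the same 0/1/2 values as icm/HTTPS/verify_client, and all function names and the sample profile are constructed for illustration.

```python
# Parameters this page lists as obsolete (SAP Note 2198198).
OBSOLETE = {"sec/libsapsecu", "ssf/name", "ssf/ssfapi_lib", "ssl/ssl_lib"}
# Assumption of this example: cipher classes reported when a string enables them.
WEAK = {"LOW", "EXPORT", "eNULL"}

def parse_profile(text):
    """Map parameter name -> value for 'name = value' lines; '#' lines are comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_options(value):
    """Turn 'CRED=SAPSSLS.pse, VCLIENT=1' into {'CRED': 'SAPSSLS.pse', 'VCLIENT': '1'}."""
    items = (i.split("=", 1) for i in value.split(",") if "=" in i)
    return {k.strip().upper(): v.strip() for k, v in items}

def weak_classes(spec):
    """Weak classes listed without a leading '!' (a '!' entry is an exclusion)."""
    return sorted({t.strip() for t in spec.split(":")} & WEAK)

def lint(text):
    params, out = parse_profile(text), []
    out += [f"{p}: obsolete parameter" for p in sorted(OBSOLETE & params.keys())]
    ports = [parse_options(v) for k, v in params.items() if k.startswith("icm/server_port_")]
    if not any(p.get("PROT", "").upper() == "HTTPS" for p in ports):
        out.append("icm/server_port_<xx>: no entry with PROT=HTTPS")
    ciphers = {"ssl/ciphersuites": params.get("ssl/ciphersuites", "")}
    verify = {"icm/HTTPS/verify_client": params.get("icm/HTTPS/verify_client", "1")}
    for name in (n for n in params if n.startswith("icm/ssl_config_")):
        opts = parse_options(params[name])
        if "CRED" not in opts:
            out.append(f"{name}: CRED is missing")
        ciphers[name] = opts.get("CIPHERS", "")
        # Assumption: VCLIENT accepts the same 0/1/2 values as verify_client.
        verify[name] = opts.get("VCLIENT", "1")
    out += [f"{n}: enables {weak_classes(s)}" for n, s in ciphers.items() if weak_classes(s)]
    out += [f"{n}: client verification {v!r} is not 0, 1 or 2"
            for n, v in verify.items() if v not in {"0", "1", "2"}]
    return out

# Constructed sample profile; the cipher string is the page's own example value.
SAMPLE = """\
ssl/ssl_lib = /constructed/path/libsapcrypto.so
ssl/ciphersuites = !eNULL: MEDIUM: HIGH: LOW: EXPORT
icm/server_port_0 = PROT=HTTP, PORT=8000
icm/ssl_config_1 = VCLIENT=3, CIPHERS=HIGH
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run against the table's example values (CRED=SAPSSLS.pse, VCLIENT=1 with PROT=HTTPS, PORT=1443, TIMEOUT=900), the check returns no findings; the ssl/ciphersuites example string is reported because it lists LOW and EXPORT without a leading "!".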