Setting the Profile Parameters for Using SSL

Procedure

  1. Set the profile parameters in AS ABAP's instance profile as shown in the tables below. If you used the recommended directory DIR_EXECUTABLE, then use the following values for the location of the SAP Cryptographic Library:

    • Unix: $(DIR_EXECUTABLE)/libsapcrypto.<ext>

    • Windows: $(DIR_EXECUTABLE)\sapcrypto.dll

    Trust Manager Parameters

    | Profile Parameter | Value | Examples |
    |---|---|---|
    | ssl/ssl_lib | Path and file name of the SAP Cryptographic Library | UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so; Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll |
    | sec/libsapsecu | Path and file name of the SAP Cryptographic Library | UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so; Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll |
    | ssf/ssfapi_lib | Path and file name of the SAP Cryptographic Library | UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so; Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll |
    | ssf/name | SAPSECULIB | SAPSECULIB |
    | ssl/ciphersuites (optional) | List of available cipher suites. If you are using multiple server SSL PSEs, use the parameter icm/ssl_config_<xx> to set server-specific configurations, to include the set of cipher suites. For more information, see SAP Note 510007. | !eNULL:MEDIUM:HIGH:LOW:EXPORT |

    Note: Ignore the warnings that the parameters are not known to the system.

    ICM Parameters

    | Profile Parameter | Value | Examples |
    |---|---|---|
    | icm/ssl_config_<xx> | CRED=<credential> [, CACHESIZE=<cache size>, LIFETIME=<max. lifetime>, VCLIENT=<SSL client verification>, CIPHERS=<Cipher Suites>] | CRED=SAPSSLS.pse, VCLIENT=1 |
    | icm/server_port_<xx> | PROT=HTTPS, PORT=<port>, TIMEOUT=<timeout_in_seconds> | PROT=HTTPS, PORT=1443, TIMEOUT=900 |
    | icm/HTTPS/verify_client | 0: Do not use certificates; 1: Allow certificates (default); 2: Require certificates | 1 |

    There are also additional SSL-relevant parameters for the ICM and the Web Dispatcher. For more information about these parameters, see SSL Parameters for ICM and Web Dispatcher.

    Note: If you use multiple SSL server PSEs for multiple identities, then set a port for each identity in the icm/server_port_<xx> profile parameter.

    Note: If icm/HTTPS/verify_client = 1, then any users who use Microsoft's Internet Explorer as their Web browser and who do not possess a client certificate will receive an empty certificate selection dialog box when they access the AS ABAP. Therefore, if your users are not going to use client certificates for authentication, then set this parameter to the value 0.

  2. Restart the application server or the ICM.

    Note: If you only make changes to the ICM parameters, then it is sufficient to restart only the ICM.
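
Before the restart in step 2, the profile can be checked against the tables above. The following Python linter is an added example, not SAP code or part of the original documentation: it parses an instance profile excerpt and reports parameters that deviate from the documented values. The sample profile, the SID ABC and all function names are constructed for illustration, and flagging the LOW, EXPORT and eNULL cipher classes when they are not negated is this example's own policy assumption, not a rule stated on this page.

```python
import re
# Constructed sample profile (not from a real system); values follow the page's examples.
SAMPLE_PROFILE = """
ssl/ssl_lib = /usr/sap/ABC/SYS/exe/run/libsapcrypto.so
sec/libsapsecu = /usr/sap/ABC/SYS/exe/run/libsapcrypto.so
ssf/ssfapi_lib = /usr/sap/ABC/SYS/exe/run/libsapcrypto.so
ssf/name = SAPSECULIB
ssl/ciphersuites = !eNULL:MEDIUM:HIGH:LOW:EXPORT
icm/ssl_config_0 = CRED=SAPSSLS.pse, VCLIENT=1
icm/server_port_1 = PROT=HTTPS, PORT=1443, TIMEOUT=900
icm/HTTPS/verify_client = 1
"""
LIB_PARAMS = ("ssl/ssl_lib", "sec/libsapsecu", "ssf/ssfapi_lib")
WEAK_CLASSES = {"LOW", "EXPORT", "eNULL"}  # assumption: this example's own policy

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def options(value):
    """Split 'PROT=HTTPS, PORT=1443' into {'PROT': 'HTTPS', 'PORT': '1443'}."""
    pairs = (item.split("=", 1) for item in value.split(",") if "=" in item)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def check_profile(text):
    p, findings = parse_profile(text), []
    for name in LIB_PARAMS:  # all three must name the SAP Cryptographic Library
        lib = re.split(r"[\\/]", p.get(name, ""))[-1]
        if not (lib.startswith("libsapcrypto.") or lib == "sapcrypto.dll"):
            findings.append(f"{name}: not set to the SAP Cryptographic Library")
    if p.get("ssf/name") != "SAPSECULIB":
        findings.append("ssf/name: expected SAPSECULIB")
    ports = [options(v) for k, v in p.items() if k.startswith("icm/server_port_")]
    if not any(o.get("PROT") == "HTTPS" and o.get("PORT", "").isdigit() for o in ports):
        findings.append("icm/server_port_<xx>: no PROT=HTTPS entry with a numeric PORT")
    for k, v in p.items():
        if k.startswith("icm/ssl_config_") and "CRED" not in options(v):
            findings.append(f"{k}: CRED is missing")
    if p.get("icm/HTTPS/verify_client", "1") not in {"0", "1", "2"}:  # 1 is the default
        findings.append("icm/HTTPS/verify_client: must be 0, 1 or 2")
    ciphers = p.get("ssl/ciphersuites", "").split(":")  # '!'-negated tokens do not match
    findings += [f"ssl/ciphersuites: weak class {t} enabled" for t in ciphers if t in WEAK_CLASSES]
    return findings
```

Run against the constructed sample, `check_profile(SAMPLE_PROFILE)` reports only the LOW and EXPORT classes taken from the page's example cipher string.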