Set the profile parameters in AS ABAP's instance profile as shown in the tables below. If you used the recommended directory DIR_EXECUTABLE, then use the following values for the location of the SAP Cryptographic Library:
Unix: $(DIR_EXECUTABLE)/libsapcrypto.<ext>
Windows: $(DIR_EXECUTABLE)\sapcrypto.dll
Profile Parameter |
Value |
Examples |
---|---|---|
ssl/ssl_lib |
Path and file name of the SAP Cryptographic Library |
UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll |
sec/libsapsecu |
Path and file name of the SAP Cryptographic Library |
UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll |
ssf/ssfapi_lib |
Path and file name of the SAP Cryptographic Library |
UNIX: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so Windows: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll |
ssf/name |
SAPSECULIB |
SAPSECULIB |
ssl/ciphersuites (optional) |
List of available cipher suites. If you are using multiple server SSL PSEs, use the parameter icm/ssl_config_<xx> to set server-specific configurations, to include the set of cipher suites. For more information, see SAP Note 510007. |
!eNULL:MEDIUM:HIGH:LOW:EXPORT |
Note
Ignore the warnings that the parameters are not known to the system.
Profile Parameter |
Value |
Examples |
---|---|---|
CRED=<credential> [, CACHESIZE=<cache size>, LIFETIME=<max. lifetime>, VCLIENT=<SSL client verification>, CIPHERS=<Cipher Suites>] |
CRED=SAPSSLS.pse, VCLIENT=1 |
|
PROT=HTTPS, PORT=<port>,TIMEOUT=<timeout_in_ seconds> |
PROT=HTTPS, PORT=1443, TIMEOUT=900 |
|
0: Do not use certificates 1: Allow certificates (default) 2: Require certificates |
1 |
There are also additional SSL-relevant parameters for the ICM and the Web dispatcher. For more information about these parameters, see SSL Parameters for ICM and Web Dispatcher.
Note
If you use multiple SSL server PSEs for multiple identities, then set a port for each identity in the icm/server_port_<xx> profile parameter.
Note
If icm/HTTPS/verify_client = 1, then any users who use Microsoft's Internet Explorer as their Web browser and who do not possess a client certificate will receive an empty certificate selection dialog box when they access the AS ABAP. Therefore, if your users are not going to use client certificates for authentication, then set this parameter to the value 0.
Restart the application server or the ICM.
Note
If you only make changes to the ICM parameters, then it suffices to only restart the ICM.