Install a server certificate in SAP NetWeaver ABAP – 3.6 Import CA certificate into SAP NetWeaver ABAP PSE

In case your ICF will serve only as a HTTPS server, you do not need to do this. In case you want your ABAP server to connect to another web server, this may be of interest. In that case, your ABAP server acts as a client and will receive a server certificate, just like your browser does. While a browser comes with a pre-installed list of CAs, the PSE does not have this. Therefore, ABAP will reject the server certificate received when opening a TLS connection. To make ABAP accept the certificate, either the server certificate must be imported or the CA certificate. Importing each server certificate is not the best approach (number of servers, lifetime, management), importing the CA certificate will make ABAP accept connects too, as long as the received server certificate was issued by this CA.

Transaction: STRUST

Open the SSL server standard PSE and switch to edit mode. Click on import certificate

Select the tab File and give the path to the CA certificate.

Check the information of the certificate.

If everything is OK, add the certificate to the certificate list.

Click save


CA certificate is imported into the PSE. With this, the PSE can validate successfully each certificate received and that is signed by the CA.

Install a server certificate in SAP NetWeaver ABAP – 3.5 Test the new server certificate

After the server certificate is installed, ICM should automatically make use of it. To see if SSL/TLS connections are now working, two tests should be executed:

  1. Check SSL port setup
  2. Access service using TLS

1. Making Sure the SSL Port is set up correctly

This step checks that ICM is configured to accept TLS connections. SAP Help

Transaction: SMICM

Select: Goto from the menu and then Services.

Check that HTTPS is listed and note the port number. Here: 8100.

2. Testing the Connection for SSL Server Authentication

With ICM configured to accept TLS connections on port 8100, the last test is to check if it works with a browser. SAP Help. Open a service in your web browser. To check that the service Works, open it first in normal HTTP.


If the worked, open the URL as HTTPS.


Check the certificate used by ICM.


The server certificate is issued by to This shows that the SSL certificate of the right PSE is being used by ICM.

Install a server certificate in SAP NetWeaver ABAP – 3.4 Import the certificate response from CA

After the CA issued the certificate, it must be imported into the PSE that issued the CSR. During the import step a verification of the private / public key will happen. This ensures that you import the right public key into the PSE. This also means that you cannot use another PSE for the CSR, as the private key would be different. SAP Help

Transaction: STRUST

Switch on edit mode and select import certificate.

Inform the path to the CRT.

Select load as local file. If the CA exported the certificate as P7B, the content is in Base64 format. If the CA gave you another format, you`ll have to transform the certificate first to Base64. Would be nice if the import wizard of STRUST would do all that work for you, but somehow Basis guys must also defend their working time …

Confirm the import. To see if the certificate was imported, double click on Subject

This shows the certificate information in the certificate section.



The PSE contains now a private key and a valid public key, signed by a CA. Now ICF can use this certificate without having browsers complain about the certificate.

Install a server certificate in SAP NetWeaver ABAP – 3.3 Submiting the certificate requests to a CA

The certificate request created in the previous step must be send to a CA. The CA is responsible to create a valid server certificate based on the information provided by the CSR.

Important: the certificate emitted by the CA must follow the PKCS#7 certificate chain format. The response file must contain the public key certificate of the ABAP server as well as the CA’s root certificate. SAP Help

The following screenshots are taking from my own CA.
Add an end entity for the server.
Submit CSR
Download certificate
Save as p12 (PKCS#7)


You now have a P7B file that contains the signed certificate for the server in Baes64 format.

Install a server certificate in SAP NetWeaver ABAP – 3.2 Generate a certificate request for each SSL server PSE

In the previous step a new PSE for SSL server was created, but the containing server certificate is self-signed. This means that no sane web browser will accept your certificate without showing a warning message to the user. To have a valid server certificate, it must be signed by a CA. To do so, a certificate request must be created. SAP Help

Transaction: STRUST

Open SSL Server Standard node and select server

Create a certificate request.

Copy content to a file (via clipboard) and send it to your CA.


You now have the CSR file for the server PSE that can be submitted to a CA.

Install a server certificate in SAP NetWeaver ABAP – 3.1 Create a SSL/TLS Server PSE

SAP stores certificates in PSE files (for the Java guys: JKS). By default, there are several PSEs available, one for each use case (system, SSL, web service, etc). A PSE has a subject which stands for the name of the server. Changes are good that the subject value created by SAP does not match your reality. The following steps show how to create a PSE for your SSL server. SAP Help

Transaction: STRUST

Change into edit mode:

Select the SSL Server PSE:

Right click to open the context menu and select replace

Give information about the new PSE. This creates a private and public key for the server CN informed for this PSE. The key will be automatically self-signed, but as the PSE contains the private key, it is no problem to create a certificate request and get the certificate signed by a CA.

The data informed here MUST match the data of the HTTPS server. The name field is the CN of the certificate; therefore this field MUST be the same as the FQDN of the server. That is, when the server is accessed by browsers as, the field MUST be

Click OK

Confirm the information. Make sure the CN name is correct. This changes the PSE for SSL Server.

You now have a PSE with a private and public key for the CN This certificate is self-signed. While you can now access ICF via HTTPS, each and every browser will give you a warning message that the certificate used is not trustworthy. To change that, a CSR must be created and signed by a CA.


You now have a PSE for the server with a private key and a self-signed certificate.

SCN Meetup Rio de Janeiro 2015

Our 2nd event in Rio de Janeiro and the 1st Meetup in Rio. This time the event was located at INFNET, located directly in the downtown area, close to some of the biggest SAP customers in Rio and also close to partner offices. INFNET is also a SAP University Alliance partner, so great initiative from them to help us. Special thanks here also to SONDA IT, as they divulged the event internally. To no surprise, a large amount of participants was from SONDA. Being active in the SAP community can give you an unfair competitive advantage.


Official site Meetup Rio de Janeiro
Edition 1
Date 4.11.2015
Location Instituto Infnet. Rua São José, 90, 2º andar, Auditório. Centro – RJ
Twitter #scnrj
Sessions 5
Speakers 4
Tracks 1
Participants 74
Tweets 36
Twitter reach 4.412

Event site

The event site was hosted on a Raspberry Pi using a OpenUI5 web page with the backend for user registration run on HCP (Java).

Official site Meetup Rio de Janeiro
Page visits 710
Unique visitors 524
Page views 1.107

As expected, almost all access to the site was done from Brazil.

Event Schedule


SCN announcement

Marssel Vilaca about the event


Available for the next months in mobile docs from SAP

Install a server certificate in SAP NetWeaver ABAP – 2 Set profile parameters

For ICM to work with SSL, some parameters must be set in the profile. These parameters define which PSE and algorithms to use. Normally these parameters are already set to default values. To see if these are acceptable to you and match the location of your CommonCryptoLib 8 installation, you can use transaction RZ11. SAP Help, Central note for CommonCryptoLib.

Transaction RZ11

Here you can enter the name of a parameter and see the currently configured value of it.

List of parameters and their values
Parameter: ssl/ssl_lib
Parameter: sec/libsapsecu
Parameter: ssf/ssfapi_lib
Parameter: ssf/name
Parameter: ssl/ciphersuites

Install a server certificate in SAP NetWeaver ABAP – 1 Pre-requisites

Download SAP Cryptographic Library

Download library from SMP. Go to

Steps to download SAP Cryptographic Library
Select: Installations & Upgrades
Select: Browser our download catalog
Select: SAP Cryptographic Software
Select: Select right OS. In my case, Linux x86 64 bit
Download the latest version

Install SAP Cryptographic Library on the AS ABAP

After downloading the SAP Cryptographic Library it is time to install it on the NW ABAP system. By default, there should already be a version installed. As SAP is constantly releasing a new version, it makes sense to install a newer version and not to use the one delivered with NW ABAP. Copy the downloaded SAR file to your server und “unsar” it. The content of the SAR file will look like:

Copy the files to the executable directory of you instance. In my case, the SID of my ABAP system is GWD. Therefore, the path is /usr/sap/GWD/SYS/exe/run

Command: cp * -Rv /usr/sap/GWD/SYS/exe/run


With this, the latest version is installed on SAP NetWeaver ABAP system.

Fiori client compile error

Lately I was installing the latest version of the SMP3 SDK SP10 PL3 and with it the Fiori client. While trying to create a new custom Fiori client app, I got an error. Gradle wasn`t able to download a dependency from maven.

Now, you never know for sure if this may now happening because of the new SDK version or because of another error. I checked the maven site and the POM was there, I could even download it via the browser. I use from time to time my own repository manager (artifactory). First I checked if my settings.xml can be blamed. Settings.xml was empty, so all requests done by maven will go directly. But this triggered something in my head. The connection I was using to connect to the internet was not without a proxy. Not a proxy you had to insert into your computer configuration, but it was there. So I switched to LTE via my smartphone and … it worked. Cordova compiled now ran without an error.

Lesson learned: be prepared for strange errors when a proxy is between you and the internet.