Enable certificate based logon – 3 Activate client certificate verification on NetWeaver ABAP

1 min read

For the NetWeaver ABAP system to be able to accept the certificate based logon from Web Dispatcher, it must be configured to accept the certificate of the WD system as a client certificate. SAP Help

Transaction: RZ10

Instance profile

It is necessary to maintain 2 profile parameters:

  • icm/HTTPS/trust_client_with_issuer
  • icm/HTTPS/trust_client_with_subject

These two parameters are needed to let NW ABAP identifiy which client certificate to trust. They define the DN of the client and the DN of the CA that issued the certificate. Even when someone sends a certificate with the same DN as of WD, but signed by a different CA, it won`t be accepted by NW ABAP. This helps to increase the level of security.

To add both, you have to select Change and then Add new parameter

Parameter name: icm/HTTPS/trust_client_with_issuer

The value of the parameter is taken from the Issuer line of the client PSE of the WD.

Parameter name icm/HTTPS/trust_client_with_subject

The value of the parameter is taken from the Subject line of the client PSE of the WD.

The example screenshots show CN=WDP, OU=SSL Client. These are the standard values of the self-signed certificate of WD client PSE. In case you do not have a CA available, self-signed certificates like the above can be used too.


Let the world know

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.