Enable certificate based logon – 3 Activate client certificate verification on NetWeaver ABAP

Published by Tobias Hofmann on

1 min read

For the NetWeaver ABAP system to be able to accept the certificate based logon from Web Dispatcher, it must be configured to accept the certificate of the WD system as a client certificate. SAP Help

Transaction: RZ10

Instance profile

It is necessary to maintain 2 profile parameters:

  • icm/HTTPS/trust_client_with_issuer
  • icm/HTTPS/trust_client_with_subject

These two parameters are needed to let NW ABAP identifiy which client certificate to trust. They define the DN of the client and the DN of the CA that issued the certificate. Even when someone sends a certificate with the same DN as of WD, but signed by a different CA, it won`t be accepted by NW ABAP. This helps to increase the level of security.

To add both, you have to select Change and then Add new parameter

Parameter name: icm/HTTPS/trust_client_with_issuer

The value of the parameter is taken from the Issuer line of the client PSE of the WD.

Parameter name icm/HTTPS/trust_client_with_subject

The value of the parameter is taken from the Subject line of the client PSE of the WD.

The example screenshots show CN=WDP, OU=SSL Client. These are the standard values of the self-signed certificate of WD client PSE. In case you do not have a CA available, self-signed certificates like the above can be used too.


Let the world know
Categories: BasisSAP

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.