X509 based logon – 1 – Configure ICM to accept client certificates

Published by Tobias Hofmann on

3 min read

SAP Help

Configuring the SAP Web AS for Supporting SSL
icm/HTTPS/verify_client
Configuring the AS ABAP to Use X.509 Client Certificates

A pre-requisite is to configure NW ABAP to support TLS / HTTPS. To be able to log on to NW ABAP using a X.509 user certificate, the ICM service must be configured to accept client certificates. This is a profile configuration. The parameter is:

icm/HTTPS/verify_client

The enable client certificate validation, set the value to 1. To make it mandatory, set it to 2. In most cases you set it to 1 to not block HTTP access to all users that cannot send a client certificate.

Tx: RZ10

Select the ACS profile.

DIA Profile: NPL_ACS01_vhcalnplcs

Select change. Add a new parameter.

Parameter name: icm/HTTPS/verify_client
Parameter val.: 1

Navigate back and save the change when asked. Save and activate the new profile version.

The new parameter should be read and activated without a restart. To make sure that it really worked, restart the ABAP server and validate that the new parameter is active. To see if the parameter is active, the profile can be checked, or the ICM configuration.

Profile

Tx: RZ11

Current value is set to 1, ICM will accept client certificates.

ICM configuration

Tx: SMICM

Open menu Goto and parameters > display.

Scroll down to section HTTPS (SSL) settings.

Let the world know
Categories: BasisSAP

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

2 Comments

Joe · July 6, 2020 at 21:07

Hey Tobias, why did you decide to set the parameter in the profile of the ASCS instead of the Default or instance profile?

SSO Logon with X.509 certificate | It's full of stars! · July 24, 2020 at 10:00

[…] Configure ICM to accept client certificates […]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.