X509 based logon – 1 – Configure ICM to accept client certificates

Published by Tobias Hofmann on

3 min read

SAP Help

Configuring the SAP Web AS for Supporting SSL
icm/HTTPS/verify_client
Configuring the AS ABAP to Use X.509 Client Certificates

A pre-requisite is to configure NW ABAP to support TLS / HTTPS. To be able to log on to NW ABAP using a X.509 user certificate, the ICM service must be configured to accept client certificates. This is a profile configuration. The parameter is:

icm/HTTPS/verify_client

The enable client certificate validation, set the value to 1. To make it mandatory, set it to 2. In most cases you set it to 1 to not block HTTP access to all users that cannot send a client certificate.

Tx: RZ10

Select the ACS profile.

DIA Profile: NPL_ACS01_vhcalnplcs

Select change. Add a new parameter.

Parameter name: icm/HTTPS/verify_client
Parameter val.: 1

Navigate back and save the change when asked. Save and activate the new profile version.

The new parameter should be read and activated without a restart. To make sure that it really worked, restart the ABAP server and validate that the new parameter is active. To see if the parameter is active, the profile can be checked, or the ICM configuration.

Profile

Tx: RZ11

Current value is set to 1, ICM will accept client certificates.

ICM configuration

Tx: SMICM

Open menu Goto and parameters > display.

Scroll down to section HTTPS (SSL) settings.

Let the world know
Categories: BasisSAP
Tags:

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

2 Comments

Joe · July 6, 2020 at 21:07

Hey Tobias, why did you decide to set the parameter in the profile of the ASCS instead of the Default or instance profile?

Reply

SSO Logon with X.509 certificate | It's full of stars! · July 24, 2020 at 10:00

[…] Configure ICM to accept client certificates […]

Reply

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

SAP

SAP Development Tech Radar

4 min read The SAP Development Tech Radar is available online. The source code is available at its GitHub repository. The information used for to place each technology on the radar is in the folder Read more…

SAP

What if … it is not the technology?

9 min read The past The SAP Community Network (SCN) [1] went through some changes in the last 20+ years. 2011 a major change was planned, went live in 2012 and did not work as Read more…

SAP

DSAG Technologietage 2024

10 min read Moin Hamburg. Ich bin nicht aus Zucker, ich bin aus Hamburg. Mehr muss man über das Wetter nicht wissen und zum Glück sind die Technologietage keine Freiluftveranstaltung. Montags bei der Anreise und Read more…