SAP NetWeaver SNI configuration

To show a correct configuration and to be able to connect to a HTTP service that needs SNI support enabled, I’ll connect my NetWeaver ABAP system to a public OData service. You can read my blogs for more information on SNI in general and SNI with NetWeaver ABAP.

Scenario and pre-requisites

I´ll use the SAP NetWeaver ABAP Developer Edition to show how to enable SNI support. It´s an SAP system with kernel release 753 PL 400 and the default value is false. Goal of the scenario is to connect to https://services.odata.org via SM59. For this to work, NW ABAP must connect to the web server and use SNI. Without SNI, the target server cannot be resolved and a wrong TLS certificate will be returned.

Enable SNI support

Tx: RZ10
Parameter: icm/HTTPS/client_sni_enabled 
Value: true

Connect to HTTPS service

To be able to connect from NetWeaver ABAP to the external OData service via HTTPS, a connection must be created. This is done in transaction SM59.

Tx: SM59
Connection type: G
URL: services.odata.org
Port: 443
Description: Northwind OData service

Go to tab security options. Here the PSE used to connect to the service is provided. The certificate chain of the service must be imported into the selected PSE. NetWeaver will act as a normal browser client and not try to authenticate the user. The PSEA for anonymous connections is used.

Configure PSE for SSL Client Anonymous

The certificates needed to be able to connect to the service https://service.odata.org are not available in PSEA. These must first be obtained from the service and imported into the PSEA. Download the correct certificates from the service.odata.org and save them in Base64 CER format.

Tx: STRUST

Connection test

If all parameters are configured, SM59 can connect to a cloud service and send the correct server name in the SNI field.