SAP NetWeaver SNI configuration
To show a correct configuration and to be able to connect to a HTTP service that needs SNI support enabled, I’ll connect my NetWeaver ABAP system to a public OData service. You can read my blogs for more information on SNI in general and SNI with NetWeaver ABAP.
Scenario and pre-requisites
I´ll use the SAP NetWeaver ABAP Developer Edition to show how to enable SNI support. It´s an SAP system with kernel release 753 PL 400 and the default value is false. Goal of the scenario is to connect to https://services.odata.org via SM59. For this to work, NW ABAP must connect to the web server and use SNI. Without SNI, the target server cannot be resolved and a wrong TLS certificate will be returned.
Enable SNI support
Tx: RZ10 Parameter: icm/HTTPS/client_sni_enabled Value: true
Connect to HTTPS service
To be able to connect from NetWeaver ABAP to the external OData service via HTTPS, a connection must be created. This is done in transaction SM59.
Tx: SM59 Connection type: G URL: services.odata.org Port: 443 Description: Northwind OData service
Go to tab security options. Here the PSE used to connect to the service is provided. The certificate chain of the service must be imported into the selected PSE. NetWeaver will act as a normal browser client and not try to authenticate the user. The PSEA for anonymous connections is used.
Configure PSE for SSL Client Anonymous
The certificates needed to be able to connect to the service https://service.odata.org are not available in PSEA. These must first be obtained from the service and imported into the PSEA. Download the correct certificates from the service.odata.org and save them in Base64 CER format.
If all parameters are configured, SM59 can connect to a cloud service and send the correct server name in the SNI field.