Initial setup of Personas 3 – 1- Change Profile Parameters

The Personas 3 configuration guide contains all the information you need. At least two profile parameters need to be changed to ensure that the Personas 3 health check passes:

  • em/global_area_MB
  • ztta/diag_area


Change profile parameter em/global_area_MB to 1GB:

Tx: RZ10

I will run Personas 3 on a demo system, with me as the only user. Therefore, I do not have to change the default value. If you want to or have to change the value, you can do so in the instance profile, under extended maintenance.


Change profile parameter ztta/diag_area to 2º MB.

Save and activate profile.

Restart NW ABAP to make the new values effective.

Enable certificate based logon – 5 Configure SAP Web Dispatcher

For SAP Web Dispatcher to be able to forward the client certificate received from the browser, it must:

  1. Re-encrypt the connection
  2. Add the client certificate as a header in the request

To ensure the connection is forwarded encrypted via TLS, use the parameter wdisp/ssl_encrypt=2. Value 2 means that WD will always forward using TLS, regardless of whether the request it received was HTTP or HTTPS. To tell WD which client certificate to use, configure the parameter wdisp/ssl_auth. Value 2 means that the certificate specified by the parameter wdisp/ssl_cred is used. In the sample profile below, ssl_cred points to the client PSE (SAPSSLC.pse). The parameter icm/HTTPS/verify_client controls whether WD asks for or demands a client certificate: 1 means that WD will ask for one but continue if none is presented, while 2 means that a certificate must be presented.

With this information, WD can be used to connect securely to the backend and forward the client certificate as a header, while using its own client certificate to authenticate against the backend NetWeaver system.

Extract of a sample WD profile

# unique instance identifier


# unique instance number





# Configuration for handling certificates



icm/HTTPS/forward_ccert_as_header = true

icm/HTTPS/verify_client = 1

icm/HTTPS/client_certificate_header_name = SSL_CLIENT_CERT

icm/HTTPS/client_key_size_header_name = SSL_CIPHER_USEKEYSIZE

icm/HTTPS/client_cipher_suite_header_name = SSL_CIPHER_SUITE

icm/HTTPS/client_certificate_chain_header_prefix = SSL_CLIENT_CERT_CHAIN_1


# Backend System


wdisp/system_0 = SID=GWD,, MSPORT=8101, SRCURL=/, SRCSRV=*:*, SSL_ENCRYPT=1

# SAP Web Dispatcher Ports

icm/server_port_1 = PROT=HTTPS,PORT=443
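
An added example (not from the original post or from SAP): a small Python check that reads a Web Dispatcher profile and lists where the certificate-forwarding settings differ from the values described above. The two sample profiles, the SID XYZ, the host backend.example and the assumption that the per-system SSL_ENCRYPT option takes the same values as wdisp/ssl_encrypt are this example's own.

```python
EXPECTED = {  # values from the page text; the finding wording is this example's own
    "icm/HTTPS/forward_ccert_as_header": ("true", "client certificate is not added as a header"),
    "wdisp/ssl_encrypt": ("2", "backend hop is not always forwarded using TLS"),
    "wdisp/ssl_auth": ("2", "certificate named by wdisp/ssl_cred is not used"),
}

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(text):
    """Return review findings for the certificate-forwarding settings of a WD profile."""
    p = parse_profile(text)
    findings = []
    for name, (want, why) in EXPECTED.items():
        got = p.get(name)
        if got is None or got.lower() != want:
            findings.append(f"{name} = {got}: {why}")
    if p.get("wdisp/ssl_auth") == "2" and not p.get("wdisp/ssl_cred"):
        findings.append("wdisp/ssl_cred = None: no client PSE configured")
    if p.get("icm/HTTPS/verify_client") != "2":
        findings.append("icm/HTTPS/verify_client is not 2: a client certificate is not demanded")
    # Assumption: SSL_ENCRYPT inside wdisp/system_<n> takes the same values as wdisp/ssl_encrypt.
    for name in [n for n in p if n.startswith("wdisp/system_")]:
        opts = dict(o.strip().split("=", 1) for o in p[name].split(",") if "=" in o)
        if opts.get("SSL_ENCRYPT", "2") != "2":
            findings.append(f"{name} SSL_ENCRYPT = {opts['SSL_ENCRYPT']}: not always TLS")
    return findings

# Constructed sample profiles (not from the page): weak settings beside corrected ones.
WEAK = """
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client = 1
wdisp/ssl_encrypt = 1
wdisp/system_0 = SID=XYZ, MSHOST=backend.example, MSPORT=8101, SSL_ENCRYPT=1
"""
HARDENED = """
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client = 2
wdisp/ssl_encrypt = 2
wdisp/ssl_auth = 2
wdisp/ssl_cred = SAPSSLC.pse
wdisp/system_0 = SID=XYZ, MSHOST=backend.example, MSPORT=8101, SSL_ENCRYPT=2
"""
if __name__ == "__main__": print("\n".join(audit(WEAK)))
```

A finding for icm/HTTPS/verify_client = 1 is a prompt to review, since the text above describes that value as asking for a certificate and continuing without one.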

Gateway: Set Profile Parameters

Profile parameters to be set in the Gateway and BEP (backend) system (SAP Help). These parameters are set in the DEFAULT profile (SAP Help).

  • login/accept_sso2_ticket = 1
  • login/create_sso2_ticket = 1

Transaction: RZ10

If the transaction is called for the first time, a profile must be generated first. We want to adjust the default profile, so a default profile must be created. Enter the profile metadata:

  • Profile: DEFAULT
  • Version: 1

Select Create

Select Copy

Back on RZ10 main screen, select Import

Select the base profile to be imported.

Profile: DEFAULT.2.PFL

Select Copy

Click OK. New profile is now saved and activated.

Select Extended Maintenance and then Change.

A list of parameters is shown.

Create a new parameter: . Search for

  • Parameter name: login/accept_sso2_ticket
  • Parameter value: 1

Select Copy. If it worked, the status message indicates:

Do the same for parameter login/create_sso2_ticket

  • Parameter name: login/create_sso2_ticket
  • Parameter value: 2


Two new parameters are added to the profile: