Initial setup of Personas 3 – 1- Change Profile Parameters

The Personas 3 configuration guide contains all the information you need. At least two profile parameters need to be changed to ensure that the Personas 3 health check passes:

  • em/global_area_MB
  • ztta/diag_area

em/global_area_MB

Change profile parameter em/global_area_MB to 1GB:

Tx: RZ10

I will run Personas 3 on a demo system where I am the only user, so I do not have to change the default value. If you want to or have to change the value, you can do so in the instance profile, under extended maintenance.

ztta/diag_area

Change profile parameter ztta/diag_area to 2º MB.

Save and activate profile.

Restart NW ABAP to make the new values effective.

Enable certificate based logon – 5 Configure SAP Web Dispatcher

For SAP Web Dispatcher to be able to forward the client certificate received from the browser, it must

  1. Re-encrypt the connection
  2. Add the client certificate as a header in the request

To ensure the connection is forwarded encrypted via TLS, use the parameter wdisp/ssl_encrypt=2. Value 2 means that WD always forwards using TLS, regardless of whether the request was received over HTTP or HTTPS. To tell WD which client certificate to use, configure parameter wdisp/ssl_auth. Value 2 means that the certificate specified by parameter wdisp/ssl_cred is used. In the sample profile below, wdisp/ssl_cred points to the client PSE (SAPSSLC.pse). icm/HTTPS/verify_client controls whether WD asks for or demands a client certificate: 1 means that WD asks for one but continues if none is presented, while 2 means that a certificate must be presented.

With this information, WD can connect securely to the backend and forward the client certificate as a header, while using its own client certificate to authenticate against the backend NetWeaver system.

Extract of a sample WD profile

    # unique instance identifier
    SAPSYSTEMNAME = TOB
    # unique instance number
    SAPSYSTEM = 00

    wdisp/ssl_encrypt=2
    wdisp/ssl_auth=2

    #
    # Configuration for handling certificates
    #
    wdisp/ssl_cred=$(DIR_PROFILE)/sec/SAPSSLC.pse
    icm/HTTPS/forward_ccert_as_header = true
    icm/HTTPS/verify_client = 1
    icm/HTTPS/client_certificate_header_name = SSL_CLIENT_CERT
    icm/HTTPS/client_key_size_header_name = SSL_CIPHER_USEKEYSIZE
    icm/HTTPS/client_cipher_suite_header_name = SSL_CIPHER_SUITE
    icm/HTTPS/client_certificate_chain_header_prefix = SSL_CLIENT_CERT_CHAIN_1

    #
    # Backend System
    #
    wdisp/system_0 = SID=GWD, MSHOST=nwgw74.tobias.de, MSPORT=8101, SRCURL=/, SRCSRV=*:*, SSL_ENCRYPT=1

    # SAP Web Dispatcher Ports
    icm/server_port_1 = PROT=HTTPS,PORT=443
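
The settings explained above can be checked mechanically before a profile is activated. The following is an added example, not part of the original post or of any SAP tool: a small Python audit of a Web Dispatcher profile for the certificate-forwarding parameters discussed here. The function names and finding texts are hypothetical, and the sample input is constructed from the extract above.

```python
import re

# Constructed sample: the relevant settings from the profile extract above.
SAMPLE_PROFILE = """\
wdisp/ssl_encrypt=2
wdisp/ssl_auth=2
wdisp/ssl_cred=$(DIR_PROFILE)/sec/SAPSSLC.pse
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client = 1
wdisp/system_0 = SID=GWD, MSHOST=nwgw74.tobias.de, MSPORT=8101, SRCURL=/, SRCSRV=*:*, SSL_ENCRYPT=1
"""

def parse_profile(text):
    """Return {parameter: value}; skips blank lines and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # first '=' only: values contain '='
        params[name.strip()] = value.strip()
    return params

def audit(params):
    """Return findings for the certificate-forwarding settings on this page."""
    findings = []
    enc = params.get("wdisp/ssl_encrypt")
    if enc != "2":
        findings.append(f"wdisp/ssl_encrypt={enc}: TLS to the backend is not forced")
    if params.get("wdisp/ssl_auth") != "2":
        findings.append("wdisp/ssl_auth is not 2 (2 selects the wdisp/ssl_cred PSE)")
    elif not params.get("wdisp/ssl_cred"):
        findings.append("wdisp/ssl_auth=2 but wdisp/ssl_cred is not set")
    if params.get("icm/HTTPS/forward_ccert_as_header", "").lower() != "true":
        findings.append("client certificate is not forwarded as a header")
    vc = params.get("icm/HTTPS/verify_client")
    if vc == "1":
        findings.append("icm/HTTPS/verify_client=1: client certificate is optional")
    elif vc != "2":
        findings.append(f"icm/HTTPS/verify_client={vc}: neither 1 (ask) nor 2 (require)")
    # Report a per-system SSL_ENCRYPT option that differs from the global value.
    for name, value in params.items():
        m = re.search(r"\bSSL_ENCRYPT\s*=\s*(\d)", value)
        if name.startswith("wdisp/system_") and m and m.group(1) != enc:
            findings.append(f"{name}: SSL_ENCRYPT={m.group(1)} differs from global {enc}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_profile(SAMPLE_PROFILE))))
```

On the sample it reports two points worth a second look: verify_client = 1 accepts connections without a client certificate, and wdisp/system_0 carries its own SSL_ENCRYPT value that differs from the global wdisp/ssl_encrypt.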

Gateway: Set Profile Parameters

Profile parameters to be set in the Gateway and BEP (backend) system (SAP Help). These parameters are set in the DEFAULT profile (SAP Help).

  • login/accept_sso2_ticket = 1
  • login/create_sso2_ticket = 1

Transaction: RZ10

If the transaction is called for the first time, a profile must be generated first. We want to adjust the default profile, therefore a default profile must be created. Enter the profile metadata:

  • Profile: DEFAULT
  • Version: 1

Select Create

Select Copy

Back on RZ10 main screen, select Import

Select the base profile to be imported.

Profile: DEFAULT.2.PFL

Select Copy

Click OK. New profile is now saved and activated.

Select Extended Maintenance and then Change.

A list of parameters is shown.

Create a new parameter: . Search for

  • Parameter name: login/accept_sso2_ticket
  • Parameter value: 1

Select Copy. If it worked, the status message indicates:

Do the same for parameter login/create_sso2_ticket

  • Parameter name: login/create_sso2_ticket
  • Parameter value: 2

Result

Two new parameters are added to the profile: