Install a server certificate in SAP NetWeaver ABAP – 3.5 Test the new server certificate

After the server certificate is installed, ICM should automatically make use of it. To see if SSL/TLS connections are now working, two tests should be executed:

  1. Check SSL port setup
  2. Access service using TLS

1. Making Sure the SSL Port is set up correctly

This step checks that ICM is configured to accept TLS connections. SAP Help

Transaction: SMICM

Select: Goto from the menu and then Services.

Check that HTTPS is listed and note the port number. Here: 8100.

2. Testing the Connection for SSL Server Authentication

With ICM configured to accept TLS connections on port 8100, the last test is to check if it works with a browser. SAP Help. Open a service in your web browser. To check that the service works, open it first over plain HTTP.


If that worked, open the URL as HTTPS.


Check the certificate used by ICM.


The server certificate is issued by to This shows that the SSL certificate of the right PSE is being used by ICM.
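
The same check can be scripted instead of done in a browser. The following is an added example, not part of the original post: it reports whether the certificate served by ICM is still the self-signed one from step 3.1 or the CA-signed one from step 3.4, and whether its name matches the FQDN. The host name, CA name and CA file name are hypothetical placeholders.

```python
import socket
import ssl

def first_value(name, key):
    """First value of `key` in a getpeercert() subject/issuer structure."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def assess_cert(cert, fqdn):
    """Summarise a certificate dict (ssl.SSLSocket.getpeercert() format)."""
    subject_cn = first_value(cert.get("subject", ()), "commonName")
    dns_names = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return {
        "subject_cn": subject_cn,
        "issuer_cn": first_value(cert.get("issuer", ()), "commonName"),
        # Issuer equal to subject is what the PSE holds before the CA response is imported.
        "self_signed": cert.get("subject") == cert.get("issuer"),
        "cn_matches_fqdn": (subject_cn or "").lower() == fqdn.lower(),
        # Exact match only; wildcard entries are not expanded here.
        "san_matches_fqdn": fqdn.lower() in dns_names,
    }

def fetch_and_assess(fqdn, port, ca_file):
    """Handshake with ICM, trusting only ca_file, then summarise its certificate.

    Raises ssl.SSLCertVerificationError if the chain does not lead to ca_file
    or the host name does not match (Python matches against subjectAltName).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((fqdn, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return assess_cert(tls.getpeercert(), fqdn)

# Constructed sample data (hypothetical names), shaped like getpeercert() output.
SERVER = ((("countryName", "BR"),), (("commonName", "abap.example.com"),))
CA = ((("countryName", "BR"),), (("commonName", "Example Issuing CA"),))
SELF_SIGNED = {"subject": SERVER, "issuer": SERVER}
CA_SIGNED = {"subject": SERVER, "issuer": CA,
             "subjectAltName": (("DNS", "abap.example.com"),)}

if __name__ == "__main__":
    print(assess_cert(SELF_SIGNED, "abap.example.com"))
    print(assess_cert(CA_SIGNED, "abap.example.com"))
    # Live check against the HTTPS port noted in SMICM (8100 on this page):
    # print(fetch_and_assess("abap.example.com", 8100, "ca_root.pem"))
```

A certificate without a subjectAltName entry fails the live handshake in Python even when the CN is correct, so `san_matches_fqdn` is worth checking before the certificate request is sent to the CA.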


Install a server certificate in SAP NetWeaver ABAP – 3.4 Import the certificate response from CA

After the CA issued the certificate, it must be imported into the PSE that issued the CSR. During the import step a verification of the private / public key will happen. This ensures that you import the right public key into the PSE. This also means that you cannot use another PSE for the CSR, as the private key would be different. SAP Help

Transaction: STRUST

Switch on edit mode and select import certificate.

Enter the path to the CRT.

Select load as local file. If the CA exported the certificate as P7B, the content is in Base64 format. If the CA gave you another format, you'll have to transform the certificate to Base64 first. It would be nice if the import wizard of STRUST did all that work for you, but somehow Basis guys must also defend their working time …

Confirm the import. To see if the certificate was imported, double click on Subject.

This shows the certificate information in the certificate section.



The PSE now contains a private key and a valid public key, signed by a CA. Now ICF can use this certificate without having browsers complain about the certificate.


Install a server certificate in SAP NetWeaver ABAP – 3.3 Submitting the certificate requests to a CA

The certificate request created in the previous step must be sent to a CA. The CA is responsible for creating a valid server certificate based on the information provided by the CSR.

Important: the certificate issued by the CA must follow the PKCS#7 certificate chain format. The response file must contain the public key certificate of the ABAP server as well as the CA’s root certificate. SAP Help

The following screenshots are taken from my own CA.
Add an end entity for the server.
Submit CSR
Download certificate
Save as p12 (PKCS#7)


You now have a P7B file that contains the signed certificate for the server in Base64 format.


Install a server certificate in SAP NetWeaver ABAP – 3.2 Generate a certificate request for each SSL server PSE

In the previous step a new PSE for the SSL server was created, but the server certificate it contains is self-signed. This means that no sane web browser will accept your certificate without showing a warning message to the user. To have a valid server certificate, it must be signed by a CA. To do so, a certificate request must be created. SAP Help

Transaction: STRUST

Open SSL Server Standard node and select server

Create a certificate request.

Copy content to a file (via clipboard) and send it to your CA.


You now have the CSR file for the server PSE that can be submitted to a CA.


Install a server certificate in SAP NetWeaver ABAP – 3.1 Create a SSL/TLS Server PSE

SAP stores certificates in PSE files (for the Java guys: JKS). By default, there are several PSEs available, one for each use case (system, SSL, web service, etc). A PSE has a subject which stands for the name of the server. Chances are good that the subject value created by SAP does not match your reality. The following steps show how to create a PSE for your SSL server. SAP Help

Transaction: STRUST

Change into edit mode:

Select the SSL Server PSE:

Right click to open the context menu and select replace.

Enter the information for the new PSE. This creates a private and public key for the server CN entered for this PSE. The key will be automatically self-signed, but as the PSE contains the private key, it is no problem to create a certificate request and get the certificate signed by a CA.

The data entered here MUST match the data of the HTTPS server. The name field is the CN of the certificate; therefore this field MUST be the same as the FQDN of the server. That is, when the server is accessed by browsers as, the field MUST be

Click OK

Confirm the information. Make sure the CN name is correct. This changes the PSE for SSL Server.

You now have a PSE with a private and public key for the CN This certificate is self-signed. While you can now access ICF via HTTPS, each and every browser will give you a warning message that the certificate used is not trustworthy. To change that, a CSR must be created and signed by a CA.


You now have a PSE for the server with a private key and a self-signed certificate.


Install a server certificate in SAP NetWeaver ABAP – 2 Set profile parameters

For ICM to work with SSL, some parameters must be set in the profile. These parameters define which PSE and algorithms to use. Normally these parameters are already set to default values. To see if these are acceptable to you and match the location of your CommonCryptoLib 8 installation, you can use transaction RZ11. SAP Help, Central note for CommonCryptoLib.

Transaction RZ11

Here you can enter the name of a parameter and see the currently configured value of it.

List of parameters and their values
Parameter: ssl/ssl_lib
Parameter: sec/libsapsecu
Parameter: ssf/ssfapi_lib
Parameter: ssf/name
Parameter: ssl/ciphersuites

SAP Web Dispatcher as reverse proxy for SMP3

As of SMP3 SP07 you can use SAP Web Dispatcher as a reverse proxy for SMP3. Depending on your landscape, this simplifies your architecture A LOT. And you can reuse your WD knowledge and gain support from SAP. Installing the WD is done as usual, with one caveat: you have to tell the commonlib which TLS to use:

ssl/ciphersuites = 896:HIGH

ssl/client_ciphersuites =896:HIGH

With this, WD can connect to SMP3 using TLS. While this may look strange, it actually is necessary as SMP3 uses some high TLS security.

To understand better what these two parameters do, take a look at the Commonlib + WD SAP Note: 510007
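
What the number in front of the colon switches on can be decoded bit by bit. The following is an added example, not part of the original post or of SAP's tooling: it reads the two parameters from a profile and lists the protocol versions the value 896 enables. The bit meanings in `FLAGS` are an assumption based on SAP Note 510007 and should be checked against the note for your CommonCryptoLib version.

```python
# Assumed meaning of the flag bits in ssl/ciphersuites (see SAP Note 510007).
FLAGS = {
    1: "BC (accept SSLv2-format ClientHello)",
    2: "BEST (enable highest available TLS version)",
    4: "NO_GAP (no gaps between protocol versions)",
    16: "allow blind sending of a client certificate",
    32: "strict protocol version configuration",
    64: "SSLv3",
    128: "TLSv1.0",
    256: "TLSv1.1",
    512: "TLSv1.2",
}
LEGACY_BITS = {64, 128, 256}  # protocol versions older than TLSv1.2

def decode_ciphersuites(value):
    """Split '<flags>:<cipher spec>' and name every flag bit that is set."""
    flags_part, _, cipher_spec = value.strip().partition(":")
    number = int(flags_part)
    set_bits = [bit for bit in sorted(FLAGS) if number & bit]
    return {
        "flags": [FLAGS[b] for b in set_bits],
        "legacy_protocols": [FLAGS[b] for b in set_bits if b in LEGACY_BITS],
        "unknown_bits": number & ~sum(FLAGS),  # bits not covered by FLAGS
        "cipher_spec": cipher_spec,
    }

def audit_profile(text):
    """Decode ssl/ciphersuites and ssl/client_ciphersuites found in a profile."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() in ("ssl/ciphersuites", "ssl/client_ciphersuites"):
            findings[name.strip()] = decode_ciphersuites(value)
    return findings

# The two lines from this post, plus one unrelated profile line.
SAMPLE_PROFILE = """\
icm/server_port_1 = PROT=HTTPS,PORT=9081
ssl/ciphersuites = 896:HIGH
ssl/client_ciphersuites =896:HIGH
"""

if __name__ == "__main__":
    for name, result in audit_profile(SAMPLE_PROFILE).items():
        print(name, result)
```

Under these flag values, 896 is 128 + 256 + 512, so TLSv1.0 and TLSv1.1 stay enabled next to TLSv1.2 on both the server and the client side of the Web Dispatcher.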

A complete sample profile from a WD running on Windows:

Autostart = 1

Restart_Program_00 = local $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) pf=$(DIR_PROFILE)/sapwebdisp.pfl


wdisp/system_0 = SID=SMP, SSL_ENCRYPT=0, EXTSRV=, SRCSRV=*:9080, SRCURL=/, STICKY=true

wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=, SRCSRV=*:9081, SRCURL=/, STICKY=true

wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=, SRCSRV=*:9082, SRCURL=/, STICKY=true

icm/server_port_0 = PROT=HTTP,PORT=9080

icm/server_port_1 = PROT=HTTPS,PORT=9081

icm/server_port_2 = PROT=HTTPS,PORT=9082,VCLIENT=2

ssl/ciphersuites = 896:HIGH

ssl/client_ciphersuites =896:HIGH

icm/max_conn = 2000

icm/max_sockets = ($(icm/max_conn) * 2)

icm/req_queue_len = 6000

icm/min_threads = 10

icm/max_threads = 500

mpi/total_size_MB = (min(0.06 * $(icm/max_conn) + 50, 2000))

mpi/max_pipes = ($(icm/max_conn))

wdisp/HTTP/max_pooled_con = ($(icm/max_conn))

wdisp/HTTPS/max_pooled_con = ($(icm/max_conn))

icm/server_port_3 = PROT=HTTPS,PORT=4300

icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,PORT=4300,DOCROOT=./admin,AUTHFILE=icmauth.txt


Afaria Setup 7: Configure SSL for web application

Having an SSL certificate installed and available in IIS, access to web sites / applications can be secured using SSL. The next step is to secure the access to the Afaria Web Application. This will be done by activating SSL for the entire web site, that is: all resources under the default web site can be accessed using SSL. The SAP Afaria web application is not installed yet, but after it is installed, it will be run beneath the default web site by IIS. As the default web site is configured for SSL in IIS, all resources underneath it will be too.

  1. Open IIS Manager
  2. Select Default Web Site
  3. Select bindings
  4. Select https and click Edit …
  5. Select SSL certificate afaria from list. Afaria is the friendly name / alias given to the IIS certificate in the previous step: installing SSL to IIS.
  • Assign this binding to all IP addresses and port 443.

The IIS default web site is now accessible using SSL.


Afaria Setup 6: Configure SSL for IIS

To ensure confidentiality of user data, access to SAP Afaria by users needs to be done using SSL. For this to work, IIS must use its own valid SSL certificate. To do so, first a certificate request for IIS must be created. This request will be handled by the CA (installed on same server) and the created certificate must be made available in IIS.

IIS: Create certificate request

  • Start IIS Manager
  • Select default server and server certificates in IIS section.

  • Create certificate request

  • Enter the server information. The CA will include this information in the final certificate.
    • Common name: FQDN of the server
    • Country: BR, or your country

  • Select cryptographic service provider.
    • Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
    • Bit length: 1024

  • Enter the file name. This is where the certificate request will be saved to. This file will be later submitted to the CA.

Now the certificate request is done by IIS. Next step is to submit the request to the CA.

CA: Issue certificate

As the CA is on the same server as IIS, all that is needed is to submit the request to the CA. The certificate type is for a web server. In my case, using the CA wizard to submit the CSR did not work, as the web server template was not available. What worked was to use the command line to submit the CSR and specify the web server template there.

Command: certreq.exe -submit -attrib "CertificateTemplate:WebServer" .\certreq.txt

Select the CA to be used.

Specify path to save certificate to.

Certificate is issued and saved in CER format.

Next is to install the certificate into IIS and make it available for usage.

IIS: Install certificate

To install the server certificate, open IIS Manager console. Select Complete Certificate Request.

Enter the path to the certificate and an alias/friendly name. You’ll refer to the certificate by its friendly name.

Click OK. This installs the certificate into IIS.
