Maintaining ICM Parameters for Using SSL for As JAVA

1770585 - How to configure SSL on the AS Java

You can use this procedure to configure the necessary ICM parameters to enable the use of SSL for accessing SAP NetWeaver AS for Java.

Prerequisites
You have OS level access permission for the file system of the SAP NetWeaver AS for Java host.
The SAP Cryptographic Library is installed and you know where it is located.
You know which sequential number to use for the icm/server_port_ parameter.
You can use either the ICM Monitor or the Web Administration Interface to check the parameter settings.

Context
SSL is supported for the protocols:

Protocol Secured Protocol
HTTP HTTPS
IIOP IIOPSEC
P4 P4SEC

Note
The server uses the same key pair and SSL certificates for all of the protocols.

The protocol and port information are specified in the ICM parameter icm/server_port_, where is a sequential number. When setting the port for HTTPS, make sure that you select a number that is not already being used.

Configuration from instance profile filename

Procedure
Using a text editor, open the instance profile of the ICM for SAP NetWeaver AS for Java.
You can find the instance profile at the following location in the SAP NetWeaver AS for Java host file system: /usr/sap//SYS/profile. The profile has the name .

Set the HTTPS port to use in the ICM parameter icm/server_port_. Also, to explicitly specify the location of the SAP Cryptographic Library (for example, if it is not in the default location, which is the directory specified by the $(DIR_LIBRARY) parameter), set the parameter ssl/ssl_lib.
See the example below.

Tip

SSL Configuration: Location of the SAP Cryptographic Library

ssl/ssl_lib =

port configuration

icm/server_port_ = PROT=, PORT=5$(SAPSYSTEM)01[, VCLIENT=<0,1,2>]
Note
To configure a different port for HTTPS communication, specify the desired port in the PORT parameter.

In addition, to specify the server's behavior regarding the use of certificates for client authentication, set the corresponding value in the VCLIENT parameter:

0: No certification is required and the server does not ask for one.
1: The server asks the client to transfer a certificate. If the client does not send a certificate, authentication is performed using another method, for example, basic authentication (default setting).
2: The client must transfer a valid certificate to the server, otherwise access is denied.
There are also additional optional parameters. For example, to specify port-specific SSL configurations, use the parameter icm/ssl_config_.

For more information, see icm/server_port_.

Restart the ICM so that the parameter settings take effect.
Results
After restarting the ICM instance, the HTTPS port configuration appears in Active Services for the ICM.

Example
The example below shows an extract from an ICM instance profile with SSL and HTTPS port configuration.

...

SSL Configuration: Location of the SAP Cryptographic Library

ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so

https port configuration

icm/server_port_4 = PROT=HTTPS, PORT=5$(SAPSYSTEM)01, VCLIENT=1
...