Setting up HTTPS on SAP servers
  • 2 Minutes to read
  • Dark
    Light
  • PDF

Setting up HTTPS on SAP servers

  • Dark
    Light
  • PDF

Article Summary

Setting up HTTPS for your SAP server is relevant if you wish to enable automatic custom code extraction and upload to Panaya or integration with ChaRM.

Important!
This article provides guidelines for setting up HTTPS. Please consult with your Basis Consultant before you proceed.



Step 1 - Verify that SAPCRYPTOLIB is installed

The guidelines provided here are applicable for systems where SAPCRYPTOLIB is installed.
To verify SAPCRYPTOLIB installation - 

  1. Enter TCODE STRUST
  2. Select the environment and then SSL Client Identities
    If SAPCRYPTOLIB  is not installed, you will be able to see the message at the bottom of the screen


    SAPCRYPTOLIB is not installed?
    If SAPCRYPTOLIB is not installed, you can download and install 7.22 Kernel for SAP up to Netweaver 7.31 (ERP 6 EhP 6, CRM 7 EhP 2, SRM 7 EhP 2, SCM 7 EhP 2, and others). Then restart your system.
     
  3. For systems where SAPCRYPTOLIB is installed, select the Environment and then Display SSF Version to view the version details.

 


Step 2 - Create Anonymous SSL Client PSE

  1. Create an Anonymous SSL Client
  2. If the system appears in Green (as in the image below),
  3. If the system appears with a red X, right click on it and select Create

 


Step 3 - Import CA (Certificate Authority)

  1. Download the Panaya Certificate
  2. Extract the file and import both certificates as described in the next steps
  3. Double-click the name of the instance that shows under the SSL client identity (anonymous) folder, to display the contents of this PSE. Select the left button.
  4. Use the File Path field to select the certificate file to import, then select Base64 as the file format
  5. Click the V icon to submit.
    The details of the certificate will be displayed
  6. Click on the Add to Certificate List button
    You should be able to view the name of the certificate added to the list
  7. Click the Save button at the top of the screen

 

Older SAP version?
Older versions of SAP may prompt a notification that the ICM needs to be restarted in order for changes to take effect. In such cases, use TCOE SMICM as described below. 


Step 4 - Change HTTP destination

Change the settings for the HTTP destination, as created in SM59
Set SSL status to Active
For SSL Client Certificate, use ANONYM SSL Client (Anonymous)

Note
This step applies to defining HTTPS destination only and is not affecting any RFC setting previously defined for your custom code extraction

 

Step 5 - Set Server Parameters 

Please set the system profile parameters as shown below:

  • icm/HTTPS/client_sni_enabled = TRUE
  • ssl/client_sni_enabled = TRUE

Important!
This activity stops the web server as well as the web client of the SAP system

  1. Execute transaction SMICM
  2. Select Administration > ICM > ExitSoft > Global from the menu options
  3. After a few moments, click the Refresh button until you see the threads
    Threads should appear as Available with Thread No.lower than 10

 

Additional certificates

If the Anonymous SSL client does not have the root and intermediate certificates installed, be sure to install them from here:

https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem (DigiCert Global Root G2)
https://cacerts.digicert.com/GeoTrustTLSRSACAG1.crt.pem (GeoTrust TLS RSA CA G1)

More information about these certificates can be found here:
https://www.digicert.com/kb/digicert-root-certificates.htm