Maintaining ICM Parameters for Using SSL 

Use

You can use this procedure to configure the necessary ICM parameters to enable the use of SSL for accessing the AS Java.

SSL is supported for the protocols:

Protocol	Secured Protocol
HTTP	HTTPS
IIOP	IIOPSEC
P4	P4SEC

The server uses the same key pair and SSL certificates for all of the protocols.

The protocol and port information are specified in the ICM parameter icm/server_port_<xx>, where <xx> is a sequential number. When setting the port for HTTPS, make sure you select a number that is not already being used.

Prerequisites

·  You have OS level access permission for the file system of the AS Java host.

·  The SAP Cryptographic Library is installed and you know where it is located.

·  You know which sequential number to use for the icm/server_port_<xx> parameter.

You can use either the ICM Monitor or the Web Administration Interface to check the parameter settings.

Procedure

Configuration from instance profile filename

  1.  Using a text editor, open the instance profile of the ICM for the AS Java.

You can find the instance profile at the following location in the AS Java host file system: /usr/sap/<SID>/SYS/profile. The profile has the name <SID>_<instance>_<hostname>.

  2.  Set the HTTPS port to use in the ICM parameter icm/server_port_<xx>. Also, to explicitly specify the location of the SAP Cryptographic Library (for example, if it is not in the default location, which is the directory specified by the $(DIR_LIBRARY) parameter), set the parameter ssl/ssl_lib. See the example below.

# SSL Configuration: Location of the SAP Cyrptographic Library

ssl/ssl_lib = <Location of the SAP Cryptographic Library>

# <protocol> port configuration

icm/server_port_<xx> = PROT=<protocol>, PORT=5$(SAPSYSTEM)01[, VCLIENT=<0,1,2>]

To configure a different port for HTTPS communication, specify the desired port in the PORT= parameter.

In addition, to specify the server's behavior regarding the use of certificates for client authentication, set the corresponding value in the VCLIENT= parameter:

●  0: No certification is required and the server does not ask for one.

·  1: The server asks the client to transfer a certificate. If the client does not send a certificate, authentication is performed using another method, for example, basic authentication (default setting). 

·  2: The client must transfer a valid certificate to the server, otherwise access is denied.

There are also additional optional parameters. For example, to specify port-specific SSL configurations, use the parameter icm/ssl_config_<xx>. For more information, see icm/server_port_<xx>.

See the example below.

  3.  Restart the ICM so that the parameter settings take effect.

Result

After restarting the ICM instance, the HTTPS port configuration appears in Active Services for the ICM.

Example

The example below shows an extract from an ICM instance profile with SSL and HTTPS port configuration.

...

# SSL Configuration: Location of the SAP Cryptographic Library

ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so

# https port configuration

icm/server_port_4 = PROT=HTTPS, PORT=5$(SAPSYSTEM)01, VCLIENT=1

...

See also:

●  Deploying the SAP Cryptographic Software 

●  Parameterization of the ICM and the ICM Server Cache 

○  Generic Profile Parameters with the Ending _<xx> 

●  Administration of the Internet Communication Manager