Applies to:
As of release SAP NetWeaver PI 7.10.
Summary
This document guides you through setting up Secure Socket Layer (SSL) configuration, that is, enabling
secure data transfer (through HTTPS) between server and client in PI systems as of release 7.10.
In earlier SAP PI versions, there were separate methods to configure SSL: one in the ABAP stack and the
other in the J2EE stack. As of PI 7.10, all configuration is made in the ICM component and NetWeaver
Administrator.
Author(s): Siva Kumar Arivinti
Company: Deloitte Consulting India Pvt Ltd.
Created on: 31 March 2012
Author Bio
Siva Kumar Arivinti is currently working with Deloitte Consulting India Pvt Ltd. as a Consultant in the AMS
service line.
He is an SAP NetWeaver Consultant with around 5 years of experience in SAP Basis and DB2 DBA Administration,
with expertise in Production support, Installations and Software Life Cycle Management including EHP/Release
Upgrades.
Benefits
It allows the exchange of encrypted information through SAP PI via Secure Socket Layer (SSL). SSL uses
an asymmetric method to exchange the secret key; this method uses a private key and a public key. The
private key stays on the server side, and the public key is used by the client to encrypt or decrypt the messages.
HTTPS redirect configuration is also covered in this document.
Pre-requisites
1. Update the instance profile with the following parameters.
ssf/name SAPSECULIB
ssl/ssl_lib /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
sec/libsapsecu /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
ssf/ssfapi_lib /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
icm/HTTPS/verify_client 0 (zero)
icm/server_port_<x> PROT=HTTPS,PORT=84$$,TIMEOUT=900,PROCTIMEOUT=600
Note: The PORT value must be a unique number, meaning the HTTPS, SMTP and HTTP port numbers must not be the same.
2. Create the directory sec under /usr/sap/<SID>/<Instance> and, as user SIDADM, update the SAP environment
file .sapenv_<hostname>.sh (or .sapenv_<hostname>.sh) with the following value.
SECUDIR=/usr/sap/<SID>/<Instance>/sec; export SECUDIR
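The check below is an added example, not part of the original document or of SAP tooling: a small Python script that parses an instance profile and verifies the prerequisites from step 1, including the note that port numbers must be unique once $$ is expanded to the instance number. The sample profile, the SID PI1 and instance number 01 are constructed, and the rule that the three library parameters must match is an assumption based only on the document giving the same path for each.

```python
import re

# Constructed sample profile, not from a real system; SID "PI1" and instance 01 are assumed.
SAMPLE_PROFILE = """\
SAPSYSTEM = 01
ssf/name = SAPSECULIB
ssl/ssl_lib = /usr/sap/PI1/SYS/exe/run/libsapcrypto.o
sec/libsapsecu = /usr/sap/PI1/SYS/exe/run/libsapcrypto.o
ssf/ssfapi_lib = /usr/sap/PI1/SYS/exe/run/libsapcrypto.o
icm/HTTPS/verify_client = 0
icm/server_port_0 = PROT=HTTP,PORT=80$$
icm/server_port_1 = PROT=HTTPS,PORT=84$$,TIMEOUT=900,PROCTIMEOUT=600
"""
LIB_PARAMS = ["ssl/ssl_lib", "sec/libsapsecu", "ssf/ssfapi_lib"]
REQUIRED = ["ssf/name", "icm/HTTPS/verify_client"] + LIB_PARAMS

def parse_profile(text):
    """Return {parameter: value}; accepts 'name = value' and 'name value' lines."""
    params = {}
    for line in text.splitlines():
        # Blank lines and '#' comments do not match and are skipped.
        m = re.match(r"\s*([\w/]+)\s*=?\s*(.*)", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def check_profile(text):
    """Return a list of findings; an empty list means the prerequisites are met."""
    p = parse_profile(text)
    findings = [f"missing parameter {n}" for n in REQUIRED if n not in p]
    # Assumption: all three library parameters should name the same file, as on the page.
    if len({p[n] for n in LIB_PARAMS if n in p}) > 1:
        findings.append("library parameters point to different files")
    seen, https = {}, False  # seen: expanded port -> parameter that claimed it first
    for name, value in p.items():
        if not name.startswith("icm/server_port_"):
            continue
        opts = dict(o.split("=", 1) for o in value.split(",") if "=" in o)
        # "$$" in a profile value stands for the two-digit instance number
        port = opts.get("PORT", "").replace("$$", p.get("SAPSYSTEM", "$$"))
        https = https or opts.get("PROT") == "HTTPS"
        if port and port in seen:
            findings.append(f"port {port} used by {seen[port]} and {name}")
        seen.setdefault(port, name)
    if not https:
        findings.append("no icm/server_port_<x> entry with PROT=HTTPS")
    return findings

if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE) or "profile prerequisites OK")
```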
Installation
I. Create Private key and Certificates and generate CSR certificate
1. Open NetWeaver Administrator (http://<FQDN>:5<XX>00/nwa)
3. Select ICM_SSL_<ID> and you will find the default Private key and Certificate when SSL has not yet been
configured.
Note: Certificate (ssl-credentials-cert) will be generated automatically when we choose ‘Store
Certificate’ in the above screenshot.
Click Finish
6. Now you should be able to see Subject name and Issuer name as CN=<Fully qualified name>, L=
<Locality Name>, O=<Organization Name>, ST=<State or Province>, C=<Country Name>.
7. Select ssl-credentials and click on ‘Generate CSR Response’
8. Click Download, save the CSR certificate in text format with a .csr extension, and send it to the
Certificate Authority for Entrust certificates.
Note: We will get 3 certificates from the CA: Web Server, Entrust cross and Entrust root. Import them in
the same order.
Click the ‘Import’ button only once all 3 certificates have been added.
2. Now you should be able to see chain certificates Certificate[0], Certificate[1] and Certificate[2]
and Issuer name as ‘Entrust Certification Authority’.
3. Do Export View to PSE after steps 1 and 2 have completed successfully.
You should see a success message at the top left of the screen.
6. Double-click the lock symbol at the bottom of the browser; you should now see Issued by:
<Certificate Authority>.
ProxyMappings 5<XX>00=(Host:<FQDN>,Port:84<XX>,Scheme:https,Override:true)