Steps to check ICM settings in SAP
ICM parameters required in all instance profiles
Go to Tcode RZ10 for each instance profile and confirm that the ICM parameters below are maintained.
Parameter name | Parameter value |
---|---|
icm/HTTPS/client_sni_enabled | TRUE |
ssl/client_sni_enabled | TRUE |
ssl/client_ciphersuites | 150:PFS:HIGH::EC_P256:EC_HIGH |
ssl/ciphersuites | 135:PFS:HIGH::EC_P256:EC_HIGH |
If a parameter is not present or its value does not match, add or update it with the value given above. Once updated, restart ICM for the change to take effect.
Note: Some systems may need an application restart as well. Check the connectivity step by step so that downtime is kept to a minimum.
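The same comparison can be run offline against a copy of an instance profile. This is an added example, not part of the original guide; it assumes the profile is a plain-text file of name = value lines with # comments and that the two boolean values are case-insensitive, and the sample profile is constructed.

```python
# Required values, copied from the parameter table on this page.
REQUIRED = {
    "icm/HTTPS/client_sni_enabled": "TRUE",
    "ssl/client_sni_enabled": "TRUE",
    "ssl/client_ciphersuites": "150:PFS:HIGH::EC_P256:EC_HIGH",
    "ssl/ciphersuites": "135:PFS:HIGH::EC_P256:EC_HIGH",
}
# Assumption: boolean parameters are compared case-insensitively.
BOOLEAN = {"icm/HTTPS/client_sni_enabled", "ssl/client_sni_enabled"}

def parse_profile(text):
    """Return {parameter: value} from profile text; the last assignment wins."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit_profile(text):
    """Return {parameter: (status, found_value)} for every required parameter."""
    params = parse_profile(text)
    report = {}
    for name, want in REQUIRED.items():
        got = params.get(name)
        if got is None:
            report[name] = ("MISSING", None)
        elif got == want or (name in BOOLEAN and got.upper() == want):
            report[name] = ("OK", got)
        else:
            report[name] = ("MISMATCH", got)
    return report

# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
# Instance profile (constructed sample)
SAPSYSTEMNAME = ABC
icm/HTTPS/client_sni_enabled = true
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256
#ssl/client_sni_enabled = TRUE
"""

if __name__ == "__main__":
    for name, (status, got) in audit_profile(SAMPLE_PROFILE).items():
        print(f"{status:9} {name} = {got}")
```

A commented-out line is reported as MISSING, and a shortened cipher suite string as MISMATCH, so both cases surface before ICM is restarted.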
Prerequisites for SSL handshake
CommonCryptoLib (SAPCRYPTOLIB) Version 8.5.34 and above;
Kernel release should be 722 and above;
If it is below the given version, make sure you upgrade the kernel patch as per your system version. The help documentation for the kernel upgrade and the required information are in the SAP notes below.
2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client.
2083594 - SAP Kernel Versions and SAP Kernel Patch Levels.
2350788 - Using Kernel 749 instead of Kernel 740, 741, 742 or 745
Important Note:
This is a step-by-step "How-to" guide for checking ICM settings in SAP. Please be aware that the values of different parameters and screenshots presented in this guide may vary depending on your specific use case. Before proceeding, please make sure to go through the checklist.
Steps to check ICM settings
Step 1: Run T-code RZ10 and check if the parameters icm/HTTPS/client_sni_enabled and ssl/client_sni_enabled are set to TRUE.
Step 2: If the above parameter is not enabled as TRUE, run T-code RZ11 and then enter the parameter icm/HTTPS/client_sni_enabled.
Please make the change to the parameter by changing the value directly in the profile.
Step 3: Go to Change mode, apply the current value as TRUE, and save the parameter.
Step 4: Repeat steps 2 and 3 for ssl/client_sni_enabled as well.
Done!