Steps to check ICM settings in SAP
Last updated
Was this helpful?
Last updated
Was this helpful?
Go to Tcode RZ10 for each instance profile and confirm if the below ICM parameters are maintained.
icm/HTTPS/client_sni_enabled
TRUE
ssl/client_sni_enabled
TRUE
ssl/client_ciphersuites
150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites
135:PFS:HIGH::EC_P256:EC_HIGH
If the parameters are not present or if the parameters are not matching, then add or update the parameters with the above-mentioned values. Once updated, restart ICM for this to work.
Note: Some systems may need application restart as well. But check the connectivity accordingly step by step with minimum downtime.
CommonCryptoLib (SAPCRYPTOLIB) Version 8.5.34 and above;
Kernel release should be 722 and above;
If is it below the given version, make sure you upgrade the kernel patch as per your system version. The help documentation for the Kernal upgrade and the required information are in the below SAP notes.
2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client.
2083594 - SAP Kernel Versions and SAP Kernel Patch Levels.
2350788 - Using Kernel 749 instead of Kernel 740, 741, 742 or 745
Step 1: Run T-code RZ10 and check if the parameter icm/HTTPS/client_sni_enabled and ssl/client_sni_enabled is set to True.
Step 2: If the above parameter is not enabled as TRUE, Run T-code: RZ11 and then enter the parameter icm/HTTPS/client_sni_enabled.
Step 3: Go to Change mode and apply the current value as TRUE and save the parameter.
Step 4: Repeat steps 2 and 3 for ssl/client_sni_enabled as well.
Done!
