Steps to check ICM settings in SAP

ICM parameters required in all instance profiles

Go to Tcode RZ10 for each instance profile and confirm if the below ICM parameters are maintained.

Parameter name
Parameter value

icm/HTTPS/client_sni_enabled

TRUE

ssl/client_sni_enabled

TRUE

ssl/client_ciphersuites

150:PFS:HIGH::EC_P256:EC_HIGH

ssl/ciphersuites

135:PFS:HIGH::EC_P256:EC_HIGH

If the parameters are not present or if the parameters are not matching, then add or update the parameters with the above-mentioned values. Once updated, restart ICM for this to work.

Note: Some systems may need application restart as well. But check the connectivity accordingly step by step with minimum downtime.

Prerequisites for SSL handshake

CommonCryptoLib (SAPCRYPTOLIB) Version 8.5.34 and above;

Kernel release should be 722 and above;

If is it below the given version, make sure you upgrade the kernel patch as per your system version. The help documentation for the Kernal upgrade and the required information are in the below SAP notes.

  1. 2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client.

  2. 2083594 - SAP Kernel Versions and SAP Kernel Patch Levels.

  3. 2350788 - Using Kernel 749 instead of Kernel 740, 741, 742 or 745

Important Note:

This is a step-by-step "How-to" guide for checking ICM settings in SAP. Please be aware that the values of different parameters and screenshots presented in this guide may vary depending on your specific use case. Before proceeding, please make sure to go through the checklist.

Steps to check ICM settings

Step 1: Run T-code RZ10 and check if the parameter icm/HTTPS/client_sni_enabled and ssl/client_sni_enabled is set to True.

Step 2: If the above parameter is not enabled as TRUE, Run T-code: RZ11 and then enter the parameter icm/HTTPS/client_sni_enabled.

Please make the change to the parameter by changing the value directly in the profile.

Step 3: Go to Change mode and apply the current value as TRUE and save the parameter.

Step 4: Repeat steps 2 and 3 for ssl/client_sni_enabled as well.

Done!

Last updated