Steps to check ICM settings in SAP
ICM parameters required in all instance profiles
Go to Tcode RZ10
for each instance profile and confirm if the below ICM parameters are maintained.
icm/HTTPS/client_sni_enabled
TRUE
ssl/client_sni_enabled
TRUE
ssl/client_ciphersuites
150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites
135:PFS:HIGH::EC_P256:EC_HIGH
If the parameters are not present or if the parameters are not matching, then add or update the parameters with the above-mentioned values. Once updated, restart ICM for this to work.
Note: Some systems may need application restart as well. But check the connectivity accordingly step by step with minimum downtime.
Prerequisites for SSL handshake
CommonCryptoLib (SAPCRYPTOLIB) Version 8.5.34 and above;
Kernel release should be 722 and above;
If is it below the given version, make sure you upgrade the kernel patch as per your system version. The help documentation for the Kernal upgrade and the required information are in the below SAP notes.
2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client.
2083594 - SAP Kernel Versions and SAP Kernel Patch Levels.
2350788 - Using Kernel 749 instead of Kernel 740, 741, 742 or 745
Important Note:
This is a step-by-step "How-to" guide for checking ICM settings in SAP. Please be aware that the values of different parameters and screenshots presented in this guide may vary depending on your specific use case. Before proceeding, please make sure to go through the checklist.
Steps to check ICM settings
Step 1: Run T-code RZ10
and check if the parameter icm/HTTPS/client_sni_enabled
and ssl/client_sni_enabled
is set to True
.
Step 2: If the above parameter is not enabled as TRUE
, Run T-code: RZ11
and then enter the parameter icm/HTTPS/client_sni_enabled
.
Please make the change to the parameter by changing the value directly in the profile.
Step 3: Go to Change
mode and apply the current value as TRUE
and save the parameter.
Step 4: Repeat steps 2 and 3 for ssl/client_sni_enabled
as well.
Done!
Last updated