Skip to Content
Author's profile photo Jens Gleichmann

Calling WebServices from ABAP via HTTPS/SSL with pfx certificates


The reason I write this blog is because it´s difficult to find information about this topic. I want to give an overview how to create a SSL connection in ABAP with a *.pfx certificate.
The main steps of calling a web service from abap via https are good described in Thomas Jung´s blog which can be found under

6 steps to success

  • install the latest sapcryptolib and sapseculib
  • configure the parameters and define the https service
  • convert the *.pfx into a PSE with sapgenpse
  • create a client PSE and load the created PSE into STRUST
  • restart the ICM services to load the new PSE file
  • create the RFC connection

1. Install the latest sapcryptolib and sapseculib

How to download and install these libraries is described in note 662340.

2. Configure the parameters and define the https service

The following parameters in your instance profile must be set to use the SAP Cryptographic Library:

icm/server_port_2 PROT=HTTPS,PORT=443,TIMEOUT=1800,EXTBIND=1 
ssl/ssl_lib /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
sec/libsapsecu /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
ssf/ssfapi_lib /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o

Which port you´ll choose is your decision. Standard port for HTTPS is 443. The paths must point to your libsapcrypto.o.

3. Convert the *.pfx into a PSE with sapgenpse

Upload the *.pfx to your application server. Go to your exe directory with command shell and generate into PSE with sapgenpse:


The password can also set in the command with option -z. You can let the PIN empty.

4. Create a client PSE and load the created PSE into STRUST

You can create additional SSL client PSEs in transaction STRUST, using
the menu item “Environment ==> SSL Client Identities”.


In this case I called the PSE “HTTPS”.

The next step is a little bit tricky. Download the PSE file from your sec directory to your workstation. Than go on ABAP site to transaction STRUST. If you look around you´ll find the import option under PSE -> Import . This option is not the right one. This was my why the connection didn´t work at my tests. According to SAP support it´s a historic reason 😉

Choose File -> select your PSE on your workstation; than click on PSE -> Save as… -> SSL Client -> choose your new created client PSE 



If you want to use a pfx certificate you also need a CA root. Upload your root.cer from your workstation and click on “Add to Certificate List”. Save your setting. Now you have successfully integrated your certificates.

5. Restarted the ICM services to load the new PSE file

This is also a little bit tricky; every time you change something in STUST on the PSE files you must restart the ICM.


Go to transaction SMICM and restart the services via “Exit Soft”.

6. Create the RFC connection


Set connection type to G and enter your address and path.


Set SSL to active and select your client certificate from the list.

Don´t forget to set your proxy settings! Be sure that the application server could establish a connection to the external server.


Be careful with the names in the certificate. They mustn´t include special characters like ö,ü,ä. You will get an error like this:


A few days ago I´ve got  another error while refreshing a certificate:

ERROR: Incomplete certification path — NEED certificate of “Root-CA”!



Error while creating the PSE

In newer releases you have to provide (option -r <root-CA.cer>) also the root-CA while you create the PSE:


Creating PSE with option -r



At least I hope I could collect the knowledge you need for setting up a SSL connection with *.pfx certificates and avoid a lot of mistakes you can made while setting up this connection.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member
      This post is awesome. We've found difficult to install a pfx certificate until we read it. Now we have https in our system working properly 😉
      Author's profile photo Marc Arnold
      Marc Arnold
      Hi Jens,
      great blog, this was very helpful to setup an additional client certificate on the ABAP stack for the first time!
      Author's profile photo Former Member
      Former Member
      Hi Jens,
      great blog. I tried to configure my system as you suggest: I've converted the *.p12 into a PSE with sapgense and I've created the RFC connection. But when I test the connection the result is ICM_HTTP_SSL_ERROR.

      In the ICM monitor these are the message:
      [Thr 11] Thu May 26 16:02:57 2011
      [Thr 11] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
      [Thr 11] session uses PSE file "/usr/sap/SV5/DVEBMGS10/sec/SAPSSLHTTPS1.pse"
      [Thr 11] SecudeSSL_SessionStart: SSL_connect() failed
      secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"
      [Thr 11] >> Begin of Secude-SSL Errorstack >>
      [Thr 11] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
      WARNING in ssl3_output_cert_chain: (12354/0x3042) No hierarchy certificate in FCPath
      WARNING in reduce_FCPath_by_Issuer: (12354/0x3042) No hierarchy certificate in FCPath
      [Thr 11] << End of Secude-SSL Errorstack
      [Thr 11] SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"
      [Thr 11] Server's List of trusted CA DNames (from cert-request message):
      [Thr 11] #1 certificate
      [Thr 11] #2 certificate
      [Thr 11] SSL NI-sock: local=ip peer=ip2
      [Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=6000000000652010)==SSSLERR_SSL_CONNECT
      [Thr 11] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {0001007f} [icxxconn_mt.c 2012]

      Any suggestion?


      Author's profile photo Jens Gleichmann
      Jens Gleichmann
      Blog Post Author
      Hi Norberto,

      there are many reasons for an error during the handshake.
      1) First of all test if the certificate works in the browser
      2) set the trace level for the ICM to a higher level and reproduce the issue
      3) check if any other factors can have influence to your connection like firewalls, proxies, ACL´s etc. and check their logs
      4) Have you created the PSE via the root CA?


      Author's profile photo Former Member
      Former Member
      Hi Jens,
      thanks for your reply.
      I've installed the certificates on my PC to connect to the server to download the wsdl to generate the proxy client and they works.
      The certificate path of the serivice contains 3 certificates:
      1.Informatica Trentina S.p.A. Certification
         2. Informatica Trentina S.p.A. Certification
      The third one is the host of the service.

      I downloaded the second certificate in a file *.cer and I generated the pse with the command:
      sapgenpse import_p12 -v -z<pw > -r file.cer -p file.pse file.p12

      After these operation I created the client PSE as SSL Client, I create th RFC and I test it, but I've got the error message.

      Best regards,

      Author's profile photo Former Member
      Former Member
      Hi all,
      problem solved, I applyed the note 1115328, now it works,
      great blog Jens.


      Author's profile photo Priyanka Porwal
      Priyanka Porwal

      Hello Jens,

      I have configured the destination as you suggested. The private key is imported in STRUST and the destination test results in "you are being logged on". However when I am calling from code after create_by_destination, I also need to append the query parameters. I am using following


          CALL METHOD lo_client->request->set_header_field
            name  = '~request_uri'
            value = lv_request_url.


      where lv_request_url points to the https:// URL that I need to call. However after send and receive as well, I receive the same response "you are being logged on". Could you please help us in getting this corrected?



      Author's profile photo Former Member
      Former Member

      Hi Jens,


      I have tried to perform the steps but while uploading the PSE from File the save as option is not coming .


      Please suggest shall I import it from PSE-->Import option.

      Author's profile photo Albert Samigullin
      Albert Samigullin


      I confused...Step 3. As i understood, you got this sert from third party site? Right?

      Author's profile photo adrian di ruggiero
      adrian di ruggiero

      Hi Jens,

      Thank you for sharing this article, it was very useful for me. I was able to follow the steps, and now I can call WS signing them using a certificate.

      Now I have a doubt: When the certificate becomes invalid due to the expiring date, should I need to recreate the PSE again, or can I upload the renewed certificate to the existing PSE?

      Thank you in advance