Skip to Content
Author's profile photo Marvin Hoffmann

Enabling SSL (HTTPS) on SAP Gateway

Enabling SSL (HTTPS) on SAP Gateway



There are already many guides out there how to configure the SAP Netweaver Gateway so that you can use HTTPS connections. Anyway this here is my documentation, it should also serve as a documentation for myself.

In the first step the netweaver gateway needs to be setup for https/ssl.
So that you can call e.g. OData services by calling

Transport Layer Security on SAP NetWeaver AS for ABAP

CommonCryptoLib 8

Successor of SAPCryptoLib
Inside NetWeaver 74X SAPCRYPTOLIB is available in the new variant CommonCryptoLib 8

Following steps are based on SAP Note: 510007 – Setting up SSL on Application Server ABAP

Before adding and modifiying necessary profile parameter, we should check
if the CommonCryptoLib and its variable is available

SE38 and execute report RSPARAM


Check if $(SAPCRYPTOLIB) is defined


You can also check if you find the sapcrypto files on the file system
(e.g. on Windows sapcrypto.dll)


Maintain Instance Profile Parameter

Go to transaction RZ10 and open the Instance profile with “Extended

(Info: You also can check a single parameter in transaction RZ11)



SAP system starts in a sequence:

  1. The Kernel Codes are ready
  2. The default Profile
  3. The Instance Profile

Parameters in Default profile are the ones which are applicable to all instances, i.e. a set of common system parameters for e.g. message server hostname…

Instance profiles contains parameters that only take effect for that particular instance for e.g. number of dialog work processes

If a parameter is defined in both the profiles, then the value of the parameter in instance profile will be effective for that instance.

Make sure following values are set (if not set, add them as new parameter)





















Permit use of client



Full qualified domain name



Use dynamic mapping

If variable $(SAPCRYPTOLIB) is not set (verified in last step), use $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL) instead

icm/server_port_X = PROT=HTTPS,PORT=<TCP port number for HTTPS>

Replace the X with the number of configured ports (usually https port is 1)

Set icm/HTTPS/verify_client for handling user certificates, it can be set to 0 (suppress) / 1 (default) (permit) or 2 (enforce)

The value login/certificate_mapping_rulebased will enable the use of dynamic mapping through transaction CERTRULE, might be not supported by old
netweaver systems. By setting this parameter to 1 old entries entered manually into table VUSREXTID will not be used any longer.


Note! After changing the profile parameter you need to restart the
netweaver system

Maintain Certificates in STRUST

Go to transaction STRUST

Right click on “SSL server Standard” and choose “Create”


Enter values for your default certificate Organizational Unit and Company Name. Do not change the asterix ( * ) inside name. Best Practice to create at first a default wildcard certificate. Use a key length of 2048. The value in field CA should match your CA’s values. Same CA that will be used later to sign this certificate.


I will use my own CA for this testing…

My CA certificate:


The instance specific PSEs will be created automatically. In this test landscape I only have one instance.



Now it should be possible already to access your server via browser and https:


Testing OData Service with HTTPS connection

We can enable the ping service for further testing. Go to transaction SICF and enable the node /sap/bc/ping


Test Ping Service in browser by accessing https://<gw server>:<https port>/sap/bc/ping

You should get asked for user and password…


After authenticating we can see a success screen


Proper System Certificate Signing

Until now the HTTPS certificate is still self-signed in STRUST we can create a certificate signing request (copy it into clipboard or export it as csr file), that can be signed by a CA.


Because I am using XCA (freeware tool) to simulate my own CA, I can import the certificate request there and sign it. I exported the CSR response “PEM

with Certificate chain”. This will also include the public certificate of the signing CA.


I prefer setting also the Issuer Alternative Name to IP:<ip address of server> . By doing so the browser will be also trusting the certificate if the ip adress instead of the fqdn is called).

Finally import the certificate response in STRUST


After that you should see, that the CA is now the new issuer of the server’s certificate.


Save it. And call the ping service again inside your browser. If you have imported the CA certificate into your system store (under Trusted Certificate Authorities), you should see that now the browser is trusting your server.


The SAP Gateway is now prepared for proper HTTPS communication …

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Dieter Lorenz
      Dieter Lorenz


      What about wildcard certificates. I found not a note for the szenario ?

      thanks a lot

      Author's profile photo Wolfgang Janzen
      Wolfgang Janzen

      "CN=*" is a wildcard certificate.
      Actually it's not a good idea to use server-specific (non-wildcard) certificates in addition - that's only required when your CA is refusing to issue wildcard SSL server certificates.

      So, the easiest (and fastet) way is: delete those additional server-specific (non-wildcard) certificates by selecting "SSL-Server Standard" PSE (left pane), press right mouse button and choose option "Change". A new display (as shown above) comes up; there mark the lines with the server-specific certificates and press the "waste-bin" button to delete them.

      Author's profile photo Karel Daniels
      Karel Daniels

      How do I sign this with XCA or otherwise?

      Author's profile photo Vladislav Volodin
      Vladislav Volodin
      This information can be lost, that is why I have decided to add it here. When you use GW_CLIENT, and check the URL with HTTPS, you will probably have an error that is reviewed here: Troubleshooting Guide - How to troubleshoot the SSSLERR_PEER_CERT_UNTRUSTED (peer certificate (chain) is not trusted) issue
      After you read it, and take a look at the dev_icm file, you should see lines similar to mine (I hope, you will see them):
      [Thr 7824] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_SSL [Thr 7824]    session uses PSE file "E:\usr\sap\ERP\DVEBMGS00\sec\SAPSSLA.pse" [Thr 7824] SecuSSL_SessionStart: SSL_connnect() failed  (536872221/0x2000051d) [Thr 7824]    => "SSL API error" [Thr 7008]   SSL_get_state()==0x1180 "SSLv3 read client certificate A" [Thr 7008] *** ERROR during SecuSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL [Thr 7008]    session uses PSE file "E:\usr\sap\ERP\DVEBMGS00\sec\SAPSSLS.pse" [Thr 7008] SecuSSL_SessionStart: SSL_accept() failed  (536875078/0x20001046) [Thr 7008]    => "SSL API error" What is important is the PSE file name. In my case there are two files: SAPSSLA.pse and SAPSSLS.pse. To find what PSEs should have the root certificate (in my case, this is a global certificate whom I trust), you should click this button (in STRUST):
      The new window will show you the table:

      Everything you have to do is to import the root certificate into your PSE (SSL client Anonymous in my case), and GW_CLIENT will trust HTTPS automatically.
      That's it! Happy debugging :)
      Author's profile photo Former Member
      Former Member

      Is possible you can explain how use XCA tool to create certificate CA with more details?, in my case when I use it and export file an try to sign an error is send it on XCA  "The Key you selected for singning is not a private one" any one can help?