Using Web Administration Interface with X.509 Certificate


You can set up the administration for the ICM and the SAP Web dispatcher from the browser. SAP recommends you use the Web administration with X.509 client certificates (with SSL). This is much more secure and the logon popup is omitted when the Web administration is first called up.


The configuration of the ICM and Web dispatcher must fulfill the following conditions.


SSL is configured in the ICM or Web dispatcher and a TTPS port has been opened (see  Configuring the SAP Web Dispatcher to Support SSL).

For the HTTPS port the value of icm/HTTPS/verify_clientmust be 1 or 2 (server must ask for the client certificate).

The user has a client certificate that the server accepts (the CA which has issued the client certificate must be trusted); see Using X509 Client Certificates.

Web Administration Interface

You have set up the Web administration interface as described in Setting Up the Web Administration Interface.


Enter the client certificate belonging to the user in the authentication file (standard name icmauth.txt). You enter the certificate in an optional column at the end of the file (see icm/HTTP/auth_<xx>).



In this column enter the distinguished name (DN) as it stands in the client certificate. In the browser this is often entered as the subject of the client certificate. As you can see in the example, the wildcards '?'and '*' are used to specify the certificate.

For instance, the distinguished name of the client certificate could have the following value in full: CN=muster, O=SAP-AG, C=DE

When you set icmon -a or wdispmon -a in the authentication file, you can change the DN of the client certificate as well as the password and group of an existing user.

If you want a user to be able to log on only with the X.509 client certificate, you can enter an x as the password (for queries), which makes the following entry (in the example) in file: