A common point of confusion for most Basis administrators?
Let's discuss with three cases.
Case 1:
From NetWeaver AS ABAP 710, plus AS ABAP 702 and above, a manual ICM restart IS NO LONGER REQUIRED. The change is applied at runtime automatically without any interruption of services.
Note 510007 - Additional considerations about setting up SSL on Application Server ABAP vers209
The following changes made to ICM SSL PSEs in STRUST are applied at runtime and reloaded by ICM without any interruption of services:
1) Importing the certificate response of a CA
2) Changes to the certificate list of trust anchors, for example adding or removing entries in the certificate list
In simple words,
⭐We will receive the message "SSL PSE was saved ICM was notified" at the bottom of the screen when saving the PSE in STRUST.
This confirmation is sufficient to show that our updated certificate is known to the system. It will be used for the next SSL communication/authentication.
The same behavior exists for Web Dispatcher PSE updates as well. If we add or remove certificates, or apply a CA response, from the Web Dispatcher Administration Interface, a manual restart of the sapwebdisp process is not required. The change is loaded at runtime automatically.
Case 2:
Changes to SSL PSEs of standalone programs that are not maintained through STRUST may require a restart of the corresponding affected programs (for example saphostagent, sldreg, etc.).
Case 3: (Additional)
*** There is no explicit statement that an ICM restart is required for the scenario below in any of the notes 2148372 vers3, 510007 vers209 and 1473710 vers11 - 20.04.2026. Hence, the change should be reflected at runtime only ***
"Replacing the main PSE file certificate itself, for example importing a PSE (.PFX) file in STRUST and saving it as the new SAPSSLS.PSE or SAPSSLC.PSE. This usually applies to post-installation steps."
To be on the safe side, cross-check whether the "ICM was notified" message is shown. If it is not shown, do a manual ICM restart once.
I have faced one glitch: I replaced the PSE file (with a PFX) and saved it as the SAPSSLS PSE (and did an ICM restart as well). The latest certificate was not shown in Fiori Launchpad - Security - Certificate Info. It still took the older certificate for SSL and showed "Connection Insecure" due to the expired existing certificates. After a system restart, it took the updated one. Hence, just be cautious and have a restart as a backup plan when replacing the SAPSSLS PSE file.
Note 2148372 - How to create own SSL Client PSE vers3
Note 1473710 - STRUST: How to Export or Import PSE from/to STRUST vers11
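The cross-check from Case 3 can also be done from outside the system by comparing the certificate an HTTPS endpoint actually serves with the one just saved in STRUST. The following is an added example, not code from the SAP notes or from this post's author: the host name, port 44300 and file name `new_sapssls_cert.pem` are hypothetical, and it assumes the new server certificate has been exported from STRUST in Base64 (PEM) form.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_served_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the endpoint presents, as DER bytes.

    Validation is disabled on purpose: the goal is to read what is served,
    including an expired certificate, not to trust the connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_endpoints(endpoints, expected_pem: str, fetch=fetch_served_der) -> dict:
    """Compare each endpoint's served certificate with the expected one.

    Returns {(host, port): "current" | "stale" | "unreachable"}.
    """
    expected = fingerprint(ssl.PEM_cert_to_DER_cert(expected_pem))
    results = {}
    for host, port in endpoints:
        try:
            served = fingerprint(fetch(host, port))
        except (OSError, ssl.SSLError):
            results[(host, port)] = "unreachable"
            continue
        results[(host, port)] = "current" if served == expected else "stale"
    return results


if __name__ == "__main__":
    # Hypothetical values: replace with your ICM / Web Dispatcher HTTPS
    # endpoints and the Base64 certificate exported from STRUST.
    with open("new_sapssls_cert.pem") as fh:
        pem = fh.read()
    for endpoint, status in check_endpoints([("sap-app01.example.com", 44300)], pem).items():
        print(endpoint, status)
```

A "stale" result after saving the PSE means the endpoint is still presenting the previous certificate, which is the situation where the restart backup plan applies.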
Hope you like these cases!
Thanks for visiting !!!