SAP ECC / SAP NetWeaver requirements
SAP systems often require additional configuration to support modern TLS and external APIs.
Required configuration
- Enable Server Name Indication (SNI)
  Required to ensure the correct TLS certificate is selected on Cloudflare’s edge for multi-tenant HTTPS routing.
  SAP parameter: icm/HTTPS/client_sni_enabled = TRUE
- Enable TLS v1.2 or higher
  Ensure ssl/client_ciphersuites is configured to support TLS 1.2+ compatible cipher suites (as per SAP kernel version).
- Ensure the SAP STRUST store contains all required public root CAs used by modern TLS services.
  Import all required root certificates into both:
  - SSL Client (Anonymous)
  - SSL Client (Standard)
Note: SAP STRUST is independent of the operating system trust store and must be maintained separately.
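A pre-check for the two profile parameters above, as an added example (not Fluentax or SAP code). It reads profile text in load order, assuming `#` comment lines and that a later assignment overrides an earlier one, and reports when SNI is off or no client cipher suites are configured. The function names and the sample profiles are constructed for illustration.

```python
SNI_PARAM = "icm/HTTPS/client_sni_enabled"
CIPHER_PARAM = "ssl/client_ciphersuites"


def parse_profile(text):
    """Return {parameter: value}. Assumption: '#' starts a comment line and
    a later assignment of the same parameter replaces an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_client_tls(*profile_texts):
    """Merge profiles in the order given (e.g. default profile, then the
    instance profile) and return a list of findings; empty means OK."""
    merged = {}
    for text in profile_texts:
        merged.update(parse_profile(text))
    findings = []
    sni = merged.get(SNI_PARAM)
    if sni is None:
        findings.append(f"{SNI_PARAM} is not set (required: TRUE)")
    elif sni.upper() != "TRUE":
        findings.append(f"{SNI_PARAM} = {sni} (required: TRUE)")
    if not merged.get(CIPHER_PARAM):
        findings.append(f"{CIPHER_PARAM} is not set; TLS 1.2+ suites depend on it")
    return findings


# Constructed sample profiles, not taken from a real system.
DEFAULT_PFL = """\
# default profile
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_ciphersuites = <value for your SAP kernel version>
"""
INSTANCE_PFL = """\
# instance profile that turns SNI back off
icm/HTTPS/client_sni_enabled = FALSE
"""

if __name__ == "__main__":
    for finding in check_client_tls(DEFAULT_PFL, INSTANCE_PFL) or ["OK"]:
        print(finding)
```

The check only confirms that ssl/client_ciphersuites is present; the correct value still depends on the SAP kernel version.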
Root certificates (trust store)
| Certificate Authority | Root Name | Download |
|---|---|---|
| Google Trust Services | GTS Root R1 | https://i.pki.goog/r1.pem |
| Google Trust Services | GTS Root R2 | https://i.pki.goog/r2.pem |
| Google Trust Services | GTS Root R3 | https://i.pki.goog/r3.pem |
| Google Trust Services | GTS Root R4 | https://i.pki.goog/r4.pem |
| Let’s Encrypt | ISRG Root X1 | https://letsencrypt.org/certs/isrgrootx1.pem |
| SSL.com | TLS RSA Root CA 2022 | https://ssl.com/repo/certs/SSLcom-TLS-Root-2022-RSA.pem |
| SSL.com | TLS ECC Root CA 2022 | https://ssl.com/repo/certs/SSLcom-TLS-Root-2022-ECC.pem |
Connectivity test endpoints
| Purpose | URL |
|---|---|
| Fluentax API TLS validation endpoint | https://fx-api.fluentax.com/healthz/live |
| GTS Root R1 TLS validation endpoint | https://good.gtsr1.demosite.pki.goog |
| GTS Root R2 TLS validation endpoint | https://good.gtsr2.demosite.pki.goog |
| GTS Root R3 TLS validation endpoint | https://good.gtsr3.demosite.pki.goog |
| GTS Root R4 TLS validation endpoint | https://good.gtsr4.demosite.pki.goog |
| ISRG Root X1 TLS validation endpoint | https://valid-isrgrootx1.letsencrypt.org |
| SSL.com TLS RSA Root CA 2022 TLS validation endpoint | https://test-root-2022-rsa.ssl.com |
| SSL.com TLS ECC Root CA 2022 TLS validation endpoint | https://test-root-2022-ecc.ssl.com |
You can use report RSHTTP20 with destination SAPHTTPA to test the connection to the test endpoints above.
Troubleshooting
Common errors
- SSL handshake failed
- SSSLERR_SERVER_CERT_MISMATCH
- ICM_HTTP_SSL_ERROR
- unknown CA
- peer certificate unknown
- no SNI match
Recommended diagnostics
- Test via SAP transaction
  - SMICM → Goto → Trace File
  - Report: RSHTTP20
- Enable ICM trace (if needed)
  Trace level = 3
- Check certificates in STRUST
  - SSL Client (Anonymous)
  - SSL Client (Standard)
- External TLS test
  openssl s_client -connect fx-api.fluentax.com:443 -servername fx-api.fluentax.com
Common root causes
- Missing root CA in STRUST
- SNI not enabled in SAP profile
- TLS < 1.2 enforced
- Corporate proxy or SSL inspection modifying TLS traffic or certificates
Note: TLS handshake failures may appear as HTTP timeouts in SAP logs depending on configuration.