
SSL Setup


Overview

In general, Git servers require secure connections. Therefore, abapGit uses secure connections based on HTTPS to access Git servers.

Note: Using insecure HTTP connections is possible but strongly discouraged since the content of your repository would become visible on the network.

To support HTTPS, your SAP system must be configured accordingly:

  • Enabled HTTP/HTTPS service connection in SAP system profile
  • Import Git server certificates into SAP trust manager
  • If necessary, define an HTTP Proxy Server in abapGit settings

Note: Alternatively, connection details can be defined via user exit.

Note

There are usually policies in place governing who is permitted to make changes to these settings in your SAP system. Please contact your SAP Basis and network team to coordinate requirements.

We use GitHub.com as an example for configuring secure connections. This is also required if you want to clone and contribute to abapGit itself. The setup for other Git servers is quite similar but will require different certificates.

SAP Crypto Library

Secure connections require installation of the SAP Crypto Library (CommonCryptoLib 8). Since SAP NetWeaver 7.4 this library is installed with the system. However, if your system is older or not up-to-date, you might have to update the library to a more recent version.

Note

It's highly recommended to run a recent version of the Crypto Library to avoid known security issues. As of December 2022, the latest version is 8.5.47.

Crypto Library in SAP Download Center

You can find the installed version number in transaction STRUST > Environment > Display SSF Version.

SAP System Profile

See SAP Note 510007, section 7, for detailed information on how to configure your SAP system to support SSL.

The currently recommended settings for TLS v1.2 interoperability are (requiring at least CommonCryptoLib 8.4.38, recommending at least 8.5.4):

ssl/ciphersuites             = 135:PFS:HIGH::EC_X25519:EC_P256:EC_HIGH
ssl/client_ciphersuites      = 150:PFS:HIGH::EC_X25519:EC_P256:EC_HIGH
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled       = TRUE

SETENV_26 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_X25519:EC_P256:EC_HIGH
SETENV_28 = SAPSSL_CLIENT_SNI_ENABLED=TRUE 

To add profile parameters, use transaction RZ10 or update the contents of file DEFAULT.PFL directly. A system restart might be required.

For preview, evaluation, and developer versions of SAP NetWeaver, refer to the following locations, depending on your system name:

  • "A4H - SAP NetWeaver AS ABAP 7.4 and above (Linux / SAP HANA)" - /usr/sap/A4H/sys/profile/DEFAULT.PFL
  • "NPL - SAP NetWeaver 7.x" - /sapmnt/NPL/profile/DEFAULT.PFL
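
One way to check a copy of DEFAULT.PFL against the settings recommended above, as an added example that is not part of abapGit or any SAP tool. It assumes the profile uses `key = value` lines with `#` comment lines; the function names and the sample profile are constructed for illustration.

```python
# Recommended values copied from the profile listing on this page.
RECOMMENDED = {
    "ssl/ciphersuites": "135:PFS:HIGH::EC_X25519:EC_P256:EC_HIGH",
    "ssl/client_ciphersuites": "150:PFS:HIGH::EC_X25519:EC_P256:EC_HIGH",
    "icm/HTTPS/client_sni_enabled": "TRUE",
    "ssl/client_sni_enabled": "TRUE",
}
MIN_CCL = (8, 4, 38)         # CommonCryptoLib version required at least
RECOMMENDED_CCL = (8, 5, 4)  # CommonCryptoLib version recommended at least

def parse_profile(text):
    """Return {parameter: value}, skipping blank lines and '#' comment lines."""
    params = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values such as SETENV_nn contain '='
        params[key.strip()] = value.strip()
    return params

def parse_version(text):
    """'8.5.47' -> (8, 5, 47), so versions compare as numbers, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def audit(profile_text, ccl_version):
    """List deviations from the recommended settings; an empty list means none."""
    params = parse_profile(profile_text)
    findings = []
    for name, expected in RECOMMENDED.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name}: not set (recommended {expected})")
        elif actual != expected:
            findings.append(f"{name}: {actual} (recommended {expected})")
    if parse_version(ccl_version) < MIN_CCL:
        findings.append(f"CommonCryptoLib {ccl_version}: below required 8.4.38")
    elif parse_version(ccl_version) < RECOMMENDED_CCL:
        findings.append(f"CommonCryptoLib {ccl_version}: below recommended 8.5.4")
    return findings

# Constructed sample profile, not taken from a real system.
SAMPLE = """\
ssl/ciphersuites             = 135:PFS:HIGH::EC_X25519:EC_P256:EC_HIGH
icm/HTTPS/client_sni_enabled = FALSE
#ssl/client_sni_enabled      = TRUE
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "8.4.49")))
```

Pass the version shown under STRUST > Environment > Display SSF Version as the second argument.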

If configured correctly, transaction SMICM > Goto > Services (Shift + F1) will show a green checkmark next to the HTTPS service.


SAP Trust Manager

By default, abapGit uses an anonymous client connection (ANONYM - SSL Client (Anonymous)). A secure connection requires that the Git server certificate is available in the certificate list. The certificate must also be valid!

First, download the server certificates to your local machine. Then import and add these certificates to your SAP system.

Trust Manager in SAP Documentation

If done correctly, transaction STRUST will show the Git server certificates in the certificate list.


Download the Certificate Files

Option A - Chrome
  1. Use Google Chrome to go to https://github.com
  2. Click on the lock icon near the address bar, then click on "Connection is secure"
  3. On the Security tab, click on "Certificate is valid"
  4. Go to the "Details" tab and select "Export..." to download the certificate to a file
  5. In the "Certification hierarchy" box, select the parent node of the GitHub certificate and export it as well. Repeat the same with the root node.
Option B - Firefox
  1. Use Firefox to go to https://github.com
  2. Click on the lock icon and then "More Information ..." and there "View Certificate"
  3. Switch to the Details Tab and choose the first certificate of the hierarchy and click Export
  4. Do the same for the next certificate in the hierarchy
Option C - Safari
  1. Use Safari to go to https://github.com
  2. Click on the lock icon and then "View Certificate"
  3. In the certificate hierarchy, select the root certificate
  4. Holding down the Option key (⌥), drag the large certificate icon into a text editor
  5. Save the document as a .PEM file
Option D - Manual
  1. Go to GitHub and find the certificate that it is using
  2. Download the certificate from https://www.digicert.com/digicert-root-certificates.htm

Install the Certificate Files

  1. Install the certificates in transaction STRUST:
  2. Click on the Change button
  3. Open the "SSL client SSL Client (Anonymous)" folder
  4. In the third box called "Certificate", click on the bottom-left button "Import certificate" to bring the certificate into the system
  5. Select "Add to certificate list"
  6. Repeat the process for all downloaded certificates
  7. Save

abapGit Settings

If your SAP system is behind a firewall, it might require an HTTP proxy to access the Git server. If this is the case, maintain the proxy host, port, and authentication (user/password) in your global abapGit settings.


Testing the Connection

Report ZABAPGIT_TEST_SSL can be used to verify that the connection works.

Troubleshooting

Connection issues typically lead to "Access to resource forbidden" (HTTP 403) or "Misdirected Request" (HTTP 421) errors.

  1. Go to transaction SMICM
  2. Check that ICM is in status "running" (green light)
  3. Select Goto > Services and check that the HTTPS service is active (green checkmark)
  4. Select Goto > Trace Files > Display All to view the ICM trace (dev_icm)
     • Check for any errors
     • Find the section called "SSL Initialization" and check if it ends with "Success - SapCryptoLib SSL ready!"
     • Compare the listed SSL settings to the recommended settings of SAP Note 510007 (and mentioned above)
  5. Go to transaction STRUST
  6. Select "SSL client SSL Client (Anonymous)"
  7. Verify that the required Git server certificates are included in the certificate list
  8. Check that all required certificates are valid

The following blog posts on the SAP Community Network might be helpful:

Info

There might be user exits in play that modify the default connection behavior (see section below). Check which exits are implemented and what values they return!

Notes

Actions Requiring Authentication

To perform operations that require authentication, such as cloning a private repository or pushing to any GitHub repository, you need to install not only the certificates for github.com but also for https://api.github.com. Repeat the download and STRUST import steps for the API server as described in the sections above (see also #1491 and #6768).

User Exits

The following exits are available to customize certain aspects of connection to the Git server using ABAP:

  • Using an RFC connection instead of HTTP
  • Defining proxy host and port (if abapGit settings are not sufficient)
  • Defining the SSL certificate section (if other than ANONYM)
  • Identifying local systems and setting logon tickets

See User Exits for more details.

Accessing GitHub

On 2018-02-22, GitHub deprecated weak TLS connections. See SAP Note 510007 for details on required profile parameter changes.