Adds, deletes, or displays a list of server certificates for the SAP ASE server.


sp_ssladmin {[addcert, certificate_path [, password | NULL]] 
	[dropcert, certificate_path]
	{"FIPS" | "Strong" | "Weak" | "All" | quoted_list_of_ciphersuites}]




  • The SAP ASE listener must present to the client a certificate. The common name in the certificate must match the common name used by the client in the interfaces file. If they do not match, the server authentication and login fail.

  • When NULL is specified as the password, dataserver must be started with a -y flag. This flag prompts the administrator for the private-key password at the command line.

  • The use of NULL as the password is intended to protect passwords during the intitial configuration of SSL, before the SSL encrypted session begins.

    After restarting the SAP ASE server with an SSL connection established, use sp_ssladmin again, this time using the actual password. The password is then encrypted and stored by the SAP ASE server. Any subsequent starts of the SAP ASE server from the command line would use the encrypted password; you do not have to specify the password on the command line during start up.

  • You can specify “localhost” as the hostname in the interfaces file (sql.ini on Windows) to prevent clients from connecting remotely. Only a local connection can be established, and the password is never transmitted over a network connection.

See also Confidentiality of Data in the System Administration Guide.


The permission checks for sp_ssladmin differ based on your granular permissions settings.


With granular permissions enabled, you must be a user with manage security configuration privilege.


With granular permissions disabled, you must be a user with sso_role.


Values in event and extrainfo columns from the sysaudits table are:



Audit option


Command or access audited

Execution of a procedure

Information in extrainfo
  • Roles – Current active roles

  • Keywords or options – NULL

  • Previous value – NULL

  • Current value – NULL

  • Other information – All input parameters

  • Proxy information – Original login name, if set proxy in effect