
One of the most powerful parts of using an SAP portal is the simple implementation of an SSO (single sign-on) environment. In simple terms, this means that once you have authenticated to the SAP portal, you should not need to re-authenticate when starting applications from within the portal. SSO has been covered many times on SDN, but there is a slight gotcha…

The SSO “magic” is usually implemented by means of a special cookie, the SAP Logon Ticket. This ticket contains, among other things, the certificate of the portal server that issued the ticket.

Now the gotcha. This certificate is set up when the Web AS Java that hosts the SAP portal is installed. By default it has a lifetime of two years, so an SAP portal running on a Web AS Java that was installed in late 2004 might have a certificate that looks like this: [image]

This is taken from the Keystore administration option within the system administration portal role. Note that it will expire in late 2006. Not good 🙁

Using the Visual Administrator and navigating to the Keystore service on one of the server nodes gives similar details: [image]

Note that we need to select the TicketKeystore view and the SAPLogonTicketKeypair-cert entry.

It is from the Visual Administrator that we can make the necessary changes.

First, use the Rename option to rename the current entry, so that the original is still available in case we break anything. Remember, it is the SAPLogonTicketKeypair-cert entry that we are working with.

Now we can create a new entry. On the creation screen, enter as a minimum a value for the Common Name (generally your Web AS Java SID). As the Entry Name use SAPLogonTicketKeypair. Ensure you select the Store Certificate check box. The Valid To date should be set far enough ahead that you do not have to repeat this process in the short term; I have used 31st December 2049 in the example below. Ensure you select DSA as the algorithm.

[image]

Note that on the right-hand side, under Issuer Info, it specifies Self Signed. This is set by using the Select CA Key option and selecting the TicketKeystore view, as shown in the following screen:

[image]

Back on the certificate creation main screen, use Generate to create the new entry.

OK, so now we have a new keypair, but here is the next gotcha… We have to tell each of our systems to trust this new certificate. This means going through the process you originally followed to upload the certificate to each backend SAP ABAP system. This has been documented many times, but generally involves exporting the new certificate and using transaction STRUSTSSO2 to upload it. Remember to check the ACL entry as well.

Of course, if you set the lifetime to a suitable value immediately after installing Web AS Java, you avoid having to change it later on.
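The whole point of the post is that nobody notices the SAPLogonTicketKeypair-cert validity until tickets stop being accepted, so the check a practitioner wants is a script that reads the notBefore/notAfter window of an exported certificate and warns before it runs out. The following is an added example, not code from the original post or from SAP: a pure-stdlib Python DER walker that extracts the validity window from a DER-encoded X.509 certificate (as exported from the Visual Administrator keystore), plus a status function. The `sample_certificate()` builder is a constructed, unsigned certificate skeleton used only so the example runs offline; the SID "P01" and the 90-day warning threshold are assumptions. It also goes slightly beyond the post: X.509 encodes dates through 2049 as UTCTime and dates from 2050 on as GeneralizedTime (which is why 31 December 2049 is the last "short" date), and it flags an expiry past January 2038, the limit one commenter below reports for 6.20 backends.

```python
"""Validity check for an X.509 certificate such as SAPLogonTicketKeypair-cert.
Added example (not from the original post or from SAP); stdlib only."""
import datetime as dt


def utc(year, month, day, hour=0, minute=0, second=0):
    """Helper: timezone-aware UTC datetime."""
    return dt.datetime(year, month, day, hour, minute, second, tzinfo=dt.timezone.utc)


# --- minimal DER reader ----------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _parse_time(tag, raw):
    """Decode UTCTime (tag 0x17, two-digit year, 1950..2049) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000
        return utc(year, int(text[2:4]), int(text[4:6]),
                   int(text[6:8]), int(text[8:10]), int(text[10:12]))
    if tag == 0x18:
        return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    raise ValueError(f"unexpected time tag 0x{tag:02x}")


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes before serialNumber
        fields = fields[1:]
    validity = fields[3][1]                 # serialNumber, signature, issuer, validity, subject, ...
    (tag_nb, nb), (tag_na, na) = list(_children(validity))
    return _parse_time(tag_nb, nb), _parse_time(tag_na, na)


def expiry_status(der, now, warn_days=90):
    """'not yet valid', 'expired', 'expiring' (within warn_days) or 'ok'."""
    not_before, not_after = certificate_validity(der)
    if now < not_before:
        return "not yet valid"
    remaining = (not_after - now).days
    if remaining < 0:
        return "expired"
    return "expiring" if remaining <= warn_days else "ok"


def exceeds_2038(der):
    """True if notAfter lies beyond 2038-01-19, the 32-bit time_t limit."""
    return certificate_validity(der)[1].timestamp() > 2**31 - 1


# --- constructed sample certificate (skeleton only, no real key or signature) ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _der_time(d):
    """Encode as X.509 requires: UTCTime through 2049, GeneralizedTime from 2050."""
    if d.year < 2050:
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    return _der(0x18, d.strftime("%Y%m%d%H%M%SZ").encode())


def sample_certificate(not_before, not_after, cn="P01"):
    """Constructed sample: CN=<SID>, self-issued, empty key and signature fields."""
    name = _der(0x30, _der(0x31, _der(0x30,
        _der(0x06, bytes([0x55, 0x04, 0x03])) +              # OID 2.5.4.3 commonName
        _der(0x13, cn.encode()))))                           # PrintableString
    dsa_sha1 = _der(0x30, _der(0x06, bytes([0x2A, 0x86, 0x48, 0xCE, 0x38, 0x04, 0x03])))  # 1.2.840.10040.4.3
    tbs = _der(0x30,
        _der(0xA0, _der(0x02, b"\x02")) +                    # [0] version v3
        _der(0x02, b"\x01") +                                # serialNumber 1
        dsa_sha1 + name +
        _der(0x30, _der_time(not_before) + _der_time(not_after)) +
        name +
        _der(0x30, b""))                                     # subjectPublicKeyInfo left empty
    return _der(0x30, tbs + dsa_sha1 + _der(0x03, b"\x00"))


if __name__ == "__main__":
    # A late-2004 install with the two-year default, checked two weeks before it lapses.
    default_cert = sample_certificate(utc(2004, 11, 15), utc(2006, 11, 15))
    print(certificate_validity(default_cert), expiry_status(default_cert, utc(2006, 11, 1)))
    long_cert = sample_certificate(utc(2004, 11, 15), utc(2049, 12, 31, 23, 59, 59))
    print(certificate_validity(long_cert), exceeds_2038(long_cert))
```

To use it on a real export, read the file with `open(path, "rb").read()` and pass the bytes to `expiry_status()` (convert a PEM export to DER first). The walker stops at the validity field on purpose: it does not validate the signature or the rest of the structure, so it is a monitoring check, not a trust decision.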


10 Comments


    1. Michael Nicholls Post author
      On one of our WAS 620 ABAP systems I am seeing some SM21 messages that cover this issue.

      Message PM4 warns me “Validity of certificate from list with PSE type >SystemPSE< ends in 1 days”

      and PM2 tells me “Certificate with PSE type >SystemPSE< has been invalid for 109 days”.

      Neither of these reports which is the problem certificate, so you need to use STRUST or STRUSTSSO2 to look at the individual entries…

  1. Gregor Wolf
    Hello Michael,

    thank you for providing this documentation. But don’t forget to link also to the standard documentation available at Replacing the Public-Key Certificate to Use for Logon Tickets.

    Also I had a problem with the long validity period you’ve used. On our 6.20 Backend my Ticket was not accepted because of its validity till 2039. There is OSS Note 499386 – “Invalid logon ticket” for CA certificates which explains that certificates can be valid up to the year 2038.

    Another valuable note is OSS Note 701205 – Single Sign-On using SAP Logon Tickets, which contains a tool to test the Tickets.

    Regards
    Gregor

  2. OSS ETT

    Hello Michael;

    This information is helpful to me.

    When I create a new SAPLogonTicketKeypair, I will get value in .

    From your blog picture, I found the value of is “Could you tell me more detail how to set ?
    Or I can skip it.

    1. Michael Nicholls Post author

      I think the value is set to  on initial setup but then gets set to the new value when you generate your own key. I don’t think it’s a problem. The screen shot I showed was from an initial install.

    1. Michael Nicholls Post author
      Deleting certificates is not a good idea unless you can re-export them from the source system and reimport them. Please check the help pages about STRUST to see how to exchange certificates between ABAP systems.
