One of the most powerful parts of using an SAP portal is the simple implementation of a single sign-on (SSO) environment. In simple terms, this means that after you have authenticated to the SAP portal, you shouldn't need to reauthenticate when starting applications from within the portal. SSO has been covered many times on SDN, but there is a slight gotcha...

The SSO "magic" is usually implemented with a special cookie, the SAP Logon Ticket (the MYSAPSSO2 cookie). The ticket carries, among other things, the user ID, the ID and client of the issuing system and a validity period, and it is digitally signed with the private key of the portal server that issued it. A backend system accepts the ticket only if that signature verifies against the issuing server's certificate, which is why the certificate matters.

Now the gotcha. This certificate, and the key pair it belongs to, are set up when the Web AS Java that hosts the SAP portal is installed. By default the certificate has a lifetime of two years, so an SAP portal running on a Web AS Java installed in late 2004 might have a certificate that looks like this:

This is taken from the Keystore administration option within the system administration portal role. Note that it will expire in late 2006. Not good 😞 Once the certificate expires, backend systems stop accepting tickets signed with it and SSO simply stops working.

Using the Visual Administrator and navigating to the Keystore service on one of the server nodes would give similar details:

Note that we need to select the TicketKeystore view and the SAPLogonTicketKeypair-cert entry.

It is from the Visual Administrator that we can make the necessary changes....

First, use the Rename option to rename the current entry, so that it is still there if we break anything. Remember, it's the SAPLogonTicketKeypair-cert entry that we're working with.

Now we can create a new entry. On the creation screen, enter as a minimum a value for the Common Name, generally your Web AS Java SID. As the Entry Name use SAPLogonTicketKeypair. Ensure you select the Store Certificate check box. The Valid To date should be set far enough out that you don't have to repeat this process in the short term; I've used 31st December 2049 in the example below. Bear in mind that a certificate that never expires is a signing key that is never rotated: if the private key is ever compromised, the attacker can mint logon tickets for any user until you have replaced the certificate in every backend, so treat the TicketKeystore with corresponding care. Ensure you select DSA as the algorithm, since that is what the logon ticket signature uses.

Note that on the right-hand side, under Issuer Info, it says Self Signed. This is set by using the Select CA Key option and selecting the TicketKeystore view, as shown in the following screen:

Back on the certificate creation main screen, use Generate to create the new entry.

OK, so now we have a new key pair, but here's the next gotcha... Every backend system has to be told to trust the new certificate, because tickets are now signed with a key those systems have never seen. This means repeating the process you originally followed to upload the certificate to each backend SAP ABAP system. This has been documented many times, but generally involves exporting the new certificate and using transaction STRUSTSSO2 to import it into the system PSE. Remember to check the ACL entry as well: the ACL maps the issuing system ID and client to the certificate, and a ticket is rejected unless its issuer appears there.

Of course, if you set the lifetime to a suitable value immediately after installing the Web AS Java, you avoid having to change it later on.
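Whatever lifetime you choose, the sensible follow-up is to monitor the certificate so that an expiry like the late-2006 one above is noticed months in advance rather than on the day SSO breaks. The script below is an added example, not code from the original post or from SAP: it reads a certificate exported from the TicketKeystore view (DER, or a PEM export) and walks just enough of the X.509 structure to read the Validity field, without third-party libraries, then classifies it as ok, expiring or expired. It does not verify the signature. The sample certificate it builds for demonstration is constructed test data (unsigned, dummy key, made-up CN "EP1"), not a real SAP export.

```python
"""Expiry check for an exported SAP Logon Ticket signing certificate (added example)."""
import base64
import datetime as dt
import sys


def utc(year, month, day, hour=0, minute=0):
    """Timezone-aware UTC datetime; certificate times are always UTC."""
    return dt.datetime(year, month, day, hour, minute, tzinfo=dt.timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a constructed DER value (SEQUENCE/SET) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        out.append((tag, child))
    return out


def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) to datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                          # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def load_der(data):
    """Accept raw DER, or a PEM export, and return DER bytes."""
    if b"-----BEGIN" in data:
        body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 Certificate."""
    _, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    fields = _children(_children(cert)[0][1])
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version leads v2/v3 certificates
        fields = fields[1:]
    # order is now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    validity = _children(fields[3][1])
    return _parse_time(*validity[0]), _parse_time(*validity[1])


def check_ticket_cert(der, now=None, warn_days=90):
    """Classify the signing certificate; returns (status, days_remaining).

    Tickets signed after not_after are rejected by every backend that trusts this
    certificate, so 'expiring' should trigger the key-pair replacement described above.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    not_before, not_after = certificate_validity(der)
    remaining = (not_after - now).days
    if now < not_before:
        return "not yet valid", remaining
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "expiring", remaining
    return "ok", remaining


# --- constructed sample certificate: structurally valid DER, unsigned, dummy key, not an SAP export ---
def _tlv(tag, value):
    """Encode one DER TLV, using the long-form length when needed."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def constructed_cert(not_before, not_after, common_name=b"EP1"):
    """Minimal self-issued Certificate with the given validity; CN 'EP1' is a made-up SID."""
    utc_time = lambda t: _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, common_name))))
    dsa_sha1 = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x38\x04\x03"))  # OID 1.2.840.10040.4.3
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + dsa_sha1 + name
               + _tlv(0x30, utc_time(not_before) + utc_time(not_after)) + name
               + _tlv(0x30, dsa_sha1 + _tlv(0x03, b"\x00\x00")))
    return _tlv(0x30, tbs + dsa_sha1 + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    # usage: python check_ticket_cert.py SAPLogonTicketKeypair-cert.der   (or a .pem export)
    if len(sys.argv) > 1:
        der = load_der(open(sys.argv[1], "rb").read())
    else:  # no file given: run against the constructed 2004-2006 certificate from the post's scenario
        der = constructed_cert(utc(2004, 11, 1), utc(2006, 11, 1))
    status, days = check_ticket_cert(der)
    print(f"SAPLogonTicketKeypair-cert: {status}, {days} days remaining")
```

Run it from a scheduled job against the exported certificate and alert on anything other than "ok"; 90 days is enough lead time to generate the new key pair and redistribute it to every backend via STRUSTSSO2. Incidentally, 31 December 2049 is also the last date X.509 can express as a UTCTime (RFC 5280 requires GeneralizedTime from 2050 onwards), so a certificate ending on that date stays in the encoding that every consumer understands.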
