Exchange Certificates between portal and backend systems


To use Single Sign-On (SSO) with logon tickets between your portal and your backend system, you need to export the portal certificate and import it into your backend system. Here I would like to post a best-practice step-by-step guide.


Export the portal certificate

Open SAP NetWeaver Administrator using the URL http://host:port/nwa. In NetWeaver Administrator navigate to Configuration > Security > Certificates and Keys. In this view select the entry SAPLogonTicketKeypair-cert and click the Export button.

In the popup window that opens, select the export format Base64 X.509 and save the file to your local PC by clicking the download link.

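Before carrying the exported file over to the backend it is worth checking that it really is the Base64 X.509 (PEM) export and reading off subject, validity and fingerprint, so they can be compared with what NWA shows and later with the entry STRUSTSSO2 displays. The following is an added example and not part of the original guide or of any SAP tool: it uses only the Python standard library, and the certificate it inspects is constructed inline (system ID EP1 and the dummy key and signature are made up) so that it runs offline. For a real check, pass the text of your own exported file to inspect_certificate.

```python
# Added example (not part of the original guide): sanity-check an exported
# SAPLogonTicketKeypair-cert file before importing it with STRUSTSSO2.
# Standard library only; the sample certificate at the bottom is CONSTRUCTED
# for demonstration and is not a real portal certificate.
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# OIDs of the name attributes found in a typical ticket certificate subject
OID_NAMES = {bytes.fromhex("550403"): "CN", bytes.fromhex("550406"): "C",
             bytes.fromhex("55040a"): "O", bytes.fromhex("55040b"): "OU"}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        yield tag, val


def parse_name(name):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    parts = []
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = list(der_children(atv))
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8')}")
    return ", ".join(parts)


def parse_time(tag, value):
    """UTCTime (0x17) carries a two-digit year, GeneralizedTime (0x18) four digits."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def pem_to_der(text):
    """Return the DER bytes of a Base64 X.509 file, or raise ValueError."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE markers: not a Base64 X.509 export")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not an ASN.1 SEQUENCE")
    return der


def is_base64_x509(text):
    """True if the file looks like the Base64 X.509 export NWA produces."""
    try:
        pem_to_der(text)
        return True
    except (ValueError, IndexError):
        return False


def inspect_certificate(text):
    """Extract the fields worth comparing with what NWA and STRUSTSSO2 display."""
    der = pem_to_der(text)
    _, cert, _ = der_read(der)                        # Certificate
    _, tbs, _ = der_read(cert)                        # tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    not_before, not_after = list(der_children(validity[1]))
    subj, iss = parse_name(subject[1]), parse_name(issuer[1])
    return {"subject": subj, "issuer": iss, "self_signed": subj == iss,
            "serial": int.from_bytes(serial[1], "big"),
            "not_before": parse_time(*not_before), "not_after": parse_time(*not_after),
            # fingerprints are taken over the whole DER certificate, as tools show them
            "sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}


def der_tlv(tag, value):
    """Encode one TLV; used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def constructed_sample_pem():
    """CONSTRUCTED sample shaped like a self-signed portal ticket certificate
    (SID 'EP1' is made up; key and signature are dummies, never verified)."""
    name = der_tlv(0x30, b"".join(
        der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, NAME_OIDS[k]) + der_tlv(0x0C, v.encode())))
        for k, v in (("C", "DE"), ("O", "SAP Trust Community"), ("OU", "J2EE"), ("CN", "EP1"))))
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010105")) + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"131201000000Z") + der_tlv(0x17, b"231201000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name + der_tlv(0x30, alg + der_tlv(0x03, b"\x00")))
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for key, val in inspect_certificate(constructed_sample_pem()).items():
        print(f"{key:11} {val}")
```

The default portal ticket certificate is self-signed, so subject and issuer should match; if the file fails is_base64_x509 you most likely picked the DER or PKCS#7 format in the export dialog instead of Base64 X.509.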
Import the portal certificate into your backend system

Now you have to import the certificate into your backend system. Log on to the client of your backend system for which you want to set up SSO and call transaction STRUSTSSO2.

IMPORTANT

When the transaction opens, watch carefully for a message at the bottom left of the screen. If a message appears saying that maintaining PSEs for logon tickets is only possible in client 000, you have to log on to client 000 and import the certificate there. Where the certificate has to be imported depends on the release of your backend system.

Once logged on to the correct client, select the import icon to start importing your portal certificate.

In the dialog window that opens, click the small icon to select the path to the portal certificate on your local machine.

After you have selected the path to the portal certificate, click the check icon to finish the import. The portal certificate should now be shown in the middle of the screen. Next, the certificate has to be added both to the certificate list and to the Access Control List (ACL) of your system.

When adding the certificate to the Access Control List, a popup window opens in which you have to enter the system name and the client of your portal. When importing a portal certificate, the client has to be set to 000.

When you are done, the backend certificate should be shown in the certificate list and as the system's own certificate, and the portal certificate should be shown in the certificate list and in the access control list.

IMPORTANT

If you imported the portal certificate in client 000, you should now log on to the client for which you want to implement Single Sign-On and check whether the portal certificate has already been added to the access control list there. If it has not, select it from the certificate list by double-clicking it and add it to the ACL again. Save your settings.

If you want to use a connector connection between your portal and your backend system, you now also have to export the backend system certificate and import it into the Ticket Key Store of your portal system. If you only plan to use Internet Transaction Server (ITS) and Web Application Server connections, this is not necessary.

Troubleshooting

When Single Sign-On fails, you can get detailed error information via transaction SM50. There you have to raise the trace level and then reproduce the error.

Setting the trace level:

Select all DIA processes shown and press Ctrl + Shift + F7.

In the popup that opens, check Security and set the trace level to 2.

If the operation was successful, the DIA processes should now be highlighted in yellow.

After you have reproduced the error, reset the trace level of the DIA processes to the default level.

Now you have to check the DIA processes one by one and press Ctrl + Shift + F8 for each; this is the only way to find the DIA process that handled the request sent from the portal system.

4 Comments

  1. Anil Kumar

    Hi Nico,

    The document was simple and perfect for beginners like me... Thank you so much for sharing.

    Regards,

    Anil

  2. Lawrence Waterhouse

    That's a good one Nico, thank you very much! What you need now is a nice troubleshooting guide for SSO problems, I'm missing that one on SCN 🙂 Buddy, are you still working in Halle? My Swiss customer is looking for good guys like you actually 😉

    Best regards from Bern
