Exchange Certificates between portal and backend systems
To use Single Sign-On (SSO) between your portal and your backend system you need to export the portal certificate and import it into your backend system. Here I would like to post a best-practice step-by-step guide.
Export the portal certificate
Navigate to SAP NetWeaver Administrator using the URL http://host:port/nwa. In the NetWeaver Administrator navigate to Configuration > Security > Certificates and Keys. In this view select the entry SAPLogonTicketKeypair-cert and click the Export button.
In the popup window that opens select the export format Base64 X.509 and save the file to your local PC by clicking on the download link.
Import the portal certificate to your backend system
Now you have to import the certificate into your backend system. To do so, log on to the client of your backend system for which you want to set up SSO and call transaction STRUSTSSO2.
When the transaction opens, watch carefully for a message at the bottom left of the page. If a message appears saying that maintaining PSEs for logon tickets is only possible using client 000, you have to log in using client 000 and import the certificate there. Which client the certificate has to be imported in depends on the version of your backend system.
Logged in using the correct client, select the import icon to start the import of your portal certificate.
In the dialog window that opens, click on the small icon to select the path to the portal certificate on your local machine.
After you have selected the path to the portal certificate, click on the check icon to finish the import. The portal certificate should now show up in the middle of the screen. Now the certificate has to be added to the certificate list and to the Access Control List (ACL) of your system.
When adding the certificate to the Access Control List a popup window opens; there you have to enter the system name and the client of your portal. When importing a portal certificate the client has to be set to 000.
After you have finished, the backend certificate should be shown in the certificate list and as own certificate. The portal certificate should be shown in the certificate list and in the access control list.
If you imported the portal certificate using client 000, you should now log on to the client you want to implement Single Sign-On for and check whether the portal certificate has already been added to the access control list there. If it has not, select it from the certificate list by double-clicking it and add it to the ACL again. Save your settings.
If you want to use a connector connection between your portal and your backend system, you now have to export the backend system certificate and import it into the Ticket Key Store of your portal system. If you only plan to use Internet Transaction Server and Web Application Server connections, this is not necessary.
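Before handing the exported file to STRUSTSSO2 it is worth checking that it really is a Base64 X.509 export, that the subject CN carries the portal system ID you will type into the ACL entry (together with client 000), and that it has not expired. The script below is an added example, not part of the original guide and not SAP code: it creates a throwaway self-signed keypair with openssl to stand in for the portal's SAPLogonTicketKeypair (the subject DN layout CN=SID, OU=J2EE, O=SAP Trust Community, C=DE is an assumption) and then runs those checks over the exported file. Run it with the argument demo to see the output.

```shell
#!/bin/sh
# Added example (not from the original guide): build a stand-in for the
# portal's SAPLogonTicketKeypair and check its Base64 X.509 export before
# importing it with STRUSTSSO2.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_portal_keypair SID: constructed sample keypair, not a real portal key.
# The subject DN layout is an assumption about what the portal issues.
make_portal_keypair() {
  sid="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/$sid.key" -out "$WORK/$sid-cert.pem" \
    -subj "/CN=$sid/OU=J2EE/O=SAP Trust Community/C=DE" >/dev/null 2>&1
  echo "$WORK/$sid-cert.pem"
}

# is_base64_x509 FILE: true only for a PEM (Base64 X.509) export, the format
# the guide tells you to choose in NWA. A binary DER export is rejected.
is_base64_x509() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
  grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null &&
  openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# cert_cn FILE: subject CN, which for a logon-ticket certificate is the
# system ID that has to match the ACL entry in STRUSTSSO2.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline |
    sed -n 's/^ *CN=//p' | head -n 1
}

# cert_fingerprint FILE: SHA-256 fingerprint to compare with what the
# backend shows after the import.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_export FILE SID: returns 0 when FILE is a PEM export whose CN equals
# SID and which is still valid; otherwise prints the reason and returns 1.
check_export() {
  f="$1"; sid="$2"
  is_base64_x509 "$f" || { echo "REJECT: $f is not a Base64 X.509 export"; return 1; }
  cn="$(cert_cn "$f")"
  [ "$cn" = "$sid" ] || { echo "REJECT: CN '$cn' does not match system ID '$sid'"; return 1; }
  openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "REJECT: certificate has expired"; return 1; }
  echo "OK: add ACL entry system '$sid', client 000 (fingerprint $(cert_fingerprint "$f"))"
}

if [ "${1:-}" = "demo" ]; then
  pem="$(make_portal_keypair SP1)"
  check_export "$pem" SP1          # accepted
  check_export "$pem" XY9 || true  # wrong system ID in the ACL entry
  openssl x509 -in "$pem" -outform DER -out "$WORK/SP1.der"
  check_export "$WORK/SP1.der" SP1 || true   # wrong export format
fi
```

The same three checks apply in the other direction when you export the backend certificate for a connector connection: a DER file or a mismatched system ID is the usual reason the ticket is rejected even though the import itself seemed to succeed.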
When Single Sign-On fails you can get detailed error information by calling transaction SM50. There you have to raise the trace level and then reproduce the error.
Setting the trace level:
Select all DIA processes shown and press Ctrl + Shift + F7.
In the popup that opens, check Security and set the trace level to 2.
If the operation was successful, the DIA processes should now be highlighted in yellow.
After you have reproduced the error you should reset the trace level of the DIA processes to the default level.
Now you have to check the DIA processes one by one and press Ctrl + Shift + F8; this is the only way to find the DIA process that was responsible for the request you sent from the portal system.