Skip to Content

There have been a significant change in how the shared secret is generated from version XI 3.1 to BI 4.0. In XI 3.1 the shared secret value was configured manually and the same key has to be entered in the TrustedPrincipal.conf file. However in BI 4.0/4.1, the shared secret key is generated internally and then the same is is passed in the TrustedPrincipal.conf file when you click Download Shared Secret.

Let me first bring out the diference between setting Trusted Authentication for XI 3.1 and BI 4.0 first.

To configure the server to use Trusted Authentication in XI 3.1

1. Log on to the Central Management Console with administrative rights.
2. Go to the Authentication management area of the CMC.
3. Click the Enterprise tab.
4. Enable Trusted Authentication.
5. Create a shared secret for your users
6. Create a file with name TrustedPrincipal.conf with the same shared secrect value set in the avoove step and place it at the following location
<BusinessObjects Installation Directory>/Business Objects/BusinessObjects Enterprise XI 12.0/win32_x86

So, in XI 3.1 we have the option to set our own shared secret.

Now Lets understand the work flow of BI 4.0
To configure the server to use Trusted Authentication in BI 4.0

1. Log on to the CMC with administrative rights.
2. Go to the Authentication management area.
3. Click the Enterprise option.
4. The “Enterprise” dialog-box opens.
5. Scroll down until you see “Trusted Authentication”.
a. Click Trusted Authentication is enabled.
b. Click New Shared Secret.
The following message is displayed:
Shared secret key is generated and ready for download
c. Click Download Shared Secret.
Note: The shared secret is used by the web server and the CMS to establish trust.
The “File Download” dialog opens.
d. Click “Save” and point to following directory to save the TrustedPrincipal.conf file:
<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win32_x86

In BI 4.0, the shared secrect is created internally and you do not have an option to manually enter a custom shared secret.

Lets suppose, you need to have a custom shared secret value which should be configured in CMC and the TrustedPrincipal.conf file in BI 4.0. How to do it?
It can be done using BusinessObjects Enterpripse Platform Java SDKs.

Here are the steps how to do it.
1. Run the sample below and set the value of the custom shared secret you would need.
2. Go to CMC/Authentication/Enterprise and download the shared secret.
Note: If you again click on New Shared Secret then it will override the custom shared secret created through the sample.
3. Click “Save” and point to following directory to save the TrustedPrincipal.conf file:
<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win32_x86

Below is the sample to set the custom shared secret value.

For more scripts and information on how to run these scripts refer to the blog avaiable here:

Below is the Java Server Pages (JSP) sample


•You would need to change the userName, password, cmsName and the shared secret to the values specific to your enterprise server in the provided sample code.

• The sample code is tested with BI 4.0 version of SAP BusinessObjects Platform

Set Shared Secret Value

<%@ page import = “com.crystaldecisions.sdk.plugin.authentication.enterprise.*”%>

<%@ page import = “com.crystaldecisions.sdk.framework.*” %>

<%@ page import = “com.crystaldecisions.sdk.occa.infostore.*” %>

<%@ page import = “java.util.*” %>


String CMS = “localhost:6400”;

String UserID = “Administrator”;

String Password = “Password1”;

ISessionMgr sm = CrystalEnterprise.getSessionMgr();

IEnterpriseSession es = sm.logon(UserID, Password, CMS, “secEnterprise”);

IInfoStore iStore = (IInfoStore)es.getService(“”,”InfoStore”);

IInfoObjects iObjects = (IInfoObjects)iStore.query(“Select * from ci_systemobjects where si_name=’secEnterprise'”);

IInfoObject iObject = (IInfoObject)iObjects.get(0);

IsecEnterprise secEntre = (IsecEnterprise)iObject;


secEntre.setSharedSecret(“Secure09”);//set the value of shared secret




To report this post you need to login first.


You must be Logged on to comment or reply to a post.

  1. Former Member

    Is it possible to have one Shared Secret per SIA in 4.X? The fact that the trustedprincipal.conf file goes into the ‘global’ folder seems to suggest that you can’t, but I am not sure I understand why it needs to go there – isn’t the shared secret stored in the CMS?

    1. Dell Stinnett-Christy

      No, the Shared Secret is global to the system.  Trustedprincipal.conf goes in the global folder on the server where the login will take place.  So, for example, if you have you’re own web application that uses the SDK and which runs on a web server that is not part of the CMS cluster, you have to put trustedprincipal.conf in the correct folder on that server in order for Trusted Authentication to work.  So, the file doesn’t necessarily get put on the server where BO is installed unless you’re doing trusted authentication from there.


      1. Former Member

        Thanks, Dell.

        That’s not exactly what I hoped to hear, but it is what I expected. Well, now I can convey that message with more confidence. 🙂


Leave a Reply