Jens Koster

Connect SAP HANA Cloud Platform to an on-premise SAP AS Java using SAP Assertion Tickets

This is the second of two blog posts describing how SAP Mobile Documents running on the HANA Cloud Platform (HCP) can be connected to an on-premise KM system using SAP Assertion Tickets. The trust settings, however, apply to any other application that you want to connect from HCP to an AS Java system.

0. Prerequisites

The SAP Assertion Ticket technology requires the user names to be identical for the HCP application and the AS Java System.

1. Set up trust with SAP Assertion Tickets

In the first part, I described how to connect SAP Mobile Documents on HCP to an on-premise KM (AS Java) using a service user connection.

In this second part, I describe how to use the same user in AS Java (KM) using the SAP Assertion Ticket technology.

For more information about AS Java and SAP Assertion Tickets see the official documentation.

To enable the trust, I created a signing certificate for the HCP destination in the AS Java, as there is no option in HCP to create one. To simplify the overall process, I created this certificate directly in the view LogonTicketKeypair. By doing so, you automatically have the certificate trust enabled.

2. Creating a Signing Certificate for the HCP Destination

In the AS Java system, go to the NetWeaver Administrator of your AS Java (https://<YourServerURL>:<Port>/nwa).

Search for Key

Click on Key Storage

Select View TicketKeystore

In the tab View Entries click Create

Enter the following values:

Choose a meaningful name for the HCP certificate

Select the algorithm DSA

Leave the Key Length and Validity (or change them according to your needs)

Select Store Certificate

Click Next


Enter the country name value (e.g. DE for Germany – this does not have a functional effect)

Enter the commonName for the HCP destination (e.g. HCP) – this will identify the HCP as a client.

Click Next


As I chose to create a self-signed certificate in this case, I skipped this screen. If you choose to have your certificate signed by some other certificate authority, you could select a signing key pair here.

Click Next


In the summary, just click Finish


The certificate and the private key are now available in the list (you can distinguish them by the description in column Entry Type).

3. Exporting the Certificate

You can now export the HCP certificate to put it into the trust ACL of the AS Java.

To do this, select the certificate entry (with postfix -cert) and click Export Entry


Choose the export format Base64 X.509

Click Download

Save the file on your hard drive.


In addition, export the HCP certificate including the private key (to import into the HCP destination later):

Select the HCP certificate (with Entry Type PRIVATE KEY)

Click Export Entry

Select PKCS#12 Key Pair as the export format

Provide a password to protect access to the export.

Click Generate

Click Download

Save the file on your hard disk.


4. Maintain Trusted Systems List of AS Java

To finalize the trust settings of the newly created certificate to the AS Java, you need to add it to the list of Trusted Systems.

Navigate to the NetWeaver Administrator – Configuration Management – Security Management – Trusted Systems (/nwa/trusted-systems)

In Trusted Systems view select Add Trusted System – By Uploading Certificate Manually


Enter a System ID for the HCP destination (e.g. HCP)

Enter 000 as the client

Upload the certificate file (not the one containing the private key) that you have exported before.

Click Next


Click Finish


Now you have done all the steps required to set the trust in the AS Java System.

You now need to enter the certificate and the private key into the HCP destination fields.

Before you can do this, you need to convert it to a .pem file.

5. Converting the HCP Certificate into the Correct Format for HCP

To convert the .p12 file to a PEM format that allows you to copy and paste the required information, I used an Open Source tool called OpenSSL.

It is available for different platforms. Just google for it and install it on your local machine.

Once installed, to make life easier, copy the .p12 file that you exported in one of the previous steps into the OpenSSL subfolder bin.


Open a Command Prompt Window and navigate into the bin subfolder of the OpenSSL installation.

I converted the .p12 file to a so-called .pem file using the following command (the file name of my file is HCPCert.p12):

openssl.exe pkcs12 -in HCPCert.p12 -out HCPCert.pem -nodes


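This will create a file called HCPCert.pem in the bin directory. Because of the -nodes option, the private key in this file is not encrypted, so keep the file out of shared folders and delete it, together with the copied .p12 file, when you no longer need it.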

You will need this file in the next configuration step.

6. Change the HCP Destination to use SAP Assertion Tickets

Navigate into the HCP Cockpit of your HCP account.

Navigate to Destinations on the left navigation menu

Open the destination that you created in the previous step (or create a new one)

Switch the Authentication to SAPAssertionSSO

Maintain the Issuer SID and Client (this needs to be the SID that you entered in the Trusted Systems list in chapter 4)

Maintain the Recipient SID and Client (you can also find this information on the Trusted Systems screen under Accepting System)

Open the .pem file (that you have generated in the previous step) with Wordpad.

It will look similar to this one here:


Now copy the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste it into the Certificate field of the HCP destination.

Copy the text between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- and paste it into the Signing Key field of the HCP destination.

Click Save.
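
The copy step above can also be done without an editor. The following Python code is an added example, not part of the original post or of any SAP tooling: it extracts the base64 text between the markers from the file written by the openssl command and skips the Bag Attributes lines that openssl puts in front of each block. The function names and the sample bundle are constructed for illustration.

```python
import re

# One PEM block: captures the label and the text between the marker lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
BASE64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def split_pem_bundle(text):
    """Return (certificates, private_keys) as lists of one-line base64 bodies."""
    certs, keys = [], []
    # Text outside the markers (the "Bag Attributes" lines) never matches.
    for label, body in PEM_BLOCK.findall(text):
        if label.startswith("ENCRYPTED"):
            raise ValueError("key is encrypted; expected an export made with -nodes")
        b64 = "".join(body.split())  # remove LF/CRLF line breaks
        if not BASE64.fullmatch(b64):
            raise ValueError(f"{label} block is not plain base64")
        if label == "CERTIFICATE":
            certs.append(b64)
        elif label.endswith("PRIVATE KEY"):
            keys.append(b64)
    return certs, keys

def destination_fields(text):
    """Map a bundle with exactly one certificate and one key to the two fields."""
    certs, keys = split_pem_bundle(text)
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError(f"expected 1 certificate and 1 key, got {len(certs)} and {len(keys)}")
    return {"Certificate": certs[0], "Signing Key": keys[0]}

# Constructed sample in the layout of `openssl pkcs12 -nodes` output.
# The base64 bodies are placeholders, not a real certificate or key.
SAMPLE = """Bag Attributes
    friendlyName: HCP
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQt
S0VZLUJPRFk=
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: HCP
subject=/C=DE/CN=HCP
issuer=/C=DE/CN=HCP
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQt
Q0VSVC1CT0RZ
-----END CERTIFICATE-----
"""
```

To use it on the real file, pass the contents of HCPCert.pem to destination_fields; a bundle that contains a certificate chain or no key is rejected instead of silently picking one block.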


Now you have done all required steps — Ufff! 🙂

To check if the SAP Mobile Documents Connection to KM is working, go to the Web UI of SAP Mobile Documents and click on Corporate.

If you now create a text file within the KM repository from Mobile Documents, you will see that it is now created with the user that is logged on to SAP Mobile Documents.

      Former Member

      Hi Jens,

      Thank you for sharing the document. I established the connection between Mobile Documents and the on-premise portal using basic authentication.

      I am not sure how I can establish SSO between the two, as in our cloud Mobile Documents the login ID is the email ID, but in the on-premise portal the login ID is a user ID. I did maintain the email ID in the Email field in the on-premise portal, though.

      I tried with SAP Assertion SSO but it did not work as the login IDs did not match. Any inputs?



      Jens Koster
      Blog Post Author

      Hi Radhika,

      this is also possible. The above description covers the configuration for SSO using SAP Assertion Tickets which require the same user ID in both HCP / IDP and the AS Java.

      In your described case with different User IDs, you can use the option Principal Propagation with short-lived client certificates in the SAP Cloud Connector.

      Kind regards,

      Former Member

      Hi Jens,

      I did set up the Principal Propagation, but I was still not able to view the KM folders in Mobile Documents, and it throws the error "access unauthorized". I have raised a high priority message with SAP for the same.



      Thomas Rauen

      Hi Radhika,

      have you already been able to set up the SSO scenario between Document Center and your on-premise system?
      I'm trying the same at the moment and would be thankful for any help.

      Best Regards


      Alexander Rieder

      Hi Thomas,

      yes we have been able to get this to work. Do you face some problems?

      Best regards


      Thomas Rauen

      Hi Alex,
      thanks for your reply.

      I face the same problem which Radhika had.

      We have different Login-IDs in our Docs Center and on our AS Java.
      I've tried to set up the scenario which Jens Koster described in this blog, with test users on our AS Java who have a Login-ID identical to that of our Docs Center users, but didn't get it to run.

      Best Case for me would be to get a SSO with the different Login-IDs on both sides like:
      Doc Center User P0000XY

      AS Java User : MYUSER
      Regards Thomas

      Alexander Rieder

      Hi Thomas,

      in that case Assertion Tickets are not going to work, as they rely on the same login IDs. In that case you have to use Client Certificates and a mapping on the NetWeaver side (assuming that some attribute is the same, e.g. email). We do not have a blog yet describing it in detail, but here is a short summary of what Radhika and myself did:

      Target: Configure a connection between Mobile Documents (Cloud) to KM on NetWeaver AS Java using Principal Propagation. In addition we need to configure a mapping in the NetWeaver as the userId which is sent from the cloud is the email address.


      - The cloud connector is configured for Principal Propagation using CA Certificate

      - The NetWeaver AS Java has a valid SSL configuration and is trusting the certificate used by the cloud connector

      - SAP Mobile Documents KM connector is deployed on the NetWeaver System

      - The cloud connector trusts the used SAP Cloud Identity Provider in Mobile Documents

      How To:

      1. Configure the ICM to trust the Cloud Connector and forward the header with the certificate to the NetWeaver, as described in the link below. We added the following two parameters to the instance profile of the ICM: "icm/HTTPS/trust_client_with_subject" and "icm/HTTPS/trust_client_with_issuer". As values we use the subject and the issuer from the CA certificate which is used in the Cloud Connector. Details can be found here:

      2. Add the ClientCertificateLogin Module to the authentication stack of the CMIS endpoint in the NetWeaver. Open the NWA on the NetWeaver and go to Configuration --> Authentication and Single Sign-On: Authentication. Search for the Policy Configuration with Name: *cmis. Add the ClientCertLoginModule and configure the required mapping, see:

      In our case we used the following options: Rule1.AttributeName = CN, Rule1.UserMappingMode = Email, Rule1.getUserFrom = subjectName

      3. Create the System Mapping in the Cloud Connector. Here it's important to use the HTTPS port of the NetWeaver as well as X.509 Certificate in the Principal Type.

      4. Create the destination in the Cloud Cockpit and use Principal Propagation as Authentication.

      5. Create the repository in Mobile Documents.

      Thomas Rauen

      Hello Alex,
      what value do I have to enter for the login module option

      Rule1.getUserFrom =

      if I want to map the Logon ID of my Documents Center user?
      Best Regards