Configuring the System for Issuing Logon Tickets (SAP Library - Technical Operations Manual for mySAP Technology)

Configuring the System for Issuing Logon Tickets

Prerequisites

You must know whether the server should use a self-signed public-key certificate or a certificate signed by the SAP CA.

Procedure

If you use a certificate signed by the SAP CA, you need to obtain the certificate and import it into the server's Personal Security Environment (PSE) to use for Single Sign-On (the SSO PSE). For the SAP Web Application Server, the SSO PSE is the system PSE.

If you use a self-signed certificate, then the public-key certificate already exists.

For more information, see:

Set the following profile parameters on the SAP Web Application Server:

Profile Parameters Used for Logon Tickets

Parameter	Value	Comment
login/accept_sso2_ticket	1	Allows the server to accept an existing logon ticket.
login/create_sso2_ticket	1: If the server's certificate is to be included in the logon ticket. 2: If the server's certificate is not to be included.	For best results, set this parameter to the value 1 if the server possesses a certificate signed by the SAP CA. Set it to the value 2 if the certificate is self-signed.
login/ticket_expiration_time	Desired value	Default = 60 hours

For more information, see the documentation provided for the profile parameters in transaction RZ11.

Note

You can use the SSO administration wizard to view the current server's SSO configuration. (Execute the tool without specifying an RFC destination.)