Obtaining a Server Certificate from SAP Trust Center
By default, the Portal Server generates a self-signed certificate and uses it to digitally sign SAP logon tickets. To obtain a certificate signed by the SAP Trust Center, which the Portal Server then uses to digitally sign SAP logon tickets and requests for client certificates, you must generate a certificate request and send it to the SAP Trust Center. You then import the corresponding response into the Portal Server’s keystore as described below.
This step also registers the Portal Server with the SAP Trust Center, so that the Trust Center accepts requests for client certificates generated by portal users.
You must provide a unique distinguished name for the Portal Server by modifying the property login.ticket_dn in the usermanagement.properties file. For example:
login.ticket_dn = CN=EP5, OU=myCompany, O=SAP Trust Community Portals, C=DE

The SAP Trust Center only accepts certificate requests from Portal Servers with a distinguished name that adheres to the following syntax:
CN=<SID>, OU=<CompanyName>, O=SAP Trust Community Portals, C=DE
<SID> must contain a 3-character system ID, for example EP5. We recommend that you use the same system ID that you enter in the ACL list of R/3 systems (the default value is ‘WP3’; you can change it by defining the property login.ticket_issuer in usermanagement.properties).

Note that the distinguished name of the Portal Server must be unique. Therefore, if necessary, include an additional organizational unit (OU) to make it unique. For example:
CN=EP5, OU=myDepartment, OU=myCompany, O=SAP Trust Community Portals, C=DE
After changing this value, delete the files ticketKeyStore and verify.* in <servlet_engine>\irj\WEB-INF\plugins\portal\services\usermanagement\data and restart the Java servlet engine.
When the Java servlet engine is restarted, it generates new verify.* and ticketKeyStore files.
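A pre-flight check of login.ticket_dn against the syntax the SAP Trust Center accepts, as an added example that is not part of the original documentation or SAP's own code. The function names and the sample file content are hypothetical; it assumes key = value lines, values without escaped commas, and that additional OU components sit between CN and O as in the example above.

```python
REQUIRED_O = "SAP Trust Community Portals"
REQUIRED_C = "DE"

# Constructed sample input; the DN is the example given in the text above.
SAMPLE = """\
# usermanagement.properties (excerpt)
login.ticket_dn = CN=EP5, OU=myDepartment, OU=myCompany, O=SAP Trust Community Portals, C=DE
"""

def read_ticket_dn(properties_text):
    """Return the login.ticket_dn value from the properties text, or None."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "login.ticket_dn":
            return value.strip()
    return None

def check_ticket_dn(dn):
    """Return a list of problems; an empty list means the DN fits the syntax."""
    if dn is None:
        return ["login.ticket_dn is not set"]
    rdns = []
    # Assumption: no escaped commas in values, so a plain split is enough.
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not value.strip():
            return [f"malformed component: {part.strip()!r}"]
        rdns.append((attr.strip().upper(), value.strip()))
    attrs = [attr for attr, _ in rdns]
    n_ou = attrs.count("OU")
    # Expected shape: CN, then one or more OU, then O, then C.
    if n_ou < 1 or attrs != ["CN"] + ["OU"] * n_ou + ["O", "C"]:
        return ["components must be CN, one or more OU, O, C, in that order"]
    problems = []
    if len(rdns[0][1]) != 3:
        problems.append(f"CN must be a 3-character system ID, got {rdns[0][1]!r}")
    if rdns[-2][1] != REQUIRED_O:
        problems.append(f"O must be {REQUIRED_O!r}")
    if rdns[-1][1] != REQUIRED_C:
        problems.append(f"C must be {REQUIRED_C!r}")
    return problems

if __name__ == "__main__":
    dn = read_ticket_dn(SAMPLE)
    print(dn, "->", check_ticket_dn(dn) or "OK")
```

Running the check before deleting ticketKeyStore and restarting the servlet engine catches a DN that the Trust Center would not accept before a new key pair is generated for it.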
1. Start the keystore manager.
The keystore manager is based on the master iView Administration.KeyStoreManager. If this iView is not already integrated in a role assigned to you, you can first assign it to a role.
2. Under File, choose the keystore into which you wish to import the certificate, enter the password for the keystore (if it requires one), and choose Load.
3. To initiate the certificate request, choose the PKCS#10 tab, and choose Create.
The system generates the information needed for the certificate request and displays it. The content of the request is generated as Base64-encoded text between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
4. Copy the certificate request's content to a customer message under the component BC-SEC.
5. The SAP Trust Center validates your information and sends you a response, which contains the Portal Server’s signed public-key certificate and the Trust Center’s root certificate.
After receiving a response:
1. Start the keystore manager as above.
2. Under File, choose the keystore into which you wish to import the certificate, enter the password for the keystore (if it requires one), and choose Load.

The default keystore is ticketKeyStore.
3. Choose the PKCS#10 tab.
4. Copy the information from the e-mail you received from the SAP Trust Center to the text area on the tab and choose Import.
The server certificate and the TCS root certificate are saved in the keystore that you chose in step 2.
NOTE: Alternatively, you can choose the Import tab and import the information as a file.
The Portal Server possesses a public-key certificate signed by the SAP Trust Center. It can use the corresponding private key to digitally sign SAP logon tickets for SSO in the Enterprise Portal.

You must configure the Portal Server and SAP component systems accordingly.
The Portal Server is registered with the SAP Trust Center. When the Trust Center now receives a request for a client certificate from the Portal Server, it can verify the digital signature of the Portal Server on the request.