Exporting and Importing BW Certificates

Use

The BW certificate must be generated in and exported from the BW system so it can subsequently be imported into the portal. The BW certificate is required on the portal so that portal content can be displayed in the BW system, such as the portal roles in BEx Web Application Designer.

Procedure

Exporting the BW Certificate

Run transaction STRUSTSSO2 ( Trust Manager for Single Sign-On with Logon Ticket ).
Choose your own certificate. This is located in the Own Certificate field under System PSE .. To display the certificate, double-click the field value under Certificate .

Note

If you are unable to find one, generate a certificate by choosing Create in the context menu for system PSE and choose PSE Distribute All to distribute it to all BW system application servers. There may be a time delay when distributing the certificate. If necessary, check again whether the certificate has been successfully distributed.
In the menu, choose Certificate Export.
Enter the file path <BW_SID>_certificate.crt (<BW_SID> is the system ID of the BW system).
Choose Binary as the file format.

Check

You can view the <BW_SID>_certificate.crt file using Windows Explorer.

Importing the BW Certificate

To import the BW certificate to the Application Server Java, complete the following steps:

Start SAP NetWeaver Administrator at http://<host>:<httpport>/nwa .
Choose Configuration Security Certificates and Keys.
Under Keystore Views , select the TicketKeystore view.
Under Display Entries , choose Import Entry .
Open the <BW_SID>_certificate.crt file.

Perform the following steps to ensure that the Application Server Java accepts the SAP Logon Tickets from the BW system as an external system.

In the SAP NetWeaver Administrator, choose Configuration Security Authentication and Single Sign-On.
On the Authentication tab page, choose ticket under Components .
In the Details of policy configuration "ticket" on the Login Module Stack tab page, change the options for EvaluateTicketLoginModule and add the following values. You need the following values once for client 000 and once for client 00X (where X is the number of the client you define).
- trustedsys<Number>=<BW_SID>, <BW_CLIENT> (z.B. BWP , 000 )
- trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example CN= BWP , OU=I0020114583 , OU=SAPWeb AS , O=SAP Trust Community , C=DE )
- trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example CN= BWP , OU=I0020114583 , OU=SAP Web AS , O=SAP Trust Community , C=DE )
Note
- <Number> is a number for all three entries, but must be incremented by one for every external system.
- <BW_SID> and <BW_CLIENT> are the system ID and the client of the BW system.
- <ISSUER_DISTINGUISHED_NAME> and <SUBJECT_DISTINGUISHED_NAME> correspond to the Own Certificate value in transaction Trust-Manager for Single Sign-On with Logon Ticket (transaction STRUSTSSO2). The trustediss value corresponds to the Issuer value. The trusteddn value corresponds to the Owner value.

You also have to maintain the values under evaluate_assertion_ticket :

On the Authentication tab page, choose evaluate_assertion_ticket under Components .
In the Details of policy configuration "evaluate_assertion_ticket" on the Login Module Stack tab page, change the options for EvaluateAssertionTicketLoginModule and add the following values. You need the following values once for client 000 and once for client 00X (where X is the number of the client you define).
- trustedsys<Number>=<BW_SID>, <BW_CLIENT> (z.B. BWP , 000 )
- trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example CN= BWP , OU=I0020114583 , OU=SAPWeb AS , O=SAP Trust Community , C=DE )
- trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example CN= BWP , OU=I0020114583 , OU=SAPWeb AS , O=SAP Trust Community , C=DE )
Note

The values correspond to the values listed above under ticket .