Show TOC

 Accepting Logon Tickets Issued by the AS JavaLocate this document in the navigation structure


To use Single Sign-On between the AS Java and an AS ABAP system with logon tickets issued by the AS Java, you configure the corresponding AS ABAP application server to accept logon tickets.

When your AS ABAP server is integrated in a System Landscape Directory you can configure the AS ABAP for accepting logon tickets from the Trusted Systems functions of the SAP NetWeaver Administrator.


The public-key certificate to use for verifying AS Java's digital signature is available as a file in the file system. It must exist either in base 64 or in DER format.

For more information, see Managing Entries.


In either case, the certificate must exist either in base 64 or in DER format.


The AS Java uses a self-signed public-key certificate for digitally signing logon tickets. It is located in the TicketKeystore entry in the AS Java Key Store. For more information, see Managing Entries .


On the AS ABAP application server:

  1. Set the profile parameter login/accept_sso2_ticket = 1.

    Set login/create_sso2_ticket = 1 if the server should also be able to issue tickets. (Use DEFAULT.PFL .)

  2. For Releases 4.0 and 4.5, also set the profile parameter SAPSECULIB to the location (path and file name) of the SAP Security Library (or SAP Cryptographic Library).
  3. Add the AS Java's public-key certificate to the corresponding certificate list.
    • For Releases >= 6.10, use the trust manager (transaction STRUST or STRUSTSSO2). Import the AS Java's public-key certificate into the PSE that is used for logon tickets. By default this is the System PSE.

      In the following cases a PSE other than the system PSE is used:

      • If the system has been upgraded from a Release <= 4.6B, then the PSE used for logon tickets is the SAPSSO2 PSE.
      • If you have defined an explicit PSE to use for logon tickets, then this PSE (as specified in the table SSFARGS) is used.
    • For Releases <= 4.6D, use the transaction PSEMAINT.
  4. Add the AS Java's information to the access control list:
  5. Enter the AS Java's system ID and Distinguished Name from the certificate found in the T icketKeystore entry. For the client, see Determining the Client to Use for the AS Java .
    • For Releases >= 6.10, use the transaction STRUSTSSO2.
    • For Releases <= 4.6D, use table maintenance (transaction SM30) to edit the table TWPSSO2ACL.