Show TOC

Setting Up Trust Using the SSO WizardLocate this document in the navigation structure


Content usage mode: remote role assignment, remote delta link, WSRP application sharing (SAP NetWeaver Portal only)

Applies to: producers, consumers

To facilitate the flow of data and authentication requests between portal systems and clients in a federated portal network, you have to establish trust between the portals. Trust between producer and consumer portals is established through the use of logon tickets. Logon tickets are digitally signed by the issuing server; and the accepting systems need the public key of the issuing server to verify this digital signature. For detailed information about the use of logon tickets for Single Sign-On in an SAP system environment, see Using Logon Tickets with AS Java .

Setting up trust is a one-time procedure. You can set up trust before, during, or after you create a federated portal network (FPN) connection between two portals:

  • To set up trust before creating an FPN connection, use the SSO wizard in SAP NetWeaver Administrator.

  • To set up trust while creating an FPN connection, use the FPN Connection wizard.

    For more information, see Creating FPN Connections .

  • To set up trust after you have created an FPN connection, you can use either the FPN Trust editor in the portal or the SSO wizard in SAP NetWeaver Administrator.

    For more information, see Setting Up Trust Using the FPN Trust Editor .

This topic describes how to use the SSO wizard in SAP NetWeaver Administrator to configure trust (exchanging a server certificate file) between the systems in a federated portal network.


Since the authentication mechanisms of different portal vendors are not compatible with one another, this procedure is not relevant to WSRP connections between an SAP NetWeaver Portal and a non-SAP portal.

Do You Need to Set Up One-Way or Two-Way Trust Between a Producer and a Consumer Portal?

Whether you need to configure trust between two portals in one direction only or in both directions depends how each portal is configured (as producer, consumer, or both) and the content usage mode you have implemented. In all cases, the producer portal must trust the consumer portal; therefore, exchanging the certificate file from the consumer to the producer is mandatory. The consumer portal needs to trust the producer portal only to support a particular use case with remote role assignment usage (see the following table). If each portal in a single FPN connection operates as both a producer of and a consumer for the other, then a two-way trust configuration is mandatory.

Ticket Exchange

Ticket-Issuer System

Ticket-Accepting System



Exchange #1



This certificate file exchange ensures that remote users on the portal consumer are recognized as authenticated users when they request content from the producer portal.

A system administrator on the consumer portal exports the certificate file and transfers it to a system administrator on the producer side. The system administrator on the producer side then imports the file using the SSO wizard in SAP NetWeaver Administrator.


Exchange #2



You only need to perform this certificate file exchange if you want remote role assignments to be automatically removed on relevant consumer portals when their respective roles are deleted on the producer portal.

A system administrator on the producer exports the server certificate file and transfers it to a system administrator on the consumer. The system administrator on the consumer then imports the file using the SSO wizard in SAP NetWeaver Administrator.


  • On the ticket-issuer system, you have access to the Key Storage application in SAP NetWeaver Administrator.

  • On the ticket-accepting system, you have access to SAP NetWeaver Administrator.

  • The server clocks of the two systems must be synchronized at all times.

    To compensate for clocks running at different speeds, the authentication mechanism of AS Java provides a maximum deviation of 3 minutes in either direction.


    The procedure for setting up trust (described below) does not fail if the clocks are not synchronized. Errors resulting from unsynchronized clocks only become evident at runtime during data flow when the producer (the ticket-accepting system) receives an invalid logon ticket from the consumer (the ticket-issuing system). For example, a user on the consumer portal would receive a runtime error when the client's browser requests the navigation structure and framework of a remote role from the producer portal.


The following procedure describes how to manually exchange certificate files between the producer and the consumer systems. If you are setting up the mandatory one-way trust configuration (Exchange #1 only), perform the procedure only once. If you are setting up the two-way trust configuration (Exchanges #1 and #2), perform the procedure twice by alternating the producer and consumer.

1. Exporting Certificate Key Files from the Ticket-Issuer System

  1. Open the SAP NetWeaver Administrator locally on the ticket-issuer system, or use a central SAP NetWeaver Administrator to connect to the local instance.


    To access SAP NetWeaver Administrator, add /nwa to the AS Java URL (for example: http://<hostname>:<port>/nwa ).

  2. In SAP NetWeaver Administrator, open the Key Storage application.


    To open the Key Storage application directly without having to browse to it through the navigation structure, add the quick-link /nwa/key-storage to the AS Java URL (for example: http://<hostname>:<port>/nwa/key-storage ).

  3. On the Content tab, select TicketKeystore from the available keystore views.

  4. Choose SAPLogonTicketKeypair-cert from the available view entries.

  5. Choose Export to File button.

  6. Choose Binary X.509 as the export format.


    This file format is equivalent to the verify.der/crt file used in previous releases of SAP NetWeaver, such as SAP NetWeaver 7.0. It can be uploaded to a ticket-accepting AS ABAP or AS Java server.

  7. Choose Download to export the file.

  8. Manually transfer the file to a system administrator working on the ticket-accepting system.

2. Importing Certificate Key Files to the Ticket-Accepting System

  1. Open the SSO wizard using the following URL: http://<host>:<port>/sso2


    Alternatively, you can access the wizard by logging on to SAP NetWeaver Administrator and navigating to the Trusted Systems area.

  2. In the wizard, choose Start of the navigation path Add Trusted System Next navigation step By Uploading Certificate Manually End of the navigation path.

  3. Enter the system ID and client ID of the ticket-issuer system:

    • System ID : The three-character ID defined during the installation of the system.

    • Client : The client ID, as specified in the login.ticket_client property of the UME Provider in the portal. For a Java stack, the default client ID is 000 ; however, in an Add-In installation, the client ID must be unique and therefore cannot be 000 . For more information, see Specifying the Client to Use for Logon Tickets .

  4. In the Certificate File field, browse to the location where you stored the portal certificate file obtained from the ticket-issuer system.

  5. Choose Next and then Finish .