Changing from a Self-Signed Certificate to a Certificate Signed by the SAP CA

Use

Initially, you may want to use the self-signed certificate and change to a certificate signed by the SAP CA at a later date.

Caution

User authentication using logon tickets will not be available to accepting systems while you are switching from a self-signed certificate to a certificate signed by the SAP CA.

SSO is unavailable from the moment you save the new certificate on the issuing server until you have activated the server on all accepting systems.

Procedure

On the Issuing Server

  1. Obtain a public-key certificate signed by the SAP CA.
  2. Make sure the profile parameter login/create_sso2_ticket is set to the value 1.
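
An added example (not part of SAP's documentation): a Python check for step 2 on the issuing server that reads profile text and reports which value of login/create_sso2_ticket would take effect. It assumes that instance profile entries take precedence over DEFAULT.PFL and that a later duplicate entry in one file replaces an earlier one; the profile contents and function names are constructed for illustration.

```python
import re

# Constructed sample profiles (not taken from a real system).
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed sample)
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
"""

INSTANCE_PFL = """\
# Instance profile (constructed sample)
SAPSYSTEMNAME = ABC
#login/create_sso2_ticket = 0
login/create_sso2_ticket = 1
"""

# "name = value"; lines whose first non-blank character is '#' do not match.
_LINE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}. Assumption: a later duplicate replaces an earlier one."""
    params = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def effective_value(name, default_profile, instance_profile):
    """Return (value, source), checking the instance profile before DEFAULT.PFL."""
    for source, text in (("instance", instance_profile), ("default", default_profile)):
        params = parse_profile(text)
        if name in params:
            return params[name], source
    # Set in neither file: the system's built-in default applies, unknown here.
    return None, "kernel default"


def issuing_server_ready(default_profile, instance_profile):
    """True only if the effective login/create_sso2_ticket value is 1, as step 2 requires."""
    value, source = effective_value(
        "login/create_sso2_ticket", default_profile, instance_profile
    )
    return value == "1", value, source
```

A file-based check only shows what the profiles request; confirm the value in the running system before saving the new certificate.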

On Accepting Systems

  1. Execute the SSO administration wizard (transaction SSO2) using the issuing server as the RFC destination.
  2. The SSO administration report displays the current SSO status.

  3. Delete the former public-key certificate from the accepting system's certificate list by choosing Edit → Remove Certificate List.
  4. Activate the issuing server by choosing Edit → Activate Workplace.

The SSO administration report displays the status for the new SSO environment.

See also Configuring the System for Accepting Logon Tickets.

Result

The system now uses the key pair and public-key certificate signed by the SAP CA for digitally signing logon tickets. The accepting systems can also accept the logon tickets and verify the new digital signature.

 
