
Configuring the System for Issuing Logon Tickets

Prerequisites

You must know whether the server should use a self-signed public-key certificate or a certificate signed by the SAP CA.

Procedure

       1.      If you use a certificate signed by the SAP CA, you need to obtain the certificate and import it into the server's Personal Security Environment (PSE) to use for Single Sign-On (the SSO PSE). For the SAP Web Application Server, the default SSO PSE is the system PSE.

Note

By default, the PSE used is the system PSE. If a different PSE is to be used, select it. A different PSE can be used in the following cases:

      If the system has been upgraded from a Release <= 4.6B, then the PSE used for logon tickets is the SAPSSO2 PSE.

      If you have defined an explicit PSE to use for logon tickets, then this PSE (as specified in the table SSFARGS) is used.

If you use a self-signed certificate, then the public-key certificate already exists.

For more information, see:

     Obtaining a Certificate Signed by the SAP CA

     Using a Self-Signed Certificate

       2.      Set the following profile parameters on the SAP Web Application Server:

Profile Parameters Used for Logon Tickets

Parameter: login/accept_sso2_ticket
Value: 1
Comment: Allows the server to accept an existing logon ticket.

Parameter: login/create_sso2_ticket
Value: 1 if the server's certificate is to be included in the logon ticket; 2 if the server's certificate is not to be included.
Comment: For best results, set this parameter to the value 1 if the server possesses a certificate signed by the SAP CA. Set it to the value 2 if the certificate is self-signed.

Parameter: login/ticket_expiration_time
Value: Desired value
Comment: Default = 60 hours

For more information, see the documentation provided for the profile parameters in transaction RZ11.

You can use the SSO administration wizard to view the current server's SSO configuration. (Execute the tool without specifying an RFC destination.)
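
To check a profile against step 2 outside the system, the sketch below parses profile text and compares the three parameters with the values in the table. It is an added example, not SAP code: the function names are hypothetical, and it assumes the profile is plain text with "name = value" lines and "#" comments.

```python
# Added example, not SAP code. Function names are hypothetical.
# Assumption: the profile is plain text with "name = value" lines and "#" comments.

# Recommended login/create_sso2_ticket value per certificate type (from the table above).
RECOMMENDED_CREATE = {"sap_ca": "1", "self_signed": "2"}
DEFAULT_EXPIRATION = "60"  # default for login/ticket_expiration_time, per the table

def parse_profile(text):
    """Return {parameter: value} from profile text, skipping blanks and comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def check_ticket_issuing(profile_text, cert_type):
    """Return (findings, expiration); no findings means the profile matches step 2."""
    if cert_type not in RECOMMENDED_CREATE:
        raise ValueError("cert_type must be 'sap_ca' or 'self_signed'")
    params = parse_profile(profile_text)
    findings = []
    accept = params.get("login/accept_sso2_ticket")
    if accept != "1":
        findings.append(f"login/accept_sso2_ticket is {accept!r}, expected '1'")
    create = params.get("login/create_sso2_ticket")
    want = RECOMMENDED_CREATE[cert_type]
    if create not in ("1", "2"):
        findings.append(f"login/create_sso2_ticket is {create!r}, expected '1' or '2'")
    elif create != want:
        findings.append(f"login/create_sso2_ticket is {create!r}, "
                        f"recommended value for a {cert_type} certificate is {want!r}")
    expiration = params.get("login/ticket_expiration_time", DEFAULT_EXPIRATION)
    return findings, expiration

# Constructed sample profile: a self-signed server configured with value 1.
SAMPLE = """\
# constructed sample, not a real system profile
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 1
"""

if __name__ == "__main__":
    findings, expiration = check_ticket_issuing(SAMPLE, "self_signed")
    for finding in findings:
        print("FINDING:", finding)
    print("login/ticket_expiration_time (effective):", expiration)
```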

Renewing the Server’s Certificate

You should replace the server’s SSO PSE before the public-key certificate expires. Otherwise users will not be able to receive a logon ticket and will not be able to use Single Sign-On. See Creating or Replacing a PSE.
