Exporting and Importing BW Certificates

Use

The BW certificate must be generated in and exported from the BW system so it can subsequently be imported into the portal. The BW certificate is required on the portal so that portal content can be displayed in the BW system, such as the portal roles in BEx Web Application Designer.

Procedure

Exporting the BW Certificate

  1. Run transaction STRUSTSSO2 (Trust Manager for Single Sign-On with Logon Ticket).

  2. Choose your own certificate. This is located in the Own Certificate field under System PSE. To display the certificate, double-click the field value under Certificate.

    Note

    If you are unable to find one, generate a certificate by choosing Create in the context menu for System PSE, then choose PSE → Distribute All to distribute it to all BW system application servers. There may be a time delay when distributing the certificate. If necessary, check again whether the certificate has been successfully distributed.

  3. In the menu, choose Certificate → Export.

  4. Enter the file path <BW_SID>_certificate.crt (<BW_SID> is the system ID of the BW system).

  5. Choose Binary as the file format.

Check

You can view the <BW_SID>_certificate.crt file using Windows Explorer.

Importing the BW Certificate

To import the BW certificate to the Application Server Java, complete the following steps:

  1. Start SAP NetWeaver Administrator at http://<host>:<httpport>/nwa.

  2. Choose Configuration → Security → Certificates and Keys.

  3. Under Keystore Views, select the TicketKeystore view.

  4. Under Display Entries, choose Import Entry.

  5. Open the <BW_SID>_certificate.crt file.

Perform the following steps to ensure that the Application Server Java accepts the SAP Logon Tickets from the BW system as an external system:

  1. In the SAP NetWeaver Administrator, choose Configuration → Security → Authentication and Single Sign-On.

  2. On the Authentication tab page, choose ticket under Components.

  3. In the Details of policy configuration "ticket" on the Login Module Stack tab page, change the options for EvaluateTicketLoginModule and add the following values. You need the following values once for client 000 and once for client 00X (where X is the number of the client you define).

    • trustedsys<Number>=<BW_SID>, <BW_CLIENT> (for example BWP, 000)

    • trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example CN=BWP, OU=I0020114583, OU=SAP Web AS, O=SAP Trust Community, C=DE)

    • trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example CN=BWP, OU=I0020114583, OU=SAP Web AS, O=SAP Trust Community, C=DE)

    Note

    • <Number> is the same number for all three entries of one external system, but must be incremented by one for every external system.

    • <BW_SID> and <BW_CLIENT> are the system ID and the client of the BW system.

    • <ISSUER_DISTINGUISHED_NAME> and <SUBJECT_DISTINGUISHED_NAME> correspond to the Own Certificate value in Trust Manager for Single Sign-On with Logon Ticket (transaction STRUSTSSO2). The trustediss value corresponds to the Issuer value. The trusteddn value corresponds to the Owner value.

You also have to maintain the values under evaluate_assertion_ticket:

  1. On the Authentication tab page, choose evaluate_assertion_ticket under Components.

  2. In the Details of policy configuration "evaluate_assertion_ticket" on the Login Module Stack tab page, change the options for EvaluateAssertionTicketLoginModule and add the following values. You need the following values once for client 000 and once for client 00X (where X is the number of the client you define).

    • trustedsys<Number>=<BW_SID>, <BW_CLIENT> (for example BWP, 000)

    • trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example CN=BWP, OU=I0020114583, OU=SAP Web AS, O=SAP Trust Community, C=DE)

    • trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example CN=BWP, OU=I0020114583, OU=SAP Web AS, O=SAP Trust Community, C=DE)

    Note

    The values correspond to the values listed above under ticket.
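
The trustedsys, trustediss and trusteddn options described above for ticket and evaluate_assertion_ticket can be checked for completeness before they are entered. The following Python sketch is an added example, not SAP code: check_options and norm_dn are hypothetical helpers, client 001 stands in for 00X, and it assumes numbering starts at 1 and that the DNs contain no escaped commas.

```python
import re

# Option names are from the page; the helpers and the start-at-1 rule are assumptions.
KEYS = ("trustedsys", "trustediss", "trusteddn")
OPTION = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d+)$")

def norm_dn(dn):
    # Ignore spacing around ',' and '=' (assumes no escaped commas in the DN).
    pairs = (rdn.partition("=") for rdn in dn.split(","))
    return ",".join(f"{a.strip().upper()}={v.strip()}" for a, _, v in pairs)

def check_options(text, sid, clients, issuer_dn, owner_dn):
    """Return findings for one login module's trusted-system options."""
    groups, findings, seen = {}, [], set()
    for line in text.strip().splitlines():
        name, _, value = line.partition("=")
        m = OPTION.match(name.strip())
        if not m:
            findings.append(f"unrecognized option: {line.strip()}")
            continue
        groups.setdefault(int(m.group(2)), {})[m.group(1)] = value.strip()
    if sorted(groups) != list(range(1, len(groups) + 1)):
        findings.append(f"numbers not consecutive from 1: {sorted(groups)}")
    for n, opts in sorted(groups.items()):
        missing = [k for k in KEYS if k not in opts]
        if missing:
            findings.append(f"entry {n}: missing {', '.join(missing)}")
            continue
        system, _, client = (p.strip() for p in opts["trustedsys"].partition(","))
        if system != sid:
            continue  # entry belongs to another external system
        seen.add(client)
        for key, want, field in (("trustediss", issuer_dn, "Issuer"),
                                 ("trusteddn", owner_dn, "Owner")):
            if norm_dn(opts[key]) != norm_dn(want):
                findings.append(f"entry {n}: {key} differs from certificate {field}")
    findings += [f"no entry for {sid} client {c}" for c in clients if c not in seen]
    return findings

# Constructed sample: DN from the page's example; entry 2 has a typo in the issuer.
DN = "CN=BWP, OU=I0020114583, OU=SAP Web AS, O=SAP Trust Community, C=DE"
SAMPLE = """
trustedsys1=BWP, 000
trustediss1=CN=BWP,OU=I0020114583,OU=SAP Web AS,O=SAP Trust Community,C=DE
trusteddn1=CN=BWP,OU=I0020114583,OU=SAP Web AS,O=SAP Trust Community,C=DE
trustedsys2=BWP, 001
trustediss2=CN=BWP,OU=I0020114583,OU=SAPWeb AS,O=SAP Trust Community,C=DE
trusteddn2=CN=BWP,OU=I0020114583,OU=SAP Web AS,O=SAP Trust Community,C=DE
"""
print("\n".join(check_options(SAMPLE, "BWP", ["000", "001"], DN, DN)))
```

Run the same check against the options of both login modules, since the values under evaluate_assertion_ticket must correspond to those under ticket.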