Creating a Trusted Relationship with Enterprise Search

To perform a search with the identity (and therefore the access rights) of the user who has logged on to the Search UI, a trusted relationship must exist between SAP NetWeaver Enterprise Search, which issues the logon tickets, and the Application Server Java of the search provider (the back-end system), which must accept them. The back end only accepts tickets whose issuer certificate it holds in its TicketKeystore and whose issuer is listed in the access control list of its ticket login module.

Procedure

Exporting the Key Certificate from SAP NetWeaver Enterprise Search

You must work through the following steps in the SAP system for SAP NetWeaver Enterprise Search:

  1. Run transaction STRUSTSSO2. You need authorization for client 000 to do this.

  2. In the left tree view, navigate to the system on which SAP NetWeaver Enterprise Search is installed and double-click the entry.

  3. In the upper area, Own Certificate, double-click the entry in the Owner field.

  4. Choose Certificate > Export and export the SAP certificate, specifying the name LogonTicketKeypair_Cert, to a location that can be reached from the back-end system.

Importing the Key Certificate To the Application Server Java of the Back-End System

You must work through the following steps on the Application Server Java for the back-end system.

  1. Log on to Visual Administrator as a user with administrator authorization.

  2. Navigate to Cluster > Server > Services > Key Storage.

  3. Import the key certificate from SAP NetWeaver Enterprise Search as follows:

    1. Use the key storage service on the accepting server to choose the TicketKeystore view.

    2. Choose Load.

    3. Select the file on the file system and choose OK.

      The certificate is stored in the selected view as an entry of type CERTIFICATE.

      Caution

      If the ticket issuer's certificate is not self-signed but was issued by a certification authority (CA), that is, the issuer DN of the certificate differs from the subject DN of the ticket issuer, then you must also import the CA's certificate into the TicketKeystore view. Otherwise the back end cannot build the chain to the issuer certificate and rejects the tickets.

      End of the caution.
  4. Note the distinguished name of the certificate's subject, the ticket issuer ([DN]), and the distinguished name of its issuer ([IssuerDN]). For a self-signed certificate the two are identical. You need both distinguished names for the entries in the access control list (ACL) in the next step.

  5. Maintain the access control list for logon tickets in the options of the EvaluateTicketLoginModule login module (or EvaluateAssertionTicketLoginModule):

    1. Use the security provider service to choose User Management.

    2. Choose Manage Security Stores.

    3. Make sure that UME User Store is selected as the repository.

    4. Choose the EvaluateTicketLoginModule entry (or EvaluateAssertionTicketLoginModule) and choose View/Change Properties.

    5. In Options, create the following entries for the ticket-issuing server from which the Application Server Java is to accept logon tickets. <x> is a sequence number; use the same number for the three entries that belong to one issuer:

      Name                        Value

      trustedsys<x>               <SAP NetWeaver Enterprise Search system ID>,000
                                  (system ID and client of the ticket issuer)

      trustediss<x>               <Distinguished_Name_of_Issuer>
                                  (the SAP NetWeaver Enterprise Search issuer DN that you noted earlier)

      trusteddn<x>                <Distinguished_Name_of_System>
                                  (the SAP NetWeaver Enterprise Search DN that you noted earlier)

      ume.configuration.active    true

    Example

    trustedsys1: AXS,000

    trustediss1: OU=J2EE,CN=AXS

    trusteddn1: OU=J2EE,CN=AXS

    ume.configuration.active: true

    End of the example.
  6. Check the logon module stack for the ticket template (or other applications that use the EvaluateTicketLoginModule).

    In the security provider service, choose “Policy Configurations”.

    If the fully-qualified name of the login module, for example com.sap.security.core.server.jaas.EvaluateTicketLoginModule, appears in the stack, remove the login module and add it again so that it picks up the options from the repository. Place it at the top of the stack and specify the SUFFICIENT flag.

    Caution

    Changes to the login module options in the repository are inherited by every login module stack in which the login module is used.

    Alternatively, you can change the options directly in the login module stacks in the security settings. However, once you change the security settings of an application, changes made to the login module in the repository are no longer inherited by that application's security settings. You can recognize this state by the fully-qualified name of the login module appearing in the login module stack.

    End of the caution.
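Checking the distinguished names before you type them into the ACL, as an added example that is not SAP code: the Python script below reads the subject and issuer DN from the exported certificate in binary DER form and derives the trustedsys<x>, trustediss<x> and trusteddn<x> entries of step 5. It also detects the CA-issued case from the caution above (issuer DN differs from subject DN), in which the CA certificate must be loaded into the TicketKeystore view as well. The certificate it parses is constructed inline with a valid DER layout but a dummy key and signature, so the script runs offline; the names sample_cert and login_module_options, the system ID AXS and the DN values are illustrative, and a Base64 export from STRUSTSSO2 would have to be decoded to DER first.

```python
"""Read subject and issuer DN from a DER X.509 certificate and derive the
EvaluateTicketLoginModule options. Added example, not SAP code. It assumes the
exported certificate is binary DER (decode a Base64 export first)."""

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.11": "OU", "2.5.4.10": "O", "2.5.4.6": "C"}

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out

def _decode_oid(b):
    parts, val = [str(b[0] // 40), str(b[0] % 40)], 0
    for byte in b[1:]:                      # base-128, high bit = continuation
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def name_to_str(name_content):
    """X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) -> 'OU=J2EE,CN=AXS',
    RDNs in the order the certificate encodes them."""
    rdns = []
    for _, rdn_set in _children(name_content):
        for _, atv in _children(rdn_set):
            (_, oid), (_, value) = _children(atv)
            dotted = _decode_oid(oid)
            rdns.append(f"{OID_NAMES.get(dotted, dotted)}={value.decode('utf-8')}")
    return ",".join(rdns)

def cert_dns(der):
    """Return (subject_dn, issuer_dn) of a DER-encoded Certificate."""
    _, cert, _ = _read_tlv(der, 0)
    fields = _children(_children(cert)[0][1])   # TBSCertificate
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo...
    return name_to_str(fields[4][1]), name_to_str(fields[2][1])

def login_module_options(index, sid, der, client="000"):
    """Build the trusted*<index> options for one ticket issuer. The second
    return value is True for a CA-issued certificate (issuer DN != subject DN):
    then the CA certificate must also be loaded into the TicketKeystore view."""
    subject, issuer = cert_dns(der)
    opts = {f"trustedsys{index}": f"{sid},{client}", f"trustediss{index}": issuer,
            f"trusteddn{index}": subject, "ume.configuration.active": "true"}
    return opts, subject != issuer

# --- constructed sample input: minimal DER encoder for a certificate skeleton ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)

def _name(pairs):
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _oid(o) + _tlv(0x0C, v.encode()))) for o, v in pairs))

def sample_cert(subject, issuer):
    """Valid DER layout with a dummy key and signature: exercises the DN parsing
    only, it is not a usable certificate."""
    alg = _tlv(0x30, _oid("1.2.840.113549.1.1.11") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer) + validity + _name(subject) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    axs = [("2.5.4.11", "J2EE"), ("2.5.4.3", "AXS")]   # self-signed issuer, as in the example above
    opts, ca_required = login_module_options(1, "AXS", sample_cert(axs, axs))
    print("\n".join(f"{k}: {v}" for k, v in opts.items()), "| CA cert needed:", ca_required)
```

To use it on a real export, replace the sample_cert(...) call with open("LogonTicketKeypair_Cert", "rb").read(). Enter the DN strings exactly as the Key Storage view displays them: the script prints the RDNs in the order the certificate encodes them, so if the view shows them in reverse order, use the view's form. The trustediss<x> and trusteddn<x> values are compared against the certificate, so a character-level mismatch means tickets from that issuer are not accepted.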