Implementing SSO (R/3 / Enterprise portal)

Implementing Single Sign-On for Enterprise Portal and R/3 Backend

Procedure
Download public-key certificate of Portal Server

Use the Keystore Administration tool to download the verify.der file from the
portal.

Set profile parameters
On all of the component system's application servers:

1. Set the profile parameters login/accept_sso2_ticket = 1 and login/create_sso2_ticket = 0 in every instance profile.
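
An added example, not part of the original page: one way to confirm that every instance profile carries both settings before relying on SSO. The instance names and profile contents are constructed, and the parser assumes the usual "name = value" profile syntax with "#" comment lines.

```python
import re

# Values this page requires in every instance profile.
REQUIRED = {
    "login/accept_sso2_ticket": "1",
    "login/create_sso2_ticket": "0",
}

_ASSIGN = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} from profile text, skipping '#' comment lines."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            # Assumption: a later assignment overrides an earlier one.
            params[m.group(1)] = m.group(2)
    return params


def check_profiles(profiles):
    """profiles: {profile name: text}. Return sorted (profile, parameter, found)."""
    findings = []
    for name, text in profiles.items():
        params = parse_profile(text)
        for key, want in REQUIRED.items():
            got = params.get(key)  # None means the parameter is not set explicitly
            if got != want:
                findings.append((name, key, got))
    return sorted(findings, key=lambda f: (f[0], f[1]))


# Constructed sample profiles (hypothetical instance names, not from the page).
SAMPLE = {
    "PRD_DVEBMGS00_host1": "login/accept_sso2_ticket = 1\nlogin/create_sso2_ticket = 0\n",
    "PRD_D01_host2": "# SSO\nlogin/accept_sso2_ticket = 1\nlogin/create_sso2_ticket = 2\n",
    "PRD_D02_host3": "#login/accept_sso2_ticket = 1\nlogin/create_sso2_ticket = 0\n",
}

if __name__ == "__main__":
    for profile, key, found in check_profiles(SAMPLE):
        print(f"{profile}: {key} is {found!r}, expected {REQUIRED[key]!r}")
```

A parameter that is only present in a commented-out line is reported as not set, because the page asks for an explicit value in every instance profile.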

Import public-key certificate of Portal Server to component system's certificate list and
add Portal Server to ACL of component system

Both of these steps can be performed with transaction STRUSTSSO2, which is an extended
version of transaction STRUST. For detailed documentation on transaction STRUST, see the
Web Application Server documentation under Security > Trust Manager.
In the SAP System, start transaction STRUSTSSO2.

A screen with the following layout appears:
The PSE status frame on the left displays the PSEs that are defined for the system.

The PSE maintenance section on the top right displays the PSE information for the
PSE selected in the PSE status frame.

Below that, the certificate section displays certificate information for a certificate that
you have selected or imported.

The Single Sign-On ACL section on the bottom right displays the entries in the ACL of
the system.

Note that the layout of the transaction will vary slightly, depending on the
release of the SAP System.

  1. In the PSE status frame on the left, choose the system PSE.
  2. In the certificate section, choose Import Certificate.

The Import Certificate screen appears.

  1. Choose the File tab.
  2. In the File path field, enter the path of the portal’s verify.der file.
  3. Set the file format to DER coded and confirm.
  4. In the Trust Manager, choose Add to PSE.
  5. Choose Add to ACL, to add the Portal Server to the ACL list.
  6. In the dialog box that appears, enter the portal’s system ID and client. By default, the portal’s system ID is the common name (CN) of the Distinguished Name entered during installation of the portal. The default client is 000.

If necessary, you can change these default values by changing the properties login.ticket_issuer and login.ticket_client, respectively, in the user management properties.

The other values are taken from the certificate.

  1. Save your entry.
  2. Do not forget to set profile parameters and ITS service parameters as described in Configuring SAP Systems to Accept and Verify SAP Logon Tickets.

Result

The SAP component systems are able to accept SAP logon tickets and verify the Portal
Server's digital signature when they receive a logon ticket from a user.

Importing Portal Certificate into SAP System

Prerequisites
You have downloaded the public-key certificate of the portal server (verify.pse file). Use
the Keystore Administration tool for this.

Procedure

  1. In the component system, start transaction STRUST.

The following screen appears.

This screen displays a list of the certificates contained in the PSE of the component system.

  1. In the certificate group box, choose Import Certificate.

The Import Certificate screen appears.

  1. Choose the File tab.
  2. In the File path field, enter the path of the portal’s verify.der file.
  3. Set the file format to DER coded and confirm.
  4. In the Trust Manager, choose Add to PSE.
  5. Save the new certificate list.

The new certificate list is automatically replicated to all application servers in the
system. You do not have to import the portal certificate onto each application
server separately.
