
How-To

Guide

Importing a Portal Public Key into an ECC client


Shows how to import Portal Public Key Certificates and grant single sign-on access to ECC clients using the imported key certificate.

Wolfgang Steinert, 8/21/2008

Table of Contents
Synopsis
Scope & Related Documents
    Intended Audiences
    Assumptions
    Scope exclusions
    Related Documents
Implementation
Execution
    Extracting the Key
    Importing the Public Key
Appendix

Synopsis
Icons used in this document: Caution, Example, Note, Recommendation, Syntax.

Scope & Related Documents


This How-To document describes the procedure required to load an SAP Enterprise Portal public key certificate into an ECC client. This public key is used to verify SSO tickets presented to the ECC client in lieu of a user name and password for users to gain access. The procedure takes into account common practices, SAP Best Practices, SAP requirements and Notes. This document records common procedures to simplify implementations of Portal requirements and acts as a source of reference for this and future implementations or developments.

Intended Audiences
This document is intended for SAP BASIS administrators and related support groups. It does not provide assistance to inexperienced personnel.

Assumptions
This document is based on the following assumptions:

- The user has administrative access to the instance clients, including client 000.
- SSO between the SAP EP and ECC is to be implemented.
- The user is able to initiate operating system calls.

Scope exclusions
This document does not cover all procedures required to implement SSO.

Related Documents
How-To... Generate a Portal Public Key Certificate.doc

Implementation
The SAP Portal public key certificate is required to enable single sign-on using SAP logon tickets. The key is used to verify a logon ticket that is presented to an ECC client for logon in lieu of the user name and password a user normally has to provide. The public key is generated by the portal, stored in a security certificate and imported into the SAP R/3 client by means of transaction STRUSTSSO2. After a successful import the user may be signed on to the SAP client without providing a user name and password. Instead, a signed SAP logon ticket is presented and verified against the public key, and if it is valid the user is logged on. This document shows how to correctly import the key and prepare the client(s) to accept user logon.

Execution
Before the portal key security certificate can be imported, it must be extracted from the compressed ZIP file. Once extracted the portal key security certificate must be imported into the client 000 of the instance where it is to be used. This ensures the certificate can be used in all clients that may exist in the instance. Single sign on access to an ECC client using the logon ticket is granted through the ACL of each client and is client specific. For this reason the certificate is then loaded from the certificate list of the instance and added to the ACL of the selected client.

Extracting the Key


1. Open the file verify.der.zip with a decompression tool (e.g. WinZip).

2. Extract the file verify.der contained in the archive. You have now extracted and stored the portal key certificate.
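A check worth running on the extracted file before it is trusted for SSO, shown as an added example that is not part of the original guide: it reads verify.der from the archive, confirms it is a single DER-encoded object, and compares its SHA-256 fingerprint with a value obtained from the portal administrator out of band. The function names, the out-of-band workflow and the sample bytes are assumptions made for illustration; the sample is constructed and is not a real certificate.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed sample: SEQUENCE { INTEGER 5 }. Valid DER framing, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


def der_outer_length_ok(der: bytes) -> bool:
    """True if the blob is exactly one DER SEQUENCE whose length field matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form length
        header, body = 2, first
    else:                                  # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)


def fingerprint_from_zip(zip_bytes: bytes, member: str = "verify.der") -> str:
    """Read the certificate from the archive in memory; return its SHA-256 hex digest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if zf.namelist() != [member]:
            raise ValueError(f"unexpected archive contents: {zf.namelist()}")
        der = zf.read(member)
    if not der_outer_length_ok(der):
        raise ValueError("not a single DER object (PEM text or truncated file?)")
    return hashlib.sha256(der).hexdigest()


def matches_expected(zip_bytes: bytes, expected_hex: str) -> bool:
    """Compare against a fingerprint received out of band (assumed workflow)."""
    cleaned = expected_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint_from_zip(zip_bytes), cleaned)


def build_sample_zip(der: bytes, name: str = "verify.der") -> bytes:
    """Build a stand-in for verify.der.zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, der)
    return buf.getvalue()
```

For a real archive, pass `open("verify.der.zip", "rb").read()` as `zip_bytes`; a mismatch or a `ValueError` means the file should not be imported until the discrepancy is explained.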

Importing the Public Key


To import the public key, you must log on to the ECC client 000 of the instance you want to import the key into.

1. Log on to the SAP instance, selecting client 000 of the instance where you want to install the key.

2. Execute the transaction strustsso2.

3. Open the menu System PSE in the left window and select the SAP system found there.

4. To import the certificate verify.der, click on the import button under the section Certificate.

In the popup window, find the file verify.der.

Select the file by clicking the drop-down button File Path and selecting the file. Then click on the green check button to import the certificate. The details of the public key certificate will appear in the section Certificate, as shown in the next step.

5. To add the certificate to the certificate list, click on the button Add to Certificate List.

The certificate will be added to the certificate list.

In our example we have two certificates, one from the instance LPD and one from the instance LXD.

6. When you leave the transaction, you will be prompted to save your certificate.

Click on the Yes button to save the certificate.

7. Now log off client 000. At this point we have only imported the certificate. We have not yet granted single sign-on access to any client.

8. Log on to the client to which you want to provide single sign-on using the key certificate. In our example we will be providing single sign-on to client 200 using the key certificate we have just imported.

9. Run transaction strustsso2.

10. Access to the client is granted through the ACL (access control list). You will therefore first need to select the certificate from the certificate list by double-clicking on it.

11. The selected certificate will appear in the section Certificate.

12. Now click on the button Add to ACL.

13. In the popup window, enter the details of the system the ticket comes from.

This includes the SYSTEM ID (the Workplace system ID) and the CLIENT (the Workplace client ID).

In our example the selected key certificate was issued by the workplace system LPQ (a J2EE system). Since this comes from the J2EE Instance the client number is usually (by default) client 000. You should verify the source client number of the J2EE instance by using the Visual Administrator and navigating to the services tree. Once there, select the service UME Provider and check the entry login.ticket_client. Whatever this client number is, this is the one you need to use as the entry in the Workplace client ID as seen in the following diagram.

14. Once you have entered all the details, click on the green check button.

15. The certificate will now have been added to the ACL, as shown in the following diagram.

16. Again, save the changes. You will be prompted to save the changes once you leave the transaction.

Click on the Yes button to save your changes.

We have now allowed for single sign on access from system LPQ client 000 to client 200 of the instance we have imported the key into.

Though we have loaded the public keys of instances LPD and LXD as well (see pt. 1 in the above diagram), we have not granted single sign-on access from these instances to our client 200. Only the certificate from instance LPQ provides SSO access to our system client 200 (see pt. 2 in the above diagram).

You will need to repeat steps 8 to 16 of the procedure Importing the Public Key for every client you want to provide single sign-on access to. Of course, you can repeat the procedure for all public keys if so required.

Appendix
