This document provides instructions for setting up single sign-on (SSO) certificates for portals and CRM systems which involves 4 steps: 1) Generate a new SAP logon ticket, 2) Setup SAP backend trust by importing the portal certificate, 3) Check that certificates are working properly, and 4) Perform connection tests. It requires R3 OS access, downtime to set a parameter, and an enterprise portal administrator user.

1. Setting up SSO certificate for Portals and CRM systems
1.Generate New SAP Logon Ticket...........................................................................2
2.Setup SAP Backend Trust.......................................................................................5
3.Checking Certificates are working OK...................................................................7
4.Connection Tests.....................................................................................................8

2. 1. Generate New SAP Logon Ticket
If this is being done after a SAP Backend Copy Back then the portals logon
ticket is still valid but the SAP Backend system doesn’t trust it so we can skip
this section and just go to Setup SAP Backend Trust.
Using the J2EE Administrator
Server 0 -> Services -> Keystorage
Select TicketKeyStore

3. Here we can see the current SAPLogonTickets which are no longer valid (this was after a
copy back from EPP to EPT see CN=EPP)
So we need to replace these with new certificates;
Rename the existing by selecting them and clicking on Rename, add _OLD to both to get;
Now click on CREATE and fill in as
Common Name EPT
Entry Name Name SAPLogonTicketKeyPair (Case sensitive very important)
Valid From Todays date and Time
Valid To Set year to 2010
Keylength Leave at 1024
Algorithm DSA
Store Certificate Ticked

4. Click on Generate
See the new entries for EPT and the expiry date.
Exit from J2EE Admin
Stop and start the Java Engines. (On all servers ie in cluster)

5. 2. Setup SAP Backend Trust
• Logon to the Portal as System Administrator.
• Navigate to
System Administration −> System Configuration −> Keystore Administration −>Content.
• Use Download verify.der file and save the file to an accessible location.
• Import the portal certificate into the SAP system/client
• Logon to the SAP System/Client using SAPgui
• Start transaction STRUSTSSO2
• Upload the Portal verify.der file by selecting the import icon.

6. Browse to the .certificate file
If it was created in previous section it will have to be unzipped
• Add the Certificate to the PSE (Cross Client) by selecting the
icon.
• Add the Certificate to the ACL (Client Dependent) by selecting the
• Input values for
WPS System : <SID>
WPS Client : 000
• Click
• Now Save your entries with the Save icon.

7. 3. Checking Certificates are working OK
In STRUSTSSO2 check all systems PSE appear with green tick ….
If a system does appear with a red error then perform actions, from menu PSE >
Check All
If this still is showing errors from menu execute PSE > Distribute All.
If this still appears with errors then you may need to stop and restart the backend
application instances to pick up the certificate.
• Exit the STRUSTSSO2 Transaction.

8. 4. Connection Tests
Rerun the Communication Test as detailed below >>>
If it is successful then you will get
Note some systems link back using more than 1 method.
5. Requirements:
In order to execute the above steps we would require the following:
1. R3 OS level access.
2. R3 system downtime to set parameter login/create_sso2_ticket = 2
3. Enterprise portal user who has administrator role as we need to get the
verify.der file from the R3 portal.