How-To Guide
Importing a Portal Public Key into an ECC client
Shows how to import Portal Public Key Certificates and grant single sign on access to ECC clients using the imported key certificate.
© Wolfgang Steinert 8/21/2008
Table of Contents
Synopsis
Scope & Related Documents
    Intended Audiences
    Assumptions
    Scope exclusions
    Related Documents
Implementation
Execution
    Extracting the Key
    Importing the Public Key
Appendix
Synopsis
Icons used in this document: Caution, Example, Note, Recommendation, Syntax
Scope & Related Documents
This How-To document describes a procedure that is required to load a SAP Enterprise Portal public key certificate into an ECC client. This public key is used to verify SSO tickets presented to the ECC client in lieu of a user name and password for users to gain access.
The procedure takes into account common practices, SAP Best Practices, SAP requirements and Notes.
The purpose of this document is to document common procedures to simplify implementations of Portal requirements and to act as a source of reference for this and future implementations or developments.
Intended Audiences
This document is intended for SAP BASIS administrators and related support groups. It does not provide assistance to inexperienced personnel.
Assumptions
This document is based on the following assumptions:
• The user has administrative access to the instance clients including client 000.
• SSO between the SAP EP and ECC is to be implemented.
• The user is able to initiate operating system calls.
Scope exclusions
This document does not cover all procedures required to implement SSO.
Related Documents
• How-To... Generate a Portal Public Key Certificate.doc
Implementation
The SAP Portal public key certificate is required to enable single sign on using SAP logon tickets. The key is used to verify a logon ticket that is presented to an ECC client for logon in lieu of the user name and password a user normally has to provide.
The public key is generated by the portal, stored in a security certificate and imported into the SAP R/3 client by means of transaction STRUSTSSO2.
After a successful import, the user may be signed on to the SAP client without the need to provide a user name and password. Instead, a signed SAP logon ticket is presented and verified against the public key; if it is valid, the user is logged on.
This document shows how to correctly import the key and prepare the client(s) to accept user logon.
Execution
Before the portal key security certificate can be imported, it must be extracted from the compressed ZIP file. Once extracted, the portal key security certificate must be imported into the client 000 of the instance where it is to be used. This ensures the certificate can be used in all clients that may exist in the instance.
Single sign on access to an ECC client using the logon ticket is granted through the ACL of each client and is client specific. For this reason the certificate is then loaded from the certificate list of the instance and added to the ACL of the selected client.
You have now extracted and stored the portal key certificate.
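
Before the extracted file is imported, it is worth confirming that it is the certificate the portal produced, since the key it carries is what the ECC client uses to verify logon tickets. The following is an added example, not part of the original guide: it parses a DER certificate with the Python standard library only and returns its SHA-256 fingerprint, subject CN and validity; the sample bytes, the CN value LPQ and all function names are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

def read(buf, pos=0):
    """Decode one DER element: (tag, value, offset of the next element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits count the length bytes that follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read(value, pos)
        out.append((tag, val))
    return out

def when(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year (X.509 pivot at 50)
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def common_name(name):
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)[:2]
            if oid == b"\x55\x04\x03":  # OID 2.5.4.3, commonName
                return val.decode("utf-8", "replace")

def inspect(der, now):
    """Fields to compare with the portal administrator's values before import."""
    tag, cert, end = read(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER-encoded certificate")
    tbs = [e for e in children(children(cert)[0][1]) if e[0] != 0xA0]  # drop version
    start, stop = (when(*t) for t in children(tbs[3][1])[:2])
    return {"sha256": hashlib.sha256(der).hexdigest(), "subject_cn": common_name(tbs[4][1]),
            "self_issued": tbs[2][1] == tbs[4][1], "valid_now": start <= now <= stop, "not_after": stop}

# Constructed sample standing in for verify.der (empty key and signature, CN assumed).
def tlv(t, b): return bytes([t, len(b)]) + b  # short-form DER element
_n = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"LPQ"))))
_v = tlv(0x30, tlv(0x17, b"080821000000Z") + tlv(0x17, b"280821000000Z"))
_tbs = tlv(0xA0, tlv(2, b"\x02")) + tlv(2, b"\x01") + tlv(0x30, b"") + _n + _v + _n + tlv(0x30, b"")
SAMPLE_DER = tlv(0x30, tlv(0x30, _tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For the real file, call inspect(open("verify.der", "rb").read(), datetime.now(timezone.utc)) and compare the fingerprint with one obtained from the portal administrator through a separate channel.
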
1. Log on to the SAP instance, selecting client 000, where you want to install the key.
3. Open the menu “System PSE” in the left window and select the SAP system found there.
4. To import the certificate “verify.der”, click on the import button under the section “Certificate”. In the popup window, find the file “verify.der”: select the file by clicking the drop-down button “File Path” and selecting the file. Then click on the green check button to import the certificate.
The details of the public key certificate will appear in the section “Certificate”, as shown in the next step.
5. To add the certificate to the certificate list, click on the button “Add to Certificate List”.
The certificate will be added to the certificate list. In our example we have two certificates, one from the instance LPD and one from the instance LXD.
6. When you leave the transaction, you will be prompted to save your certificate.
Click on the “Yes” button to save the ticket.
7. Now log off client 000.
At this point we have only imported the certificate. We have not yet granted single sign on access to any client.
8. Log on to the client where you want to provide single sign on to using the key certificate.
In our example we will be providing single sign on to client 200 using the key certificate we have just imported.
11. The selected certificate will appear in the section “Certificate”.
12. Now click on the button “Add to ACL”.
13. In the popup window enter the details of the system where the ticket is from.
This includes the SYSTEM ID [1] and the CLIENT [2].
[1] Workplace system ID
[2] Workplace client ID
In our example the selected key certificate was issued by the workplace system LPQ (a J2EE system). Since this comes from the J2EE instance, the client number is usually (by default) client 000.
You should verify the source client number of the J2EE instance by using the Visual Administrator and navigating to the services tree. Once there, select the service “UME Provider” and check the entry “login.ticket_client”. Whatever this client number is, it is the one you need to use as the entry in the Workplace client ID, as seen in the following diagram.
14. Once you have entered all the details, click on the green check button.
15. The certificate will now have been added to the ACL as shown in the following diagram.
16. Again, save the changes. You will be prompted to save the changes once you leave the transaction. Click on the “Yes” button to save your changes.
We have now allowed single sign on access from system LPQ client 000 to client 200 of the instance we have imported the key into. Though we have loaded the public keys of instances LPD and LXD as well (see pt. 1 in the above diagram), we have not granted single sign on access of these instances to our client 200. Only the certificate from instance LPQ provides SSO access to our system client 200 (see pt. 2 in the above diagram).
You will need to repeat the procedure “Importing the Public Key” steps 8 to 16 for every client you want to provide single sign on access to. Of course you can repeat the procedure for all public keys if so required.
Appendix