Is a Trust-Center necessary for generating a new portal certificate?

Former Member
0 Kudos

Hi everyone,

The portal certificate of my test portal is expired. I can't use Single-Sign-On to SAP backends anymore. Do I have to generate a new CSR request and order a new certificate from a Trust Center, or can I generate a new certificate using the portal? It's for intranet purposes only and I have only two systems in my system landscape.

Regards,

Marc Dohrmann

Accepted Solutions (1)

Former Member
0 Kudos

Hello Marc,

You can generate the certificate from the portal itself; you don't require the trust center.

Below is the procedure:

Log on to the Visual Admin of Portal with administrator id and password. Go to the following node: Server 0 1_34158->services and then Key Storage.

In Key Storage, go to TicketKeyStorage. Here you will find the SAPLogonTicketKeypair certificates.

In the following screens, you will see SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert.

If you check the validity dates, you will find the certificates have expired.

First we will have to rename the expired SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert. Rename them as SAPLogonTicketKeypair1 and SAPLogonTicketKeypair-cert1.

Under Entry, choose Create.

The Key and Certificate Generation dialog appears.

Enter the Subject Properties in the corresponding fields:

CN=<Common Name>, OU=<Organization Unit Name>, O=<Organization Name>, L=<Locality Name>, ST=<State/Province>, C=DE. I have given the SID of the portal in CN.

Give the Entry name as SAPLogonTicketKeypair. Select Algorithm as DSA and then generate.

You will see that, along with SAPLogonTicketKeypair, SAPLogonTicketKeypair-cert will also get generated. The certificate validity will be the time you have given.

Now we will have to import this SAPLogonTicketKeypair-cert in the ABAP systems.

First we will have to download the certificate from the portal.

Now log on to the SAP NetWeaver Portal with user administrator.

Go to System Administration->System Configuration and then Keystore Administration.

In the Content tab you will find the list of certificates.

We have to download SAPLogonTicketKeypair-cert. Click on Download verify.der file to your desktop.

Now we have to import the certificate in ABAP system.

Log on to the ABAP system and use T-Code STRUSTSSO2.

Under Certificate, click on Import certificate.

Give the path of the verify.der file. The file format should be Binary.

And upload it.

I hope this helps.

Former Member
0 Kudos

Hello Rohit,

finally I could generate a valid ticket pair inside the portal. I had to activate the checkbox "Store certificate" in order to generate the ticket pair. Otherwise only SAPLogonTicketKeypair is generated.

After importing this certificate into the SAP backend (IDES) via transaction STRUSTSSO2 (client 000), the system tells me the certificate is valid to 17.03.2010. The certificate is inside the Certificate List and inside the Access Control List. But when I try to connect to the SAP system through a portal iView I get the message "Issuer of SSO ticket is not authorized".

The parameters "login/accept_sso2_ticket = 1" and "login/create_sso2_ticket = 1" are set correctly and transaction SSO2 reports no errors.

Regards,

Marc

Former Member
0 Kudos

Hello Marc,

Import the certificate in the working client through STRUSTSSO2.

After that, do Add to Certificate List and Add to ACL.

While doing Add to ACL, use CN=SID of portal and client 000,

and again do Add to ACL, and this time use CN=SID of ABAP system, and the client must be the working client.

This will solve your issue.

Rohit
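
An added example, not part of the thread or of SAP's tooling: a shell check to run on the downloaded verify.der before importing it in STRUSTSSO2. It confirms that the file parses as a DER certificate, that its subject CN is the portal SID used for the ACL entry, and that it is not about to expire. It assumes the openssl command-line tool is installed; the function names, the sample SID EP1 and the self-signed RSA test certificate are constructed for illustration (the portal-generated certificate in the thread is DSA).

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl command-line tool.

# Print the CN of a DER certificate's subject. The thread puts the portal SID
# in CN. Assumes the subject values contain no escaped commas.
cert_cn() {
    openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# check_ticket_cert FILE EXPECTED_SID [MIN_DAYS]
# Returns 0 if OK, 2 if unparsable, 3 on CN mismatch, 4 if expiring too soon.
check_ticket_cert() {
    file=$1; sid=$2; min_days=${3:-30}
    openssl x509 -inform DER -in "$file" -noout 2>/dev/null ||
        { echo "not a readable DER certificate: $file"; return 2; }
    cn=$(cert_cn "$file")
    [ "$cn" = "$sid" ] ||
        { echo "subject CN '$cn' differs from expected SID '$sid'"; return 3; }
    openssl x509 -inform DER -in "$file" -noout \
        -checkend $((min_days * 86400)) >/dev/null ||
        { echo "expires within $min_days days"; return 4; }
    echo "OK: CN=$cn, $(openssl x509 -inform DER -in "$file" -noout -enddate)"
}

# Constructed sample input: self-signed certificate with CN=EP1 (hypothetical
# SID), written as DER to $1 and valid for $2 days. RSA is used here only
# because it generates quickly.
make_sample_cert() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days "$2" \
        -subj "/C=DE/O=Example/OU=Test/CN=EP1" 2>/dev/null &&
        openssl x509 -in "$dir/cert.pem" -outform DER -out "$1"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage on a real download: check_ticket_cert ./verify.der <portal SID> 30
```
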

Former Member
0 Kudos

Hello Rohit,

Thank you very much, it works now.

Best Regards,

Marc