Process Overview

Pre-requisites:

1. Ensure that the following parameters are enabled on the SAP Entitlement system (BW System) (RZ11): login/accept_sso2_ticket=1 , login/create_sso2_ticket=2
2. Access to SAP Entitlement system (such as BW) either directly or through your SAP BASIS contact.
3. Get the SAP Entitlement system details (BW system) such as hostname, Instance number, Logical system name, Username and Password from customer/Basis to add it in BOBJ.

Perform the below steps to configure Security Token Service (STS):

1. Creating/Testing a connection to BW system from BI. 
2. Adding SAP Entitlement System (BW system) to BI.
3. Creating the certificates in the BI Platform to enable the trust between BI and BW system.

1. Creating/Testing a connection to BW system from BI Platform. 

Before configuring STS, we need to validate that an OLAP connection to a SAP Entitlement system works by providing credentials manually to rule out any non-STS/SSO related issues.

Login to BI system using below URL:
http://<hostname>:<port>/BOE/CMC
From CMC Home --> OLAP Connections --> Create/edit the connection --> provide SAP Entitlement system details --> connect.
When you click on "Connect" you're prompted for Username and Password of an SAP account that has access to the data in the SAP Entitlement system. Provide those credentials and click OK

The connection is successful if you are shown a list of cubes on the SAP Entitlement system. Click OK to exit this window.

2. Adding SAP Entitlement System (BW system) to BI.

Navigate to CMC Home --> Authentication --> SAP --> Add the SAP Entitlement system details (BW System) --> Update.

Import the roles in the Role tab which are given by customer or maintain the roles as per source system and update it.

Go to the User Update tab and update the user and groups.

We can validate the above settings by navigating to CMC Home --> User and Groups. The system details will be reflecting in the format of <SID>~<Client>@<Imported Role>.

3. Creating the certificates in the BI Platform to enable the trust between BI and BW system.

3.1 Creating certificates in BI system of Windows Server:

Login to the BI Target system and open command prompt and navigate to the folder where keytool is installed. 
Windows Default Directory  : <INSTALLDIR>\SAP BusinessObjects Enterprise XI4.0\win64_x64\sapjvm\bin

Linux Default Directory: <INSTALLDIR>/sap_bobj/enterprise_xi40/<UNIX-base>/sapjvm/bin
Ex: D:/Program Files (x86)/SAP BusinessObjects/SAP BusinessObjects Enterprise XI 4.0/win64_x64/sapjvm/bin

Execute the below commands to generate pkcs12 certificate. Replace the Alias name and password in the below commands. When the below command is finished, a new file is created in the SAPJVM bin directory called "keystore.p12"

keytool -genkey -alias <ALIAS> -keystore keystore.p12 -storepass <PASSWORD> -dname CN=<ALIAS> -validity 365 -keyalg DSA -keysize 1024 -storetype pkcs12

Execute the below commands to generate cert.der. When the command is finished, a new file is created in the SAPJVM bin directory called "cert.der".

keytool -exportcert -keystore keystore.p12 -storetype pkcs12 -file cert.der -alias <ALIAS>

Now upload the keystore.p12 file in BI launchpad and upload cert.der in BW system to establish trust.

Login to BW system --> enter Tcode STRUSTSSO2 --> Import the certificate.

Connect with BW team to do validation.

Conclusion

The above steps complete the STS configuration in BOBJ BI Launchpad. Please refer the below KBA for entire solution

2781286 - How To: Configure Security Token Service (STS) communication on BI 4.2, BI 4.3 and above