Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 

Different BI platform client and back-end services interact with NetWeaver ABAP back-end systems in an integrated environment. It is useful to set up single sign-on from BI platform to these (typically BW) back-end systems. After an ABAP system is configured as an external authentication system, proprietary SAP tokens are used

to provide a mechanism that supports single sign-on for all BI platform clients and services connecting to NetWeaver ABAP systems.

To enable single sign-on to the SAP system, you need to create a keystore file and a corresponding certificate. Use the keytool command line program to generate the file and the certificate. By default the keytool program is installed in the sdk/bin directory for each platform. The certificate needs to be added to your SAP ABAP BW system, and BI platform using the CMC.

In the first milestone, the SAP authentication is completed and the SAP users imported will be able to login to BI system using the SAP authentication method.

In the following section, we will cover the steps to generate the keystore file and certificate required to setup SSO between the BI platform and a SAP BW system.

In the below example the keystore file name is keystore.p12 and the certificate file name is cert.der. The keystore file keystore.p12 has to be imported in Bi4.X CMC on SAP Authentication Option tab. The certificate file cert.der has to be imported in SAP BW with STRUSTSSO2 transaction. The user on the BW system must have rights to execute the transaction STRUSTSSO2.

1.  Generate keystore and certificate

Run PKCS12Tool program to generate keystore

PKCS12Tool Windows location: <INSTALLDIR>\SAP BusinessObjects Enterprise XI4.0\java\lib PKCS12Tool Unix location: <INSTALLDIR>/sap_bobj/enterprise_xi40/java/lib

  1. In our example we are using the Windows platform.

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI

  1. 4.0\java\lib>java -jar PKCS12Tool.jar -alias mywin -storepass Password1-dname


  1. Keystore file is generated at this location, the file names will be cert.der and keystore.p12. In the next step we use keytool command to update the certificate. The password provided in the previous command (storepass) will have to be provided.

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib>keytool -exportcert -keystore keystore.p12 -storetype pkcs12 -file cert.der -alias mywin

Enter keystore password:

Certificate stored in file <cert.der>

The files mentioned in this section will be imported in BW (cert.der) and in BI system (keystore.p12).


2.  Import SAP BO BI4.X certificate into SAP BW

  1. Logon to the BW system:

b.Run the transaction STRUSTSSO2 as shown in the screenshot below:

c. Import the certificate from the menu.

d. Provide the path to the keystore file.

e. Select the binary import options if available. This option is dependent on the BW version. For BW 7.30 version the binary option is not asked for as shown in the previous screenshot.

f. Add the certificate to the certificate list by clicking on the button "Add to Certificate List" .Check certificate list to make sure it is in the list (CN=<BOEHOSTNAME>) :

g. Add the certificate to access list and verify if the same gets reflected in the ACL list.

h. Save the settings by clicking the save icon in the SAP menu at the top and make sure that the save was successful.

3. Import Keystore file in BOE CMC

a. Make sure that the already added SAP system for SAP authenticationis selected as the default system

b. Import the keystore in the same options tab by clicking on the Choose File button:

c. The private key password entered should be the same as the one used during the certificate generation in the earlier section. The system ID used in our example is SABM and it should be same as the one used in the ACL list on the BW system (refer the previous section). Note that this is an identifier for the BOE/BI system and you should not use the BW system ID for this parameter. Finally click on Update button to finish the configuration.

4. Test the SAP SSO

  1. The SAP SSO is a platform to SAP BW machine configuration and the same can be tested using the Information Design tool (IDT).

1. Create a BICS connection in the IDT.

2. Select the “Use Single Sign on” authentication mode.

3. Enter the BW system details (Client, System ID and application server details). BW system details can be obtained by selecting SystemàProperties from SAP Logon.

4. Click on “Test Connection”.