
How do you setup SSO against SAP BW in a clustered SAP BO BI 4.x environment?

Aug 28, 2017 at 11:29 AM




I must admit that I have been using this guide, "How to setup SSO against SAP BW with SAP BO BI4.0 Common Semantic Layer (UNX) or BICS", when it comes to the SSO integration, but it does not tell what to do when you are running SAP BO BI in a cluster.

I have two CMS nodes (and two Tomcat and one Apache reverse proxy), BIT001 and BIT002.

Now, I can make two certificates, one on each server, and import them into SAP BW using STRUSTSSO2, but!

Which of the certificates do I import on the SAP BO BI platform?

Since it is running as a cluster, I connect to the cluster @BIT and not the individual node, so I cannot import two certificates on the BI platform.

So what is best practice in these situations where you have multiple servers in a cluster?

Is it to create a round robin DNS entry for my servers like:

(Assuming that is the IP address of the BIT001 and BIT002 servers)

Or is there another approach?

Any feedback is kindly appreciated



1 Answer

Best Answer
Tim Ziemba
Aug 28, 2017 at 11:47 AM

Only 1 certificate can be added to the CMS in a clustered environment (which is used by all members of the cluster); once added you are done, there is no need to create a different cert. If you have created 2 it would be good to remove everything you have and reconfigure with just 1 follow




But this is what I do not get either from the linked note

When you create the cert.der you specify the hostname in the CN parameter.

When you have two (or more) hosts, do you only choose the first, e.g. CN=BIT001?

And in that case, how does this work on the BW side, if the first node BIT001 is down, can it then resolve to BIT002 even though it is not specified in the cert.der file?

I am having a hard time understanding how the Security Token Service actually works, because, in my mind, if BIT001 is used and not responding, how does the STS then know to establish the connection to BIT002?


You can call it anything; use the environment name, not the server.

On BW you connect to a message server for load balancing or failover; BI does not provide BW failover.