SNC configuration when configuring SSO

Former Member
0 Kudos

Hi there,

We're trying to configure SSO between an AS Java instance (v7.3) & an ABAP instance (v7 EHP1).

We'd like the Java instance to issue SSO tokens that are trusted by the ABAP stack.

I have configured the ABAP instance to use SNC via SAPCryptolib.

When I log in to NWA on the Java instance & try to add the ABAP stack as a trusted system it complains that the ABAP stack PSE uses RSA.

Apparently the DSA algorithm needs to be used.

Can anyone provide guidance on exactly what needs to be done here?

Thanks in advance.


Tim

10 REPLIES

Former Member
0 Kudos

I think that the NetWeaver Application Server space would be more suitable for this discussion.


Can you attach a screenshot? The default algorithm has been RSA for a while now and AS JAVA should accept it just fine. Make sure that your SAP Cryptographic Library is at the same level on both systems; the error message might be misleading and really due to an incompatibility issue between the two libraries.

If you insist on creating a System PSE with the DSA algorithm, follow the attached link. If you are unable to create a System PSE with the DSA algorithm in transaction STRUST you can do it manually with the command line tool sapgenpse(.exe).


http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d4/085e3a1d589804e10000000a114084/frameset.htm

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/56/a92f3ae689f058e10000000a11402f/frameset.htm

0 Kudos

Hi Samuli,

For clarity, the process I have been following is:

1) Log into the ABAP stack

2) Run STRUST

3) Select the SNC PSE

4) Export the certificate (Base64 encoding)

5) Start NWA & log in as Administrator

6) Choose Configuration > Trusted Systems.

7) Add Trusted System > By Uploading Certificate manually

8) Enter the ABAP system SID, client & point at the certificate.

At this point I get the error.

I recreated the SNC PSE on the ABAP stack.

It uses the RSA algorithm with 1024bit key.

Thanks


Tim

0 Kudos

Samuli,

I just tried using the System PSE certificate instead of the SNC PSE & it worked.

I now have an entry in the trusted system list in AS Java for the ABAP host.

The system PSE in the ABAP system uses the DSA algorithm. I tried recreating the system PSE & you don't seem to have an option to change the algorithm to RSA for the system PSE in ABAP v7.

Do you have any experience configuring SSO from AS Java to AS ABAP?

I'm a bit stuck at this point.

Thanks again.


Tim
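The posts above turn on whether an exported certificate carries an RSA or a DSA key. As an added example (not part of the original thread, and not SAP code), this standard-library Python reads a Base64 certificate export and reports the public key algorithm from its SubjectPublicKeyInfo. The function names are hypothetical, and `sample_pem` builds a constructed skeleton rather than a real certificate.

```python
import base64

KEY_ALGS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA"}  # key OIDs

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(data):
    parts, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:                    # base-128 arcs, high bit means more bytes follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def pem_to_der(text):                     # BEGIN/END marker lines are skipped if present
    body = [l.strip() for l in text.splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def public_key_algorithm(der):
    """Name the key algorithm in an X.509 certificate's SubjectPublicKeyInfo."""
    _, pos, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)        # TBSCertificate SEQUENCE
    for _ in range(6 if der[pos] == 0xA0 else 5):   # skip [0] version?, serial .. subject
        pos = read_tlv(der, pos)[2]
    _, pos, _ = read_tlv(der, pos)        # SubjectPublicKeyInfo SEQUENCE
    _, pos, _ = read_tlv(der, pos)        # AlgorithmIdentifier SEQUENCE
    _, start, end = read_tlv(der, pos)    # algorithm OID
    oid = decode_oid(der[start:end])
    return KEY_ALGS.get(oid, oid)         # unknown algorithms come back as dotted OID

def tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body # short-form length suffices for the sample

def sample_pem(oid_hex):
    """Constructed skeleton, not a real certificate, with the given key-algorithm OID."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30) * 3 + tlv(0x30, alg + tlv(0x03, b"\x00")))
    b64 = base64.encodebytes(tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"
```

For a real export, pass the file's text to `pem_to_der` and the result to `public_key_algorithm`.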

0 Kudos

That's weird, the default should be RSA also for the System PSE. Try to delete the existing one and create a new one. Ever since RSA was made default, the DSA option was greyed out in STRUST.


Sure, I have experience setting up SSO between AS JAVA and AS ABAP. What are you still missing? You have to upload the AS JAVA certificate and enable SSO by setting the SSO parameters in AS ABAP.

0 Kudos

I tried recreating the system PSE in the ABAP host via tcode STRUST. The algorithm option is set to DSA but is greyed out.

In terms of setting up SSO, we are trying to support:

* users can log in to the Java stack

* they receive an SSO token

* the token can be used to log into the ABAP stack

Our Java stack is just a plain AS Java, not Portal.

I'm trying to find an overall step by step guide but am not having any luck.

So far, all I've managed to do is import the ABAP stack's System PSE into the AS Java trusted system section in NWA.

Thanks

Tim

0 Kudos

You can issue a Logon Ticket from AS JAVA even if the usage types for the portal aren't installed. Export the certificate that is used to sign the Logon Ticket from AS JAVA and import into transaction STRUST of AS ABAP and set the dynamically switchable login/*_sso2_ticket parameters in transaction RZ11 of AS ABAP. Consider also the domain requirements for Logon Tickets (FQDN is required, same domain).

The only issue you might run into is, once you have the Logon Ticket created in AS JAVA, how to actually use it in AS ABAP, since you don't have a portal in order to configure an iView for accessing the AS ABAP using the Logon Ticket. How have you planned to do that? Create a custom JSP and make a redirect to the AS ABAP? Which service? Webgui? Some WDA application? Can you describe your requirement in more detail?


http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/412251343f2ab1e10000000a42189c/frameset.htm

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/61/42897de269cf44b35f9395978cc9cb/frameset.htm

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/75/c80b424c6cc717e10000000a155106/frameset.htm

0 Kudos

Hi again,

Thanks for the info.

I followed the instructions in the link you provided (http://help.sap.com/saphelp_nw73ehp1/helpdata/en/61/42897de269cf44b35f9395978cc9cb/frameset.htm):

  • I exported a copy of the public certificate from the Java stack NWA (Configuration > Security > Certificate & Keys > Key Storage).
  • Imported the cert into the System PSE in the ABAP host

However the steps 4 & 5 are not clear.

Step 4 says to add an ACL but doesn't advise where/how to do this.

Step 5 refers to a tcode STRUSTSSO2, which in our ABAP environment runs tcode strust. Also, I'm not sure what it means by "Enter the AS Java’s system ID and Distinguished Name from the certificate found in the TicketKeystore entry".

Can you provide any guidance on these two steps?

In terms of what we're trying to do, we have developed an application that talks to an ABAP stack over RFC. We are trying to enhance this to use SNC and authenticate using SAP SSO tokens rather than user id/password.

Thanks again.


Tim

0 Kudos

When you import the AS JAVA certificate in STRUST you first add it to the PSE (upper table) and then you add it to the list of ACLs (lower table). Specify the 3 letter SID of your AS JAVA and the client number 000.

0 Kudos

Hi again,

I must be missing something very obvious.

Here's my screen from strust showing the System PSE & also in the top "Certificate List" pane the cert from the AS Java system. I have clicked on this certificate & it displays in the lower "Certificate" pane.

I'm not seeing an ACL option or field to enter a SID etc.

What am I missing?

Thanks

Tim

0 Kudos

Use transaction STRUSTSSO2, then you will see the Logon Ticket area beneath the Certificate one.