8/8/2019 How-To... Import a Portal Public Key Into an ECC Client
How-To Guide: Importing a Portal Public Key into an ECC client
Shows how to import Portal Public Key Certificates and grant single sign on access to ECC clients using the imported key certificate.
Wolfgang Steinert
8/21/2008
Table of Contents
Synopsis
Scope & Related Documents
   Intended Audiences
   Assumptions
   Scope exclusions
   Related Documents
Implementation
Execution
   Extracting the Key
   Importing the Public Key
Appendix
Synopsis
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Scope & Related Documents
This How-To document describes the procedure required to load an SAP Enterprise Portal public key certificate into an ECC client. This public key is used to verify SSO tickets presented to the ECC client in lieu of a username and password for users to gain access.
The procedure takes into account common practices, SAP Best Practices, SAP requirements and Notes.
The purpose of this document is to document common procedures to simplify implementations of Portal requirements and to act as a source of reference for this and future implementations or developments.
Intended Audiences
This document is intended for SAP BASIS administrators and related support groups. It does not provide assistance to inexperienced personnel.
Assumptions
This document is based on the following assumptions:
- The user has administrative access to the instance clients including client 000.
- SSO between the SAP EP and ECC is to be implemented.
- The user is able to initiate operating system calls.
Scope exclusions
This document does not cover all procedures required to implement SSO.
Related Documents
- How-To... Generate a Portal Public Key Certificate.doc
Implementation
The SAP Portal public key certificate is required to enable single sign on using SAP logon tickets. The key is used to verify a logon ticket that is presented to an ECC client for logon in lieu of a username and password a user normally has to provide.
The public key is generated by the portal, stored in a security certificate and imported into the SAP R/3 client by means of transaction STRUSTSSO2.
After a successful import the user may be signed on to the SAP client without the need to provide a user name and password; instead a signed SAP logon ticket is presented, verified against the public key and, if valid, the user is logged on.
This document shows how to correctly import the key and prepare the client(s) to accept user logon.
4. To import the certificate verify.der, click on the import button under the section Certificate. In the popup window, find the file verify.der.
   Select the file by clicking the dropdown button File Path and select the file. Then click on the green check button to import the certificate. The details of the public key certificate will appear in the section Certificate as shown in the next step.
5. To add the certificate to the certificate list, click on the button Add to Certificate List.
   The certificate will be added to the certificate list.
   In our example we have two certificates, one from the instance LPD and one from the instance LXD.
6. When you leave the transaction, you will be prompted to save your certificate.
   Click on the Yes button to save the ticket.
7. Now log off client 000. At this point we have only imported the certificate. We have not yet granted single sign on access to any client.
8. Log on to the client where you want to provide single sign on to using the key certificate. In our example we will be providing single sign on to client 200 using the key certificate we have just imported.
9. Run transaction strustsso2.
10. Access to the client is granted through the ACL (Access control list), therefore you will first need to select the certificate from the certificate list by double clicking on it.
11. The selected certificate will appear in the section Certificate.
12. Now click on the button Add to ACL.
13. In the popup window enter the details of the system where the ticket is from.
    This includes the SYSTEM ID [1] and the CLIENT [2].
    [1] Workplace system ID
    [2] Workplace client ID
    In our example the selected key certificate was issued by the workplace system LPQ (a J2EE system). Since this comes from the J2EE Instance the client number is usually (by default) client 000. You should verify the source client number of the J2EE instance by using the Visual Administrator and navigating to the services tree.
    Once there, select the service UME Provider and check the entry login.ticket_client.
    Whatever this client number is, this is the one you need to use as the entry in the Workplace client ID as seen in the following diagram.
14. Once you have entered all the details, click on the green check button.
15. The certificate will now have been added to the ACL as shown in the following diagram.
16. Again, save the changes. You will be prompted to save the changes once you leave the transaction.
    Click on the Yes button to save your changes.
We have now allowed for single sign on access from system LPQ client 000 to client 200 of the instance we have imported the key into.
Though we have loaded the public keys of Instances LPD and LXD as well (see pt. 1 in the above diagram), we have not granted single sign on access of these instances to our client 200. Only the certificate from instance LPQ provides SSO access to our system client 200 (see pt. 2 in the above diagram).
You will need to repeat the procedure Importing the Public Key steps 8 to 16 for every client you want to provide single sign on access to.
Of course you can repeat the procedure for all public keys if so required.
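
Because every logon ticket signed with an imported key is accepted in lieu of a password, the file verify.der should be checked at operating system level before the import in step 4. The following is an added example, not part of the original guide: it assumes OpenSSL is installed and that the expected SHA-256 fingerprint was obtained separately from the portal administrator; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-import check for a DER-encoded portal certificate.
# Usage: check_portal_cert <file.der> <expected SHA-256 fingerprint>
# Returns 0 = OK, 2 = not a parsable DER certificate, 3 = expired,
# 4 = fingerprint differs from the value supplied by the portal admin.

normalize_fp() {
    # Drop colons/whitespace and upper-case, so "ab:cd" and "ABCD" compare equal.
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

cert_sha256() {
    # Print the SHA-256 fingerprint of a DER certificate as bare hex.
    out=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    normalize_fp "${out#*=}"
}

check_portal_cert() {
    file=$1
    expected=$(normalize_fp "$2")

    # Fails here if the file is missing or is not a DER certificate.
    actual=$(cert_sha256 "$file") || return 2

    # Show what is about to be trusted: subject, issuer, validity period.
    openssl x509 -inform DER -in "$file" -noout -subject -issuer -dates

    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -inform DER -in "$file" -noout -checkend 0 >/dev/null || return 3

    # Compare against the fingerprint received out of band.
    [ "$actual" = "$expected" ] || return 4
    return 0
}
```

Run it as `check_portal_cert verify.der "<fingerprint from portal admin>"` and import the file only when the return code is 0 and the printed subject names the expected portal system.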
Appendix