
Re: Using SSO (SAPLogonTicket) with Portal and SSM


Hi Andreas,

To do SSO between the SSM system and the portal, you need to follow the steps below.

You configure Single Sign-On (SSO) in two steps:

...

       1.      Export the portal certificate from the J2EE Engine of the SAP NetWeaver 7.0 portal.

       2.      Import the portal certificate to the SAP NetWeaver 2004 portal (SAP EP 6.0) and add it to the Access Control List (ACL).

Exporting the Portal Certificate from the SAP NetWeaver 7.0 Portal

...

       1.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.bat.

       2.      Connect to the portal server.

       3.      Choose <SID> → Server<#> → Services → Key Storage.

       4.      IViews: Select the view TicketKeystore.

       5.      Entries: Select SAPLogonTicketKeypair-cert.

If SAPLogonTicketKeypair-cert does not exist, you need to create a portal certificate manually.

              i.      Entry: Choose Create. Enter the following values in Key and Certificate Generation:

●        Subject Properties: Every key must have a value under Value. The value CN=Common Name is the first value that is displayed. This is the certificate name. The recommendation of <SID> from the portal server also applies.

●        Entry Name: SAPLogonTicketKeypair (the system generates the entry SAPLogonTicketKeypair-cert).

●        Store Certificate: X

●        Algorithm: DSA

             ii.      To generate the certificate, choose Generate.

            iii.      Entries: Select SAPLogonTicketKeypair-cert.

       6.      Entry: Choose Export.

       7.      Export the portal certificate as <PORTAL_SID>_certificate.crt in the file format X.509 Certificate (*.crt).

Importing the Portal Certificate to the SAP NetWeaver 2004 Portal (SAP EP 6.0)

...

       1.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.bat.

       2.      Connect to the portal server.

       3.      Choose <SID> → Server<#> → Services → Key Storage.

       4.      iViews: Select the view TicketKeystore.

       5.      Entry: Choose Load.

       6.      Open the file <PORTAL_SID>_certificate.crt.

In the Service Security Provider, under Ticket, perform the following steps to ensure that the SAP J2EE Engine accepts SAP logon tickets from the SAP NetWeaver 7.0 portal as an external system.

       7.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.

       8.      Connect to the portal server.

       9.      Choose <SID> → Server<#> → Services → Security Provider.

   10.      Components: Choose Ticket.

   11.      Choose the Authentication tab page.

   12.      Add the following values for com.sap.security.core.server.jaas.EvaluateTicketLoginModule:

○       trustedsys<Number>=<PORTAL_SID>, <PORTAL_CLIENT> (for example, J2E, 000)

○       trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN= J2E)

○       trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN=J2E)

<Number> is an identical number for all three entries, but must be incremented by one for each external system.

<PORTAL_SID> and <PORTAL_CLIENT> are the system ID and client of the SAP NetWeaver 7.0 portal. The client is the value of the parameter login.ticket_client. The default value is 000.

<ISSUER_DISTINGUISHED_NAME> and <SUBJECT_DISTINGUISHED_NAME> are the values of [issuerDN] and [DN] of certificate SAPLogonTicketKeypair-cert (see above).

You also have to add these values under evaluate_assertion_ticket:

   13.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%\admin\go.

   14.      Connect to the portal server.

   15.      Choose <SID> → Server<#> → Services → Security Provider.

   16.      Components: Select evaluate_assertion_ticket.

   17.      Choose the Authentication tab page.

   18.      Add the following values for com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule:

○       trustedsys<Number>=<PORTAL_SID>, <PORTAL_CLIENT> (for example, J2E, 000)

○       trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN= J2E)

○       trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN=J2E)

The values are the same as the above values under Ticket.

 

Hope it helps.

 

Regards

Uday
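
A consistency check for the trusted-system entries described in the post, as an added example that is not part of the original reply or SAP's own tooling. It assumes the options of both login modules have been copied by hand from the Authentication tab into dictionaries; the function names are hypothetical and the values are constructed from the post's J2E / 000 example.

```python
# Added example: helper names are hypothetical; options are typed in by hand from the Authentication tab.
import re

OPTION_RE = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d+)$")
REQUIRED = ("trustedsys", "trustediss", "trusteddn")

def group_trust_entries(options):
    """Group login-module options by their <Number> suffix."""
    groups = {}
    for key, value in options.items():
        m = OPTION_RE.match(key)
        if m:
            groups.setdefault(int(m.group(2)), {})[m.group(1)] = value.strip()
    return groups

def check_module(options):
    """Return a list of problems in one module's trusted-system entries."""
    problems = []
    groups = group_trust_entries(options)
    for number in sorted(groups):
        entry = groups[number]
        for name in REQUIRED:  # all three entries must share the same number
            if not entry.get(name):
                problems.append(f"{name}{number} is missing or empty")
        sys_value = entry.get("trustedsys", "")
        parts = [p.strip() for p in sys_value.split(",")]
        if sys_value and (len(parts) != 2 or not all(parts)):
            problems.append(f"trustedsys{number} is not '<SID>, <client>'")
    numbers = sorted(groups)  # one increment per external system, no gaps
    if numbers and numbers != list(range(numbers[0], numbers[0] + len(numbers))):
        problems.append(f"numbers are not consecutive: {numbers}")
    return problems

def check_sso_trust(ticket_opts, assertion_opts):
    """Check both login modules and that their trust entries match."""
    problems = [f"ticket: {p}" for p in check_module(ticket_opts)]
    problems += [f"evaluate_assertion_ticket: {p}" for p in check_module(assertion_opts)]
    if group_trust_entries(ticket_opts) != group_trust_entries(assertion_opts):
        problems.append("ticket and evaluate_assertion_ticket entries differ")
    return problems

# Constructed sample values, using the post's own J2E / 000 example.
TICKET = {"trustedsys1": "J2E, 000", "trustediss1": "CN=J2E", "trusteddn1": "CN=J2E"}
ASSERTION_OK = dict(TICKET)
ASSERTION_BAD = {"trustedsys1": "J2E, 000", "trustediss2": "CN=J2E", "trusteddn1": "CN=J2E"}

if __name__ == "__main__":
    for problem in check_sso_trust(TICKET, ASSERTION_BAD):
        print(problem)
```
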

