Downloading verify.der in NW CE7.1

Similar Messages

• Error adding verify.der to certificate list

  Dear All,
  I am trying to configure single sign on from my portal. I started by downloadind the verify.der file from the portal and configure the parameter in RZ10 as follow
  login/accept_sso2_ticket                    1  
  login/create_sso2_ticket                     2  
  Then i try to import the verify.der to R/3 in STRUSTSSO2. After i browse the verify.der file, when i click on the add to certificate list, it is giving me the following error
  Error occurred during import
  Message no. TRUST008
  Anyone know something about this?
  Thanks
  Regards,
  Bryan

  Hi Brain,
  After you download the verify.zip file and unzip it to verify.der, do you find any content being displayed.
  Also, you can try this...
  1. Go to Visual Administration.
  2. And generate a new certificate.
  3. Then download the same using system administration-key storage and try.
  Regards,
  Sandeep Tudumu

• Verify.der file missing

  Hi,
  I have installed Netweaver 2004(Portal)with the system SID as X01.
  Thus, when i use transaction STrustSSO to import the verify.der file
  from this X01 portal(NW04), it overwrites the existing system ID=X01(
  exisitng verify.der file from Enterprise portal 5).
  Is there a way to change the NW04 system ID ?
  Regards,
  BEN

  To make this consistent, you will need to do a system copy, means:
  - use sapinst to export everything
  - delete the installation
  - create a new one with a new SID using the export you just made
  http://service.sap.com/systemcopy
  Markus

• Enable to importing the verify.der file.

  Hi gurus,
             I need your help in solving some strange behave of the portal, really strange.
  I have user Administrator in our production, Im logged in with Administrator account and when i go to irj and then go to System Administration,<h5> System Configuration>Keystore Administration>Content ...Im not able to see the drop down menu with the certificates its saying "Could not access the keystore because of missing permissions. Make sure you have been assigned to the J2EE administrator role." in the alert log of the portal i see this strange error "Full Message Text Source: java.security.
  AccessControlException: Access denied (java.lang.RuntimePermission addPermission);
  Description: Code permissions for domainhttp://sap.com/irj/servlet_jsp/irj/root/web-inf/portal/portalapps/com.sap.portal.usermanagemen t.admin/private/lib/com.sap.portal.usermanagement.a dmin_core.jar and keystore operation {GET_VIEW TicketKeystore } are not granted;
  Consequences: domain http://sap.com/irj/servlet_jsp/irj/root/web-inf/portal/portalapps/com.sap.portal.usermanagemen t.admin/private/lib/com.sap.portal.usermanagement.a dmin_core.jar has not code permission to execute keystore operation {GET_VIEW TicketKeystore }];
  Please help me to solve this if you can!!!
  Thank in advance !!!

  If you are not able to import the verify.der using this irj , You have 2 other options to import it .
  1. Login to Visual admin . Go to Server > Services > Key Storage . Under Ticket , There is a Load Option to import the Certs
  2. Instead of using /irj use /sso2 .. That will take you to Import Cert page . You can import the cert from there .
  Let me know in case of any issues.

• How to import a certificate  verify.der.cer to enable SSO

  How to import a certificate  verify.der.cer to enable SSO

  Hi Chitrangada,
  You havent mentioned if you need to configure SSO between which two systems. However, assuming that you are configuing the access of an ABAP system from a portal, you can import the verify.der file in TA STRUSTSSO2.
  The entire procedure is available at:
  http://help.sap.com/saphelp_nw70/helpdata/en/12/9f244183bb8639e10000000a1550b0/frameset.htm
  Hope it helps!
  Best Regards,
  Srividya.R

• EvalLogonTicket() with verify.der instead of verify.pse

  Hi Experts,
  From the sample code of SAPSSOEXT, we use verify.pse from the producer portal to parse the SAP logon ticket. However, from NW CE, we can only generate verify.der. How can we use .der file in SAPSSOEXT library? I am trying to do SSO between NW CE and Weblogic.
  Thanks in Advanced.

  Hello Bert,
  the verify.der contains a X.509 standard certificate which can be used to verify the SAPLogonTickets by the Backend systems in a way which is defined by the related standards.
  This certificate and the corresponding private key are generated during the installation of your portal and are stored in a so called TicketKeystore.
  You can find it using the Visual Administrator in the Key Storage Service. Here is the documentation:
  http://help.sap.com/saphelp_nw04/helpdata/en/e9/a1dd44d2c83c43afb5ec8a4292f3e0/content.htm
  In the Key Storage Service you can replace the current certificate and private key with your own one which you can generate using tools which support the X.509 and related standards. Or you can create a new one.
  You could also request a certificate from an official trust center if you need this extra security.
  So you have plenty of possibilities...
  As always you have to check which is the best in your environment. If you create a new certificate of course you will have to reinstall it on every backend system which should trust the SAPLogon ticket from your portal.
  On the other side, you should be carefull in creating certificates which have a very long validity (life time). Because the SAPLogonTicket mechanism relies on the public key crypthografie. The longer the lifetime of a certificate the more time there is for an attacker to eventually find the corresponding private key and thus break the security of the SAPLogonTicket. Which means he could logon to your backend system with any user id he wants...
  So, it really depends on your scenario and environment.
  But I hope I could give you some hints and help about the verify.der
  Best regards,
  Stefan Brauneis

• PSE 9:Wie kann ich unter Windows 7 den Downloader in der automatischen Wiedergabe speichern?

  Ich hatte unter Vista den PhotoDownloader.exe bei der automatischen Wiedergabe für meine Kamera hinterlegt. Bei Windows 7 kriege ich das nicht mehr hin. Kann mir jemand helfen?
  Unter Windows 7 kann ich zwar den Organizer anwählen aber nicht direkt den PhotoDownloader. Wenn möglich möchte ich mir diesen Umweg sparen...

  Hallo Michael,
  auch bei mir funktioniert es nicht mit Thunderbird. Ich habe allerdings auch noch PSE 6.
  Ich finde das auch nicht so toll. Besser gesagt, es k.... mich an.
  Wollte eben mal sehen, ob es dafür eine Lösung gibt. So bin ich auf Deinen Beitrag gestoßen.
  Es hat auch nicht mit dem Adobe-Dienst geklappt bei ausgeschalteter Firewall?
  Wenn das Problem überhaupt für Dich noch relevant ist, würde ich Dir gerne helfen.
  LG Thomas

• How to create the verify.der file in portal ? valid to and valid from

  hi Experts,
  am facing the problem in SAP logon method without user mapping but it's having a problem, The problem is  create the Transaction iview it's not there . Back end server is not response how to create the Valid TO and Valid From in portal.
  Thanks & Regards
  Chandu

  Chandu,
         1.      Start the SAP J2EE Engine Visual Administrator: C:\usr\sap\<SID>\JC00\j2ee\admin\go.bat.
         2.      Navigate in the left tree panel to Cluster -Server -Services -Key Storage - Runtime  TicketKeystore - SAPLogonTicketKeypair u2013cert.
  Here you can go ahead and create a new ticket.
  Hope that helps.
  Cheers,
  Sandeep Tudumu

• SSO to R3 4.6c

  Hi,
  I have done the following (Like written in the Course Manual EP200): 
  Downloaded verify.der file from Portal.
  Imported the verify.der file with strustsso and added it to the PSE and ACL.
  Set the two 4.6c parameters to
  login/accept_sso2_ticket = 1
  login/create_sso2_ticket = 0
  My login-id is the same in both system (EP 6.0 and 4.6c)
  Both servers are in the same Domain.
  Question: Is a ITS necessary making SSO possible ? I have not maintained thise info in the EP System.
  Thanks a lot for your feedback.
  John

  Hello John,
  I have made the same hcanges to my Portal that you made, I have an ITS, and have made the changes required.
  When I test the connection, the ITS test is OK, but the other connection test is not. I have tried both UIDPWD and SAPLOGONTICKET, and i get the same result. What do you think the problem is?

• SSL Private Key

  Hi,
  I would like to export my Portal private key, so that it can be used for network traffic capture (Wire shark).
  Can anyone point me in the direction as to where this file can be exported.
  Thanks
  Kai
  PS. Points will be awarded.....

  The Path to export the certificate is:
  On the Portal
  System administration -> system configuration -> Keystore administration -> download verify.der file
  Regards,
  Chengappa

• How to change the existing sap logon ticket

  HI
  I did the System copy from my production server to Quality server.
  Now everthing is working except Single Sign On.  This is due to SAPlogon ticket.
  the SAPlogon ticket show the PRD sid. I am not able to change the existing sid in ticket.
  Tell me how to chage the old saplogon ticket with new one.
  Workaround i did in my server.
  generated the new certificate for Quality server  and try to import in R/3 000 client.  but not successful.

  Hello Lee,
  You dont have to import the certificate from R/3 into portal
  we have to generate the certificate in portal and then import in R/3
  To generate the portal certificate in quality Portal system and uploading in R/3,please find the method:
  Log on to the Visual Admin of Portal with administrator id and password. Go to the following node: Server 0 1_34158->services and then Key Storage
  In Key Storage, go to TicketKeyStorage
  Under Entry, choose Create.
  The Key and Certificate Generation dialog appears
  Enter the Subject Properties in the corresponding fields
  CN=<Common Name>, OU=<Organization Unit Name>, O=<Organization Name>, L=< Locality Name >, ST=<State/Province>, C=DE. give SID of portal in CN
  Give the Entry name as SAPLogonTicketKeypair.
  Select Algorithm as DSA,also click on store certificate and then generate
  You will see along with SAPLogonTicketKeypair, SAPLogonTicketKeypair-cert will also get generated.
  Now we will have to import this SAPLogonTicketKeypair-cert in the ABAP systems
  First we will have to download the certificate from the portal.
  Now logon to the SAP Netweaver Portal with user administrator
  Go to System Administration->System Configuration and then Keystore Administration.
  In the Content tab you will find the list of certificates
  We have to download SAPLogonTicketKeypair-cert .Click on Download verify.der file
  To your desktop
  Now we have to import the certificate in ABAP system.
  Log on to the ABAP system 000 client and use T-Code STRUSTSSO2
  Under Certificate, click on Import certificate
  Give the path of verify.der file. The file format should be Binary
  And upload it.
  Now you can see the certificate has been uploaded. Check for the validity
  Now click on Add to certificate to add this.
  Now click on Add to ACL.
  Enter System ID as the portal SID(i.e is SPQ) and client as 000 and click on Ok
  Then save your entries
  Hope this makes it clear
  Rohit

• How to link to an R3 system(not sure where it goes sorry)

  I was handed a netweaver04 installation and now I have to complete it. The Portal is up but I need to point it to the correct R3 system and then get the Iviews loaded and working. Anybody got any clues on where to go with this one.
  Thanks in Advance
  Troy

  Hi Troy
  <u><b>Connecting SAP systems to Enterprise portal with SSO.</b></u>
  So here they are, 10 simple steps :o)
  1) Export certificate from portal (verify.der and verify.pse)
  ..... a) Navigate to 'System Administration' >> 'System configuration' >> 'Keystore Administration'.
  ..... b) in 'Content' select "SAPLogonTicketKeypar-cert" and press'n'save "Download verify.pse file" and "Download verify.der file".
  2) Check existence of SAPJSF user in target system
  ..... a) Create if necessary using transaction SU01.
  ..... b) User should have two roles: SAP_BC_JSF_COMMUNICATION and SAP_BC_USR_CUA_CLIENT_RFC (if you have CUA in place).
  ..... c) Probably you will have to generate profiles for those roles in target system (transaction PFCG).
  3) Check profile parameters
  ..... a) use transaction RZ10
  ..... b) choose instance profile, 'extended maintenance', then 'Change'
  ..... c) make sure that "login/create_sso2_ticket" is set to "2" and "login/accepte_sso2_ticket" set to "1"
  4) Export certificate from target system (the system to which you want to connect using SSO from portal)
  ..... a) use transaction STRUSTSSO2
  ..... b) double-click on "Own Certif." on "CN=..." part.
  ..... c) press on "Export certificate" button in the middle of the screen and provide file name and path, where to save certificate file.
  5) Import portal certificate to target system
  ..... a) Use transaction STRUSTSSO2 in target system
  ..... b) push "Import certificate" button in the middle of the screen
  ..... c) in 'File path' field enter path to *.der file, you created in step 1 (or point at it via 'Browse' button)
  ..... d) Press "Enter"
  ..... e) Press 'Add to certificate list' button and then 'Add to ACL button
  6) Create an JCo RFC provider in J2EE engine of portal system.
  ..... a) Logon to J2EE using J2EE Admin tool (go.bat)
  ..... b) navigate to 'Server' >> 'JCo RFC provider' node
  ..... c) On the right side of the screen choose any entry in 'Available RFC destinations' area.
  ..... d) Enter information about new destination:
  ..... ..... - Program ID: name of the program (you will need it later) - sapj2ee_port, for example
  ..... ..... - Gateway host - FQDN of target system - server.domain.com, for example
  ..... ..... - Gateway service - sapgw00 for example
  ..... e) in 'Repository' section enter:
  ..... ..... - Application server host - FQDN of target system - server.domain.com, for example
  ..... ..... - system number - 00, for example
  ..... ..... - client - 100, for example
  ..... ..... - logon language - EN
  ..... ..... - user - SAPJSF (from step 2)
  ..... ..... - password (from step 2)
  ..... f) press 'Set'
  7) Add target system to Security providers list
  ..... a) Open J2EE Admin and navigate to 'Server' >> 'Services' >> 'Security Provider'. In components select 'Ticket'. Enter edit mode (button with pencil above)
  ..... b) select 'Login module' "com.sap.security.core.server.jaas.EvaluateTicketLoginModule" and press 'Modify'
  ..... c) ensure that "ume.configuration.active" is set to "true"
  ..... d) enter following info:
  ..... ..... - Name - 'trustedsysN' (there should be a number instead "N", if target system is the first one you implementing SSO with, there should be 'trustedsys1'). Enter <SID>,<client> as a value (C11,100 for example)
  ..... ..... - Name - 'trustedissN' (there should be a number instead "N", if target system is the first one you implementing SSO with, there should be 'trustediss1'). Enter CN=<SID> as a value (CN=C11 for example)
  ..... ..... - Name - 'trusteddnN' (there should be a number instead "N", if target system is the first one you implementing SSO with, there should be 'trusteddn1'). Enter CN=<SID> as a value (CN=C11 for example)
  ..... e) Press 'OK'
  ..... f) Do substeps b,c,d,e in 'evaluate_assertion_ticket' view for "com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule" login module.
  8) Import target system certificate to J2EE of portal system (from step 4)
  ..... a) Open J2EE Administrator and logon to portal instance
  ..... b) Navigate to 'Server" >> 'Services' >> 'Key storage'
  ..... c) in 'Ticket keystore' view press 'load' and select certificate of target system, you exported in step 3.
  9) Restart J2EE instance.
  10) Create RFC connection in target system
  ..... a) use transaction SM59
  ..... b) Point to TCP/IP connections and press 'New'
  ..... c) Enter name for new connection ("RFC_to_portal", for example), enter connection type "T" (external TCP/IP application) and description. Save.
  ..... d) in 'Technical settings' choose "Registered server program" and enter application name from step 6d in "Program ID" field. Provide 'Gateway host' and 'Gateway service' same as in step 6d. Save. Test connection. RFC connection ready.
  If You had to change or add parameters in RZ10 (in step 3), do not forget to restart target system.
  check the below url
  /people/sap.user72/blog/2004/09/15/quick-guide-for-setting-up-sso-between-ep-and-r3
  regards,
  kanthi

• How to configure a system

  Hi Friends,
  I have installed EP 7 and now when i logon to visual composer and try to look for API's in added system it shows an error
  'failed to connect to backend system. check your system definition and user privileges.'
  can anyone help me resolving this..
  Regards
  Anuj

  check all the possible solutions for your error
  see what suits your situation and apply them ...let me know if u still have errors
  1) Export certificate from portal (verify.der and verify.pse)
  ..... a) Navigate to 'System Administration' >> 'System configuration' >> 'Keystore Administration'.
  ..... b) in 'Content' select "SAPLogonTicketKeypar-cert" and press'n'save "Download verify.pse file" and "Download verify.der file".
  2) Check existence of SAPJSF user in target system
  ..... a) Create if necessary using transaction SU01.
  ..... b) User should have two roles: SAP_BC_JSF_COMMUNICATION and SAP_BC_USR_CUA_CLIENT_RFC (if you have CUA in place).
  ..... c) Probably you will have to generate profiles for those roles in target system (transaction PFCG).
  3) Check profile parameters
  ..... a) use transaction RZ10
  ..... b) choose instance profile, 'extended maintenance', then 'Change'
  ..... c) make sure that "login/create_sso2_ticket" is set to "2" and "login/accepte_sso2_ticket" set to "1"
  4) Export certificate from target system (the system to which you want to connect using SSO from portal)
  ..... a) use transaction STRUSTSSO2
  ..... b) double-click on "Own Certif." on "CN=..." part.
  ..... c) press on "Export certificate" button in the middle of the screen and provide file name and path, where to save certificate file.
  5) Import portal certificate to target system
  ..... a) Use transaction STRUSTSSO2 in target system
  ..... b) push "Import certificate" button in the middle of the screen
  ..... c) in 'File path' field enter path to *.der file, you created in step 1 (or point at it via 'Browse' button)
  ..... d) Press "Enter"
  ..... e) Press 'Add to certificate list' button and then 'Add to ACL button
  6) Create an JCo RFC provider in J2EE engine of portal system.
  ..... a) Logon to J2EE using J2EE Admin tool (go.bat)
  ..... b) navigate to 'Server' >> 'JCo RFC provider' node
  ..... c) On the right side of the screen choose any entry in 'Available RFC destinations' area.
  ..... d) Enter information about new destination:
  ..... ..... - Program ID: name of the program (you will need it later) - sapj2ee_port, for example
  ..... ..... - Gateway host - FQDN of target system - server.domain.com, for example
  ..... ..... - Gateway service - sapgw00 for example
  ..... e) in 'Repository' section enter:
  ..... ..... - Application server host - FQDN of target system - server.domain.com, for example
  ..... ..... - system number - 00, for example
  ..... ..... - client - 100, for example
  ..... ..... - logon language - EN
  ..... ..... - user - SAPJSF (from step 2)
  ..... ..... - password (from step 2)
  ..... f) press 'Set'
  7) Add target system to Security providers list
  ..... a) Open J2EE Admin and navigate to 'Server' >> 'Services' >> 'Security Provider'. In components select 'Ticket'. Enter edit mode (button with pencil above)
  ..... b) select 'Login module' "com.sap.security.core.server.jaas.EvaluateTicketLoginModule" and press 'Modify'
  ..... c) ensure that "ume.configuration.active" is set to "true"
  ..... d) enter following info:
  ..... ..... - Name - 'trustedsysN' (there should be a number instead "N", if target system is the first one you implementing SSO with, there should be 'trustedsys1'). Enter <SID>,<client> as a value (C11,100 for example)
  ..... ..... - Name - 'trustedissN' (there should be a number instead "N", if target system is the first one you implementing SSO with, there should be 'trustediss1'). Enter CN=<SID> as a value (CN=C11 for example)
  ..... ..... - Name - 'trusteddnN' (there should be a number instead "N", if target system is the first one you implementing SSO with, there should be 'trusteddn1'). Enter CN=<SID> as a value (CN=C11 for example)
  ..... e) Press 'OK'
  ..... f) Do substeps b,c,d,e in 'evaluate_assertion_ticket' view for "com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule" login module.
  8) Import target system certificate to J2EE of portal system (from step 4)
  ..... a) Open J2EE Administrator and logon to portal instance
  ..... b) Navigate to 'Server" >> 'Services' >> 'Key storage'
  ..... c) in 'Ticket keystore' view press 'load' and select certificate of target system, you exported in step 3.
  9) Restart J2EE instance.
  10) Create RFC connection in target system
  ..... a) use transaction SM59
  ..... b) Point to TCP/IP connections and press 'New'
  ..... c) Enter name for new connection ("RFC_to_portal", for example), enter connection type "T" (external TCP/IP application) and description. Save.
  ..... d) in 'Technical settings' choose "Registered server program" and enter application name from step 6d in "Program ID" field. Provide 'Gateway host' and 'Gateway service' same as in step 6d. Save. Test connection. RFC connection ready.
  If You had to change or add parameters in RZ10 (in step 3), do not forget to restart target system.
  Also double-check that portal server and target system are in a same domain, this is important for ticket issuing. This thing is always mentioned in various documents.
  Now SSO is configured. Try to test it by creating simple iView, that launches WebGUI

• How to call portal from R3

  Hello Gurus,
  I have a new requirement to call portal from r3. Its regarding KM. When ever a end user is using R3 Tcode, he will get a button of online user manual about that perticular T-code,,when he clicks on that button ,,he is directed to portal and the PDF of that Tcode opens..
  Now the problem is that,,,,we have maintained SSO,,,it works fine when i login to portal and get the R3 screen,,,,but in reverse way,,,i.e when user calls portal from R3 for manual,,,it asks for password ,,,i don;t know where the problem lies,,,
  We have already pass R3 certificate to portal and portal certificate to R3,,,also maintained profile paramenters,,,,also checked by creating transaction iview,,it works fine from portal to r3 but it is asking password when we go the reverse way ,,,.i.e from r3 to  portal,,,,,kindly help,,,,,

  Hello kalaria,
  Prerequisites for using logon ticket
  u2022     SAP Netweaver Portal and the SAP Systems are in the same domain.
  u2022     SAP Systems registered in the portal
  u2022     User has Administrator roles assigned.
  Export Certificate from Portal
  1. SAP Netweaver Portal     System Administration  System Configuration  Keystore Administration
  2. Go to System Administration  System Configuration  Keystore Administration
  3. Select SAPLogonTicketKeypar-cert from the drop list menu (default)
  4     Choose Download verify.der File button.
  5.     Save file to a folder on your hard drive (i.e. verify.der.zip)
  6.     Extract the zip file and save the verify.der file to the hard drive (i.e. verify.der)
  Create a System user in SAP system with Required Roles
  Check the SAP system for the SAPJSP and required roles
  1.     Enter transaction SU01.
  2.     Choose Enter.
  3.     Enter SAPJSF in the User text field.
  a.     Choose Create button 
  4.     Enter a Last Name in the required Last Name text field.
  Roles
  5.     Choose Roles tab.
  6.     Enter SAP_BC_JSF_COMMUNICATION and SAP_BC_USR_CUA_CLIENT_RFC in the Roles table.
  7.     Choose Save button.
  Logon Data
  8.     If prompted, Enter initial password under Initial password and Repeat password
  9.     Choose Save button
  Hope it help you in connecting SAP ssytem using logon ticket.
  Let me know if you still face the problem.
  Please rewards points if helpful
  Please close the thread if problem solved
  Thankyou,
  Regards
  Vijai

• Error in importing certificate into the BW System

  Hi,
  I am trying to import the certificate from portal to BW system trough the STRUSTSSO2 transaction it is importing the certificate no issues in that but when i tried to add in the certificate list by using the "Add to certificate list" button i am grtting the error "error occured during import"
  plz any one can give input in this.
  This is very urgen...i will award the points for useful solution...
  eagerly looking for the reply from u
  Thanks
  ajay

  Hi JJ,
  Thanks for the response.
  I have unziped the file before importing the certificate,
  first i went to key Store administrator in the portal and clicked on download verify.der button there it is down loaded in the local machine then i unziped that file in that i got the certificate this certificate i have imported in to the BW system .
  the certificate has been imported without any error imported but when i click on the add to certificate list  it will throw the eooror in import.
  the same error i am getting the R/3 system also.
  can u plz give any inputs on this.
  Thanks
  Ajay