Single Sign-On configuration between ABAP AS and JAVA AS

Purpose: Set up Single Sign-On between SAP NW ABAP and Java Application Systems.

Prerequisites: Set the following parameters in the instance profile:

i. login/create_sso2_ticket = 2

ii. login/accept_sso2_ticket = 1

Installation/Activity steps 

Export Portal Private Certificate (JAVA AS) from Visual Administrator

Choose Server –> Services –> KeyStorage –> TicketKeystore


Import Portal Private Certificate into backend ABAP AS system.

Execute transaction STRUSTSSO2 in client 000

Choose System PSE from the left navigation and Certificate –> Import



Specify the location of portal private certificate where you saved it in step 2


Click the “Add to Certificate List” button (in the Certificate box) to add the portal certificate to the certificate list


Then click the “Add to ACL” button to add the certificate to the Access Control List. Click SAVE


Note: We have to perform the steps above in the production client (for example, 100); otherwise SSO won’t work

Once it’s added to ACL, you should be able to see the entry in Login Ticket box as shown in the screenshot

Note: The System ID must be the Java Portal SID, and the client must always be 000 for a Java system



Export the backend ABAP private certificate and import into Java Portal System

Execute transaction STRUSTSSO2 in client 000. Choose System PSE from the left navigation, double-click the Owner Certificate, and choose Certificate –> Export to save the certificate with a .crt extension.



Log into Visual Administrator. Choose Server –> Services –> KeyStorage –> TicketKeystore, click the Load button, and choose the ABAP owner certificate.


Make an entry of Backend System in “ACL” in the Portal
Choose Server –> Services –> Security Provider –> Ticket

Go to change mode, select com.sap.security.core.server.jaas.EvaluateTicketLoginModule and click the Modify button.

Add the following options if they do not already exist:

ume.configuration.active = true

trustedsys<n>= <ABAP SID>, <Prod. Client>

trustediss<n>= CN=<ABAP SID>

trusteddn<n>= CN=<ABAP SID>

Note: Add one set for client 000 and another for the production client.
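
The login module options listed above can be checked for completeness before they are saved. The following Python check is an added example, not part of the original post or of any SAP tool; it assumes the options are copied out as key = value lines and that the issuer and subject are exactly CN=<ABAP SID> as in the template above, and the SID ABC, client 100 and all function names are constructed placeholders.

```python
import re

# Constructed sample of the EvaluateTicketLoginModule options (SID "ABC" and
# production client 100 are placeholders; trusteddn2 is left out on purpose).
SAMPLE_OPTIONS = """\
ume.configuration.active = true
trustedsys1 = ABC, 000
trustediss1 = CN=ABC
trusteddn1 = CN=ABC
trustedsys2 = ABC, 100
trustediss2 = CN=ABC
"""

KEY_RE = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d+)$")

def parse_options(text):
    """Turn 'key = value' lines into a dict, ignoring lines without '='."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def check_trust_entries(text, sid, prod_client):
    """Return a list of findings; an empty list means the options match the page."""
    opts, findings, sets = parse_options(text), [], {}
    if opts.get("ume.configuration.active", "").lower() != "true":
        findings.append("ume.configuration.active is not true")
    for key, value in opts.items():
        m = KEY_RE.match(key)
        if m:  # group the three option kinds by their shared index <n>
            sets.setdefault(int(m.group(2)), {})[m.group(1)] = value
    clients_seen = set()
    for n, entry in sorted(sets.items()):
        for kind in ("trustedsys", "trustediss", "trusteddn"):
            if kind not in entry:
                findings.append(f"set {n}: {kind}{n} is missing")
        parts = [p.strip() for p in entry.get("trustedsys", "").split(",")]
        if len(parts) == 2 and parts[0] == sid:
            clients_seen.add(parts[1])
        elif "trustedsys" in entry:
            findings.append(f"set {n}: trustedsys{n} is not '{sid}, <client>'")
        for kind in ("trustediss", "trusteddn"):
            if kind in entry and entry[kind] != f"CN={sid}":
                findings.append(f"set {n}: {kind}{n} is not CN={sid}")
    for client in ("000", prod_client):  # one set per client, as the note says
        if client not in clients_seen:
            findings.append(f"no trustedsys entry for {sid} client {client}")
    return findings
```

Calling check_trust_entries(SAMPLE_OPTIONS, "ABC", "100") reports the incomplete second set; an empty list means every set is complete and both clients are covered.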


Miki Barzilay
