Skip to end of metadata
Go to start of metadata

Product versions: SAP BO BI4.0


1. Introduction

This article will explain how to generate the keystore file and the certificate.

  • In the below example the keystore file name is keystore.p12 and the certificate file name is cert.der
  • The keystore file keystore.p12 has to be imported in Bi4.0 CMC on SAP Authentication Option tab
  • The certificate file cert.der has to be imported in SAP BW with STRUSTSSO2 transaction.


  • plamtree in the below example is host name of machine where BI4.0 running. This name needs to be adjusted to reflect the name of your real BO server! For instance, when your BO server is known as BO4, substitute palmtree with BO4
  • mywin in the below example is alias name that you can name the way you want.

2. Generate keystore and certificate

  1. Run PKCS12Tool program to generate keystore
    PKCS12Tool Windows location: <INSTALLDIR>\SAP BusinessObjects Enterprise XI4.0\java\lib
    PKCS12Tool Unix location: <INSTALLDIR>/sap_bobj/enterprise_xi40/java/lib
    (Windos command line example: "C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\java" -jar PKCS12Tool.jar -alias mywin -storepass admin1 -dname CN=palmtree -disablefips)
    storepass: the password needed to open the keystore. Use a secure password.
    CN=palmtree: defines the name of the BO server. If you BO server's name is BO4, use CN=BO4

    Keystore file is genereated at this location

    The command creates the keystore.p12 as well as the cert.der file.

  2. Generate certificate with keytool
    Enter keystore password which is defined in the previous step. (In this example the password is: admin1)
    (Windows command line example: "C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\keytool" -exportcert -keystore keystore.p12 -storetype pkcs12 -file cert.der -alias mywin )

How to setup SSO against SAP BW with SAP BO BI4.0 Common Semantic Layer (UNX) or BICS
Import SAP BO BI4.0 certificate into SAP BW
Setup of SAP SSO Service in SAP BO BI4.0 CMC
Setup of SSO againt SAP BW for SAP BO BI4.0 BICS or JCO connections

  • No labels


  1. Former Member

    Very nice instruction!

    I am running a 2 server (Windows 2008) cluster in our Production system.  Each server runs a full stack of BI services, including CMS, to provide complete redundancy in case of hardware failure on one of the servers.  I would like to know if we need to specify both servers in the DBNAME parameter to ensure the SAP SSO certificate  will continue to work in case we lose 1 of the 2 servers.  My thinking is that if we specify Server1 in DBNAME (-dbname CN=Server1) SAP SSO will stop working if we lose Server1.  Likewise for Server2. 

    "C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\java" -jar PKCS12Tool.jar -alias mywin -storepass admin1 -dname CN=????? )

    Let's say our cluster consists of the following components:

    Cluster Name:      ClusterA

    1st Server Name:      Server1

    2nd Server Name:     Server2

    Does the syntax of DBNAME accept something like  "-dbname CN=Server1,Server2" 


    Thanks in advance for any idea or suggestions.

  2. The value for –dname can be anything unique…. Not needed to be a machine or clustername. For instance “-dname CN=STSINDEV” could be used. I like to use something that indicates it’s for a particular environment.

  3. Former Member

    Hello to all,

    where has to be keystore and certificate stored in the distributed installation, exactly? 

    a) It does not matter, it will be read from location, you specified in the SAP SSO Authentication tab and then it will be stored to the CMS database and read from it.

    b) It has to be stored to all (processing) hosts.

    c) It is enough to store it to location, where the Security Token Service is running.

    What is a correct choice?

    Thank you.

    1. A is the correct answer, once loaded to the repository the files them self are not needed.


  4. Hello!

    What's the difference between cert.der is generated by pkcs12tool.jar and keytool? And which of them have to be imported in SAP BW?

    And what does the "Private key password" mean on the "Options" tab in CMC where the SSO is configured? Where I can get it or set by the tools?

    Many thanks!


  5. Former Member

    Well since it did not work in serveral installations when Designstudio needed SSO - We had to redo it -and had a look that the ALIAS was in Capital Letters - the private key password is imho the same as defined!

    • Wobi