
Product versions: SAP BO BI4.0

1. Import certificate into SAP BW

  1. Binary import cert.der into SAP BW with STRUSTSSO2
    Log into SAP BW and run STRUSTSSO2

    Make sure that cert.der is imported in binary format into the System PSE
  2. Add the certificate to the certificate list
    Click button "Add to Certificate List"
    Check the certificate list to make sure the certificate is in it ("CN=palmtree" in the example below)
  3. Add the certificate to ACL
    Click button "Add to ACL" to add the certificate to the Access Control List
    Enter System ID - This System ID will be used in BI4.0 CMC for setup of SAP SSO Service
    Enter Client - Client has to be 000

    Make sure that you SAVE all changes made with the STRUSTSSO2 transaction!!
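
Step 1 depends on cert.der really being binary (DER) encoded and carrying the subject you expect to see in the certificate list. The following pre-import check is an added example, not part of the original wiki page or of any SAP tool: `inspect_cert`, `read_tlv`, `children` and `constructed_sample` are hypothetical helper names, and the sample is a constructed, unsigned, certificate-shaped structure rather than a real certificate.

```python
import base64
CN_OID = bytes.fromhex("550403")  # content bytes of OID 2.5.4.3 (commonName)

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    if pos + 2 > len(buf) or buf[pos + 1] == 0x80:
        raise ValueError("truncated header or indefinite length: not DER")
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0  # number of long-form length bytes
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    end = pos + 2 + n + length
    if end > len(buf):
        raise ValueError("element runs past end of data (truncated or not DER)")
    return tag, pos + 2 + n, end

def children(buf, start, end):  # yield (tag, value_start, value_end) per element
    while start < end:
        tag, vs, start = read_tlv(buf, start)
        yield tag, vs, start

def inspect_cert(data):  # -> ("der" | "pem", subject CN or None)
    encoding = "der"
    if data.lstrip().startswith(b"-----BEGIN"):  # Base64 (PEM) armor, not binary
        body = b"".join(ln.strip() for ln in data.splitlines() if b"-----" not in ln)
        data, encoding = base64.b64decode(body), "pem"
    tag, vs, ve = read_tlv(data, 0)
    if tag != 0x30 or ve != len(data):
        raise ValueError("not exactly one DER SEQUENCE, so not a certificate file")
    fields = [f for f in children(data, *read_tlv(data, vs)[1:]) if f[0] != 0xA0]  # drop [0] version
    if len(fields) < 5:
        raise ValueError("tbsCertificate has too few fields")
    _, ss, se = fields[4]  # order: serial, sigAlg, issuer, validity, subject
    for _, rs, re_ in children(data, ss, se):  # each RDN (SET)
        for _, a_s, a_e in children(data, rs, re_):  # each attribute (SEQUENCE)
            (_, o_s, o_e), (_, v_s, v_e) = list(children(data, a_s, a_e))[:2]
            if data[o_s:o_e] == CN_OID:
                return encoding, data[v_s:v_e].decode("utf-8")
    return encoding, None

tlv = lambda tag, value: bytes([tag, len(value)]) + value  # short-form lengths only
def constructed_sample(cn, issuer_cn="constructed-ca"):  # cert-shaped, unsigned, demo
    name = lambda s: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, s.encode()))))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer_cn)
    tbs += tlv(0x30, b"") + name(cn) + tlv(0x30, b"")
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    der = constructed_sample("palmtree")  # constructed input, CN taken from the page
    pem = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
    print(inspect_cert(der), inspect_cert(pem))
```

A result of "pem" means the file is Base64 text and needs to be re-exported as binary DER before the binary import in step 1; a `ValueError` means the file is truncated or not a certificate at all.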

How to setup SSO against SAP BW with SAP BO BI4.0 Common Semantic Layer (UNX) or BICS
Setup of SAP SSO Service in SAP BO BI4.0 CMC
Setup of SSO against SAP BW for SAP BO BI4.0 BICS or JCO connections
Generate keystore and certificate for SAP BO BI4.0



  1. Former Member

    When adding the certificate to the ACL, the client definitely has to be inputted as 000 because all SAP Logons are processed on 000. The wiki says this clearly, but it bears repeating because a member of our BW admin team had inadvertently been overriding SAP’s instructions and inputting 100 for the client ID when in fact it needed to be 000. We struggled with an SSO error for OLAP Connections with WebI in the BI Launch Pad until SAP Support pointed out the client issue in the ACL and had us re-import the certificate to /nSTRUSTSSO2.

  2. Former Member

    Also, here's another painful lesson we learned that I want to share for the benefit of others:

    When using SSO, the OLAP Connection must use UPPERCASE for the SAP System Name. Using lower-case for the OLAP Connection's SAP System field will result in a Java Null pointer error when accessing the connection via WebI in the BI Launch Pad, or an "invalid password or account locked" message referring to the SAP Authentication user being locked-out if the System name for SSO OLAP Connections was in lower-case. After working with SAP Support for a while, the engineer referred us to SAP Note 2156919, which essentially says the SAP System name is case-sensitive when using STS for SSO OLAP Connections in BI 4.0 and 4.1. This is a good article to read as it hints at some peculiar mechanics going on with SSO OLAP Connections for BW.

    Furthermore, although the SAP Note doesn't mention this, the SAP Support engineer informed us that the SIA must also be restarted to clear out obscure caching areas (possibly in WebI or Dashboard Cache/Processing Servers, he said). It turned out that after hours of re-creating and re-importing certificates and key stores; hours of fiddling with upper vs. lower-case System name in OLAP Connections; and hours reviewing the SAP Authentication tab for mistakes... what was needed all along to get SSO-to-DB working correctly was simply to use an UPPERCASE System name, then restart the SIA to trigger BI 4.0 to release a bad case-sensitive cache related to the old lower-case System name. SSO then worked as expected.