Page tree
Skip to end of metadata
Go to start of metadata


Since SSO is needed in both FS-QUO (on NetWeaver server) and FS-IPW (on ABAP server), however, at the time that either side of the server is newly set up, they do not recognize each other as a trusted system.

In this document, the steps of instructions on how to set SSO between the two systems are introduced in detail.

Three parts are touched to finish this task:

  1. The NetWeaver Admin Console (NWA) of the FS-QUO instance
  2. The Web Dispatcher of the FS-QUO instance's VM
  3. The ABAP Server hosting the FS-IPW apps


  1. Add the ABAP server to FS-QUO's trusted server list through NWA:
    1. Login to FS-QUO NWA
    2. Navigate to Configuration > Trusted System
    3. Under Trusted Systems, click Add Trusted System > By Querying trusted system
    4. Then the new frame will show up. Follow the steps to fill out the entries:

                                                    i.     Under System Type: Select ABAP

                                                   ii.     For Host Name, it would be rdfornaxXX (XX dependent on which ABAP server you want to use)

                                                  iii.     For System Number, enter the last digit displayed against the instance's thin client in SAP MMC

  • It would be 02 in the following example

                                                  iv.          Client: 100

                                                   v.          User NameADMIN

                                                  vi.          Password: <same_as_master_password>

                                                vii.          Click Next & Finish


  1. Export the NW's license (Marked as NWA_CERT) - Follow recreation if this instance was created Via System copy = Recreating the SAPLogonTicketKeypair 
    1. In the same NWA, Navigate to Configuration > Security > Certificate and keys
    2. Select TicketKeystore
    3. Export the SAPLogonTicketKeypair-cert (Format: Base64)
      NOTE: This would be used to be imported into ABAP server's trust list later


Web Dispatcher Setup

  1. 1.     Open SAPMMC.
  2. Make sure the following is done before look into WD server:
    1. Open the profile of the WD under D:\usr\sap\XWD\SYS\profile\XWD_WXX_mo-xxxxxxxxx, check if or not the lines similar to the sample file exist (if not, add them by customizing the values): EWD_W12_mo-b58cedd00.txt (the original file is a plain text file, which means it doesn't have ".txt" file extension.) NOTE:

                                                    i.     To finish the task of this wiki page, FS-IPW Settings section must be added by customization.

                                                   ii.     Changes may include:

  1. Comment out the line starting with "wdisp/system_0 = ... MSHOST=<same_host>" (the Message Server set up to point to the same host as the WD), then make sure the other line starting with "wdisp/system_0" and similar format is NOT commented out, because the MSHOST needs to be changed to an IPW server.
  2. In the lines starting with "wdisp/system1" or 2 or 3, replace the SID's with the new SID's, as well as the following MSHOST values.
  3. Example :


        1. In SAP MMC, restart the         WD server.
  1. Obtaining the certs for the IPW and QUO instances:
    1. Navigate to <WebdispatcherSID> ->  <instance_icon>  -> Web Dispatcher
    2. Sign in as webadm/<master_password>
    3. Look at both IPW and QUO instance (eg. <IPW INSTANCE SID>, <QUO INSTANCE SID>), and do the following for both:

                                               i.          View Monitor Application Servers

                                              ii.          In the view page on the right side, click on the instance name as the below, and choose Direct HTTPS ping to Server. Make sure it prompts up the result in an IE browser page.


                                                  iii.          In the IE browser, if a warning shows up, just choose Continue to this website

                                                  iv.          In the result page, beside the address bar, click on the red cross icon , and click View Certificates

                                                   v.          In the prompt up window, click Details tab, and click on Copy to File button.Download the cert (base 64).

  1. Be ready to copy contents of both certs (for Step 5). NOTE: If the pse does not exist, you would have to create it with Distinguished Name: CN=SAPNetCA, OU=SAPNet, O=SAP-AG, C=DE) (You can also look at an existing server, change the filter to pem and copy it over.)


  1. Server PSE (SAPSSLS.pse) setup:
    1. In WD view, navigate to SSL and Trust Configuration -> PSE Management.
    2.  Under Manage PSE block, navigate the dropdown menu to SAPSSLS.pse. 
    3. Import the following SSO_CA root CA certificate, so that the WD can ask the client for a certificate signed by this root CA: 
      1.                                                i.          Go to Trusted Certificates --> Import Certificate
      2.                                               ii.          Copy and paste below Code Block including BEGIN and END comments and click import.  The screen should show in green "Imported Certificate into PK List of PSW SAPSSLS.pse"
    1. *OPTIONAL* Make       sure that this WD server has a signed cert: Signing       a certificate from SAP Web Dispatcher for internal development use















  1. Client      PSE (SAPSSLC.pse) setup:
    1. Select       the SAPSSLC.pse
    2. In Trusted Certificates block,       import the two certs (for JAVA backend and ABAP) as downloaded above in       Step 3:
      2. Import        the public certificate of the Java back-end server, so that the Java        back-end server can accept HTTPS requests from the WD.
      4. Import        the public certificate of the ABAP front-end server, so that the ABAP        front-end server can accept HTTPS requests from the WD.

  2. Restart the WD      server. 
  3. Confirm      that Connections outlined in the WD profile file are GREEN/PINGABLE. Login      to Web dispatcher > Dispatching Module > Backend system Info.          


  1. Go to the VM with the ABAP server that hosts IPW apps (eg. rdfornaxXX).
  2. Go to SAP Logon on that machine:
    1. If the variable logon is not on the list, create one as follows (Otherwise, skip to this step):
      1.                                                                              i.          Click the Variable Logon (white paper icon) on the top
      2.                                                                             ii.          Choose User Specified System, and click Next
      3.                                                                            iii.          In the new prompted screen, fill in the form as follows:

Connection Type

Custom Application Server


<SID> [localhost] (this part can vary)


localhost (if you want to log in on the same machine)


 00 (or find out the instance number of the   "thin server" of the ABAP instance)





  1.                                                                            iv.          Click Finish
  2. Under Connections folder, open the logon shortcut named by the ABAP server SID
  3. Login as client 100, ADMIN/<Master_Password>
  4. After successfully login to the system, navigate to transaction: STRUSTSSO2
  5. Import FS-QUO SAP Logon certificate through the following steps:
    1. Change the action mode from View to Edit by clicking the small icon on top-left corner (Glasses and pencil) or pressing (Ctrl+F1)
    2. In the block titled "Certificate", click the button "Import Certificate" at the bottom.
    3. In the newly prompted window, browse the file path of the certificate exported from NWA(NWA_CERT mentioned above), and click "OK"
    4. In the same block, click buttons: Add to certificate list and Add to ACL
    5. Enter the NetWeaver instance's SID where FS-QUO resides and client 000 when prompted.
    6. To check the result, in the bottom block "LogonTicket", confirm that <SID> client 000 is included.
    7. Save the changes by clicking on the disk button on the top bar.


Now it is possible to login to IPW front-end Fiori Launchpad using your IPW users (that already have permissions that are allowed to open the apps).

  • No labels