If your SAP system is running on a BASIS system earlier than 6.20, you must use the files listed
below: (These files are ANSI.)
Open SQL Connectivity transport (K900128.r22 and R900128.r22)
Info Set Connectivity transport (K900121.r22 and R900121.r22)
Row-level Security Definition transport (K900122.r22 and R900122.r22)
Cluster Definition transport (K900123.r22 and R900123.r22)
Authentication Helpers transport (K900124.r22 and R900124.r22)
If your SAP system is running on a 6.20 BASIS system or later, you must use the files listed below:
(These files are Unicode enabled.)
Open SQL Connectivity transport (K900732.R21 and R900732.R21)
Info Set Connectivity transport (K900688.r21 and R900688.r21)
Row-level Security Definition transport (K900689.r21 and R900689.r21)
Cluster Definition transport (K900690.r21 and R900690.r21)
Authentication Helpers transport (K900691.r21 and R900691.r21)
The following files must be used on an SAP BW system:
(These files are Unicode enabled.)
Content Administration transport (K900722.r21 and R900722.r21)
Personalization transport (K900748.r21 and R900748.r21)
ODS Connectivity transport (K900695.r21 and R900695.r21)
If your SAP BW system has not applied SAP Note 1232751, you must use the file listed below:
MDX Query Connectivity transport (K900744.r21 and R900744.r21)
If your SAP BW system has applied SAP Note 1232751, you must use the file listed below:
MDX Query Connectivity transport (K900047.R72 and R900047.R72)
Copy the relevant data files and cofiles to the /usr/sap/trans/data and /usr/sap/trans/cofiles
directories of the relevant SAP systems (ERP / BW). Then add them to the import queue and import
them using transaction STMS.
For ERP:
For BW:
Note: If SAPKW70102 or SAPKW71101 (or SAP Note 1232751) has been implemented, then use
K900047.R72; otherwise use K900744.R21.
Create a new Service user called CRYSTAL and assign the role to it.
Double-click on SAP.
Last Updated By: Kevin Ooi, 30-May-2014
Click Update.
Note: The Role Import was not done and was left to the SBOP BI team to perform, depending on the S&A
strategy and approach to be adopted. Only the CRYSTAL_ENTITLEMENT role was imported.
platform. You may need to ask your administrator for the name of the web server, the port
number, or the exact URL to enter.
3. From the Authentication Type list, select SAP.
4. Type the SAP system and system client that you want to log on to.
5. Type the user name and password of a mapped user.
6. Click Log On.
7. You should be logged on to BI launch pad as the selected user.
2. Ensure that you have SAP administrator's credentials within SAP and for the machine
running SAP, and administrator's credentials for BI platform and the machine (or machines)
it is running on.
3. On the SAP (BID) machine, copy the SAP Cryptographic Library and the SAPGENPSE tool to
the <DRIVE>:\usr\sap\BID\SYS\exe\uc\NTAMD64 directory (on Windows).
4. Locate the file named "ticket" that was installed with the SAP Cryptographic Library, and
copy it to the <DRIVE>:\usr\sap\<SID>\<instance>\sec\ directory (on Windows).
5. Create an environment variable named SECUDIR that points to the directory where the
ticket resides.
Note: This variable must be accessible to the user under which SAP's disp+work process
runs.
6. In the SAP GUI, go to transaction RZ10 and change the instance profile in Extended
maintenance mode.
7. In profile edit mode, point SAP profile variables to the Cryptographic Library and give the
SAP system a Distinguished Name (DN). These variables should follow the LDAP naming
convention:
8. Enter the following profile values, substituting for your SAP system where necessary:
13. To assign a password to the SNC PSE, click the lock icon.
Note: Do not lose this password. You will be prompted for it by STRUST every time you view
or edit the SNC PSE.
14. Save the changes.
Note: If you do not save your changes, the application server will not start again when you
enable SNC.
15. Return to transaction RZ10 and add the remainder of the SNC profile parameters:
16. Restart your SAP system. You must now configure BI platform for server-side trust.
Extract the SAPCRYPTOLIB.SAR file to a temporary folder. Then create the folder C:\Program
Files\SAP\Crypto. Copy the files from the ..\nt-x86_64 folder to this newly created folder. Then create
a sub-folder \sec and copy the file 'ticket' from the extracted SAPCRYPTOLIB.SAR file to this folder.
Pin: KLKOLEO1
DN: CN=BOE, OU=PG, O=BOBJ, C=CA
Go to transaction STRUST:
Click Save.
Go to transaction SNC0.
The SAP Cryptographic Library is installed on the BI platform machine. You have created a PSE that
will be used by BI platform servers to identify themselves to SAP servers. SAP and the BI platform
PSE have exchanged certificates. SAP permits entities with access to the BI platform PSE to perform
RFC calls and password-less impersonation.
sapgenpse.exe maintain_pk -l
If Active Directory (or LDAP) Single Sign-On is configured (client-side SNC), then key in the SNC
name for the users. For example, SNC Name = p:<username>@<domain>, such as p:John.Smith@ACME.COM.
2.6.3 Importing the certificate file into the target ABAP SAP system
Launch transaction STRUSTSSO2.
3 Troubleshooting