Welcome to the third part of the SAP Fiori Customization Samples tutorial series. In this tutorial I am going to show you how to configure Single Sign-On between a Fiori Launchpad deployed on a BW system, and SAP Business Objects.

A FLP with BO Reports integrated, comes with the need of entering the credentials for the SAP Business Objects server when accessing a report, a step that can be resolved once you have Single Sign-On implemented on your system. 


Having HTTPS configured/SSL Certificate is a must when you want to use the SSO functionality, because of course we are talking about accessing a server without entering it’s credentials, therefore a first word that steps in is SECURITY. 


In the next steps I will show you how to configure HTTPS on the SAP Business Objects server and after that, I will guide you through the SSO configuration. 

  1. HTTPS Setup 

In order to setup the HTTPS communication over port 8443 please access the command line where your Business Objects server is hosted. 

Please make sure that you are on the right path with administrator rights.  

  • Search for your sapjvm folder and access the bin folder. 


Run the following command to generate a keystore.

Single Sing-On SAP Fiori

Although the Keytool.exe file has many parameters, we will specify the an alias, the keysize, the keyalgorithm and the name of the keystore which is going to be generated. 

When running the command it prompts for a few inputs.

Input Command Single Sing-On

Please be sure that you enter the relevant data for your scenario. In my case I have entered some dummy data. You are asked first to choose a password, and some company details. First question „What is your first and last name?” is the most important one, here to need to specify the host name registered over the internet. After entering the all data and the password again, the keystore is generated in the bin folder.  

Now, based on this keystore, we have to generate a certificate file, which will be later uploaded on the BW side. 

Use the following command. 

Certificate Generation Single Sing-On

With the same keytool file we specify the same alias, the name of the certificate which is going to be generated, the name of the keystore file that was generated earlier and the password which we’ve used in the previous step. 

After running the command, move the generated files into a separate folder.  Now we need to modify the server.xml file for tomcat. You can find this file under:

File path

Open the file and configure the following settings:

HTTPS File Details

Connector port = 8443 

SSLEnabled = true 

Secure = true 

keystorePass = password configured when generating the keystore 

keystoreFile = location where you have moved the file 

Restart tomcat services and verify if HTTPS links is accessible.

BO Launchpad Access

Please keep in mind that the https is crossed and not secure because the certificate must be signed by a Certified Authority. 

2. SSO Setup 

We generate a pkcs file and a .cer file with the following command: 

Key store and Certificate Generation

We gave it an alias with capital letters, the name is not important but SAP ABAP takes it in caps so it is better to write it with capital letters. A password exactly like in the previous step, and the point of keeping the same CN name is that it will allow the domain to be kept the same across different products. 

Generated Files

On the left side we have the generated files in a separate folder. 

We need to upload both certificates, the one generated in the SSL Setupt and the other one in the SSO Setup, into a BW transaction called STRUSTSSO2. 

Log in into your system with administrator rights and access the transaction. 

Certificate Import in BW

Import the first certificate.  

Certificate Details in BW

ress the edit button and then Add to Certificate List. After you have added the certificate to the certificate list press ADD to ACLHere you need to enter the System ID, in my case is INSPBI4, the alias I have used when I have generated the files, and the Client must be 000 because all Logons Tickets are processing through Client 000. 

ACL Setup in BW Transaction

Make sure that you follow the same steps for the second certificate as well.  After we’ve imported both certificates into the BW site (SSL Certificate and SSO Certificate), we need to import the keystore.p12 on the BO side. 

Log in into the CMC (Central Management Console) with admin rights and go to Authentication -> SAP -> Options

Central Management Console

Here you have SAP SSO Service. Configure it with your details.

Key Store Upload

System ID =  System ID choosen when you have added the certificate in the ACL (on the BW side) 

Password = your password which you have chosen 

Private Key Alias = the alias used when you’ve generated the certificates/keystores 

Upload the keystore.p12 and press Update 

Next step, check if the APS (Adaptive Processing Server) has the STS (Security Token Service) available, under Server List – explorer.AdaptiveProcessingServer – Edit Common Services. Make sure that STS is enabled. 

Available Servers in CMC

Now we need to configure some files and, files that can be found in here: 

File Path

and which can be found here: 

File Path

In each file, scroll till the end of the file and write two settings: 


The exacts same files exists in: 

File Path

Ensure that the files from here are modified as well, to be sure that the changes are kept when an upgrade happens. 

As mentioned at the beginning of this article, this video is the third part of the tutorial series SAP Fiori Customization Samples.

The first part of this series shows you how to create an SAP Fiori Launchpad on the SAP Cloud platform and add apps on the Fiori Launchpad (German version available here).

The second part explains you how to customize your Fiori Launchpad.

Don’t miss the following 2 parts.

If you have any questions about this tutorial, don’t hesitate to contact me. I will be happy to answer these questions for you.

Cristian Moldovan Junior Consultant SAP BI
Phone: +49 (0) 7031 714 660 0