Logging in to the BI Portal with an administrative account you need to go to the following path

  1. http://domain.com:52000/irj/portal
  2. System Administration
  3. System Configuration
  4. Keystore Administration
  5. In the table above we can see the expiration date.


  6. Now we generate new certificate via Virtual Admin
  7. Go “Server”, then “Services” and then find and click once on “Key Storage” in the “Services” list. You will be presented with the below screen.


  8. Now we click create in the Entry area.


  9. An entry name “SLTKNEW” for now
  10. The Common Name (CN) 
  11. The Organization Unit Name (OU) 
  12. We have given the certificate a validity period of 10 years in place of 1 year that was previously assigned.
  13. We need to check “Store Certificate”
  14. Leave the Key Length as the default of “1024”
  15. User the drop down on “Algorithm” and choose “DSA”
  16. Once done choose “Generate” and looks like below

  17. Now we can activate and use the new key certificate.


  18. Once we have verified that the old and the new are aligned with regards to their common attributes and the new one is active for usage we need to export the old one to keep it safe for now. This is done by clicking on the “Entry” then “Export” button.


  19. Now that we have a protected backup of the original we can instate the new one we have just created. To do this we can either delete the old one or in this case (recommended) rename the old one for now.

  20. We have chosen to rename it using a timestamp identifier of “20110103” to indicate the date this was renamed. We need to do the same with its pair (Private Key).



  21. Once this is done we take the names of the original duo and reuse them on the new ones we have just generated. Please note that these need to be given exactly the same name as the original names and are case sensitive.


    1. SLTKNEW is now (SAPLogonTicketKeypair)
    2. SLTKNEW-cert is now (SAPLogonTicketKeypair-cert)



  22. Once this has been done we can then log back into the BI Portal and verify the effectiveness of the change.





  23. We may now export the certificate to Abap system.
  24. Start by pressing the download verify .def file button above and save the file to your machine.
  25. To import, go STRUSTSSO2
  26. Click import certificate

  27. Locate the certificate you wish to add.

  28. Now check the certificate
  29. Once we have verified that the new certificate is in place. Simply delete the old one from the list using the “Delete” button once you have verified you are highlighting the correct - outdated certificate in the list
  30. Now that we have renewed the certificate we need to ensure that the old entries are removed from the ACL and that the new one is re-added as it is has a different Serial Number as previously discussed.

  31. To do this, delete one at a time and then replace it. We have started by deleting the ACL entry for B0M against client “000” first and then re-adding it as in the below screenshot

  32. We have then deleted and re-added the entry for the non-existent client “999” as follows.

  33. The resultant output is that we now have the ACL also updated with the latest certificate information for the SSO to function correctly. If this is not done and the old entries are attempted to be re-used then the resultant outcome is an issue when loading web templates as follows


  34. The below screenshot is what we are meant to see in a BI Dual Stack installation once we have completed all the necessary tasks.


  35. Completed