
HTTP Request to BasicAuthentication Destination fails on first request

gregorw
Active Contributor

Hello SAP Cloud Platform Experts,

I try to expose an OData Service from my ABAP Developer Edition which can be called directly via HTTPS and Basic Authentication on the Cloud Platform. There OAuth with Authorization Grant "Client Credentials" should be used. I use the Connectivity Proxy which was initially provided by SAP and Former Member already added OAuth authentication in his fork. But the first request to the service always fails. Only the second request, when the cookies from the first request are provided, works.

You can watch this video to see all in action.

Looking forward to your help.

Best regards
Gregor

Accepted Solutions (0)

Answers (1)


gregorw
Active Contributor

Thanks to a tip from Former Member I've checked the ICF trace and found the following. The raw HTTP request contains the authorization header with the basic authentication data maintained in the SCP Destination:

[Thr 139668118963968] HTTP request (raw) [0/163/1]:
[Thr 139668118963968]   GET /sap/opu/odata/sap/ZSEPMRA_C_SALESORDER_EXT_CDS/SEPM_I_Country?$format=json&$select=Country,Country_Text&sap-language=EN&$top=10 HTTP/1.1
[Thr 139668118963968]   cache-control: no-cache
[Thr 139668118963968]   postman-token: c8082288-a71f-42ca-ba80-8cfe9a699734
[Thr 139668118963968]   user-agent: PostmanRuntime/7.1.1
[Thr 139668118963968]   accept: */*
[Thr 139668118963968]   accept-encoding: gzip, deflate
[Thr 139668118963968]   connection: keep-alive
[Thr 139668118963968]   x-forwarded-for: 178.27.224.226
[Thr 139668118963968]   host: u1604snw75.basic.auth:44300
[Thr 139668118963968]   authorization: XXX
[Thr 139668118963968] Connection Info: role=Server, local=u1604snw75.dummy.nodomain:44300, peer=192.168.255.32, protocol=HTTPS
[Thr 139668118963968] <<- SapSSLGetPeerInfo(sssl_hdl=7f06c80012c0)==SAP_O_K
[Thr 139668118963968]     out: subject  = "CN=u1604snw75-system, O=CSW, C=DE"
[Thr 139668118963968]     out: issuer   = "EMAIL=gregor@computerservice-wolf.com, CN=CSW Root CA, OU=IT, O=Computerservice Wolf, L=Tacherting, SP=Bavaria, C=DE"
[Thr 139668118963968]     out: cert_len = 1496
[Thr 139668118963968]     out: cipher   = "TLS_RSA_WITH_AES128_GCM_SHA256"
[Thr 139668118963968] Client certificate info: subject="CN=u1604snw75-system, O=CSW, C=DE", issuer="EMAIL=gregor@computerservice-wolf.com, CN=CSW Root CA, OU=IT, O=Computerservice Wolf, L=Tacherting, SP=Bavaria, C=DE"

But this request isn't directly processed. And the rewritten data contains this:

[Thr 139668118963968] HTTP request (rewritten) [0/163/1]:
[Thr 139668118963968]   GET /sap/opu/odata/sap/ZSEPMRA_C_SALESORDER_EXT_CDS/SEPM_I_Country?$format=json&$select=Country,Country_Text&sap-language=EN&$top=10 HTTP/1.1
[Thr 139668118963968]   cache-control: no-cache
[Thr 139668118963968]   postman-token: c8082288-a71f-42ca-ba80-8cfe9a699734
[Thr 139668118963968]   user-agent: PostmanRuntime/7.1.1
[Thr 139668118963968]   accept: */*
[Thr 139668118963968]   accept-encoding: gzip, deflate
[Thr 139668118963968]   connection: keep-alive
[Thr 139668118963968]   x-forwarded-for: 178.27.224.226
[Thr 139668118963968]   host: u1604snw75.basic.auth:44300
[Thr 139668118963968]   authorization: XXX
[Thr 139668118963968]   ssl_client_cert: MIIF1DCCA7ygAwIBAgIBFTANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExEzARBgNVBAcMClRhY2hlcnRpbmcxHTAbBgNVBAoMFENvbXB1dGVyc2VydmljZSBXb2xmMQswCQYDVQQLDAJJVDEUMBIGA1UEAwwLQ1NXIFJvb3QgQ0ExLjAsBgkqhk
[Thr 139668118963968]   ssl_cipher_usekeysize: 128
[Thr 139668118963968]   ssl_cipher_suite: 009c

Besides the authorization header we now also have an ssl_client_cert. And because the "Logon Through SSL Certificate" is listed before the "Basic Authentication" in the Logon Procedure List of the ABAP System, the authentication is tried for the ssl_client_cert. But this fails, as the certificate provided is the SAP Cloud Connector System Certificate required for the transport authentication for Principal Propagation. And instead of now using the authorization header, I get this:

[Thr 139668118963968] HTTP response (raw) [0/163/1]:
[Thr 139668118963968]   HTTP/1.1 401 Unauthorized
[Thr 139668118963968]   content-type: text/html; charset=utf-8
[Thr 139668118963968]   content-length: 1030
[Thr 139668118963968]   sap-system: NPL
[Thr 139668118963968]   www-authenticate: Basic realm="SAP NetWeaver Application Server [NPL/001]"
[Thr 139668118963968]   content-encoding: gzip
[Thr 139668118963968]   set-cookie: sap-usercontext=sap-language=EN&sap-client=001; path=/
[Thr 139668118963968]   set-cookie: sap-ssolist=O2M9dTE2MDRzbnc3NV9OUExfMDBfMDAx; path=/

To fix it, I've created an SICF Alias for the path /sap/opu/odata/sap/ZSEPMRA_C_SALESORDER_EXT_CDS and maintained this sequence in the Logon Procedure List:

1 Basic Authentication
2 Logon Through SSL Certificate

Now both my Destinations work in parallel. The one with a maintained user using basic auth and also the one with principal propagation.

Best regards
Gregor
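
A check for the pattern found in the ICF trace above, as an added example that is not part of the original post: it parses trace lines in the layout quoted there and reports connections where the rewritten request carried both an authorization header and an ssl_client_cert header but was answered with a 401 Basic challenge. The function names are hypothetical, and the sample trace is abridged from the one in the answer with the certificate replaced by a placeholder.

```python
import re

# Sample input: abridged from the ICF trace quoted in the answer above;
# the certificate value is replaced by a placeholder.
SAMPLE_TRACE = """\
[Thr 139668118963968] HTTP request (raw) [0/163/1]:
[Thr 139668118963968]   GET /sap/opu/odata/sap/ZSEPMRA_C_SALESORDER_EXT_CDS/SEPM_I_Country HTTP/1.1
[Thr 139668118963968]   authorization: XXX
[Thr 139668118963968] Connection Info: role=Server, local=u1604snw75.dummy.nodomain:44300, peer=192.168.255.32, protocol=HTTPS
[Thr 139668118963968] HTTP request (rewritten) [0/163/1]:
[Thr 139668118963968]   GET /sap/opu/odata/sap/ZSEPMRA_C_SALESORDER_EXT_CDS/SEPM_I_Country HTTP/1.1
[Thr 139668118963968]   authorization: XXX
[Thr 139668118963968]   ssl_client_cert: <certificate placeholder>
[Thr 139668118963968] HTTP response (raw) [0/163/1]:
[Thr 139668118963968]   HTTP/1.1 401 Unauthorized
[Thr 139668118963968]   www-authenticate: Basic realm="SAP NetWeaver Application Server [NPL/001]"
"""

# Layout assumed from the trace above: a section header, then lines indented three spaces.
SECTION = re.compile(r"^\[Thr \d+\] HTTP (request|response) \((raw|rewritten)\) \[([\d/]+)\]:$")
BODY = re.compile(r"^\[Thr \d+\] {3}(.*)$")

def parse_trace(text):
    """Map (conn_id, 'request'|'response', 'raw'|'rewritten') to its start line and headers."""
    messages, current = {}, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            current = messages.setdefault((m[3], m[1], m[2]), {"start": None, "headers": {}})
        elif (m := BODY.match(line)) and current is not None:
            if current["start"] is None:
                current["start"] = m[1]          # request line or status line
            else:
                name, _, value = m[1].partition(":")
                current["headers"].setdefault(name.strip().lower(), []).append(value.strip())
        else:
            current = None                       # any other trace line ends the header block
    return messages

def cert_shadowed_basic_auth(messages):
    """Connection ids whose request carried both credentials yet got a 401 Basic challenge."""
    hits = []
    for (conn, kind, stage), msg in messages.items():
        resp = messages.get((conn, "response", "raw"))
        if (kind, stage) != ("request", "rewritten") or not resp or not resp["start"]:
            continue
        both = {"authorization", "ssl_client_cert"} <= msg["headers"].keys()
        basic = any(v.lower().startswith("basic") for v in resp["headers"].get("www-authenticate", []))
        if both and basic and resp["start"].split()[1:2] == ["401"]:
            hits.append(conn)
    return hits
```

A hit on a path served through a Basic Authentication destination points at the logon procedure order described in the answer.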

florian_royer
Participant

We had the exact same problem and your solution also solved our issue.

Thank you very much for your post!