
HTTP Request to BasicAuthentication Destination fails on first request

Hello SAP Cloud Platform Experts,

I try to expose an OData Service from my ABAP Developer Edition which can be called directly via HTTPS and Basic Authentication on the Cloud Platform. There OAuth with Authorization Grant "Client Credentials" should be used. I use the Connectivity Proxy which was initially provided by SAP and Former Member already added OAuth authentication in his fork. But the first request to the service always fails. Only the second request, when the cookies from the first request are provided, works.

You can watch this video to see all in action.

Looking forward to your help.

Best regards
Gregor


1 Answer

  • Jan 08 at 10:25 PM

    Thanks to a tip from Former Member I've checked the ICF trace and found the following. The raw HTTP request contains the authorization header with the basic authentication data maintained in the SCP Destination:

    [Thr 139668118963968] HTTP request (raw) [0/163/1]:
    [Thr 139668118963968]   GET /sap/opu/odata/sap/ZSEPMRA_C_SALESORDER_EXT_CDS/SEPM_I_Country?$format=json&$select=Country,Country_Text&sap-language=EN&$top=10 HTTP/1.1
    [Thr 139668118963968]   cache-control: no-cache
    [Thr 139668118963968]   postman-token: c8082288-a71f-42ca-ba80-8cfe9a699734
    [Thr 139668118963968]   user-agent: PostmanRuntime/7.1.1
    [Thr 139668118963968]   accept: */*
    [Thr 139668118963968]   accept-encoding: gzip, deflate
    [Thr 139668118963968]   connection: keep-alive
    [Thr 139668118963968]   x-forwarded-for: 178.27.224.226
    [Thr 139668118963968]   host: u1604snw75.basic.auth:44300
    [Thr 139668118963968]   authorization: XXX
    [Thr 139668118963968] Connection Info: role=Server, local=u1604snw75.dummy.nodomain:44300, peer=192.168.255.32, protocol=HTTPS
    [Thr 139668118963968] <<- SapSSLGetPeerInfo(sssl_hdl=7f06c80012c0)==SAP_O_K
    [Thr 139668118963968]     out: subject  = "CN=u1604snw75-system, O=CSW, C=DE"
    [Thr 139668118963968]     out: issuer   = "EMAIL=gregor@computerservice-wolf.com, CN=CSW Root CA, OU=IT, O=Computerservice Wolf, L=Tacherting, SP=Bavaria, C=DE"
    [Thr 139668118963968]     out: cert_len = 1496
    [Thr 139668118963968]     out: cipher   = "TLS_RSA_WITH_AES128_GCM_SHA256"
    [Thr 139668118963968] Client certificate info: subject="CN=u1604snw75-system, O=CSW, C=DE", issuer="EMAIL=gregor@computerservice-wolf.com, CN=CSW Root CA, OU=IT, O=Computerservice Wolf, L=Tacherting, SP=Bavaria, C=DE"
    

    But this request isn't directly processed. And the rewritten data contains this:

    [Thr 139668118963968] HTTP request (rewritten) [0/163/1]:
    [Thr 139668118963968]   GET /sap/opu/odata/sap/ZSEPMRA_C_SALESORDER_EXT_CDS/SEPM_I_Country?$format=json&$select=Country,Country_Text&sap-language=EN&$top=10 HTTP/1.1
    [Thr 139668118963968]   cache-control: no-cache
    [Thr 139668118963968]   postman-token: c8082288-a71f-42ca-ba80-8cfe9a699734
    [Thr 139668118963968]   user-agent: PostmanRuntime/7.1.1
    [Thr 139668118963968]   accept: */*
    [Thr 139668118963968]   accept-encoding: gzip, deflate
    [Thr 139668118963968]   connection: keep-alive
    [Thr 139668118963968]   x-forwarded-for: 178.27.224.226
    [Thr 139668118963968]   host: u1604snw75.basic.auth:44300
    [Thr 139668118963968]   authorization: XXX
    [Thr 139668118963968]   ssl_client_cert: MIIF1DCCA7ygAwIBAgIBFTANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExEzARBgNVBAcMClRhY2hlcnRpbmcxHTAbBgNVBAoMFENvbXB1dGVyc2VydmljZSBXb2xmMQswCQYDVQQLDAJJVDEUMBIGA1UEAwwLQ1NXIFJvb3QgQ0ExLjAsBgkqhk
    [Thr 139668118963968]   ssl_cipher_usekeysize: 128
    [Thr 139668118963968]   ssl_cipher_suite: 009c
    

    Besides the authorization header, we now also have an ssl_client_cert. And because "Logon Through SSL Certificate" is listed before "Basic Authentication" in the Logon Procedure List of the ABAP System, the authentication is tried for the ssl_client_cert. But this fails, as the certificate provided is the SAP Cloud Connector System Certificate required for the transport authentication for Principal Propagation. And instead of now using the authorization header, I get this:

    [Thr 139668118963968] HTTP response (raw) [0/163/1]:
    [Thr 139668118963968]   HTTP/1.1 401 Unauthorized
    [Thr 139668118963968]   content-type: text/html; charset=utf-8
    [Thr 139668118963968]   content-length: 1030
    [Thr 139668118963968]   sap-system: NPL
    [Thr 139668118963968]   www-authenticate: Basic realm="SAP NetWeaver Application Server [NPL/001]"
    [Thr 139668118963968]   content-encoding: gzip
    [Thr 139668118963968]   set-cookie: sap-usercontext=sap-language=EN&sap-client=001; path=/
    [Thr 139668118963968]   set-cookie: sap-ssolist=O2M9dTE2MDRzbnc3NV9OUExfMDBfMDAx; path=/
    

    To fix it, I've created an SICF Alias for the path /sap/opu/odata/sap/ZSEPMRA_C_SALESORDER_EXT_CDS and maintained this sequence in the Logon Procedure List:

    1 Basic Authentication
    2 Logon Through SSL Certificate

    Now both my Destinations work in parallel. The one with a maintained user using basic auth and also the one with principal propagation.

    Best regards
    Gregor
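
One way to check an ICF trace for the pattern described in the answer, as an added example that is not part of the original post: it reports requests whose rewritten form carries both `authorization` and `ssl_client_cert` and that were answered with 401. The sample trace is constructed (abbreviated from the lines above), and pairing request and response by the bracketed id such as `0/163/1` is an assumption, as is the function name.

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from the trace format shown in the answer.
SAMPLE_TRACE = """\
[Thr 1] HTTP request (raw) [0/163/1]:
[Thr 1]   GET /sap/opu/odata/sap/ZSEPMRA_C_SALESORDER_EXT_CDS/SEPM_I_Country HTTP/1.1
[Thr 1]   authorization: XXX
[Thr 1] Connection Info: role=Server, protocol=HTTPS
[Thr 1] HTTP request (rewritten) [0/163/1]:
[Thr 1]   GET /sap/opu/odata/sap/ZSEPMRA_C_SALESORDER_EXT_CDS/SEPM_I_Country HTTP/1.1
[Thr 1]   authorization: XXX
[Thr 1]   ssl_client_cert: <base64 omitted>
[Thr 1] HTTP response (raw) [0/163/1]:
[Thr 1]   HTTP/1.1 401 Unauthorized
[Thr 1] HTTP request (rewritten) [0/164/1]:
[Thr 1]   GET /sap/opu/odata/sap/OTHER HTTP/1.1
[Thr 1]   authorization: XXX
[Thr 1] HTTP response (raw) [0/164/1]:
[Thr 1]   HTTP/1.1 200 OK
"""
LINE = re.compile(r"^\[Thr \d+\] (.*)$")
SECTION = re.compile(r"^HTTP (request|response) \((raw|rewritten)\) \[([\d/]+)\]:$")

def find_cert_shadowed_basic_auth(trace):
    """Return (id, path) for 401s where cert and basic credentials were both present."""
    conns = defaultdict(lambda: {"headers": set(), "status": None, "path": None})
    section = None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m.group(1)
        sec = SECTION.match(body)
        if sec:
            section = sec.groups()          # (kind, stage, id) of the block that follows
            continue
        if section is None or not re.match(r" {2}\S", body):
            section = None                  # left the indented header block
            continue
        kind, stage, conn = section
        text = body.strip()
        if kind == "request" and stage == "rewritten":
            if text.split(" ")[-1].startswith("HTTP/"):     # request line
                conns[conn]["path"] = text.split(" ")[1].split("?")[0]
            else:                                           # header line
                conns[conn]["headers"].add(text.split(":", 1)[0].lower())
        elif kind == "response" and text.startswith("HTTP/"):
            conns[conn]["status"] = int(text.split(" ")[1])
    return [(conn, c["path"]) for conn, c in conns.items()
            if c["status"] == 401 and {"authorization", "ssl_client_cert"} <= c["headers"]]
```

Paths it reports are candidates for checking the order of the Logon Procedure List on the matching ICF service or alias.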
