Hi Victor,

You always need a valid certificate for your browser:

• Apache (Reverse Proxy), so your browser doesn't complain every time your users connect to the URL
• Tomcat (CORS): Direct Connection uses two connections, one to SAC (HTTPS) and the second one to Tomcat (also HTTPS). It won't work if Chrome doesn't trust automatically the connection to Tomcat. In KBA https://apps.support.sap.com/sap/support/knowledge/public/en/2482807 we explain that behaviour.

If you have an internal certificate authority and your computers have its root certificate installed, you can sign the certificate in Tomcat using that Certificate Authority.

Regards,

Julian

Hello Victor - please check the SAP Guided Answers at https://www.sapanalytics.cloud/guided_playlists/connect-sap-universe-live/

"

1. Set the connection type to:

• Direct, if you aren’t using reverse proxy, then specify the BI Tomcat Server’s Host and HTTPS port below that
• Path, if you have configured a reverse proxy and enter the Path Prefix “/<PATH>” value defined during reverse proxy setup

"

Source: SAP

Good luck,

Tammy

If you're using a reverse proxy (which will need a PATH connection) then in apache's httpd.conf if you add

## next 3 lines only needed if using self-signed certificates and you are not using SSL 2.4
##      Otherwise remove (comment them) to allow the remote server certificate's 
##      CN field is compared against the hostname of the request URL
##      PeerExpire checks the certificate has not expired

SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

This will allow your reverse proxy to work against a local Tomcat machine talking SSL that has a non-signed certificate. Your browser will still be prompted to trust the certificate, unless you get it signed by a Certificate Authority

Regards, Matthew

PS for universe connectivity with SAC, I'm developing a wiki site dedicated for it