
Unable to create subaccount in sap cloud connector

Hi Experts,

I am unable to create subaccount in SAP Cloud Connector for our SCP instance located in US Ashburn (us1.hana.ondemand.com). Getting error below:

Please note that I am able to create subaccount for the trial account (hanatrial.ondemand.com) and connect to it without any issue.

  • In the log, I can find the error: #Preparation of tunnel certificate for [account_id]@us1.hana.ondemand.com account failed.
  • I found a few SAP notes (2494823, 2377425) regarding this issue which did not help.
  • I am using https proxy, subaccount name, user, password correctly.

Cloud connector component versions:

Any idea?


6 Answers

  • Best Answer
    May 08 at 05:47 AM

    I am able to connect when I tried to connect from the browser within the server (logged in to SCC using https://localhost:8443). Sounds weird, but it worked.


  • May 06 at 06:29 PM

    Hi Arijit

    Have you checked whether the required SCP hosts are reachable from the proxy? For US1, the hosts are:

    The list can be found in the Network section of the Prerequisites page.

    Also, the user needs the Cloud Connector Admin role in the subaccount, but that should result in a different error message.

    Regards,

    Morten


    • Hi Arijit

      If you have access to the server, you should be able to go directly to those host names (port 443). That is, of course, assuming that the browser on the Cloud Connector host uses the same proxy as Cloud Connector is configured to use.

      Regards,

      Morten

  • May 06 at 06:29 PM

    Hi Arijit,

    do you have the right role in your subaccount? Admin or SCC admin?

    Best,

    Matthi


  • May 07 at 09:26 AM

    Hi Arijit,

    The cloud connector log file contains the entry where the "500" error code is logged. Could you find that in the ljs_trace.log file? The reason should be logged as well.

    If the access from browser works to the certificate signing service, ensure that the same proxy settings are applied in the cloud connector.

    Best regards,

    Antal


    • Hi Antal,

      There is no "500" error code logged in the ljs_trace.log file. I am using the same proxy settings in the cloud connector as well.

      Regards,

      Arijit

  • May 07 at 08:55 AM

    In the log I found:

    When I successfully connect to the trial account, the sequence of events logged is as below:

    #Creating an sslContextProvider for account p925088trial@hanatrial.ondemand.com without SSLContext. Keystore did not contain a certificate.|
    #New RSA keypair was generated. Key size used 4096, time 72192 ms|
    #Will retrieve Connectivity CA certificate from SAP Cloud Platform|
    #Executing Http Get request to https://connectivitycertsigning.hanatrial.ondemand.com:443/certificate/management/v1/trusted/ca/account/p925088trial|
    #Returned Http Response with code 200|
    #Connectivity CA certificate retrieved successfully from SAP Cloud Platform|
    #Send Certificate Signing Request for cloud connector certificate to SAP Cloud Platform|
    #Executing Http Post request to https://connectivitycertsigning.hanatrial.ondemand.com:443/certificate/management/v1/sign/account/p925088trial|
    #Returned Http Response with code 200|
    #Cloud Connector certificate signed successfully by SAP Cloud Platform|
    #User Administrator starting Tunnel account:///p925088trial for account SCP Trial in region hanatrial.ondemand.com|
    #Sending handshake request for tunnel: account:///p925088trial and host connectivitynotification.hanatrial.ondemand.com:443|
    #Registered tunnel channel [id: 0xf60107b5, L:/<server_ip>:52402 - R:/<proxy_ip>:<port>] for tunnel id "account:///p925088trial" and client id "16A8DAF051B711E88471C9A80A1F6545"|
    #Successfully established tunnel channel to notification service: [id: 0xf60107b5, L:/<server_ip>:52402 - R:/<proxy_ip>:<port>]|

    When trying to connect to the productive instance, the logged events are as below:

    #Creating an sslContextProvider for account <subaccount_id>@us1.hana.ondemand.com without SSLContext. Keystore did not contain a certificate.|
    #New RSA keypair was generated. Key size used 4096, time 250558 ms|
    #Will retrieve Connectivity CA certificate from SAP Cloud Platform|
    #Executing Http Get request to https://connectivitycertsigning.us1.hana.ondemand.com:443/certificate/management/v1/trusted/ca/account/<subaccount_id>|
    #Tunnel account:///<subaccount_id> is inoperative. SccEndpoint com.sap.scc.config.TunnelSccEndpoint@25cb0c0b ok, and context == null|
    #Preparation of tunnel certificate for <subaccount_id>@us1.hana.ondemand.com account failed.

    I have tried to open the url https://connectivitycertsigning.us1.hana.ondemand.com:443/certificate/management/v1/trusted/ca/account/subaccount_id in browser within the server and it first prompts for credentials and then returns the certificate. Hence, I assume the host is reachable.
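
The comparison of the two traces in the post above can be automated. This Python code is an added example (not part of the original thread and not SAP tooling) that reports the last setup milestone reached in ljs_trace.log-style lines and any HTTP request that never got a response line. The milestone names and the `diagnose` function are hypothetical; the message fragments are taken from the log lines quoted in the post.

```python
import re

# Milestones in the order the successful trial-account trace logs them
# (message fragments copied from the log lines quoted in the post).
MILESTONES = [
    ("keypair", "New RSA keypair was generated"),
    ("ca_request", "Executing Http Get request to"),
    ("ca_retrieved", "Connectivity CA certificate retrieved successfully"),
    ("csr_request", "Executing Http Post request to"),
    ("cert_signed", "Cloud Connector certificate signed successfully"),
    ("handshake", "Sending handshake request for tunnel"),
    ("tunnel_up", "Successfully established tunnel channel"),
]
REQUEST = re.compile(r"Executing Http (Get|Post) request to (\S+?)\|?$")
RESPONSE = re.compile(r"Returned Http Response with code (\d{3})")

# Constructed sample: the failing us1 sequence from the post, abridged.
FAILED_TRACE = [
    "#New RSA keypair was generated. Key size used 4096, time 250558 ms|",
    "#Will retrieve Connectivity CA certificate from SAP Cloud Platform|",
    "#Executing Http Get request to https://connectivitycertsigning.us1.hana.ondemand.com:443"
    "/certificate/management/v1/trusted/ca/account/<subaccount_id>|",
    "#Preparation of tunnel certificate for <subaccount_id>@us1.hana.ondemand.com account failed.",
]


def diagnose(lines):
    """Report how far tunnel setup got and any request that got no response."""
    reached, statuses, pending = [], [], None
    for line in (raw.strip() for raw in lines):
        for name, fragment in MILESTONES:
            if fragment in line and name not in reached:
                reached.append(name)
        if (m := REQUEST.search(line)):
            pending = (m.group(1).upper(), m.group(2))  # awaiting a response line
        elif (m := RESPONSE.search(line)):
            statuses.append(int(m.group(1)))
            pending = None
    missing = [name for name, _ in MILESTONES if name not in reached]
    return {
        "last_reached": reached[-1] if reached else None,
        "first_missing": missing[0] if missing else None,
        "unanswered_request": pending,
        "http_statuses": statuses,
    }


if __name__ == "__main__":
    print(diagnose(FAILED_TRACE))
```

For the us1 trace it reports the CA certificate GET as unanswered with no HTTP status logged, so the failure occurred before any HTTP response was received.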



  • May 08 at 11:13 AM

    Did the CA certificate you uploaded into the Cloud Connector contain the KeyCertSign attribute? If not, it needs to. This is a key attribute that needs to be included in your CA certificate so maybe check this again.

    Thanks

    Phil Cooley
