
Unable to create subaccount in SAP Cloud Connector

May 06 at 04:15 PM


Hi Experts,

I am unable to create subaccount in SAP Cloud Connector for our SCP instance located in US Ashburn (us1.hana.ondemand.com). Getting error below:

Please note that I am able to create subaccount for the trial account (hanatrial.ondemand.com) and connect to it without any issue.

  • In the log, I can find the error: #Preparation of tunnel certificate for [account_id]@us1.hana.ondemand.com account failed.
  • I found a few SAP notes (2494823, 2377425) regarding this issue which did not help.
  • I am using https proxy, subaccount name, user, password correctly.

Cloud connector component versions:

Any idea?

capture.png (16.3 kB)
untitled.png (7.4 kB)
untitled2.png (21.8 kB)

6 Answers

Best Answer
Arijit Das May 08 at 05:47 AM
0

I was able to connect when I tried to connect from the browser within the server (logged in to SCC using https://localhost:8443). Sounds weird, but it worked.

Morten Wittrock
May 06 at 06:29 PM
1

Hi Arijit

Have you checked whether the required SCP hosts are reachable from the proxy? For US1, the hosts are:

The list can be found in the Network section of the Prerequisites page.

Also, the user needs the Cloud Connector Admin role in the subaccount, but that should result in a different error message.

Regards,

Morten


hosts.png (10.4 kB)

Thanks Morten.

I also think this is an issue with our corporate firewall. When I installed Cloud Connector on my personal laptop, I was able to connect without any issue.

Could you please guide me on how to check connectivity to the required IP addresses? I tried the ping command, which shows a request timed out message (but this is the same on my personal laptop as well, where the Cloud Connector works fine).


Regards,

Arijit

0

Hi Arijit

If you have access to the server, you should be able to go directly to those host names (port 443). That is, of course, assuming that the browser on the Cloud Connector host uses the same proxy as Cloud Connector is configured to use.

Regards,

Morten

0
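Added example, not part of the thread: ping uses ICMP, so it cannot show whether the proxy will tunnel HTTPS to a required host. This Python sketch sends the same HTTP CONNECT request a proxied client sends and reports the proxy's answer. The proxy name and port are hypothetical placeholders; the target host is the one from the log quoted on this page.

```python
import socket

def build_connect(host, port=443):
    """Return the HTTP CONNECT request a client sends to a forward proxy."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def connect_status(sock, host, port=443):
    """Send CONNECT on an already-open proxy socket; return (code, reason)."""
    sock.sendall(build_connect(host, port))
    buf = b""
    while b"\r\n" not in buf:              # read until the status line is complete
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection without answering")
        buf += chunk
    parts = buf.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {parts!r}")
    return int(parts[1]), parts[2] if len(parts) > 2 else ""

def probe(proxy_host, proxy_port, host, port=443, timeout=10):
    """Open a TCP connection to the proxy and ask it to tunnel to host:port."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            code, reason = connect_status(s, host, port)
    except OSError as exc:                 # proxy unreachable, timeout, reset
        return f"{host}:{port} FAILED before any proxy answer: {exc}"
    # 2xx means the proxy opened the tunnel; 403 is a typical policy block and
    # 407 means the proxy wants authentication first.
    verdict = "tunnel allowed" if 200 <= code < 300 else "tunnel refused by proxy"
    return f"{host}:{port} {verdict} ({code} {reason})"

if __name__ == "__main__":
    # Hypothetical proxy address; replace with the one configured in Cloud Connector.
    print(probe("proxy.example.internal", 8080,
                "connectivitycertsigning.us1.hana.ondemand.com"))
```

A 2xx answer only shows that the proxy opened the tunnel; the TLS handshake and the certificate service's own response are not checked here.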
Matthieu Pelatan
May 06 at 06:29 PM
1

Hi Arijit,

Do you have the right role in your subaccount? Admin or SCC admin?

Best,

Matthi


Thanks Matthi.

I have Cloud Connector Admin role for the user. Actually I tried installing cloud connector in a different system outside our corporate firewall and there it is connecting fine. Hence I guess it is something to do with the network, not with the user/role.

0

Then check, as suggested by Morten, if the US SAP CP host is reachable. The IPs may be blocked by your corporate firewall...

Best,

Matthieu

0
Antal Perger
May 07 at 09:26 AM
0

Hi Arijit,

The cloud connector log file contains the entry where the "500" error code is logged. Could you find that in the ljs_trace.log file? The reason should be logged as well.

If the access from browser works to the certificate signing service, ensure that same proxy settings are applied in the cloud connector.

Best regards,

Antal


Hi Antal,

There is no "500" error code logged in the ljs_trace.log file. I am using same proxy settings in the cloud connector as well.

Regards,

Arijit

0
Arijit Das May 07 at 08:55 AM
0

In the log I found:

When it successfully connects to the trial account, the sequence of logged events is as below:

#Creating an sslContextProvider for account p925088trial@hanatrial.ondemand.com without SSLContext. Keystore did not contain a certificate.|
#New RSA keypair was generated. Key size used 4096, time 72192 ms|
#Will retrieve Connectivity CA certificate from SAP Cloud Platform|
#Executing Http Get request to https://connectivitycertsigning.hanatrial.ondemand.com:443/certificate/management/v1/trusted/ca/account/p925088trial|
#Returned Http Response with code 200|
#Connectivity CA certificate retrieved successfully from SAP Cloud Platform|
#Send Certificate Signing Request for cloud connector certificate to SAP Cloud Platform|
#Executing Http Post request to https://connectivitycertsigning.hanatrial.ondemand.com:443/certificate/management/v1/sign/account/p925088trial|
#Returned Http Response with code 200|
#Cloud Connector certificate signed successfully by SAP Cloud Platform|
#User Administrator starting Tunnel account:///p925088trial for account SCP Trial in region hanatrial.ondemand.com|
#Sending handshake request for tunnel: account:///p925088trial and host connectivitynotification.hanatrial.ondemand.com:443|
#Registered tunnel channel [id: 0xf60107b5, L:/<server_ip>:52402 - R:/<proxy_ip>:<port>] for tunnel id "account:///p925088trial" and client id "16A8DAF051B711E88471C9A80A1F6545"|
#Successfully established tunnel channel to notification service: [id: 0xf60107b5, L:/<server_ip>:52402 - R:/<proxy_ip>:<port>]|

When trying to connect to the productive instance, the logged events are as below:

#Creating an sslContextProvider for account <subaccount_id>@us1.hana.ondemand.com without SSLContext. Keystore did not contain a certificate.|
#New RSA keypair was generated. Key size used 4096, time 250558 ms|
#Will retrieve Connectivity CA certificate from SAP Cloud Platform|
#Executing Http Get request to https://connectivitycertsigning.us1.hana.ondemand.com:443/certificate/management/v1/trusted/ca/account/<subaccount_id>|
#Tunnel account:///<subaccount_id> is inoperative. SccEndpoint com.sap.scc.config.TunnelSccEndpoint@25cb0c0b ok, and context == null|
#Preparation of tunnel certificate for <subaccount_id>@us1.hana.ondemand.com account failed.

I have tried to open the url https://connectivitycertsigning.us1.hana.ondemand.com:443/certificate/management/v1/trusted/ca/account/subaccount_id in browser within the server and it first prompts for credentials and then returns the certificate. Hence, I assume the host is reachable.
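Added example, not part of the post: a Python sketch that pairs each "Executing Http ... request" message in the two sequences above with the "Returned Http Response" message that follows it, and reports the first call that has no answer or a non-2xx answer. It assumes the messages appear as quoted in the post; the sample input is built from the failing sequence, with the poster's placeholders kept.

```python
import re

# Constructed input: the failing sequence quoted in the post, placeholders kept as posted.
FAILING = """\
#Will retrieve Connectivity CA certificate from SAP Cloud Platform|
#Executing Http Get request to https://connectivitycertsigning.us1.hana.ondemand.com:443/certificate/management/v1/trusted/ca/account/<subaccount_id>|
#Tunnel account:///<subaccount_id> is inoperative. SccEndpoint com.sap.scc.config.TunnelSccEndpoint@25cb0c0b ok, and context == null|
#Preparation of tunnel certificate for <subaccount_id>@us1.hana.ondemand.com account failed.
"""

REQUEST = re.compile(r"#Executing Http (Get|Post) request to (\S+?)\|?$")
RESPONSE = re.compile(r"#Returned Http Response with code (\d{3})")


def pair_calls(log_text):
    """Return [(method, url, status_or_None)] in log order."""
    calls, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        req = REQUEST.search(line)
        resp = RESPONSE.search(line)
        if req:
            if pending:                      # previous request never got an answer
                calls.append(pending + (None,))
            pending = (req.group(1).upper(), req.group(2))
        elif resp and pending:
            calls.append(pending + (int(resp.group(1)),))
            pending = None
    if pending:                              # log ended with an unanswered request
        calls.append(pending + (None,))
    return calls


def first_problem(calls):
    """Describe the first call that did not end in a 2xx status, or None."""
    for method, url, status in calls:
        if status is None:
            return f"{method} {url}: no HTTP response was logged for this request"
        if not 200 <= status < 300:
            return f"{method} {url}: service answered HTTP {status}"
    return None


if __name__ == "__main__":
    print(first_problem(pair_calls(FAILING)))
```

On the failing sequence the GET for the Connectivity CA certificate has no response line at all, so the thing to investigate is what happened before any HTTP status came back rather than an HTTP error code.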


Phil Cooley May 08 at 11:13 AM
0

Did the CA certificate you uploaded into the Cloud Connector contain the KeyCertSign attribute? If not, it needs to. This is a key attribute that needs to be included in your CA certificate so maybe check this again.

Thanks

Phil Cooley
