
cloud connector

tskwin
Explorer
0 Kudos

Hello Experts,

We are using the SAP BAS to create Fiori Apps.

We established the principal propagation setup between SAP BTP and the on-premise system through the SAP Cloud Connector. The SAP CC is in the DMZ zone (a proxy is configured here).
In the SAP CC, the /sap services are released.
But when I try to access the SAP backend system via SAP BAS, this error occurs: "The selected system is returning an authentication error. Please verify the destination configuration"

Cloud Connector logs:

 


com.sap.core.connectivity.tunnel.client.handshake.AbstractClientHandshaker#tunnel-client-25-7# #Handshake with tunnel server completed successfully for tunnelId: account:///sdd/local
com.sap.core.connectivity.tunnel.core.impl.context.TunnelRegistryImpl#tunnel-client-44 #Registered tunnel channel [id: 234, L:/111.111.111:1111 - R:/222.222.222:80] for tunnelId account:///2kdkd-2/local and client Id 4dfjfff
INFO#com.sap.core.connectivity.tunnel.client.TunnelClient#tunnel-client-22# #Successfully established tunnel channel: [id: 234, L:/111.111.111:1111 - R:/222.222.222:80]
DEBUG#io.netty.channel.DefaultChannelPipeline#tunnel-client-23# #Discarded inbound message EmptyLastHttpContent that reached at the tail of the pipeline. Please check your pipeline configuration.
DEBUG#io.netty.channel.DefaultChannelPipeline#tunnel-client-25-7# #Discarded message pipeline : [idleStateHandler, ssl, wsencoder, wsdecoder, tunnelStateHandler, protocolEncoder, protocolDecoder, payloadTracer, flowControlHandler, messagePacketHandler, tunnelErrorHandler, DefaultChannelPipeline$TailContext#0]. Channel : id: 234, L:/111.111.111:1111 - R:/222.222.222:80

TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23-3# #Decoding WebSocket Frame opCode=2
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23-3# #Decoding WebSocket Frame length=4309
TRACE#com.sap.core.connectivity.tunnel.core.handlers.MessagePacketHandler#tunnel-client-3333-444-34555#Received message of type 1 (open connection) over tunnel channel [id: 239i2-3, id: 234, L:/111.111.111:1111 - R:/222.222.222:80]; tunnelId: account:///sss023i4i4/local
TRACE#com.sap.core.connectivity.tunnel.core.impl.processing.TunnelSubscribingProcessor#tunnel-client-23-3#0x8207f8e0#Received subscription request for connection id: 233s-344 to tunnel channel id: 344,44,33. Tunnel id: "account:///340i-dfdf3/local"

DEBUG#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23-3 3444#Subscribed connectionId 2333 to tunnel channel [id: 3444, id: 234, L:/111.111.111:1111 - R:/222.222.222:80] with tunnelId account:///4543545öfdff/local
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-2523.23344#Tunnel [ objectId [com.sap.core.connectivity.tunnel.core.impl.context.TunnelRegistryImpl$LazyTunnel@3444]; clientId [34444]; tunnelId [account:///34444/local]; currentChannel [0]; tunnelChannels [[[id: 3333, id: 234, L:/111.111.111:1111 - R:/222.222.222:80channelSubscriptions [{-3434=[id: 3444, id: 234, L:/111.111.111:1111 - R:/222.222.222:80]}] ]

#TRACE#com.sap.core.connectivity.tunnel.client.sso.SSOClientProcessor#tunnel-client-3-37#09999#Received SSO token "weweeXXXXX" with type "JWT" for principal type "BUSINESS"; connection origin Id "sb-eu10-app-studio!333", type "CF Connectivity Client ID" and name "unknown" from message packet
DEBUG#com.sap.core.connectivity.tunnel.client.sso.SessionInfoStore#tunnel-client-23-3#43434#Generated new session id 444
#TRACE#com.sap.core.connectivity.tunnel.client.sso.SSOClientSessionService#tunnel-client-23-3#3434#Retrieved connection meta info [originId: sb-eu10-app-studio!2333, originName: unknown, originType: CF Connectivity Client ID] for connectionId 3333
#TRACE#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-23-3#3434#Parsing JWT: sdsdsdsd-----END PUBLIC KEY-----
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-23-#3434#Decoded JWT with claims: {"sub":"33434444434","xs.user.attributes":{},"user_name":"user@mail.com","origin":"sap.default","iss":"... ://88033.hana.ondemand. com/ oauth...","xs.system.attributes":{"xs.rolecollections":["Destination Administrator","Subaccount Viewer","Business_Application_Studio_Extension_Deployer","Business_Application_Studio_Developer","Cloud Connector Administrator","Business_Application_Studio_Administrator","Subaccount Administrator","z_business_appl_studio","Connectivity and Destination Administrator"]},"given_name":"user","client_id":"sb-xxxxx!xx|destination-xsappname!ddd","aud":["uaa","openid","xs_account","destination-xsappname!344","sb-444!b7444|destination-xsappname!sdd","destination-xsappname!sdsd.instance","destination-xsappname!





sdd.subaccount"],"ext_attr":{"enhancer":"XSUAA","subaccountid":"ddd","zdn":"ww","serviceinstanceid":"555"},"user_uuid":"333","zid":"222","grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer","user_id":"333","azp":"sb-clon2333|destination-xsappname!b404","scope":["destination-xsappname!b404.instance.readDestination","destination- xsappname!b333.instance.manageDestination","user_attributes","destination- xsappname!b333.subaccount.manageCertificate","destination- xsappname!b333.instance.manageCertificate","xs_account.access","openid","destination- xsappname!b333.subaccount.readDestination","uaa.user","destination- xsappname!b333.subaccount.readCertificate","destination- xsappname!b333.subaccount.manageDestination","destination- xsappname!b333manageSubaccountTrust","destination-xsappname!b333.readSubaccountTrust","destination-xsappname!mailc.om b404.instance.readCertificate"],"cnf":{"23#3233":"RQ-2323},"exp":2323,"family_name":"user","iat":222,"jti":"333","email":"user@.user@mail.com","rev_sig":"333","cid":"sb-wewe!wewe|destination-xsappname!b404"}
#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-25-7#sdsdsd#About to validate token expiration claims [exp, iat] for account dsdsd
DEBUG#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-25-7#777#Successfully validated token expiration claims [exp, iat] for account 34234
TRACE#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-25-7#234234#Extracting caller principal name for principal of type BUSINESS
DEBUG#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-25-wewqe#Caller principal name user@mail.com' was extracted from 'user_name' claim.
DEBUG#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-25-7#dddf#Successfully validated JWT for tunnelId: account:///asdsad/local
DEBUG#com.sap.core.connectivity.tunnel.client.sso.SessionInfoStore#tunnel-client-7777-fdsf#Stored session with id 2333333
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-25-7#sdsdssigned principal: 'user@mail.com'
DEBUG#com.sap.core.connectivity.tunnel.core.impl.context.OutboundProtocolProcessorRegistry#tunnel-client-2sd#sdsd#Fallback to default factory for protocol HTTP
DEBUG#com.sap.core.connectivity.tunnel.core.impl.context.OutboundProtocolProcessorRegistry#tunnel-client-25-7#0x8207f8e0#Acquiring outbound connection processor for protocol HTTP
DEBUG#com.sap.core.connectivity.protocol.http.HttpOutboundConnectionProcessorFactory#tunnel-client-25-7#0x8207f8e0#Creating outbound protocol processor for protocol HTTP
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23.3# #Decoding WebSocket Frame opCode=2
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-237# #Decoding WebSocket Frame length=6131
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.MessagePacketHandler#tunnel-client-25-7#0x8207f8e0#Received message of type 3 (payload) with size 6117 over tunnel channel [id: 0x6538d4ba, L:/111.111.111:3345 - R:/111.111.111.:80]; tunnelId: account:///323ddddd/local
#DEBUG#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnel-client-25-7#99999#Opening connection to backend system test:1213
#TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessingChannelInitializer#tunnel-client-25-7# #Adding SSL handler for channel: [id: 2323]
#DEBUG#com.sap.scc.security#tunnel-client-23# #Generating X.509 certificate for authentication to backend
#DEBUG#com.sap.scc.security#tunnel-client-23# #Requesting token for principal with name user@mail.com
#DEBUG#com.sap.scc.security#tunnel-client-23# #Extracted attribute from principal ‚user@mail.com‘ with name login_name: null
DEBUG#com.sap.scc.security#tunnel-client-23# #Condition "login_name EXIST" does not fit to principal ‚ user@mail.com‘ , checking next one
#DEBUG#com.sap.scc.security#tunnel-client-25-7# #Extracted attribute from principal ‚user@mail.com‘with name name: null
#com.sap.scc.security#tunnel-client-25-7# #Condition "name EXIST" does not fit to principal user@mail.com, checking next one
#DEBUG#com.sap.scc.security#tunnel-client-25-7# #Condition "true" fits to principal user@mail.com, return CN=${email},
DEBUG#com.sap.scc.security#tunnel-client-25-7# #Generated X.509 certificate with subject CN= user@mail.com,C=DE
#TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#dsd#Connection opening in progress, buffering...
#TRACE#com.sap.core.connectivity.tunnel.core.impl.processing.OutboundPacketProcessor#tunnel-client-23# #Sent packet with size 6,117 to processor com.sap.core.connectivity.protocol.http.HttpProtocolProcessor@23233


#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-25-7#0x8207f8e0#Successfully opened backend connection [id: 0xa026c4cf, L:/111.111.111.111:2334 - R:hostname/111.111.11.111:773]
TRACE#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnel-client-444#03444e0#Report open connection 774 to http://test:1213
#TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#774#Will send packet with size 6,117 to backend channel [id: 333, L:/ L:/111.111.111.111:2334- R:hostname/111.111.111:3333]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#344#Starting, switching state to PROCESSING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#34344#Start sending http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled to backend
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-223#233#Set autoread=FALSE on Backend channel: [id: 3333 isOpen: true; isActive: true; isRegistered: true; isWritable: true; bytesBeforeWritable: 0; bytesBeforeUnwritable: 44,444; autoRead: false]
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23-7#3333#Set request description to statistics instance: http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled on [virtualHost=test, virtualPort=1213, protocol=HTTP]
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23#233#Report invoke started for connection 0x8207f8e0 to http://test:1213 request /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-3#0x8207f8e0#Updating caller principal.
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.SSOClientSessionService#tunnel-client-23# #Reusing existing session with id 2333
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-25-7# #Assigned principal: 'user@mail.com'
DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-25-7#0x8207f8e0#Will use X.509 certificate for authentication to backend: 2333333(SHA-256)
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthorizationHandler#tunnel-client-25-7#34344#Access allowed to http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled for virtual host test:1213
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-25-7#3444#Last http request object, switching state to SWALLOWING
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#344#Set autoread=TRUE on Backend channel: [id: 0xa026c4cf isOpen: true; isActive: true; isRegistered: true; isWritable: true; bytesBeforeWritable: 0; bytesBeforeUnwritable: 4,444; autoRead: true]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-343444#Last http request object, switching state to STARTING
#DEBUG#io.netty.handler.ssl.SslHandler#tunnel-client-23# #[id: 333, L:/111.111.111.:3333 - R:hostname.com/111.111.111:2333] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#233#Sent packet with size 3 to backend channel [id: 233, L:/111.111.111:3333- R:hostname.com/111.111.111.46667]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-23eeee#Starting, switching state to PROCESSING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpSapStatisticsHandler#tunnel-client-33-7#333#Performance statistics is disabled,sap-statistics-scc header is not set
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7# #Will send message of type 3 (payload) with size 328 over tunnel channel [id: 333, L:/111.111.111:3333 - R:/111.111.111:80] with tunnelId account:///34444/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=2 length=342
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Sent message of type 3 (payload) with payload size 328 over tunnel channel [id: 0x6538d4ba, L:/111.111.111:3444 - R:/111.111.111:80] with tunnelId account:///33444444/local

com.sap.core.connectivity.spi.processing.OutboundConnectionReader#tunnel-client-2344#Sent message of type 3 (payload) with payload size 328 to tunnel channel [id: 344, L:/111.111.111:3444 - R:/111.111.111:80]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-23#wewe#Last http response object, switching state to SWALLOWING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-25-7#344#Last http response object, switching state to STARTING
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Will send message of type 3 (payload) with size 6612 over tunnel channel [id: 0x6538d4ba, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account://wewewe/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-25-7# #Encoding WebSocket Frame opCode=2 length=6626
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7# #Sent message of type 3 (payload) with payload size 6612 over tunnel channel [id: 23423, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///11111/local
#TRACE#com.sap.core.connectivity.spi.processing.OutboundConnectionReader#tunnel-client-23233#Sent message of type 3 (payload) with payload size 6,612 to tunnel channel [id: 2323, L:/111.111.111:3444 - R:/111.111.111:80]]
TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23333#Report http request on connection 3444 to http://test:1213 request /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-34#0x8207f8e0#Report http request time statistics: total=73,ext=34,latency=3,openRemoteConn=28,generateSSOToken=24,validateSSOToken=0
#TRACE#com.sap.scc.monitor#tunnel-client-25-7# #Request HTTP://test:1213 resource /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/ with total time 73 is added to top list.
#TRACE#com.sap.scc.monitor#tunnel-client-25-7# #Request HTTP://test:1213 resource /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/ with total time 73 is added to top list.
#DEBUG#com.sap.core.connectivity.spi.processing.OutboundConnectionErrorHandler#tunnel-client-25-7#weee#Backend channel [id: weee L:/111.111.111:3444 - R:/111.111.111:80] is closed
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Will send message of type 4 (error) over tunnel channel [id: wewe, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///223/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=2 length=231
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Sent message of type 4 (error) over tunnel channel [id: 0x6538d4ba, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///w343434/local
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23# #Decoding WebSocket Frame opCode=2
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23# #Decoding WebSocket Frame length=14
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.MessagePacketHandler#tunnel-client-23-wewe#Received message of type 2 (close connection) over tunnel channel [id: 2434, L:/111.111.111:3444 - R:/111.111.111:80]]; tunnelId: account:///wewewe 2/local
DEBUG#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7#0x8207f8e0#Unsubscribed connectionId 0x8207f8e0 from tunnelId account:///ewewe2/local
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-25-7#33434#Unassigned principal: user@mail.com
#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#Released backend connection channel [id: 233, L:/1111.111.111:5554 ! R:hostname.com/3111.111.111:3333]


TRACE#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnel-client-24#Report close connection with id: 444
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#notification-client-24-1# #Decoding WebSocket Frame opCode=10
+0100#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-24-1# #Received pong for channel [id: erer, L:/111.111.111:3434 - R:/111.111.111:80] with tunnelId account:///232333
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-223# #Sending pong for channel [id: 333, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///23233
TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-21-1# #Sending pong for channel [id: 3434, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///67777/local
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#notification-client-21-1# #Encoding WebSocket Frame opCode=10 length=0
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-21-1# #Received pong for channel [id: wee, , L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///wee2/local
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#tunnel-client-3# #Sending pong for channel [id: 0x6538d4ba, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///wee2/local sdsdsd:06:01,740
#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=10 length=0
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-9# #execute incoming request /configuration with action 'getAccounts'
0#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-9# #incoming request /configuration action: getAccounts finished after 0 ms
0#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-2# #execute incoming request /admin with action 'fetchMessages'
TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-2# #incoming request /admin action: fetchMessages finished after 1 ms
TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-6# #execute incoming request /logAndTrace with action 'getLogSettings'
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-6# #incoming request /logAndTrace action: getLogSettings finished after 1 ms
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-10# #execute incoming request /logAndTrace with action 'getLogFiles'




















Could you please help us with this problem?

Thanks.

Accepted Solutions (0)

Answers (2)


Ulrich_Schmidt
Product and Topic Expert

Hi,

Most probably the problem is on the backend side: did you check whether there is a CERTRULE for X.509 certificates with SubjectDNs like
CN=user@mail.com,C=DE
?

If there is no mapping of this SubjectDN pattern to ABAP users (in transaction CERTRULE), the login will of course fail.

Another possible reason could be that the SCC's "System Certificate" is not trusted by the backend system. You can see more details if you increase the ICM trace level on the backend side (transaction SMICM) and then repeat the logon attempt.
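
Added example, not part of the original thread and not SAP tooling: a small Python parser that pulls the subject-pattern decision out of Cloud Connector trace lines like those in the question, so the exact subject DN sent to the backend can be compared with the CERTRULE entry. The sample lines are constructed from the posted trace, and the function names (`normalize_dn`, `trace_subject_rules`, `subject_matches`) are hypothetical.

```python
import re

# Constructed sample, modelled on the com.sap.scc.security lines in the question.
SAMPLE = """\
#DEBUG#com.sap.scc.security#tunnel-client-23# #Requesting token for principal with name user@mail.com
#DEBUG#com.sap.scc.security#tunnel-client-23# #Extracted attribute from principal 'user@mail.com' with name login_name: null
#DEBUG#com.sap.scc.security#tunnel-client-23# #Condition "login_name EXIST" does not fit to principal 'user@mail.com', checking next one
#DEBUG#com.sap.scc.security#tunnel-client-23# #Extracted attribute from principal 'user@mail.com' with name name: null
#DEBUG#com.sap.scc.security#tunnel-client-23# #Condition "name EXIST" does not fit to principal user@mail.com, checking next one
#DEBUG#com.sap.scc.security#tunnel-client-23# #Condition "true" fits to principal user@mail.com, return CN=${email},
#DEBUG#com.sap.scc.security#tunnel-client-23# #Generated X.509 certificate with subject CN= user@mail.com,C=DE
#DEBUG#com.sap.core.connectivity.spi.processing.OutboundConnectionErrorHandler#tunnel-client-23#0x1#Backend channel [id: 0x1] is closed
"""

RE_NULL = re.compile(r"with name (\w+): null")
RE_SKIP = re.compile(r'Condition "([^"]+)" does not fit')
RE_HIT = re.compile(r'Condition "([^"]+)" fits to principal .*?, return (.+?),?\s*$')
RE_SUBJ = re.compile(r"Generated X\.509 certificate with subject (.+)$")
RE_CLOSED = re.compile(r"Backend channel \[.*\] is closed")


def normalize_dn(dn):
    """Trim whitespace around each RDN and upper-case the attribute types."""
    out = []
    for part in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        out.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(out)


def trace_subject_rules(lines):
    """Collect which subject-pattern rule fired and which subject was generated."""
    report = {"null_attributes": [], "skipped": [], "matched": None,
              "subject": None, "backend_closed": False}
    for raw in lines:
        line = raw.strip()
        if m := RE_NULL.search(line):
            report["null_attributes"].append(m.group(1))  # claim missing in the token
        elif m := RE_SKIP.search(line):
            report["skipped"].append(m.group(1))
        elif m := RE_HIT.search(line):
            report["matched"] = (m.group(1), m.group(2))  # (condition, template)
        elif m := RE_SUBJ.search(line):
            report["subject"] = normalize_dn(m.group(1))
        elif RE_CLOSED.search(line):
            report["backend_closed"] = True
    return report


def subject_matches(report, mapped_dn):
    """Compare the generated subject with the DN the backend rule is written for.
    Assumption: whitespace and attribute-type case are the only tolerated differences."""
    return report["subject"] is not None and normalize_dn(mapped_dn) == report["subject"]


if __name__ == "__main__":
    r = trace_subject_rules(SAMPLE.splitlines())
    print("null attributes:", r["null_attributes"])
    print("rules skipped:  ", r["skipped"])
    print("rule matched:   ", r["matched"])
    print("subject sent:   ", r["subject"])
    print("backend closed: ", r["backend_closed"])
```

A report showing a fallback rule (`"true"`) together with `null` attributes means the certificate subject was built from a different token claim than the first rules expected, which is the subject the backend mapping has to cover.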

tskwin
Explorer
0 Kudos
Hello Ulrich,

Thank you very much for your response. In transaction CERTRULE, I have inserted the user certificate, which I generated in the Cloud Connector. The status (user mapping) was green. In STRUST, I imported the system certificate from the Cloud Connector.

Are you referring to this step when you mentioned, "Another possible reason could be, that the SCC's 'System Certificate' is not trusted by the backend system"? So this step - importing the system certificate from the Cloud Connector in STRUST?

Many thanks, best regards
Ulrich_Schmidt
Product and Topic Expert
0 Kudos

In addition to importing the system cert in STRUST, there is an additional step necessary so that the SAP system (or rather the ICM) allows the SCC to log on under multiple different user accounts via X.509 certs: a certain profile parameter for ICM needs to be set.

See Configure Identity Propagation for HTTPS | SAP Help Portal for the detailed steps.

Best Regards, Ulrich

mnoe
Participant
0 Kudos

Hello @tskwin 

here are some helpful resources I used to enable principal propagation:

BTP BAS (own developed app) <--> Cloud Connector <--> SAP Fiori Odata frontend  <--> ECC Backend 

(to be honest, the certificate settings etc. are a pain - probably also in the future when the renewal comes up)

 

https://community.sap.com/t5/technology-blogs-by-sap/setting-up-principal-propagation/ba-p/13510251

https://help.sap.com/docs/SAP_ANALYTICS_CLOUD/00f68c2e08b941f081002fd3691d86a7/80140fff3260494fb8eb4...

https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/configure-principal-propagation-for-h...

https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/rule-based-mapping-of-certificates

https://me.sap.com/notes/0002462533 Configuring Principal Propagation to an ABAP System for HTTPS in SAP Business Technology Platform

https://me.sap.com/notes/3335949/ Improved robustness in parsing the certificate subject and issuer for icm/trusted_reverse_proxy_<x>

https://me.sap.com/notes/3371621/ Common mistakes when setting ICM parameters related to SAP Cloud Connector

https://me.sap.com/notes/2805092/ Usage of icm/trusted_reverse_proxy_<x> = SUBJECT=*, ISSUER=*

Further hint: enable ICM trace and follow the connect and where it fails, keyword trusted_reverse_proxy

Best regards