on 03-26-2024 2:21 PM
Hello Experts,
We are using the SAP BAS to create Fiori Apps.
We established the principal propagation setup between SAP BTP and on-premise System through the SAP cloud connector. SAP CC is in DMZ Zone ( here is proxy configured)
In SAP CC are /sap services are released.
But when I try to access the SAP backend system via SAP BAS, this error occurs: "The selected system is returning an authentication error. Please verify the destination configuration"
Cloud Connector logs:
com.sap.core.connectivity.tunnel.client.handshake.AbstractClientHandshaker#tunnel-client-25-7# #Handshake with tunnel server completed successfully for tunnelId: account:///sdd/local
com.sap.core.connectivity.tunnel.core.impl.context.TunnelRegistryImpl#tunnel-client-44 #Registered tunnel channel [id: 234, L:/111.111.111:1111 - R:/222.222.222:80] for tunnelId account:///2kdkd-2/local and client Id 4dfjfff
INFO#com.sap.core.connectivity.tunnel.client.TunnelClient#tunnel-client-22# #Successfully established tunnel channel: [id: 234, L:/111.111.111:1111 - R:/222.222.222:80]
DEBUG#io.netty.channel.DefaultChannelPipeline#tunnel-client-23# #Discarded inbound message EmptyLastHttpContent that reached at the tail of the pipeline. Please check your pipeline configuration.
DEBUG#io.netty.channel.DefaultChannelPipeline#tunnel-client-25-7# #Discarded message pipeline : [idleStateHandler, ssl, wsencoder, wsdecoder, tunnelStateHandler, protocolEncoder, protocolDecoder, payloadTracer, flowControlHandler, messagePacketHandler, tunnelErrorHandler, DefaultChannelPipeline$TailContext#0]. Channel : id: 234, L:/111.111.111:1111 - R:/222.222.222:80
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23-3# #Decoding WebSocket Frame opCode=2
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23-3# #Decoding WebSocket Frame length=4309
TRACE#com.sap.core.connectivity.tunnel.core.handlers.MessagePacketHandler#tunnel-client-3333-444-34555#Received message of type 1 (open connection) over tunnel channel [id: 239i2-3, id: 234, L:/111.111.111:1111 - R:/222.222.222:80]; tunnelId: account:///sss023i4i4/local
TRACE#com.sap.core.connectivity.tunnel.core.impl.processing.TunnelSubscribingProcessor#tunnel-client-23-3#0x8207f8e0#Received subscription request for connection id: 233s-344 to tunnel channel id: 344,44,33. Tunnel id: "account:///340i-dfdf3/local"
#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-25-7#0x8207f8e0#Successfully opened backend connection [id: 0xa026c4cf, L:/111.111.111.111:2334 - R:hostname/111.111.11.111:773]
TRACE#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnel-client-444#03444e0#Report open connection 774 to http://test:1213
#TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#774#Will send packet with size 6,117 to backend channel [id: 333, L:/ L:/111.111.111.111:2334- R:hostname/111.111.111:3333]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#344#Starting, switching state to PROCESSING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#34344#Start sending http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled to backend
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-223#233#Set autoread=FALSE on Backend channel: [id: 3333 isOpen: true; isActive: true; isRegistered: true; isWritable: true; bytesBeforeWritable: 0; bytesBeforeUnwritable: 44,444; autoRead: false]
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23-7#3333#Set request description to statistics instance: http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled on [virtualHost=test, virtualPort=1213, protocol=HTTP]
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23#233#Report invoke started for connection 0x8207f8e0 to http://test:1213 request /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-3#0x8207f8e0#Updating caller principal.
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.SSOClientSessionService#tunnel-client-23# #Reusing existing session with id 2333
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-25-7# #Assigned principal: 'user@mail.com'
DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-25-7#0x8207f8e0#Will use X.509 certificate for authentication to backend: 2333333(SHA-256)
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthorizationHandler#tunnel-client-25-7#34344#Access allowed to http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled for virtual host test:1213
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-25-7#3444#Last http request object, switching state to SWALLOWING
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#344#Set autoread=TRUE on Backend channel: [id: 0xa026c4cf isOpen: true; isActive: true; isRegistered: true; isWritable: true; bytesBeforeWritable: 0; bytesBeforeUnwritable: 4,444; autoRead: true]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-343444#Last http request object, switching state to STARTING
#DEBUG#io.netty.handler.ssl.SslHandler#tunnel-client-23# #[id: 333, L:/111.111.111.:3333 - R:hostname.com/111.111.111:2333] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#233#Sent packet with size 3 to backend channel [id: 233, L:/111.111.111:3333- R:hostname.com/111.111.111.46667]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-23eeee#Starting, switching state to PROCESSING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpSapStatisticsHandler#tunnel-client-33-7#333#Performance statistics is disabled,sap-statistics-scc header is not set
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7# #Will send message of type 3 (payload) with size 328 over tunnel channel [id: 333, L:/111.111.111:3333 - R:/111.111.111:80] with tunnelId account:///34444/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=2 length=342
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Sent message of type 3 (payload) with payload size 328 over tunnel channel [id: 0x6538d4ba, L:/111.111.111:3444 - R:/111.111.111:80] with tunnelId account:///33444444/local
com.sap.core.connectivity.spi.processing.OutboundConnectionReader#tunnel-client-2344#Sent message of type 3 (payload) with payload size 328 to tunnel channel [id: 344, L:/111.111.111:3444 - R:/111.111.111:80]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-23#wewe#Last http response object, switching state to SWALLOWING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-25-7#344#Last http response object, switching state to STARTING
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Will send message of type 3 (payload) with size 6612 over tunnel channel [id: 0x6538d4ba, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account://wewewe/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-25-7# #Encoding WebSocket Frame opCode=2 length=6626
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7# #Sent message of type 3 (payload) with payload size 6612 over tunnel channel [id: 23423, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///11111/local
#TRACE#com.sap.core.connectivity.spi.processing.OutboundConnectionReader#tunnel-client-23233#Sent message of type 3 (payload) with payload size 6,612 to tunnel channel [id: 2323, L:/111.111.111:3444 - R:/111.111.111:80]]
TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23333#Report http request on connection 3444 to http://test:1213 request /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-34#0x8207f8e0#Report http request time statistics: total=73,ext=34,latency=3,openRemoteConn=28,generateSSOToken=24,validateSSOToken=0
#TRACE#com.sap.scc.monitor#tunnel-client-25-7# #Request HTTP://test:1213 resource /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/ with total time 73 is added to top list.
#TRACE#com.sap.scc.monitor#tunnel-client-25-7# #Request HTTP://test:1213 resource /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/ with total time 73 is added to top list.
#DEBUG#com.sap.core.connectivity.spi.processing.OutboundConnectionErrorHandler#tunnel-client-25-7#weee#Backend channel [id: weee L:/111.111.111:3444 - R:/111.111.111:80] is closed
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Will send message of type 4 (error) over tunnel channel [id: wewe, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///223/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=2 length=231
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Sent message of type 4 (error) over tunnel channel [id: 0x6538d4ba, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///w343434/local
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23# #Decoding WebSocket Frame opCode=2
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23# #Decoding WebSocket Frame length=14
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.MessagePacketHandler#tunnel-client-23-wewe#Received message of type 2 (close connection) over tunnel channel [id: 2434, L:/111.111.111:3444 - R:/111.111.111:80]]; tunnelId: account:///wewewe 2/local
DEBUG#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7#0x8207f8e0#Unsubscribed connectionId 0x8207f8e0 from tunnelId account:///ewewe2/local
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-25-7#33434#Unassigned principal: user@mail.com
#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#Released backend connection channel [id: 233, L:/1111.111.111:5554 ! R:hostname.com/3111.111.111:3333]
R:hostname.com/3111.111.111:3333]
TRACE#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnel-client-24#Report close connection with id: 444
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#notification-client-24-1# #Decoding WebSocket Frame opCode=10
+0100#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-24-1# #Received pong for channel [id: erer, L:/111.111.111:3434 - R:/111.111.111:80] with tunnelId account:///232333
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-223# #Sending pong for channel [id: 333, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///23233
TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-21-1# #Sending pong for channel [id: 3434, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///67777/local
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#notification-client-21-1# #Encoding WebSocket Frame opCode=10 length=0
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-21-1# #Received pong for channel [id: wee, , L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///wee2/local
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#tunnel-client-3# #Sending pong for channel [id: 0x6538d4ba, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///wee2/local sdsdsd:06:01,740
#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=10 length=0
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-9# #execute incoming request /configuration with action 'getAccounts'
0#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-9# #incoming request /configuration action: getAccounts finished after 0 ms
0#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-2# #execute incoming request /admin with action 'fetchMessages'
TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-2# #incoming request /admin action: fetchMessages finished after 1 ms
TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-6# #execute incoming request /logAndTrace with action 'getLogSettings'
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-6# #incoming request /logAndTrace action: getLogSettings finished after 1 ms
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-10# #execute incoming request /logAndTrace with action 'getLogFiles'
Could you please help up with this problem.
Thanks.
Hi,
most probably the problem is on backend side: did you check, whether there is a CERTRULE for X.509 certificates with SubjectDNs like
CN=user@mail.com,C=DE
?
If there is no mapping of this SubjectDN pattern to ABAP users (in transaction CERTRULE), the login will of course fail.
Another possible reason could be, that the SCC's "System Certificate" is not trusted by the backend system. You can see more details, if you increase the ICM trace level on backend side (transaction SMICM), and then repeating the logon attempt.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
In addition to importing the system cert in STRUST, there is an additional step necessary, so that the SAP system (or rather the ICM) allows the SCC to logon on under multiple different User accounts via X.509 certs: a certain profile parameter for ICM needs to be set.
See Configure Identity Propagation for HTTPS | SAP Help Portal for the detailed steps.
Best Regards, Ulrich
User | Count |
---|---|
78 | |
10 | |
10 | |
7 | |
7 | |
6 | |
6 | |
6 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.