on 03-26-2024 2:21 PM
Hello Experts,
We are using the SAP BAS to create Fiori Apps.
We established the principal propagation setup between SAP BTP and the on-premise system through the SAP Cloud Connector. SAP CC is in the DMZ zone (a proxy is configured here).
In SAP CC, the /sap services are released.
But when I try to access the SAP backend system via SAP BAS, this error occurs: "The selected system is returning an authentication error. Please verify the destination configuration"
Cloud Connector logs:
com.sap.core.connectivity.tunnel.client.handshake.AbstractClientHandshaker#tunnel-client-25-7# #Handshake with tunnel server completed successfully for tunnelId: account:///sdd/local
com.sap.core.connectivity.tunnel.core.impl.context.TunnelRegistryImpl#tunnel-client-44 #Registered tunnel channel [id: 234, L:/111.111.111:1111 - R:/222.222.222:80] for tunnelId account:///2kdkd-2/local and client Id 4dfjfff
INFO#com.sap.core.connectivity.tunnel.client.TunnelClient#tunnel-client-22# #Successfully established tunnel channel: [id: 234, L:/111.111.111:1111 - R:/222.222.222:80]
DEBUG#io.netty.channel.DefaultChannelPipeline#tunnel-client-23# #Discarded inbound message EmptyLastHttpContent that reached at the tail of the pipeline. Please check your pipeline configuration.
DEBUG#io.netty.channel.DefaultChannelPipeline#tunnel-client-25-7# #Discarded message pipeline : [idleStateHandler, ssl, wsencoder, wsdecoder, tunnelStateHandler, protocolEncoder, protocolDecoder, payloadTracer, flowControlHandler, messagePacketHandler, tunnelErrorHandler, DefaultChannelPipeline$TailContext#0]. Channel : id: 234, L:/111.111.111:1111 - R:/222.222.222:80
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23-3# #Decoding WebSocket Frame opCode=2
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23-3# #Decoding WebSocket Frame length=4309
TRACE#com.sap.core.connectivity.tunnel.core.handlers.MessagePacketHandler#tunnel-client-3333-444-34555#Received message of type 1 (open connection) over tunnel channel [id: 239i2-3, id: 234, L:/111.111.111:1111 - R:/222.222.222:80]; tunnelId: account:///sss023i4i4/local
TRACE#com.sap.core.connectivity.tunnel.core.impl.processing.TunnelSubscribingProcessor#tunnel-client-23-3#0x8207f8e0#Received subscription request for connection id: 233s-344 to tunnel channel id: 344,44,33. Tunnel id: "account:///340i-dfdf3/local"
#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-25-7#0x8207f8e0#Successfully opened backend connection [id: 0xa026c4cf, L:/111.111.111.111:2334 - R:hostname/111.111.11.111:773]
TRACE#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnel-client-444#03444e0#Report open connection 774 to http://test:1213
#TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#774#Will send packet with size 6,117 to backend channel [id: 333, L:/ L:/111.111.111.111:2334- R:hostname/111.111.111:3333]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#344#Starting, switching state to PROCESSING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#34344#Start sending http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled to backend
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-223#233#Set autoread=FALSE on Backend channel: [id: 3333 isOpen: true; isActive: true; isRegistered: true; isWritable: true; bytesBeforeWritable: 0; bytesBeforeUnwritable: 44,444; autoRead: false]
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23-7#3333#Set request description to statistics instance: http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled on [virtualHost=test, virtualPort=1213, protocol=HTTP]
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23#233#Report invoke started for connection 0x8207f8e0 to http://test:1213 request /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-3#0x8207f8e0#Updating caller principal.
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.SSOClientSessionService#tunnel-client-23# #Reusing existing session with id 2333
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-25-7# #Assigned principal: 'user@mail.com'
DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-25-7#0x8207f8e0#Will use X.509 certificate for authentication to backend: 2333333(SHA-256)
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthorizationHandler#tunnel-client-25-7#34344#Access allowed to http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled for virtual host test:1213
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-25-7#3444#Last http request object, switching state to SWALLOWING
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#344#Set autoread=TRUE on Backend channel: [id: 0xa026c4cf isOpen: true; isActive: true; isRegistered: true; isWritable: true; bytesBeforeWritable: 0; bytesBeforeUnwritable: 4,444; autoRead: true]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-343444#Last http request object, switching state to STARTING
#DEBUG#io.netty.handler.ssl.SslHandler#tunnel-client-23# #[id: 333, L:/111.111.111.:3333 - R:hostname.com/111.111.111:2333] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#233#Sent packet with size 3 to backend channel [id: 233, L:/111.111.111:3333- R:hostname.com/111.111.111.46667]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-23eeee#Starting, switching state to PROCESSING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpSapStatisticsHandler#tunnel-client-33-7#333#Performance statistics is disabled,sap-statistics-scc header is not set
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7# #Will send message of type 3 (payload) with size 328 over tunnel channel [id: 333, L:/111.111.111:3333 - R:/111.111.111:80] with tunnelId account:///34444/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=2 length=342
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Sent message of type 3 (payload) with payload size 328 over tunnel channel [id: 0x6538d4ba, L:/111.111.111:3444 - R:/111.111.111:80] with tunnelId account:///33444444/local
com.sap.core.connectivity.spi.processing.OutboundConnectionReader#tunnel-client-2344#Sent message of type 3 (payload) with payload size 328 to tunnel channel [id: 344, L:/111.111.111:3444 - R:/111.111.111:80]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-23#wewe#Last http response object, switching state to SWALLOWING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-25-7#344#Last http response object, switching state to STARTING
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Will send message of type 3 (payload) with size 6612 over tunnel channel [id: 0x6538d4ba, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account://wewewe/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-25-7# #Encoding WebSocket Frame opCode=2 length=6626
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7# #Sent message of type 3 (payload) with payload size 6612 over tunnel channel [id: 23423, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///11111/local
#TRACE#com.sap.core.connectivity.spi.processing.OutboundConnectionReader#tunnel-client-23233#Sent message of type 3 (payload) with payload size 6,612 to tunnel channel [id: 2323, L:/111.111.111:3444 - R:/111.111.111:80]]
TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23333#Report http request on connection 3444 to http://test:1213 request /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-34#0x8207f8e0#Report http request time statistics: total=73,ext=34,latency=3,openRemoteConn=28,generateSSOToken=24,validateSSOToken=0
#TRACE#com.sap.scc.monitor#tunnel-client-25-7# #Request HTTP://test:1213 resource /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/ with total time 73 is added to top list.
#TRACE#com.sap.scc.monitor#tunnel-client-25-7# #Request HTTP://test:1213 resource /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/ with total time 73 is added to top list.
#DEBUG#com.sap.core.connectivity.spi.processing.OutboundConnectionErrorHandler#tunnel-client-25-7#weee#Backend channel [id: weee L:/111.111.111:3444 - R:/111.111.111:80] is closed
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Will send message of type 4 (error) over tunnel channel [id: wewe, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///223/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=2 length=231
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Sent message of type 4 (error) over tunnel channel [id: 0x6538d4ba, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///w343434/local
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23# #Decoding WebSocket Frame opCode=2
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23# #Decoding WebSocket Frame length=14
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.MessagePacketHandler#tunnel-client-23-wewe#Received message of type 2 (close connection) over tunnel channel [id: 2434, L:/111.111.111:3444 - R:/111.111.111:80]]; tunnelId: account:///wewewe 2/local
DEBUG#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7#0x8207f8e0#Unsubscribed connectionId 0x8207f8e0 from tunnelId account:///ewewe2/local
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-25-7#33434#Unassigned principal: user@mail.com
#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#Released backend connection channel [id: 233, L:/1111.111.111:5554 ! R:hostname.com/3111.111.111:3333]
TRACE#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnel-client-24#Report close connection with id: 444
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#notification-client-24-1# #Decoding WebSocket Frame opCode=10
+0100#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-24-1# #Received pong for channel [id: erer, L:/111.111.111:3434 - R:/111.111.111:80] with tunnelId account:///232333
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-223# #Sending pong for channel [id: 333, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///23233
TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-21-1# #Sending pong for channel [id: 3434, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///67777/local
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#notification-client-21-1# #Encoding WebSocket Frame opCode=10 length=0
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-21-1# #Received pong for channel [id: wee, , L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///wee2/local
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#tunnel-client-3# #Sending pong for channel [id: 0x6538d4ba, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///wee2/local sdsdsd:06:01,740
#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=10 length=0
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-9# #execute incoming request /configuration with action 'getAccounts'
0#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-9# #incoming request /configuration action: getAccounts finished after 0 ms
0#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-2# #execute incoming request /admin with action 'fetchMessages'
TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-2# #incoming request /admin action: fetchMessages finished after 1 ms
TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-6# #execute incoming request /logAndTrace with action 'getLogSettings'
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-6# #incoming request /logAndTrace action: getLogSettings finished after 1 ms
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-10# #execute incoming request /logAndTrace with action 'getLogFiles'
Could you please help us with this problem?
Thanks.
Hello @tskwin
here are some helpful resources I used to enable principal propagation:
BTP BAS (own developed app) <--> Cloud Connector <--> SAP Fiori Odata frontend <--> ECC Backend
(to be honest, the certificate settings etc. are a pain - probably also in the future when the renewal comes up)
https://community.sap.com/t5/technology-blogs-by-sap/setting-up-principal-propagation/ba-p/13510251
https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/rule-based-mapping-of-certificates
https://me.sap.com/notes/0002462533 Configuring Principal Propagation to an ABAP System for HTTPS in SAP Business Technology Platform
https://me.sap.com/notes/3335949/ Improved robustness in parsing the certificate subject and issuer for icm/trusted_reverse_proxy_<x>
https://me.sap.com/notes/3371621/ Common mistakes when setting ICM parameters related to SAP Cloud Connector
https://me.sap.com/notes/2805092/ Usage of icm/trusted_reverse_proxy_<x> = SUBJECT=*, ISSUER=*
Further hint: enable the ICM trace and follow the connection to where it fails; keyword: trusted_reverse_proxy
Best regards
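The hint above is to follow the connection to the point where it fails. As an added example (not part of the thread and not SAP tooling), this Python script scans Cloud Connector trace lines for the principal-propagation stages visible in the question's log and reports which side to inspect next; the stage names, the `verdict` heuristic and the shortened `SAMPLE` lines are assumptions of this example.

```python
import re

# Stage markers taken from the Cloud Connector trace lines quoted in the question.
STAGES = [
    ("principal_assigned", re.compile(r"Assigned principal: '([^']+)'")),
    ("x509_selected", re.compile(r"Will use X\.509 certificate for authentication to backend")),
    ("access_allowed", re.compile(r"Access allowed to (\S+)")),
    ("backend_tls", re.compile(r"HANDSHAKEN: protocol:(\S+)")),
    ("backend_closed", re.compile(r"Backend channel \[.*?\] is closed")),
    ("tunnel_error", re.compile(r"Sent message of type 4 \(error\)")),
]
SCC_SIDE = {"principal_assigned", "x509_selected", "access_allowed"}


def triage(lines):
    """Return the ordered list of (stage, detail) events found in the trace."""
    events = []
    for line in lines:
        for name, pattern in STAGES:
            m = pattern.search(line)
            if m:
                events.append((name, m.group(1) if m.groups() else ""))
                break
    return events


def verdict(events):
    """Heuristic (an assumption of this example): which side to inspect next."""
    seen = {name for name, _ in events}
    missing = SCC_SIDE - seen
    if missing:
        return "cloud-connector: missing " + ", ".join(sorted(missing))
    if {"backend_closed", "tunnel_error"} & seen:
        return "backend: propagation steps completed, then backend closed/error"
    return "no failure marker found"


# Constructed sample: shortened copies of lines from the trace in the question.
SAMPLE = [
    "#DEBUG#CallerPrincipalProviderImpl#tunnel-client-25-7# #Assigned principal: 'user@mail.com'",
    "DEBUG#HttpAuthenticationHandler#tunnel-client-25-7#0x8207f8e0#Will use X.509 certificate for authentication to backend: 2333333(SHA-256)",
    "#DEBUG#HttpAuthorizationHandler#tunnel-client-25-7#34344#Access allowed to http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/ for virtual host test:1213",
    "#DEBUG#io.netty.handler.ssl.SslHandler#tunnel-client-23# #[id: 333] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "#DEBUG#OutboundConnectionErrorHandler#tunnel-client-25-7#weee#Backend channel [id: weee L:/111.111.111:3444 - R:/111.111.111:80] is closed",
    "#TRACE#Tunnel#tunnel-client-23# #Sent message of type 4 (error) over tunnel channel [id: 0x6538d4ba]",
]

if __name__ == "__main__":
    print(verdict(triage(SAMPLE)))
```

A "backend" verdict means the Cloud Connector assigned the principal, selected the X.509 certificate and allowed the request before the backend connection ended, which is the case where the ICM trace on the ABAP side is the next place to look.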