cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Mobile Start Authentication Error

SRINIVAS_KATTA
Explorer

on ‎05-23-2023 11:47 AM

0 Kudos

Hello Experts,

I explored SAP Mobile Start with SAP Build Work Zone Standard Edition. Applications getting visible in mobile application but not loading and getting blanck scrren when open application in SAP Mobile Start.

Followed below blog

After that i added some below Resource Service in Cloud Connector, When i open application, its getting login popup again and again in system and getting blank screen in SAP Mobile Start Application.

Please Suggest.

Thank You

Show replies
Show replies
thomas-bruckner
Product and Topic Expert
Product and Topic Expert
‎05-23-2023 12:06 PM
0 Kudos

Hi srinivasnagaraju,

I would like to understand your issue(s) better, mentioned in the following statement:

"Applications getting visible in mobile application but not loading and getting blanck scrren when open application in SAP Mobile Start"

1) What exactly is not loading? Are you referring to the Monitoring Number on a Dynamic App Launcher Tile in Mobile Start, or the web application launching when tapping on one of the applications?

2) Have you checked setting up your S/4HANA On Premise system with SAP Build Work Zone? If also on your desktop browser in SAP Build Work Zone, Standard Edition the applications are not launching correctly, the issue is not related to Mobile Start but generally within the System Connectivity between BTP and your On Premise environment.

3) Is Principal Propagation for the Runtime Destination used in Work Zone, Standard to your On Premise System via the Cloud Connector properly set up? Have you verified the setup somehow?

Kind regards,

Thomas

Answer

Accepted Solutions (0)

Answers (4)

Answers (4)

SRINIVAS_KATTA
Explorer
‎06-28-2023 7:16 AM

Issue resolved. Supported by SAP.

...............................................................................

The root cause of such issue is a simple configuration issue in the DS4 system that can be seen in the traces:

[Thr 140634502854400] HttpCertIsReverseProxyTrustworthy: intermediate cert issuer "CN=XXXXXXXXXXX, L=Mumbai, O=sap, C=IN" does not match trusted issuer "CN=YYYYYYYYYYYYYY,L=Mumbai,O=sap,C=IN"
[Thr 140634502854400] HttpCertIsReverseProxyTrustworthy: intermediate cert subject "CN=YYYYYYYYYYYYYYYYY, L=Mumbai, O=sap, C=IN" does not match trusted subject "CN=XXXXXXXXXXXXXXXX,L=Mumbai,O=sap,C=IN"
[Thr 140634502854400] HttpIsReverseProxyTrustworthy: intermediary is NOT trusted
[Thr 140634502854400] HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields

The configured icm/trusted_reverse_proxy_X parameters do not match the cloud connector system certificate, and thus, remove the client certificate from the request, resulting in no user authentication happening to a protected resource, which triggers the logon request.

As per the Cloud Connector documentation - https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/configure-principal-propagation-for-h... - the parameter must point to any middleware certificates that may be present, including CC's own:

Create the following parameter: icm/trusted_reverse_proxy_<x> = SUBJECT="<subject>", ISSUER="<issuer>".

  • Select a free index for <x>.

  • <subject> is the subject of the system certificate (example data: CN=SCC, OU=BTP Scenarios, O=Trust Community, C=DE).

  • <issuer> is the issuer of the system certificate (example data: CN=MyCompany CA, O=Trust Community, C=DE ).

    • For your scenario then, the entry that is missing would be icm/trusted_reverse_proxy_1 = SUBJECT="CN=xxxxxxxxxx, L=Mumbai, O=sap, C=IN", ISSUER="CN=xxxxxxxxxxxxxxxxxx, L=Mumbai, O=sap, C=IN", which should address the trust issue.

    Please configure such parameter, so that trust is appropriately stablished with the Cloud Connector certificate.

    Show replies
    Show replies
    robinkuck
    Product and Topic Expert
    Product and Topic Expert
    ‎05-23-2023 12:08 PM

    Hi Srinivas,

    if a login popup appears when opening an app tile indicates that SSO is not working.

    Have you setup Principal Propagation in your Cloud Connector as described in https://blogs.sap.com/2021/09/06/setting-up-principal-propagation/ ?

    Show replies
    Show replies
    SRINIVAS_KATTA
    Explorer
    ‎05-23-2023 12:42 PM
    0 Kudos

    Hello Robin,

    Thanks for your response.

    We setup Principal Propagation already. And raised same to Basis team, But they telling that we are using Standard Security mentioned in image. No need to maintain SSL.

    Is there any other configurations to do?

    SRINIVAS_KATTA
    Explorer
    ‎06-28-2023 7:16 AM
    0 Kudos

    Issue resolved. Supported by SAP.

    ...............................................................................

    The root cause of such issue is a simple configuration issue in the DS4 system that can be seen in the traces:

    [Thr 140634502854400] HttpCertIsReverseProxyTrustworthy: intermediate cert issuer "CN=XXXXXXXXXXX, L=Mumbai, O=sap, C=IN" does not match trusted issuer "CN=YYYYYYYYYYYYYY,L=Mumbai,O=sap,C=IN"
    [Thr 140634502854400] HttpCertIsReverseProxyTrustworthy: intermediate cert subject "CN=YYYYYYYYYYYYYYYYY, L=Mumbai, O=sap, C=IN" does not match trusted subject "CN=XXXXXXXXXXXXXXXX,L=Mumbai,O=sap,C=IN"
    [Thr 140634502854400] HttpIsReverseProxyTrustworthy: intermediary is NOT trusted
    [Thr 140634502854400] HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields

    The configured icm/trusted_reverse_proxy_X parameters do not match the cloud connector system certificate, and thus, remove the client certificate from the request, resulting in no user authentication happening to a protected resource, which triggers the logon request.

    As per the Cloud Connector documentation - https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/configure-principal-propagation-for-h... - the parameter must point to any middleware certificates that may be present, including CC's own:

    Create the following parameter: icm/trusted_reverse_proxy_<x> = SUBJECT="<subject>", ISSUER="<issuer>".

    • Select a free index for <x>.

    • <subject> is the subject of the system certificate (example data: CN=SCC, OU=BTP Scenarios, O=Trust Community, C=DE).

    • <issuer> is the issuer of the system certificate (example data: CN=MyCompany CA, O=Trust Community, C=DE ).

      • For your scenario then, the entry that is missing would be icm/trusted_reverse_proxy_1 = SUBJECT="CN=xxxxxxxxxx, L=Mumbai, O=sap, C=IN", ISSUER="CN=xxxxxxxxxxxxxxxxxx, L=Mumbai, O=sap, C=IN", which should address the trust issue.

      Please configure such parameter, so that trust is appropriately stablished with the Cloud Connector certificate.

      Show replies
      Show replies
      SRINIVAS_KATTA
      Explorer
      ‎05-23-2023 11:50 AM
      0 Kudos

      Inspired by Below blogs

      Installation and Configuration of SAP Cloud Connector | SAP Blogs

      Setting up SAP Launchpad Service and SAP Mobile Start with Content Federation | SAP Blogs

      Show replies
      Show replies
      Ask a Question