
HTTP response '502: Host not found' when communicating with On-Premise System

Hello Community,

The problem I would like to clarify is already stated in the header. The original message from browser is "HTTP Error 500, could not sent message"; that "underlying" error I see in the Logs of my Java Application in HANA Cloud.

Full underlying message looks like:

Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '502: Host not found' when communicating with https://system.virtual:port/path/to/service/

Scenario:

Destination DEST at HANA Cloud with URL "https://system.virtual:port/path/to/service/"

Cloud Connector with HTTPS connection (virtual "system.virtual:port", internal "real.system.corp:12345");

  • path and sub-paths included

Java App, which is a client to a SOAP service (JAX-WS by Apache CXF) => on HANA Cloud

  • DEST will be resolved via ConnectivityConfiguration API

On-Premise ABAP System, which provides the SOAP Web Service (got WSDL from SOA Manager, etc)

Testing locally, within the firewall is not a problem, resulting JSON will be received.

It seems that a Cloud Connector cannot be reached from Cloud. Or won't be reached at all. What could the problem be? The connector is a master instance, registered in Cloud, etc.

Thanks in advance!

Denis

Ulrich_Schmidt
Product and Topic Expert

Hi Denis,

looks like you forgot to set the "Proxy Type" in the destination to "OnPremise". Consequently the app VM is trying to locate the hostname "system.virtual" out there in the Internet, where it of course does not exist...

Regards, Ulrich

0 Kudos

Hi Ulrich,

yes, you are actually right; I didn't use the proxy in my code, because it returns "405 Method not allowed" (and somewhere in the documentation I saw that https is not supported by that proxy). Could this mean that I still should call the proxy, but also set up trust or something?

Best regards,

Denis

Ulrich_Schmidt
Product and Topic Expert
0 Kudos

Hi Denis,

if you want to make the connection via the Cloud Connector into the on-premise network, then you need to use "Proxy Type = OnPremise", otherwise your App VM will not know to go through the SSL tunnel to the SCC.

So is https supported? Yes, but differently from what you would expect... In order to understand this, you need to know a bit of background:

a) The tunnel between the SCC and your App VM is already SSL encrypted, independent of the protocol used by the application.
b) Therefore it is not necessary to "encrypt the data twice", so the application should just use plain HTTP: the data is then encrypted, sent through the tunnel to the SCC, where it gets decrypted again and checked against the access restrictions. If the SCC finds that this request is entitled to be forwarded to the backend system, it checks the protocol in the hostname mapping, and if it is set to HTTPS there, the SCC will make an HTTPS call to the backend (even if the data from the Cloud came as a "normal" HTTP request).

So in order to talk HTTPS to the backend, you need to

1. Use "http" in the definition of the destination (and of course "Proxy Type=OnPremise")
2. Use HTTPS as the protocol in the hostname mapping in the SCC

3. Import the necessary SSL certificate in the SCC, so that the SCC is able to establish a trusted SSL connection with the backend.

But before that I recommend to first make a "proof of concept" with plain http also for connection between SCC and backend. Once that is working ok, you can then switch it to https. (Which usually takes some trial and error until all the necessary certificates are in place...)

The error "405 Method not allowed" can probably be explained as follows: the application was set up to use https and then started the SSL handshake with the proxy. The proxy expects plain unencrypted data and interpreted the bytes from the SSL handshake as the beginning of an HTTP request... So instead of the expected GET or POST, it received some "strange" bytes from the SSL handshake and didn't know what HTTP Method this was supposed to be...

Best Regards, Ulrich

0 Kudos
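The 405 explanation above, as an added example that is not part of the original thread: a check that tells a TLS ClientHello from an HTTP request by its first bytes, next to a toy plain-HTTP listener that cannot find a method in the handshake bytes. The listener's status codes are an assumed simplification of the proxy's behaviour, and the ClientHello is a constructed, truncated sample.

```python
import struct

HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE"}


def sample_client_hello() -> bytes:
    """Constructed sample: TLS record header plus the start of a ClientHello."""
    body = b"\x03\x03" + bytes(32)                             # version + random (zeros)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # Record layer: content type 0x16 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def classify_first_bytes(data: bytes) -> str:
    """Decide what a client sent to a port, looking only at the leading bytes."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def plaintext_listener_status(data: bytes) -> int:
    """Assumed behaviour of a plain-HTTP endpoint: no known method -> 405."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return 200
    return 405


def diagnose(data: bytes) -> str:
    """Combine both views into the message an operator would want in a log."""
    kind = classify_first_bytes(data)
    status = plaintext_listener_status(data)
    if kind == "tls-handshake":
        return f"{status}: TLS handshake on a plain-HTTP port, use http:// in the destination"
    if kind == "http":
        return f"{status}: plain HTTP request"
    return f"{status}: unrecognised bytes"


if __name__ == "__main__":
    # Constructed request using the virtual host name from the thread
    http_request = b"POST /path/to/service/ HTTP/1.1\r\nHost: system.virtual\r\n\r\n"
    print(diagnose(sample_client_hello()))
    print(diagnose(http_request))
```
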

Thanks, Ulrich, first of all for the explanation of that trick with "masking" - not really obvious (or is there any documentation on that?).

I need to say that for some reason it was necessary to explicitly specify the authorization header within the HTTP request in Java and also not to forget the header "SAP Connectivity Consumer Account". Only having all that together I received my response.

Best regards,

Denis

Ulrich_Schmidt
Product and Topic Expert
0 Kudos

Hi Denis,

you are right: the documentation isn't very clear about this point... I found only one short note, which I guess is "understandable" only if you are already an expert in this field:

Note

  • On-premise destinations support HTTP connections only.
  • The connection from an application to the cloud connector (through the tunnel) is encrypted on TLS level. Also, you can choose between using HTTP or HTTPS to hop from the cloud connector to the back end.

(https://help.hana.ondemand.com/help/frameset.htm?e76f9e75bb571014a7218bcd30a8771b.html)

Best Regards, Ulrich

Former Member
0 Kudos

Hello Ulrich,

We seem to be having the exact same scenario, and we face a similar issue.

We created two virtual hosts:

  • our.virtual.host:80 with internal.host:80 for http
  • our.virtual.host:443 with internal.host:443 for https

We have established, that:

  • using our.virtual.host:80, we are getting the metadata of the service
  • using our.virtual.host:443, we are getting a "401 Unauthorized"...


The full response we are getting with https is:

HttpResponseProxy{HTTP/1.1 401 Unauthorized [content-type: text/html; charset=utf-8, content-length: 2001, sap-system: XXX, www-authenticate: Basic realm="SAP Web Application Server [XXX]", sap-client: XXX, server: SAP NetWeaver Application Server / ABAP 700] ResponseEntityProxy{[Content-Type: text/html; charset=utf-8,Content-Length: 2001,Chunked: false]}}

We tried to play around with the "virtual port", using 8080, but with https, it still gives us a 401.

SAP Basis and SAP ABA are on release 700, SP 0033.

Is there anything we need to do to get the https connection working?

With best regards, Rolf

MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hi Rolf,

If 502 is returned the internal host is very likely not reachable. In case of HTTP it seems that logon is failing as the realm is sent back to the caller. What kind of authentication mechanism are you trying to use?

Best regards,

Markus

Former Member
0 Kudos

We are using "basic Authentication".

It works with http (80), it doesn't work with https (443) (internal mapping settings in SCC).

MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hi Rolf,

do you have a system certificate configured? If yes, is the ICF service in the backend checking basic first or is it checking all login procedures? If certificate is checked before basic and there is no user mapping for the system certificate, backend will not continue, but fail with logon failure.

Best regards,

Markus

Former Member
0 Kudos

Hello Markus,

Thanks for the hint, I found a SAP-Note, which explains about the user mapping for the system certificate. We did not have the certificate mapped to the user. For reference, if anyone has the same problem, we used transaction EXTID_DN for the mapping.


Thanks again for the help.

With best regards, Rolf