SAP Knowledge Base Article - Preview

2160678 - SSO stops working when the ICM trust parameters are configured


An SAP Web Dispatcher is in front of an SAP system (remark: this is valid for third party load balancers / reverse proxies too, although this KBA focus on the SAP Web Dispatcher).

Single Sign-on (SSO) is configured based on X.509 Client Certificates and it is working.

You want to enhance the security of the communication between the Web Dispatcher and its backend system.

To do that, you either:

  • Maintain the parameters "icm/HTTPS/trust_client_with_issuer" and "icm/HTTPS/trust_client_with_subject" at the backend system; or
  • Maintain the parameter(s) "icm/trusted_reverse_proxy_X".

After that, the SSO stops working.

The level 2 (or 3) ICM trace, at the backend system, shows the following trace entries:

[Thr 7160] <<- SapSSLGetPeerInfo(sssl_hdl=000000000C6E1160)==SAP_O_K
[Thr 7160]     out: subject  = "CN=WDP, OU=SSL CLIENT, O=SAP, C=BR"
[Thr 7160]     out: issuer   = ", O=Example CA, L=City, SP=State, C=BR"
[Thr 7160]     out: cert_len = 1828
[Thr 7160]     out: cipher   = "TLS_RSA_WITH_AES128_CBC_SHA"
[Thr 7160] HttpModGetDefRules: Client certificate received: with len=1828, subj="CN=WDP, OU=SSL CLIENT, O=SAP, C=BR", issuer=
[Thr 7160] HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
[Thr 7160] HttpModGetDefRules: determined the defactions: REMOVE_SSL_HEADER REMOVE_EXPECT_HEADER  (72)

  • The lines in blue show the details of the Web Dispatcher's client certificate;
  • The line in red indicates one of the possible root causes of the issue (see the "Cause" section, below).

The configuration explained in Resolution section is also used for principal propagation setup.



  • Product independent
  • Release independent
  • Client/Server Technology - ICM (Internet Communication Manager)
  • Client/Server Technology - Web Dispatcher
  • Security - Secure Sockets Layer Protocol
  • Java Application Server- Security, User Management / SSO, Logon


SAP NetWeaver all versions


Single sign on, Single sign-on, SSO, X.509, WDP, WD, Web disp, PSE, Certificate, Trust, ICM, ICMAN, Web Dispatcher, Principal Propagation, SSSLERR_PEER_CERT_UNTRUSTED, Reject untrusted forwarded certificate , KBA , s4, cpi & webdispatcher certificate aut , smicm log 401 unauthorized , authentication issue , 503 service not available , client certificate rejected , BC-CST-IC , Internet Communication Manager , BC-CST-WDP , Web Dispatcher , BC-JAS-SEC , Security, User Management , BC-SEC-SSL , Secure Sockets Layer Protocol , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.