Symptom
HTTPS Connection between SAP Cloud Connector and BW ABAP Server ICM fails
Environment
- SAP Cloud Connector
- SAP NetWeaver ABAP server
- SAP Business Warehouse
Reproducing the Issue
You are following the guide 'Live Data Connections Advanced Features Using the SAPCP Cloud Connector'.
Resolution
Technical overview of flow
The Cloud Connector needs to send a number of SSL certificates when initiating a connection.
First
a) The Cloud Connector will send its 'System Certificate' if the certificate is trusted by the ABAP server. This trust is checked against the certificate list entries in transaction STRUST -> SSL Server Standard (the System Certificate or its issuing Root Certificate needs to be stored here).
b) The issuer and subject attributes of the System Certificate are checked against the values of the profile parameters
icm/HTTPS/trust_client_with_subject
icm/HTTPS/trust_client_with_issuer
or icm/trusted_reverse_proxy_<x> when SAP Note 2052899 is applied
Second
If principal propagation is to be used to log on to the BW ABAP server, then a client X.509 certificate unique to the end user is sent via the HTTP header of the request.
Troubleshooting tips/hints
1. Cloud Connector not configured with a System Certificate that has the Certificate Authority (CA) property
If the Cloud Connector is newly installed, the System Certificate should be generated; otherwise the initial certificate that exists after installation will not have the required "CA property". This property means that the certificate can be used by the BW ABAP server as a so-called 'trust anchor' to verify the connector's certificate.
Without it, you will get an error in the ICM trace of the BW ABAP server like:
in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
in/out: status = "new SSL session,TLSv1.2,TLS_RSA_WITH_AES128_GCM_SHA256, NO client cert"
This happens even if the certificate has been imported to the BW ABAP server as a trust anchor, because the ICM cannot verify the SCC System Certificate when it does not have usage as a CA certificate.
2. Set ICM profile parameters on BW system
Both profile parameters icm/HTTPS/trust_client_with_issuer and icm/HTTPS/trust_client_with_subject, or alternatively icm/trusted_reverse_proxy_<x>, need to be set in the default profile of the BW server.
The value for these should be the subject and issuer of the SCC System Certificate, or a wildcard value can be used for testing purposes, e.g.
icm/HTTPS/trust_client_with_issuer =*
icm/HTTPS/trust_client_with_subject=*
or
icm/trusted_reverse_proxy_<x>
When setting these values via RZ10 or RZ11 in the BW server, take care to include any spaces that may be contained between the certificate subject/issuer attributes.
For example if the subject is
CN= SCC, OU = Connectivity, O = SAP SE, C = DE
then setting icm/HTTPS/trust_client_with_subject with value
CN=SCC,OU = Connectivity,O = SAP SE,C = DE
or
icm/trusted_reverse_proxy_0 = SUBJECT="CN= SCC, OU = Connectivity, O = SAP SE, C = DE", ISSUER="CN=SCC,OU = Connectivity,O = SAP SE,C = DE"
(note: no spaces between the comma and the next attribute) will result in the error
'HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields'
in the ICM trace as seen in transaction SMICM (or viewed at file level in dev_icm). Likewise, take care to avoid typos when setting the parameters in RZ10/11.
3. ST/SP 'state or province' values of the subject of the SCC System Certificate
The state or province attribute in the certificate subject is represented as SP in CommonCryptoLib, while it is "ST" in the Cloud Connector.
As the ABAP server uses SP, ST will not be recognised. In this case, when setting the parameters icm/HTTPS/trust_client_with_subject/issuer, be sure to replace ST with SP as the attribute of the subject/issuer.
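The checks from tips 2 and 3, as an added example that is not part of the original note and is not SAP code: it compares a configured parameter value with the subject or issuer string shown for the System Certificate and reports spacing differences, ST/SP naming and typos. It assumes the exact-string comparison implied above rather than reproducing the ICM's own matching; the function names and the ST sample DN are constructed for illustration.

```python
import re

def split_dn(dn):
    """Split a DN into (NAME, value) pairs with spacing removed.
    Simplification (assumption): escaped commas inside values are not handled."""
    pairs = []
    for part in dn.split(","):
        name, _, value = part.partition("=")
        pairs.append((name.strip().upper(), value.strip()))
    return pairs

def expected_value(scc_dn):
    """DN as shown by the Cloud Connector -> value to set on the ABAP side:
    spacing kept exactly, attribute name ST renamed to SP (tip 3)."""
    return re.sub(r"(^|,)(\s*)ST(\s*=)", r"\1\2SP\3", scc_dn)

def check_parameter(scc_dn, configured):
    """Return a list of findings; an empty list means the value matches."""
    if configured.strip() == "*":
        return ["wildcard value: intended for testing only"]
    expected = expected_value(scc_dn)
    if configured == expected:
        return []
    findings = []
    renamed = expected_value(configured)  # same ST -> SP rename on the setting
    if renamed != configured:
        findings.append("ST used: the ABAP server expects SP")
    if split_dn(renamed) != split_dn(expected):
        findings.append("attribute names or values differ (typo?)")
    elif renamed != expected:
        findings.append("spacing differs from the certificate")
    return findings

if __name__ == "__main__":
    subject = "CN= SCC, OU = Connectivity, O = SAP SE, C = DE"  # from this page
    bad = "CN=SCC,OU = Connectivity,O = SAP SE,C = DE"          # from this page
    print(check_parameter(subject, bad))      # spacing finding
    print(check_parameter(subject, subject))  # no findings
    # Constructed DN (not from the page) to show the ST -> SP rename
    print(expected_value("CN=SCC, ST=Example, C=DE"))
```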
4. Tracing
If the issue still cannot be resolved, collect an ICM trace from the ABAP server; see note 2746754 - Log and Trace files to troubleshoot scenarios involving SAP CP > SCC > ABAP
Keywords
SSL, https , KBA , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , Problem