SAP Knowledge Base Article - Preview

3017609 - Reject untrusted forwarded certificate in Principal Propagation


Principal propagation is configured between Business Technology Platform, Cloud Connector and an on-premise backend system such as ABAP or S/4HANA. The connection is either direct between Cloud Connector and ABAP or S/4HANA, or there is an additional intermediary such as a proxy, SAP Web Dispatcher or a load balancer between the Cloud Connector and the backend system.

Principal propagation single sign-on (SSO) fails with the following errors in the dev_icm trace of the on-premise backend ABAP or S/4HANA system:
HttpCertIsReverseProxyTrustworthy: no trust relationship to intermediary specified (see documentation for parameter "icm/HTTPS/trust_client_with_issuer" or "icm/trusted_reverse_proxy")
HttpIsReverseProxyTrustworthy: intermediary is NOT trusted
HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
Reject untrusted forwarded certificate

Additionally, you might see one of the following:
(received via HTTPS with untrusted certificate) or (received via HTTP) or (received via HTTPS without certificate)
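
The following is an added example, not part of the SAP article: a Python triage script that scans dev_icm lines for the messages quoted above and groups them into one event per rejected certificate, recording the "(received via ...)" hint when one is present. The sample lines are constructed; their thread prefix, the position of the hint text and the sequential grouping (which ignores interleaving between threads) are assumptions.

```python
import re

# Messages quoted on this page, as they appear in dev_icm.
MARKERS = (
    "no trust relationship to intermediary specified",
    "intermediary is NOT trusted",
    "remove SSL header fields",
)
REJECT = "Reject untrusted forwarded certificate"
# The three transport hints the page lists.
RECEIVED = re.compile(r"\(received via (HTTPS with untrusted certificate|"
                      r"HTTPS without certificate|HTTP)\)")

def find_rejections(lines):
    """Group trace lines into rejection events, one per REJECT line."""
    events, markers, hint, start = [], [], None, None
    for no, line in enumerate(lines, 1):
        m = RECEIVED.search(line)
        if m:
            hint = m.group(1)
            start = start or no
        for marker in MARKERS:
            if marker in line and marker not in markers:
                markers.append(marker)
                start = start or no
        if REJECT in line:
            events.append({"first_line": start or no, "reject_line": no,
                           "markers": markers, "received_via": hint})
            markers, hint, start = [], None, None
    return events

# Constructed sample; the "[Thr NN]" prefix and hint placement are assumptions.
SAMPLE = """\
[Thr 01] HttpCertIsReverseProxyTrustworthy: no trust relationship to intermediary specified (see documentation for parameter "icm/HTTPS/trust_client_with_issuer" or "icm/trusted_reverse_proxy")
[Thr 01] HttpIsReverseProxyTrustworthy: intermediary is NOT trusted
[Thr 01] HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
[Thr 01] Reject untrusted forwarded certificate
[Thr 02] HttpIsReverseProxyTrustworthy: intermediary is NOT trusted (received via HTTP)
[Thr 02] Reject untrusted forwarded certificate
""".splitlines()

if __name__ == "__main__":
    for event in find_rejections(SAMPLE):
        print(event)
```

An event whose `received_via` is `HTTP` or `HTTPS without certificate` means the hop in front of the backend presented no client certificate at all, while `HTTPS with untrusted certificate` means a certificate was presented but the backend does not trust it.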



  • SAP NetWeaver
  • SAP Business Technology Platform Connectivity


SAP BTP, Neo environment 1.0 ; SAP Connectivity service 2.0 ; SAP NetWeaver all versions ; SAP Web Dispatcher all versions ; cloud connector 1.0 for SAP HANA Cloud Platform


intermediary is NOT trusted, SCC, SAP Cloud Connector, backend, principal propagation, ABAP, S4HANA, (received via HTTPS without certificate), BTP, Business Technology Platform , KBA , BC-CST-IC , Internet Communication Manager , BC-CST-WDP , Web Dispatcher , BC-SEC-LGN , Authentication , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , Problem
