3017609 - Reject untrusted forwarded certificate in Principal Propagation

Symptom

Principal propagation is configured between Business Technology Platform, Cloud Connector and a backend on premise system such as ABAP or S4Hana. Connection is either direct between Cloud Connector and ABAP/S4Hana or there is an additional intermediary such as a proxy, SAP Web Dispatcher or a Load balancer in between the Cloud Connector and the backend system.

A principal propagation Single sign-on (SSO) is failing with the following errors seen in the dev_icm trace of the backend ABAP or S4Hana on premise system:
HttpCertIsReverseProxyTrustworthy: no trust relationship to intermediary specified (see documentation for parameter "icm/HTTPS/trust_client_with_issuer" or "icm/trusted_reverse_proxy")
HttpIsReverseProxyTrustworthy: intermediary is NOT trusted
HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
Reject untrusted forwarded certificate

Additionally you might see:
(received via HTTPS with untrusted certificate) or (received via HTTP) or (received via HTTPS without certificate)

Environment

SAP NetWeaver
SAP Business Technology Platform Connectivity

Product

SAP BTP, Neo environment 1.0 ; SAP Connectivity service 2.0 ; SAP NetWeaver all versions ; SAP Web Dispatcher all versions ; cloud connector 1.0 for SAP HANA Cloud Platform

Keywords

intermediary is NOT trusted, SCC, SAP Cloud Connector, backend, principal propagation, ABAP, S4HANA, (received via HTTPS without certificate), BTP, Business Technology Platform , KBA , BC-CST-IC , Internet Communication Manager , BC-CST-WDP , Web Dispatcher , BC-SEC-LGN , Authentication , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.