3068483 - Error when trying to renew SAC subaccount certificate in Cloud Connector

On Cloud Connector, the SAC subaccount certificate expired.

When attempting to refresh it, below error message appears:

• An error occurred when trying to connect — see logs for details (unless log level is 'Off')

In the Cloud connector ljs_trace.log/scc_core.trc this can be seen:

• "at java.lang.Thread.run(Thread.java:807)
  Caused by: com.sap.scc.servlets.SccHandshakeException: SCC handshake failed: 403 — Forbidden"

In the Cloud connector ljs_trace.log/scc_core.trc this can be seen:

• #INFO#com.sap.scc.security#https-jsse-nio2-8443-exec-6# #Returned Http Response with code 401
  

In the Cloud connector ljs_trace.log/scc_core.trc this can be seen:

• Caused by: com.sap.scc.servlets.SccHandshakeException: SCC handshake failed: 401 — Unauthorized 

• SAP Cloud Connector (SCC)
• SAP Analytics Cloud (SAC)
• SAP Datasphere

1. Click "Certificate" button to refresh certificate in SAP Cloud Connector (SCC) subaccount 
2. Enter user and password -> The error is seen.

• This is usually caused by a mismatch of user between the SAC BTP Core Account info and the user credentials being used for the certificate refresh in Cloud Connector. The user needs to be the same. 
• Another reason is password of the S-user was just renewed in minutes, so the profile of the S-user was not yet updated. For example, after renewing password, when https://accounts.sap.com is opened, "reset password" is prompted instead of the profile page.

• Solution 1
  1. Access SAP Datasphere/SAP Analytics Cloud
  2. Go to the Main Menu > System > Administration
  3. Click on Data Source Configuration and scroll until "SAP BTP Core Account".
     
     
  4. Check the email that is displayed there. If it is not yours, choose Edit and set to your email which is associated to an S-user ID.
  5. Try to refresh the certificate in the Cloud Connector with this email and password.

Also, make sure that the e-mail address is associated with an active S-User ID. To avoid login issues, the e-mail must be associated to 1 S-user ID only. To validate the password try to login to https://accounts.sap.com with the same credentials entered in the Cloud Connector. If the login fails, use the "Forgot Password" link in the logon page to reset the password.

Note: Users created in the Technical Users application cannot be used in the Cloud Connector. Reason being these users are not stored in the SAP ID Service. They are only used in SAP Solution Manager's Support Hub Connectivity.

In addition, it is not possible to use SAP Universal ID in the Cloud Connector yet. Log on with the password associated with your S-user account.

• Solution 2
  1. After renewing password, double check the logon result in https://accounts.sap.com, if "reset password" is prompted then wait for a little more time until the user is synced.
     
     

Note: Changing the subaccount user will not affect the whole datasphere/SAC users.

KBA 2950537 - Subaccount certificate expired from SAP Cloud Connector

KBA 2397165 - How do I connect SAP Analytics Cloud (SAC) to the SAP BTP Cloud Connector and SAP Analytics Cloud Agent?

KBA 2701137 - SAP Cloud Connector - Guided Answers

KBA 3201518 - SAP Cloud Connector Documentation

SAP Note 3302250 - Cloud Connector support strategy

Authorization, handshake, unauthorized, 401, SCC handshake failed: 403 — Forbidden, SAP BTP Core Account, credentials, SAC Subaccount, Certificate, Refresh, Cloud Connector, datasphere, scc, SAP Cloud Connector, password, renew, refresh certificate, add subaccount, subaccount certificate, , KBA , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , LOD-ANA-ADM , SAC Administration , How To