3068483 - Error when trying to renew SAC subaccount certificate in SAP Cloud Connector.

Symptom

In the SAP Cloud Connector, the SAC subaccount certificate expired.
When attempting to refresh it, below error message appears:

"An error occurred when trying to connect — see logs for details (unless log level is 'Off')"
In the Cloud Connector ljs_trace.log (<2.17)/scc_core.trc (>=2.17) this can be seen:

"at java.lang.Thread.run(Thread.java:807)

Caused by: com.sap.scc.servlets.SccHandshakeException: SCC handshake failed: 403 — Forbidden"

4. In the Cloud Connector ljs_trace.log (<2.17)/scc_core.trc (>=2.17) this can be seen:

"#INFO#com.sap.scc.security#https-jsse-nio2-8443-exec-6# #Returned Http Response with code 401"

5. In the Cloud Connector ljs_trace.log (<2.17)/scc_core.trc (>=2.17) this can be seen:

"Caused by: com.sap.scc.servlets.SccHandshakeException: SCC handshake failed: 401 — Unauthorized "

*Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental

Environment

SAP Cloud Connector(SCC) release independent.
SAP Analytics Cloud(SAC).
SAP Datasphere.

Reproducing the Issue

Login to SCC Admin UI.
Go to the specific subaccount.
Click on "Certificate" button to refresh certificate.
Enter user and password and click on Renew
"An error occurred when trying to connect..." error appears.

Cause

This is usually caused by a mismatch of user between the SAC BTP Core Account info and the user credentials being used for the certificate refresh in Cloud Connector. The user needs to be the same.
Another reason is password of the S-user was just renewed in minutes, so the profile of the S-user was not yet updated. For example, after renewing password, when https://accounts.sap.com is opened, "reset password" is prompted instead of the profile page.

Resolution

Solution 1:
1. Access SAP Datasphere/SAP Analytics Cloud;
2. Go to the Main Menu > System > Administration;
3. Click on Data Source Configuration and scroll until "SAP BTP Core Account".
4. Check the email that is displayed there. If it is not the right one, choose Edit and set the right email id which is associated to an S-user ID;
5. Try to refresh the certificate in the Cloud Connector with this email and password.

Additionally, make sure that the e-mail address is associated with an active S-User ID. To avoid login issues, the e-mail must be associated to 1 S-user ID only. To validate the password try to login to https://accounts.sap.com with the same credentials entered in the Cloud Connector. If the login fails, use the "Forgot Password" link in the logon page to reset the password.

Note: Users created in the Technical Users application cannot be used in the Cloud Connector. Reason being these users are not stored in the SAP ID Service. They are only used in SAP Solution Manager's Support Hub Connectivity.

It is not possible to use SAP Universal ID in the Cloud Connector yet. Log on with the password associated with the S-user account.

Solution 2
1. After renewing password, double check the logon result in https://accounts.sap.com, if "reset password" is prompted then wait for a little more time until the user is synced.

Note: Changing the subaccount user will not affect the whole datasphere/SAC users.

Keywords

Authorization, handshake, unauthorized, 401, SCC handshake failed: 403 — Forbidden, SAP BTP Core Account, credentials, SAC Subaccount, Certificate, Refresh, Cloud Connector, datasphere, scc, SAP Cloud Connector, password, renew, refresh certificate, add subaccount, subaccount certificate, SAP Analytics Cloud, Cloud connector, connector, hana.ondemand.com, subaccount, sub-account, sub account, , KBA , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , LOD-ANA-ADM , SAC Administration , How To

Product

SAP Analytics Cloud 1.0