SAP Knowledge Base Article - Preview

3283317 - On-premise service access fails from SAP Business Application Studio due to TLS-terminating firewall/proxy

Symptom

Access to the on-premise system from SAP Business Application Studio fails.

Testing the backend system from the BAS terminal returns HTTP status code 503:

curl -v -i "https://ABAP.dest/sap/opu/odata/iwfnd/catalogservice;v=2/ServiceCollection?%24top=1"

HTTP/1.1 503 Service Unavailable

The SAP Cloud Connector log file contains the following exception:

#INFO#com.sap.core.connectivity.tunnel.client.notification.NotificationClientEventHandler#notification-client-10-0#          #Received "open tunnel event" message (packet type: 1 (open tunnel)) for tunnel id account:///12345678-abcd-efgha-123456789abc and hostId null|

#INFO#com.sap.core.connectivity.tunnel.client.notification.NotificationClientEventHandler#notification-client-10-0#          #Opening a tunnel to S4HANA System connectivity.eu10.applicationstudio.cloud.sap:443|

#INFO#com.sap.core.connectivity.tunnel.client.handshake.ClientProtocolHandshaker#tunnel-client-12-8#          #Sending handshake request for tunnel: account:///12345678-abcd-efgha-123456789abc and host connectivity.eu10.applicationstudio.cloud.sap:443|

#WARN#io.netty.util.concurrent.DefaultPromise#tunnel-client-12-8#          #An exception was thrown by com.sap.core.connectivity.tunnel.client.ssl.TunnelClientSSLHandshakeValidator.operationComplete()
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at io.netty.util.concurrent.DefaultPromise.get(DefaultPromise.java:349)
    at com.sap.core.connectivity.tunnel.client.ssl.TunnelClientSSLHandshakeValidator.operationComplete(TunnelClientSSLHandshakeValidator.java:54)
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 38 more|
    
#ERROR#com.sap.core.connectivity.tunnel.client.notification.NotificationClientEventHandler#Thread-10#          #Unexpected exception while establishing tunnel connection for tunnel: account:///12345678-abcd-efgha-123456789abc
javax.net.ssl.SSLException: SSLEngine closed already
    at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:829)
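
Added example, not part of the SAP article or of SAP tooling: a Python triage script that ties the PKIX failure in a Cloud Connector log back to the endpoint whose certificate chain was rejected, by matching the thread of the handshake request with the thread of the exception. The sample log is constructed in the record layout shown above; its host names and tunnel ids are placeholders.

```python
import re

# Constructed sample in the record layout shown above
# (#LEVEL#logger#thread#   #message|); host and tunnel ids are placeholders.
SAMPLE_LOG = """\
#INFO#com.sap.core.connectivity.tunnel.client.handshake.ClientProtocolHandshaker#tunnel-client-12-8#          #Sending handshake request for tunnel: account:///tunnel-a and host connectivity.example.invalid:443|
#INFO#com.sap.core.connectivity.tunnel.client.handshake.ClientProtocolHandshaker#tunnel-client-12-9#          #Sending handshake request for tunnel: account:///tunnel-b and host other.example.invalid:443|
#WARN#io.netty.util.concurrent.DefaultPromise#tunnel-client-12-8#          #An exception was thrown by com.sap.core.connectivity.tunnel.client.ssl.TunnelClientSSLHandshakeValidator.operationComplete()
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at io.netty.util.concurrent.DefaultPromise.get(DefaultPromise.java:349)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ... 38 more|
"""

# A record starts with '#LEVEL#logger#thread#', padding, then '#message'.
RECORD = re.compile(r"^#(\w+)#([^#]+)#([^#]+)#\s*#(.*)$")
HANDSHAKE = re.compile(r"Sending handshake request for tunnel: (\S+) and host (\S+:\d+)")
PKIX = "PKIX path building failed"


def find_untrusted_endpoints(log_text):
    """Return one finding per handshake whose thread later logged a PKIX failure."""
    pending = {}   # thread name -> (tunnel id, host:port) of its latest handshake
    findings = []
    thread = None  # thread of the record the current line belongs to
    for line in log_text.splitlines():
        record = RECORD.match(line)
        if record:
            thread, message = record.group(3), record.group(4)
            handshake = HANDSHAKE.search(message)
            if handshake:
                pending[thread] = handshake.groups()
        # Stack-trace lines carry no header, so they inherit the record's thread.
        if PKIX in line and thread in pending:
            tunnel, endpoint = pending.pop(thread)
            findings.append({"thread": thread, "tunnel": tunnel, "endpoint": endpoint})
    return findings


if __name__ == "__main__":
    for finding in find_untrusted_endpoints(SAMPLE_LOG):
        print("certificate chain not trusted for", finding["endpoint"],
              "(tunnel", finding["tunnel"] + ")")
```

For a reported endpoint, comparing the issuer of the certificate that the Cloud Connector host actually receives with the CAs in the Cloud Connector trust store shows whether a TLS-terminating firewall or proxy is re-signing the connection.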



Environment

SAP Business Application Studio

SAP Cloud Connector

Product

SAP Business Application Studio all versions; SAP Cloud Platform Web IDE all versions

Keywords

503 Service Unavailable, BAS, On-premise, Business Application Studio, Cloud Connector, HTTP 503, SCC, 503, Service Unavailable, Handshake Exception, SSL, SSLHandshakeException, Unexpected exception while establishing tunnel connection for tunnel, SunCertPathBuilderException, TLS, Proxy, Firewall, KBA, CA-BAS-SRVC, Consume SAP Services - SAP Business Application Studio, BC-MID-SCC, SAP Cloud Connector On-Demand/On-Premise Connectivity, Problem
