3741278 - SAP Cloud Connector issue: Principal Propagation forbidden due to missing mtls after upgrade to version 2.19

Symptom

Principal propagation from a cloud application to the on-premise system stops working after upgrading SCC to version 2.19.02. Downgrading to version 2.18.x or lower restores principal propagation functionality.
Entries in the (ljs_trace.log (<2.17)/scc_core.trc (>=2.17)):
#DEBUG#com.sap.core.connectivity.spi.processing.OutboundConnectionErrorHandler#tunnel-client-41-9#0x2d532394#Protocol processing error:
com.sap.core.connectivity.protocol.http.handlers.HttpProtocolException: Principal propagation forbidden for user <username> on system <Host:Port>, because the backend connection is not mutually authenticated.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

SAP Cloud Connector On-Premise Connectivity

Product

CONNECTOR FRAMEWORK all versions

Keywords

principal propagation, forbidden, backend connection not mutually authenticated, mtls, client certificate, SSL_CLIENT_CERT, cloud connector 2.19.02, identity propagation, https, trust store, abap backend, web dispatcher, short-lived certificate, io.netty.handler.ssl.SslClosedEngineException, scc upgrade, mutual tls enforcement, PP, 2.19.0, upgrade, pp failed, , KBA , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.