/support/notes/service/sap_logo.png){kind=logo}
SAP Knowledge Base Article - PublicSymptom
After updating SAP Cloud Connector (SCC) and JVM to the latest version, Connection to SAP BW or SAP S/4HANA On-Premise starts to fail in SAP Analytics Cloud with the following errors:
- Error Messages in SAP Analytics Cloud (SAC):
- We couldn't connect to your BW system. For more information, see our troubleshooting page....
- We could not validate your settings for advanced features. Please double check with your administrator that...
- HTTP Status in Browser Console:
- 502 (Bad Gateway)
- Error Message in Developer Trace (HAR):
- Principal propagation forbidden for user **** on system host:port, because the backend connection is not mutually authenticated.
Environment
- SAP Analytics Cloud, Enterprise Edition
- SAP Cloud Connector 2.19.0
Reproducing the Issue
- Update SAP Cloud Connector to version 2.19.0+.
- Log on to SAC tenant.
- Try to create or modify one of the following connections which leverage SAP Cloud Connector to forward HTTPS request to backend system:
- Live Tunnel connection to SAP BW or SAP S/4HANA On-Premise
- Live Direct connection with Advanced Feature enabled to SAP BW or SAP S/4HANA On-Premise
- Import Data connection to SAP S/4HANA On-Premise
Cause
- Starting with SAP Cloud Connector (SCC) version 2.19, an additional security check was introduced to verify whether a mutual TLS (mTLS) connection has been established before adding the short-living certificate identifying the user as the SSL_CLIENT_CERT header to the request.
- If the CA certificate that issued the SAP Cloud Connector system certificate is not trusted by the ABAP back-end system (or by SAP Web Dispatcher if used in front of the system), the connection is treated only as a TLS connection instead of an mTLS connection. In such cases, identity propagation may fail.
- Please refer to SAP KBA 3452851 for additional details.
Resolution
Ensure there is no third-party proxy with TLS termination between SAP components. If a load balancer exists between Cloud Connector and Web Dispatcher, TLS must not be terminated by the load balancer.
Also check the Web Dispatcher documentation under: Certificate Forwarding Security Considerations | SAP Help Portal
Configure Identity Propagation for HTTPS | SAP Help Portal
Workaround
If immediate restoration is required and trust configuration changes cannot be performed immediately:
- Revert to a previous SAP Cloud Connector version where mTLS enforcement check was not active
See Also
- KBA 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
- KBA 2487011 - What information do I need to provide when opening a case for SAP Analytics Cloud?
- KBA 2511489 - Troubleshooting performance issues in SAP Analytics Cloud
- SAP Analytics Cloud Connection Guide
- SAP Analytics Cloud Get More Help and SAP Support
- Need More Help? Contact Support
Your feedback is important to help us improve our knowledge base.
Keywords
SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped, sap analyst cloud, predictive analytics (analysis), data analysis (analytics) tools, analytics tools, sap analytics cloud, data literacy, advanced analytics, data democratization, analytics software, real time analytics, self service analytics, advanced data analytics, analytics as a service, analytics cloud / cloud analytics, saas analytics, cloud bi, enterprise planning, cloud data analytics, cloud based analytics, analytics cloud platform, modern analytics, real time analysis, cloud analytics solution(s), what is sap analytics cloud, cloud analytics tools, analytics in the cloud, cloud analytics software epm, business intelligence, sap analyst cloud,sac hot news sac kba , KBA , LOD-ANA-LDC-HAN , SAC Live Data Connection HANA , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , LOD-ANA-AQU , Import Data Connections (Acquiring Data) , Problem
/support/notes/service/twitter.svg)
/support/notes/service/youtube.svg)
/support/notes/service/linkedin.svg)
/support/notes/service/instagram2.svg)