HTTPS Connection between SAP Cloud Connector and BW ABAP Server ICM fails
- SAP Cloud Connector
- SAP Netweaver ABAP server
- SAP Business Warehouse
Reproducing the Issue
You are following guide 'Live Data Connections Advanced Features Using the SAPCP Cloud Connector'
Technical overiew of flow
The Cloud connector needs to send a number of SSL certificates when initiating a connection
a) The cloud connector will send its 'System certificate ' if the certificate is trusted by the ABAP server. This trust is checked based
on check of the certificate list entries in transaction STRUST -> SSL Server standard (the System Certificate or its issuing Root Certificate needs to be stored here).
b) a check of the System Certificate issuer and subject attributes are made based on the value of the profile parameters
or icm/trusted_reverse_proxy_<x> when SAP Note 2052899 is applied
If principal propegation is to be used to logon to the BW ABAP server then client X.509 certificate unique to the end user is sent via the http header of the request
1. Cloud connector not configured with system certificate that has Certificate Authority (CA) property
The System certificate of the connector should be generated if the cloud connector is newly installed otherwise the initial certificate existing after installation will not have the required "CA property". This property means that the certifiate can be used as a so called 'trust anchor' to verify the connectors certificate by the BW ABAP server
Otherwise in this case you will get an error in the ICM trace of the BW ABAP server like
in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
in/out: status = "new SSL session,TLSv1.2,TLS_RSA_WITH_AES128_GCM_SHA256, NO client cert"
(even if this certificate has been imported to the BW Abap server as a trust anchor) as the ICM cannot verify the SCC System Certificate as it does not have usage as a CA certificate
2. Set ICM profile parameters on BW system
Both profile parameters icm/HTTPS/trust_client_with_issuer and icm/HTTPS/trust_client_with_subject or icm/trusted_reverse_proxy_<x> need to be set in the default profile of the BW server.
The value for these should be the subject and issuer of the SCC System certificate or wildcard value can be used for testing purposes e.g.
When setting these values via RZ10 or RZ11 in the BW server take care to include any spaces that maybe conatined between the certificate subject/issuer attributes.
For example if the subject is
CN= SCC, OU = Connectivity, O = SAP SE, C = DE
then setting icm/HTTPS/trust_client_with_subject with value
CN=SCC,OU = Connectivity,O = SAP SE,C = DE
icm/trusted_reverse_proxy_0 = SUBJECT="CN= SCC, OU = Connectivity, O = SAP SE, C = DE", ISSUER="CN=SCC,OU = Connectivity,O = SAP SE,C = DE"
(note no spaces between the comma and next attribute) will result in error
'HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields'
in the ICM trace as seen in transaction SMICM (or viewed at file level dev_icm). Likewise take care for any typos when setting the parameters in RZ10/11
3. ST/SP 'state or province' values of subject of SCC System certificate certificate
state or province attribute in the certificate subject is represenented as SP in CommonCryptoLib while it is “ST” in the Cloud connector
As the Abap server uses SP, ST will not be recognnised. In this case when setting parameters icm/HTTPS/trust_client_with_subject/issuer ensure to replace ST with SP as the attribute of the subject/issuer.
If the issue still cannot be resolved then collect an ICM trace from the ABAP server see note -> 2746754 - Log and Trace files to troubleshoot scenarios involving SAP CP > SCC > ABAP
SSL, https , KBA , BC-SEC-SSL , Secure Sockets Layer Protocol , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , Problem