SAP Knowledge Base Article - Preview

3017609 - Reject untrusted forwarded certificate in Principal Propagation


Principal propagation is configured between Cloud Platform, Cloud Connector and a backend on premise system such as ABAP or S4Hana. There is an intermediary such as a proxy, SAP Web Dispatcher or a Load balancer in between the Cloud Connector and the backend system.

A principal propagation Signle sign-on (SSO) is failing with the following errors seen in the dev_icm trace of the backend ABAP or S4Hana on premise system:

HttpCertIsReverseProxyTrustworthy: no trust relationship to intermediary specified (see documentation for parameter "icm/HTTPS/trust_client_with_issuer" or "icm/trusted_reverse_proxy")

HttpIsReverseProxyTrustworthy: intermediary is NOT trusted

HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields

Reject untrusted forwarded certificate

Additionally you might see

(received via HTTPS with untrusted certificate) or (received via HTTP)



SAP NetWeaver

SAP Cloud Platform Connectivity


SAP Business Technology Platform 1.0 ; SAP Connectivity service 2.0 ; SAP NetWeaver all versions ; SAP Web Dispatcher all versions ; cloud connector 1.0 for SAP HANA Cloud Platform


KBA , BC-CST-IC , Internet Communication Manager , BC-CST-WDP , Web Dispatcher , BC-SEC-LGN , Authentication and SSO , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.