We are using the SAP BAS to create Fiori Apps.
We established the principal propagation setup between SAP BTP and on-premise System through the SAP cloud connector. SAP CC is in DMZ Zone ( here is proxy configured) In SAP CC are /sap services are released. But when I try to access the SAP backend system via SAP BAS, this error occurs: "The selected system is returning an authentication error. Please verify the destination configuration"
Cloud Connector logs:
com.sap.core.connectivity.tunnel.client.handshake.AbstractClientHandshaker#tunnel-client-25-7# #Handshake with tunnel server completed successfully for tunnelId: account:///sdd/local
com.sap.core.connectivity.tunnel.core.impl.context.TunnelRegistryImpl#tunnel-client-44 #Registered tunnel channel [id: 234, L:/111.111.111:1111 - R:/222.222.222:80] for tunnelId account:///2kdkd-2/local and client Id 4dfjfff
INFO#com.sap.core.connectivity.tunnel.client.TunnelClient#tunnel-client-22# #Successfully established tunnel channel: [id: 234, L:/111.111.111:1111 - R:/222.222.222:80]
DEBUG#io.netty.channel.DefaultChannelPipeline#tunnel-client-23# #Discarded inbound message EmptyLastHttpContent that reached at the tail of the pipeline. Please check your pipeline configuration.
DEBUG#io.netty.channel.DefaultChannelPipeline#tunnel-client-25-7# #Discarded message pipeline : [idleStateHandler, ssl, wsencoder, wsdecoder, tunnelStateHandler, protocolEncoder, protocolDecoder, payloadTracer, flowControlHandler, messagePacketHandler, tunnelErrorHandler, DefaultChannelPipeline$TailContext#0]. Channel : id: 234, L:/111.111.111:1111 - R:/222.222.222:80
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23-3# #Decoding WebSocket Frame opCode=2
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23-3# #Decoding WebSocket Frame length=4309
TRACE#com.sap.core.connectivity.tunnel.core.handlers.MessagePacketHandler#tunnel-client-3333-444-34555#Received message of type 1 (open connection) over tunnel channel
[id: 239i2-3, id: 234, L:/111.111.111:1111 - R:/222.222.222:80]; tunnelId: account:///sss023i4i4/local
TRACE#com.sap.core.connectivity.tunnel.core.impl.processing.TunnelSubscribingProcessor#tunnel-client-23-3#0x8207f8e0#Received subscription request for connection id: 233s-344 to tunnel channel id: 344,44,33. Tunnel id: "account:///340i-dfdf3/local"
Spoiler
DEBUG#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23-3 3444#Subscribed connectionId 2333 to tunnel channel [id: 3444, id: 234, L:/111.111.111:1111 - R:/222.222.222:80] with tunnelId account:///4543545öfdff/local
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-2523.23344#Tunnel [ objectId [com.sap.core.connectivity.tunnel.core.impl.context.TunnelRegistryImpl$LazyTunnel@3444]; clientId [34444]; tunnelId [account:///34444/local]; currentChannel [0]; tunnelChannels [[[id: 3333, id: 234, L:/111.111.111:1111 - R:/222.222.222:80channelSubscriptions [{-3434=[id: 3444, id: 234, L:/111.111.111:1111 - R:/222.222.222:80]}] ]
#TRACE#com.sap.core.connectivity.tunnel.client.sso.SSOClientProcessor#tunnel-client-3-37#09999#Received SSO token "weweeXXXXX" with type "JWT" for principal type "BUSINESS"; connection origin Id "sb-app-studio!333", type "CF Connectivity Client ID" and name "unknown" from message packet
DEBUG#com.sap.core.connectivity.tunnel.client.sso.SessionInfoStore#tunnel-client-23-3#43434#Generated new session id 444
#TRACE#com.sap.core.connectivity.tunnel.client.sso.SSOClientSessionService#tunnel-client-23-3#3434#Retrieved connection meta info [originId: sb-app-studio!2333, originName: unknown, originType: CF Connectivity Client ID] for connectionId 3333
#TRACE#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-23-3#3434#Parsing JWT: sdsdsdsd-----END PUBLIC KEY-----
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-23-#3434#Decoded JWT with claims: {"sub":"33434444434","xs.user.attributes":{},"user_name":"[email protected]","origin":"sap.default","iss":"... ://88033.hana.ondemand. com/ oauth...","xs.system.attributes":{"xs.rolecollections":["Destination Administrator","Subaccount Viewer","Business_Application_Studio_Extension_Deployer","Business_Application_Studio_Developer","Cloud Connector Administrator","Business_Application_Studio_Administrator","Subaccount Administrator","z_business_appl_studio","Connectivity and Destination Administrator"]},"given_name":"user","client_id":"sb-xxxxx!xx|destination-xsappname!ddd","aud":["uaa","openid","xs_account","destination-xsappname!344","sb-444!b7444|destination-xsappname!sdd","destination-xsappname!sdsd.instance","destination-xsappname!
sdd.subaccount"],"ext_attr":{"enhancer":"XSUAA","subaccountid":"ddd","zdn":"ww","serviceinstanceid":"555"},"user_uuid":"333","zid":"222","grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer","user_id":"333","azp":"sb-clon2333|destination-xsappname!b404","scope":["destination-xsappname!b404.instance.readDestination","destination- xsappname!b333.instance.manageDestination","user_attributes","destination- xsappname!b333.subaccount.manageCertificate","destination- xsappname!b333.instance.manageCertificate","xs_account.access","openid","destination- xsappname!b333.subaccount.readDestination","uaa.user","destination- xsappname!b333.subaccount.readCertificate","destination- xsappname!b333.subaccount.manageDestination","destination- xsappname!b333manageSubaccountTrust","destination-xsappname!b333.readSubaccountTrust","destination-xsappname!mailc.om b404.instance.readCertificate"],"cnf":{"23#3233":"RQ-2323},"exp":2323,"family_name":"user","iat":222,"jti":"333","email":"[email protected]@mail.com","rev_sig":"333","cid":"sb-wewe!wewe|destination-xsappname!b404"}
#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-25-7#sdsdsd#About to validate token expiration claims [exp, iat] for account dsdsd
DEBUG#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-25-7#777#Successfully validated token expiration claims [exp, iat] for account 34234
TRACE#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-25-7#234234#Extracting caller principal name for principal of type BUSINESS
DEBUG#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-25-wewqe#Caller principal name [email protected]' was extracted from 'user_name' claim.
DEBUG#com.sap.core.connectivity.tunnel.client.sso.cf.JWTValidator#tunnel-client-25-7#dddf#Successfully validated JWT for tunnelId: account:///asdsad/local
DEBUG#com.sap.core.connectivity.tunnel.client.sso.SessionInfoStore#tunnel-client-7777-fdsf#Stored session with id 2333333
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-25-7#sdsdssigned principal: '[email protected]'
DEBUG#com.sap.core.connectivity.tunnel.core.impl.context.OutboundProtocolProcessorRegistry#tunnel-client-2sd#sdsd#Fallback to default factory for protocol HTTP
DEBUG#com.sap.core.connectivity.tunnel.core.impl.context.OutboundProtocolProcessorRegistry#tunnel-client-25-7#0x8207f8e0#Acquiring outbound connection processor for protocol HTTP
DEBUG#com.sap.core.connectivity.protocol.http.HttpOutboundConnectionProcessorFactory#tunnel-client-25-7#0x8207f8e0#Creating outbound protocol processor for protocol HTTP
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23.3# #Decoding WebSocket Frame opCode=2
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-237# #Decoding WebSocket Frame length=6131
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.MessagePacketHandler#tunnel-client-25-7#0x8207f8e0#Received message of type 3 (payload) with size 6117 over tunnel channel [id: 5555, L:/111.111.111:3345 - R:/111.111.111.:80]; tunnelId: account:///323ddddd/local
#DEBUG#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnel-client-25-7#99999#Opening connection to backend system test:1213
#TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessingChannelInitializer#tunnel-client-25-7# #Adding SSL handler for channel: [id: 2323]
#DEBUG#com.sap.scc.security#tunnel-client-23# #Generating X.509 certificate for authentication to backend
#DEBUG#com.sap.scc.security#tunnel-client-23# #Requesting token for principal with name [email protected]
#DEBUG#com.sap.scc.security#tunnel-client-23# #Extracted attribute from principal ‚[email protected]‘ with name login_name: null
DEBUG#com.sap.scc.security#tunnel-client-23# #Condition "login_name EXIST" does not fit to principal ‚ [email protected]‘ , checking next one
#DEBUG#com.sap.scc.security#tunnel-client-25-7# #Extracted attribute from principal ‚[email protected]‘with name name: null
#com.sap.scc.security#tunnel-client-25-7# #Condition "name EXIST" does not fit to principal [email protected], checking next one
#DEBUG#com.sap.scc.security#tunnel-client-25-7# #Condition "true" fits to principal [email protected], return CN=${email},
DEBUG#com.sap.scc.security#tunnel-client-25-7# #Generated X.509 certificate with subject CN= [email protected],C=DE
#TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#dsd#Connection opening in progress, buffering...
#TRACE#com.sap.core.connectivity.tunnel.core.impl.processing.OutboundPacketProcessor#tunnel-client-23# #Sent packet with size 6,117 to processor com.sap.core.connectivity.protocol.http.HttpProtocolProcessor@23233
#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-25-7#0x8207f8e0#Successfully opened backend connection [id: 7777, L:/111.111.111.111:2334 - R:hostname/111.111.11.111:773]
TRACE#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnel-client-444#03444e0#Report open connection 774 to http://test:1213
#TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#774#Will send packet with size 6,117 to backend channel [id: 333, L:/ L:/111.111.111.111:2334- R:hostname/111.111.111:3333]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#344#Starting, switching state to PROCESSING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#34344#Start sending http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled to backend
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-223#233#Set autoread=FALSE on Backend channel: [id: 3333 isOpen: true; isActive: true; isRegistered: true; isWritable: true; bytesBeforeWritable: 0; bytesBeforeUnwritable: 44,444; autoRead: false]
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23-7#3333#Set request description to statistics instance: http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled on [virtualHost=test, virtualPort=1213, protocol=HTTP]
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23#233#Report invoke started for connection 0x8207f8e0 to http://test:1213 request /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-3#0x8207f8e0#Updating caller principal.
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.SSOClientSessionService#tunnel-client-23# #Reusing existing session with id 2333
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-25-7# #Assigned principal: '[email protected]'
DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-25-7#0x8207f8e0#Will use X.509 certificate for authentication to backend: 2333333(SHA-256)
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthorizationHandler#tunnel-client-25-7#34344#Access allowed to http://test:1213/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled for virtual host test:1213
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-25-7#3444#Last http request object, switching state to SWALLOWING
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-23#344#Set autoread=TRUE on Backend channel: [id: 777 isOpen: true; isActive: true; isRegistered: true; isWritable: true; bytesBeforeWritable: 0; bytesBeforeUnwritable: 4,444; autoRead: true]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-343444#Last http request object, switching state to STARTING
#DEBUG#io.netty.handler.ssl.SslHandler#tunnel-client-23# #[id: 333, L:/111.111.111.:3333 - R:hostname.com/111.111.111:2333] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TRACE#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#233#Sent packet with size 3 to backend channel [id: 233, L:/111.111.111:3333- R:hostname.com/111.111.111.46667]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-23eeee#Starting, switching state to PROCESSING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpSapStatisticsHandler#tunnel-client-33-7#333#Performance statistics is disabled,sap-statistics-scc header is not set
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7# #Will send message of type 3 (payload) with size 328 over tunnel channel [id: 333, L:/111.111.111:3333 - R:/111.111.111:80] with tunnelId account:///34444/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=2 length=342
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Sent message of type 3 (payload) with payload size 328 over tunnel channel [id: 7777, L:/111.111.111:3444 - R:/111.111.111:80] with tunnelId account:///33444444/local
com.sap.core.connectivity.spi.processing.OutboundConnectionReader#tunnel-client-2344#Sent message of type 3 (payload) with payload size 328 to tunnel channel [id: 344, L:/111.111.111:3444 - R:/111.111.111:80]
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-23#wewe#Last http response object, switching state to SWALLOWING
#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-25-7#344#Last http response object, switching state to STARTING
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Will send message of type 3 (payload) with size 6612 over tunnel channel [id: 777, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account://wewewe/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-25-7# #Encoding WebSocket Frame opCode=2 length=6626
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7# #Sent message of type 3 (payload) with payload size 6612 over tunnel channel [id: 23423, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///11111/local
#TRACE#com.sap.core.connectivity.spi.processing.OutboundConnectionReader#tunnel-client-23233#Sent message of type 3 (payload) with payload size 6,612 to tunnel channel [id: 2323, L:/111.111.111:3444 - R:/111.111.111:80]]
TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-23333#Report http request on connection 3444 to http://test:1213 request /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/
#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-34#0x8207f8e0#Report http request time statistics: total=73,ext=34,latency=3,openRemoteConn=28,generateSSOToken=24,validateSSOToken=0
#TRACE#com.sap.scc.monitor#tunnel-client-25-7# #Request HTTP://test:1213 resource /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/ with total time 73 is added to top list.
#TRACE#com.sap.scc.monitor#tunnel-client-25-7# #Request HTTP://test:1213 resource /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/ with total time 73 is added to top list.
#DEBUG#com.sap.core.connectivity.spi.processing.OutboundConnectionErrorHandler#tunnel-client-25-7#weee#Backend channel [id: weee L:/111.111.111:3444 - R:/111.111.111:80] is closed
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Will send message of type 4 (error) over tunnel channel [id: wewe, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///223/local
TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=2 length=231
#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-23# #Sent message of type 4 (error) over tunnel channel [id: 8888, L:/111.111.111:3444 - R:/111.111.111:80]] with tunnelId account:///w343434/local
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23# #Decoding WebSocket Frame opCode=2
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-23# #Decoding WebSocket Frame length=14
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.MessagePacketHandler#tunnel-client-23-wewe#Received message of type 2 (close connection) over tunnel channel [id: 2434, L:/111.111.111:3444 - R:/111.111.111:80]]; tunnelId: account:///wewewe 2/local
DEBUG#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-25-7#0x8207f8e0#Unsubscribed connectionId 77 from tunnelId account:///ewewe2/local
#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-25-7#33434#Unassigned principal: [email protected]
#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-23#Released backend connection channel [id: 233, L:/1111.111.111:5554 ! R:hostname.com/3111.111.111:3333]
R:hostname.com/3111.111.111:3333]
TRACE#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnel-client-24#Report close connection with id: 444
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#notification-client-24-1# #Decoding WebSocket Frame opCode=10
+0100#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-24-1# #Received pong for channel [id: erer, L:/111.111.111:3434 - R:/111.111.111:80] with tunnelId account:///232333
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-223# #Sending pong for channel [id: 333, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///23233
TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-21-1# #Sending pong for channel [id: 3434, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///67777/local
#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#notification-client-21-1# #Encoding WebSocket Frame opCode=10 length=0
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#notification-client-21-1# #Received pong for channel [id: wee, , L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///wee2/local
#TRACE#com.sap.core.connectivity.tunnel.core.handlers.TunnelStateHandler#tunnel-client-3# #Sending pong for channel [id: 777, L:/111.111.111:344 - R:/111.111.111:80] with tunnelId account:///wee2/local sdsdsd:06:01,740
#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-23# #Encoding WebSocket Frame opCode=10 length=0
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-9# #execute incoming request /configuration with action 'getAccounts'
0#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-9# #incoming request /configuration action: getAccounts finished after 0 ms
0#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-2# #execute incoming request /admin with action 'fetchMessages'
TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-2# #incoming request /admin action: fetchMessages finished after 1 ms
TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-6# #execute incoming request /logAndTrace with action 'getLogSettings'
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-6# #incoming request /logAndTrace action: getLogSettings finished after 1 ms
#TRACE#com.sap.scc.ui#https-jsse-nio2-43311-exec-10# #execute incoming request /logAndTrace with action 'getLogFiles
Could you please help up with this problem ?
Many Thanks Best Regards