Ginger Gatling

Analyzing Authorization Problems (http 401) with ICM and Security Audit Log

This document describes how to analyze authorization errors (HTTP 401) that occur in the connectivity between SAP Cloud or customer systems and SAP on-premise (OP) systems. It was written by SAP architect Berthold Wocher.

Relevant SAP Notes:

495911 – Trace-Analysis of logon problems

2012562 –  HTTP Information and Problem Analysis

Security Audit Log

The security audit log can be very helpful for analyzing complex 401 errors. If you have already performed the simpler checks (the logon credentials are correct, the logon user is not locked), continue with this tool.

Set the security trace parameters:

Activate the Security Audit Log with transaction SM19. There are some release-dependent options for doing this; for details check SAP note 495911.

In transaction SM50 select all work processes by pressing F5.

Press CTRL+SHIFT+F7 (trace components) and, in the popup, select the Security checkbox and set trace level = 2.

Save it and repeat this for every application server (switch application server via SM51).

The trace is now active. Reset these parameters at the end of your session.

Analyzing the Audit Log:

Go to transaction SM20. Select the application server and choose Reread Audit Log for the specific client.

/wp-content/uploads/2014/12/401_1_604848.png

Search for the authorization error entry and double-click it.

/wp-content/uploads/2014/12/401_2_604849.png

Type = H means HTTP logon.

Reason = 34 means, for example (the meaning of the reason code is shown in the entry's detail):

/wp-content/uploads/2014/12/401_3_604865.png

Extracting forwarded client certificate from http header

In the above example a client certificate was received in the HTTP header, but the system could not map it to an application user. Therefore you may want to trace the client certificate forwarded in the HTTP header to check whether the correct one was sent. This is done in the ICM trace.

In transaction RZ11 switch on the dynamic parameter icm/trace_secured_data.

Note: the ICM now also writes sensitive data (the full HTTP request, including header fields) to the trace, so do not forget to reset this parameter after your tests!

/wp-content/uploads/2014/12/401_4_604866.png

This parameter gives you the full HTTP request in the ICM trace, in particular the HTTP header fields.

Execute an ICM trace with trace level 3 (transaction SMICM) and search for the HTTP request, e.g. via Ctrl+F with part of the endpoint URL.

/wp-content/uploads/2014/12/401_5_604867.png

The client certificate in the HTTP header is now visible. The tricky part is copying the encoded certificate into a file for further analysis. One option is this:

Open the trace file in MS Word to copy the encoded client certificate (in MS Word you can select a vertical column of characters by holding the Alt key while dragging with the mouse).

Paste the client certificate into Notepad and wrap it in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

/wp-content/uploads/2014/12/401_6_604871.png

Save the file with the extension .crt

Open the .crt file by double-clicking it (Windows shows it in the certificate viewer).

/wp-content/uploads/2014/12/401_7_604872.png

Now you can see the forwarded client certificate.
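The column-selection trick above is a manual way of recovering the base64 blob from the hex dump in the trace. The following Python script, added here as an example and not part of the original post or of any SAP tool, automates the same steps: it rebuilds the raw request from the hex column of the dump, pulls the forwarded certificate out of its header, checks that the DER blob is complete (a truncated copy is the usual failure when the base64 value wraps across trace lines), and emits the PEM with the BEGIN/END CERTIFICATE markers. Three things are assumptions: the dump layout "offset: hex bytes  ascii" (the script constructs its own sample trace in that layout instead of reading a real trace file; adjust the regular expression if your dev_icm lines differ), the header name ssl_client_cert for the forwarded certificate (confirm the name in your own trace), and a placeholder DER SEQUENCE standing in for a real certificate so that the example runs offline.

```python
import base64
import re
import ssl

# Constructed placeholder: a DER SEQUENCE holding one UTF8String ("test client").
# It is NOT an X.509 certificate; it only stands in for the base64 DER blob a
# real trace would carry, so that the example runs offline.
PLACEHOLDER_DER = bytes.fromhex("300d0c0b7465737420636c69656e74")

# Assumed header name for the forwarded client certificate; verify it against
# the header actually present in your own ICM trace.
CERT_HEADER = "ssl_client_cert"


def build_request(cert_der=None):
    """Constructed sample of a forwarded HTTP request as it reaches the backend."""
    lines = [b"GET /sap/bc/ping HTTP/1.1", b"host: backend.example.com:8000"]
    if cert_der is not None:
        lines.append(CERT_HEADER.encode() + b": " + base64.b64encode(cert_der))
    return b"\r\n".join(lines) + b"\r\n\r\n"


def hex_dump(data, prefix="[Thr 140001] "):
    """Render bytes in the 'offset: hex bytes  ascii' layout assumed for the trace."""
    out = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append(f"{prefix}{off:08x}: {hexpart:<47}  {asc}")
    return "\n".join(out)


# One dump line: 8-digit offset, colon, then at most 16 hex byte pairs.
DUMP_LINE = re.compile(r"([0-9a-fA-F]{8}): ((?:[0-9a-fA-F]{2} ?){1,16})")


def reassemble_from_dump(trace_text):
    """Rebuild the raw request from the hex column.  The ASCII column replaces
    non-printable bytes with '.', so it is not a safe source to copy from."""
    raw = bytearray()
    for line in trace_text.splitlines():
        m = DUMP_LINE.search(line)
        if m:
            raw += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(raw)


def extract_forwarded_cert(raw_request, header_name=CERT_HEADER):
    """Return the DER bytes carried in the forwarded-certificate header, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == header_name.lower().encode():
            b64 = b"".join(value.split())           # tolerate folded/wrapped values
            return base64.b64decode(b64, validate=True)
    return None


def der_outer_length(der):
    """Total length the outer DER SEQUENCE claims, or None if it is not a SEQUENCE.
    A mismatch with len(der) means the copy from the trace was truncated."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                                # short-form length
        return 2 + first
    n = first & 0x7F                                # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def der_to_pem(der):
    """Wrap DER in the BEGIN/END CERTIFICATE markers, refusing incomplete input."""
    if der is None or der_outer_length(der) != len(der):
        raise ValueError("not a complete DER SEQUENCE: was the certificate copied in full?")
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    trace = hex_dump(build_request(PLACEHOLDER_DER))   # stands in for the exported trace
    print(trace)
    der = extract_forwarded_cert(reassemble_from_dump(trace))
    print(der_to_pem(der))   # save as .crt, or inspect with: openssl x509 -in cert.crt -noout -text
```

To use it on a real trace, replace the constructed sample with the exported trace text. Decoding the hex column instead of the ASCII column recovers bytes the trace renders as '.', and the length check in der_to_pem catches the case where the copy stopped one trace line too early, which otherwise only shows up as an unreadable .crt file.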

In the ICM trace you should also check whether the intermediary that forwarded the request is trusted.

/wp-content/uploads/2014/12/401_8_604873.png

This trace snippet means that the backend has recognized a client certificate in the HTTP header and trusts the sender of the HTTP request, so the client certificate from the HTTP header is handed over to the application for logon.

Some basic information about the forwarded client certificate is visible directly in the trace:

/wp-content/uploads/2014/12/401_9_604880.png

However, since this is again an encoded version, it is better to follow the approach above and extract the PEM format with MS Word.

Important Note:

Analyzing HTTP header fields such as forwarded client certificates becomes much easier if you follow SAP note 2012562. This works only for SAP BASIS 7.40 and higher. For NGAP Basis 8.00 and higher this procedure is not applicable, since the ICM parameter "icm/HTTP/trace_info = [TRUE|FALSE]" mentioned there does not exist.

We hope this helps you analyze 401 errors!
