
Principal Propagation in an HTTPS Scenario – Some Hints From My Journey

If you want to set up Principal Propagation, you will definitely need the following links and How-To guides. There you will find nearly everything needed to configure your SCP and ABAP backend for Principal Propagation!


But when setting up Principal Propagation in different environments, I faced some other issues. Here are some more hints from my journey:


ICM Parameters

Always use the parameter icm/trusted_reverse_proxy_<x>, if available! icm/HTTPS/trust_client_with_subject and icm/HTTPS/trust_client_with_issuer didn't work for me!

Browser Cache

Always completely close your browser to check a changed configuration! Also use incognito mode and sometimes even clear the whole browser cache – especially if you have several accounts, sub accounts and users.

SSSLERR_SSL_ACCEPT – received a fatal TLS certificate unknown alert message from the peer

In the ICM Trace file you see something like this:

<<- ERROR: SapSSLSessionStart(sssl_hdl=000000000790FBA0)==SSSLERR_SSL_ACCEPT
*** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1737]
SSL_get_state()==0x1180 "TLS read client certificate A"
*** ERROR during SecuSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
session uses PSE file ".....SAPSSLS.pse"
SecuSSL_SessionStart: SSL_accept() failed (536875078/0x20001046)
=> "received a fatal TLS certificate unknown alert message from the peer"


And in the cloud connector log ljs_trace.log you find this:

at ... 28 more Caused by: Algorithm constraints check failed on signature algorithm: MD5withRSA 
at ... 31 more| #SccEndpointValidator has thrown exception for HTTPS://xxx.yyy.zzz:8443: Certificates do not conform to algorithm constraints Certificates do not conform to algorithm constraints 


Please check Note 1848999 – Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB) and patch your Kernel and CryptoLib. Then exchange/recreate the certificates of your ABAP system (Tx STRUST).

While waiting for the Kernel patch you can change the JRE security settings used for the cloud connector (NOT RECOMMENDED – just for testing on development systems!):

Open the file …/jre/lib/security/ and check the parameters


Remove the algorithm mentioned in the log, e.g.: 

Algorithm constraints check failed on signature algorithm: MD5withRSA 


Restart your cloud connector.
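To understand why the cloud connector rejects the backend certificate, here is an added Python example (not part of the original post and not SAP's or the JRE's code) that mimics the signature-algorithm constraint check: it takes the value of a disabled-algorithms property as found in a JRE's java.security file (the property name jdk.certpath.disabledAlgorithms and the file name are assumed from a standard JRE; the post only says to check the parameters) together with a constructed certificate chain, and reports which certificate trips the check. It also shows that re-creating the certificate with SHA256withRSA in STRUST makes the chain pass, while deleting MD5 from the constraints (the "not recommended" workaround) merely stops the JRE from noticing the weak signature.

```python
import re

# Constructed sample modelled on a jdk.certpath.disabledAlgorithms entry from a
# JRE's java.security file (assumed name; the post only says "check the parameters").
# Entries are comma separated; an entry may carry extra conditions after the
# algorithm name, e.g. "RSA keySize < 1024" or "SHA1 jdkCA & usage TLSServer".
SAMPLE_CONSTRAINTS = "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024"

# Constructed certificate chains: (label, signature algorithm of the certificate).
SAMPLE_CHAIN_OLD = [
    ("CN=xxx.yyy.zzz (server)", "MD5withRSA"),     # issued by the old STRUST PSE
    ("CN=Company Root CA", "SHA256withRSA"),
]
SAMPLE_CHAIN_NEW = [
    ("CN=xxx.yyy.zzz (server)", "SHA256withRSA"),  # after re-creating the certificate
    ("CN=Company Root CA", "SHA256withRSA"),
]


def parse_disabled_algorithms(value):
    """Return the set of algorithm names that are disabled unconditionally.

    Entries with further conditions (keySize, usage, jdkCA) are skipped here,
    because evaluating them needs key sizes and trust-anchor data not modelled
    in this example.
    """
    disabled = set()
    for entry in value.split(","):
        tokens = entry.strip().split()
        if len(tokens) == 1 and tokens[0]:
            disabled.add(tokens[0].upper())
    return disabled


def signature_components(sig_alg):
    """Split a JCA signature name such as 'SHA256withRSA' into ('SHA256', 'RSA')."""
    m = re.fullmatch(r"(?i)(.+?)with(.+)", sig_alg)
    if not m:
        raise ValueError(f"unrecognised signature algorithm name: {sig_alg}")
    return m.group(1).upper(), m.group(2).upper()


def check_chain(chain, constraints_value):
    """Return [(label, sig_alg, reason)] for every certificate that would fail
    the constraint check; an empty list means the chain is accepted."""
    disabled = parse_disabled_algorithms(constraints_value)
    failures = []
    for label, sig_alg in chain:
        digest, key_alg = signature_components(sig_alg)
        # The signature is blocked if either its digest (MD5, SHA1, ...) or its
        # key algorithm (RSA, DSA, ...) is on the disabled list.
        for component in (digest, key_alg):
            if component in disabled:
                failures.append((label, sig_alg, f"{component} is disabled by algorithm constraints"))
                break
    return failures


if __name__ == "__main__":
    for name, chain in (("old chain", SAMPLE_CHAIN_OLD), ("re-created chain", SAMPLE_CHAIN_NEW)):
        failures = check_chain(chain, SAMPLE_CONSTRAINTS)
        print(name, "->", "accepted" if not failures else failures)
    # The workaround from the post: constraints without MD5 accept the old chain
    # but the server certificate is still signed with MD5withRSA.
    print("old chain, MD5 removed from constraints ->",
          check_chain(SAMPLE_CHAIN_OLD, "MD2, SHA1 jdkCA & usage TLSServer"))
```

Run against the constraint value from your own java.security and the signature algorithms shown by STRUST (or `openssl x509 -text`), the function tells you which certificate in the chain the cloud connector is complaining about before you touch any JRE settings.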

Unable to generate authorization token for user XXX on system YYY.

Check the cloud connector log file ljs_trace.log:
Unable to generate authorization token java.lang.IllegalStateException: The variable 'login_name' needed for object CN is not available in context.


Some attribute used in the Subject Pattern for the short-lived certificate is not available.

Change the pattern in the cloud connector configuration


Or change the configuration of your Trusted Identity Provider in the Cloud Cockpit:
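The log line means that the subject pattern for the short-lived certificate references an attribute that the identity provider did not deliver for this user. As an added example (not the cloud connector's own code), the following Python mimics that check: a subject pattern with ${attribute} placeholders (placeholder syntax assumed for the example) is resolved against the attributes received from the IdP, and every placeholder that cannot be filled is reported with the same information the log carries, the variable name and the RDN it belongs to. Running it against the attributes your IdP actually sends tells you in advance whether to adjust the pattern or the assertion attributes.

```python
import re

# Placeholder syntax assumed for this example: ${name}. The real cloud
# connector syntax may differ; the point is the dependency between the pattern
# and the attributes delivered in the user's identity context.
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


class MissingAttribute(Exception):
    """Raised when the identity context lacks an attribute the pattern needs."""

    def __init__(self, variable, rdn):
        super().__init__(
            f"The variable '{variable}' needed for object {rdn} is not available in context."
        )
        self.variable = variable
        self.rdn = rdn


def parse_pattern(pattern):
    """Split 'CN=${login_name}, OU=Users, O=Example' into [(rdn_type, template), ...]."""
    rdns = []
    for part in pattern.split(","):
        rdn_type, _, template = part.strip().partition("=")
        if not rdn_type or not template:
            raise ValueError(f"malformed RDN in subject pattern: {part!r}")
        rdns.append((rdn_type.strip(), template.strip()))
    return rdns


def missing_attributes(pattern, context):
    """Return [(variable, rdn_type)] for every placeholder the context cannot fill."""
    missing = []
    for rdn_type, template in parse_pattern(pattern):
        for var in PLACEHOLDER.findall(template):
            if var not in context:
                missing.append((var, rdn_type))
    return missing


def render_subject(pattern, context):
    """Build the subject DN for the short-lived certificate, or raise MissingAttribute."""
    missing = missing_attributes(pattern, context)
    if missing:
        raise MissingAttribute(*missing[0])
    return ", ".join(
        f"{rdn}={PLACEHOLDER.sub(lambda m: context[m.group(1)], tpl)}"
        for rdn, tpl in parse_pattern(pattern)
    )


# Constructed sample: the IdP delivers only these attributes for the user.
SAMPLE_CONTEXT = {"mail": "jane.doe@example.com", "first_name": "Jane", "last_name": "Doe"}
PATTERN_OLD = "CN=${login_name}, OU=Users, O=Example"  # references an undelivered attribute
PATTERN_NEW = "CN=${mail}, OU=Users, O=Example"        # uses an attribute the IdP sends


if __name__ == "__main__":
    print("missing for old pattern:", missing_attributes(PATTERN_OLD, SAMPLE_CONTEXT))
    try:
        render_subject(PATTERN_OLD, SAMPLE_CONTEXT)
    except MissingAttribute as exc:
        print("error:", exc)
    # Fix 1: change the pattern in the cloud connector.
    print("new pattern:", render_subject(PATTERN_NEW, SAMPLE_CONTEXT))
    # Fix 2: make the trusted IdP deliver the attribute instead.
    print("old pattern, IdP now sends login_name:",
          render_subject(PATTERN_OLD, dict(SAMPLE_CONTEXT, login_name="jdoe")))
```

Both fixes from the post appear in the main block: either the pattern stops referencing login_name, or the trusted identity provider in the Cloud Cockpit is configured to send it.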



Will be updated after my next funny hours with this cool stuff ;)!


Have fun,
