Skip to Content
Technical Articles

Principal Propagation in an HTTPS Scenario – Some Hints From My Journey

If you want to setup Principal Propagation you will definitely need the following links and How-To guides. You will find nearly everything to configure your SCP and ABAP backend to use Principal Propagation!

https://launchpad.support.sap.com/#/notes/2462533
https://launchpad.support.sap.com/#/notes/2052899
https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/a8bb87a72d094e0d981d2b1f67df7bc3.html
https://blogs.sap.com/2017/06/22/how-to-guide-principal-propagation-in-an-https-scenario/
https://blogs.sap.com/?s=principal+propagation

 

But when setting up Principal Propagation in different environments, I faced some other issues. Here are some more hints from my journey:

icm/trusted_reverse_proxy_<x>

Always use parameter icm/trusted_reverse_proxy_<x>, if available! icm/HTTPS/trust_client_with_subject and icm/HTTPS/trust_client_with_issuer didn’t work for me!

Browser Cache

Always completely close your browser to check a changed configuration! Also use incognito mode and sometimes even clear the whole browser cache – especially if you have several accounts, sub accounts and user.

SSSLERR_SSL_ACCEPT – received a fatal TLS certificate unknown alert message from the peer

In the ICM Trace file you see something like this:

<<- ERROR: SapSSLSessionStart(sssl_hdl=000000000790FBA0)==SSSLERR_SSL_ACCEPT
*** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1737]
SSL_get_state()==0x1180 "TLS read client certificate A"
*** ERROR during SecuSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
session uses PSE file ".....SAPSSLS.pse"
SecuSSL_SessionStart: SSL_accept() failed (536875078/0x20001046)
=> "received a fatal TLS certificate unknown alert message from the peer"

 

And in the cloud connector log ljs_trace.log you find this:

at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1226) 
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1192) 
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1106) 
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626) ... 28 more Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: MD5withRSA 
at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:295) 
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1222) ... 31 more| 
+0100#INFO#com.sap.scc.rt#Thread-13# #SccEndpointValidator has thrown exception for HTTPS://xxx.yyy.zzz:8443: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints 
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) 
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)

 

Please check Note 1848999 – Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB) and patch your Kernel and CryptoLib. Then exchange/recreate the certificates of your ABAP system (Tx STRUST).

While waiting for the Kernel patch you can change the JRE security settings used for the cloud connector (NOT RECOMMENDED – just for testing on development systems!):

Open the file …/jre/lib/security/java.security and check the parameters

jdk.certpath.disabledAlgorithms
jdk.tls.disabledAlgorithms

Remove the algorithm mentioned in the log, e.g.: 

Algorithm constraints check failed on signature algorithm: MD5withRSA 

 

Restart your cloud connector.

Unable to generate authorization token for user XXX on system YYY.

Check the cloud connector log file ljs_trace.log

+0100#ERROR#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-4-2#0xd2740796#
Unable to generate authorization token java.lang.IllegalStateException: The variable 'login_name' needed for object CN is not available in context.

 

Some attribute used in the Subject Pattern for the short-lived certificate is not available.

Change the pattern is the cloud connector configuration

 

Or change the configuration of your Trusted Identity Provider in the Cloud Cockpit:

 

 

Will be updated after my next funny hours with this cool stuff ;)!

 

Have fun,
Domi

4 Comments
You must be Logged on to comment or reply to a post.