Skip to Content
Technical Articles
Author's profile photo Claus Burgaard

Setting up Principal Propagation


This blog post is part of the series covering SAP Mobile start app empowerment and is a continuation of the blog post “Installation and Configuration of SAP Cloud Connector” where we installed the SCC to work with a hardcoded user credentials for the backend. This works fine for verifying that the end-to-end flow is working, but it is not useful in a productive landscape, since all users will access the same backend data due to the hardcoded user credentials.

Therefore, we need to configure principal propagation to ensure that any given user only can access the backend data that they should.

This is archived by propagating the user id from the Business Technology Platform through the Cloud Connector to the backend system.


You have either followed the steps in the blog post Installation and Configuration of SAP Cloud Connector or you have already installed and configured your SAP Cloud Connector plus created to destinations in BTP – a Design-Time and a Runtime on your own.

We also assume that your SU01 user has the email filled with the mail address you use to logon to BTP.


SU01 email mapping

Generate Cloud Connector Certificates

In the newest versions of the Cloud Connector, it is possible to generate self-signed certificates which makes it a lot easier to setup principal propagation for a PoC for example. However, for a productive scenario, it is highly recommended to use signed certificates.

We need three different certificates to get the setup working

  • System certificate
  • CA certificate
  • User certificate

System certificate

Logon to the Cloud Connector cockpit and navigate to “Configuration” and select the tab ON PREMISE. In this blog we will use the self-signed certificates but the process is the same for a signed certificate, once you get the signed certificate back.

Click on the “Create and import a self-signed certificate”


Generate self-signed certificate

Fill in the required information, which as a minimum is the Common Name, CN is the name of the server where the Cloud Connector is installed.


Fill in certificate info

It is good practice to use the full host name for the CN for example

Tip: The system certificate needs to be renewed periodically, if not connections that use the Cloud Connector will stop working. Make a note in your calendar for a reminder a couple of weeks before so that you remember to renew it.

Next download the new certificate and save it on your local computer. We will need it later in the SAP S/4HANA and/or SAP Business Suite system.

Tip: use the default name sys_cert.der as this is used in the rest of this homework


Download the certificate

Now we have created the system certificate, next is the CA certificate.

Create CA Certificate

The CA certificate is used to sign all the certificates when a request is forwarded from the Business Technology Platform.

Like with the system certificate we will create a self-signed CA certificate. Under the same tab “ON PREMISE” scroll down to CA Certificate and click “Create and import a self-signed certificate”


Create CA certificate

Fill in information needed again just like with the system certificate.


Fill in CA information

Also, here it is good practice to use the full host name for the CN

The SAP Cloud Connector now acts as CA whenever a request is coming from the BTP to the onpremise system, SAP S/4HANA or SAP Business Suite. This means that every request from the BTP i.e., Launchpad in this case, is signed in the Cloud Connector with this certificate. The backend system must trust the certificate to establish the link between BTP and onpremise.

User Certificate

The last certificate is the user certificate, scroll down to “Principal Propagation” and click on “Edit”


User certificate

Verify that the Principal Propagation template is mapping the CN with ${mail}


Edit principal propagation values

Next, we need to create a sample certificate which we will use in the backend – click on “Create a sample certificate”


Generate sample user certificate

Save the sample certificate in the same locations as system certificate and keep the suggested name scc_sample_cert.der

Sync the cloud trust with IDP

By default, the Cloud Connector does not trust any entries which issues tokens for principal propagation. For this reason, we must establish the trust between the Cloud Connector and the IDP of your subaccount on BTP.

Navigate to the “Cloud to On-Premise” and select the tab Principal Propagation. Click on Synchronise this populate the trust configuration.


After sync of trust configuration

Configure mapping to backend

The last step in the Cloud Connector is to change the HTTPS mapping to use X.509 as principal type.

In the same page as trust sync click on “Access Control” and identify the mapping using HTTPS.


Edit mapping properties

Change the Principal Type to “X.509 Certificate (General Usage)” and save the change.


Change principal type to use X.509

In the Subaccount we also need to change the Runtime Destination to use Principal Propagation.

Navigate to Destination and select the Runtime Destination and change the authentication to “PrincipalPropagation” and save the change.

Note if you do not have created a destination yet, you can skip this small step. The blog post “Setting Up SAP Launchpad Service and Mobile Start with Content Federation” describe the steps for creating a destination.

But remember to come back and perform this small step once your destination is created.


Change subaccount destination

Setup Backend for Principal Propagation

In this section we will work on the backend which for this example is a SAP S/4HANA system. A couple of steps are needed

  • Import the system certificate
  • Define rule-based mapping
  • Define RZ10 parameters
  • Restart the ICM

Import system certificate

The system certificate we created in the beginning of this homework must be imported into the backend system – go to transaction STRUST and change to edit mode. Expand the SSL Server Standard. If you have not previously created an SSL Standard Server, right click on it and create a new one as first step.

Once created scroll down and click on “Import certificate” in the pop-up navigate to the location where you saved the system certificate sys_cert.der and upload it. Click on “Add to Certificate List” to include it in the list of trusted certificates.

It will show up in the box above – “Certificate List”

Save the changes and exit the transaction.


Import system certificate using Tx strust

Define rule-based mapping

Since you are logging on to BTP using an email address this need to be mapped your SU01 user in the backend system. Now luckily, we don’t have to do that manual for all the users, we just create a mapping rule to handle this. Go to transaction CERTRULE.

Click on the “import certificate” and select the sample certificate you created earlier scc_sample_cert.der and import it


Import sample user certificate

Change to change mode and click on “Rule” to create a rule which map the BTP user, i.e. email address with user’s SU01 user id


Create mapping rule

In the “Certificate Attr.” choose you attribute mapping from the drop-down menu. In the “Login As” select E-Mail and press enter.


Modify rule attributes

Once you save your new rule you should see a similar screen as below where the “Mapping Status” and “User Status” are both green.


Verify that mapping rule is working

Define reverse proxy parameter

In the default parameter profile, you need to add a new parameter – trusted reverse proxy. In transaction RZ10 select the Default profile and click “Change”


Modify the Default profile in RZ10

Add a new parameter icm/trusted_reverse_proxy_0 adjust the last digit in case you already use the profile for other scenarios

The value for the parameter most follows this format SUBJECT=”CN=<>”, ISSUER=”CN=<>”

For example:


Make sure you use straight double quotes and not curly quotes



Add certificate parameter

Tip: Copy the value of the SUBJECT and ISSUER from Cloud Connector system certificate in tx STRUST  in this way you are sure you get the format right.

For CERTRULE to work, the parameter login/certificate_mapping_rulebased needs to be set to 1. This is the default value but make sure to verify this.

The parameter icm/HTTPS/verify_client must also be set to 1 (default) or the HTTPS port configuration in ICM needs to have VCLIENT=1

Save and activate the profile.

Restart the ICM

The last step is to restart the ICM so the changes can take effect. Call transaction SMICM

Administration -> ICM -> Exit Soft -> Global


Restart ICM

Click yes to the pop up, the restart usually only takes a minute or two, however be sure that there are no users accessing the ICM since they will be disconnected.


Confirm the restart of the ICM

This was the last step.

To verify that the change to principal propagation is working correctly, log on the Launchpad service and open one of the assigned apps. If it opens correctly and show expected data, you have done everything correctly. If you get any sort of error message or is not seeing the data, please run through this and the previous blog one more time and verify that all the configuration steps were done correctly.

If you are still facing issues have a look at this wiki site for troubleshooting:

Also, this link to on setting up the Cloud Connector provide some general information:


In this blog post we have changed the authentication method to use principal propagation for the Runtime destination. Principal propagation ensures that a user logging on to the Launchpad on BTP can access the backend data for which they have authorisations.

I look forward to your comments.

Stay up to date with latest news and post your questions or feedback about SAP Mobile Start in the Q&A area. Start by visiting your SAP Mobile Experience community page and click “follow”. We’ll be publishing more informative blog posts.

Want to be notified? Check your profile settings to ensure you have your settings activated.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Venu Ravipati
      Venu Ravipati

      Hi Claus Burgaard,

      Thank you for the blog of principal propagation configuration through cloud connector. One of the best reads on this topic.

      This is such an important topic in hybrid landscapes to propagate user identities.

      Thank you,


      Author's profile photo Claus Burgaard
      Claus Burgaard
      Blog Post Author

      Hi Venu,


      glad you found it useful 🙂



      Author's profile photo Rajni Chellani
      Rajni Chellani

      Hello Claus,


      I have requirement where I need to connect CRM on-premise using authentication method "Principal Propagation" via cloud connector. I have done all the settings in the cloud connector and backend system.

      But getting below error in the iflow. Could you please check if you have any idea?




      Author's profile photo Claus Burgaard
      Claus Burgaard
      Blog Post Author

      Hi Rajni

      Most likely there is a typo somewhere in the setup. Below are a couple of steps you can try to identify the error.

      1. To ensure the end-to-end flow is working it’s always a good idea to use Basic Authentication i.e., username/password as a start to verify the whole flow is working
      2. In the Cloud Connector you have the Log and Trace Files option, there are two files locahost_http_access and ljs_trace.log
      3. In the backend system use transaction SMICM and increase the trace level of the log. Reproduce the steps and read through the ICM log
      4. Verify that parameters in RZ10 is entered correctly

      Typically the problem is a typing error like ` instead of ‘ in the parameters for example

      Hope this will help


      Author's profile photo Marian Canciu
      Marian Canciu

      Hi Claus

      Excellent blog! Many thanks.

      One thing that caught my attention and it's not mentioned in your blog: "Remember The system certificate needs to be renewed periodically, or else connections that use the cloud connector may stop working."


      How often must the system certificate be renewed and is it possible to automate this process?
      What are your thoughts?


      Author's profile photo Claus Burgaard
      Claus Burgaard
      Blog Post Author

      Hi Maria,

      Sorry for the late reply. Thanks for the suggestion to add the "reminder" the blog is updated with this.

      Typically the certificate is valid for 1 or 2 years, and there is no way to automate this unfortunately. Best thing is to add a reminder in your calendar so you get a pop-up a couple of weeks before so you have time to renew it.


      Author's profile photo Palak Garg
      Palak Garg

      Claus Burgaard  Thank you for the amazing blogpost. I could make it work for one user. But, the certrule seems to accept just one rule for email based propagation. how to make it work for multiple users who need to access the backend system?

      Author's profile photo Claus Burgaard
      Claus Burgaard
      Blog Post Author

      Hi Palak,

      Sorry for the late reply - you might have solved you issue in the meantime.

      The idea with the cert rule is to ensure that all users accessing the backed using the same format, in this case the email, can logon. For this to work, each user has to have his/her email mapped in the user record, SU01.

      In this way every user coming from for example the Launchpad service on BTP will have his/her credentials propagated and being authenticated in the backend.

      Hope this helps you


      Author's profile photo Anil Bhandary
      Anil Bhandary

      Hi Claus,

      In the section of 'CA certificate' can we generate CSR and get the signed certificate from CA authority or we have to go local sign certificate only?

      We tried to generate the CSR and  tried to generate the Certificate response in which we identified it has generate the CSR with 1024 Key and not with 2048 due to which we will not able to sign it.

      So want to understand is it mandatory to sign it with CA as we have to use this feature for production usage purpose so we want to bring as much as security in place,



      Author's profile photo Claus Burgaard
      Claus Burgaard
      Blog Post Author

      Hi Anil,

      It's no mandatory to have the CA signed, please have a look at this link which explain the different option for the CA certificate


      Author's profile photo Michael Rodrigo
      Michael Rodrigo

      Hello Claus,

      Can you please clarify if you need a minimum Netweaver version or Stack to work with principal propagation? for example is this supported on EHP4 for SAP ERP / NW 7.01?

      Best Regards,


      Michael R

      Author's profile photo Claus Burgaard
      Claus Burgaard
      Blog Post Author

      Hi Michael,

      If your NW kernel version is lower than 7.42, which it is in your case you need to use the two parameters icm/HTTPS/trust_client_with_issuer and icm/HTTPS/trust_client_with_subject instead of icm/trusted_reverse_proxy_X

      Unfortunately I have not been able to verify if those two parameters are available in NW 7.01 but I do expect there are and in that case the principle propagation is supported.


      Author's profile photo Michael Rodrigo
      Michael Rodrigo



      Thanks for the help, I will try with this parameters and get back to you if we have another issue.

      Big thank you for the response.





      Author's profile photo Dominik Eggimann
      Dominik Eggimann

      Hello Claus

      Great explanation.

      Principal Propogation directly into ABAP we have managed.

      But we use a SAP NW JAVA Enterprise Portal. So we have connected the SAP NW JAVA EP to the BTP (SAP Launchpad Service). Also here we have Principal Propogation managed.

      Unfortunately PP does not work into S/4HANA. So we show content from S/4HANA in SAP NW JAVA EP. What do we have to do to make PP work via SAP NW JAVA EP into S/4HANA?

      Best Regards

      Author's profile photo Shweta Jain
      Shweta Jain

      hi ,

      could you please elaborate how you have achieved in ABAP.

      Author's profile photo Shitij Bagga
      Shitij Bagga

      Hi Claus

      Thanks for the excellent blog. We have been following this and the original documentation as well (Configuring Principal Propagation to an ABAP System | SAP Help Portal).

      Our problem is that we have a netscaler load balancer in front of our ABAP system and we cannot figure out how to let this certificate reach ABAP through load balancer. On SAP documentation, it describes a scenario with web dispatcher but not what to do if you have another load balancer.

      Any tips?



      Author's profile photo srinivas katta
      srinivas katta

      Hello Claus,


      Thanks for your blog. It's helped me alot.

      I done SAP Mobile Start setup by following your blog and two below blogs. But am facing authentication pop-up error while accessing application.


      Please help me to resolve this error.

      Accessing My Site and scrolling through it, raises an authentication popup:

      Thank you

      Author's profile photo Diether De Coninck
      Diether De Coninck

      Hi, The fact you are seeing the basic authentication popup appear indicates something went wrong with the principal propagation configuration. I'dd recommend checking each step in the PP blog carefully and take a look at the cloud connector log & ICM traces to diagnose the root cause.


      Author's profile photo Max Bodendoerfer
      Max Bodendoerfer


      we have problems to setup the principal propagation. Our scenario is to deploy from SAP BAS UI5 APPs directly to a SAP BW Backend System (and consuming odata from there in the APP)

      As far we are aware we did every configuration mentioned in the blog. We even tried with * for subject and issuer.

      Sidenote: Basic Authentication works flawless!

      For Princ. Prop. we still get the following error in the ICM log

      • client did not sent any cert --> intermediate not trustworthy
      • intermediary is NOT trusted

      From the troubleshoot guide it seems that Client Certificate is requested but not received .I cannot see the offered CAs in the ICM log.


      How can I fix this or what steps do I need to do - Thanks in advance!



      Author's profile photo Claus Burgaard
      Claus Burgaard
      Blog Post Author

      Hi Max,

      This type of error is usually do to wrong configuration in the backend. Please make sure that icm/HTTPS/trust_client_with_issuer and icm/HTTPS/trust_client_with_subject  are set correctly in the backend. also have a look at this link.

      Lastly try set the parameter icm/HTTP/ssl_debug_info to true in RZ11, clear the ICM trace and reproduce the issue. This parameter gives a very detailed ICM trace.

      remember to set it back to false once you have solved the problem 😉



      Author's profile photo Max Bodendoerfer
      Max Bodendoerfer

      Hi Claus,

      thanks for the info. We were able to to get the princ. prop. authentication to run by configuring the Web Dispatcher also.

      BUT: Currently we have the reverse prox parameter configured with * for subject and issuer in ICM and Web Dispatcher. As soon as we put in the system cert info from Cloud Connector (which we imported also to STRUST) it does not work anymore.

      Currently we are trying out different values to somehow find the values it expects but we dont really know as we thought it should be simply the Sys Cert info from Cloud Connector




      Author's profile photo Diether De Coninck
      Diether De Coninck


      If the webdispatcher is in between the CC & the Gateway, then the webdispatcher has to trust the CC and the gateway has to trust the webdispatcher.

      Prefered config is that the webdispatcher terminates the TLS connection  as per

      SAP cloud platform - (VPN) - SAP cloud connector - (HTTPS) - SAP Web Dispatcher - (HTTPS) - ABAP ICM

      See also the links in this wiki for additional info on how to configure the webdispatcher for forwarding SSL Certificates.


      Author's profile photo Max Bodendoerfer
      Max Bodendoerfer

      Hi Diether,

      thx for your help. We had another look at the troubleshoot guide and especially on the WebDispatcher Links. In the end we were able to get it to run without the * everywhere.

      The ABAP Backend System needs to trust (STRUST & Subject/Issuer) the WebDispatcher SAPSSLC.pse Certificate and NOT the Cloud Connector Sys. Cert - which seems logical at the end 😉

      Kind regards and thanks everyone for your help.