SAP Content Repository Setup with PBS Archiving Solution using HTTP Proxy

There was a case in recent time where in our customer environment, we are making use of HTTP proxy as a mandate.

Landscape Information –

• S4HANA 2022 with NW 757 on IBM PowerVs with HANA 2.0 SP05 in IBM Cloud.
• Squid Proxy with IPaddress-1 and IPaddress-2 hosted on VPC(x86).
• PBS – 3^rd party Archiving Solution hosted on Windows in On-Prem.

Problem Statement – HTTP Server was not reachable directly from S4HANA and fails using HTTP Proxy. As per the screenshot below, it complains client connection to http://<3^rd party-http-server>:<port-no.> fails.

Solution –

Phase 1: Connection Test / Send Certificate Issue – Fixed

Added Global Proxy configuration in Tx-SM59 -> Goto -> HTTP Proxy Configuration

Maintain the HTTP proxy under HTTP Protocol and HTTPS Protocol –

Based on the SAP note – 3165420, it talks about the symptom via “NIECONN_REFUSED” whereas our symptom is different i.e., “Connection Broken”. Secondly, the resolution part says – “Check whether the HTTP proxy is configured and deactivate it if it should not be used for the connection to the HTTP content server.” In addition to it, SAP note also suggests checking multiple configurations.

So, we should not be caught by the information that Archiving/Content Server does not work with HTTP Proxy. We’ll learn going further parts of this blog!

When tried to put Global Proxy in QA system temporarily and observed change in behaviour of the error message to “HTTP error: 403 forbidden Access denied for client <>” from OAC0. When further tried from Client VPN as a client reported same error because my Laptop’s IP is not whitelisted in PBS content server.

https://me.sap.com/notes/3165420

2.) After enforcing the proxy configuration, connection test started showing Denied entries for our Proxy IPs. Hence, requested PBS administrator to add/whitelist Proxy IPs in PBS server under Programs -> PBS -> PCS -> options.ini

IPaddress-1/rw

IPaddress-2/rw

After adding the IPs, Content Repo from PBS server was restarted from IIS on the Windows box.

This resulted in fixing Connection Test and Send Certificate issue from Tx – OAC0.

Certificate received successfully at PBS server side and Connection test was successful.

But this is not end of solution. There were many challenges after this.

Phase -2: URL and corrupted certificate when traversed from SAP to PBS.

If I try to do connection test from within the repository from Tx-OAC0.

The repository was giving an error “Access denied: Verification of signed URL failed”.  Connection tests are successful, however, logs indicate “SsfVerify: there are signer errors”.

Troubleshooting Steps:

• When I try to reach content repository via proxy from OS level. It publishes 200 (OK) return code which is fine from connectivity perspective.

curl -S -v http://<pbs-http-server ip>:<port-no.>/PclHttp.dll?serverInfo&pVersion=0045&contRep=Q0

curl -S -v http://<pbs-http-server ip>:<port-no.>/PclHttp.dll?serverInfo&pVersion=0047&contRep=Q0

• It sends the signal via serverProtocol HTTP/1.1 from QA server to PBS.
• When we are sending the data via OAC0 from Q0 repository it is sending certificates using HTTP/1.0.
• As per SAP note – 2763564 below, it was checked internet options in PBS windows server to allow HTTP/1.1 through proxy connections as we wanted to ensure there are no restrictions there in PBS windows box.

https://me.sap.com/notes/2763564

Later, when PBS logs were checked thoroughly, it was found that when SAP S4HANA (or ABAP) sends the certificate to content repository from STRUSTSSO2, it fills the comma or space field/area within the certificate to small-letter strings %2c or %3d instead of capital letters %3D or %2C. From PBS side, it seems it understands capital letter strings.

For sending signURL or secKey to ContentServer, function module SCMS_URL_SIGN is responsible as below SDN Link.

https://answers.sap.com/questions/6106124/archivelink-seckey-generation.html

With reference to below SAP note 2520326 where it says URL gets corrupted when proxy is in place which is exactly the same case as ours. I also checked; it is applicable for our release NW – 757.

2520326 – URL corrupted when proxy configuration is in place.

https://me.sap.com/notes/2520326

Connection in OAC0 using HTTP Proxy is successful.

Phase – 3: Final Solution

But problem did not finish in Phase-2, we noticed that Connection test in SARA was successful for functional archiving object but its store file job still fails with error message in Tx – SM37–

Connection to http://<pbs-http-server>:<port-no>/PclHttp.dll?create&pVersion: TCP/IP error

We generated more traces using SAPHTTP and SAPHTTPA by changing its setting from SM59, to select the ‘Set trace flag’ under the Special Options.

Later, use report RSHTTP40 with both RFC destinations SAPHTTP and SAPHTTPA.

From the logs, we can make out the log which came to use the SAP Note – 2570180.

2570180 – ICM Plugin usage over SAPHTTP in Knowledge Provider framework

Maintain the entry in your customer’s client(other than 000).

After which retrieval and storage jobs were successful.

Finally, 3^rd party Archiving solution worked fine using HTTP Proxy.

Best Regards,

Ashish Verma

Disclaimer – Please always follow the latest copy of the SAP notes from SAP Service Market Place.