
principal propagation error

tskwin
Explorer

Hello Experts,

We are trying to configure principal propagation (X.509 certificate) for SAP BAS via the Cloud Connector to the backend through a proxy. However, we're encountering this error in BAS:

"An error occurred: Request failed with status code 401".

curl test:

curl trial100.dest

We receive the following message: "Unable to generate authorization token for user test@test.com on system test:.user:5202".

Ljs_trace.log

#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-15-1#          #Will send message of type 4 (error) over tunnel channel [id: 98098, L:/455.445.567 - R:/2233.233.233:80] with tunnelId account:///3043omf3ß24343434/test

TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnel-client-15-1#          #Encoding WebSocket Frame opCode=2 length=305

#TRACE#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-15-1#          #Sent message of type 4 (error) over tunnel channel [id: 98098, L:/455.445.567 - R:/2233.233.233:80] with tunnelId account:/// 3043omf3ß24343434/test

#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-15-1#2334#Last http request object, switching state to STARTING

#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-15-1#3434#Set autoread=TRUE on Backend channel: [id: 3434 isOpen: true; isActive: true; isRegistered: true; isWritable: true; bytesBeforeWritable: 0; bytesBeforeUnwritable: 78,445; autoRead: true]

#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-15-1#e2333#Swallowing HTTP object EmptyLastHttpContent.

#ERROR#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-15-1#34444#Write operation FAILED for payload message packet with size 5,856 for client channel [id: 034034, L:/233.33.323:3334 - R:test.com/233.345.121:5010]. Cause: com.sap.core.connectivity.protocol.http.handlers.HttpProtocolException: Unable to generate authorization token for user testuser@test.com on system test:5020.

#DEBUG#io.netty.handler.ssl.SslHandler#tunnel-client-15-1#          #[id: 3434, L:/554.455.344:3494 - R:test.com/233.344.434:5050] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-15-1#          #Decoding WebSocket Frame opCode=2

#TRACE#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnel-client-15-1#          #Decoding WebSocket Frame length=14

#TRACE#com.sap.core.connectivity.tunnel.core.handlers.MessagePacketHandler#tunnel-client-15-1#3444324#Received message of type 2 (close connection) over tunnel channel [id: 0x9bdf277b, L:/123.344.445:405i - R:/232.233.34480]; tunnelId: account:///34343´545445/test

#DEBUG#com.sap.core.connectivity.tunnel.core.Tunnel#tunnel-client-15-1#232323#Unsubscribed connectionId 2323 from tunnelId account:///2323090909405/test

#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-15-1#8887#Unassigned principal: 'testuser@test.com'

#TRACE#com.sap.core.connectivity.spi.util.ChannelUtil#tunnel-client-15-1#0x224434346e2d#Closing channel [id: 3444d34, L:/232.445.556:9293 - R:test.com/238.343.343:5020

#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnel-client-15-1#0x22446e2d#Released backend connection channel [L:/232.445.556:9293 - R:test.com/238.343.343:5020]

#TRACE#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnel-client-15-1#343434#Report close connection with id: 3434c

#DEBUG#com.sap.scc.security#tunnel-client-15-1#          #Generating X.509 certificate for authentication to backend

#DEBUG#com.sap.scc.security#tunnel-client-15-1#          #Requesting token for principal with name testuser@test.com

G#com.sap.scc.security#tunnel-client-15-1#          #Condition "true" fits to principal 'testuser.qtest.com', return CN=${mail}, EMAIL=testuser@test.com OU=SB, O=WI, C=DE

#ERROR#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-15-sdsdsdsd#Unable to generate authorization token

java.lang.IllegalStateException: The variable 'mail' needed for object CN is not available in context.

               at com.sap.scc.cert.DN.toRDN(DN.java:177)

               at com.sap.scc.cert.CertificateGenerator.generateToken(CertificateGenerator.java:135)

               at com.sap.scc.sso.SccBackendTokenGenerator.generateToken(SccBackendTokenGenerator.java:52)

               at com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler.generateAuthenticationToken(HttpAuthenticationHandler.java:145)

#ERROR#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-15-1#333434#Unexpected HTTP error:

com.sap.core.connectivity.protocol.http.handlers.HttpProtocolException: Unable to generate authorization token for user testuser@test.com.de on system test:4040.

HttpRequestStateHandler#tunnel-client-15-1#sdsd#Starting, switching state to PROCESSING

#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-15-1#Start sending http://test:8888/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled to backend

#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-15-1#asas#Set autoread=FALSE on Backend channel: [id: 8888888 isOpen: true; isActive: true; isRegistered: true; isWritable: true; bytesBeforeWritable: 0; bytesBeforeUnwritable: 65,88; autoRead: false]

#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-15-1#000ß#Set request description to statistics instance: http://test:990/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/?$top=1&saml2=disabled on [virtualHost=test, virtualPort=9870, protocol=HTTP]

#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpInboundStatisticsHandler#tunnel-client-15-1#sdsd#Report invoke started for connection sdsd to http://test:979 request /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection/

#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-15-1#dsdsd#Updating caller principal.

#DEBUG#com.sap.core.connectivity.tunnel.client.sso.SSOClientSessionService#tunnel-client-15-1#          #Reusing existing session with id -33213142

DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnel-client-15-1#          #Assigned principal: testuser@test.com

'DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-15-1#232323#Updated caller principal from null to testuser@test.com

#DEBUG#com.sap.scc.security#tunnel-client-15-1#          #Generating X.509 certificate for authentication to backend

#DEBUG#com.sap.scc.security#tunnel-client-15-1#          #Requesting token for principal with name testuser@test.com

#DEBUG#com.sap.scc.security#tunnel-client-15-1#          #Condition "true" fits to principal ‚‘testuser@test.com‘, return CN=${mail}, EMAIL=testuser@test,com, OU=SB, O=WI, C=DE

#ERROR#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-15-1#88888#Unable to generate authorization token

java.lang.IllegalStateException: The variable 'mail' needed for object CN is not available in context.

 

              

Any ideas on how to resolve this issue?

 

Thank you in advance!

Best Regards

Joy_Ragavie
Explorer
0 Kudos
Hi, were you able to resolve the above error? I am also facing the same issue. It would be helpful if you could share the solution.

Accepted Solutions (0)

Answers (0)
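An added triage example (not part of the original thread and not SAP code): it pairs each subject-pattern line in an ljs_trace.log excerpt with the "variable ... is not available in context" exception that follows it, so the unresolved `${...}` placeholder and the affected principal are reported together. The sample lines are constructed from the trace quoted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the ljs_trace.log lines quoted in the question.
SAMPLE = """\
#DEBUG#com.sap.scc.security#tunnel-client-15-1#          #Requesting token for principal with name testuser@test.com
#DEBUG#com.sap.scc.security#tunnel-client-15-1#          #Condition "true" fits to principal 'testuser@test.com', return CN=${mail}, OU=SB, O=WI, C=DE
#ERROR#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-15-1#88888#Unable to generate authorization token
java.lang.IllegalStateException: The variable 'mail' needed for object CN is not available in context.
"""

# "Condition ... fits to principal '<name>', return <subject pattern>"
PATTERN_RE = re.compile(r"fits to principal\s+\W*([\w.@-]+)\W*,\s*return\s+(.+)$")
# "The variable '<var>' needed for object <RDN> is not available in context."
MISSING_RE = re.compile(
    r"The variable '([^']+)' needed for object (\w+) is not available in context")
PLACEHOLDER_RE = re.compile(r"\$\{([^}]+)\}")


def triage(log_text):
    """Return one finding per subject-pattern evaluation seen in the trace."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = PATTERN_RE.search(line)
        if m:
            current = {
                "principal": m.group(1),
                "pattern": m.group(2).strip(),
                "placeholders": PLACEHOLDER_RE.findall(m.group(2)),
                "missing": [],  # (RDN, variable) pairs that failed to resolve
            }
            findings.append(current)
            continue
        m = MISSING_RE.search(line)
        if m and current is not None:
            current["missing"].append((m.group(2), m.group(1)))
    return findings


def failed(findings):
    """Keep only the evaluations where a placeholder could not be resolved."""
    return [f for f in findings if f["missing"]]


if __name__ == "__main__":
    for f in failed(triage(SAMPLE)):
        for rdn, var in f["missing"]:
            print(f"{f['principal']}: pattern '{f['pattern']}' needs "
                  f"${{{var}}} for {rdn}, but it was not in the context")
```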