The connectivity proxy exists to make calling the target resource's OData or REST inbound endpoints as seamless and transparent as possible.
It offers the following proxies: an HTTP proxy (on port 20003), a SOCKS5 proxy (on port 20004) and an RFC/LDAP proxy (on port 20001).
For instance, the HTTP connectivity proxy (on port 20003) is declared as an ordinary HTTP proxy in whatever HTTP client you choose.
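The following is an added example, not code from the original page or from SAP's connectivity proxy: it declares the HTTP connectivity proxy on port 20003 in a plain Python HTTP client and shows what the proxy receives. Assumptions: the host name connectivity-proxy is a placeholder for the proxy's service name in your runtime; the Proxy-Authorization bearer token (the connectivity service token) and the SAP-Connectivity-SCC-Location_ID header follow the connectivity service conventions and should be checked against the documentation for your environment; RecordingProxy is a constructed in-process stand-in for the real proxy so that the example runs offline, and the OData URL is a sample.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CONNECTIVITY_PROXY_HOST = "connectivity-proxy"  # assumption: proxy service name in your runtime
CONNECTIVITY_PROXY_PORT = 20003                  # HTTP proxy port named on the page


class RecordingProxy(BaseHTTPRequestHandler):
    """Constructed stand-in for the connectivity proxy: records the request line
    and the headers the real proxy acts on, then answers with a small JSON body."""
    seen = []

    def do_GET(self):
        RecordingProxy.seen.append({
            "request_line": self.requestline,
            "host": self.headers.get("Host"),
            "proxy_authorization": self.headers.get("Proxy-Authorization"),
            "location_id": self.headers.get("SAP-Connectivity-SCC-Location_ID"),
        })
        body = b'{"d":{"results":[]}}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_recording_proxy():
    """Start the stand-in proxy on an ephemeral loopback port and return the server."""
    server = HTTPServer(("127.0.0.1", 0), RecordingProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def build_opener(proxy_host=CONNECTIVITY_PROXY_HOST, proxy_port=CONNECTIVITY_PROXY_PORT):
    """Declare the HTTP connectivity proxy for plain-http URLs only. The business
    data tunnel is HTTP-only, so the target URL keeps the http scheme even when the
    Cloud Connector mapping talks HTTPS to the backend."""
    handler = urllib.request.ProxyHandler({"http": f"http://{proxy_host}:{proxy_port}"})
    return urllib.request.build_opener(handler)


def call_on_premise(opener, url, connectivity_token, location_id=None):
    """GET an on-premise URL through the proxy. The connectivity service token goes
    in Proxy-Authorization; SAP-Connectivity-SCC-Location_ID selects a non-default
    Cloud Connector location (assumed header conventions, see lead-in)."""
    req = urllib.request.Request(url)
    req.add_header("Proxy-Authorization", f"Bearer {connectivity_token}")
    if location_id:
        req.add_header("SAP-Connectivity-SCC-Location_ID", location_id)
    with opener.open(req, timeout=5) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    srv = start_recording_proxy()
    opener = build_opener("127.0.0.1", srv.server_address[1])
    status, body = call_on_premise(
        opener,
        "http://vhcala4hci:50001/sap/opu/odata/sap/EXAMPLE_SRV/$metadata",  # sample URL
        "<connectivity token>",
        "loc-a4h",
    )
    print(status, RecordingProxy.seen[-1])
    srv.shutdown()
```

Because the target URL uses the http scheme, the client sends the proxy an absolute-URI GET (`GET http://vhcala4hci:50001/... HTTP/1.1` with `Host: vhcala4hci:50001`) rather than a CONNECT; that is what keeps the call on the HTTP-only business data tunnel.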
The QUOVADIS_A4H-JWT destination configuration has a number of mandatory headers and attributes and may carry several additional properties. To make it easier to see what each header, attribute or property is for, they are broken down into three categories: the user JWT identity (input), the SAML assertion (internal) and the OAuth2.0 resource provider.
User JWT identity (input):
X-user-token header carrying the digitally signed user JWT
x_user_token.jwks_uri property pointing to the URI of the public keys used to verify and decode the user JWT
SAML assertion (internal):
KeyStoreLocation and KeyStorePassword: the certificate key pair used as the assertion signing certificate (only if not using the default destination service trust)
assertionIssuer (if different from the CN of the assertion signing certificate)
audience (designates the local service provider; it must equal the ABAP system's local SAML entity name, A4H_001 in the trace below)
assertionRecipient (if different from tokenServiceURL; the ABAP token endpoint compares it with the URL it was actually called on, as the trace below shows)
userIdSource (the user principal claim, if different from user_name)
nameIdFormat: either unspecified or email
authnContextClassRef
clientKey (the OAuth2 client id, carried as the mandatory client_id assertion attribute)
OAuth2.0 resource provider:
tokenServiceUser (OAuth2 client id)
tokenServicePassword (client secret)
tokenServiceURL (OAuth2 token endpoint)
Please note that the destination URL and the tokenServiceURL below both use the http scheme, even though on the on-premise side both endpoints are HTTPS.
This is because the connectivity proxy's business data tunnel is HTTP only. Requesting an https URL through it results in HTTP error 405 (Method Not Allowed).
By design, for cloud-to-on-premise connections TLS is controlled as follows:
if the HTTP proxy is used on the cloud side, whether TLS is used toward the backend is decided in the SCC itself, through the HTTP or HTTPS mapping (I opted for the HTTPS mapping);
if the SOCKS5 proxy is used on the cloud side together with a TCP mapping on the SCC side, the cloud application terminates TLS itself and can run whatever higher-level protocol it needs over it, e.g. HTTPS or JDBC with TLS.
Last but not least, the basic authentication destination definition. Although not suitable for productive use, it can come in very handy for testing purposes.
It is fairly easy to troubleshoot the SAML assertion that is generated internally during the find-destination call described above: change "Authentication": "OAuth2SAMLBearerAssertion" to "Authentication": "SAMLAssertion", and the destination service returns the signed assertion itself instead of exchanging it for an access token.
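The following is an added example, not part of the original page and not SAP's own code: a check over a destination definition that encodes the rules stated above (http scheme on URL and tokenServiceURL when going through the connectivity proxy, an assertion Recipient that matches what the ABAP token endpoint sees itself called on, and the mandatory properties). The sample destination is constructed from values visible in the trace that follows (audience A4H_001, client QUOVADIS_A4H, host vhcala4hci:50001, Recipient http versus requested https); the placeholder secret, the EXAMPLE names and the requested_recipient argument are assumptions. The fix shown, setting assertionRecipient to the https form while tokenServiceURL stays http, is one that is consistent with the property list above and the HTTPS mapping chosen in the SCC; confirm it against your own trace.

```python
from urllib.parse import urlsplit, urlunsplit

# Properties the page lists as mandatory (clientKey feeds the mandatory client_id attribute).
MANDATORY = ("URL", "Authentication", "ProxyType", "audience", "clientKey",
             "tokenServiceUser", "tokenServicePassword", "tokenServiceURL")


def _key(url):
    """Normalise a URL to (scheme, host:port, path). The query string is ignored
    because the token endpoint's trace compares the Recipient without it."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path or "/")


def lint_destination(dest, requested_recipient):
    """dest: destination properties as returned by the find-destination call.
    requested_recipient: the token endpoint URL the ABAP system sees itself called
    on ('Requested recipient is:' in a sec_diag trace). Returns a list of findings;
    an empty list means the definition passes."""
    findings = [f"missing mandatory property {k}" for k in MANDATORY if not dest.get(k)]
    if dest.get("Authentication") not in ("OAuth2SAMLBearerAssertion", "SAMLAssertion"):
        findings.append("Authentication must be OAuth2SAMLBearerAssertion "
                        "(SAMLAssertion only for troubleshooting the assertion)")
    if dest.get("ProxyType") == "OnPremise":
        for k in ("URL", "tokenServiceURL"):
            if dest.get(k) and urlsplit(dest[k]).scheme != "http":
                findings.append(f"{k} must use the http scheme through the connectivity "
                                f"proxy (an https URL yields HTTP 405)")
    # assertionRecipient defaults to tokenServiceURL when it is not set explicitly.
    recipient = dest.get("assertionRecipient") or dest.get("tokenServiceURL")
    if recipient and _key(recipient) != _key(requested_recipient):
        findings.append(f"assertion Recipient {recipient} != requested recipient "
                        f"{requested_recipient} (token endpoint answers invalid_grant)")
    return findings


def with_recipient_for_mapping(dest, scc_mapping_scheme):
    """Return a copy of dest whose assertionRecipient carries the scheme the SCC
    mapping uses toward the backend (https for the HTTPS mapping), while
    tokenServiceURL keeps http for the proxy tunnel."""
    p = urlsplit(dest["tokenServiceURL"])
    fixed = dict(dest)
    fixed["assertionRecipient"] = urlunsplit((scc_mapping_scheme, p.netloc, p.path, p.query, p.fragment))
    return fixed


# Constructed sample modelled on the trace: the tunnel URL is http, but the SCC HTTPS
# mapping makes the ABAP system see the token request arrive over https.
SAMPLE = {
    "Name": "QUOVADIS_A4H-JWT",
    "Type": "HTTP",
    "URL": "http://vhcala4hci:50001",
    "ProxyType": "OnPremise",
    "Authentication": "OAuth2SAMLBearerAssertion",
    "audience": "A4H_001",
    "clientKey": "QUOVADIS_A4H",
    "tokenServiceUser": "QUOVADIS_A4H",
    "tokenServicePassword": "<client secret>",  # placeholder
    "tokenServiceURL": "http://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001",
    "nameIdFormat": "unspecified",
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:x509",
}
REQUESTED = "https://vhcala4hci:50001/sap/bc/sec/oauth2/token"  # from the trace below

if __name__ == "__main__":
    for finding in lint_destination(SAMPLE, REQUESTED):
        print("before:", finding)
    print("after:", lint_destination(with_recipient_for_mapping(SAMPLE, "https"), REQUESTED))
```

Run against the sample, the check reports the same Recipient mismatch the trace ends with; after with_recipient_for_mapping the definition passes while tokenServiceURL still uses http, which is what the proxy tunnel requires.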
Step of user QUOVADIS_A4H, session 1 , step 1
H HTTPS> [1] Client/User specified trace activated (level: 3, path /sap/bc/sec/oauth2/token, request path: /sap/bc/sec/oauth2/token
H -----> Registerd path : :b=:l=3:v=/sap/bc/sec/oauth2/token:c=001:u=
H -----> Server name : vhcala4hci
H -----> ThExtDebuggingPossible : Y
H -----> Login : N
H -----> CallerIP :
H -----> Action : 1
H -----> Protocol : 2
H -----> Statistic : 0
H -----> Trace : 0
H -----> ContextID : SID:ANON:vhcala4hci_A4H_...-ATT
H -----> KernelVersion : 2
H -----> ABAPVersion : 1
H -----> CPoolingActive : 0 (type: 0)
H -----> AcceptSSO2Ticket : 1
H -----> VirtualServer : 0
H -----> CertificateAvailable : 0
H -----> AcceptRemoteTraceLevel : 1
H -----> AcceptRemoteProfileLevel: 0
H -----> AcceptRemoteRecorderLevel: 1
H -----> IcfOptions :
H -----> InstanceID : vhcala4hci_A4H_00
H -----> Logon RC : 0
H
{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTPS> [1] ab_HttpRequestHandler: pooled context type 0 (role=2, action=1, handle=0, protocol=2)
H
{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTP> System_Call_Http: T (syrepid: CL_HTTP_SERVER_NET============CP )
H HTTP> HTTP Application> [Info]; Starting of: System Login Execution for initial/expired Passwords
H HTTP> System_Call_Http: z (syrepid: SAPLHTTP_RUNTIME )
N OAUTH2: Tracer started. TL: 3, WPNO: **
N OAUTH2: Entering CL_OAUTH2_S_TOKEN_ENDPOINT->HANDLE_REQUEST
N OAUTH2: Start time: 20220202102254.2458640
N Wed Feb 2 10:22:54:246 2022
N OAUTH2: Identified GRANT_TYPE grant_type: urn:ietf:params:oauth:grant-type:saml2-bearer
N OAUTH2: Entering CL_OAUTH2_S_PROT_SAML2=>IF_OAUTH2_S_PROTOCOL~ACCESS_TOKEN_REQUEST
N OAUTH2: Entering CL_OAUTH2_S_PROT_SAML2=>READ_REQUEST_PARAMETERS
N OAUTH2: assertion:
N OAUTH2: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2Fz
N OAUTH2: ................... truncated.......................................
N OAUTH2: MTRuIyI+PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1j
N Wed Feb 2 10:22:54:248 2022
N OAUTH2: MTRuIyIgUHJlZml4TGlzdD0ieHNkIi8+PC9kczpUcmFuc2Zvcm0+CjwvZHM6VHJhbnNmb3Jtcz4KPGRzOkRpZ2VzdE1ldGhvZCBB
N OAUTH2: ................... truncated.......................................
N OAUTH2: dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj4=
N OAUTH2: client_id: QUOVADIS_A4H
N OAUTH2: Parameter "scope" was not sent by the client.
N OAUTH2: Exiting CL_OAUTH2_S_PROT_SAML2=>READ_REQUEST_PARAMETERS
N OAUTH2: HANDLE_CLIENT_ID_ALIAS - Received parameter Client ID: QUOVADIS_A4H
N OAUTH2: HANDLE_CLIENT_ID_ALIAS - Derived Client ID username: QUOVADIS_A4H
N OAUTH2: >> CL_OAUTH2_S_TOKEN_ENDPOINT=>CHECK_AUTHENTICATION_ICF
N OAUTH2: Entering CL_OAUTH2_S_TOKEN_ENDPOINT=>CERTIFICATE_AVAILABLE
H HTTP> System_Call_Http: c (syrepid: CL_HTTP_SERVER================CP )
H HTTP> HttpExists: yes (HttpInfo: 1)
H SslCertificate (certificate_available: FALSE)
N OAUTH2: Exiting CL_OAUTH2_S_TOKEN_ENDPOINT=>CERTIFICATE_AVAILABLE
N OAUTH2: Certificate available?:
N OAUTH2: << CL_OAUTH2_S_TOKEN_ENDPOINT=>CHECK_AUTHENTICATION_ICF
N OAUTH2: >> CL_OAUTH2_S_TOKEN_ENDPOINT=>CHECK_AUTHENTICATION_CLIENT
N Wed Feb 2 10:22:54:269 2022
N OAUTH2: << CL_OAUTH2_S_TOKEN_ENDPOINT=>CHECK_AUTHENTICATION_CLIENT
N OAUTH2: Parameter scope may be omitted in access token request: X
N OAUTH2: Entering CL_OAUTH2_S_PROT_SAML2=>BASE64URL_DECODE.
N ==> krn_Base64_Decode()
N <== krn_Base64_Decode()==0 (SSF_KRN_OK)
N OAUTH2: Exiting CL_OAUTH2_S_PROT_SAML2=>BASE64URL_DECODE.
N OAUTH2: >> CL_OAUTH2_S_PROT_SAML2=>VALIDATE_BEARER_OAUTH
N OAUTH2: Entering CL_OAUTH2_S_CLIENT=>GET_SAML_OAUTH_IDP
N OAUTH2: Requesting er_saml_oauth_idp object
N OAUTH2: Client IDP: 0242AC1100021EDBBC8C386D80DCA55A
N OAUTH2: Exiting CL_OAUTH2_S_CLIENT=>GET_SAML_OAUTH_IDP
N OAUTH2: IDP Key: 0242AC1100021EDBBC8C386D80DCA55A
N OAUTH2: IDP Name: quovadis/ateam-isveng
N SAML20 SP (client 001): Raw XML message:
N <?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="c94c0171-89ae-45
N <ds:SignedInfo>
N <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
N <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
N <ds:Reference URI="#c94c0171-89ae-450d-aabe-f3960d2ddb15">
N <ds:Transforms>
N <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
N <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml
N </ds:Transforms>
N <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
N <ds:DigestValue>eOZnjMKHdUZZyRqw9TNULNDD/aykJKaShhKQk/ASF18=</ds:DigestValue>
N </ds:Reference>
N </ds:SignedInfo>
N <ds:SignatureValue>
N BEwiqMULa3g14ZV2NLHeTzCx+duZqRJS9vYYKiHO3uzdWlR654tFb9/IuCN1EtSoyf6Krt/XmKd+
................... truncated.......................................
N q502onI919GKLYVE+ETN30QkVrolkJVN0PSGWdSYy+KtO0o1wlTMvpSYVZdLzRNL9b+3vGyhQ2Y=
N </ds:SignatureValue>
N </ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml2:NameID><s
N SAML20 SP (client 001):
N SAML20 <?xml version="1.0" encoding="utf-8"?>
N SAML20 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
N SAML20 ID="c94c0171-89ae-450d-aabe-f3960d2ddb15"
N SAML20 IssueInstant="2022-02-02T10:22:52.671Z"
N SAML20 Version="2.0"
N SAML20 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
N SAML20 <saml2:Issuer>quovadis/ateam-isveng</saml2:Issuer>
N SAML20 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
N SAML20 <ds:SignedInfo>
N SAML20 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
N SAML20 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
N SAML20 <ds:Reference URI="#c94c0171-89ae-450d-aabe-f3960d2ddb15">
N SAML20 <ds:Transforms>
N SAML20 <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
N SAML20 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
N SAML20
N SAML20 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
N SAML20 PrefixList="xsd" />
N SAML20 </ds:Transform>
N SAML20 </ds:Transforms>
N SAML20 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
N SAML20 <ds:DigestValue>
N SAML20 eOZnjMKHdUZZyRqw9TNULNDD/aykJKaShhKQk/ASF18=</ds:DigestValue>
N SAML20 </ds:Reference>
N SAML20 </ds:SignedInfo>
N SAML20 <ds:SignatureValue>
N SAML20 BEwiqMULa3g14ZV2NLHeTzCx+duZqRJS9vYYKiHO3uzdWlR654tFb9/IuCN1EtSoyf6Krt/XmKd+
................... truncated.......................................
N SAML20 q502onI919GKLYVE+ETN30QkVrolkJVN0PSGWdSYy+KtO0o1wlTMvpSYVZdLzRNL9b+3vGyhQ2Y=</ds:SignatureValue>
N SAML20 </ds:Signature>
N SAML20 <saml2:Subject>
N SAML20 <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
N SAML20 </saml2:NameID>
N SAML20 <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
N SAML20
N SAML20 <saml2:SubjectConfirmationData NotOnOrAfter="2022-02-02T11:22:52.671Z"
N SAML20 Recipient="http://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001" />
N SAML20 </saml2:SubjectConfirmation>
N SAML20 </saml2:Subject>
N SAML20 <saml2:Conditions NotBefore="2022-02-02T09:22:52.671Z"
N SAML20 NotOnOrAfter="2022-02-02T11:22:52.671Z">
N SAML20 <saml2:AudienceRestriction>
N SAML20 <saml2:Audience>A4H_001</saml2:Audience>
N SAML20 </saml2:AudienceRestriction>
N SAML20 </saml2:Conditions>
N SAML20 <saml2:AuthnStatement AuthnInstant="2022-02-02T10:22:52.671Z">
N SAML20 <saml2:AuthnContext>
N SAML20 <saml2:AuthnContextClassRef>
N SAML20 urn:oasis:names:tc:SAML:2.0:ac:classes:x509</saml2:AuthnContextClassRef>
N SAML20 </saml2:AuthnContext>
N SAML20 </saml2:AuthnStatement>
N SAML20 <saml2:AttributeStatement>
N SAML20 <saml2:Attribute Name="client_id">
N SAML20 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
N SAML20 xsi:type="xsd:string">
N SAML20 QUOVADIS_A4H</saml2:AttributeValue>
N SAML20 </saml2:Attribute>
N SAML20 </saml2:AttributeStatement>
N SAML20 </saml2:Assertion>
N SAML20
N SAML20 SP (client 001): Transformation: SAML2_ASSERTION was executed successfully.
N SAML20 SP (client 001): Received assertion is initially signed
N SAML20 SP (client 001): >> CL_SAML20_OAUTH_ASSERTION->VALIDATE_CONDITIONS
N SAML20 SP (client 001): Local entity: A4H_001
N SAML20 SP (client 001): Validating assertion conditions
N clock skew = 120
N entity name = A4H_001
N NotBefore = 20220202092252
N NotOnOrAfter = 20220202112252
N SAML20 SP (client 001): Raw XML message:
N <?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="c94c0171-89ae-45
N <ds:SignedInfo>
N <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
N <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
N <ds:Reference URI="#c94c0171-89ae-450d-aabe-f3960d2ddb15">
N <ds:Transforms>
N <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
N <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml
N </ds:Transforms>
N <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
N <ds:DigestValue>eOZnjMKHdUZZyRqw9TNULNDD/aykJKaShhKQk/ASF18=</ds:DigestValue>
N </ds:Reference>
N </ds:SignedInfo>
N <ds:SignatureValue>
N BEwiqMULa3g14ZV2NLHeTzCx+duZqRJS9vYYKiHO3uzdWlR654tFb9/IuCN1EtSoyf6Krt/XmKd+
................... truncated.......................................
N q502onI919GKLYVE+ETN30QkVrolkJVN0PSGWdSYy+KtO0o1wlTMvpSYVZdLzRNL9b+3vGyhQ2Y=
N </ds:SignatureValue>
N </ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml2:NameID><s
N SAML20 SP (client 001): Transformation: SAML2_AUDIENCE_RESTRICTION was executed successfully.
N SAML20 SP (client 001):
N SAML20 <saml2:AudienceRestriction xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
N SAML20
N SAML20 <saml2:Audience>A4H_001</saml2:Audience>
N SAML20 </saml2:AudienceRestriction>
N SAML20
N SAML20 SP (client 001): << CL_SAML20_OAUTH_ASSERTION->VALIDATE_CONDITIONS
N SAML20 SP (client 001): Validating subject confirmation
N method = urn:oasis:names:tc:SAML:2.0:cm:bearer
N NotBefore = 0
N NotOnOrAfter = 20220202112252
N expected method = urn:oasis:names:tc:SAML:2.0:cm:bearer
N clock skew = 120
N max token validity = 0
N SAML20 SP (client 001): Target client of assertion recipient url 001
N SAML20 SP (client 001): Checking recipient URL in a bearer assertion.
N Recipient from the assertion is: http://vhcala4hci:50001/sap/bc/sec/oauth2/token
N Requested recipient is: https://vhcala4hci:50001/sap/bc/sec/oauth2/token
N OAUTH2: Previous error messages:
N OAUTH2: Attribute 'Recipient' of element 'SubjectConfirmationData' is invalid
N OAUTH2: Source position: CL_SAML20_OAUTH_ASSERTION=====CM006 56
N OAUTH2: Error! CX_OAUTH2_EXCEPTION thrown, time: 20220202 102254
N OAUTH2: Error Text: Provided authorization grant is invalid. Exception was Attribute 'Recipient' of element 'SubjectConf
N OAUTH2: irmationData' is invalid. For more information, consult the kernel traces or the OAuth 2.0 trouble s
N OAUTH2: hooting SAP note 1688545
N OAUTH2: HTTP Status Code: 400
N OAUTH2: error_description: Provided authorization grant is invalid. Exception was Attribute 'Recipient' of element 'SubjectConfir
N OAUTH2: error: invalid_grant
N OAUTH2:
N OAUTH2: Add. Detail: Error during SAML2 validation.
N OAUTH2: Call Stack: CX_OAUTH2_EXCEPTION===========CM003 68, METHOD CREATE
N OAUTH2: CX_OAUTH2_EXCEPTION===========CM005 7, METHOD CREATE_AND_RAISE
N OAUTH2: CL_OAUTH2_S_PROT_SAML2========CM006 205, METHOD VALIDATE_BEARER_OAUTH
N OAUTH2: CL_OAUTH2_S_PROT_SAML2========CM002 111, METHOD IF_OAUTH2_S_PROTOCOL~ACCESS_TOKEN_REQUEST
N OAUTH2: CL_OAUTH2_S_TOKEN_ENDPOINT====CM001 126, METHOD IF_HTTP_EXTENSION~HANDLE_REQUEST
N OAUTH2: CL_HTTP_SERVER================CM00I 808, METHOD EXECUTE_REQUEST
N OAUTH2: LHTTP_RUNTIMEU02 1575, FUNCTION HTTP_DISPATCH_REQUEST
N OAUTH2: SAPMHTTP 12, MODULE (PBO) %_HTTP_START
N OAUTH2:
N OAUTH2: Prev. Ex. Text: Attribute 'Recipient' of element 'SubjectConfirmationData' is invalid
N OAUTH2: Prev. Source Position.: CL_SAML20_OAUTH_ASSERTION=====CM006 56
N OAUTH2: Error response returned to ICF framework.
N OAUTH2: End time: 20220202102254.3861410
N OAUTH2: Exiting CL_OAUTH2_S_TOKEN_ENDPOINT->HANDLE_REQUEST
H HTTP> System_Call_Http: T (syrepid: CL_ICF_SYSTEM_LOGIN===========CP )
H HTTP> Certificate service active ( icm/HTTPS/verify_client GE 1)
H HTTP> System_Call_Http: T (syrepid: CL_ICF_SYSTEM_LOGIN===========CP )
H HTTP> GET_SYSTEM_LANGUAGE: system language set to E
H HTTP> System_Call_Http: T (syrepid: CL_ICF_SYSTEM_LOGIN===========CP )
H HTTP> GET_SYSTEM_LANGUAGE: second language set to D
H HTTPS> [1] Http_InitKeepContext: 0
H
{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTP> ab_HttpProcess: LogonMethod 1
H HTTP> SendAndReturn: EventHandlerExist 0
H Wed Feb 2 10:22:54:422 2022
H HTTPS> [1] ab_HttpSendAndReturn (name: Me, roll_context: 1, keep_context: 0, itsContext: 0)
H
{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTPS> [1] ab_HttpSendAndReturn: PfGetDialogStep returned 0.
H
{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTP> SetHttpWriteBusyForImc: state for IMC 0x02
H HTTPS> [1] ab_HttpWrite
H (data: NULL, message: 0x67867AE8, SendAndClose: 0)
H
{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTP> IcfSetDTHeaderFields: set sap-icm-log-dtrace returned 0.
H HTTP> IcfExtLoggingHeaderFields: set sap-icm-log-uname returned 0.
H HTTP> IcfExtLoggingHeaderFields: set sap-icm-log-mandt returned 0.
H HTTP> IsFrontEndStatActive: Front End Statistic is on.
H HTTP> IcfSendServerTimeToFrontEnd: set server time for front end: 431932.000000
H HTTP> IcfSendServerTimeToFrontEnd: set SAP-Perf-FESRec returned 0.
H HTTP> IcfSendServerTimeToFrontEnd needs 148.000000 microsecs.
H HTTP> SetHttpWriteFreeForImc: state for IMC 0x00
H HTTPS> [1] ab_HttpSendAndReturn (ReqRefCount: 2)
H
.................. truncated.........................
End of step for user QUOVADIS_A4H, session 1 , step 1
Cloud Connector:
Connection issues with the connection to SAP BTP. The most frequent tunnelling issues:
Suddenly the connection to a subaccount fails with a 401 response code
The subaccount client certificate has expired and has to be renewed; see the Cloud Connector help topic Update the Certificate for a Subaccount and SAP KBA 2837206 - Cloud Connector suddenly stops working and the error "Invalid status of handshake response: 401 Unauthorized" is thrown
Cloud Connector frequently reconnects to SAP BTP
A corresponding entry can be seen in the Cloud Connector log.
See SAP KBA 2498531 - Load balanced HTTPS proxy server for SAP Cloud Connector
Firewall, IP address change
The Cloud Connector needs access to the connectivitynotification, connectivitycertsigning and connectivitytunnel servers in the configured regions.
When an IP address has changed and the company firewall blocks the new address, an entry similar to the following is logged in the Cloud Connector log file:
#ERROR#com.sap.scc.rt#http-bio-8443-exec-6# #Tunnel Connect Failed io.netty.channel.ConnectTimeoutException: connection timed out: connectivitynotification.ap1.hana.ondemand.com/157.133.97.47:443
or
Caused by: java.net.UnknownHostException: connectivitycertsigning.ap1.hana.ondemand.com: Name or service not known
Note that the second entry is a name-resolution failure, so check DNS and proxy settings before the firewall rules. The IP addresses are listed in the Cloud Connector online help under Prerequisites: Network; IP changes are announced on https://sapcp.statuspage.io.
Sporadic tunnel reset
The Cloud Connector tunnel's TCP connection is sometimes reset; the Cloud Connector log then contains entries similar to:
ERROR#com.sap.core.connectivity.tunnel.client.notification.NotificationClient#notification-client-3-1
Unable to handshake with notification server connectivitynotification.hana.ondemand.com:443
java.io.IOException: Connection reset by peer
This occurs when a firewall or another network device resets the TCP connection. The Cloud Connector re-establishes the connection automatically.
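The following is an added example, not from the original page or SAP's Cloud Connector: a pre-flight check that resolves and TCP-connects to the three endpoint classes named above and maps each outcome to the log signature the page shows for it (UnknownHostException for a DNS failure, ConnectTimeoutException for dropped SYNs, Connection reset by peer for an RST). Assumptions: the region ap1 is taken from the page's log lines and must be replaced by your own; the start_local_listener and closed_local_port helpers are constructed loopback targets so the check can be exercised offline.

```python
import socket

# Endpoints the page says the Cloud Connector must reach; replace the region.
SCC_ENDPOINTS = (
    ("connectivitynotification.ap1.hana.ondemand.com", 443),
    ("connectivitycertsigning.ap1.hana.ondemand.com", 443),
    ("connectivitytunnel.ap1.hana.ondemand.com", 443),
)

# Probe outcome -> the exception text the Cloud Connector log shows for it.
LOG_SIGNATURE = {
    "dns": "java.net.UnknownHostException: ... Name or service not known",
    "timeout": "io.netty.channel.ConnectTimeoutException: connection timed out",
    "reset": "java.io.IOException: Connection reset by peer",
    "refused": "connection refused (no listener, or a firewall that rejects instead of dropping)",
}


def probe(host, port, timeout=3.0):
    """Resolve host and complete a TCP handshake to port; returns (outcome, ip).
    'dns' = resolution failed, 'timeout' = SYNs dropped (typical firewall block),
    'reset' = RST received, 'refused' = RST on connect, 'ok' = handshake done.
    Nothing is sent on the connection."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return ("dns", None)
    ip = infos[0][4][0]
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return ("ok", ip)
    except socket.timeout:
        return ("timeout", ip)
    except ConnectionResetError:
        return ("reset", ip)
    except ConnectionRefusedError:
        return ("refused", ip)
    except OSError as exc:
        return (f"error:{exc.errno}", ip)


def preflight(endpoints=SCC_ENDPOINTS):
    """Probe every endpoint; returns {'host:port': (outcome, ip, matching log text)}."""
    report = {}
    for host, port in endpoints:
        outcome, ip = probe(host, port)
        report[f"{host}:{port}"] = (outcome, ip, LOG_SIGNATURE.get(outcome, ""))
    return report


def start_local_listener():
    """Constructed loopback target for the 'ok' path; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_local_port():
    """Constructed loopback port with no listener, for the 'refused' path."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    for endpoint, (outcome, ip, signature) in preflight().items():
        print(f"{endpoint} -> {outcome} ({ip}) {signature}")
```

Run it from the Cloud Connector host (through the same proxy settings the Cloud Connector uses, if any) after an IP-change announcement or a firewall change; a 'timeout' on one of the three hosts reproduces the first log entry above, a 'dns' result the second.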
2460641 - Adding subaccount to SAP Cloud Connector fails due to network issues
2571763 - Authorization problem in SAP Cloud Connector when adding Cloud Foundry subaccount
2377425 - What ports need to be open in a firewall for connection with SAP Cloud Connector and what IP Addresses at SAP does it connect to?
2496689 - 500 Host ap1.hana.ondemand.com unknown (check your network and proxy settings) message in SAP Cloud Connector. The list of the latest IP addresses of all regions is available on the SAP Help Portal (Cloud Connector Prerequisites: Network).