@ptesny
Last active February 7, 2023 12:43
Reaching SAP LOB destinations with connectivity proxy

How to declare the HTTP connectivity proxy (on port 20003) with an HTTP client of your choice.

The connectivity proxy is there to make calling the target resource's OData or REST inbound endpoints as seamless and transparent as it can possibly be.

It offers the following proxies: an HTTP proxy (on port 20003), a SOCKS5 proxy (on port 20004) and an RFC/LDAP one (on port 20001).

For instance, the snippet below shows how to declare the HTTP connectivity proxy (on port 20003) with an HTTP client of your choice (axios here).

    const axios = require('axios');

    // HTTP connectivity proxy of the Kyma cluster (port 20003)
    const proxy = {
      protocol: 'http',
      host: 'connectivity-proxy.kyma-system',
      port: 20003
    };

    let result;          // pretty-printed response body
    let x_csrf_token_;   // CSRF token issued by the backend
    let setcookies_;     // session cookies issued by the backend

    // url: the destination/OData URL reached through the proxy
    // jwt: the user JWT forwarded as bearer token
    async function callThroughProxy(url, jwt) {
      return axios.get(url, {
        proxy: proxy,
        headers: {
          "Accept-Encoding": "gzip, deflate",
          "Content-Type": 'application/json',
          "x-csrf-token" : 'fetch',          // ask the backend to issue a CSRF token
          'sap-client' : '001',
          "Authorization": "Bearer " + jwt
        }
      }).then(function(response) {
        console.log('Authenticated');
        result = JSON.stringify(response.data, null, 4);
        x_csrf_token_ = response.headers["x-csrf-token"];
        setcookies_ = response.headers["set-cookie"];
        console.log('x_csrf_token:' + x_csrf_token_);
        console.log('setcookies_:' + setcookies_);
        return response;
      }).catch(function(error) {
        console.log('Error on Authentication');
        return error;
      });
    }

Connectivity proxy (one-off operation)

In any user namespace pick the connectivity service from the Service Catalog as depicted below:

Wait until the service provisioning completes:

Click on create Service Binding Usage option:

As the connectivity proxy is a global service, it needs to be bound to a gateway service of the Kyma cluster (and not to your workload).

Create a destination definition

The QUOVADIS_A4H-JWT destination configuration has a number of mandatory headers and attributes and may have several additional properties as well. To make it easier to understand what each header/attribute/property is there for, I broke them down into the following three categories:

User JWT identity (input):

  • X-user-token header with the digitally signed user JWT token
  • x_user_token.jwks_uri property that points to the URI with the public keys used to validate the user JWT

SAML Assertion (internal):

  • KeyStoreLocation and KeyStorePassword with the certificate keypair: that's the assertion signing certificate (if not using the default destination service trust)
  • assertionIssuer (if different from the CN of the assertion signing certificate)
  • audience (designates the local service provider)
  • assertionRecipient (if different from tokenServiceURL)
  • userIdSource (the user principal claim, if different from user_name)
  • nameIdFormat: either unspecified or email
  • authnContextClassRef
  • clientKey (OAuth2 client id, a mandatory SAML assertion attribute)

OAuth2.0 resource provider:

  • tokenServiceUser (OAuth2 client id)
  • tokenServicePassword (client secret)
  • tokenServiceURL (OAuth2 service token endpoint)

Please note that the destination URL and the tokenServiceURL below both use the HTTP scheme, even though on the on-premise side both URLs are HTTPS.

This is because the connectivity proxy business data tunnel is HTTP only; using HTTPS here results in HTTP error 405 (Method Not Allowed).

{
  "owner": {
    "SubaccountId": "<SubaccountId>",
    "InstanceId": null
  },
  "destinationConfiguration": {
    "Name": "QUOVADIS_A4H-JWT",
    "Type": "HTTP",
    "URL": "http://vhcala4hci:50001/sap/opu/odata/sap/EPM_REF_APPS_SHOP_SRV/Products/?sap-client=001",
    "Authentication": "OAuth2SAMLBearerAssertion",
    "ProxyType": "OnPremise",
    "KeyStorePassword": "<KeyStorePassword>",
    "tokenServiceURLType": "Dedicated",
    "audience": "A4H_001",
    "Description": "QUOVADIS_A4H-JWT",
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:x509",
    "x_user_token.jwks_uri": "https://<SAPIAS tenant FQDN>/oauth2/certs",
    "tokenServiceUser": "QUOVADIS_A4H",
    "tokenServiceURL": "http://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001",
    "assertionRecipient": "https://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001",
    "tokenServicePassword": "<tokenServicePassword>",
    "clientKey": "QUOVADIS_A4H",
    "KeyStoreLocation": "quovadis_ateam-isveng.p12",
    "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "CloudConnectorLocationId": "vhcala4hci",
    "userIdSource": "sub"
  },
  "certificates": [
    {
      "Name": "quovadis_ateam-isveng.p12",
      "Content": "<Content>",
      "Type": "CERTIFICATE"
    }
  ],
  "authTokens": [
    {
      "type": "Bearer",
      "value": "AkKsEQACHuyopQNNf3uPK2N2aXE-CPAQFxQ7e7tWUx123456",
      "http_header": {
        "key": "Authorization",
        "value": "Bearer AkKsEQACHuyopQNNf3uPK2N2aXE-CPAQFxQ7e7tWUx123456"
      },
      "expires_in": "3600",
      "scope": "EPM_OIA_L_1_SRV_01_0001 EPM_OIA_L_SRV_0001 EPM_VP_L_SRV_0001 SAP_BW_INA_GETSERVERINFO_HTTP ZEPM_REF_APPS_PO_APV_SRV_0001 ZEPM_REF_APPS_PROD_MAN_SRV_0001 ZEPM_REF_APPS_SHOP_SRV_0001 Z_BIND_FLIGHT_R_0001 Z_BIND_TRAVEL_U_0001"
    }
  ]
}
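As an added example (not code from the gist), the following lint encodes the rules stated above as checks over a destinationConfiguration object: the token-service properties the definition needs, the HTTP-only business data tunnel (405 otherwise), the two allowed nameIdFormat values, and the Recipient mismatch that the S/4HANA trace further down shows when assertionRecipient is left out. The property names are the real destination properties used in the gist; the rule set itself, the sample BROKEN_DESTINATION and the finding texts are this example's own assumptions, not an SAP specification.

```javascript
// Added example, not the gist's own code: lint for a destination definition
// that targets an on-premise system through the connectivity proxy.
// The rule set is an assumption of this example, not an SAP specification.

const REQUIRED_OAUTH2_SAML = [
  'tokenServiceUser', 'tokenServicePassword', 'tokenServiceURL',
  'clientKey', 'audience', 'x_user_token.jwks_uri',
];

const ALLOWED_NAMEID_FORMATS = [
  'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
  'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
];

// Returns the lower-cased URL scheme, or null if the string is not a URL.
function scheme(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\//i.exec(url || '');
  return m ? m[1].toLowerCase() : null;
}

// Lints one destinationConfiguration object; returns an array of findings
// (an empty array means every rule passed).
function lintDestination(cfg) {
  const findings = [];

  if (cfg.Authentication === 'OAuth2SAMLBearerAssertion') {
    for (const p of REQUIRED_OAUTH2_SAML) {
      if (!cfg[p]) findings.push(`missing mandatory property ${p}`);
    }
    // The keystore is optional (default destination-service trust), but one
    // half without the other is a misconfiguration.
    if (Boolean(cfg.KeyStoreLocation) !== Boolean(cfg.KeyStorePassword)) {
      findings.push('KeyStoreLocation and KeyStorePassword must be set together');
    }
    if (cfg.nameIdFormat && !ALLOWED_NAMEID_FORMATS.includes(cfg.nameIdFormat)) {
      findings.push(`nameIdFormat must be unspecified or email, got ${cfg.nameIdFormat}`);
    }
    // Without an explicit assertionRecipient the SAML Recipient defaults to
    // tokenServiceURL; the trace shows the ABAP token endpoint rejecting an
    // http:// Recipient with invalid_grant because it expects https://.
    if (!cfg.assertionRecipient && scheme(cfg.tokenServiceURL) === 'http') {
      findings.push('set assertionRecipient to the https:// token endpoint the backend expects');
    }
  }

  if (cfg.ProxyType === 'OnPremise') {
    // The connectivity proxy business data tunnel is HTTP only (405 otherwise).
    for (const p of ['URL', 'tokenServiceURL']) {
      if (cfg[p] && scheme(cfg[p]) !== 'http') {
        findings.push(`${p} must use http:// through the connectivity proxy tunnel`);
      }
    }
  }
  return findings;
}

// The gist's QUOVADIS_A4H-JWT definition (placeholders kept as in the gist).
const GIST_DESTINATION = {
  Name: 'QUOVADIS_A4H-JWT',
  Type: 'HTTP',
  URL: 'http://vhcala4hci:50001/sap/opu/odata/sap/EPM_REF_APPS_SHOP_SRV/Products/?sap-client=001',
  Authentication: 'OAuth2SAMLBearerAssertion',
  ProxyType: 'OnPremise',
  KeyStorePassword: '<KeyStorePassword>',
  tokenServiceURLType: 'Dedicated',
  audience: 'A4H_001',
  authnContextClassRef: 'urn:oasis:names:tc:SAML:2.0:ac:classes:x509',
  'x_user_token.jwks_uri': 'https://<SAPIAS tenant FQDN>/oauth2/certs',
  tokenServiceUser: 'QUOVADIS_A4H',
  tokenServiceURL: 'http://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001',
  assertionRecipient: 'https://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001',
  tokenServicePassword: '<tokenServicePassword>',
  clientKey: 'QUOVADIS_A4H',
  KeyStoreLocation: 'quovadis_ateam-isveng.p12',
  nameIdFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
  CloudConnectorLocationId: 'vhcala4hci',
  userIdSource: 'sub',
};

// Constructed broken variant: https:// destination URL, no assertionRecipient.
const BROKEN_DESTINATION = {
  ...GIST_DESTINATION,
  URL: GIST_DESTINATION.URL.replace('http://', 'https://'),
  assertionRecipient: undefined,
};

console.log(lintDestination(GIST_DESTINATION));   // []
console.log(lintDestination(BROKEN_DESTINATION)); // two findings
```

Run the lint against the destinationConfiguration object of a find-destination response before deploying a workload; the gist's definition passes, the broken variant reports the missing assertionRecipient and the https:// URL.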

Good to know:

By design, for cloud-to-premise connections, the TLS is controlled the following way:

  • if the HTTP proxy is used on the cloud side, then TLS or non-TLS is controlled in SCC itself. For instance you may opt for an HTTP or HTTPS mapping (and I opted for the HTTPS mapping)

  • if the SOCKS5 proxy is used on the cloud side, and there is a TCP mapping on the SCC side, then the cloud app can use TLS with whatever higher-level protocol it fancies, e.g. HTTPS, JDBC with TLS, etc.

Last but not least, below is the basic authentication destination definition.

Albeit not suitable for productive use, it can come in very handy for testing purposes.

{
  "owner": {
    "SubaccountId": "<SubaccountId>",
    "InstanceId": null
  },
  "destinationConfiguration": {
    "Name": "QUOVADIS_A4H-BASIC",
    "Type": "HTTP",
    "URL": "http://vhcala4hci:50001/sap/opu/odata/sap/EPM_REF_APPS_SHOP_SRV/Products/?sap-client=001",
    "Authentication": "BasicAuthentication",
    "ProxyType": "OnPremise",
    "User": "QUOVADIS_A4H",
    "CloudConnectorLocationId": "vhcala4hci",
    "Password": "<user password>"
  },
  "authTokens": [
    {
      "type": "Basic",
      "value": "UVVPVkFESVNfQTRI....................=",
      "http_header": {
        "key": "Authorization",
        "value": "Basic UVVPVkFESVNfQTRI....................="
      }
    }
  ]
}

Task 1. Destination definition.

{
  "Name": "QUOVADIS_A4H-JWT",
  "Type": "HTTP",
  "URL": "http://vhcala4hci:50001/sap/opu/odata/sap/EPM_REF_APPS_SHOP_SRV/Products/?sap-client=001",
  "Authentication": "OAuth2SAMLBearerAssertion",
  "ProxyType": "OnPremise",
  "KeyStorePassword": "<KeyStorePassword>",
  "tokenServiceURLType": "Dedicated",
  "audience": "A4H_001",
  "Description": "QUOVADIS_A4H-JWT",
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:x509",
  "x_user_token.jwks_uri": "https://<SAPIAS tenant FQDN>/oauth2/certs",
  "tokenServiceUser": "QUOVADIS_A4H",
  "tokenServiceURL": "http://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001",
  "assertionRecipient": "https://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001",
  "tokenServicePassword": "<tokenServicePassword>",
  "clientKey": "QUOVADIS_A4H",
  "KeyStoreLocation": "quovadis_ateam-isveng.p12",
  "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "CloudConnectorLocationId": "vhcala4hci",
  "userIdSource": "sub"
}

Task 3. Find destination.

{
  "owner": {
    "SubaccountId": "<SubaccountId>",
    "InstanceId": null
  },
  "destinationConfiguration": {
    "Name": "QUOVADIS_A4H-JWT",
    "Type": "HTTP",
    "URL": "http://vhcala4hci:50001/sap/opu/odata/sap/EPM_REF_APPS_SHOP_SRV/Products/?sap-client=001",
    "Authentication": "OAuth2SAMLBearerAssertion",
    "ProxyType": "OnPremise",
    "KeyStorePassword": "<KeyStorePassword>",
    "tokenServiceURLType": "Dedicated",
    "audience": "A4H_001",
    "Description": "QUOVADIS_A4H-JWT",
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:x509",
    "x_user_token.jwks_uri": "https://<SAPIAS tenant FQDN>/oauth2/certs",
    "tokenServiceUser": "QUOVADIS_A4H",
    "tokenServiceURL": "http://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001",
    "assertionRecipient": "https://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001",
    "tokenServicePassword": "<tokenServicePassword>",
    "clientKey": "QUOVADIS_A4H",
    "KeyStoreLocation": "quovadis_ateam-isveng.p12",
    "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "CloudConnectorLocationId": "vhcala4hci",
    "userIdSource": "sub"
  },
  "certificates": [
    {
      "Name": "quovadis_ateam-isveng.p12",
      "Content": "<Content>",
      "Type": "CERTIFICATE"
    }
  ],
  "authTokens": [
    {
      "type": "Bearer",
      "value": "AkKsEQACHuyopQNNf3uPK2N2aXE-CPAQFxQ7e7tWUx123456",
      "http_header": {
        "key": "Authorization",
        "value": "Bearer AkKsEQACHuyopQNNf3uPK2N2aXE-CPAQFxQ7e7tWUx123456"
      },
      "expires_in": "3600",
      "scope": "EPM_OIA_L_1_SRV_01_0001 EPM_OIA_L_SRV_0001 EPM_VP_L_SRV_0001 SAP_BW_INA_GETSERVERINFO_HTTP ZEPM_REF_APPS_PO_APV_SRV_0001 ZEPM_REF_APPS_PROD_MAN_SRV_0001 ZEPM_REF_APPS_SHOP_SRV_0001 Z_BIND_FLIGHT_R_0001 Z_BIND_TRAVEL_U_0001"
    }
  ]
}

Troubleshooting

Destination service SAML Assertion:

  • it is fairly easy to troubleshoot the SAML assertion that is generated internally by the above find destination call: change "Authentication": "OAuth2SAMLBearerAssertion" into "Authentication": "SAMLAssertion" and the find destination response then returns the assertion itself as the auth token:
{
  "owner": {
    "SubaccountId": "afbac4de-9d13-4ef5-b480-f1d80ccb9ad4",
    "InstanceId": null
  },
  "destinationConfiguration": {
    "Name": "QUOVADIS_A4H-JWT-SAML",
    "Type": "HTTP",
    "URL": "http://vhcala4hci:50001/sap/opu/odata/sap/EPM_REF_APPS_SHOP_SRV/Products/?sap-client=001",
    "Authentication": "SAMLAssertion",
    "ProxyType": "OnPremise",
    "KeyStorePassword": "<KeyStorePassword>",
    "tokenServiceURLType": "Dedicated",
    "audience": "A4H_001",
    "Description": "QUOVADIS_A4H-JWT-SAML",
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:x509",
    "x_user_token.jwks_uri": "https://<SAPIAS FQDN>/oauth2/certs",
    "tokenServiceUser": "QUOVADIS_A4H",
    "tokenServiceURL": "http://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001",
    "assertionRecipient": "https://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001",
    "tokenServicePassword": "&zWCk>fJkeJtMpqo>2/4F/SHf>r&JoeK#u<Fois9",
    "clientKey": "QUOVADIS_A4H",
    "KeyStoreLocation": "quovadis_ateam-isveng.p12",
    "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "CloudConnectorLocationId": "vhcala4hci",
    "userIdSource": "sub"
  },
  "certificates": [
    {
      "Name": "quovadis_ateam-isveng.p12",
      "Content": "MIIQeAIBAzCCEDIGCSqGSIb3DQEHAaCCECME.........=",
      "Type": "CERTIFICATE"
    }
  ],
  "authTokens": [
    {
      "type": "SAML2.0",
      "value": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiP.....+",
      "http_header": {
        "key": "Authorization",
        "value": "SAML2.0 PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiP......+"
      }
    }
  ]
}
 

S/4HANA OP Trace Analyzer

Step of user QUOVADIS_A4H, session 1 , step 1
H HTTPS> [1] Client/User specified trace activated (level: 3, path /sap/bc/sec/oauth2/token, request path: /sap/bc/sec/oauth2/token
H -----> Registerd path : :b=:l=3:v=/sap/bc/sec/oauth2/token:c=001:u=
H -----> Server name : vhcala4hci
H -----> ThExtDebuggingPossible : Y
H -----> Login : N
H -----> CallerIP : 
H -----> Action : 1
H -----> Protocol : 2
H -----> Statistic : 0
H -----> Trace : 0
H -----> ContextID : SID:ANON:vhcala4hci_A4H_...-ATT
H -----> KernelVersion : 2
H -----> ABAPVersion : 1
H -----> CPoolingActive : 0 (type: 0)
H -----> AcceptSSO2Ticket : 1
H -----> VirtualServer : 0
H -----> CertificateAvailable : 0
H -----> AcceptRemoteTraceLevel : 1
H -----> AcceptRemoteProfileLevel: 0
H -----> AcceptRemoteRecorderLevel: 1
H -----> IcfOptions :
H -----> InstanceID : vhcala4hci_A4H_00
H -----> Logon RC : 0
H

{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTPS> [1] ab_HttpRequestHandler: pooled context type 0 (role=2, action=1, handle=0, protocol=2)
H

{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTP> System_Call_Http: T (syrepid: CL_HTTP_SERVER_NET============CP )
H HTTP> HTTP Application> [Info]; Starting of: System Login Execution for initial/expired Passwords
H HTTP> System_Call_Http: z (syrepid: SAPLHTTP_RUNTIME )
N OAUTH2: Tracer started. TL: 3, WPNO: **
N OAUTH2: Entering CL_OAUTH2_S_TOKEN_ENDPOINT->HANDLE_REQUEST
N OAUTH2: Start time: 20220202102254.2458640
N Wed Feb 2 10:22:54:246 2022
N OAUTH2: Identified GRANT_TYPE grant_type: urn:ietf:params:oauth:grant-type:saml2-bearer
N OAUTH2: Entering CL_OAUTH2_S_PROT_SAML2=>IF_OAUTH2_S_PROTOCOL~ACCESS_TOKEN_REQUEST
N OAUTH2: Entering CL_OAUTH2_S_PROT_SAML2=>READ_REQUEST_PARAMETERS
N OAUTH2: assertion:
N OAUTH2: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2Fz
N OAUTH2: ................... truncated.......................................
N OAUTH2: MTRuIyI+PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1j
N Wed Feb 2 10:22:54:248 2022
N OAUTH2: MTRuIyIgUHJlZml4TGlzdD0ieHNkIi8+PC9kczpUcmFuc2Zvcm0+CjwvZHM6VHJhbnNmb3Jtcz4KPGRzOkRpZ2VzdE1ldGhvZCBB
N OAUTH2: ................... truncated.......................................
N OAUTH2: dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj4=
N OAUTH2: client_id: QUOVADIS_A4H
N OAUTH2: Parameter "scope" was not sent by the client.
N OAUTH2: Exiting CL_OAUTH2_S_PROT_SAML2=>READ_REQUEST_PARAMETERS
N OAUTH2: HANDLE_CLIENT_ID_ALIAS - Received parameter Client ID: QUOVADIS_A4H
N OAUTH2: HANDLE_CLIENT_ID_ALIAS - Derived Client ID username: QUOVADIS_A4H
N OAUTH2: >> CL_OAUTH2_S_TOKEN_ENDPOINT=>CHECK_AUTHENTICATION_ICF
N OAUTH2: Entering CL_OAUTH2_S_TOKEN_ENDPOINT=>CERTIFICATE_AVAILABLE
H HTTP> System_Call_Http: c (syrepid: CL_HTTP_SERVER================CP )
H HTTP> HttpExists: yes (HttpInfo: 1)
H SslCertificate (certificate_available: FALSE)
N OAUTH2: Exiting CL_OAUTH2_S_TOKEN_ENDPOINT=>CERTIFICATE_AVAILABLE
N OAUTH2: Certificate available?:
N OAUTH2: << CL_OAUTH2_S_TOKEN_ENDPOINT=>CHECK_AUTHENTICATION_ICF
N OAUTH2: >> CL_OAUTH2_S_TOKEN_ENDPOINT=>CHECK_AUTHENTICATION_CLIENT
N Wed Feb 2 10:22:54:269 2022
N OAUTH2: << CL_OAUTH2_S_TOKEN_ENDPOINT=>CHECK_AUTHENTICATION_CLIENT
N OAUTH2: Parameter scope may be omitted in access token request: X
N OAUTH2: Entering CL_OAUTH2_S_PROT_SAML2=>BASE64URL_DECODE.
N ==> krn_Base64_Decode()
N <== krn_Base64_Decode()==0 (SSF_KRN_OK)
N OAUTH2: Exiting CL_OAUTH2_S_PROT_SAML2=>BASE64URL_DECODE.
N OAUTH2: >> CL_OAUTH2_S_PROT_SAML2=>VALIDATE_BEARER_OAUTH
N OAUTH2: Entering CL_OAUTH2_S_CLIENT=>GET_SAML_OAUTH_IDP
N OAUTH2: Requesting er_saml_oauth_idp object
N OAUTH2: Client IDP: 0242AC1100021EDBBC8C386D80DCA55A
N OAUTH2: Exiting CL_OAUTH2_S_CLIENT=>GET_SAML_OAUTH_IDP
N OAUTH2: IDP Key: 0242AC1100021EDBBC8C386D80DCA55A
N OAUTH2: IDP Name: quovadis/ateam-isveng
N SAML20 SP (client 001): Raw XML message:
N <?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="c94c0171-89ae-45
N <ds:SignedInfo>
N <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
N <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
N <ds:Reference URI="#c94c0171-89ae-450d-aabe-f3960d2ddb15">
N <ds:Transforms>
N <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
N <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml
N </ds:Transforms>
N <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
N <ds:DigestValue>eOZnjMKHdUZZyRqw9TNULNDD/aykJKaShhKQk/ASF18=</ds:DigestValue>
N </ds:Reference>
N </ds:SignedInfo>
N <ds:SignatureValue>
N BEwiqMULa3g14ZV2NLHeTzCx+duZqRJS9vYYKiHO3uzdWlR654tFb9/IuCN1EtSoyf6Krt/XmKd+
................... truncated.......................................
N q502onI919GKLYVE+ETN30QkVrolkJVN0PSGWdSYy+KtO0o1wlTMvpSYVZdLzRNL9b+3vGyhQ2Y=
N </ds:SignatureValue>
N </ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml2:NameID><s
N SAML20 SP (client 001):
N SAML20 <?xml version="1.0" encoding="utf-8"?>
N SAML20 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
N SAML20 ID="c94c0171-89ae-450d-aabe-f3960d2ddb15"
N SAML20 IssueInstant="2022-02-02T10:22:52.671Z"
N SAML20 Version="2.0"
N SAML20 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
N SAML20 <saml2:Issuer>quovadis/ateam-isveng</saml2:Issuer>
N SAML20 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
N SAML20 <ds:SignedInfo>
N SAML20 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
N SAML20 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
N SAML20 <ds:Reference URI="#c94c0171-89ae-450d-aabe-f3960d2ddb15">
N SAML20 <ds:Transforms>
N SAML20 <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
N SAML20 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
N SAML20
N SAML20 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
N SAML20 PrefixList="xsd" />
N SAML20 </ds:Transform>
N SAML20 </ds:Transforms>
N SAML20 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
N SAML20 <ds:DigestValue>
N SAML20 eOZnjMKHdUZZyRqw9TNULNDD/aykJKaShhKQk/ASF18=</ds:DigestValue>
N SAML20 </ds:Reference>
N SAML20 </ds:SignedInfo>
N SAML20 <ds:SignatureValue>
N SAML20 BEwiqMULa3g14ZV2NLHeTzCx+duZqRJS9vYYKiHO3uzdWlR654tFb9/IuCN1EtSoyf6Krt/XmKd+
................... truncated.......................................
N SAML20 q502onI919GKLYVE+ETN30QkVrolkJVN0PSGWdSYy+KtO0o1wlTMvpSYVZdLzRNL9b+3vGyhQ2Y=</ds:SignatureValue>
N SAML20 </ds:Signature>
N SAML20 <saml2:Subject>
N SAML20 <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
N SAML20 </saml2:NameID>
N SAML20 <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
N SAML20
N SAML20 <saml2:SubjectConfirmationData NotOnOrAfter="2022-02-02T11:22:52.671Z"
N SAML20 Recipient="http://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001" />
N SAML20 </saml2:SubjectConfirmation>
N SAML20 </saml2:Subject>
N SAML20 <saml2:Conditions NotBefore="2022-02-02T09:22:52.671Z"
N SAML20 NotOnOrAfter="2022-02-02T11:22:52.671Z">
N SAML20 <saml2:AudienceRestriction>
N SAML20 <saml2:Audience>A4H_001</saml2:Audience>
N SAML20 </saml2:AudienceRestriction>
N SAML20 </saml2:Conditions>
N SAML20 <saml2:AuthnStatement AuthnInstant="2022-02-02T10:22:52.671Z">
N SAML20 <saml2:AuthnContext>
N SAML20 <saml2:AuthnContextClassRef>
N SAML20 urn:oasis:names:tc:SAML:2.0:ac:classes:x509</saml2:AuthnContextClassRef>
N SAML20 </saml2:AuthnContext>
N SAML20 </saml2:AuthnStatement>
N SAML20 <saml2:AttributeStatement>
N SAML20 <saml2:Attribute Name="client_id">
N SAML20 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
N SAML20 xsi:type="xsd:string">
N SAML20 QUOVADIS_A4H</saml2:AttributeValue>
N SAML20 </saml2:Attribute>
N SAML20 </saml2:AttributeStatement>
N SAML20 </saml2:Assertion>
N SAML20
N SAML20 SP (client 001): Transformation: SAML2_ASSERTION was executed successfully.
N SAML20 SP (client 001): Received assertion is initially signed
N SAML20 SP (client 001): >> CL_SAML20_OAUTH_ASSERTION->VALIDATE_CONDITIONS
N SAML20 SP (client 001): Local entity: A4H_001
N SAML20 SP (client 001): Validating assertion conditions
N clock skew = 120
N entity name = A4H_001
N NotBefore = 20220202092252
N NotOnOrAfter = 20220202112252
N SAML20 SP (client 001): Raw XML message:
N <?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="c94c0171-89ae-45
N <ds:SignedInfo>
N <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
N <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
N <ds:Reference URI="#c94c0171-89ae-450d-aabe-f3960d2ddb15">
N <ds:Transforms>
N <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
N <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml
N </ds:Transforms>
N <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
N <ds:DigestValue>eOZnjMKHdUZZyRqw9TNULNDD/aykJKaShhKQk/ASF18=</ds:DigestValue>
N </ds:Reference>
N </ds:SignedInfo>
N <ds:SignatureValue>
N BEwiqMULa3g14ZV2NLHeTzCx+duZqRJS9vYYKiHO3uzdWlR654tFb9/IuCN1EtSoyf6Krt/XmKd+
................... truncated.......................................
N q502onI919GKLYVE+ETN30QkVrolkJVN0PSGWdSYy+KtO0o1wlTMvpSYVZdLzRNL9b+3vGyhQ2Y=
N </ds:SignatureValue>
N </ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml2:NameID><s
N SAML20 SP (client 001): Transformation: SAML2_AUDIENCE_RESTRICTION was executed successfully.
N SAML20 SP (client 001):
N SAML20 <saml2:AudienceRestriction xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
N SAML20
N SAML20 <saml2:Audience>A4H_001</saml2:Audience>
N SAML20 </saml2:AudienceRestriction>
N SAML20
N SAML20 SP (client 001): << CL_SAML20_OAUTH_ASSERTION->VALIDATE_CONDITIONS
N SAML20 SP (client 001): Validating subject confirmation
N method = urn:oasis:names:tc:SAML:2.0:cm:bearer
N NotBefore = 0
N NotOnOrAfter = 20220202112252
N expected method = urn:oasis:names:tc:SAML:2.0:cm:bearer
N clock skew = 120
N max token validity = 0
N SAML20 SP (client 001): Target client of assertion recipient url 001
N SAML20 SP (client 001): Checking recipient URL in a bearer assertion.
N Recipient from the assertion is: http://vhcala4hci:50001/sap/bc/sec/oauth2/token
N Requested recipient is: https://vhcala4hci:50001/sap/bc/sec/oauth2/token
N OAUTH2: Previous error messages:
N OAUTH2: Attribute 'Recipient' of element 'SubjectConfirmationData' is invalid
N OAUTH2: Source position: CL_SAML20_OAUTH_ASSERTION=====CM006 56
N OAUTH2: Error! CX_OAUTH2_EXCEPTION thrown, time: 20220202 102254
N OAUTH2: Error Text: Provided authorization grant is invalid. Exception was Attribute 'Recipient' of element 'SubjectConf
N OAUTH2: irmationData' is invalid. For more information, consult the kernel traces or the OAuth 2.0 trouble s
N OAUTH2: hooting SAP note 1688545
N OAUTH2: HTTP Status Code: 400
N OAUTH2: error_description: Provided authorization grant is invalid. Exception was Attribute 'Recipient' of element 'SubjectConfir
N OAUTH2: error: invalid_grant
N OAUTH2:
N OAUTH2: Add. Detail: Error during SAML2 validation.
N OAUTH2: Call Stack: CX_OAUTH2_EXCEPTION===========CM003 68, METHOD CREATE
N OAUTH2: CX_OAUTH2_EXCEPTION===========CM005 7, METHOD CREATE_AND_RAISE
N OAUTH2: CL_OAUTH2_S_PROT_SAML2========CM006 205, METHOD VALIDATE_BEARER_OAUTH
N OAUTH2: CL_OAUTH2_S_PROT_SAML2========CM002 111, METHOD IF_OAUTH2_S_PROTOCOL~ACCESS_TOKEN_REQUEST
N OAUTH2: CL_OAUTH2_S_TOKEN_ENDPOINT====CM001 126, METHOD IF_HTTP_EXTENSION~HANDLE_REQUEST
N OAUTH2: CL_HTTP_SERVER================CM00I 808, METHOD EXECUTE_REQUEST
N OAUTH2: LHTTP_RUNTIMEU02 1575, FUNCTION HTTP_DISPATCH_REQUEST
N OAUTH2: SAPMHTTP 12, MODULE (PBO) %_HTTP_START
N OAUTH2:
N OAUTH2: Prev. Ex. Text: Attribute 'Recipient' of element 'SubjectConfirmationData' is invalid
N OAUTH2: Prev. Source Position.: CL_SAML20_OAUTH_ASSERTION=====CM006 56
N OAUTH2: Error response returned to ICF framework.
N OAUTH2: End time: 20220202102254.3861410
N OAUTH2: Exiting CL_OAUTH2_S_TOKEN_ENDPOINT->HANDLE_REQUEST
H HTTP> System_Call_Http: T (syrepid: CL_ICF_SYSTEM_LOGIN===========CP )
H HTTP> Certificate service active ( icm/HTTPS/verify_client GE 1)
H HTTP> System_Call_Http: T (syrepid: CL_ICF_SYSTEM_LOGIN===========CP )
H HTTP> GET_SYSTEM_LANGUAGE: system language set to E
H HTTP> System_Call_Http: T (syrepid: CL_ICF_SYSTEM_LOGIN===========CP )
H HTTP> GET_SYSTEM_LANGUAGE: second language set to D
H HTTPS> [1] Http_InitKeepContext: 0
H

{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTP> ab_HttpProcess: LogonMethod 1
H HTTP> SendAndReturn: EventHandlerExist 0
H Wed Feb 2 10:22:54:422 2022
H HTTPS> [1] ab_HttpSendAndReturn (name: Me, roll_context: 1, keep_context: 0, itsContext: 0)
H

{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTPS> [1] ab_HttpSendAndReturn: PfGetDialogStep returned 0.
H

{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTP> SetHttpWriteBusyForImc: state for IMC 0x02
H HTTPS> [1] ab_HttpWrite
H (data: NULL, message: 0x67867AE8, SendAndClose: 0)
H

{0242AC1100021EDCA18242A1EFACD8A5}_{0242AC1100021EDCA18242A1EFACF8A5}_1-
H {0242AC1100021EDCA18242A1EFACD8A5}
_{ }_0-
H HTTP> IcfSetDTHeaderFields: set sap-icm-log-dtrace returned 0.
H HTTP> IcfExtLoggingHeaderFields: set sap-icm-log-uname returned 0.
H HTTP> IcfExtLoggingHeaderFields: set sap-icm-log-mandt returned 0.
H HTTP> IsFrontEndStatActive: Front End Statistic is on.
H HTTP> IcfSendServerTimeToFrontEnd: set server time for front end: 431932.000000
H HTTP> IcfSendServerTimeToFrontEnd: set SAP-Perf-FESRec returned 0.
H HTTP> IcfSendServerTimeToFrontEnd needs 148.000000 microsecs.
H HTTP> SetHttpWriteFreeForImc: state for IMC 0x00
H HTTPS> [1] ab_HttpSendAndReturn (ReqRefCount: 2)
H

.................. truncated.........................
End of step for user QUOVADIS_A4H, session 1 , step 1
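The trace above records the checks the S/4HANA token endpoint applies to the SAML 2.0 bearer assertion: the Conditions window with a 120 s clock skew, the AudienceRestriction against the local entity A4H_001, the bearer SubjectConfirmation method, and an exact Recipient comparison, which is the one that fails (http:// in the assertion versus https:// requested). As an added example, not SAP's code and not part of the gist, the validator below replays those checks on the values printed in the trace so the invalid_grant can be reproduced and the corrected Recipient verified offline; the field names of the constructed TRACE_ASSERTION and TRACE_SP objects are this example's own.

```javascript
// Added example, not the gist's code: replays the bearer-assertion checks the
// trace shows. Values are copied from the trace; the validator logic is this
// example's own and assumes nothing about SAP's implementation beyond the trace.

const CLOCK_SKEW_SECONDS = 120; // "clock skew = 120" in the trace
const BEARER_METHOD = 'urn:oasis:names:tc:SAML:2.0:cm:bearer';

// Fields of the failing assertion, as printed in the trace (constructed object).
const TRACE_ASSERTION = {
  notBefore: '2022-02-02T09:22:52.671Z',
  notOnOrAfter: '2022-02-02T11:22:52.671Z',
  audience: 'A4H_001',
  subjectConfirmationMethod: BEARER_METHOD,
  subjectNotOnOrAfter: '2022-02-02T11:22:52.671Z',
  recipient: 'http://vhcala4hci:50001/sap/bc/sec/oauth2/token?sap-client=001',
};

// What the service-provider side expects: its local entity and the URL the
// token request actually arrived on ("Requested recipient" in the trace).
const TRACE_SP = {
  localEntity: 'A4H_001',
  requestedRecipient: 'https://vhcala4hci:50001/sap/bc/sec/oauth2/token',
};

// The trace compares Recipient URLs without their query string.
function stripQuery(url) {
  return url.split('?')[0];
}

// Returns the list of validation errors; an empty list means the assertion
// would be accepted. `now` is injectable so the trace timestamp can be replayed.
function validateBearerAssertion(assertion, sp, now = new Date()) {
  const errors = [];
  const skewMs = CLOCK_SKEW_SECONDS * 1000;
  const t = now.getTime();

  // <saml2:Conditions NotBefore=... NotOnOrAfter=...>, skew applied both ways
  const nb = Date.parse(assertion.notBefore);
  const noa = Date.parse(assertion.notOnOrAfter);
  if (Number.isNaN(nb) || Number.isNaN(noa)) {
    errors.push('Conditions timestamps are not parsable');
  } else {
    if (t < nb - skewMs) errors.push('assertion not yet valid (NotBefore)');
    if (t >= noa + skewMs) errors.push('assertion expired (NotOnOrAfter)');
  }

  // <saml2:AudienceRestriction> must name the local entity
  if (assertion.audience !== sp.localEntity) {
    errors.push(`audience ${assertion.audience} does not match local entity ${sp.localEntity}`);
  }

  // <saml2:SubjectConfirmation Method=...> must be bearer and still valid
  if (assertion.subjectConfirmationMethod !== BEARER_METHOD) {
    errors.push('subject confirmation method is not bearer');
  }
  const snoa = Date.parse(assertion.subjectNotOnOrAfter);
  if (!Number.isNaN(snoa) && t >= snoa + skewMs) {
    errors.push('SubjectConfirmationData expired (NotOnOrAfter)');
  }

  // Recipient must equal the URL the request arrived on, scheme included.
  if (stripQuery(assertion.recipient) !== stripQuery(sp.requestedRecipient)) {
    errors.push("Attribute 'Recipient' of element 'SubjectConfirmationData' is invalid");
  }
  return errors;
}

// Replay at the trace's request time (2022-02-02 10:22:54 UTC).
const traceTime = new Date('2022-02-02T10:22:54Z');
console.log(validateBearerAssertion(TRACE_ASSERTION, TRACE_SP, traceTime));
```

With the trace's values the only error is the Recipient one; setting the assertion's Recipient to the https:// token endpoint (what assertionRecipient in the destination does) makes the same assertion pass, and replaying a few minutes after NotOnOrAfter plus skew shows the expiry checks firing instead.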


 

Cloud Connector:

Connection issues with SAP BTP. The most frequent tunnelling issues:

Suddenly the connection to a subaccount fails with a 401 response code

The subaccount client certificate has expired and has to be updated; see "Update the Certificate for a Subaccount" and SAP KBA 2837206 - Cloud Connector suddenly stops working and the error "Invalid status of handshake response: 401 Unauthorized" is thrown.

Cloud Connector frequently reconnects to SAP BTP

In Cloud Connector log, a similar entry can be seen:

#INFO#com.sap.core.connectivity.tunnel.client.reconnect.ReconnectScheduler#notificationclient-3-2#       #Reconnect attempt

See SAP KBA 2498531 - Load balanced HTTPS proxy server for SAP Cloud Connector.

Firewall, IP address change

The Cloud Connector needs access to the connectivitynotification, connectivitycertsigning and connectivitytunnel servers in the configured regions.

When the IP address has changed and the company firewall blocks the new IP address, an entry similar to the following is logged in the Cloud Connector log file:

#ERROR#com.sap.scc.rt#http-bio-8443-exec-6# #Tunnel Connect Failed io.netty.channel.ConnectTimeoutException: connection timed out: connectivitynotification.ap1.hana.ondemand.com/157.133.97.47:443

or

Caused by: java.net.UnknownHostException: connectivitycertsigning.ap1.hana.ondemand.com: Name or service not known

The IP addresses are listed in the Cloud Connector online help under Prerequisites: Network; IP changes are announced on https://sapcp.statuspage.io.

Sporadic tunnel reset

The Cloud Connector tunnel TCP connection is sometimes reset, and the Cloud Connector log contains entries similar to:

ERROR#com.sap.core.connectivity.tunnel.client.notification.NotificationClient#notification-client-3-1 Unable to handshake with notification server connectivitynotification.hana.ondemand.com:443 java.io.IOException: Connection reset by peer

This issue occurs when a firewall or some other network entity resets the TCP connection. The Cloud Connector automatically re-establishes the connection.

Related SAP KBAs:

  • 2460641 - Adding subaccount to SAP Cloud Connector fails due to network issues
  • 2571763 - Authorization problem in SAP Cloud Connector when adding Cloud Foundry subaccount
  • 2377425 - What ports need to be open in a firewall for connection with SAP Cloud Connector and what IP Addresses at SAP does it connect to?
  • 2496689 - 500 Host ap1.hana.ondemand.com unknown (check your network and proxy settings) message in SAP Cloud Connector. The list of the latest IP addresses of all regions is available on the SAP Help Portal.
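The Cloud Connector log lines quoted in these notes are distinctive enough to be matched by a log pipeline, so each tunnelling problem can be tagged and pointed at the KBA the notes cite. As an added example, not code from the gist or from SAP, the classifier below does that over a constructed excerpt assembled from the quoted lines; the category names, the reconnect threshold and the action texts are this example's own choices, and the KBA mapping follows the notes above, nothing more.

```javascript
// Added example, not part of the gist: classify Cloud Connector log lines into
// the tunnelling problems described in the notes. Category names, threshold
// and action texts are this example's assumptions; KBA numbers are the ones
// the notes cite.

const RULES = [
  {
    category: 'subaccount-certificate-expired',
    pattern: /Invalid status of handshake response: 401 Unauthorized/,
    kba: '2837206',
    action: 'renew the subaccount client certificate',
  },
  {
    category: 'frequent-reconnect',
    pattern: /ReconnectScheduler#.*#Reconnect attempt/,
    kba: '2498531',
    action: 'check the load-balanced HTTPS proxy in front of the Cloud Connector',
  },
  {
    category: 'firewall-or-ip-change',
    pattern: /ConnectTimeoutException|UnknownHostException/,
    kba: '2377425, 2496689',
    action: 'verify firewall rules against the current SAP IP addresses',
  },
  {
    category: 'sporadic-tunnel-reset',
    pattern: /Connection reset by peer/,
    kba: null,
    action: 'a network device resets the TCP tunnel; the Cloud Connector reconnects on its own',
  },
];

// Classifies one log line; returns the matching rule or null.
function classifyLine(line) {
  return RULES.find((r) => r.pattern.test(line)) || null;
}

// Counts matched lines per category. A single reconnect attempt is normal;
// only a burst of at least `reconnectThreshold` (assumed value) is flagged.
function summarizeLog(lines, reconnectThreshold = 3) {
  const counts = {};
  const unmatched = [];
  for (const line of lines) {
    const rule = classifyLine(line);
    if (!rule) {
      unmatched.push(line);
      continue;
    }
    counts[rule.category] = (counts[rule.category] || 0) + 1;
  }
  const flagged = Object.keys(counts).filter(
    (c) => c !== 'frequent-reconnect' || counts[c] >= reconnectThreshold,
  );
  return { counts, flagged, unmatched };
}

// Constructed log excerpt assembled from the lines quoted in the notes, plus
// one harmless constructed line that matches no rule.
const SAMPLE_LOG = [
  '#INFO#com.sap.core.connectivity.tunnel.client.reconnect.ReconnectScheduler#notificationclient-3-2#       #Reconnect attempt',
  '#INFO#com.sap.core.connectivity.tunnel.client.reconnect.ReconnectScheduler#notificationclient-3-2#       #Reconnect attempt',
  '#ERROR#com.sap.scc.rt#http-bio-8443-exec-6# #Tunnel Connect Failed io.netty.channel.ConnectTimeoutException: connection timed out: connectivitynotification.ap1.hana.ondemand.com/157.133.97.47:443',
  'Caused by: java.net.UnknownHostException: connectivitycertsigning.ap1.hana.ondemand.com: Name or service not known',
  'ERROR#com.sap.core.connectivity.tunnel.client.notification.NotificationClient#notification-client-3-1 Unable to handshake with notification server connectivitynotification.hana.ondemand.com:443 java.io.IOException: Connection reset by peer',
  'Invalid status of handshake response: 401 Unauthorized',
  '#INFO#com.sap.scc.rt#main# #Cloud Connector started',
];

console.log(summarizeLog(SAMPLE_LOG));
```

Feed the function the ljs_trace or scc_core log lines as an array; two reconnect attempts stay below the default threshold and are not flagged, while the 401 handshake, the timeout/unknown-host pair and the connection reset each surface with their KBA.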