HCI/ECC connection issue with reverse proxy

Hi,

we are struggling to set up the connection from C4C to ECC using a reverse proxy (apache).

Thank you for any help!

Best Regards

Florian

Our apache config is as follows:

<VirtualHost *:443>
  ServerName customer.reverseproxy.com

  SSLEngine             On
  SSLProxyEngine        On

  ErrorLog              /var/www/customer/log/error.log
  CustomLog             /var/www/customer/log/access.log "common"
  # TransferLog  "<Apache_home>/logs/access.log"

  # Official SSL Certificate for customer.reverseproxy.com
  SSLCertificateFile    "/etc/apache2/ssl/customer/customer_cert.pem"
  SSLCertificateKeyFile "/etc/apache2/ssl/customer/customer_key_np.pem"
  SSLCACertificateFile  "/etc/apache2/ssl/customer/SSL123_CA_Bundle.pem"

  # SSLCertificateChainFile "<Apache_home>/conf/proxy-server-ca.crt"   # activate the client certificate authentication
  # SSLCertificateChainFile "/etc/apache2/ssl/customer/SAP-CA.crt"

  # Signing CA's for SAP client certificate (Baltimore CyberTrust Root & Verizon Public SureServer CA G14-SHA2 + more)
  SSLCertificateChainFile "/etc/apache2/ssl/customer/SAPClientCA.pem"
  SSLVerifyClient require
  SSLVerifyDepth  10
  SSLOptions +ExportCertData +StdEnvVars

  # CA's from SAP and customer for backend connections between Proxy and SAP system (Baltimore CyberTrust Root & Verizon Public SureServer CA G14-SHA2 + more)
  SSLProxyCACertificateFile "/etc/apache2/ssl/customer/SAP-CA.crt"
  # SSLProxyMachineCertificateFile <Apache_home>/conf/proxy-client.pem

  # initialize the special headers to a blank value to avoid http header forgeries
  RequestHeader set SSL_CLIENT_CERT ""

  <Location />
    # add SSL_CLIENT_CERT header to forward real client certificate
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

    ProxyPass        https://sap.internal.com:8300/
    ProxyPassReverse https://sap.internal.com:8300/
  </Location>
</VirtualHost>


On the HCI we get the following error:

Message Processing Log{

  ContextName         = com.sap.scenarios.cod2erp.customermaster.replicate

  IntermediateError   = true

  MessageGuid         = AFU2MVOblsS5yIwpSvYiCt7XnLaT

  Node                = vsaxxxxxx.od.sap.biz

  OverallStatus       = FAILED

  ReceiverId          = Q47_

  StartTime           = Tue Apr 21 11:15:31 UTC 2015

  StopTime            = Tue Apr 21 11:15:31 UTC 2015

  Children [

    Invoked endpoint{

      Cxf.EndpointAddress = https://HCI.intaas.hana.ondemand.com/cxf/COD/ERP/BP_MASTER_REPLICATION

      Error               = Inbound processing in endpoint at https://HCI.intaas.hana.ondemand.com/cxf/COD/ERP/BP_MASTER_REPLICATION failed with message "Sequential processing failed for number 0. Exchange[Message: [Body is not logged]]. Caused by: [org.apache.cxf.interceptor.Fault - Could not send Message.]", caused by "SunCertPathBuilderException:unable to find valid certification path to requested target"

      StartTime           = Tue Apr 21 11:15:31 UTC 2015

      Status              = FAILED

      StopTime            = Tue Apr 21 11:15:31 UTC 2015

      Children [

        Entering Camel route route52{

          StartTime           = Tue Apr 21 11:15:31 UTC 2015

          Children [

            Exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 created in Endpoint[cxf://bean:my308416_]{

              StartTime           = Tue Apr 21 11:15:31 UTC 2015

              Children [

                Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in ref:encodingProcessor{

                  StartTime           = Tue Apr 21 11:15:31 UTC 2015

                  StepId              = process151

                  StopTime            = Tue Apr 21 11:15:31 UTC 2015

                  Children [

                    Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in removeHeaders[*]{

                      StartTime           = Tue Apr 21 11:15:31 UTC 2015

                      StepId              = removeHeaders52

                      StopTime            = Tue Apr 21 11:15:31 UTC 2015

                      Children [

                        Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in setHeader[MessageId]{

                          StartTime           = Tue Apr 21 11:15:31 UTC 2015

                          StepId              = setHeader76

                          StopTime            = Tue Apr 21 11:15:31 UTC 2015

                          Children [

                            Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in sap-map-pi:COD_ERP_BusinessPartnerERPBulkReplicateRequest{

                              Sent To URI         = sap-map-pi://COD_ERP_BusinessPartnerERPBulkReplicateRequest

                              StartTime           = Tue Apr 21 11:15:31 UTC 2015

                              StepId              = CallActivity_1

                              StopTime            = Tue Apr 21 11:15:31 UTC 2015

                              Time Taken          = 11

                              Children [

                                Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in ref:idocOutboundRequest{

                                  StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                  StepId              = process152

                                  StopTime            = Tue Apr 21 11:15:31 UTC 2015

                                  com.sap.sod.utils.idoc.soap.messageid= 00163E0CB1A01EE4BA82F713C72AD65B

                                  Children [

                                    Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in split[bean{idocPackageSplitter, method=split}]{

                                      Error               = org.apache.camel.CamelExchangeException: Sequential processing failed for number 0. Exchange[Message: [Body is not logged]]. Caused by: [org.apache.cxf.interceptor.Fault - Could not send Message.], cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

                                      StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                      StepId              = CallActivity_2

                                      StopTime            = Tue Apr 21 11:15:31 UTC 2015

                                      Children [

                                        Successor Exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 created with reference to Exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38{

                                          StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                          StopTime            = Tue Apr 21 11:15:31 UTC 2015

                                          Children [

                                            Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in setHeader[SapIDocContentType]{

                                              StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                              StepId              = setHeader77

                                              StopTime            = Tue Apr 21 11:15:31 UTC 2015

                                              Children [

                                                Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in removeHeader[ssl_client_cert]{

                                                  StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                                  StepId              = removeHeader197

                                                  StopTime            = Tue Apr 21 11:15:31 UTC 2015

                                                  Children [

                                                    Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in removeHeader[ssl_client_user]{

                                                      StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                                      StepId              = removeHeader198

                                                      StopTime            = Tue Apr 21 11:15:31 UTC 2015

                                                      Children [

                                                        Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in removeHeader[operationName]{

                                                          StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                                          StepId              = removeHeader199

                                                          StopTime            = Tue Apr 21 11:15:31 UTC 2015

                                                          Children [

                                                            Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in removeHeader[operationNamespace]{

                                                              StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                                              StepId              = removeHeader200

                                                              StopTime            = Tue Apr 21 11:15:31 UTC 2015

                                                              Children [

                                                                Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in cxf:bean:Q47_{

                                                                  Error               = org.apache.cxf.interceptor.Fault: Could not send Message., cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

                                                                  Sent To URI         = cxf://bean:Q47_

                                                                  StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                                                  StepId              = MessageFlow_2

                                                                  StopTime            = Tue Apr 21 11:15:31 UTC 2015

                                                                  Time Taken          = 123

                                                                  Children [

                                                                    Sent message to endpoint{

                                                                      Cxf.EndpointAddress = https://customer.reverseproxy.com:443/sap/bc/srt/idoc?sap-client=310

                                                                      Error               = Outbound processing in endpoint at https://customer.reverseproxy.com:443/sap/bc/srt/idoc?sap-client=310 failed with message "Could not send Message.", caused by "SunCertPathBuilderException:unable to find valid certification path to requested target"

                                                                      StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                                                      Status              = FAILED

                                                                      StopTime            = Tue Apr 21 11:15:31 UTC 2015

                                                                   }

                                                                    Exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 failed{

                                                                      StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                                                      Status              = FAILED

                                        } ] } ] } ] } ] } ] } ] } ] }

                                        Exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 failed{

                                          StartTime           = Tue Apr 21 11:15:31 UTC 2015

                                          Status              = FAILED

                                          Children [

                                            Exiting Camel route route52{

                                              StartTime           = Tue Apr 21 11:15:31 UTC 2015

  } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ]

  ReceiverIds [

    Q47_

] }

replied

Hi Abinash,

thank you. In the meantime we got it working. The issue was parameters in the profile that were not set up properly.

We added the following, knowing that we have to restrict the "trust client" parameters.

icm/HTTPS/verify_client = 1

icm/HTTPS/trust_client_with_issuer = *

icm/HTTPS/trust_client_with_subject = *

Best Regards

Florian
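
An added example, not part of the original thread and not SAP tooling: a small Python check that parses an instance profile and flags wildcard values in the two trust_client_* parameters, which is the restriction the reply says is still outstanding. It assumes `*` matches any issuer or subject; the DNs in the restricted sample are constructed placeholders.

```python
import re

TRUST_KEYS = tuple("icm/HTTPS/trust_client_with_" + part
                   for part in ("issuer", "subject"))

# Constructed sample: the three profile lines quoted in the reply above.
AS_POSTED = """\
icm/HTTPS/verify_client = 1
icm/HTTPS/trust_client_with_issuer = *
icm/HTTPS/trust_client_with_subject = *
"""

# Constructed sample: placeholder DNs standing in for the reverse proxy's
# own client certificate (hypothetical values, not taken from the thread).
RESTRICTED = """\
# trust only the reverse proxy as intermediary
icm/HTTPS/verify_client = 1
icm/HTTPS/trust_client_with_issuer = CN=Example Issuing CA, O=Example, C=DE
icm/HTTPS/trust_client_with_subject = CN=proxy.example.invalid, O=Example, C=DE
"""

def parse_profile(text):
    """Parse 'name = value' lines; DN values keep their own '=' signs."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit_trust(params):
    """Return (parameter, finding) pairs for trust values with wildcards."""
    findings = []
    for key in TRUST_KEYS:
        value = params.get(key, "")
        # Assumption: a value made only of '*' matches any certificate DN.
        if re.fullmatch(r"[*\s]+", value):
            findings.append((key, "matches any certificate"))
        elif "*" in value:
            findings.append((key, "partial wildcard, review scope"))
    return findings

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("restricted", RESTRICTED)):
        print(name, audit_trust(parse_profile(text)))
```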
