Troubleshooting WebIDE connection error to on premise ABAP system

Published by Tobias Hofmann on

4 min read

Assume that you use SAP WebIDE for developing an application and that you have to consume an OData service from an on-premise NetWeaver ABAP system. In SCP, the destination is configured, and SAP Cloud Connector is working. For principal propagation, X.509 is used.

Problem

When you select the OData service in the WebIDE wizard, an error is shown. As you can see, the error is very specific in allowing a wide range of possibilities. As the destination is working (verify via ping in the destination settings), check the ICM log for more information.

Error

The error can be caused by several components in the stack. As the setup is: SSO with SCC and X.509 to ICM, check first the SCP and SCC. Then start looking at SCC to ICM. As the error is “undefined undefined”, it should be a problem that SAP did not map, e.g. an error between SCC and ICM. Most probably the SSO with X.509 is failing.

SAPCC -> ICM

To find the error, let’s check first if SAP CC can connect to ICM. The SAP CC client certificate and both the intermediate CA and root CA certificate are validated.

Validation succeeded: SAP CC is allowed to connect to ICM.

User certificate -> ICM

Next step is to read and validate the client certificate of the user. Request to OData service:

The client certificate issued to the SCP user by SAP CC is read from the HTTP header.

The validation of the X.509 certificate fails.

Certificate is not trusted.

The cause why the client certificate is rejected can be found just above the GET request to the OData URL.

Root cause of the error:

no trust relationship to intermediary specified

Solution

The error message includes how to fix the problem: “icm/HTTPS/trust_client_with_issuer” or “icm/trusted_reverse_proxy”. For how to configure NW ABAP ICM for this, see my blog X.509 troubleshooting – Send X.509 Certificate in HTTP Header.

Test

When NW ABAP is configured to accept the certificates send by SAP CC, the connection can be accessed from WebIDE and SCP without error and with SSO.

Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.