Troubleshooting WebIDE connection error to on premise ABAP system
Assume that you use SAP WebIDE for developing an application and that you have to consume an OData service from an on-premise NetWeaver ABAP system. In SCP, the destination is configured, and SAP Cloud Connector is working. For principal propagation, X.509 is used.
When you select the OData service in the WebIDE wizard, an error is shown. As you can see, the error is very specific in allowing a wide range of possibilities. As the destination is working (verify via ping in the destination settings), check the ICM log for more information.
The error can be caused by several components in the stack. As the setup is: SSO with SCC and X.509 to ICM, check first the SCP and SCC. Then start looking at SCC to ICM. As the error is “undefined undefined”, it should be a problem that SAP did not map, e.g. an error between SCC and ICM. Most probably the SSO with X.509 is failing.
SAPCC -> ICM
To find the error, let’s check first if SAP CC can connect to ICM. The SAP CC client certificate and both the intermediate CA and root CA certificate are validated.
Validation succeeded: SAP CC is allowed to connect to ICM.
User certificate -> ICM
Next step is to read and validate the client certificate of the user. Request to OData service:
The client certificate issued to the SCP user by SAP CC is read from the HTTP header.
The validation of the X.509 certificate fails.
Certificate is not trusted.
The cause why the client certificate is rejected can be found just above the GET request to the OData URL.
Root cause of the error:
no trust relationship to intermediary specified
The error message includes how to fix the problem: “icm/HTTPS/trust_client_with_issuer” or “icm/trusted_reverse_proxy”. For how to configure NW ABAP ICM for this, see my blog X.509 troubleshooting – Send X.509 Certificate in HTTP Header.
When NW ABAP is configured to accept the certificates send by SAP CC, the connection can be accessed from WebIDE and SCP without error and with SSO.