Dear colleagues,
I have a question concerning Hana Cloud Connector again.
This time I want to propagate the identity of a user authenticated on HCP through the HCC towards an Apache server (i.e., a non-SAP system).
It looks like the Cloud Connector does not add the certificate to the backend request correctly, but I might be wrong. I attach the backend and HCC logs and hope somebody who is an HCC expert can give me a hint about what is going wrong.
Apache Log:
[Thu May 26 20:26:02.175391 2016] [ssl:info] [pid 57706] [client 127.0.0.1:47561] AH01964: Connection to child 3 established (server mo-xxxxxxxx.mo.sap.corp:443)
[Thu May 26 20:26:02.176096 2016] [ssl:debug] [pid 57706] ssl_engine_kernel.c(1936): [client 127.0.0.1:47561] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Thu May 26 20:26:02.188418 2016] [ssl:info] [pid 57706] [client 127.0.0.1:47561] AH02008: SSL library error 1 in handshake (server mo-xxxxxxxx.mo.sap.corp:443)
[Thu May 26 20:26:02.188546 2016] [ssl:info] [pid 57706] SSL Library Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate -- No CAs known to server for verification?
[Thu May 26 20:26:02.188608 2016] [ssl:info] [pid 57706] [client 127.0.0.1:47561] AH01998: Connection closed to child 3 with abortive shutdown (server mo-xxxxxxxx.mo.sap.corp:443)
HCC Log:
2016-05-26 20:26:02,082#DEBUG#com.sap.security.saml2.sp.sso.AssertionValidationService#tunnelclient-4-1#0xaf519c8d#Exiting method|
2016-05-26 20:26:02,082#DEBUG#com.sap.security.saml2.sp.sso.Utils#tunnelclient-4-1#0xaf519c8d#Service Provider has received SAML2Assertion from Identity Provider [accounts.sap.com] that contains authentication context [urn:oasis:names:tc:SAML:2.0:ac:classes:X509] which could not be found in the configuration.|
2016-05-26 20:26:02,088#DEBUG#com.sap.security.saml2.sp.sso.Utils#tunnelclient-4-1#0xaf519c8d#SAML2Principal successfully created: D066389 (authentication method: SAML2)
[IdP=accounts.sap.com, SP=https://netweaver.ondemand.com; NameID=D066389; NameIDFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified; AuthnContexts=[[Name: urn:oasis:names:tc:SAML:2.0:ac:classes:X509, Alias: urn:oasis:names:tc:SAML:2.0:ac:classes:X509, TimeStamp: 1464294362083]]]
; Attributes=[[Namespace: com.sap.security.saml2, Name: first_name, Values: [Martin]], [Namespace: com.sap.security.saml2, Name: display_name, Values: [Martin Loeper]], [Namespace: com.sap.security.saml2, Name: mail, Values: [martin.loeper@sap.com]], [Namespace: com.sap.security.saml2, Name: last_name, Values: [Loeper]]]
MNI terminated=false
|
2016-05-26 20:26:02,090#DEBUG#com.sap.core.connectivity.tunnel.client.sso.SessionInfoStore#tunnelclient-4-1#0xaf519c8d#Generated new session id 928944775|
2016-05-26 20:26:02,091#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnelclient-4-1#0xaf519c8d#Assigned principal 'D066389'|
2016-05-26 20:26:02,091#DEBUG#com.sap.core.connectivity.tunnel.core.impl.context.OutboundProtocolProcessorRegistry#tunnelclient-4-1#0xaf519c8d#Will use default factory for protocol HTTP|
2016-05-26 20:26:02,092#DEBUG#com.sap.core.connectivity.tunnel.core.impl.context.OutboundProtocolProcessorRegistry#tunnelclient-4-1#0xaf519c8d#Acquiring outbound connection processor for protocol HTTP|
2016-05-26 20:26:02,092#DEBUG#com.sap.core.connectivity.protocol.http.HttpOutboundConnectionProcessorFactory#tunnelclient-4-1#0xaf519c8d#Acquiring outbound protocol processor for protocol HTTP|
2016-05-26 20:26:02,092#DEBUG#com.sap.core.connectivity.protocol.http.HttpOutboundConnectionProcessorFactory#tunnelclient-4-1#0xaf519c8d#Creating outbound protocol processor for protocol HTTP|
2016-05-26 20:26:02,096#DEBUG#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnelclient-4-1# #Decoding WebSocket Frame opCode=2|
2016-05-26 20:26:02,096#DEBUG#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnelclient-4-1# #Decoding WebSocket Frame length=861|
2016-05-26 20:26:02,096#DEBUG#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnelclient-4-1#0xaf519c8d#Opening connection to backend system opensapedia.cloud:443|
2016-05-26 20:26:02,115#DEBUG#com.sap.scc.security#tunnelclient-4-1#0xaf519c8d#Generating X.509 certificate for authentication to backend|
2016-05-26 20:26:02,115#DEBUG#com.sap.scc.security#tunnelclient-4-1#0xaf519c8d#Requesting token for principal D066389|
2016-05-26 20:26:02,159#DEBUG#com.sap.scc.security#tunnelclient-4-1#0xaf519c8d#Generated X.509 certificate with subject CN=D066389,EMAIL=martin.loeper@sap.com,OU=Tools,O=SAP-AG|
2016-05-26 20:26:02,163#TRACE#com.sap.core.connectivity.tunnel.core.impl.processing.OutboundPacketProcessor#tunnelclient-4-1#0xaf519c8d#Sent packet with size 847 to processor|
2016-05-26 20:26:02,164#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnelclient-4-1# #Successfully opened backend connection [id: 0xb5d0fa7f, /127.0.0.1:47561 => /127.0.0.1:443]|
2016-05-26 20:26:02,169#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpProtocolOutboundHandler#tunnelclient-4-1#0xaf519c8d#Access allowed to /w/test.php for virtual host opensapedia.cloud:443|
2016-05-26 20:26:02,169#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpProtocolOutboundHandler#tunnelclient-4-1#0xaf519c8d#set request description to statistics instance: /w/test.php on [virtualHost=opensapedia.cloud, virtualPort=443, protocol=HTTP]|
2016-05-26 20:26:02,170#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpProtocolOutboundHandler#tunnelclient-4-1#0xaf519c8d#Report open connection connection -1353606003 to HTTP://opensapedia.cloud:443 request /w/test.php|
2016-05-26 20:26:02,170#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpProtocolOutboundHandler#tunnelclient-4-1#0xaf519c8d#Report open connection connection -1353606003 to HTTP://opensapedia.cloud:443 request /w/test.php|
2016-05-26 20:26:02,170#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpInterceptingHandler#tunnelclient-4-1#0xaf519c8d#Start sending /w/test.php to backend.|
2016-05-26 20:26:02,170#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnelclient-4-1#0xaf519c8d#Will use X.509 certificate for authentication to backend: <certificate omitted>|
2016-05-26 20:26:02,171#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpInterceptingHandler#tunnelclient-4-1#0xaf519c8d#Start sending /w/test.php to backend.|
2016-05-26 20:26:02,172#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpInterceptingHandler#tunnelclient-4-1#0xaf519c8d#Finished sending /w/test.php to backend.|
2016-05-26 20:26:02,172#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpInterceptingHandler#tunnelclient-4-1#0xaf519c8d#Finished sending /w/test.php to backend.|
2016-05-26 20:26:02,193#ERROR#com.sap.core.connectivity.spi.processing.OutboundConnectionErrorHandler#tunnelclient-4-1#0xaf519c8d#Internal error
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:380)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:244)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:308)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:294)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:846)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)
at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1138)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1028)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:968)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:349)
... 12 more|
2016-05-26 20:26:02,195#DEBUG#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnelclient-4-1#0xaf519c8d#Encoding WebSocket Frame opCode=2 length=273|
2016-05-26 20:26:02,197#ERROR#com.sap.core.connectivity.protocol.http.handlers.HttpConnectionCloseHandler#tunnelclient-4-1# #Connection closed by backend during processing|
2016-05-26 20:26:02,198#DEBUG#io.netty.handler.codec.http.websocketx.WebSocket08FrameEncoder#tunnelclient-4-1# #Encoding WebSocket Frame opCode=2 length=240|
2016-05-26 20:26:02,202#DEBUG#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnelclient-4-1# #Decoding WebSocket Frame opCode=2|
2016-05-26 20:26:02,202#DEBUG#io.netty.handler.codec.http.websocketx.WebSocket08FrameDecoder#tunnelclient-4-1# #Decoding WebSocket Frame length=14|
2016-05-26 20:26:02,203#DEBUG#com.sap.core.connectivity.tunnel.core.Tunnel#tunnelclient-4-1#0xaf519c8d#Unsubscribed connection with id 0xaf519c8d|
2016-05-26 20:26:02,204#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnelclient-4-1#0xaf519c8d#Unassigned principal 'D066389'|
2016-05-26 20:26:02,204#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnelclient-4-1#0xaf519c8d#Released backend connection [id: 0xb5d0fa7f, /127.0.0.1:47561 :> /127.0.0.1:443]|
Might there be an issue with the certificate I use?
Best regards,
Martin
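The two logs above disagree about the same handshake: the HCC reports that it generated a user certificate for D066389 and then received a fatal handshake_failure alert, while Apache reports "peer did not return a certificate -- No CAs known to server for verification?". The check a practitioner would run first is whether the CA that issues the Cloud Connector's short-lived user certificates is in the bundle Apache uses for SSLCACertificateFile. The script below is an added example, not code from the original post or from SAP: it reproduces that trust check offline with the openssl CLI, which it assumes is installed. The CA names, the stand-in "scc_ca", the user subject modelled on the HCC log and all paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from SAP: reproduce offline the trust
# check behind Apache's "peer did not return a certificate -- No CAs known to server".
# Assumes the openssl CLI is installed; every CA, subject and path here is constructed.
set -eu

WORK="${TMPDIR:-/tmp}/scc-mtls-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA named $1 with subject $2. "scc_ca" plays the hypothetical CA
# that signs the Cloud Connector's short-lived user certificates (constructed, not SAP's).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a short-lived user certificate signed by CA $1; the subject mirrors the HCC log line.
make_user_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=D066389/OU=Tools/O=SAP-AG" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/user.crt" >/dev/null 2>&1
}

# What Apache does with SSLCACertificateFile: accept the client certificate only if it
# chains to a CA in that file. Prints "ok" or "fail" instead of exiting so callers can compare.
verify_against() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/user.crt" >/dev/null 2>&1; then
    echo "ok"
  else
    echo "fail"
  fi
}

# The CA name a client would see in the server's CertificateRequest if this bundle were
# SSLCACertificateFile. A Java client such as the HCC's SSLEngine generally offers a
# certificate only when its issuer appears in that list; an empty or wrong list therefore
# ends as "peer did not return a certificate" on the Apache side.
advertised_ca_name() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject
}

make_ca scc_ca   "/CN=Constructed SCC principal propagation CA"
make_ca other_ca "/CN=Constructed unrelated CA"
make_user_cert scc_ca

echo "trust store holds the SCC CA:  $(verify_against scc_ca)"    # ok
echo "trust store holds another CA:  $(verify_against other_ca)"  # fail
advertised_ca_name scc_ca
```

Against the real backend, `openssl s_client -connect <apache-host>:443` prints the "Acceptable client certificate CA names" the server advertises; if the Cloud Connector's issuing CA is not among them, the fix is on the Apache side (add that CA to the SSLCACertificateFile bundle), not in the HCC.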