Channel: SCN : Discussion List - SAP HANA Cloud Platform Developer Center

Principal Propagation / User Certificate Not Sent


Dear Community,

 

I am trying to set up an SSL connection from HCP via the HANA Cloud Connector to an Apache2 HTTP server.

In order to do that, I created a self-signed CA certificate, imported it as System Certificate and CA Certificate into the Cloud Connector, and registered it in Apache as SSLCACertificate.

The connection is established well. However, on the Apache side I noticed that the CN of the client certificate is wrong. It is not replaced by the user name which is propagated from HCP.

How is this possible? Does the HCC send a wrong certificate? Is the short-lived client certificate generated, but not sent?

The logs on the HCC side, as always, give the impression that the correct certificate is sent, but I somehow doubt it:

 

2016-07-01 03:07:38,380#DEBUG#com.sap.scc.security#tunnelclient-4-1#0x9dab93ae#Generating X.509 certificate for authentication to backend|

2016-07-01 03:07:38,380#DEBUG#com.sap.scc.security#tunnelclient-4-1#0x9dab93ae#Requesting token for principal DXXXXXX|

2016-07-01 03:07:38,380#DEBUG#com.sap.scc.security#tunnelclient-4-1#0x9dab93ae#Using cached X.509 certificate with subject CN=DXXXXXX,EMAIL=test_static||

2016-07-01 03:07:38,381#TRACE#com.sap.core.connectivity.protocol.http.HttpProtocolProcessor#tunnelclient-4-1# #Report open connection connection -1649699922 to HTTP://xxxxx.mo.sap.corp:443|

2016-07-01 03:07:38,381#DEBUG#com.sap.core.connectivity.spi.processing.AbstractProtocolProcessor#tunnelclient-4-1# #Successfully opened backend connection [id: 0x7c81c261, /10.97.131.31:36024 => xxxxx.mo.sap.corp/10.97.173.49:443]|

2016-07-01 03:07:38,381#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpProtocolOutboundHandler#tunnelclient-4-1#0x9dab93ae#Access allowed to /w/test.php for virtual host xxxxx.mo.sap.corp:443|

2016-07-01 03:07:38,381#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpProtocolOutboundHandler#tunnelclient-4-1#0x9dab93ae#Set request description to statistics instance: /w/test.php on [virtualHost=xxxxx.mo.sap.corp, virtualPort=443, protocol=HTTP]|

2016-07-01 03:07:38,381#TRACE#com.sap.core.connectivity.protocol.http.handlers.HttpProtocolOutboundHandler#tunnelclient-4-1#0x9dab93ae#Report invoke started for  connection -1649699922 to HTTP://xxxxx.mo.sap.corp:443 request /w/test.php|

2016-07-01 03:07:38,381#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpInterceptingHandler#tunnelclient-4-1#0x9dab93ae#Start sending /w/test.php to backend.|

2016-07-01 03:07:38,381#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnelclient-4-1#0x9dab93ae#Will use X.509 certificate for authentication to backend: MIIDtzCCAp8CBQCPdXZZMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNVBAMMC1NBUEVESUFfU1NPMB4XDTE2MDcwMTAyNDEzN1oXDTE2MDcwMTAzNTEzN1owKTEVMBMGCSqGSIb3DQEJARYGYWRkZGRkMRAwDgYDVQQDEwdEMDY2Mzg5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6wzMm9sAFO8RYGLHEv5FAVH8JsaXFz4YXS4cnTelh8wc34wdvJ8hXD6wzF8TFD+zL7hXbsWMC8fMFYdCTx/VgTDOjqWWaSXMwV28LMeJCqL4ZnFWDu9JLO1zcxJphslJ8ZvIj6MvuyCLc8/aw4ShbrOSvgLORg9JaQ9gBbcrAWCV+oq6MZqHFvkdxiSaEXoD/vfSeS3lHR4QIGehc3sFKImgySPxMEQFflR6NRl8FJXXX2YWyPswon0xn3NsKehB9ldm3a1vLw6FK7hD2hpMPEp+5bxepO4N+38U4r60NjEKL81oJ3HH1DjzUmFXIGhVvscP0Sml6Nr/09voBV6+pEt98KCclvHuCkgn5ll2YanJFs9tqirNPgyJntvC3NsWKgOXgjKOVNaZUs0z2FLqXyaPVumjdTYXZpMyUo/1r0+NNHeOoEQlRF01tP83+costUW4lBQOHrb745E9A03ZxKBtBuX7XXrH2FSmfWl+lEiKB+zBHo0R2EIwKrhR+Uwng4y9SPjt9HHy3wo6h48eFmaEh/d+VOzDHVbwQ1xM1SsMXPThagVFGRabxVwafKcbwvtlBDwFC+EgCTt+RSRKim5KSgCz1c0aALP/BQ2T3DVe2m6tRr3TkVBCO0pq+XDF+75rvbAEeXEIZY4J3ITIhTEOrYA/eDGcWpOifewt3ZMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAgGAnTKpVgSdOTy2/vDJ+9dfIIC01o0rXTHkKCLSzOIQk0Iw8jBYC1uHWpfPYkHQmOluM0b2UZCtAtGD4FjXrg+EdR2uSBa9B9NTJ4PRjtKxp8gKE2rIt4zHNc/SQryhbDB3/2+629mjYc/SwcmKYzpzr+njjTywYNwF27HOpG7yDuICSAuiVAkIIeAcQt3R37XcENIIYIQSqlUK3esT+6L7HhDmc8ZAaUhXfuVphicpWOJUxy22kFnUm2kmHaPhtGIrnj/z8eKhdPO1TndWD8BgempI0Bf35sPNMz+JEK2CrSZtPw22jZ7VgPzi/rtk0PYSfTjAGJK5D80fp18bQdw==|

2016-07-01 03:07:38,382#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpInterceptingHandler#tunnelclient-4-1#0x9dab93ae#Start sending /w/test.php to backend.|

2016-07-01 03:07:38,383#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpInterceptingHandler#tunnelclient-4-1#0x9dab93ae#Finished sending /w/test.php to backend.|

2016-07-01 03:07:38,383#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpInterceptingHandler#tunnelclient-4-1#0x9dab93ae#Finished sending /w/test.php to backend.|

2016-07-01 03:07:38,402#DEBUG#io.netty.handler.ssl.SslHandler#tunnelclient-4-1# #[id: 0x7c81c261, /10.97.131.31:36024 => xxxxx.mo.sap.corp/10.97.173.49:443] HANDSHAKEN: TLS_RSA_WITH_AES_256_GCM_SHA384|

[…]

2016-07-01 03:07:38,418#DEBUG#com.sap.core.connectivity.tunnel.client.sso.CallerPrincipalProviderImpl#tunnelclient-4-1#0x9dab93ae#Unassigned principal 'DXXXXXX'|

 

As always, any idea what might go wrong here is much appreciated.

 

Best Regards

Martin
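
An added example, not part of the original post and not SAP code: one way to check the question raised above is to decode the certificate printed after "Will use X.509 certificate for authentication to backend:" and compare its subject CN with the principal requested in the same session. The log layout is taken from the lines in the post; the function names, the session id and the certificate skeleton are constructed for illustration.

```python
import base64

CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
CERT_MSG = "Will use X.509 certificate for authentication to backend: "

def elements(buf):
    """Split DER bytes into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def subject_cn(cert_b64):
    """Subject CN of a base64 DER certificate; None if the subject has no CN."""
    cert = elements(base64.b64decode(cert_b64))[0][1]
    fields = elements(elements(cert)[0][1])  # tbsCertificate
    skip = 1 if fields[0][0] == 0xA0 else 0  # optional [0] version, absent in v1
    for _, rdn in elements(fields[skip + 4][1]):  # 5th field is the subject Name
        for _, atv in elements(rdn):
            (_, oid), (_, value) = elements(atv)[:2]
            if oid == CN_OID:
                return value.decode("utf-8", "replace")

def check_log(lines):
    """Per session id: (principal requested, CN inside the logged certificate)."""
    principal, result = {}, {}
    for line in lines:
        parts = line.rstrip("|\n").split("#", 5)
        if len(parts) == 6 and parts[5].startswith("Requesting token for principal "):
            principal[parts[4]] = parts[5].rsplit(" ", 1)[1]
        elif len(parts) == 6 and parts[5].startswith(CERT_MSG):
            result[parts[4]] = (principal.get(parts[4]), subject_cn(parts[5][len(CERT_MSG):]))
    return result

def skeleton(subject, issuer="EXAMPLE_CA"):  # constructed sample, not a valid certificate
    der = lambda tag, *p: bytes([tag, len(b"".join(p))]) + b"".join(p)  # short lengths only
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, CN_OID), der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0x02, b"\x01"), der(0x30), name(issuer), der(0x30), name(subject))
    return base64.b64encode(der(0x30, tbs)).decode()

SAMPLE_LOG = [  # constructed lines in the log format shown in the post
    "2016-07-01 03:07:38,380#DEBUG#com.sap.scc.security#tunnelclient-4-1#0x00000001#Requesting token for principal DXXXXXX|",
    "2016-07-01 03:07:38,381#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnelclient-4-1#0x00000001#" + CERT_MSG + skeleton("DXXXXXX") + "|",
]
```

`check_log` reports what the connector log says it will present; which certificate Apache actually received still has to be read on the Apache side.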

