There was a case in recent time where in our customer environment, we are making use of HTTP proxy as a mandate.
Landscape Information –
- S4HANA 2022 with NW 757 on IBM PowerVs with HANA 2.0 SP05 in IBM Cloud.
- Squid Proxy with IPaddress-1 and IPaddress-2 hosted on VPC(x86).
- PBS - 3rd party Archiving Solution hosted on Windows in On-Prem.
Problem Statement – HTTP Server was not reachable directly from S4HANA and fails using HTTP Proxy. As per the screenshot below, it complains client connection to
http://<3rd party-http-server>:<port-no.> fails.
Solution –
Phase 1: Connection Test / Send Certificate Issue – Fixed
Added Global Proxy configuration in Tx-SM59 -> Goto -> HTTP Proxy Configuration
Maintain the HTTP proxy under HTTP Protocol and HTTPS Protocol –
Based on the SAP note – 3165420, it talks about the symptom via “NIECONN_REFUSED” whereas our symptom is different i.e., “Connection Broken”. Secondly, the resolution part says – “Check whether the HTTP proxy is configured and deactivate it
if it should not be used for the connection to the HTTP content server.” In addition to it, SAP note also suggests checking multiple configurations.
So, we should not be caught by the information that Archiving/Content Server does not work with HTTP Proxy. We’ll learn going further parts of this blog!
When tried to put Global Proxy in QA system temporarily and observed change in behaviour of the error message to “
HTTP error: 403 forbidden Access denied for client <>” from OAC0. When further tried from Client VPN as a client reported same error because my Laptop’s IP is not whitelisted in PBS content server.
https://me.sap.com/notes/3165420
2.) After enforcing the proxy configuration, connection test started showing Denied entries for our Proxy IPs. Hence, requested PBS administrator to add/whitelist Proxy IPs in PBS server under Programs -> PBS -> PCS -> options.ini
IPaddress-1/rw
IPaddress-2/rw
After adding the IPs, Content Repo from PBS server was restarted from IIS on the Windows box.
This resulted in fixing Connection Test and Send Certificate issue from Tx – OAC0.
Certificate received successfully at PBS server side and Connection test was successful.
But this is not end of solution. There were many challenges after this.
Phase -2: URL and corrupted certificate when traversed from SAP to PBS.
If I try to do connection test from within the repository from Tx-OAC0.
The repository was giving an error “Access denied: Verification of signed URL failed”. Connection tests are successful, however, logs indicate "SsfVerify: there are signer errors".
Troubleshooting Steps:
- When I try to reach content repository via proxy from OS level. It publishes 200 (OK) return code which is fine from connectivity perspective.
curl -S -v
http://<pbs-http-server ip>:<port-no.>/PclHttp.dll?serverInfo&pVersion=0045&contRep=Q0
curl -S -v
http://<pbs-http-server ip>:<port-no.>/PclHttp.dll?serverInfo&pVersion=0047&contRep=Q0
- It sends the signal via serverProtocol HTTP/1.1 from QA server to PBS.
- When we are sending the data via OAC0 from Q0 repository it is sending certificates using HTTP/1.0.
- As per SAP note – 2763564 below, it was checked internet options in PBS windows server to allow HTTP/1.1 through proxy connections as we wanted to ensure there are no restrictions there in PBS windows box.
https://me.sap.com/notes/2763564
Later, when PBS logs were checked thoroughly, it was found that when SAP S4HANA (or ABAP) sends the certificate to content repository from STRUSTSSO2, it fills the comma or space field/area within the certificate to
small-letter strings %2c or %3d instead of
capital letters %3D or %2C. From PBS side, it seems it understands capital letter strings.
For sending signURL or secKey to ContentServer, function module SCMS_URL_SIGN is responsible as below SDN Link.
https://answers.sap.com/questions/6106124/archivelink-seckey-generation.html
With reference to below SAP note
2520326 where it says
URL gets corrupted when proxy is in place which is exactly the same case as ours. I also checked; it is applicable for our release NW – 757.
2520326 – URL corrupted when proxy configuration is in place.
https://me.sap.com/notes/2520326
Connection in OAC0 using HTTP Proxy is successful.
Phase – 3: Final Solution
But problem did not finish in Phase-2, we noticed that Connection test in SARA was successful for functional archiving object but its store file job still fails with error message in Tx - SM37–
Connection to http://<pbs-http-server>:<port-no>/PclHttp.dll?create&pVersion: TCP/IP error
We generated more traces using SAPHTTP and SAPHTTPA by changing its setting from SM59, to select the ‘Set trace flag’ under the Special Options.
Later, use report RSHTTP40 with both RFC destinations SAPHTTP and SAPHTTPA.
From the logs, we can make out the log which came to use the SAP Note – 2570180.
2570180 – ICM Plugin usage over SAPHTTP in Knowledge Provider framework
Maintain the entry in your customer’s client(other than 000).
After which retrieval and storage jobs were successful.
Finally, 3rd party Archiving solution worked fine using HTTP Proxy.
Best Regards,
Ashish Verma
Disclaimer - Please always follow the latest copy of the SAP notes from SAP Service Market Place.