Troubleshooting Signavio to SolutionManager

Contents
Version History..................................................................................................................................1
Reference Material and Guidance.....................................................................................................1
SAP Notes..........................................................................................................................................1
Additional Troubleshooting tips........................................................................................................2
Landscape Architecture.........................................................................................................................3
Global Account..................................................................................................................................3
SubAccount........................................................................................................................................4
IAS......................................................................................................................................................4
Cloud Connector................................................................................................................................4
IP Loadbalancer.................................................................................................................................5
WebDispatcher..................................................................................................................................5
SolutionManager...............................................................................................................................6

This Document is to be used to troubleshoot problems discovered between BTP and an OnPremise
Target Solution.

Version History
Version Information
0.1 Initial version
0.2 Updated with TOC + Ref.Material
0.3 Updated with CloudConnector version issue
0.4 Additional CC version configuration config

Reference Material and Guidance

Area Documentation
BTP Global Account Link
BTP SubAccount Entitlements Link
Trust & Federation Setup (IAS or Custom IdP) Link
Cloud Connector Link
IAS Configuration Guide Link
OnPremise SSL WebDispatcher Setup Link

SAP Notes
SAP Note Description
2616927 Troubleshooting common scenarios and errors in
 Web Dispatcher
2394406 Required information for analyzing SSL issues on
Web Dispatchers
510007 Additional considerations about setting up SSL on
Application Server ABAP
2539713 Upgrade to a new version of the Cloud
Connector

Additional Troubleshooting tips

Problem Area Instruction
WebDispatcher Host Header validation Use a Browser and run
“https://<myLoadbalancerServiceAddress.com>
/sap/bc/bsp/sap/system_test/test_proxy.htm
HTTP Error Code 401 Cross check SSL Client Certificate to be set as
Optional AND configure “Alternative Logon
Methods” per SICF Service
HTTP Error Code 403 SICF Service is not enabled
HTTP Error Code 500 Target was not able to figure out what to do
with the request (configuration or Software Bug
issue)
SSL Peer not Trusted / Verified Missing RootChain is likely the root cause
This can also be due to invalid SSL SNI Setup on
Backend System
No Data Found From SolutionManager Check the Technical User in SolutionManager
and especially the Roles
Landscape Architecture

Global Account
 To Create a SubAccount you will need the GlobalAccount Administrator Role
 Navigate to https://emea.cockpit.btp.cloud.sap/cockpit/ and perform
o Create SubAccount in EU10(AWS)
o Navigate to Entitlements -> Entity Assignment -> Select your SubAccount and
configure new Entitlement : “business process model connector for SAP Signavio
solutions"
SubAccount
Checklist

 CloudFoundry & Space completed

 Subscribed to the “business process model connector for SAP Signavio solutions”
 IAS setup done With/without RoleCollection & AzureAD Group SAML Claim Mapping

Checklist Signavio Application

 Make sure you are assigned the FullAdmin during Initial setup
 Make sure the SolutionManager settings are per below
 Host name = This is the Internal Loadbalancer Name of the SolutionManager system , or
Local ICM if no LBLayer exist
 Port = The Virtual Port which is also to be specified as Virtual Port in CloudConnector

IAS
Checklist

 IAS SubAccount Application setup properly for Azure Authentication

 IAS Application setup to allow AzureAD Group Mapping (OPTIONAL)
Cloud Connector
Checklist

 Connected to the SubAccount with/without LocationID

 Make sure System & UI Certificate is not Self-Signed using PKI or Approved SAP Root CA
 Create a Virtual Host Entry identical to the value specified in the SubAccount Generated
Destination
Note: It does not need to use the Generated names by the Signavio Application to enable
the connectivity, as long as the value in CC VirtualHost AND BTP SubAccount DESTINATION is
having the same values it will work!
This mean you can modify the DESTINATION URL according to your internal “Virtual Host”
Naming convention and update the BTP Destination accordingly
 Make sure to set Host Header to “Internal Host” to avoid Host_header mismatch on
loadbalancer layer.
 Access Control configuration
o /sap/bc/icf/info (Path Only (Sub-Paths Are Excluded)
o /sap/opu/odata/sap/ProcessManagement (Path And All Sub-Paths)

NOTE: CaseSensitive as highlighted above and not as you see it in SICF with all lowercase!

 Make sure X.509 Principal Propagation is not set for this Entry!
 CloudConnector Version 2.13 and older
o Set the Principal Propagation to NONE which will allow Basic Authentication
 CloudConnector version 2.14x
o Set the Principal propagation to “X.509 (Strict Usage)” to avoid the Local ICF
Modification which is stated below
 Cloud Connector version 2.15 and higher please follow this link:
https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/configure-access-control-
http

IP Loadbalancer
 Make sure SSL Service is having a valid SSL Certificate and not Self-Signed using PKI or
Approved SAP Root CA
 Make sure that X.509 Client Certificate Authentication is not set to MANDATORY, to allow
also Basic Authentication
 Make sure these corresponding parameters are set high enough depending on Data volume
o Client Idle Timeout 1800 seconds
o Server Idle Timeout 1800 seconds
o Client keep alive is set to YES

WebDispatcher
 Make sure SSL Service is having a valid SSL Certificate and not Self-Signed using PKI or
Approved SAP Root CA
 Make sure SSL Trust towards SolutionManager system is setup properly
 Make sure that X.509 Client Certificate Authentication is not set to MANDATORY, to allow
also Basic Authentication to lower systems
 Check 1410736 - TCP/IP: setting keepalive interval which needs to be tuned according to
runtime of the “Synchronization of Projects” runtime. Start with at least 20minutes!
SolutionManager
 Make sure the SSL Service is signed by a Root CA (Internal PKI or one of the approved SAP
Root CA)
 If you have a CloudConnector OLDER than 2.15.1 , then follow below instruction
o SICF Tcode -> sap/opu/odata/sap/processmanagement , change configuration to “All
Alternative Logon Methods” and remove SSO Auth Methods (SAML, X.509, SPNEGO)

 Make sure SSL trust works from Loadbalancer layer with Basic Authentication for the
Signavio Related Services!