SAP S4 to AEM channel activation error: Framed TCP client connection closed by peer

Hi,

We are trying to connect SAP S4HANA to Advanced Event Mesh. There are several blog posts on the subject that detail the steps, but we haven’t been able to get it to work.

The Broker cuts off communication after the handshake:

[Thr 140734346817808] Client certificate info: subject=“CN=*.messaging.solace.cloud, O=Solace Corporation, L=Kanata, SP=Ontario, C=CA”, issuer=“CN=Thawte TLS RSA CA G1, OU=wwwdigicert.com, O=DigiCert Inc, C=US”
[Thr 140734346817808] HTTP response [80/81879/1] statistics: icmtotal=0,icmreqrcv=0,icmext=0,icmrespsend=0
[Thr 140734346817808] HTTP response (raw) [80/81879/1]:
[Thr 140734346817808] HTTP/1.1 101 Switching Protocols
[Thr 140734346817808] upgrade: websocket
[Thr 140734346817808] connection: Upgrade
[Thr 140734346817808] sec-websocket-accept: moSoamswlNUFdgXL8w6D3ume+i8=
[Thr 140734346817808] sap-icm-internal-protocol: sap-framed-tcp-v1.0
[Thr 140734346817808] Connection Info: role=Client, local=s4hana2023.xxxxxxx.local:44301, peer=mr-connection-xxxxxxx.messaging.solace.cloud, protocol=HTTPS, SNI=missing
[Thr 140734346817808] DTRACE(80/81879/1): {root-id=B72324F7ECA71FD193D54E20B2D9728D}_{conn-id=AC18E1553BD96A044D66083500000000}_1
[Thr 140734348587280] *** WARNING => Framed TCP client connection to tcp://mr-connection-xxxxxx.messaging.solace.cloud:5671 closed by peer.

I have a few questions about this integration:

1.- Can an S4 be connected directly to the AEM without needing the add-on?

2.- When creating the user in the Broker, we use the CN from STRUST’s own certificate. We currently have a wildcard CN: CN=*.xxxx.com. However, we cannot create a user in the Broker with *, so we have created a user named xxxx.com. Is this correct, or do we need to change the certificate in the SAP Strust transaction?

3.- Why do we get Framed TCP client connection to tcp://mr-connection-xxxxxx.messaging.solace.cloud:5671 closed by peer?

Thanks

  1. Yes, S4 can be connected directly to the AEM broker without requiring the add-on.
    Please refer to the following blog post for the step-by-step procedure: SAP S/4HANA integration with SAP Integration Suite... - SAP Community
  2. By default, the username source is set to the Common Name (CN) from the certificate. Since wildcard characters are not supported in usernames on the AEM broker, you cannot create a user with a value such as *.xxxx.com.
    Instead, you can configure a different username source in the Broker Manager. The available options are:
  • Certificate Thumbprint—the username is computed as the SHA-1 hash over the entire DER-encoded contents of the client certificate.

  • Common Name—the username is extracted from the certificate’s first instance of the CN attribute in the subject distinguished name (DN).

  • Common Name Last—the username is extracted from the certificate’s last instance of the CN attribute in the subject DN.

  • Subject Alternate Name—the username is extracted from the certificate’s other name type of the subject alternative name and must have the Microsoft user principal name (UPN) signature.

  • User Identifier—the username is extracted from the certificate’s first instance of the user identifier attribute in the subject DN.

  • User Identifier Last—the username is extracted from the certificate’s last instance of the user identifier attribute in the subject DN.

  3. The error message below may indicate an incorrect or incomplete client certificate authentication configuration on the broker:
    “Framed TCP client connection to tcp://mr-connection-xxxxxx.messaging.solace.cloud:5671 closed by peer”
    If you continue to experience issues after completing the correct setup, please open a support case and share the relevant logs for further investigation.

Thanks,

Aman
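
The username sources listed in the answer above, as an added example that is not part of the thread and is not SAP or Solace code: Python (standard library only) that takes a PEM certificate, computes the SHA-1 thumbprint over its DER bytes, reads the first and last CN of the subject DN, and flags a wildcard CN. Assumptions: the names `username_sources`, `subject_cns`, `tlv` and `enc` are hypothetical, and the sample is a constructed, certificate-shaped DER skeleton rather than a valid certificate.

```python
import hashlib, ssl

CN_OID = bytes.fromhex("0603550403")  # DER encoding of OID 2.5.4.3 (commonName)

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_cns(der):
    """Return every CN value of the subject DN, in certificate order."""
    _, pos, _ = tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)          # TBSCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                    # optional [0] version field
        pos = end
    for _ in range(4):                 # skip serial, signature alg, issuer, validity
        _, _, pos = tlv(der, pos)
    _, pos, subject_end = tlv(der, pos)
    cns = []
    while pos < subject_end:
        _, p, rdn_end = tlv(der, pos)  # one RDN (SET)
        while p < rdn_end:
            _, a, atv_end = tlv(der, p)  # AttributeTypeAndValue SEQUENCE
            if der[a:a + 5] == CN_OID:
                _, v, v_end = tlv(der, a + 5)
                cns.append(der[v:v_end].decode("utf-8", "replace"))
            p = atv_end
        pos = rdn_end
    return cns

def username_sources(pem):
    der = ssl.PEM_cert_to_DER_cert(pem)  # hash the DER bytes, never the PEM text
    cns = subject_cns(der)
    return {"thumbprint": hashlib.sha1(der).hexdigest(),
            "common_name": cns[0] if cns else None,
            "common_name_last": cns[-1] if cns else None,
            "wildcard_cn": any("*" in cn for cn in cns)}

def enc(tag, *parts):  # short-form DER encoder, used only to build the sample
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

# Constructed, certificate-shaped DER skeleton (not a valid certificate).
NAME = enc(0x30, enc(0x31, enc(0x30, CN_OID, enc(0x0C, b"*.example.com"))))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(enc(0x30, enc(
    0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), enc(0x30), NAME, enc(0x30), NAME)))
```

The thumbprint is returned as lowercase hex without separators, which is this script's own formatting choice; the thread does not state which form the broker expects.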

Thank you for your response.
The Strust certificate itself only contains the CN with an asterisk (*) and a checksum (SHA1) with the value BE:62:21:55:D5…
I tried switching to “Certificate Thumbprint” and creating a user with that value, but it didn’t work. I created another user with the same value but without the colon (:), and that didn’t work either.

On the other hand we have this:

It could be because we have the “test-demo” plan in BTP Subscriptions for SAP Integration Suite, advanced event mesh.

Could this be why it isn’t working?

KR.

It’s working now. We simply generated a new self-signed certificate without an asterisk (*).

We didn’t even need a certificate chain with root and intermediate certificates.

That’s great.
A certificate chain containing the root and intermediate certificates is required when using a certificate signed by a CA.
For a self-signed certificate, there is no certificate chain, as the certificate itself acts as the root certificate.