The focus of the blog is to help you understand and analyze all the HTTP errors that happen during the connection from your sender system to your Cloud Integration (inbound). Also, this blog will provide some troubleshooting tips that will help better understand where exactly is the problem and how to avoid/prevent it in the future
To better understand this blog post, it is expected that you have some kind of knowledge of Cloud Integration Inbound configuration. It is advised to read SAP Help below, which has a great explanation of how each type of Inbound configuration works:
It is also advisable to read the Blog below (depending on whether your environment system is NEO or Cloud Foundry) for a better explanation of the configuration using Client Certificates:
After creating your scenario to connect to Cloud Integration, some types of HTTP errors may appear in the sender side. Each error has a few different causes, for example, the HTTP 404 error can be caused by a wrong endpoint configuration or an internal problem in the worker nodes of your system. To distinguish what is causing the error and how to solve it, we can use some logs and tips.
Cloud Integration has two logs that together can provide more detailed information about the problem. You can access this log from the Monitoring Dashboard. In the section Access Logs select the System Log Files tile. You get a list of log files with the most recent files at the top. There are one or more HTTP Access or LJS/Trace files with nearly the same time stamp, one for each runtime node started in your tenant. Because you don’t know at which runtime node the request arrives, you need to check all of those files. Later in the blog, I will give tips on which file to download to check for errors more precisely.
Note: The Default trace logs from Cloud Integration may be named LJS_trace.log or Trace.log (depending on whether your system is in NEO or Cloud Foundry) but they are the same logs.
HTTP Access Log:
For each inbound call reaching the Cloud Integration runtime node, one line is written into the HTTP Access Log containing the IP address of the calling system, the certificate or user contained in the request, the date, the path, and the HTTP return code. Through this blog, we can also be sure that the call has reached Cloud Integration. The line in the log file has the following format:
LJS log or Trace log:
If the certificate is received, but there is an error during the authorization check, you should consult the LJS Trace (also known as CP Default Trace) for more details about the error. The formatting of the log that is written to this trace log is varied and can depend on each thread. But it usually has this format:
Sample:
Log Node ID
The log ID is what links an HTTP to an LJS. If your tenant has multiple runtime nodes you can use the ID of your HTTP logs to know which LJS/Trace log to use to check for more details of the error. Check the name of the HTTP Access Log file, where you found the request, to get the ID of the runtime node (LJS/Trace file). The name of the file has the following format: http_access_<Node ID>_<date>.log. The Node ID is the ID of the runtime node, that received the request. Search for the corresponding CP Default Trace with the same node ID, file name format: ljs_trace_<Node ID>_<date>.log.
In addition to the logs, the following information (in the Sample part) will help in analyzing the problem. The main one is the Path of your Iflow. The Path is the URL that your Iflow uses to identify external calls. It is unique to each Iflow and when called by some system it will start the Iflow. It is set in the sender adapter (parameter Address) of your iflow.
The path of our example iflow will be 'http/Inboudtestconnection'.
Now we have the necessary information from the Iflow where the error is happening (using the Path) and we know which logs to use. For better accuracy of the analysis, it is advisable that you reproduce the problem again (calling the iflow that is responding with the HTTP error) so you don't have to download so many logs to analyze.
If it is possible to reproduce the problem, check step number 1, if not, use step number 2.
Note:
In the example below, the Sender is calling the Iflow Test Connection Inbound, which has path /http/Inboudtestconnection. The problem in the sender was an HTTP 404 - Not Found that occurred for two minutes, and the problem cannot be reproduced. The problem happened at 5:01:50 (GMT -3) on the 21st of December (which is the same timezone as my computer/tenant).
Looking at the System logs, I see that there are 4 potential logs to download because they were created or modified after the problem occurred (logs are from the same day and are above the hour and minutes when the problem occurred). Two of them are LJS logs and two HTTP logs:
After downloading the 4 files, I open them in Notepad++ (or some text editor of your choice) and search for the path /http/Inboudtestconnection, using the Find All in All Opened Documents option:
The search returns me three results in one of the two HTTP logs used. There are three lines in them, two that were successful (HTTP 200) and one with the HTTP 404 error at the same timestamp as when the problem occurred in the sender:
At number one in the screenshot above, we see the HTTP Log Node ID. We will use it to know which LJS/Trace log is the correct one to check for the problem. The Node ID in question is 1b64592, so we will use the LJS log with ID 1b64592 (number 3 in the screenshot).
In number two we see the problem that happened (in timezone GMT/UTC+00), and we will copy the timestamp of the problem to check the root cause in LJS:
Searching for timestamp 08:01:50 in the LJS log with ID 1b64592, we can see that the root cause of the problem is the error:
When searching for error 'No consumer to service request' in SAP KBAs (Launchpad), we found the KBA below that explains the problem and how to solve it:
Below is a description of the most common causes and most common checks for HTTP errors and their respective error codes to use more quickly in case you decide not to use the analysis described above or did not find the cause of your problem in the LJS/Trace log.
401 - Unauthorized
The configuration required to authenticate the call is dependent on several factors, including what type of authentication you are using and whether the Cloud Integration tenant is hosted on NEO or Cloud Foundry.
Using Basic Authentication
You need to verify that the Sender Adapter is configured to use Basic Authentication, ie. the Authorization is set to 'User Role'. You also need to ensure that the Sender system is passing a Valid User ID in the call. Note that technical S-Users are not supported for use with Cloud Integration, see:
Using Client Certificate Authentication on NEO
You need to ensure that all configuration steps outlined in the following SAP Community Blog have been implemented fully:
Specifically, you should verify the following points:
Using Client Certificate Authentication on Cloud Foundry
You must ensure that all configuration steps outlined in the following SAP Community Blog have been implemented in full:
Take special care to ensure the following is in place:
403 - Forbidden
This indicates that the call is failing due to missing permissions on the Cloud Integration side. If you are using Basic Authentication, or you are using Client Certificate Based Authentication with the 'Role Based Authentication' method described in either of the above blogs, then within the adapter configuration you will see the 'User Role' parameter defined in the adapter. By default, this is ESBMessaging.send. You need to ensure that the user being used to authenticate the call (or the user which is mapped to the certificate) has this role assigned to it.
Additional Note for Troubleshooting - If attempting to troubleshoot any of the above issues on a NEO Cloud Integration Tenant, it may be useful to check the inbound calls in the HTTP Access Logs. These are not available for Cloud Integration tenants on Cloud Foundry.
For every inbound call to the tenant, a line will be written to the log and this contains important information such as the IP address of the calling system, the timestamp, the path being called, and most importantly (for troubleshooting the above issues), the HTTP response code and the user or certificate which has been passed to the tenant to authenticate the call. This typically has the following format -
If the portion of the written message where the certificate or user would be expected to be displayed is blank, this would indicate that either this is not being sent by the Sender system or, the CA which has signed the certificate is not supported by the Load Balancer (and is getting blocked from being passed to the tenant).
404 - Not Found
The endpoint does not exist or is unavailable. Log into the CPI tenant and check the status of the iFlow in the 'Manage Integration Content' Monitor. Is the iFlow deployed and showing in a 'Started' state? Does the endpoint listed under the 'Endpoints' tab match the URL which you are calling exactly? If yes this can be caused by Outage or Internal problem:
500 - Internal Server Error
The HTTP 500 error can be caused by an internal problem in your Cloud Integration or a problem when processing the message on the receiver (endpoint). If you receive the HTTP 500 error in the Sender when calling Cloud Integration, but a message is generated in your Cloud Integration Monitor, the error is usually caused between Cloud Integration and the Receiver, and the cause can be checked in the message generated (in Cloud Integration Monitor). If you are getting the HTTP 500 error but no message is generated in Cloud Integration side, it is possible that the problem is occurring in the worker nodes of your Cloud Integration, as seen in the SAP KBA:
502 - Bad Gateway
This error normally occurs when the amount of messages sent to Cloud Integration at the same time is too much that the tenant with the current resources takes. This error can be seen in the SAP KBA below:
By analyzing the HTTP log and the LJS logs you can be more precise about where the problem is occurring and the root cause. And when you find the error you can look for documentation on what caused it and how to fix it. These two logs provide a deeper analysis than just an HTTP code and can help you a lot to analyze connection errors with your Cloud Integration.
From all my experience with SAP Cloud Integration support, most HTTP 401 and HTTP 403 errors are caused by misconfiguration. HTTP 404 errors can be caused by configuration or worker node errors and HTTP 500 errors can be caused by receiver or Cloud Integration tenant internal error.
For info regarding Inbound configurations, you can check:
Another related SAP Documentation which might be informative about this topic:
Note: All screenshots in this Blog were captured in my Cloud Integration test system and in the Notepad of my machine.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
20 | |
11 | |
8 | |
8 | |
7 | |
7 | |
7 | |
6 | |
6 | |
6 |