Troubleshooting
This section provides information about the most common errors and possible solutions for error handling while configuring the connection to SAP Jam.
If an API connection to SAP Jam does not work, try to log on to SAP Jam using the browser of your choice. If SAP Jam is in maintenance mode, you may not be able to log on for a short period of time. The API calls will also fail.
The following errors occur occasionally when you change system settings:
| Error | Reason | Solution |
|---|---|---|
| HTTP code 407 | SAP Jam certificate was not added to the list of certificates in transaction STRUST. | See Service Provider Certificate. |
| SAP Jam certificate has reached the end of its validity. | Get a new certificate as described in Service Provider Certificate. | |
| No SAML assertion | The IdP in the back-end system has a different name than in SAP Jam. | Check the IdP names. For more information, see Registering Identity Provider. |
| No signature | The SSFA certificate used the wrong algorithm for the public key. | Delete the PSE and try again with RSA as the algorithm. For more information, see Creating an SSFA Instance. |
You may encounter situations in which you followed all of the instructions in this document and still get errors. In the table below we list some topics that will help you determine what the problem is. The table does not show the exact error message but only the most important key words.
| Error | Possible Reason | Solution |
|---|---|---|
| No signature | No PSE has been distributed. | In transaction STRUST, search the node for your SSFA (the standard delivery contains node SSF Collaboration Integration), right-click and perform the Distribute command. |
| Signature validation failed | The SSF parameters of the SAML SSF application are incorrect. | In transaction SSFA, look for entry SAML2 Service Provider – Signature. Ensure that the SSF format is set to PKCS#1 and that the hash algorithm is set to SHA1. |
| The SSF parameters of the SSF application CLBOAU are incorrect. | See the info for SAML SSF in the previous line. | |
| Invalid SAML2 signature | The certificate has expired, is not valid yet, or simply missing. | In transaction STRUST, double-click the SSF SAML2 Service Provider – S) node. Then double-click the Subject field on the Details screen and check the validity of the certificate. Export the certificate from STRUST again and enter it on Jam side to corresponding IdP. |
| SAML Service Provider does not match audience | The IdP name as listed in transaction SAML2 is different from the name in SAP Jam. | Use the same name as in the back end when creating an IdP. See Registering Identity Provider. |
| SAML authentication failed: Issuer is not a trusted IdP | The IdP of the back-end system has not been entered into the SAP Jam configuration. | Use the same name as in the back end when creating an IdP. See Registering Identity Provider. |
| Wrong encryption set for SAML2. | In transaction SSFA, search the node for your SSFA (the standard delivery contains node SAML2 Service Provider – Signature. Ensure that the SSF format is set to PKCS#1 and that the hash algorithm is set to SHA1. Export the certificate from STRUST again and enter it on Jam side to corresponding IdP. | |
| HTTP code 404 (Not Found) | You are trying to access an endpoint of the REST API that either does not exist or that is spelled incorrectly. | Check whether the endpoint you are trying to access in the productive environment has been transported there. |
| HTTP code 407 | When connecting to the cloud you get a code 407 although the SSL certificate has been added to the trusted certificates of the client SSL ANONYM. | The certificate chain provided by SAP Jam has been broken. Reinstall the SSL certificate according to the procedure in Service Provider Certificate. |
| HTTP code 405: Method not allowed | ICM is not configured properly. |
If the error text is ICM_HTTP_INTERNAL_ERROR do the following: Run transaction SICF and check the SSL settings of the host and port that you specified in transaction CLB2_PLATF. If the settings are correct, verify that the http request method corresponds to the service definition of the service provider. You can start an ICF trace to check the requests that are sent. |
| HTTP code 401: account not activated | The account has just been created or the password of the account has been reset. | Log in to SAP Jam using the browser of your choice. |
| HTTP code 401: OAuth authorization failed | SSFA certificate has been changed in the back end, a new SAPCryptolib has been installed. | Download the consumer application certificate; see Creating an SSFA Instance. Import the certificate into your OAuth Client; see Setting Up the OAuth Client. |
| Error “E-Mail address … does not exist” | Email address is not maintained in the user data in the back end. | Enter the email address in the user master record (transaction SU01). |
| User does not belong to an organization this IdP can provision users into | The consumer key of the OAuth client is incorrect. | Go to SAP Jam and check whether the user has been created or if it does not exist; then check whether the user is assigned to your company. |
| Invalid OAuth protected resource access request | The request has been sent to an HTTPS port but as plain HTTP. | Get the consumer key (See Setting Up the OAuth Client) and compare it with the application settings in the back end (See Defining Application Settings). |
| HTTP code 402: Timeout | The request has been sent to an HTTPS port but as plain HTTP. | Check that the SAP Jam server is available. If so, the proxy settings you made in section Defining Server Settings (proxy and host) possibly are not correct. This happens for example, when you use a proxy server and the target is behind the firewall. |
| HTTP code 400: Bad request | The server URL uses protocol HTTP instead of HTTPS. | Verify that the server URL matches the target URL (See Defining Server Settings). |
| One of the parameters in the request sent to SAP Jam is out of range. | This is most likely an application problem or program error. To check which parameters are out of range, set a breakpoint in CL_CLB2_CONNECTOR, method DO_RECEIVE, and debug the request. | |
| HTTP code 400 with ICM_HTTP_CONNECTION_FAILED | The authentication methods are not fully customized. | Check whether the authentication methods are properly customized. See Defining Server Settings. |
| The server URL uses protocol HTTP instead of HTTPS. | Verify that the server URL matches the target URL. See Defining Server Settings. | |
| Settings for proxy host and/or proxy port are wrong. | Check trace using SMICM. Error message shows: *** WARNING => Connection request from (46/28019/0) to host: <proxy>, service: <port> failed (NIEHOST_UNKNOWN) Adapt server settings appropriately. See Defining Server Settings. |