
SAP Intelligent RPA API error with WSS Agent active


Article ID: 239077


Updated On:


Cloud Secure Web Gateway - Cloud SWG


While running the API call in the SAP Intelligent RPA Portal, users report a "local issuer certificate error" when the WSS Agent is running, as shown below.

When the WSS Agent is disabled, the script works fine.

Bypassing SSL inspection for a number of domains was tried, but the problem persists.


WSS Agent

SAP Intelligent RPA Web Application


Certificate pinning issue with the SAP Application.

CASB Gatelet is enabled for some of the domains being SSL intercepted, which makes the standard solution to these types of problems more difficult.


A number of potential solutions exist for this problem, but the customer ultimately ended up bypassing SSL inspection and CASB for users who are part of a local developer group.

;; Tab: [SEA Force SSL Disable Accounts Google]

<SSL-Intercept>
    condition=Google_Accounts_SSL policy.BC_UPE_Set_ssl_forward_proxy_issuer_keyring
    condition=Google_Accounts ssl.forward_proxy(no)

define condition BC_Elastica_SSL_Exempt

define condition Google_Accounts

define condition Google_Accounts_SSL
    group='SG-US DLP Symantec UG7'


Other options include the following:

1. Check whether the SAP Application can be configured to accept the SSL certificate returned by WSS. Options exist on the SAP side which would disable certificate pinning.

2. Use the SAP thick client application instead of the web-based one, so that an application-level bypass can be done on the WSS side.

3. Add a protocol detection bypass for the IP address and apply it to a subset of users. This is slightly more aggressive than the option the customer went with above, but it also works.

Additional Information