SAP Intelligent RPA API error with WSS Agent active
Article ID: 239077
Updated On:
Products
Issue/Introduction
While running the API call in SAP Intelligent RPA Portal, users report "local issuer certificate error" when the WSS Agent is running as shown below
When disabling the WSS Agent, the script works fine
Tried to bypass SSL inspection for a number of domains but problem persists
Cause
Certificate pinning issue with SAP Application
CASB Gatelet enabled for some of the domains being SSL intercepted, making standard solution to these types of problems more difficult
Environment
WSS Agent
SAP Intelligent RPA Web Application
Resolution
A number of potential solutions exist for this problem but ultimately ended up bypassing SSL inspection and CASB for accounts.google.com when users part of a local developer group.
;; Tab: [SEA Force SSL Disable Accounts Google]
<SSL-Intercept> condition=Google_Accounts_SSL policy.BC_UPE_Set_ssl_forward_proxy_issuer_keyring
condition=Google_Accounts ssl.forward_proxy(no)
define condition BC_Elastica_SSL_Exempt
url.domain=accounts.google.com
end
define condition Google_Accounts
url.domain=accounts.google.com
end
define condition Google_Accounts_SSL
group='SG-US DLP Symantec UG7'
end
Other options include the following:
1. Can the SAP Application be configured to accept the SSL certificate returned by WSS - options exist on the SAP side which would disable certificate pinning
2. Use SAP thick client application instead of Web based, so that an Application level bypass can be done on the WSS side
3. Add a protocol detection bypass for the accounts.google.com IP address and apply it to subset of users. This is slightly more aggressive than the option customer went with above, but also works.
Additional Information
Oth
Attachments
Feedback
