ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

SAP Intelligent RPA API error with WSS Agent active

book

Article ID: 239077

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

While running the API call in SAP Intelligent RPA Portal, users report "local issuer certificate error" when the WSS Agent is running as shown below

When disabling the WSS Agent, the script works fine

Tried to bypass SSL inspection for a number of domains but problem persists 

Cause

Certificate pinning issue with SAP Application

CASB Gatelet enabled for some of the domains being SSL intercepted, making standard solution to these types of problems more difficult 

Environment

WSS Agent

SAP Intelligent RPA Web Application

Resolution

A number of potential solutions exist for this problem but ultimately ended up bypassing SSL inspection and CASB for accounts.google.com when users part of a local developer group.

;; Tab: [SEA Force SSL Disable Accounts Google]

<SSL-Intercept> condition=Google_Accounts_SSL policy.BC_UPE_Set_ssl_forward_proxy_issuer_keyring
condition=Google_Accounts ssl.forward_proxy(no)
define condition BC_Elastica_SSL_Exempt
url.domain=accounts.google.com
end

define condition Google_Accounts
url.domain=accounts.google.com
end

define condition Google_Accounts_SSL
group='SG-US DLP Symantec UG7'
end

 

Other options include the following:

1. Can the SAP Application be configured to accept the SSL certificate returned by WSS - options exist on the SAP side which would disable certificate pinning

2. Use SAP thick client application instead of Web based, so that an Application level bypass can be done on the WSS side

3. Add a protocol detection bypass for the accounts.google.com IP address and apply it to subset of users. This is slightly more aggressive than the option customer went with above, but also works.

Additional Information

Oth

Attachments