
Troubleshooting UAA Errors

Troubleshooting authentication error message when using XS Advanced client to log in to SAP HANA
You will learn
thecodester, Daniel Wroblewski, January 27, 2022
Created by
March 4, 2018


  • Systems used: SAP HANA SPS12, SAP HANA, express edition

`Authentication failed. UAA at http://your-host:30030 uaa-security is not up.`

The error occurs when trying to log in to XS in HANA using the XS Advanced Client with the command:

xs login -a http://hostname:30030

There seem to be plenty of root causes for this issue, involving different components and, of course, different possible solutions. This How-To document covers some of the common root causes and how to identify them.

  • Step 1

    Rule out the obvious first and make sure the service is running.

    Open the SAP HANA Cockpit and scroll to the SAP HANA Database administration:

    SAP HANA Cockpit

    Manage Services:

    Manage Services

    Find xsuaaserver in the list.

  • Step 2

    Not having the latest version of the XSA Client can also cause the `uaa-security is not up` error. You can find the latest version of SAP Web IDE and XSA Client from the marketplace.

  • Step 3

    Lack of proper access will lead to even more notable errors, such as an `XSA not authorized` error. As of SPS12, Patch 1, you will need to assign the right role collections to the user you are connecting with.

      i. Create a role collection
      1. Open the Application Role Builder tile.
      2. Press the menu button in the upper-left corner. Choose Role Collection.
      3. Press the **+** sign at the bottom right to create a new Role Collection.
      4. Provide the name (e.g. WebIDE_Developer, WebIDE_Administrator) and assign the Application Role:
        1. WebIDE_DEVELOPER role collection, select app name - webide!1, role template = application role - WebIDE_Developer
        2. WebIDE_ADMIN role collection, select app name - webide!1, role template = application role - WebIDE_Administrator
      5. Save.
      ii. Assign the role collection to a user
      1. Open the User Management tile.
      2. Select a user.
      3. Go to the Role Collection section -> add the WebIDE_xxxx role collection accordingly.

    You can find more details here:

    Alternatively, you can test these steps by copying the preconfigured user into a new one, applying the proper role collections and enabling access to the space with the command `xs set-space-role`.

  • Step 4

    If you look at the message thrown by the client, you will find that although you explicitly call port 30030 in the API_URL parameter, the error message returns port 30032. Not having the right ports open would mean more errors when trying to connect to other sites, as login requests will go through the UAA.

    This means we need to make sure communication to those ports is not blocked:

    1. Make sure the instance has the proper ports enabled. In CAL, the configuration for this scenario appears in the `Access points` section of the Virtual Machines tab:
      image 1

    2. If you are running behind a local or corporate firewall, VPN and/or proxy, make sure traffic can flow in both directions. There are some quick ways to check that network traffic is flowing freely without installing complex tools. The following commands can be executed from a terminal or command prompt and can help uncover a network issue:
      1. `ping hostname`, e.g. `ping vhcalhdbdb`
        If, for example, you forgot to configure your hosts file, the host name will not be resolved and you will get a message similar to `Ping request could not find host xxxxx. Please check the name and try again`. Remember to configure your hosts file with the reachable, external IP of the server.
      2. `telnet hostname port`, e.g. `telnet vhcalhdbdb 80`
        If the connection is unavailable, you will get a message similar to `Could not open connection to the host, on port 22: Connect failed`. Any other message probably means that the server and port are reachable, although not all servers and ports are available for telnet. A `Connect failed` clearly indicates the connection cannot be established.
  • Step 5

    If you recently performed an upgrade, make sure the hostname and Fully Qualified Domain Name (FQDN) are still correct. The file `/etc/hosts` in the operating system of the HANA instance contains this information.
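
The reachability checks from Steps 4 and 5 can be scripted so that they run the same way on any client. The following Python script is an added example, not part of the original tutorial or of any SAP tooling; the function names, status labels and hints are assumptions chosen for illustration. It reads the UAA URL out of the client's error message and probes that port plus 30030 and 30032, separating a closed port (connection refused) from a filtered one (timeout) and from a name that does not resolve.

```python
import re
import socket
from urllib.parse import urlsplit

# Heuristic: which step of this page to revisit for each probe outcome.
HINT = {
    "open": "port reachable; check client version and role collections (Steps 2-3)",
    "refused": "host reachable but nothing listening; check xsuaaserver (Step 1)",
    "timeout": "no answer; check access points, firewall, VPN or proxy (Step 4)",
    "unresolved": "name lookup failed; check the hosts file (Steps 4-5)",
    "unreachable": "no route to host; check network and VPN (Step 4)",
}

def uaa_endpoint(error_message):
    """Return (host, port) from the 'UAA at <url>' part of the client error."""
    m = re.search(r"UAA at (\S+)", error_message)
    if not m:
        return None
    url = urlsplit(m.group(1))
    return url.hostname, url.port or (443 if url.scheme == "https" else 80)

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt to host:port."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"

def diagnose(error_message, ports=(30030, 30032)):
    """Probe the port named in the error plus the ports this page mentions."""
    host, reported = uaa_endpoint(error_message)
    return {p: probe(host, p) for p in sorted({reported, *ports})}

if __name__ == "__main__":
    # Constructed sample: the message from this page with its placeholder host.
    msg = "Authentication failed. UAA at http://your-host:30030 uaa-security is not up."
    for port, status in diagnose(msg).items():
        print(f"{port}: {status} -> {HINT[status]}")
```

Replace the sample message with the exact text your client printed; an `open` result only shows that something accepts TCP connections on the port, not that the UAA behind it is healthy.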
