on 2020 Dec 31 12:14 AM

Hello CPI Experts, I am facing this error while attempting to send a REST request from Salesforce client to CPI. This interface call works well with a basic auth scenario, but has issues with certificate-based authentication. I appreciate expert help and thank you in advance!
For reference, I quote Mandy Krimmel’s blog that has been useful to a good extent: https://blogs.sap.com/2019/08/14/cloud-integration-on-cf-how-to-setup-secure-http-inbound-connection...
The CP and CPI accounts are in CF. These are NOT Trial accounts.
I confirmed that the CPI’s own keypair “sap_cloudintegrationcertificate” exists in the CPI keystore. (Fig 1 - sap_cloudintegrationcertificate Keypair).
I also confirmed that the CA entry for the CPI’s own keypair “sap_cloudintegrationcertificate” exists in Salesforce client’s TrustStore CA entries. I compared the serial numbers to confirm. (Fig 2 – Salesforce TrustStore Listing showing the CA cert of the sap_cloudintegrationcertificate Keypair).

For the Salesforce client keystore - For the time being, I am using a valid S-user Passport's keypair loaded in the Salesforce instance as a .jks file. Upon a successful connection test, we will change this to a proper CA-signed keypair. Using the keytool command, I converted the .pfx file of the S-user Passport keypair to a .jks file. Since the CPI Load Balancer should accept the CA for SAP Passport, this should not be an issue. (Fig 3 – S-user Passport Keypair Used in Salesforce client).

In the CP account, I then created a new 'Service Instance' entry of type 'Process Integration Runtime', with the default role "ESBMessaging.send" and "grant-types": "client_x509"; and created a service key using the public cert BASE64 content of the S-user Passport whose keypair was loaded in Salesforce. (Fig 4 – Service Key for the Client Cert created in CP).

In my CPI Integration Flow, for the Sender HTTPS adapter, there are only two options available - Basic Auth or Client Certificate (I think CF setup does not offer a Certificate-to-User option any longer). So I chose the Client Certificate option, and loaded the public cert of the Salesforce client (i.e., the public key of the S-User Passport) and deployed the integration flow. (Fig 5 – CPI Integration Flow, with HTTPS Sender Client Certificate setup details).

However, the following error keeps on showing in Salesforce logs: (Fig 6 – Salesforce Error Log entry):

USER_DEBUG [67]|DEBUG|RESPONSE_STRING<InvalidClientException><error>invalid_client</error><error_description>Either client certificate is not configured in any service key of a Process Integration Runtime service instance or client-certificate authentication was not enabled for your tenant (key-pair with alias 'sap_cloudintegrationcertificate' does not exist in the keystore or was not mapped to the UAA instance): sb-it-rt-xxxxxxxxxxxxxxxx!b46, client certificate MIIDjzCCAnegAwIBAgINVPYo.
I can confirm that the client certificate’s BASE64 details that appear in the error text match with the client certificate details in the Service Key.
Is there anything I missed or have done incorrectly?
Thanks for your help!
Satish Bhagwat
After receiving helpful answers from Mandy Krimmel, the author of the blog that I referenced in my post, and a lot of trial-and-error, I finally was able to resolve my issue. I am repeating my comments I placed under Mandy Krimmel's blog, to close the loop here.
I was receiving the error that I reported earlier because I had used the same S-user Passport keypair in different client applications (Salesforce, SAP CRM, etc.) for testing purposes. Not realizing that the public key contents were identical, I had created multiple service keys in different service instances for the same public certificate Base64 content. When I removed the multiple service keys having identical Base64 content and left only one service key in place, the interface started working properly.
This is the observed SAP Cloud Platform behavior:
When a service key was attempted to be created within a service instance with the same service key parameters (i.e., Base64 certificate data placed in JSON as the value of the variable "X.509"), the SAP CP logic properly stopped that attempt with an error to generate a service key.
However, multiple service keys could be generated from the same Base64 content if the keys were created in different service instances. For example, I was able to create service keys with identical Base64 content in instances "ClientCertificateAuth", "rolenx509" and "x509only" (service key names were the same in one case and different in another, but the Base64 content was identical every time).
When there are multiple service keys with the same Base64 content, AND AFTER a lag time of exactly 1 hour, then I was able to see the error that I reported earlier. If a connection test was attempted within this 1 hour, I still received an HTTP 200 OK response. So there appears to be a lifespan of 60 minutes, similar to the OAuth2 bearer token lifetime of 4,199 seconds (approx. 70 minutes).
The error was exactly the same error that I had reported earlier.
error = “invalid_client”, error_description=”Either client certificate is not configured in any service key of a Process Integration Runtime service instance or client-certificate authentication was not enabled for your tenant (key-pair with alias ‘sap_cloudintegrationcertificate’ does not exist in the keystore or was not mapped to the UAA instance): sb-it-rt-xxxxxxxnonprodcpi!b46, client certificate MIIDjzCC<Rest of the Base64 stuff>cF5sKGPn, message: 400 Bad Request”
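An added check, not part of the post above or of any SAP tooling, that finds the root cause the answer describes: one client certificate bound to service keys in more than one Process Integration Runtime instance. It assumes the service key parameters have been exported as a list of dicts carrying the "X.509" field named in the answer; the sample data and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Constructed sample data: the bytes below are a placeholder, not a real X.509
# certificate; the "X.509" field name follows the service key parameter named
# in the answer above.
FAKE_CERT_DER = b"\x30\x82\x01\x00placeholder-client-certificate-bytes"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode("ascii")
OTHER_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x40another-client-cert").decode("ascii")


def pem_wrap(b64: str) -> str:
    """Wrap raw base64 into PEM form (64-char lines between BEGIN/END markers)."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# One service key per instance, mirroring the answer: the same Passport
# certificate pasted into three instances (once raw, twice PEM-wrapped).
# The platform blocks an exact duplicate inside one instance, not across them.
SERVICE_KEYS = [
    {"instance": "ClientCertificateAuth", "key": "sf-key", "X.509": FAKE_CERT_B64},
    {"instance": "rolenx509", "key": "sf-key", "X.509": pem_wrap(FAKE_CERT_B64)},
    {"instance": "x509only", "key": "sf-key-2", "X.509": pem_wrap(FAKE_CERT_B64)},
    {"instance": "crm-instance", "key": "crm-key", "X.509": OTHER_CERT_B64},
]

_PEM_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def cert_fingerprint(cert_text: str) -> str:
    """SHA-256 over the DER bytes, so PEM, raw base64 and whitespace variants
    of the same certificate compare equal (a plain string compare would not)."""
    raw = re.sub(r"\s+", "", _PEM_MARKER.sub("", cert_text))
    der = base64.b64decode(raw, validate=True)
    return hashlib.sha256(der).hexdigest()


def find_duplicate_certs(service_keys):
    """Return {fingerprint: [(instance, key), ...]} for every certificate bound
    to more than one service key across all instances."""
    by_fp = defaultdict(list)
    for sk in service_keys:
        by_fp[cert_fingerprint(sk["X.509"])].append((sk["instance"], sk["key"]))
    return {fp: hits for fp, hits in by_fp.items() if len(hits) > 1}


if __name__ == "__main__":
    for fp, hits in find_duplicate_certs(SERVICE_KEYS).items():
        print(f"certificate {fp[:16]}... is bound to {len(hits)} service keys: {hits}")
```

Run it against a real export and keep exactly one service key per flagged fingerprint; the others are the ones the answer had to delete.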