Hello CPI Experts, I am facing this error while attempting to send a REST request from Salesforce client to CPI. This interface call works well with a basic auth scenario, but has issues with certificate-based authentication. I appreciate expert help and thank you in advance!
For reference, I quote Mandy Krimmel’s blog that has been useful to a good extent: https://blogs.sap.com/2019/08/14/cloud-integration-on-cf-how-to-setup-secure-http-inbound-connection-with-client-certificates/
The CP and CPI accounts are in CF. These are NOT Trial accounts.
I confirmed that the CPI’s own keypair “sap_cloudintegrationcertificate” exists in the CPI keystore. (Fig 1 – sap_cloudintegrationcertificate Keypair).
I also confirmed that the CA entry for the CPI’s own keypair “sap_cloudintegrationcertificate” exists in Salesforce client’s TrustStore CA entries. I compared the serial numbers to confirm. (Fig 2 – Salesforce TrustStore Listing showing the CA cert of the sap_cloudintegrationcertificate Keypair).
For the Salesforce client keystore, for the time being I am using a valid S-user Passport's keypair loaded in the Salesforce instance as a .jks file. Upon a successful connection test, we will change this to a proper CA-signed keypair. Using the keytool command, I converted the .pfx file of the S-user Passport keypair to a .jks file. Since the CPI Load Balancer should accept the CA for SAP Passport, this should not be an issue. (Fig 3 – S-user Passport Keypair Used in Salesforce client).
In the CP account, I then created a new 'Service Instance' entry of type 'Process Integration Runtime', with the default role "ESBMessaging.send" and "grant-types": "client_x509", and created a service key using the public cert BASE64 content of the S-user Passport whose keypair was loaded in Salesforce. (Fig 4 – Service Key for the Client Cert created in CP).
In my CPI Integration Flow, for the Sender HTTPS adapter, there are only two options available - Basic Auth or Client Certificate (I think CF setup does not offer a Certificate-to-User option any longer). So I chose the Client Certificate option, and loaded the public cert of the Salesforce client (i.e., the public key of the S-User Passport) and deployed the integration flow. (Fig 5 – CPI Integration Flow, with HTTPS Sender Client Certificate setup details).
However, the following error keeps showing in the Salesforce logs (Fig 6 – Salesforce Error Log entry):
USER_DEBUG |DEBUG|RESPONSE_STRING<InvalidClientException><error>invalid_client</error><error_description>Either client certificate is not configured in any service key of a Process Integration Runtime service instance or client-certificate authentication was not enabled for your tenant (key-pair with alias 'sap_cloudintegrationcertificate' does not exist in the keystore or was not mapped to the UAA instance): sb-it-rt-xxxxxxxxxxxxxxxx!b46, client certificate MIIDjzCCAnegAwIBAgINVPYo.
I can confirm that the client certificate’s BASE64 details that appear in the error text match the client certificate details in the Service Key.
Is there anything I missed or have done incorrectly?
Thanks for your help!
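One check worth running before going further, as an added example that is not from the poster, from SAP or from the blog linked above: compare the certificate pasted into the service key against the one loaded in the HTTPS sender adapter and in the Salesforce keystore by serial number and by SHA-256 fingerprint, and decode the base64 prefix that the error text prints. Comparing serial numbers alone (as done for the CA entry above) is weaker than comparing fingerprints, because only a byte-identical DER encoding proves the two are the same certificate. The DER walk below is a minimal hand-written reader that stops at serialNumber; the two sample certificates are constructed structural stubs with made-up serials (not real certificates), and the log fragment is the one quoted in the post.

```python
import base64
import hashlib
import re

# Certificate ::= SEQUENCE {
#   tbsCertificate SEQUENCE { [0] EXPLICIT version OPTIONAL, serialNumber INTEGER, ... },
#   signatureAlgorithm, signatureValue }
# Only the leading fields are walked; everything after serialNumber is never decoded.

def _read_tlv(buf, pos, strict=True):
    """Decode one DER tag/length header at pos and return (tag, value_start, value_end).
    strict=True requires the element to fit inside buf; strict=False lets value_end lie
    past the end, which is what a truncated log prefix looks like."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: no room for tag and length")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("truncated or unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if strict and end > len(buf):
        raise ValueError("truncated DER: element runs past end of input")
    return tag, pos, end

def normalize_to_der(text):
    """Accept PEM (with or without BEGIN/END lines) or bare base64 and return DER bytes.
    Padding is restored so a prefix copied out of a log line still decodes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = re.sub(r"\s+", "", body)
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body)

def _serial_tlv(der, strict=True):
    """Walk Certificate -> tbsCertificate -> [version] -> serialNumber; return its value span."""
    tag, pos, _ = _read_tlv(der, 0, strict)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos, strict)
    if tag != 0x30:
        raise ValueError("not a tbsCertificate SEQUENCE")
    tag, vstart, vend = _read_tlv(der, pos, strict)
    if tag == 0xA0:                        # explicit [0] version; absent on v1 certificates
        tag, vstart, vend = _read_tlv(der, vend, strict)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return vstart, vend

def certificate_serial(der):
    """serialNumber as upper-case hex (the form keytool and openssl print); input must be complete."""
    s, e = _serial_tlv(der, strict=True)
    return der[s:e].hex().upper()

def certificate_fingerprint(der):
    """SHA-256 over the full DER encoding, colon-separated like keytool's listing."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def is_complete_certificate(text):
    """False when the input is only a prefix, e.g. the fragment printed in an error message."""
    try:
        certificate_serial(normalize_to_der(text))
        return True
    except ValueError:
        return False

def serial_from_log_prefix(fragment):
    """For a truncated base64 prefix: (declared serial length in bytes, hex of the bytes that survive).
    Enough to match the leading bytes against the serial shown in the service key."""
    der = normalize_to_der(fragment)
    s, e = _serial_tlv(der, strict=False)
    return e - s, der[s:min(e, len(der))].hex().upper()

def compare_certificates(a_text, b_text):
    """Compare two certificate encodings; only byte-identical DER counts as the same certificate."""
    a, b = normalize_to_der(a_text), normalize_to_der(b_text)
    return {"serial_a": certificate_serial(a), "serial_b": certificate_serial(b),
            "fingerprint_a": certificate_fingerprint(a), "fingerprint_b": certificate_fingerprint(b),
            "match": a == b}

# --- constructed sample data (structural stubs, not real certificates) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _stub_certificate(serial):
    """v3 version field, the given serial, and empty placeholders for the remaining fields."""
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + _der(0x30, b"")
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

SERVICE_KEY_CERT = base64.b64encode(_stub_certificate(b"\x54\xf6\x28\x01")).decode()  # bare base64 as pasted into a service key
ADAPTER_CERT_PEM = _pem(_stub_certificate(b"\x54\xf6\x28\x01"))                        # same certificate, PEM form
OTHER_CERT_PEM = _pem(_stub_certificate(b"\x54\xf6\x28\x02"))                          # a different certificate
LOG_FRAGMENT = "MIIDjzCCAnegAwIBAgINVPYo"                                              # prefix quoted in the error text above

if __name__ == "__main__":
    print(compare_certificates(SERVICE_KEY_CERT, ADAPTER_CERT_PEM))
    print(compare_certificates(SERVICE_KEY_CERT, OTHER_CERT_PEM))
    print("complete:", is_complete_certificate(LOG_FRAGMENT), "serial from prefix:", serial_from_log_prefix(LOG_FRAGMENT))
```

On the fragment from the error text the prefix parses as a v3 certificate whose serial is 13 bytes long and starts 54:F6:28; only those three bytes survive the truncation, so the script reports that rather than guessing the rest. For the real comparison, paste the full base64 from the service key and the PEM exported from the Salesforce keystore (keytool -exportcert -rfc) into the two inputs.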