Dec 31, 2020 at 12:14 AM

Error while attempting Salesforce to CPI integration using Client Cert Auth

1177 Views Last edit Dec 31, 2020 at 12:29 AM 2 rev

Hello CPI Experts, I am facing this error while attempting to send a REST request from Salesforce client to CPI. This interface call works well with a basic auth scenario, but has issues with certificate-based authentication. I appreciate expert help and thank you in advance!

For reference, I quote Mandy Krimmel’s blog that has been useful to a good extent: https://blogs.sap.com/2019/08/14/cloud-integration-on-cf-how-to-setup-secure-http-inbound-connection-with-client-certificates/

The CP and CPI accounts are in CF. These are NOT Trial accounts.

I confirmed that the CPI’s own keypair “sap_cloudintegrationcertificate” exists in the CPI keystore. (Fig 1 - sap_cloudintegrationcertificate Keypair).

I also confirmed that the CA entry for the CPI’s own keypair “sap_cloudintegrationcertificate” exists in Salesforce client’s TrustStore CA entries. I compared the serial numbers to confirm. (Fig 2 – Salesforce TrustStore Listing showing the CA cert of the sap_cloudintegrationcertificate Keypair).

For the Salesforce client keystore, for the time being I am using a valid S-user Passport's keypair loaded in the Salesforce instance as a .jks file. Upon a successful connection test, we will change this to a proper CA-signed keypair. Using the keytool command, I converted the .pfx file of the S-user Passport keypair to a .jks file. Since the CPI Load Balancer should accept the CA for SAP Passport, this should not be an issue. (Fig 3 – S-user Passport Keypair Used in Salesforce client).

In the CP account, I then created a new 'Service Instance' entry of type 'Process Integration Runtime', with the default role "ESBMessaging.send" and "grant-types": "client_x509", and created a service key using the public cert BASE64 content of the S-user Passport whose keypair was loaded in Salesforce. (Fig 4 – Service Key for the Client Cert created in CP).

In my CPI Integration Flow, for the Sender HTTPS adapter, there are only two options available - Basic Auth or Client Certificate (I think CF setup does not offer a Certificate-to-User option any longer). So I chose the Client Certificate option, and loaded the public cert of the Salesforce client (i.e., the public key of the S-User Passport) and deployed the integration flow. (Fig 5 – CPI Integration Flow, with HTTPS Sender Client Certificate setup details).

However, the following error keeps on showing in Salesforce logs (Fig 6 – Salesforce Error Log entry):

USER_DEBUG [67]|DEBUG|RESPONSE_STRING<InvalidClientException><error>invalid_client</error><error_description>Either client certificate is not configured in any service key of a Process Integration Runtime service instance or client-certificate authentication was not enabled for your tenant (key-pair with alias 'sap_cloudintegrationcertificate' does not exist in the keystore or was not mapped to the UAA instance): sb-it-rt-xxxxxxxxxxxxxxxx!b46, client certificate MIIDjzCCAnegAwIBAgINVPYo.

I can confirm that the client certificate’s BASE64 details that appear in the error text match the client certificate details in the Service Key.

Is there anything I missed or have done incorrectly?

Thanks for your help!

Satish Bhagwat

Attachments

fig-1.png (32.7 kB)
fig-2.png (52.6 kB)
fig-3.png (83.8 kB)
fig-4.png (70.2 kB)
fig-5.png (76.3 kB)
fig-6.png (88.2 kB)
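The two manual checks the question describes (comparing certificate serial numbers, and confirming that the base64 quoted in the `invalid_client` error matches the certificate in the service key) as an added stand-alone Python script; it is not part of the original question or of SAP's tooling. It assumes the service key is available as JSON with a `certificate` field holding the PEM, and the certificate bytes at the bottom are constructed test data, not a real certificate.

```python
"""Check the client certificate quoted in a CPI 'invalid_client' error against
the certificate in a Process Integration Runtime service key (stdlib only)."""
import base64
import hashlib
import json
import re

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour, literal or real newlines and whitespace; return DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    body = body.replace("\\n", "")  # service-key JSON may keep a literal backslash-n
    return base64.b64decode("".join(body.split()))
def der_read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def cert_serial(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> optional [0] version -> serialNumber."""
    _, tbs_start, _ = der_read_tlv(der, 0)
    _, pos, _ = der_read_tlv(der, tbs_start)
    tag, vstart, vend = der_read_tlv(der, pos)
    if tag == 0xA0:  # explicit [0] version is present; skip to the next element
        tag, vstart, vend = der_read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber must be a DER INTEGER")
    return int.from_bytes(der[vstart:vend], "big", signed=True)

def check_service_key(service_key_json: str, error_message: str) -> dict:
    """Fingerprint and serial of the service-key certificate, plus whether the
    base64 quoted in the error message is a prefix of that same certificate."""
    der = pem_to_der(json.loads(service_key_json)["certificate"])
    m = re.search(r"client certificate ([A-Za-z0-9+/=]+)", error_message)
    quoted = m.group(1) if m else ""
    return {"sha256": hashlib.sha256(der).hexdigest(),
            "serial": cert_serial(der),
            "prefix_matches": bool(quoted)
            and base64.b64encode(der).decode().startswith(quoted)}

def tlv(tag: int, content: bytes) -> bytes:
    """Short-form DER TLV encoder, used only to build the constructed test data."""
    return bytes([tag, len(content)]) + content

# CONSTRUCTED: just the leading TBSCertificate fields (version 3, serial 0x010203).
CONSTRUCTED_DER = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\x02\x03")))
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_DER).decode()
CONSTRUCTED_KEY = json.dumps({"certificate": "-----BEGIN CERTIFICATE-----\n" + CONSTRUCTED_B64 + "\n-----END CERTIFICATE-----\n"})
CONSTRUCTED_ERROR = "<error>invalid_client</error> ... client certificate " + CONSTRUCTED_B64[:12] + "."
```

Run `check_service_key` with the real service-key JSON and the full error text; a `prefix_matches` of False means the tenant is presenting a different certificate than the one registered in the service key, while True points the search at the keystore alias mapping mentioned in the error instead.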