Skip to Content

Client Certificate Authentication and Test tool


I try to set up a Certificate based client authentication on our SAP PI 7.3 SP13 System. Steps done so far:

I take this blog as basis:

and implement all the config steps with one exception, I'd like to use UserName/Password as well as Certificate based authentication and therefore I keep ClientCertLoginModule(OPTIONAL) and BasicPasswordLoginModule(OPTIONAL)...


1. I try to test it with SOAP UI, but I always get error message saying client certificate required

That means and that I see also in secutiry log, seems like the Certificate is not beeing sent from SOAP UI... Which Tool do you use to do this kind of tests?

2. Even I configure both Modules as optional or ClientCert as optional and BasicPassword as Sufficient, and I configure UserName/Password for user I'm still getting the client certificate required exception... Do you know why?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

5 Answers

  • May 17, 2017 at 02:52 PM


    anyone able to help here please?


    Add comment
    10|10000 characters needed characters exceeded

  • May 18, 2017 at 07:41 AM

    Dear Milan,

    I do not know if you would like to reach the PI system with Client Authentication, or would like to reach some target server. If you would like to reach the PI system, please check the following page: http://host:port/ssl -> here are ports listed. If you connect to port which has Clien Atuthentication Mode "Required" it will always fail.

    Here is a blog about how to use SOAP UI to test Cerftificate based authentication:

    Best regards,


    Add comment
    10|10000 characters needed characters exceeded

  • May 24, 2017 at 12:18 PM

    Hi Bence,

    I'd like to test 3rd party to SAP PI using Client Certificate Authentication... To simulate the 3rd party for Web Service scenarios I'm usually using the SOAP UI... The same tool I try to use here as well.

    I start from the issue Nr 2:

    I have 2 login Modules for SOAP now, BasicPasswordLoginModule and ClientCertLoginModule, both configured as sufficient... If I configure the Sender SOAP channle correctly, using HTTP Security Level: HTTPS Without Client Authentication I'm able to use UserName and Password to send a message... The client certificate required comes because of the channel config and not because of the LoginModules Config...

    The second issue is still there. So I'd like to use the SOAP UI and post the message using Client Certificate I get: HTTP 401 Unauthorized... If I try to trace the channel with xpi_inspector I see in logs: No certificate provided by the callback.

    So I just expect that the SOAP UI do not include the Client Certificate in the call... Even of course I have configured the KeyStore on the Project Level and use the KeyStore on the Request level...

    If I specify at least a UserName then I see in in logs that login failed... If I do not specify UserName, like on this screenshot I see in logs that authentication failed.

    Add comment
    10|10000 characters needed characters exceeded

  • May 29, 2017 at 10:44 AM


    Is your PI system dual or single stack ? if dual then you need to have the public certificate in STRUST too.

    Recently i did this with java stack and was able to test it successfully from SOAP UI.



    Add comment
    10|10000 characters needed characters exceeded

  • May 31, 2017 at 12:10 PM

    Hi Manoj,

    sorry for the stupid question, but in which View do I need to load the Public Certifcate in STRUST?



    Add comment
    10|10000 characters needed characters exceeded