Skip to Content

Client Certificate Authentication and Test tool

May 11, 2017 at 01:54 PM


avatar image


I try to set up a Certificate based client authentication on our SAP PI 7.3 SP13 System. Steps done so far:

I take this blog as basis:

and implement all the config steps with one exception, I'd like to use UserName/Password as well as Certificate based authentication and therefore I keep ClientCertLoginModule(OPTIONAL) and BasicPasswordLoginModule(OPTIONAL)...


1. I try to test it with SOAP UI, but I always get error message saying client certificate required

That means and that I see also in secutiry log, seems like the Certificate is not beeing sent from SOAP UI... Which Tool do you use to do this kind of tests?

2. Even I configure both Modules as optional or ClientCert as optional and BasicPassword as Sufficient, and I configure UserName/Password for user I'm still getting the client certificate required exception... Do you know why?

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

5 Answers

Milan Konecny May 17, 2017 at 02:52 PM


anyone able to help here please?


10 |10000 characters needed characters left characters exceeded
Bence Somlyo
May 18, 2017 at 07:41 AM

Dear Milan,

I do not know if you would like to reach the PI system with Client Authentication, or would like to reach some target server. If you would like to reach the PI system, please check the following page: http://host:port/ssl -> here are ports listed. If you connect to port which has Clien Atuthentication Mode "Required" it will always fail.

Here is a blog about how to use SOAP UI to test Cerftificate based authentication:

Best regards,


10 |10000 characters needed characters left characters exceeded
Milan Konecny May 24, 2017 at 12:18 PM

Hi Bence,

I'd like to test 3rd party to SAP PI using Client Certificate Authentication... To simulate the 3rd party for Web Service scenarios I'm usually using the SOAP UI... The same tool I try to use here as well.

I start from the issue Nr 2:

I have 2 login Modules for SOAP now, BasicPasswordLoginModule and ClientCertLoginModule, both configured as sufficient... If I configure the Sender SOAP channle correctly, using HTTP Security Level: HTTPS Without Client Authentication I'm able to use UserName and Password to send a message... The client certificate required comes because of the channel config and not because of the LoginModules Config...

The second issue is still there. So I'd like to use the SOAP UI and post the message using Client Certificate I get: HTTP 401 Unauthorized... If I try to trace the channel with xpi_inspector I see in logs: No certificate provided by the callback.

So I just expect that the SOAP UI do not include the Client Certificate in the call... Even of course I have configured the KeyStore on the Project Level and use the KeyStore on the Request level...

If I specify at least a UserName then I see in in logs that login failed... If I do not specify UserName, like on this screenshot I see in logs that authentication failed.

10 |10000 characters needed characters left characters exceeded
Manoj K May 29, 2017 at 10:44 AM


Is your PI system dual or single stack ? if dual then you need to have the public certificate in STRUST too.

Recently i did this with java stack and was able to test it successfully from SOAP UI.



10 |10000 characters needed characters left characters exceeded
Milan Konecny May 31, 2017 at 12:10 PM

Hi Manoj,

sorry for the stupid question, but in which View do I need to load the Public Certifcate in STRUST?



Show 1 Share
10 |10000 characters needed characters left characters exceeded

It should be SSL Client ( Standard).