Symptom
SAP C4C Inbound Messages are being rejected with error HTTP 401 - Unauthorized in the Middleware SAP Cloud Platform Integration
Environment
- SAP Cloud for Customer
- SAP Cloud Platform Integration
Reproducing the Issue
- Check the Messages in the SAP Cloud Platform Integration Monitor and validate that some messages are failing with the error HTTP 401 - Direction ERP -> CPI -> C4C
- Check the SAP C4C Communication Arrangement Certificates for Inbound Interfaces - The CN and the Serial Number will Match the Certificate set in the CPI.
- C4C Does not have any message regarding the HTTP 401.
Cause
This issue happens if you use a newly provisioned SAP key pair within SAP CPI to do outbound authentication towards SAP C4C.
Resolution
Renew the old unsupported CPI client certificate as per KBA: 2738541 - CPI Certificate Renewal. Please ensure the full Keypair chain has been imported in the C4C trust list at Administrator > Common tasks > Edit certificate trust list.
Or
You can export the SSL Key Pair from SAP C4C, import in to SAP Cloud Platform Integration and use it to authenticate towards SAP C4C.
Sequence of Steps to be performed at SAP C4C:
1 - Open your C4C > Administrator > General Settings > Communication Arrangements > * Choose the Affected Communication Arrangement
2 - Click on View All on the Communication Arrangement:
3 - Click on the Technical Data:
4 - Click Edit Credentials:
5 - Click on the Certificate Tab
6 - Click and Download Key Pair
7 - Enter the password to Protect the SSL Keypair
8 - Download the Certificate p12 file (Please note that some Internet Browsers can block this action)
9 - Copy the Certificate Serial Number and Convert to Hexadecimal to compare with the SAP Cloud Platform Integration
10 - Don't Forget to Hit the OK Button
11 - -=# SAVE AND REACTIVATE +=- If you do not do this step the SSL Keypair Will be discarded
Importing in to your SAP Cloud Platform Integration:
1 - Logon on your SAP CPI and open the Monitoring > Keystore
2 - Add a New Key Pair on the SAP CPI
3 - Fill the options and select the file like the example :
* Use the same password you have used in the C4C Keypair Creation.
4 - The Keypair will appear on the SAP CPI Keystore List
5 - Compare the Serial Number Hexadecimal with the Serial Number Decimal with your C4C Recently Created Keypair.
* Also is a good practice to create an appointment on your calendar to alert the expiration date of the keypair.
6 - Enter on the SAP Cloud Platform Integration Design mode and Enter on your Integration Package
7 - Select the TAB Artifacts and open the iFlow that you need to change.
8 - Click on the Configure Section of the iFlow
9 - Configure the Private Key Alias on the Receiver Section of the Iflow:
10 - Click on Save and after click Deploy the iflow
Your system now should re-establish the connection with SAP C4C and the HTTP 401 will not appear anymore on the SAP Cloud Platform Monitor.
Keywords
C4C SSL Certificates, HTTP 401, Unauthorized, CPI HTTP 401, 401 , KBA , LOD-CRM-INT-ERP , Integration of C4C with ERP , How To