/support/notes/service/sap_logo.png){kind=logo}
SAP Knowledge Base Article - PreviewSymptom
You are setting up a connection between PI or PO and CPI where Client Certificate Authentication is intended, and it fails with 401 Unauthorized. In PI/PO Receiver channel you are going to see errors similar to the one below:
Error while processing outbound message. HTTP POST call to https://<tenant-id>-iflmap.hcisbp.<host>.hana.ondemand.com/http/<endpoint> not successful.
The HTTP logs from CPI will show that no credentials were sent by PI/PO:
xx.xxx.xxx.x (xxx.xxx.xxx.xx) - - [10/Dec/2020:18:30:59 +0000] GET /<endpoint> HTTP/1.1 401
In the XPI Inspectors traces collected from PI/PO, it is possible to see that incorrect or no client certificate was available, therefore the system sent an incorrect or empty certificate which explains the error in CPI:
[...]
Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.af.sdk.xi.net.exception.HttpException: User is not authorized! HTTP 401
[...]
SOAP: Call failed: com.sap.aii.af.sdk.xi.net.exception.HttpException: User is not authorized! HTTP 401
[...]
Failed to call the endpoint: Error in call over HTTP: HTTP 401
If empty certificate is sent, you will also see information in the trace:
[...]
ssl_debug(105): Received server_hello_done handshake message.
ssl_debug(105): No client certificate available, sending empty certificate message...
[...]
Client Certificate check might show error:
ERROR: The issuer of the certificate doesn't match the subject of certificate #1
ERROR: The issuer of the certificate #<X> doesn't match the subject of certificate #<Y>
Read more...
Environment
- SAP Integration Suite
- SAP Cloud Integration
- SAP Netweaver
- SAP Process Integration
Product
Keywords
SAP HANA Cloud Integration, SAP HCI, SAP CPI, SCPI, tenant, iFlow, Integration Flow, SOAP receiver channel, REST receiver channel, client certificate authentication, certificate authority, CA, certificate chain, issued, trusted, MessagingException, SocketException, Connection reset, No client certificate available, sending empty certificate message, handshake failure, Connection reset by peer, socket write error, SSL, TLS, Process Integration 7.0, PI 7.0, PI 7.01, PI 7.02, Process Integration 7.10, PI 7.10, Process Integration 7.11, PI 7.11, Process Integration 7.30, PI 7.30, Process Integration 7.31, PI 7.31, Process Orchestration 7.4, PI 7.4, PO 7.4, Process Orchestration 7.5, PI 7.5, PO 7.5, XI, AEX, soap adapter, rest adapter, rest, soap, SAP Cloud Integration, SAP Integration Suite, , KBA , LOD-HCI-PI-OPS , Cloud Operations , BC-XI-CON-AFW-SEC , Security , Problem
About this page
This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.
/support/notes/service/facebook.svg)
/support/notes/service/twitter.svg)
/support/notes/service/youtube.svg)
/support/notes/service/linkedin.svg)
/support/notes/service/instagram2.svg)