SAP Knowledge Base Article - Preview

3364579 - Possible Issues after Certificate Pinning is Disabled for Cloud Integration [New Feature]


Certificate based inbound authentication (KeyType: External Certificate) fails with following errors:

In case of the pinning is set to false and there are conflicting keys configured already, this can result in below symptoms: 

  1. The inbound HTTP call fails with a generic HTTP 401 status
  2. The CPI server logs contain a warning log "XSUAA could not authenticate OAuth client with client ID" on logger “”.
  3. In the AuditLog of the subscriber account will be messages like this:
    • "Multiple clones found for certificate <SubjectDN>, <IssuerDN>"
    • "Error while mapping clone certificate"
    • "Error resolving master by certificate"

Note: (a) and (b) are generic errors and will also be used in other authentication failures – this alone is not sufficient. Condition (c) must be checked as well.



SAP Cloud Integration in Cloud Foundry 


Cloud Integration all versions


pinning, Certificate Pinning, Process Integration Runtime, service key, plan, integration-flow, CF, cloud foundry, client certificate, authentication, Cloud Integration, Subject, Issuer, pinning, false, pinning, true, inbound HTTP, call fails, HTTP 401, XSUAA could not authenticate OAuth client with client ID,, AuditLog, Multiple clones found for certificate, <SubjectDN>, <IssuerDN>, Error while mapping clone certificate, Error resolving master by certificate, , KBA , LOD-HCI-PI-CON-SOAP , SOAP Adapter , LOD-HCI-PI-OPS , Cloud Operations , Product Enhancement

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.