SAP Knowledge Base Article - Preview

3364579 - Possible Issues after Certificate Pinning is Disabled for Cloud Integration [New Feature]

Symptom

Certificate-based inbound authentication (KeyType: External Certificate) fails with the following errors:

If pinning is set to false and conflicting keys are already configured, this can result in the symptoms below:

  1. The inbound HTTP call fails with a generic HTTP 401 status.
  2. The CPI server logs contain the warning "XSUAA could not authenticate OAuth client with client ID" on logger "com.sap.it.security.multicloud.authentication.UaaTokenBroker".
  3. The AuditLog of the subscriber account contains messages like these:
    • "Multiple clones found for certificate <SubjectDN>, <IssuerDN>"
    • "Error while mapping clone certificate"
    • "Error resolving master by certificate"

Note: Symptoms 1 and 2 are generic errors that also appear in other authentication failures, so on their own they are not sufficient. Condition 3 must be checked as well.
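The triage rule in the note above, as an added example that is not part of the SAP article: it flags a key conflict only when the AuditLog messages are present alongside the generic symptoms. The message strings come from the article; the function name, the verdict labels, the log line layout and the sample lines are constructed assumptions.

```python
import re

# Strings quoted in the article. The layout of the lines around them is an assumption.
BROKER_LOGGER = "com.sap.it.security.multicloud.authentication.UaaTokenBroker"
BROKER_WARNING = "XSUAA could not authenticate OAuth client with client ID"
AUDIT_MARKERS = (
    "Multiple clones found for certificate",
    "Error while mapping clone certificate",
    "Error resolving master by certificate",
)
# Subject and issuer DNs both contain commas, so the pair is kept as one string.
CLONE_RE = re.compile(r"Multiple clones found for certificate\s+(.+)")


def triage(http_status, server_log_lines, audit_messages):
    """Classify a failed inbound call using the three symptoms (hypothetical helper)."""
    got_401 = http_status == 401
    broker_warn = any(BROKER_LOGGER in line and BROKER_WARNING in line
                      for line in server_log_lines)
    audit_hits = [m for m in audit_messages if any(k in m for k in AUDIT_MARKERS)]
    certs = set()
    for msg in audit_hits:
        match = CLONE_RE.search(msg)
        if match:
            certs.add(match.group(1).strip().strip('"'))
    if audit_hits and (got_401 or broker_warn):
        verdict = "conflicting-keys"       # symptom 3 confirms symptoms 1 and 2
    elif audit_hits:
        verdict = "audit-only"             # conflict logged, no failed call observed
    elif got_401 or broker_warn:
        verdict = "generic-auth-failure"   # symptoms 1 and 2 alone are not sufficient
    else:
        verdict = "no-match"
    return {"verdict": verdict, "http_401": got_401, "broker_warning": broker_warn,
            "audit_hits": len(audit_hits), "certificates": sorted(certs)}


# Constructed sample input (not real SAP log output).
SAMPLE_SERVER_LOG = [
    "2024-01-01T10:00:00Z WARN " + BROKER_LOGGER + " " + BROKER_WARNING + " sb-example",
]
SAMPLE_AUDIT = [
    "Multiple clones found for certificate CN=client.example,O=Example, CN=Example CA,O=Example",
    "Error while mapping clone certificate",
]

if __name__ == "__main__":
    print(triage(401, SAMPLE_SERVER_LOG, SAMPLE_AUDIT))
    print(triage(401, SAMPLE_SERVER_LOG, []))
```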



Environment

SAP Cloud Integration in Cloud Foundry 

Product

Cloud Integration all versions

Keywords

pinning, Certificate Pinning, Process Integration Runtime, service key, plan, integration-flow, CF, cloud foundry, client certificate, authentication, Cloud Integration, Subject, Issuer, pinning, false, pinning, true, inbound HTTP, call fails, HTTP 401, XSUAA could not authenticate OAuth client with client ID, com.sap.it.security.multicloud.authentication.UaaTokenBroker, AuditLog, Multiple clones found for certificate, <SubjectDN>, <IssuerDN>, Error while mapping clone certificate, Error resolving master by certificate, KBA, LOD-HCI-PI-CON-SOAP, SOAP Adapter, LOD-HCI-PI-OPS, Cloud Operations, Product Enhancement

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).
