Symptom
Certificate based inbound authentication (KeyType: External Certificate) fails with following errors:
In case of the pinning is set to false and there are conflicting keys configured already, this can result in below symptoms:
- The inbound HTTP call fails with a generic HTTP 401 status
- The CPI server logs contain a warning log "XSUAA could not authenticate OAuth client with client ID" on logger “com.sap.it.security.multicloud.authentication.UaaTokenBroker”.
- In the AuditLog of the subscriber account will be messages like this:
-
- "Multiple clones found for certificate <SubjectDN>, <IssuerDN>"
- "Error while mapping clone certificate"
- "Error resolving master by certificate"
Note: (a) and (b) are generic errors and will also be used in other authentication failures – this alone is not sufficient. Condition (c) must be checked as well.
Read more...
Environment
SAP Cloud Integration in Cloud Foundry
Product
Keywords
pinning, Certificate Pinning, Process Integration Runtime, service key, plan, integration-flow, CF, cloud foundry, client certificate, authentication, Cloud Integration, Subject, Issuer, pinning, false, pinning, true, inbound HTTP, call fails, HTTP 401, XSUAA could not authenticate OAuth client with client ID, com.sap.it.security.multicloud.authentication.UaaTokenBroker, AuditLog, Multiple clones found for certificate, <SubjectDN>, <IssuerDN>, Error while mapping clone certificate, Error resolving master by certificate, , KBA , LOD-HCI-PI-CON-SOAP , SOAP Adapter , LOD-HCI-PI-OPS , Cloud Operations , Product Enhancement
About this page
This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.