Symptom
You would like to use certificate-based communication as the authentication method between Service Cloud and the Integration Suite for both of the following:
- The Communication System
- The API User, for the open API integration
However, the system raises an error that a User with the certificate holder already exists.
Environment
Sales and Service Cloud Version 2
Reproducing the Issue
Try to set certificate-based authentication for the Communication System as well as for the API User. You will come across the error: User with certificate holder "Certificate Subject Name" already exists
It seems that the certificate of the Integration Suite can be assigned to only one of the two: either the Communication System or the API User, but not both, while using the same CPI key pair certificate.
Cause
This is the expected behavior.
Resolution
A certificate has to be unique for a tenant. If it is reused, there is no possibility of identifying which user or communication system is being authenticated with it.
Sales Cloud Version 2 does not offer a way to generate key pair certificates, so if you want to use a certificate other than the unique one generated by CPI (Key Pair), you must use one of the alternatives below.
Possible alternatives:
- Generate an SAP Passport to be used as a client certificate. After you get the SAP Passport key pair, you should also add it to the CPI Key Store. The SAP Passport is available at https://support.sap.com/en/my-support/single-sign-on-passports.html
The procedure is described in the following SAP Article: 1296615 - How to apply for and install the SAP Passport browser certificate.
- Create a new CPI Key Pair. It will come as a self-signed certificate, which means you will have to create a new request to one of the Certificate Authorities accepted by SAP. Otherwise, Sales Cloud will not accept it.
This is described in the CPI Guide: https://help.sap.com/docs/integration-suite/sap-integration-suite/setting-up-key-pairs-and-certificates
"After creating the key pair, download the certificate signing request. To do that, open the Monitor section and under Manage Security select the Keystore tile. Select the newly uploaded key pair and in the Actions column choose Download Signing Request... Once the certificate signing request has been downloaded (as .csr file), make sure to get it signed by one of the root CAs, supported by the SAP load balancer. Update the key pair with the signing response file."
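A local check on the signing response before updating the key pair, as an added example that is not part of the SAP article or the CPI Guide: it confirms that the signed certificate carries the same public key as the downloaded CSR and is no longer self-signed. All file names and subject names are constructed for the demo, and the check does not verify that the issuer is one of the root CAs supported by the SAP load balancer.

```shell
#!/bin/sh
# Added example: check a signing response against its CSR before updating the key pair.
# All file names and subject names are constructed for this demo.

# SHA-256 of the public key inside a CSR ($1 = req) or certificate ($1 = x509).
pubkey_hash() {
  openssl "$1" -in "$2" -noout -pubkey | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Self-signed means subject and issuer are the same name.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')" = \
    "$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')" ]
}

# check_signing_response CSR CERT: prints a verdict, returns 0 only when usable.
check_signing_response() {
  if [ "$(pubkey_hash req "$1")" != "$(pubkey_hash x509 "$2")" ]; then
    echo "KEY_MISMATCH"; return 1   # response belongs to a different key pair
  fi
  if is_self_signed "$2"; then
    echo "SELF_SIGNED"; return 1    # CSR was never signed by a CA
  fi
  echo "OK $(openssl x509 -in "$2" -noout -subject -nameopt RFC2253)"
}

# Constructed material: throwaway CA, client key pair + CSR, two candidate responses.
make_demo_files() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Demo Root CA" -days 1 &&
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
      -subj "/CN=demo-cpi-client" &&
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out signed.pem -days 1 &&
    openssl x509 -req -in client.csr -signkey client.key -out selfsigned.pem -days 1
  ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
for f in signed.pem selfsigned.pem ca.pem; do
  printf '%s: ' "$f"
  check_signing_response "$demo_dir/client.csr" "$demo_dir/$f" || true
done
```

The subject printed on the OK line is the certificate holder name that has to be unique within the tenant.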
Keywords
KBA, CEC-CRM-INT, Integration for SAP Sales/Service Cloud, Problem
SAP Knowledge Base Article - Public