SAP Knowledge Base Article - Public

3742580 - Communication Arrangement in C4C allows user/password authentication despite set to "Client Certificate"

Symptom

  • A Communication Arrangement (e.g., OData) is configured with Authentication Method: SSL Client Certificate.

  • Despite this setting, the system still allows access using Basic Authentication (User ID and Password).

  • Users are unable to "blank out" or remove a password once it has been set in the Edit Credentials dialog.

Environment

SAP Cloud for Customer (C4C)

Reproducing the Issue

  • Navigate to Communication Arrangements: Go to the Administrator work center and select Communication Arrangements.
  • Select/Create an Arrangement: Choose an OData-based arrangement (e.g., OData Services for Business Objects).
  • Configure Authentication: Set the Authentication Method to SSL Client Certificate and click Edit Credentials.
  • Crucial Step: Do not create a certificate yet; instead, define a Password for the user and click OK.
  • Activate: Save and Activate the communication arrangement.
  • Test via Browser or API Client (e.g., Postman):
      • Use the Service URL provided in the arrangement.
      • When prompted for credentials (or using Basic Auth headers), enter the User ID shown in the arrangement and the Password you just created.

The system grants access and returns the OData metadata/data, even though the arrangement is explicitly set to "SSL Client Certificate." 

Cause

Authentication in SAP Cloud solutions is validated at the Identity Level (Technical User) rather than at the Application Level (Communication Arrangement).

  1. User-Centric Authentication: The Communication System creates a technical user. This user profile acts as a container for all valid passwords and certificates.

  2. Dual-Stack Support: To ensure integration flexibility, the system allows a technical user to possess both a password and a certificate simultaneously. If a caller presents either a valid password or a valid certificate, the system grants access.

  3. UI Configuration vs. Enforcement: Selecting "SSL Client Certificate" in the Communication Arrangement UI defines the intended connection type and provides the interface to manage certificates, but it does not technically disable the password-checking mechanism for that user ID.

Resolution

This behavior is by design to maintain compatibility across complex integration landscapes. To enforce certificate-only access or transition away from Basic Authentication, use the following methods:

New Integration (Recommended):

When creating a new Communication System/User intended for certificate-only access, do not enter a password during the initial setup. If the password field remains empty in the database, Basic Authentication will naturally fail, leaving the Certificate as the only viable entry point. 

Transitioning an Existing User:

If a password is already maintained, the UI will not allow you to save the credentials as "Blank." To deactivate password access:

  1. Password Lockout: Intentionally attempt to connect using the User ID and an incorrect password multiple times. This will lock the password-based access for that technical user.

  2. Certificate Continuity: Locking the password does not affect certificate-based authentication. The user can continue to authenticate successfully using the SSL Client Certificate/Keypair.

The system validates the User ID. If the user has a valid password, the system cannot "ignore" it based on an arrangement setting. The arrangement setting is a configuration preference, not a security firewall. For strict enforcement, the password must be absent or locked if it is not needed for authentication.
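A verification check for the Resolution above (and for the test in Reproducing the Issue), added here and not part of the SAP KBA: it sends one request to the arrangement's OData URL with a Basic Auth header and one with the client certificate, then reports whether password access is still open. The Service URL, User ID, password and PEM file names are placeholders to replace with the values from your own arrangement.

```python
import base64
import http.client
import ssl
from urllib.parse import urlsplit

def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization value a client such as Postman sends for Basic Auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def https_status(url: str, headers=None, certfile=None, keyfile=None) -> int:
    """GET the URL and return the HTTP status; present the PEM client cert when given."""
    parts = urlsplit(url)
    ctx = ssl.create_default_context()
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPSConnection(parts.netloc, context=ctx, timeout=30)
    conn.request("GET", path, headers=headers or {})
    status = conn.getresponse().status
    conn.close()
    return status

def classify(basic_status: int, cert_status: int) -> str:
    """Turn the two probe results into a verdict; anything but 200 (usually 401/403) is a rejection."""
    password_open = basic_status == 200
    cert_ok = cert_status == 200
    if cert_ok and not password_open:
        return "certificate-only"          # the enforced state the KBA aims for
    if cert_ok and password_open:
        return "password-still-accepted"   # the symptom described in this KBA
    if password_open:
        return "password-only"             # certificate/keypair not accepted
    return "no-access"                     # neither credential works

def audit(url, user, password, certfile, keyfile, probe=https_status) -> str:
    """Probe one arrangement both ways; `probe` is injectable for offline tests."""
    basic = probe(url, headers={"Authorization": basic_auth_header(user, password)})
    cert = probe(url, certfile=certfile, keyfile=keyfile)
    return classify(basic, cert)

if __name__ == "__main__":
    # Placeholders only: substitute the Service URL, User ID, password and PEM keypair of your arrangement.
    print(audit("https://TENANT_HOST/SERVICE_URL_FROM_ARRANGEMENT/$metadata", "USER_ID_FROM_ARRANGEMENT",
                "PASSWORD_PLACEHOLDER", "client_cert.pem", "client_key.pem"))
```

Run it once before locking or removing the password and once afterwards; the verdict should move from "password-still-accepted" to "certificate-only".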

See Also

Additional information: Create a Communication Arrangement | SAP Help Portal 

Keywords

C4C, Integration, Communication Arrangement, Authentication, Authentication Method, SSL Client Certificate, Basic Authentication, User ID, Password, KBA, LOD-CRM-INT-ERP, Integration of C4C with ERP, LOD-CRM-INT-API, OData API (C4C Only), How To

Product

SAP Cloud for Customer core applications 2508