Aashish Sinha

Sender SOAP Adapter: HTTPS with Client Authentication

I have worked on multiple scenarios where we received data from our partners, and I know most of you, like me, exchange certificates rather than using a simple username/password combination when exchanging data with partners over HTTPS.

Very commonly, after exchanging certificates and completing all SSL configuration, partners are still unable to post data to us and get errors related to username/password. Partners get the error below when calling the SAP PI SOAP URL.

401 – Unauthorized error.

A very simple solution to this error is to create a username/password and give it to the partner to include in their program when posting data. Sometimes partners ask us to make the call anonymous so that they can post data anonymously.

To make SOAP Adapter calls anonymous, see William Li’s reply in the thread below.

http://scn.sap.com/thread/236507

Personally, I don’t like this solution as it disables XISOAPAdapter login for all requests.

Now we are back to square one, and the question is still with us.

What is the use of exchanging certificates?

We exchange certificates because we don’t want to use a username and password, and communication between partners and our system should be automatic.

Let’s go a bit inside of this issue.

Let’s say the following things are done on our side:

  1. Certificates exchanged and installed.
  2. SSL configured (that is, HTTPS ports are created).

Once these two are done, we normally complete our scenario. In the SOAP Sender channel, we choose one of the HTTP security levels. There are three options:

  • HTTP
  • HTTPS Without Client Authentication
  • HTTPS With Client Authentication

HTTP is our normal scenario. With HTTPS without Client Authentication, the system does not look for client certificates. With HTTPS with Client Authentication, it does. So when we exchange certificates, we need to select option 3.

But when we choose it, partners start getting the unauthorized error, because our system is not yet ready to receive data from partners. We need to make changes in our system.

We faced similar issues and had to dig deep to find a solution.

In the end, we succeeded in setting up client authentication with certificate exchange for the Sender SOAP Adapter with our partners.

The requirement was to receive data (XML data) from partners in our system using the SOAP Adapter. While establishing the connection and posting data to our PI box, partners were getting a 401 – Unauthorized error.

The scenario for this interface was SOAP (XML message from partner) -> SAP PI -> SAP ECC (standard server proxy). The development procedure is the normal one, and I assume all PI development is complete.

Note: PI development is not part of this weblog.

Assumptions

  1. Certificates are exchanged.
  2. SSL ports are configured.
  3. Certificates are already installed in the PI system (STRUST/NWA: Certificates).
  4. All network/DNS work is done, e.g. port opening, public IP etc.

First we will check the configuration of the SOAP Sender channel for this scenario.

SOAP Sender Communication Channel –

Communication Channel.png

As you can see above, the value selected for HTTP Security Level is HTTPS with Client Authentication. This means SAP PI authenticates the certificate that comes with the SOAP request, and only then is the message posted to PI and ECC.

How does it work?

When a SOAP request from a partner reaches SAP PI, the system reads the information from the certificate, looks up the user associated with that certificate, and authenticates this user against the SOAP Adapter. Once authentication succeeds, the system checks the authorizations of the associated user to confirm that the user is allowed to post data to the PI system. If everything is fine, the data is posted to SAP PI.

Now the question is how we make all these settings in PI. Below are the steps:

Step 1 – Find a service user for which we will install the certificate. To do so, go to the location below in NWA.

NWA -> Configuration -> Identity Management

Enter the username and click Go. (You can use the service user PIISUSER.) Then select the user and check whether you have a Certificates tab. If you don’t have a Certificates tab, proceed as follows.

UserRoles tab 1.PNG

Go to –

NWA -> Configuration -> Authentication and Single Sign On

Click on Properties and modify the value of ume.logon.allow_cert as below.

Authentication and SSO_Ume.PNG

Once the above setting is saved, go back to Identity Management and open the user for which you want to install the certificate. In my case, I am using the service user PIISUSER. You will see that the Certificates tab has appeared.

Certificate tab.PNG

Click on the Certificates tab, click Modify, and then upload the certificate you exchanged with your partner.

Certificate Installed.PNG

Once the above is done, we are halfway through.

Step 2 – Go to NWA -> Configuration -> Authentication and Single Sign On -> Authentication tab

Authentication and SSO_step 2.PNG

From the Type filter, choose Other and press Enter.

Other Filter_SSO.PNG

Now we need to change the values for the CertLogon and Default entries under Policy Configuration Name.

PolicyConfig_step2.PNG

Click on Edit and set the value of both policies to client_cert, as in the screenshot below.

PolicyConfig_ClientCertAssignment.PNG

We are done with the second step. The final step takes care of SOAP Adapter authentication.

Step 3 – This step assigns what you did above to XISOAPAdapter. Do you remember this parameter in the SOAP Sender URL? Yes, we need to set the value for it as well to make this scenario work with client authentication.

SOAP URL.PNG

To configure XISOAPAdapter, go to

NWA -> Configuration -> Authentication and Single Sign On -> Authentication tab

From the Type dropdown, choose Web. On the next screen, filter for *SOAP* in Policy Configuration Name and you will get the SOAP Adapter details.

XISOAPAdapter_Config1.PNG

Select the XISOAPAdapter line and click on Edit to modify the value. Assign the value client_cert under Used Template, as below.

XISOAPAdapter_Config2.PNG

XISOAPAdapter_Config3.PNG

Now we are ready to receive data with the SOAP Sender Adapter using HTTPS with Client Authentication.

Below are the traces of a message received when the partner sent a SOAP request to us –

Trace 1 -XPI.png

Trace 2.png

message monitoring.PNG

We are done with the configuration and messages started flowing to our system.

The most important part of this scenario is that the SOAP request must carry the certificate. Only then will the system look up the certificate and authenticate the user.
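A client-side sketch of what "the SOAP request should have the certificate" means in practice, added here as an example and not part of the original post. The host, port, channel name, envelope and file names are constructed placeholders.

```python
import ssl
import urllib.error
import urllib.request

# Constructed placeholders: host, port, channel and file names are not from the post.
PI_URL = ("https://pi.example.com:50001/XISOAPAdapter/MessageServlet"
          "?channel=:BS_PARTNER:CC_SOAP_SENDER")
ENVELOPE = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soapenv:Body><Ping xmlns="urn:example:partner"/></soapenv:Body>'
            b'</soapenv:Envelope>')


def build_context(ca_file=None, cert_file=None, key_file=None):
    """Verify the PI server certificate and, if given, present a client certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    if cert_file:
        # Only the certificate is sent; the private key stays on the client and
        # is used to prove possession during the TLS handshake.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def build_request(url=PI_URL, envelope=ENVELOPE):
    """SOAP POST without an Authorization header: the certificate is the credential."""
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'}
    return urllib.request.Request(url, data=envelope, headers=headers, method="POST")


def diagnose(status):
    """Map the HTTP status to the part of the setup described in the post."""
    if 200 <= status < 300:
        return "accepted: certificate mapped to a user, message posted"
    if status == 401:
        return ("unauthorized: certificate not sent with the request, or the "
                "user mapping / client_cert assignment (Steps 1-3) is incomplete")
    return "other error: check the adapter trace, e.g. XPI Inspector"


def post_with_client_cert(cert_file, key_file, ca_file=None):
    """Send the sample envelope and return (status, diagnosis)."""
    ctx = build_context(ca_file, cert_file, key_file)
    try:
        with urllib.request.urlopen(build_request(), context=ctx, timeout=30) as resp:
            return resp.status, diagnose(resp.status)
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a status
        return err.code, diagnose(err.code)
    except (ssl.SSLError, urllib.error.URLError) as err:
        return None, f"no HTTP response (TLS or network failure): {err}"
```

Calling `post_with_client_cert("partner_cert.pem", "partner_key.pem")` against a real channel needs the partner's certificate and key in PEM format; a browser that opens the same URL without a certificate will still be prompted for credentials.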

The configuration changes above apply only to client authentication, and your SOAP Adapter will accept only the client authentication method. To make your configuration work for both kinds of authentication, do the following –

Go to NWA -> Configuration -> Authentication and Single Sign On and edit the Client_Cert policy configuration to add BasicPasswordLoginModule as Optional.

Have a look below.

SDN_SOAP Adapter For both Client and Basic.PNG

After the above configuration, your SOAP Adapter will work with Basic authentication as well as with a client certificate.

      22 Comments
      Ramesh Badham

      Hello Ashish,

      Thanks for excellent blog. I am trying to implement similar one using Sender Adapter in PI 7.1 EHP1.

      I don't see SSO option from NWA. It will be great if you can suggest something on same lines.

      Aashish Sinha
      Blog Post Author

      Hi Ramesh,

      In PI 7.1, Can you please check in below location?

      NWA -> Configuration Management -> Security -> Authentication

      Thanks and Regards

      Aashish Sinha

      Ramesh Badham

      I am using PI 7.1.1 and followed note 891877 to enable the steps to make this happen.

      My scenario works with HTTPS without client authentication. But the requirement is to eliminate passing ID and password.

      I am trying to implement HTTPS with client authentication similar one like yours.

      After configuring all those steps, when I launch SOAP sender URL, it still expects user ID and password.

      Whatever we enter, it come back as error "no authorization".

      Appreciate if you can suggest something on it.

      Aashish Sinha
      Blog Post Author

      Hi Ramesh,

      When you open your sender SOAP Url in browser or SOAP UI it will always ask for authentication. After setting up SOAP Adapter with Client Authentication, Whenever you are sending a SOAP request attach certificate along with it. Then XISOAPAdapter will validate certificate with request as well as user assigned to this certificate for authentication.

      Main points are -

      1. SOAP URL in Browser/SOAP UI will always ask for Authentication

      2. Send Certificate Along with SOAP Request

      3. User Lookup, based on certificate with SOAP Request

      4. Once user lookup successful, No Authorization error - 401 - Unauthorized or No Authorization.

      5. Configure SOAP UI to send certificate along with SOAP request for testing else you can ask your partner to send SOAP request with Certificate.

      Regards

      Aashish Sinha

      Ramesh Badham

      Yes I did have setup in SOAPUI along with keystore. Since it was giving 401 error, I ended up going directly to that URL from browser.

      I am still getting the error. Let me know if you have any other ideas.

      Aashish Sinha
      Blog Post Author

      Hi Ramesh,

      If you are getting 401 error in SOAP, it simply means that certificate is not going along with request. You may run trace and see the issue -

      use - http://ipserver:port/tshw

      also check in XPI Inspector.

      If it is configured you will complete trace.

      Regards

      Aashish Sinha

      Former Member

      Nice Blog Aashis....keep up the good work..

      Former Member

      Hi Aashish,

      Good Day!

      Fantastic!

      Regards,

      Hari Suseelan

      Former Member

      Hi Aashish,

      Nice blog!!

      I have an Asynchronous scenario ( Soap -> Idoc) being developed in XI. Very randomly we see the error " 401 : Unauthorized " in SXMB_MONI. When we restart it manually, it would get processed. What could be the reason behind..!! There are also some cases, where the user also gets the same error when trying to send sales order requests. In that case, we cannot process them manually, the only option is to resend from the source system.

      It would be great if you could throw some light on this..!! we are using HTTP in Soap Sender.

      Thanks,

      Swetha.

      Gopalkrishna Baliga

      Nice blog Ashish!

      But I still have doubts.

      A certificate contains public and private keys.

      public key is used for encrypting while private key for decrypting.

      In your case (SOAP sender), public key stored in PI Keystore.

      When SOAPUI calls PI SOAP URL, Is the private key sent along with input request data to PI? Where does actual encryption and decryption of the message happen?

      Is the public and private keys that we use in PI and SOAPUI used only for authentication and not for encryption and decryption?

      Kindly answer my queries.

      Thanks

      Gopal

      Former Member

      Hi Aashish,

      Thanks for your great blog! 2-way SSL is working good.

      After this change I cannot use the SOAP adapter without client authentication. Is there any way to make both authentication methods work?

      Thanks

      Volkan

      Former Member

      Hello Aashish,

      I solved this problem myself.

      I don't use a logon template for SOAPAdapter. I use 2 different login modules, ClientCertLoginModule and BasicPasswordLoginModule.

      Thanks

      Volkan

      Aashish Sinha
      Blog Post Author

      Hi Volkan,

      Yes that is the solution and I already updated this web log. You just need to add BasicPasswordLoginModule as optional in the Client_Cert chain.

      Regards

      Aashish Sinha

      Former Member

      Hi Aashish,

      thank you for this very nice blog. In the near future I have to implement a scenario which needs this.

      You describe the receiver part (partner) very well but I'm not sure what I have to do at the sender part (also a PI system). What do I have to do at this site? Is this digital signing (WSSE)?

      Regards,

      Gil

      Former Member

      Hi Aashish,

      Do you have any docs or information (steps) regarding the security methods/settings for the RFC/SOAP/MAIL Adapter for PI 7.31 Java stack? Thanks

      Bibin Gabriel

      Hi Aashish,

      This Blog was handy for me. Thanks for the detailed explanation.

      Rajiv Kurra

      I am following the above link to install certificates under NWA -> Configuration -> Identity Management, but it is throwing an error saying that the selected file is not a valid certificate. Can anybody suggest which extension I need to use to upload these certificates?

      Former Member

      Hi Ashish,

      Thanks a lot for this wonderful blog. We have many partners connecting to PI using either HTTP/HTTPS based on their needs. If we follow the blog mentioned by you for HTTPS with client authentication (without user authentication), does it in any way affect partners using HTTP (with user authentication)? If yes, how do we eliminate that effect?

      Regards,

      Vishal

      Former Member

      Hello. I think this feature is a "nice to have", I see it very useful especially when working with banks.

      But imagine that you have done several projects without that feature, and then one day you realize that you need it. But you also realize that by configuring that feature you will also have to test (to be sure) whether all interfaces using the SOAP adapter are still working fine.

      So, why doesn't SAP PI have this feature configured by default, or recommend doing it in the post-installation steps?

      Michael Healy

      It's completely down to the business case and policies, if a customer wishes not to do it, it's at their own risk. Usually the business will specify their security policies which you incorporate into your design.

      Imran Khan
      Hi All,
      We are trying to do HTTPS with client certificate based authentication in a sender REST channel. The 3rd party system has provided their public certificate to us. We have a proxy in between and our proxy team has configured the certificate at their end. We also mapped the certificate to a technical user in NWA and have done all the steps as per this blog.
      The messages are reaching the proxy system successfully, but from proxy to PI it is giving a 500 error. When we have the option "Perform Inbound HTTPS security checks" checked with HTTPS Security Level "HTTPS with Client Authentication", we get the error. If the above option is unchecked, the messages enter the PI system. Is there any step we are missing here? Request you to help us resolve this issue.
      Best Regards,
      Imran
      Alberto Sánchez González

      Hi everyone,

      I've successfully configured certificate authentication in the SOAP sender adapter using my self-signed certificate from my own CA on SAP PO 7.5.

      But there are a few additional steps that I want to share to complete this post; you can find all the steps in my blog.

      https://jaehoo.wordpress.com/2023/02/28/sap-pi-po-soap-sender-adapter-enable-https-with-client-authentication-using-a-self-signed-cetificate-by-my-own-ca/

      Thanks.