Skip to Content
Author's profile photo Ricardo Israel Mata Viejo

How to .. Test SOAP/REST services on SAP Cloud Platform Integration, with Client Certificate Authentication

If you have been working with SCP Integration (HCI) probably you noticed that testing your scenarios with basic authentication sometimes is just not enough, as ultimately you will end up using client certificate authentication in your production environment and probably need to test your developments, your keystore settings and certificates, and doing so not always throughout the application. This document will walk you through step by step to test web services on SCP Integration using the soapUI client.


For the complete case, we are going to take advantage of the pre-packaged integration scenarios from SAP for SuccessFactor Integration.



  1. You have access and authorization to a Dev Tenant.
  2. Eclipse IDE installed and configured.
  3. You have imported Integration Package to your tenant.
  4. You have configured communication between your tenant and your receiver system (SuccessFactors).


  1. soapUI client
  2. Keystore Explorer
  3. Marketplace user



Obtain SAP CA Passport certificate with key-pair and SCP Integration tenant certificates.


Step 1.1: In Firefox open SMP.

Step 1.2: Login

Step 1.3: Select “Get a browser certificate (SAP Passport)” from the user menu.

And follow the instructions.

If successful you would get a confirmation and will find your certificate installed.

Step 1.4: On your Firefox explorer go to..

Menu -> Options -> Advanced -> Certificates

Click on View Certificates

Step 1.5: Select your certificate and click backup.

Save screen will open. Input a name and click Save

You will be asked to enter a Certificate password, input a strong password and click ok.

The browser will present a successful message of your certificate and private key backup.

Step 1.6: From Certificate Manager, select your certificate and click View…

Step 1.7: On the Details tab, click on Export…  and Save

To this point, you should have the following files:  one .p12  and one .crt

Step 1.8: Download certificates for SCP Integration tenant.

In your Tenant welcome email, you should have the direct link to download your certificates. Open the link

Step 1.9: Select “CRT” under Base 64 Der Encoding and click download. Zip file will be downloaded

Step 1.10: Extract the zip file, you will have a tenant certificate and load balancer certificates.

Now we have all the certificates needed to create our security artifacts.


iFlow Setup

Configure iFlow to authenticate with SAP Passport CA certificate.

Assumptions: You have already created your flow, in this case, we have copied the Integration Package to our tenant and configured receiver connectivity.

Step 2.1: Open your flow, Select Edit and select your sender system.

Step 2.2: Change the Authorization to Client Certificate

Step 2.3: Click Add button

Step 2.4: click the browse button

Step 2.5: Select you S-User certificate the one you obtain in step 1.7  and Click Open

Step 2.6: You will see your certificates details then click Save and Deploy

Step 2.7: Retrieve your endpoint URL from the Monitor page.

Now we have setup iFlow to accept only calls from our certificate.


To be able to call our service we must simulate having the correct keystore with the proper certificates to go through the Load Balancer and Authenticate versus the iFlow.

We will accomplish this with help of KeyStore Explorer software.

Step 3.1: Open KeyStore Explorer and select Create a new KeyStore

Step 3.2: Select “PKCS #12” as soapUI uses .pfx, and click OK

Step 3.3 Import Certificates.

Click on Menu ->Tools -> Imported Trusted Certificate

Select Load Balancer Certificates, one at a time.

You are prompted for an alias, click ok


Repeat for all certificates.


Step 3.4 Import Key pair
Click on Menu -> Tools ->Import Key Pair

Select PCKS #12 and OK

Step 3.5: Click on Import and browse for your S-User certificate with private Key

Prompt for alias, click OK

Prompt for Password, click OK

Step 3.6: Click Save button and input password.

Include a descriptive file name: soapUI_SUser_Keystore.p12 (extension p12 because is PKCS #12)


Step 3.7: Change the extension of your file to .pfx (.p12 and .pfx are the same binaries)

Now we need to configure the soapUI client.


soapUI setup

Assumptions: You have downloaded the soapUI client and also downloaded WSDL file from service.

Step 4.1: Open soapUI and click new project.

Step 4.2: Click Browse… and Select WSDL file

Click OK

Step 4.3: Navigate your Project on the upper left section and double click on “Request 1”

Open the request view

Step 4.4: Select current Endpoint and replace with SCP Integration Endpoint that you obtain in step 2.7

Step 4.5: Configure Client Authentication, Open File Menu à Preferences

Select SSL tab

Step 4.6: Click on Browse.. and Select your .pfx file you created in step 3.7

Step 4.7: Input Password for your keystore (same you input in step X.X ) and enable “Client Authentication” check box.

Click Ok.

Now you are ready to execute.


Test and Monitoring

Step 5.1 Fill your payload requirements and click Run.


Step 5.2: Open Monitor page on SCP Integration.
Select All Integration Flows

Select Message Processing Log

Now you are ready to test all your services using Client Certificate Authentication.



Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Yatanveer Singh
      Yatanveer Singh

      Why do we need to use the private key of the user to invoke the HCI.

      Step 3.5: Click on Import and browse for your S-User certificate with private Key

      So if someone need to consume my service I need to give him my private key ??

      Author's profile photo Ricardo Israel Mata Viejo
      Ricardo Israel Mata Viejo
      Blog Post Author

      Hi Yatanveer

      You need the public and private key, including the chain certificate from the server doing the call  (sender system)  in my example we used the SAP Passport or key pair from SAP to emulate and test.

      To answer your question, if you are exposing a service in SAP CPI the sender system needs to provide you the certificate so you may add it to the iFlow as authentication, also the sender system must use this key pair in his keystore to consume this service.

      Please do not share your private key.


      Author's profile photo Kiran Kerudi
      Kiran Kerudi

      Hi Ricardo,

      I downloaded .pfx file for my S-User from SAP Passport. I exported certificate and added this to my iFlow. The same .pfx file I used in Soap UI as described and it worked.

      Now my question is, if sender has to do this without SAP Passport, do we have to share him our Load Balancer Certficate? And along with sender's own Key-Pair, sender will use these Load Balancer Certificates and create new .pfx file? We on our SCPI should map Sender's certificate to iFlow. Please correct me if my understanding is wrong.

      Best Regards,