Skip to Content

HCI Client Certificate Authorization

The idea of this blog is show how to generate a certificate for a s-user and use it to authenticate in CPI.

There is many reasons to use the certificate for authentication, the user will not be blocked because someone put wrong password, you can restrict the service that you are creating only for a specific user, security better than basic authentication, and others. In our case we used to restrict a webservice to specific users.

Just think that all technical user have the roleĀ ESBMessaging.send, they can access any service if they know the url šŸ˜€

So let’s start, to create the certificate for your s-user, use the link below and click in “Apply for an SAP Passport“.

In the next screen, you can see your name and s-user, put the password and click inĀ “Apply for an SAP Passport“.

Create a password for the certificate and click in Apply

In the next step, you can download the certificate and make a backup.

Now we have your pfx file that we will use to authenticate in CPI, but we need to get the .cer from your certificate, so one of the easy way is install the pfx in your pc, and use the Internet Explorer to export.

Let install first, double click in your pfx file, next, next, put the password of your pfx and select the three options, next and finish.

Now let generate the .cer that we will use in the integration flow, open your Internet Explorer and go to menu “Internet Options”.

In the tab “Content”, click in “Certificates”.

Select your s-user certificate and click in “Export” and next, (keep the option “No, do not export the private key” and next, next.

Select a folder to save the .cer file and Next, Finish.


Now we are ready to go to your iflow, it is very simple iflow with Soap Sender and a content modify just to create a xml for return.

The Soap adapter is in this case a SOAP 1.x, and here is the configuration.

In the Authentication, select Client Certificate, after that you should select you .cer. Save it and deploy the integration flow.

Now let’s test with SoapUI, go in to Menu -> Preferences, in the left side select SSL Settings, Select your pfx file and put the password.

Import your wsdl in to SoapUI and you don’t need to put user and password now, just execute and you can see the response xml created by the Content Modifier.

In the message monitoring you can see the message OK.

I also turn on the trace to get more information, if you go to traceMessage, you can see the certificate information used for authentication.


Thank you and I hope I’ve helped.


You must be Logged on to comment or reply to a post.