Rahul Yadav

Client Certificate Based Authentication for HTTPS/IDOC Inbound Connection in SAP CPI

HTTPS Inbound Connection:

A system sending a message to the cloud-based integration platform over HTTPS as the secure transport channel is not connected directly to the tenant. Instead, a load balancer sits in between: it terminates all inbound HTTPS requests and establishes a new secure connection to the tenant.

In this blog, I am going to explain the inbound HTTPS connection with client certificate based authentication. I did this a long time back by following Mandy's blog. Below is the flow diagram for the request propagation from the sender to the i-flow and the certificate exchange between the sender and SAP CPI.


It's a pretty straightforward configuration once you follow all the steps in sequence. I will provide the steps for pushing data to SAP CPI via Postman with client certificate based authentication.


  • Postman application which supports certificate based authentication.
  • SAP CPI access for generating the i-flow and getting the load balancer root certificate.
  • Client certificate signed by a CA.

CA list trusted by the SAP Cloud Platform load balancer:

SAP Cloud Platform Trusted CA List for HTTPS

We are using Postman as our sender client and hence will be using an SAP Passport as the client certificate. You can go to the URL below, sign in with any S-User and request a Passport. You can enter any passphrase during the request; this passphrase can be different from your account password.

URL for Generating SAP Passport:

This Passport works as the CA-signed sender client certificate: it contains the private key and the public key, including the chain certificate.

Getting the Load Balancer Certificate (ref. from Mandy's blog):

The easiest way to get the load balancer root certificate is to use the Connectivity Test in the Cloud Integration tenant. The Connectivity Test is available in the Operations View of the Web UI, in the section Manage Security Material. Selecting the Connectivity Tests tile from the Overview page opens the test tool, which offers tests for different protocols. To connect to a Cloud Integration tenant via the load balancer and get the root certificate, select the TLS option. Enter the URL of your runtime node (the URL you want to call from your sender backend) in the Host field. The host name of the runtime node has the format: <tenant>-iflmap.<data center>

Execute the connectivity test. If there is an error, you may have to uncheck the option 'Validate Server Certificate'. The response screen lists the certificates from the load balancer, because the SSL/TLS connection is terminated by the load balancer. Use the Download option to download the certificates; a file containing all the certificates is created in your local download directory. From the *.zip file select the *.cer file of the root certificate and import it into the trust store of the sender system.

Furthermore, if you want to use client certificate authentication, the sender system keystore needs to contain a key pair signed by one of the CAs supported by the load balancer.

Note that only root certificates are imported into the keystore of the SAP load balancer! Therefore you as a customer must always assign the whole certificate chain to the certificate, so that the connected component can evaluate the chain of trust.


You need to exchange the SAP CP load balancer certificate with the client so that they can add it to their trust store. The client will share their CA-signed root certificate, which needs to be imported into the SAP CPI keystore so that the load balancer can authenticate the incoming request and establish a connection between the client and the CPI tenant.


SAP Cloud Platform configuration:

You can enable certificate based authentication in the following two ways:

  • Import the client certificate directly into the i-flow.
  • Create a custom role and user, and map your certificate to the custom user.

SAP recommends the second option, as you need not redeploy your i-flow in case of a certificate update. The same user can also be used for multiple certificates; for this, map all the certificates belonging to this user in the Certificate-to-User Mapping tab.

Creating a Custom Role and User:

Go to Subaccount -> Subscription -> <tenant>iflmap

Click on Roles -> Custom Role

You can create a role name and user name of your own choice; it need not be an S- or P-user. The same will be reflected in the i-flow under the User Role drop-down, along with ESBMessaging.Send.

You are done with the user and role creation in the Cockpit. To configure Certificate-to-User Mappings your user needs the group role AuthGroup.Admin or the single roles NodeManager.deploysecuritycontent and


Generating the Client Certificate from the SAP Passport (Client Certificate):

The SAP Passport is a private and public key pair, so you need to generate the certificate from it. The simplest method is to import the Passport as a key pair into the SAP CPI keystore. Once it is imported, click on Download Certificate to get the client certificate. This certificate will be used in the SAP keystore and in the Certificate-to-User Mapping tab.

Note: if you want, you can delete the key pair, as it is not needed for our integration.

The next step is to import the SAP Passport certificate generated in the step above into the keystore.

After that you need to define the certificate-to-user mapping in the Manage Security tab of CPI. This will be the same user defined in the subaccount.

The last step in SAP CPI is selecting the custom role in the i-flow.

We are done with the required configuration in SAP CPI. Now we will configure the client (Postman) to send data to our flow.

Postman/Client Configuration:

Configure Certificate based authentication in Postman.

Click on the Settings tab in the top right bar of Postman.


After selecting this you will get a popup for adding certificates. Add the Passport key here, which is a .pfx file, and provide the passphrase you used during creation.

The host will be the CPI tenant endpoint.

Create a POST request. Enter the CPI i-flow endpoint as the URL. Under Authorization, select No Auth.

Once you click the Send button, the message flows through CPI without any issue. You can see Status 200 OK in Postman.


Note: you need not import the load balancer root certificate in Postman, as Postman doesn't validate the load balancer. If you are testing with a client, then you need to share the load balancer root certificate with the sender.

You may not get an option for importing certificates in the Chrome extension; you will need the desktop version of Postman.
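As an added example (this is not code from the blog, from SAP or from Postman), the script below does in Python what the post does through the CPI and Postman UIs: it builds a toy PKI standing in for the SAP Passport CA, extracts the client certificate from a passphrase-protected .pfx (the "import as key pair, then Download Certificate" step), performs the chain-of-trust check that the load balancer performs against its root-only trust store (which is why the whole chain must be assigned, as noted above, and why a missing intermediate fails), and builds the sender-side TLS context that corresponds to Postman's Certificates setting, with verification of the load balancer root added. It assumes the `cryptography` package is installed; every certificate, common name and passphrase in it is constructed for the example and none is a real SAP artifact.

```python
# Added example, not code from the blog or from SAP: the certificate handling the
# post does through the CPI and Postman UIs, done with the 'cryptography' package
# (pip install cryptography). Root CA, intermediate CA and "passport" are all
# generated here as stand-ins; no real SAP Passport or trust list is involved.
import datetime
import ssl
import tempfile

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

def _cn(name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])

def _issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Sign a certificate for subject_key with issuer_key (constructed toy PKI)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_cn(subject_cn))
        .issuer_name(_cn(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )

def make_toy_passport(passphrase):
    """Root CA -> intermediate CA -> user cert; user key pair plus intermediate packed
    into a passphrase-protected PKCS#12 like a passport .pfx. Returns (pfx, root)."""
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root = _issue("Toy Root CA", root_key, "Toy Root CA", root_key, is_ca=True)
    inter_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    inter = _issue("Toy Intermediate CA", inter_key, "Toy Root CA", root_key, is_ca=True)
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user = _issue("S0001234567", user_key, "Toy Intermediate CA", inter_key, is_ca=False)
    pfx = pkcs12.serialize_key_and_certificates(
        b"passport", user_key, user, [inter],
        serialization.BestAvailableEncryption(passphrase))
    return pfx, root

def extract_client_cert(pfx_bytes, passphrase):
    """The 'import as key pair, then Download Certificate' step done offline:
    returns (client_cert, chain_certs). A wrong passphrase raises ValueError."""
    _key, cert, chain = pkcs12.load_key_and_certificates(pfx_bytes, passphrase)
    return cert, list(chain)

def _signed_by(cert, signer):
    try:
        signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def chains_to_trusted_root(leaf, chain, trusted_roots):
    """The load balancer's check: walk from the leaf through the intermediates the
    sender presented until a cert signed by a trusted root is found. Only roots are
    in the load balancer trust store, so a missing intermediate makes the walk fail."""
    current = leaf
    for _ in range(len(chain) + 1):  # bounded, so a self-signed loop terminates
        if any(current.issuer == r.subject and _signed_by(current, r) for r in trusted_roots):
            return True
        current = next((c for c in chain
                        if c.subject == current.issuer and _signed_by(current, c)), None)
        if current is None:
            return False
    return False

def sender_ssl_context(pfx_bytes, passphrase, lb_root_cert):
    """Postman's Certificates setting as code for a real sender system: present the
    passport (leaf plus chain) on the handshake and, unlike Postman, verify the
    load balancer against the root downloaded from the Connectivity Test."""
    key, cert, chain = pkcs12.load_key_and_certificates(pfx_bytes, passphrase)
    pem = cert.public_bytes(serialization.Encoding.PEM)
    for c in chain:
        pem += c.public_bytes(serialization.Encoding.PEM)
    pem += key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption())
    ctx = ssl.create_default_context(
        cadata=lb_root_cert.public_bytes(serialization.Encoding.PEM).decode())
    with tempfile.NamedTemporaryFile(suffix=".pem") as f:  # load_cert_chain needs a path
        f.write(pem)
        f.flush()
        ctx.load_cert_chain(f.name)  # private key is read from the same file
    return ctx
```

A sender would use the returned context with `urllib.request` or `http.client` to POST to the i-flow endpoint; the chain walk is the reason a 401 can appear even with a valid key pair, since a certificate whose intermediate was not sent, or whose root is not on the load balancer's trusted CA list, never reaches the certificate-to-user mapping.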


Reference Blogs :


      srishti kumari

      Hi rahul,

      Thank you for sharing the detailed steps of the configuration for the certificate-based authentication. Indeed a very useful blog.



      Srishti kumari

      Vikas Kumar Singh

      Great effort in consolidating many points in one place. Informative!

      Bhaskar Mamilla

      Good one Rahul. Indeed very useful stuff, thank you.

      Michele Mangieri

      This is very useful, thank you. One question regarding the S-User: should this also work with a technical S-User?

      Rahul Yadav
      Blog Post Author

      Yes, we can use Technical S-User.

      In a real-time scenario, we will be getting the CA-signed certificate from the sender. That will be used in the keystore and the user-to-certificate mapping.


      Amy Huang

      Hi Rahul,

      Does the Technical S-User here mean the Technical Communication S-User in the KBA 2174416 and KBA 2532813 ?

      If yes, I did generate an SAP Passport for a technical communication S-user (the passport file is .pse instead of .pfx) and tried to upload it to the CPI Keystore following your steps, but failed. When trying to add it as a Key Pair, it said "The selected archive contains multiple key pairs, please use the Add Keystore option", and when trying to add it as a Keystore, it failed with the error "Keystore type is invalid. Supported keystore types are JCEKS, JKS, and PKCS12."

      The steps worked fine with a regular S-User passport.


      Michele Mangieri

      This behaviour is exactly what I faced as well.

      Valentin Huber

      Hi Amy, no, technical S-users are not supported in CPI:


      EDIT: I revert my comment: Since the page

      lists SAP Passport as trusted CA, the certificate based authentication should work. The note I cite above refers only to basic authentication, not to certificate based auth.

      Maybe using the approach mentioned in allows for extracting the certificates from the  PSE...

      Ajit Singh

      Great blog, thank you so much, this will help.

      Anand Patil

      Very informative, thank you for sharing this!

      Jorge Luna Torres

      Thank you! Great job.

      Naseem Muhammaed

      Hi Rahul,

      Thank you so much for your excellent post!!

      The issue I am facing is that, after following all the steps mentioned above, I am getting a 401 error from Postman,

      with the response header "PWD_WRONG" as below, but nowhere did I define any password to validate; only the passphrase which I used to download the SAP Passport is added in the Postman certificate node.

      I would highly appreciate it if you can guide me out of this issue.



      Kefei Dong

      Hi Naseem,

      Have you resolved the problem?

      Now I have the same.

      I would appreciate it if you could give me hints.



      Matti Leydecker


      I learned that in my case this can mean that the Load Balancer is not allowing the certificate and therefore my request is not authenticated. This happens when the certificate is signed by the wrong Certificate Authority. For SAP Passport CA this should work as outlined in the blog. You can check in Postman, whether any certificate is part of the request: it will be shown as "Client Certificate" on the top level (same as Request Body and Response Headers) in the console.

      Helpful blog:


      Best regards


      Avinash Mallashetty

      Hi Rahul,

      Do the steps mentioned above apply to CPI CF tenants?


      Thanks for letting me know.


      reg, Avinash

      Satyaki Basu

      Hi Avinash,

      I can tell from my end that the steps in CF will be a bit different, as user -> cert mapping is still not available there.

      You can refer Cloud Integration on CF – How to Setup Secure HTTP Inbound Connection with Client Certificates | SAP Blogs for CF steps.




      Nakul Thacker

      Hi, did anyone get a resolution to the response header "PWD_WRONG" issue? I am facing the same along with a 401 error and can't seem to find an answer. Any help will be greatly appreciated.

      Matti Leydecker

      I am also facing that issue. The private key that I am using has no password attached. Did yours have one or not?

      Aayush Barolia

      Hi Rahul,


      Thanks for this blog, it's very insightful.

      I have one query: where are we uploading the load balancer root certificate in Postman? Is it not required?


      Thanks in advance!