Skip to Content
Technical Articles
Author's profile photo Ali Chalhoub

How to configure HTTPS Inbound Connection in Cloud Integration Cloud Foundry using Client Certificate Authentication Step-by-Step

Welcome to How to configure HTTPS Inbound Connection in Cloud Integration Cloud Foundry using Client Certificate Authentication Step-by-Step.

In this whitepaper you will find all the details that are needed to let you configure an HTTPS Inbound Connection in Cloud Integration and the ability to create an RFC connection and establish the connection from S/4HANA on-Premise or NetWeaver to Cloud Integration.

There are many blogs in our community that talks about how to configure and implement this setup. However; one section that was missing which is how to generate the client certificate and install it in S/4HANA on-Premise system and configure an RFC connection. For that reason this whitepaper has been created to show you all the steps that are needed in order to configure the RFC connection using Client Certificate Authentication and establish an HTTPS connection to Cloud Integration on Cloud Foundry.

As well the whitepaper will show you how to configure POSTMAN and test with

  • Basic Authentication
  • Client Certificate Authentication


In this whitepaper, you will find the following:

Chapter 1 – Overview

  • Architecture
  • Creating the Integration Flow
  • Testing the connection with Basic Authentication using POSTMAN

Chapter 2 – Configuring Integration Flow with Client Certificate

  • Generate Client Certificate .PFX file using SAP Passport
  • Download the Load Balancer Certificates
  • Generate Client X.509 Certificate
  • Configuring Client User Certificate to an Instance
  • Testing Certificate Authentication with POSTMAN

Chapter 3 – Configuring Backend

  • Adding Client Certificate to STRUST
  • Adding X.509 CAs Certificates to the Trust Manager Certificate Trusted List
  • Configuring RFC Connection
  • Test RFC Connection

Chapter 4 – Troubleshooting

  • Error 1 – You are not authorized to perform this operation
  • Error 2 – RFC connection Error SSL Handshake error
  • Error 3 – STRUST Add to Certificate List is grayed it out
  • Error 4 – Using trial account, Client Certificate Authentication is failing

This whitepaper can be found in the following WiKi:

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Marco Silva
      Marco Silva

      Hello Ali,

      This is a really nice document, thank you!

      In my BTP Cloud Foundry, for service "Process Integration Runtime", I don't have the option "client_x509", even with JSON input it doesn't allow me this value:

      Should value "client_credentials" work?

      I'm struggling with this, since I still get a 401 error for my backend RFC call.

      Thank you for any help you can provide.



      Author's profile photo Ali Chalhoub
      Ali Chalhoub
      Blog Post Author

      Hello Marco,


      I am glad you liked the document. Regarding your issue, client_x509 has been deprecated. Here is the message:

      Service broker error: Service broker it-broker-rt failed with: The service instance with grant-type 'client_x509' is deprecated and supports only the following key type: External Certificate (certificate_external). Please create a new service instance in order to be able to use key type Certificate (certificate). Please try certifcate_external parameter.

      Thank you