Skip to Content
Technical Articles
Author's profile photo Ricardo Israel Mata Viejo

How to .. Validate server connectivity to SAP Cloud Integration with Client Certificate Authentication using OpenSSL and cURL + tcpdump

Update: Adding Error section + tcpdump troubleshooting

This blog aims to provide a quick tutorial on how using generic tools like OpenSSL and cURL enable your systems to connect to SAP Cloud Integration with Client Certificate Authentication to validate if your Keystore (KeyPair, Private Key, Public Key, Certificates) are correct.


In our scenario, the sender application/server running on AWS has a keypair [S0022215706.p12] in .p12 or .pfx format, the public certificate [S0022215706.cer] has been shared and the required tasks to configure A) the service key in the SAP BTP cockpit for Multi-Cloud or b) certificate-to-user have been completed.

Note: I will use an S-User Passport to simulate a valid Keypair and Tenant on Multi-Cloud Environment

You want to complete a smoke test to validate that the certificate will be valid and communication enabled in SAP Cloud Integration for Client Certificate Authentication (TLS Mutual Authentication).


You are having errors communicating using your application and want to decouple the complexity and want to validate the Keys (Keystore) using standard software tools.


OpenSSL is available in the sender server.

cURL is available in the sender server.

Certificates/Keys are available on your server in *.p12 or *.pfx formats.

Public Certificate has been configured in SAP BTP cockpit (Multi-Cloud Environment) or  in the iFlow + Certificate-2-User mapping (Neo Environment)

iFlow has been deployed


Step 1: Convert your Keys/Certificate into PEM format

If your certificates/keys are not in PEM format, this needs to be transformed.

Command: openssl pkcs12 -in {NAME_FILE.p12} -out {NAME_FILE.pem}

Output: Keys have been converted to PEM format.

Step 2: Execute an HTTP(S) request to SAP Cloud Integration using cURL

Note: Enable the trace on SAP Cloud Integration to be able to corroborate.

Execute the following command:

curl --location --request POST '{SAP_CLOUD_INTEGRATION_ENDPOINT}' --header 'Content-Type: text/plain' --data-raw 'Hello from YOUR_SERVER' -v --cert {NAME_FILE.pem}

curl –location –request POST ‘{SAP_CLOUD_INTEGRATION_ENDPOINT}‘ –header ‘Content-Type: text/plain’ –data-raw ‘Hello from YOUR_SERVER‘ -v –cert {NAME_FILE.pem}

Note: In this simple scenario only testing sending a string but can enhance the curl command to send files by changing the Content-Type and adding –form ‘{FILE_LOCATION}’


  1. TLS Highlevel trace: Showing (IN) Request CERT & (OUT) Certificate
  2. Server Certificates: CN=*
  3. POST Request details: Host, User-Agent, etc.
  4. Request Response: sap_messageprocessinglogid, sapauthenticatedusername, etc.
  5. Connection Status: Connection to host … left intact
  6. Response Body: Hello from BTP Cloud Integration

Step 3: Compare results against SAP Cloud Integration Trace

Review the iFlow trace

  1. iFlow Overview – Trace
  2. Validate the certificate and Certificate Subject ‘CN’
  3. Corroborate the MessageProcessingLogID and the SapAuthenticatedUserName
  4. Review the received payload (String)


Successfully decouple the certificates/keys from our application and tested connectivity to SAP Cloud Integration using cURL with client certificate authentication, hope this helps you in your integration projects, keep integrating ūüĖĖūüŹĽ



This is not a perfect world, we will encounter errors all the time, please find the most common ones:

unknown CA: Public and Private Certificates are included but intermediate or root are missing.


openssl pkcs12 -in {NAME_FILE.p12} -out {client.pem} -clcerts -nokeys

openssl pkcs12 -in {NAME_FILE.p12} -out {key.pem} -nocerts

cURL command to simulate sending only public and private key

curl --location --request POST '{sap_cloud_integration_endpoint_uri}' --header 'Content-Type: text/plain' --data-raw 'Hello from server_name' -v --key key.pem --cert client.pem:

curl –location –request POST ‘{sap_cloud_integration_endpoint_uri}‘ –header ‘Content-Type: text/plain’ –data-raw ‘Hello from server_name‘ -v –key key.pem –cert client.pem:

Troublehooting: tcpdump

Sometimes identifying the root cause is more complex, for these scenarios one option is to use tcpdump utility to log and another tool to facilitate the analysis.

I will install it on the server.

Command: sudo yum install tcpdump

Step 1: identify interfaces

Command: tcpdump -D

Step 2: Execute tcpdump to save dump to a file for a selected network interface


sudo tcpdump -i {{interface_name}} -vv -XX -w {{file_name}}.pcap

-i : select network interface to listen

-vv : used for added verbose

-XX : used for printing headers of each packet, data of each packet in hex and ASCII
Note: Please use -XXX to include the link-level header.

-w : used to save output to file

Example: sudo tcpdump -i eth0 -vv -XX -w eth0-tcpdump-log-001.pcap

Step 3: Download the file from the server.


scp {{server_user}}@{{remoteserver_address_or_IP}}:/{{remote_folder_path}}/{{remote_file_name}}.pcap {{local_file_name}}.pcap

Example: scp -i rhel_8.cer ec2-user@ eth0-tcpdump-log-001.pcap

Step 4: Analyze tcpdump log

The file has a binary format, you can use some hex/binary text editor or pcap such as Wireshark.

If you are an expert on TCP/IP and TLS you may filter the data on the file for example:

tcp[TCP header size] points to the first byte of the data in the packet. And thus the term, tcp[((tcp[12] & 0xf0) >>2)] = 0x16 checks whether this byte is equal to 22, the numerical code for SSL handshake. And, tcp[((tcp[12] & 0xf0) >>2)+5] = 0x01 will filter packets where the sixth byte is 1, representing Client Hello.

Similarly, we can capture any handshake message we discussed earlier. For example, we can use tcp[((tcp[12] & 0xf0) >>2)+5] = 0x02 for Server Hello messages.

I recommend an application like Wireshark, where you can select a log file from the menu. File > Open and select the downloaded file.

After importing the file, Wireshark will show TCP/IP step by step where you can analyze the TLS process in detail.

Please find example packet analysis where the client sends a “Certificate” response.

Please refer to the following blog for detailed step-by-step instructions and details on how to use Wireshark >> Troubleshoot client certificate authentication with Wireshark


Assigned tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.