<!-- loio7f84d16aa42741efb08dc9875743e47c -->
# Client Certificate Authentication for Integration Flow Processing
The sender authenticates itself with a client certificate when calling the integration flow deployed on the worker node. At runtime, the system checks if a service key is available that contains the client certificate provided by the sender. If a service key is available, the system then checks if the associated service instance has a role specified that grants permissions to call the integration flow endpoint.
<a name="loio7f84d16aa42741efb08dc9875743e47c__context_jwy_4st_5hb"/>
## Context
> ### Tip:
> This authentication method is considered to be the recommended and secure option for HTTP inbound connections. Another recommended and secure option is [OAuth with Client Credentials Grant for Integration Flow Processing](oauth-with-client-credentials-grant-for-integration-flow-processing-6c052ce.md).
As the client certificate, you can use either your own \(*external*\) certificate or one generated by SAP \(see [Service Key Types](service-key-types-0fc1446.md)\).
For more information, check out:
- [Client Certificate Authentication \(Inbound\)](client-certificate-authentication-inbound-4ec6192.md) \(explains the concepts and how this authentication option works\)
- [Cloud Integration on CF – How to Setup Secure HTTP Inbound Connection with Client Certificates](https://blogs.sap.com/2019/08/14/cloud-integration-on-cf-how-to-setup-secure-http-inbound-connection-with-client-certificates/) \(SAP Community blog\)
<a name="loio7f84d16aa42741efb08dc9875743e47c__steps_kwy_4st_5hb"/>
## Procedure
1. Look up the role to be used to authorize the sender to call the integration flow endpoint.
This role is to be specified as the *User Role* parameter of the sender adapter of the integration flow to be called.
This can be either the standard role `ESBMessaging.send` or a custom role \(see [Managing User Roles](../50-Development/managing-user-roles-4e86f0d.md)\).
To check the roles defined for your tenant, go to the SAP Integration Suite *Monitor* section, and under *Manage Security*, select the *User Roles* tile.
2. Get the sender client certificate from the administrator of the sender system.
3. In SAP BTP cockpit, select the subaccount that hosts your SAP Integration Suite virtual environment and create a service instance and service key.
Proceed as described under [Creating Service Instance and Service Key for Inbound Authentication](creating-service-instance-and-service-key-for-inbound-authentication-19af5e2.md).
For this use case, specify the service instance and service key parameters as follows:
<table>
<tr>
<th valign="top">
</th>
<th valign="top" colspan="3">
Service Instance
</th>
<th valign="top" colspan="4">
Service Key
</th>
</tr>
<tr>
<th valign="top">
Option \(Certificate Type\)
</th>
<th valign="top">
Plan
</th>
<th valign="top">
Roles
</th>
<th valign="top">
Grant-types
</th>
<th valign="top">
Key Type
</th>
<th valign="top">
External Certificate
</th>
<th valign="top">
Validity
</th>
<th valign="top">
Key Size
</th>
</tr>
<tr>
<td valign="top">
SAP certificate
</td>
<td valign="top">
*integration-flow*
</td>
<td valign="top">
Keep standard role `ESBMessaging.send` or use one or more custom roles.
</td>
<td valign="top">
*Client Credentials*
</td>
<td valign="top">
*Certificate*
</td>
<td valign="top">
n.a.
</td>
<td valign="top">
Specify validity in days.
</td>
<td valign="top">
Specify key size.
</td>
</tr>
<tr>
<td valign="top">
External certificate
</td>
<td valign="top">
*integration-flow*
</td>
<td valign="top">
Keep standard role `ESBMessaging.send` or use one or more custom roles.
</td>
<td valign="top">
*Client Credentials*
</td>
<td valign="top">
*External Certificate*
</td>
<td valign="top">
Add PEM-encoded X.509 certificate.
</td>
<td valign="top">
n.a.
</td>
<td valign="top">
n.a.
</td>
</tr>
</table>
4. Configure the sender system.
1. Make sure that the sender keystore contains the root certificate of the load balancer server certificate.
Get this certificate using the Cloud Integration *Connectivity Test* \(pointing to the integration flow endpoint address\). From the downloaded `.zip` file, select the `*.cer` file of the root certificate and import it into the sender system keystore.
More information: [Using the Connectivity Test to Get the Load Balancer Server Root Certificate](using-the-connectivity-test-to-get-the-load-balancer-server-root-certificate-5d6cbf4.md)
2. Make sure that the sender keystore contains a client certificate that is signed by one of the CAs supported by the load balancer.
More information: [Load Balancer Root Certificates Supported by SAP](load-balancer-root-certificates-supported-by-sap-4509f60.md)
5. Configure the inbound communication for the related integration flow.
1. Go to the SAP Integration Suite *Design* section and edit the relevant integration flow.
2. Create a sender channel with an adapter type that supports this authentication option, and open the *Connection* tab of the sender adapter.
3. For *Authorization*, choose *User Role* and specify the role. You can keep the default role name `ESBMessaging.send`, or select a custom role if you want to use a dedicated role to control who is authorized to process the integration flow.
> ### Note:
> If for *Authorization* you alternatively select *Client Certificate*, you can set up a specific variant of client certificate authentication. Using this variant, sender authorization is checked on the tenant by evaluating the subject/issuer distinguished name \(DN\) of the certificate \(sent together with the inbound request\). However, we don't recommend this option anymore because it has the following disadvantages:
>
> - When the client certificate is renewed, the integration flow needs to be redeployed.
>
> - Because only the DNs are checked, and not the whole certificate, the security level is decreased.
4. After you have finished configuring the integration flow, including the processing steps for your scenario, deploy the integration flow on the tenant.
To do this, save the integration flow and select *Deploy*.
<a name="loio7f84d16aa42741efb08dc9875743e47c__postreq_a2n_zmz_1tb"/>
## Next Steps
Configure the request from the sender to the integration flow endpoint.
With the request, the sender has to pass on a certificate chain that contains a root certificate supported by the load balancer \(see [Load Balancer Root Certificates Supported by SAP](load-balancer-root-certificates-supported-by-sap-4509f60.md)\). Otherwise, the load balancer doesn't pass on the client certificate to SAP Cloud Integration.
- When you use an SAP-generated client certificate \(with *Key Type* set to *Certificate*\), the service key contains a certificate chain and a private key \(see [Creating Service Instance and Service Key for Inbound Authentication](creating-service-instance-and-service-key-for-inbound-authentication-19af5e2.md)\). The certificate chain already contains a root certificate supported by the load balancer.
You can use these values to configure the request.
> ### Note:
> To enable the related HTTP client to support this authentication option, you need to format the certificate \(including the certificate chain\) and the key accordingly. In particular, make sure to replace all `\n` in the SAP-generated certificate or key with line breaks.
>
> A suitable certificate, for example, would then look like the following:
>
> ```
> -----BEGIN CERTIFICATE-----
> MIIFtDCCA5ygAwIBAgIQCUFIj6cfjiSfZi/ZvVU6IDANBgkqhkiG9w0BAQsFADB5
> ................................................................
> ................................................................
> ................................................................+
> LvHPhNDM3rMsLu06agF4JTbO8ANYtWQTx0PVrZKJu+8fcIaUp7MVBIVZ
> -----END CERTIFICATE-----
> ```
- When you use an external certificate \(with *Key Type* set to *External Certificate*\), the service key displays only the public key certificate provided by you \(see [Creating Service Instance and Service Key for Inbound Authentication](creating-service-instance-and-service-key-for-inbound-authentication-19af5e2.md)\). To configure the request, use the key pair exported from the application used to generate the client certificate.
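The following Python script is an added example of the sender-side configuration described in this section; it is not SAP's code and not part of the original page. It takes a service key of *Key Type* *Certificate*, normalizes the certificate chain and private key \(covering both the JSON-decoded form and a value pasted with literal `\n` sequences, as the Note above warns\), writes them to files, and builds an mTLS client that presents the chain to the load balancer. The service key layout \(an `oauth` object with `certificate`, `key` and `url` fields\), the `CPI_ENDPOINT` and `CPI_ROOT_CA` environment variables, and the certificate bodies in the sample are constructed assumptions, not real key material.

```python
"""Added example (not SAP's own code): prepare the SAP-generated client
certificate and key from a Cloud Integration service key and use them for an
mTLS call to an integration-flow endpoint."""
import json
import os
import re
import ssl
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

# Constructed sample that mimics the JSON of a service key with Key Type
# "Certificate". The field names ("oauth", "certificate", "key", "url") are an
# assumption, and the base64 bodies are placeholders, not real key material.
SAMPLE_SERVICE_KEY_JSON = r'''{
  "oauth": {
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIFtDCCA5ygAwIBAgIQCUFIj6cfjiSfZi\nLvHPhNDM3rMsLu06agF4JTbO8ANYtWQTx0PVrZKJu\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIEvzCCA6egAwIBAgIQ\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIDrzCCApegAwIBAgIQ\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n",
    "url": "https://tenant.it-cpi.cfapps.eu10.hana.ondemand.com"
  }
}'''

PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)


def normalize_pem(value: str) -> str:
    """Return file-ready PEM text from a value copied out of a service key.

    Accepts both the JSON-decoded form (real newlines) and a value pasted with
    literal backslash-n sequences, which is what the Note above warns about.
    """
    text = value.replace("\\n", "\n").replace("\r\n", "\n").strip()
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM block found in value")
    return "\n".join(b.strip() for b in blocks) + "\n"


def split_chain(pem_text: str) -> list:
    """Individual CERTIFICATE blocks of a PEM chain, in the order given."""
    return [b for b in PEM_BLOCK.findall(pem_text) if "CERTIFICATE" in b]


def prepare_material(service_key_json: str) -> dict:
    """Extract and normalize the client certificate chain and private key."""
    data = json.loads(service_key_json)
    creds = data.get("oauth", data)          # layout assumption, see above
    cert_chain = normalize_pem(creds["certificate"])
    private_key = normalize_pem(creds["key"])
    chain = split_chain(cert_chain)
    if not chain:
        raise ValueError("service key holds no certificate")
    if "PRIVATE KEY" not in private_key:
        raise ValueError("service key holds no private key")
    return {
        "cert_chain": cert_chain,
        "private_key": private_key,
        "chain_length": len(chain),       # leaf + intermediates + root
        "url": creds.get("url"),
    }


def write_material(material: dict, out_dir: Path) -> tuple:
    """Write chain and key to files; the key gets owner-only permissions."""
    cert_file = out_dir / "client-chain.pem"
    key_file = out_dir / "client-key.pem"
    cert_file.write_text(material["cert_chain"])
    key_file.write_text(material["private_key"])
    os.chmod(key_file, 0o600)
    return cert_file, key_file


def make_ssl_context(cert_file: Path, key_file: Path, ca_file=None) -> ssl.SSLContext:
    """TLS context that presents the client chain. ca_file is the load balancer
    root certificate obtained via the Connectivity Test (system store if None)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=str(cert_file), keyfile=str(key_file))
    return ctx


def call_endpoint(endpoint_url: str, ctx: ssl.SSLContext, body: bytes) -> tuple:
    """POST body to the integration flow endpoint over mTLS; return (status, response)."""
    req = urllib.request.Request(endpoint_url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        # An HTTP error here usually means no service key holds this certificate
        # or the service instance lacks the role set as User Role on the adapter.
        return exc.code, exc.read()


if __name__ == "__main__":
    material = prepare_material(SAMPLE_SERVICE_KEY_JSON)
    print(f"chain has {material['chain_length']} certificate(s)")
    cert_file, key_file = write_material(material, Path(tempfile.mkdtemp()))
    print("wrote", cert_file, key_file)
    # A real call only when an endpoint is supplied; the sample material is a placeholder.
    endpoint = os.environ.get("CPI_ENDPOINT")   # assumed variable, e.g. <url>/http/<path>
    if endpoint:
        ctx = make_ssl_context(cert_file, key_file, os.environ.get("CPI_ROOT_CA"))
        print(call_endpoint(endpoint, ctx, b'{"hello": "world"}'))
```

The files written by `write_material` are also what a command-line client needs: `curl --cert client-chain.pem --key client-key.pem --cacert root.cer <endpoint>` sends the same chain, and because the chain from the service key already ends in a root supported by the load balancer, no further trust configuration is required on the sender side. For an external certificate, replace the sample with the key pair exported from the tool that generated it; the normalization and the TLS setup stay the same.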