After deploying integration-hub to SAP CX cloud, our OData service integration to an external ERP system is failing with SSL handshake errors. The same integration configuration worked perfectly in our on-premise environment.
The error occurs during the initial connection attempt to the external OData endpoint:
SSLHandshakeException: sun.security.validator.ValidatorException
PKIX path building failed
Unable to find valid certification path to requested target
Endpoint: https://erp.partner-company.com/odata/v4
The external system uses a certificate from a commercial CA that should be trusted by default. Certificate trust configuration in the cloud seems to work differently than on-premise where we had direct access to the Java keystore. How should certificates and trust stores be managed for OData integrations in SAP CX cloud deployments?
I’ve accessed the Cloud Trust Manager and can see options for uploading certificates. However, there are multiple certificate types listed (TLS, Signing, Root CA). Which type should I select for an external OData endpoint certificate? Also, do I need to restart any services after uploading certificates for them to take effect?
For external OData endpoints, select ‘TLS Client Trust’ as the certificate type. This tells the cloud platform to trust this certificate for outbound HTTPS connections. After uploading, you don’t need to restart services manually - the cloud platform automatically refreshes trust stores within 5-10 minutes. However, you may need to retry your integration connection to trigger the trust validation again.
One important detail - verify that your OData integration configuration in the Integration Hub is using the cloud-managed trust store. There’s a setting called ‘Certificate Validation Mode’ that should be set to ‘Cloud Trust Store’ rather than ‘Custom’ or ‘Disabled’. If it’s set to Custom, the integration won’t use the certificates you uploaded to Cloud Trust Manager.
The PKIX path building error typically means the certificate chain is incomplete. Even though the endpoint certificate is from a commercial CA, the cloud environment might not have the intermediate CA certificates in its default trust store. You’ll need to download the complete certificate chain from the external system and upload all certificates (root, intermediate, and endpoint) to the cloud trust manager.
Also check if the external endpoint requires mutual TLS (client certificate authentication). Some ERP systems require the client to present a certificate during the SSL handshake. If that’s the case, you’ll need to generate a client certificate in SAP CX Cloud Trust Manager and provide the public key to the external system administrator for their trust configuration. This is a common requirement for B2B integrations that wasn’t always enforced in on-premise setups.
Cloud trust store management is completely different from on-premise. You can’t directly access the Java keystore in cloud deployments. Instead, you need to upload the external system’s certificate through the SAP CX Cloud Trust Manager. Navigate to Security > Trust Configuration > External Certificates and upload the certificate chain there.