function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

Webservice call from to an external system


I am working on integrating and external system (ERP).  I am making a call out using SOAP API

What I have provided to third party?
- Create a user for integration and shared the username,password&securitytoken
-Created an global apex class with webservice methods.
-Generated WSDL from above class
-Generated Enterprise WSDL

What I received from third party?
-WSDL (https end point)
-.PEM certificate and .pfx format certifcate

Development process on Salesforce side

I have generated a single Apex class (Gnerate from WSDL) from the WSDL I recieved from third party.

One of the classes generated is below

public class HTTPS_Port {
        public String endpoint_x = ‘bhla bhla…’;
        public Map<String,String> inputHttpHeaders_x;
        public Map<String,String> outputHttpHeaders_x;
        public String clientCertName_x;
        public String clientCert_x;
        public String clientCertPasswd_x;
        public Integer timeout_x;

              new String[]{endpoint_x,
            response_x = response_map_x.get('response_x');
            return response_x.FStatus;

I have generated an apex class to call the third party service (above generated class). In this class I have to provide the following

public String clientCertName_x;// may be this is required if the certificate is generated with in SAlesforce org. So I might not need to pass this info.
        public String clientCert_x; // This is the certifcate which has based64. I am good with this
        public String clientCertPasswd_x; // what is the password i need to enter  here. I asked third party to give this password but they say don't have it. Where do i get this password from?

My call fails if I don't enter the password. Error is - CertPasswd cannot be null
If the give a blank string for the password, the Error is "Error MessageIO Exception: DER input, Integer tag error"

I am stuck with the password issue here. Can someone help me out if there is something to be on Salesforce side? Am I missing something?

Any help is greatly appreciated.

Thank you!

AmitAmit (Salesforce Developers) 
There are two types of certificates. Both certificates must exist.
* Server certificate
* Client Certificate

Server Certificate:
* This certifies the web server
* Customer has to pay for this certificate to their certification agency.
* This certificate must reside on their server.
* File extension is usually .cer
* The 3rd Party has to be a trusted CA (Certificate Authority) (

Client Certificate:
* This certifies the client.
* This certificate can be signed by a trusted CA for improved security (optional, not required).
* There are two ways in which this client certificate can be created
                * Created in their web server.
                * Created in Salesforce
The Client Certificate only has the receiving web server (the Salesforce server does not matter); therefore the same Client Certificate can be used regardless of the call is made from the production ORG or from the sandbox, as long as the destination server is the same.

Client Certificate (Created in their web server):
The keystore has to be built and the certificate is exported in PKCS12 format.
When this certificate is generated, a password is also created.
This certificate is embedded in the Apex code. Since it is just ASCII letters (Base64), it goes on a String variable.

The clientCert_x is the keystore certificate in PKCS12 format

The clientCertPasswd_x is the password used for the web server's keystore (when the certificate was added).
               * This Server must be certified using a 3rd Party Signed Certificate
               * The certificate being added to the keystore is the Keystore certificate.

The keystore owner must give the developer the certificate and the password.
                * We can't help if they don't want to share the password. The whole concept of using PKCS12 is to give access to the trusted parties.
                * They don't need to share the password of their server certificate, just the private key of the certificate.

Client Certificate (Created in Salesforce):
* The certificate is generated in Salesforce (Setup > Administration Setup > Security Controls > Certificate and Key Management)
* The certificate must them be installed on the web server’s keystore.
* A link to this certificate is embedded in the Apex code.

Please refer to this doc for more information :
Hi Amit,

I was able to resolve the Issue a few days back. Anyways thanks for the information. 
Hi SFDC12,
I read your question, and realized I'm experiencing many of the same certificate and password issues. (Also sounds like we're developing very silimar solutions.) I have not resolved the issue yet, and is very interested in looking at how you did it. If we are in fact developing the same thing, I'm sure I will be able to give help and input to you in return.

I am working with a web service callout from Salesforce to the external ERP system only, so the external system will  not invoke the SFDC API. What is the certificate situation at the endpoint in this scenario? I have two possible solutions:

1. Generate SFDC sertificate and install at the endpoint. The problem with this is that the endpoint server requires private keys in all certificates, but Salesforce does not provide this.
2. Use the currently installed cerficate. The problem with this is how to pass along the HTTP auth username and password for the webservice. The stub provided by WSDLtoAPEX does only contain fields for certificate password.
Hello Deloitte_mgraff,

Sorry for the delay. I had resolved my problem by generating a certificate in as we used 2way SSL. It is important to know if its one way SSL or two way SSL.

The certificate i generated was installed at the endpoint server (Data Power -  didn't need any key). I just had to provide the certificate name in my code, So when ever I request the ERP service, automatically passes this certificate to end point and endpoint server verifies this as it was already installed. This is how it authorizes.

When you generated WSDL2APex, you get the following class too. I imported all the classes into one Apex class 'XYZ'

public class HTTPS_Port
        public String clientCertName_x;
        public String clientCert_x;             // not required with the new process
        public String clientCertPasswd_x; // not required with the new process


I am calling this class in another Apex class

XYZ.HTTPS_Port port = new XYZ.HTTPS_Port();
         port.clientCertName_x = 'TestCERT'; // TestCERT is the certificate I generated in Salesforce and the same was installed on endpoint server

Also, you will have to provide the ERP team with the interface user details (username, password+security token). This will allow them to initiate the SFDC login and then they would receive the sessionID (for this, you will have to give them your EnterpriseWSDL) automatically. This is the first you need to do.

I was able to make successfull calls (inbound & outbound). I might not have put these notes in details believing you are already aware of some info since you are in the middle of the process but plese let me know if you need anything in detail.

I hope this helps.

Thanks for the reply SFDC12, and I am sorry for the delay myself. We are only using one-way SSL, and the problem is connecting Salesforce to the ERP system. We have installed a self-signed certificate at the endpoint, but get this error when trying to connect: "System.CalloutException: IO Exception: No subject alternative names present"
Kirubakaran Shanmugam 1Kirubakaran Shanmugam 1
Hi  Deloitte_mgraff

How did you resolve this issue finally. I am alos arunning into similar situation and your inputs will be helpful.
kerlvine dussoyekerlvine dussoye

Does having a certificate on an External service mandatory for web service communication? 
Actually, I have an issue making an external callout. I have tested  my WSDL file on SOAPUI and it works fine. Only when I send data from Salesforce, I have the error  'IO Exception: input contained no data'. Is it because I don't have a certificate on the external server. The external server is on APACHE.

Thanks for advice. 
king kpking kp
Hi Mounika Dammannagari,

I have  faced on same Requirement did't get the Solutions could please help me,so help full for me,please mounika

This is my mobile Num.9731512878 or put your Mail id please help me


Hi Kullayappa,

Did you manage to find a way through this? I am facing the same requirements and issues myself.

king kpking kp
Hi Daniel,

 i got the problem this is my skype id:kullayappa.adapala
once your free please let me know

i will Explan for you

Sandip ChakrabortySandip Chakraborty
hi SFDC Devi, 
We are trying to make an outbound apex call out and we already created a CA signed certificate and get it signed by CA and udpate it back in Certificate & key management. Now I think we need to share the same with the server whome I am trying to connect so that they can install the same at their end. Later while Making a call , I will mention the Certificate name in my request. 

Is that correct steps to follow ?

Lakshmi sambandham 14Lakshmi sambandham 14
Hi Folks,

Currently working on the project  sso integration with third party,

Process 1 :- SSO Third party connection (salesforce is an identity Provider and Third party (Fidelity is a service provider) è Done

Process 2:- Testing the end point URL with SOAP UI tool, Client has sent the WSDL file, I did generated the wsdl file.

public class wwwFmrCom {
    public class Echo {
        public String endpoint_x = '';
        public Map<String,String> inputHttpHeaders_x;
        public Map<String,String> outputHttpHeaders_x;
        public String clientCertName_x='SWBC_Fidelity_2019_UAT';
        public String clientCert_x;
        public String clientCertPasswd_x;
        public Integer timeout_x;
        public xmlnsFmrComInstitutionalCommonHe.ExternalPrincipalIdentity ExternalPrincipalIdentity;
        public xmlnsFmrComInstitutionalCommonHe.ExternalProcessingDirectives ExternalProcessingDirectives;
        private String ExternalPrincipalIdentity_hns = 'ExternalPrincipalIdentity=';
        private String ExternalProcessingDirectives_hns = 'ExternalProcessingDirectives=';
        private String[] ns_map_type_info = new String[]{'', 'xmlnsFmrComInstitutionalApi', '', 'wwwFmrCom', '', 'xmlnsFmrComInstitutionalCommonHe', '', 'xmlnsFmrComInstitutionalCommonHe', '', 'xmlnsFmrComInstitutionalCommonErr'};
        public String Echo(String Input) {
            xmlnsFmrComInstitutionalApi.Echo request_x = new xmlnsFmrComInstitutionalApi.Echo();
            ExternalPrincipalIdentity = new xmlnsFmrComInstitutionalCommonHe.ExternalPrincipalIdentity();
            ExternalPrincipalIdentity.B2BPartnerPrincipalId = '6060000690'; 
            ExternalPrincipalIdentity.RequestorId = '0136500009';
            ExternalPrincipalIdentity.AuthMethod = 'Certificate';
            ExternalPrincipalIdentity.PrincipalDomain = 'Correspondent';
            ExternalPrincipalIdentity.PrincipalRole = 'Correspondent';   
            ExternalProcessingDirectives = new xmlnsFmrComInstitutionalCommonHe.ExternalProcessingDirectives();
            ExternalProcessingDirectives.LogTrackingId = 'Sample';
            request_x.Input = Input;
            xmlnsFmrComInstitutionalApi.EchoResponseType response_x;
            Map<String, xmlnsFmrComInstitutionalApi.EchoResponseType> response_map_x = new Map<String, xmlnsFmrComInstitutionalApi.EchoResponseType>();
            response_map_x.put('response_x', response_x);
              new String[]{endpoint_x,
            response_x = response_map_x.get('response_x');
            return response_x.Echo;

wwwFmrCom.Echo  echoTest = new wwwFmrCom.Echo();
String  strResponse =  echoTest.Echo('Hello there');

Line: 31, Column: 1
System.CalloutException: Web service callout failed: WebService returned a SOAP Fault: faultcode=ns2:ServiceErrors faultactor=

Please let me know any thing i need to change or is there any cert issue, i am stuck in here..

Thank you,