ztis keystore is not refreshed after expiry #1134
Description
Describe the Bug
The ZTIS cert is incorrectly cached. It is never refreshed. isKeyStoreCached only checks if the SVID is the same and nothing else.
Steps to Reproduce
cannot be reproduced until the cert expires:
Event ERROR published: 2026-03-30T00:04:28.177051495Z[Etc/UTC]: CircuitBreaker 'mfedevprovider.accounts400.ondemand.com-c5f4927e-9af2-4177-9269-cadcae99f554' recorded an error: 'com.sap.cloud.sdk.cloudplatform.thread.exception.ThreadContextExecutionException: com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestFailedException: Failed to resolve access token.'.
com.sap.cds.CdsCommunicationException: com.sap.cds.services.utils.lib.tools.exception.ServiceException: com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: Header provider 'OAuth2HeaderProvider' threw an exception: com.sap.cloud.sdk.cloudplatform.thread.exception.ThreadContextExecutionException: com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestFailedException: Failed to resolve access token.
CircuitBreaker 'mfedevprovider.accounts400.ondemand.com-c5f4927e-9af2-4177-9269-cadcae99f554' recorded an exception as failure:
com.sap.cloud.sdk.cloudplatform.thread.exception.ThreadContextExecutionException: com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestFailedException: Failed to resolve access token.
at com.sap.cloud.sdk.cloudplatform.thread.ThreadContextExecutor.execute(ThreadContextExecutor.java:242) ~[cloudplatform-core-5.24.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.thread.DefaultThreadContextExecutorService.lambda$decorate$0(DefaultThreadContextExecutorService.java:68) ~[cloudplatform-core-5.24.0.jar:na]
at com.sap.cds.integration.cloudsdk.decorator.CdsThreadContextDecorator.lambda$decorateCallable$0(CdsThreadContextDecorator.java:37) ~[cds-integration-cloud-sdk-4.5.0.jar:na]
at com.sap.cds.services.impl.runtime.RequestContextRunnerImpl.run(RequestContextRunnerImpl.java:301) ~[cds-services-impl-4.5.0.jar:na]
at com.sap.cds.integration.cloudsdk.decorator.CdsThreadContextDecorator.lambda$decorateCallable$1(CdsThreadContextDecorator.java:34) ~[cds-integration-cloud-sdk-4.5.0.jar:na]
at java.base/java.util.concurrent.FutureTask.run(Unknown Source) ~[na:na]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) ~[na:na]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) ~[na:na]
at java.base/java.lang.Thread.run(Unknown Source) ~[na:na]
Caused by: com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestFailedException: Failed to resolve access token.
at com.sap.cloud.sdk.cloudplatform.connectivity.OAuth2Service.buildException(OAuth2Service.java:222) ~[connectivity-oauth-5.24.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.OAuth2Service.lambda$executeClientCredentialsFlow$1(OAuth2Service.java:208) ~[connectivity-oauth-5.24.0.jar:na]
at io.vavr.control.Try.getOrElseThrow(Try.java:747) ~[vavr-0.10.7.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.OAuth2Service.executeClientCredentialsFlow(OAuth2Service.java:208) ~[connectivity-oauth-5.24.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.OAuth2Service.lambda$retrieveAccessToken$0(OAuth2Service.java:154) ~[connectivity-oauth-5.24.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.resilience4j.Resilience4jDecorationStrategy.lambda$decorateCallable$2(Resilience4jDecorationStrategy.java:175) ~[resilience4j-5.24.0.jar:na]
at io.github.resilience4j.bulkhead.Bulkhead.lambda$decorateCallable$5(Bulkhead.java:173) ~[resilience4j-bulkhead-2.3.0.jar:2.3.0]
at com.sap.cloud.sdk.cloudplatform.thread.ThreadContextExecutor.call(ThreadContextExecutor.java:293) ~[cloudplatform-core-5.24.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.thread.ThreadContextExecutor.execute(ThreadContextExecutor.java:236) ~[cloudplatform-core-5.24.0.jar:na]
... 8 common frames omitted
Caused by: com.sap.cloud.security.xsuaa.client.OAuth2ServiceException: Error requesting access token!. Server URI https://mfedevprovider.accounts400.ondemand.com/oauth2/token. Response body '(certificate_expired) Received fatal alert: certificate_expired'. Request Headers [Content-Type: application/x-www-form-urlencoded, Accept: application/json, X-CorrelationID: 75add900-ef96-47a4-a9c7-f010a8d1df0a, User-Agent: token-client/3.6.5]
at com.sap.cloud.security.xsuaa.client.OAuth2ServiceException$Builder.build(OAuth2ServiceException.java:146) ~[token-client-3.6.5.jar:na]
at com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService.executeRequest(DefaultOAuth2TokenService.java:117) ~[token-client-3.6.5.jar:na]
at com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService.requestAccessToken(DefaultOAuth2TokenService.java:63) ~[token-client-3.6.5.jar:na]
at com.sap.cloud.security.xsuaa.client.AbstractOAuth2TokenService.getAndCacheToken(AbstractOAuth2TokenService.java:289) ~[token-client-3.6.5.jar:na]
at com.sap.cloud.security.xsuaa.client.AbstractOAuth2TokenService.getOrRequestAccessToken(AbstractOAuth2TokenService.java:248) ~[token-client-3.6.5.jar:na]
at com.sap.cloud.security.xsuaa.client.AbstractOAuth2TokenService.getOAuth2TokenResponse(AbstractOAuth2TokenService.java:231) ~[token-client-3.6.5.jar:na]
at com.sap.cloud.security.xsuaa.client.AbstractOAuth2TokenService.retrieveAccessTokenViaClientCredentialsGrant(AbstractOAuth2TokenService.java:113) ~[token-client-3.6.5.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.OAuth2Service.lambda$executeClientCredentialsFlow$1c851743$1(OAuth2Service.java:201) ~[connectivity-oauth-5.24.0.jar:na]
at io.vavr.control.Try.of(Try.java:74) ~[vavr-0.10.7.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.OAuth2Service.executeClientCredentialsFlow(OAuth2Service.java:199) ~[connectivity-oauth-5.24.0.jar:na]
Expected Behavior
auto update of certificates. Certificate rotation should happen post expiry
Screenshots
No response
Used Versions
- Java and Maven version via mvn --version: ...
- SAP Cloud SDK version: .
- Spring Boot or CAP version: ...
Dependency tree via mvn dependency:tree
Dependency tree here
Code Examples
// Your code here
Stack Trace
No response
Log File
[Log](url) file
...
Affected Development Phase
Release
Impact
Blocked
Timeline
No response
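
An added example, not code from this issue or from the SAP Cloud SDK: a cache validity check that requires both a matching SVID identifier and an unexpired certificate, the second condition the report says isKeyStoreCached lacks. The class, its method names, the refresh margin and the sample values are assumptions.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.*;
import java.util.Collections;

// Hypothetical class: none of these names come from the SAP Cloud SDK.
public class ExpiryAwareKeyStoreCache {
    private final Clock clock;
    private final Duration refreshMargin; // refresh this long before notAfter
    private String cachedSvidId;
    private Instant cachedNotAfter;
    ExpiryAwareKeyStoreCache(Clock clock, Duration refreshMargin) {
        this.clock = clock;
        this.refreshMargin = refreshMargin;
    }
    // Earliest notAfter over every X.509 certificate chain in the key store.
    static Instant earliestExpiry(KeyStore ks) throws KeyStoreException {
        Instant earliest = Instant.MAX;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) continue; // not a key entry
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue;
                Instant notAfter = ((X509Certificate) c).getNotAfter().toInstant();
                if (notAfter.isBefore(earliest)) earliest = notAfter;
            }
        }
        return earliest;
    }
    // A real caller would pass earliestExpiry(keyStore) as notAfter.
    void store(String svidId, Instant notAfter) {
        cachedSvidId = svidId;
        cachedNotAfter = notAfter;
    }

    // Identity match alone is not enough: the cached certificate must still be valid.
    boolean isUsable(String svidId) {
        return svidId.equals(cachedSvidId)
            && clock.instant().isBefore(cachedNotAfter.minus(refreshMargin));
    }

    public static void main(String[] args) {
        Instant notAfter = Instant.parse("2030-01-01T00:00:00Z"); // constructed sample value
        Clock afterExpiry = Clock.fixed(notAfter.plusSeconds(60), ZoneOffset.UTC);
        ExpiryAwareKeyStoreCache cache = new ExpiryAwareKeyStoreCache(afterExpiry, Duration.ofMinutes(5));
        cache.store("spiffe://example.test/app", notAfter); // constructed SVID identifier
        System.out.println(cache.isUsable("spiffe://example.test/app")); // same SVID, clock past notAfter
    }
}
```

With the refresh margin, the entry stops being reusable shortly before notAfter, so a replacement key store is loaded before a TLS handshake can fail with certificate_expired.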