I have:

1. Set up in J2EE SSL provider of the dispatcher: Set client authentication to "Request client certificate" + added trusted CAs.

2. In "Security Provider" service (for the server) added ClientCertLoginModule as the first choise for component com.sap.aii.af.soapadatper*XISOAPAdapter

3. Mapped a user to a certificate. (in UME).

4. In XI directory on the SOAP communication channel set "HTTP Security Level" to "HTTPS with Client Authentication".

All this as described in note 891877.

But...XI still just asks for a username/password. Why? It does not request a certificate at all!

-AD