
Blocking issue after replacing a SSL certificate ok with a new SSL EV (Extended Validation) one

Dear Security Experts,

I need your kind help, in case you can support, with a problem which is preventing us from using a quite critical (UK HMRC Gov site) web service based application which used to work like a charm until we replaced the SSL certificate downloaded from the web service application host.

What we see changed is that:

WITH PREVIOUS SSL CERTIFICATE NO PROBLEM:

at expiry (as required by certificate+host owner) we used to download new certificate from ‘https://emcs.ws.hmrc.gov.uk’ and after importing it in SAP with STRUST and testing it we had no problem absolutely and we noticed that Target Host here under was matching website URL indicated for using the webservice we needed

WITH NEW SSL EV (Extended Validation) WE ARE BLOCKED INSTEAD:

after downloading new certificate from ‘https://emcs.ws.hmrc.gov.uk’ and importing it in SAP as always we cannot work anymore and notice two following problems:


a) Target Host hereunder does not match anymore the website URL ‘https://emcs.ws.hmrc.gov.uk’ we used to know and from where we download the new certificate itself:



and when our app calls the webservice normally expected to know URL emcs.ws... the new Target Host displays instead (it has a page for human manual login...)


b) application fails with different kinds of errors reported in SMICM logs (SSL_ERROR_SSL, SSSLERR_SSL_CONNECT related to icxxconn.c): in the logs we can see details of SSL NI-sock parameters from our local=IP:PORT (normally high, >50000) and the web service host that we need to call at peer=23.223.63.18:443


The web service provider states that the endpoints we need to submit to are unchanged and remain as detailed on page 1 of the ‘EMCS Guide to Web Services’ document published at http://www.hmrc.gov.uk/softwaredevelopers/emcs/emcs-guide.pdf. For example, if we still send a message to WS https://emcs.ws.hmrc.gov.uk/EMCS/SubmitDraftMovement/3. However, the relevant certificate authentication is at ‘emcs.ws.hmrc.gov.uk’ level.


Thank you in advance for kind indications about what would you check at our SAP side in order to recover web service communication with new certificate installed and diagnostics given (for a.m. I apologize as I am no SAP Security expert but only local project demand manager).


Kind regards,

Aldo

Former Member
Former Member replied

Issue solved by our SAP Partner Present Milano (currently in test environment) after reference to SSSLERR_SERVER_CERT_MISMATCH and updating kernel patch level and SAP crypto libraries
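
Added example, not part of the original thread and not SAP code: a Python check of the DNS names in the certificate a server presents against the host name the client requested, assuming the mismatch reported above is between those two. The function names and the sample names are constructed for illustration.

```python
import socket
import ssl

# Constructed sample: names a server certificate might present (not real data).
SAMPLE_NAMES = ["login.example.test", "*.portal.example.test"]

def served_names(host, port=443, timeout=10):
    """Return the dNSName entries of the certificate the server presents.

    Chain validation stays on; only the automatic host-name check is
    disabled so a certificate issued for another name can be inspected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """RFC 6125 style match: '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label, e.g. "*.test".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(host, names):
    """Report which presented names, if any, cover the requested host."""
    matched = [n for n in names if name_matches(n, host)]
    return {"host": host, "ok": bool(matched),
            "matched": matched, "presented": list(names)}

if __name__ == "__main__":
    # Offline run on the constructed sample; for a live check use
    # diagnose(host, served_names(host)) from the calling system's network.
    print(diagnose("ws.example.test", SAMPLE_NAMES))
```

Run from the same network path as the calling system, since a proxy or content delivery front end may present a different certificate than the one seen in a browser elsewhere.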
