Dear Security Experts,
I need your kind help, in case you can support us, with a problem which is preventing us from using a quite critical (UK HMRC Gov site) web-service-based application, which used to work like a charm until we replaced the SSL certificate downloaded from the web service application host.
What we see changed is that:
WITH PREVIOUS SSL CERTIFICATE NO PROBLEM:
at expiry (as required by certificate+host owner) we used to download the new certificate from ‘https://emcs.ws.hmrc.gov.uk’, and after importing it in SAP with STRUST and testing it we had absolutely no problem, and we noticed that the Target Host hereunder was matching the website URL indicated for using the webservice we needed
WITH NEW SSL EV (Extended Validation) WE ARE BLOCKED INSTEAD:
after downloading the new certificate from ‘https://emcs.ws.hmrc.gov.uk’ and importing it in SAP as always, we cannot work anymore and notice the following two problems:
a) Target Host hereunder does not match anymore the website URL ‘https://emcs.ws.hmrc.gov.uk’ we used to know and from where we download the new certificate itself:
and when our app calls the webservice normally expected to know URL emcs.ws... the new Target Host displays instead (it has a page for human manual login...)
b) application fails with different kinds of errors reported in SMICM logs (SSL_ERROR_SSL, SSSLERR_SSL_CONNECT related to icxxconn.c): in the logs we can see details of SSL NI-sock parameters from our local=IP:PORT(normally high>50000) and web service host that we need to call at peer=18.104.22.168:443
The web service provider states that the endpoints we need to submit to are unchanged and remain as detailed on page 1 of the ‘EMCS Guide to Web Services’ document published at http://www.hmrc.gov.uk/softwaredevelopers/emcs/emcs-guide.pdf. For example, if we still send a message to WS https://emcs.ws.hmrc.gov.uk/EMCS/SubmitDraftMovement/3. However, the relevant certificate authentication is at ‘emcs.ws.hmrc.gov.uk’ level.
Thank you in advance for kind indications about what you would check on our SAP side in order to recover web service communication with the new certificate installed and the diagnostics given (for a.m. I apologize, as I am no SAP Security expert but only the local project demand manager).