Former Member

Blocking issue after replacing a SSL certificate ok with a new SSL EV (Extended Validation) one

Dear Security Experts,

I need your kind help, in case you can support us, with a problem which is preventing us from using a quite critical (UK HMRC Gov site) web-service-based application which used to work like a charm until we replaced the SSL certificate downloaded from the web service application host.

What we see changed is that:

WITH PREVIOUS SSL CERTIFICATE NO PROBLEM:

At expiry (as required by the certificate and host owner) we used to download the new certificate from ‘https://emcs.ws.hmrc.gov.uk’, and after importing it in SAP with STRUST and testing it we had absolutely no problem. We also noticed that the Target Host shown hereunder matched the website URL indicated for using the web service we needed.

WITH NEW SSL EV (Extended Validation) WE ARE BLOCKED INSTEAD:

After downloading the new certificate from ‘https://emcs.ws.hmrc.gov.uk’ and importing it in SAP as always, we cannot work anymore and notice the two following problems:


a) The Target Host hereunder no longer matches the website URL ‘https://emcs.ws.hmrc.gov.uk’ that we used to know and from which we download the new certificate itself:



and when our app calls the webservice normally expected to know URL emcs.ws... the new Target Host displays instead (it has a page for human manual login...)


b) The application fails with different kinds of errors reported in the SMICM logs (SSL_ERROR_SSL, SSSLERR_SSL_CONNECT related to icxxconn.c): in the logs we can see details of the SSL NI-sock parameters, from our local=IP:PORT (normally high, >50000) and the web service host that we need to call at peer=23.223.63.18:443


The web service provider states on this issue that the endpoints we need to submit to are unchanged and remain as detailed on page 1 of the ‘EMCS Guide to Web Services’ document published at http://www.hmrc.gov.uk/softwaredevelopers/emcs/emcs-guide.pdf. For example, if we still send a message to WS https://emcs.ws.hmrc.gov.uk/EMCS/SubmitDraftMovement/3. However, the relevant certificate authentication is at ‘emcs.ws.hmrc.gov.uk’ level.


Thank you in advance for kind indications about what you would check at our SAP side in order to recover web service communication with the new certificate installed and the diagnostics given (for a.m. I apologize as I am no SAP Security expert but only local project demand manager).


Kind regards,

Aldo


1 Answer

  • Best Answer
    Former Member
    Sep 16, 2014 at 08:28 AM

    Currently checking the following two notes:

    1947917 - ADS SSL configuration with Basic Authentication:

    checking if it is possible to set up "Target Host" according to the former conventional use that worked OK

    1835332 - STRUST test signature for SSL PSE does not work:

    checking if the required SP and PL in the note could solve our current issues with the new SSL EV certificate.

    Thanks if in the meantime anybody could share any additional hint from experience!

    KR++ Aldo


    • Former Member

      Issue solved by our SAP Partner Present Milano (currently in test environment) after reference to and updating kernel patch level and SAP crypto libraries