SAP connections to HMRC - Important Technical Changes from 20th April 2019

HMRC have informed software vendors that from 20th April 2019, they will stop supporting TLS 1.0 and recommend the use of TLS 1.2 for connections to their systems. SAP Note 27050539 contains SAP’s information on this change. 


The change will affect users of SAP Payroll for the Real-time Information (RTI) connection to the HMRC Transaction Engine, formerly HMRC Government Gateway. 


What is TLS?

TLS stands for Transport Layer Security and is a cryptographic protocol to provide secure communications over a network.  The predecessor to TLS is Secure Sockets Layer (SSL).


TLS version 1.2 offers security benefits over TLS 1.0 and other older versions.  Following advice from the National Cyber Security Centre, many services are now forcing clients to use TLS version 1.2, which may mean upgrades are required.


What do I need to do?

SAP Process Integration (PI) or SAP Process Orchestration (PO) are used by payroll in SAP ERP or S/4HANA to connect to the HMRC Transaction Engine.


If your SAP PI or SAP PO system has been updated to the latest support package stack in 2018 or 2019 onwards, then it is unlikely that you need to do anything to get support for TLS 1.2.


If you haven’t applied the latest support package stack for a few years, then you need to check if your system supports TLS 1.2. 



SAP Process Integration (PI)

To support TLS 1.2 you need a kernel of at least release 720 with patch level 88, and CommonCryptoLib 8.4.31 or higher, and you must configure the relevant profile parameters.  Full details are in SAP Note 2110020 and SAP Note 510007.
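As an added example (not from SAP or from the original article), the sketch below checks an inventory of PI systems against the minimums quoted above, comparing version components numerically so that 8.4.9 is not mistaken for something newer than 8.4.31. The system IDs and versions are constructed, and treating kernel releases above 720 as "confirm in SAP Note 2110020" is an assumption, since the article gives a patch level only for release 720.

```python
# Added example: thresholds come from the SAP PI paragraph above; the
# inventory below is constructed sample data, not real systems.
MIN_KERNEL_RELEASE = 720
MIN_KERNEL_PATCH = 88
MIN_CCL = (8, 4, 31)


def parse_version(text):
    """Turn '8.4.31' into (8, 4, 31) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def kernel_status(release, patch):
    """'ok', 'too_old', or 'check_note' where the article gives no patch level."""
    if release < MIN_KERNEL_RELEASE:
        return "too_old"
    if release == MIN_KERNEL_RELEASE:
        return "ok" if patch >= MIN_KERNEL_PATCH else "too_old"
    return "check_note"  # assumption: confirm newer releases in SAP Note 2110020


def ccl_status(version_text):
    return "ok" if parse_version(version_text) >= MIN_CCL else "too_old"


def assess(system):
    """Return the findings for one inventory row (empty list = nothing to do)."""
    findings = []
    k = kernel_status(system["kernel_release"], system["kernel_patch"])
    if k == "too_old":
        findings.append("kernel below 720 patch level 88")
    elif k == "check_note":
        findings.append("kernel newer than 720: confirm patch level in SAP Note 2110020")
    if ccl_status(system["ccl"]) == "too_old":
        findings.append("CommonCryptoLib below 8.4.31")
    return findings


# Constructed inventory (hypothetical system IDs and versions).
INVENTORY = [
    {"sid": "PI1", "kernel_release": 720, "kernel_patch": 88, "ccl": "8.4.31"},
    {"sid": "PI2", "kernel_release": 720, "kernel_patch": 401, "ccl": "8.4.9"},
    {"sid": "PI3", "kernel_release": 711, "kernel_patch": 300, "ccl": "8.5.2"},
    {"sid": "PI4", "kernel_release": 742, "kernel_patch": 12, "ccl": "8.4.100"},
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(row["sid"], assess(row) or "meets the minimums quoted above")
```

A clean result covers software levels only; the profile parameters mentioned above still have to be configured as described in the SAP Notes.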



SAP Process Orchestration (PO) based on SAP NetWeaver 7.1

If your SAP PO system is based on SAP NetWeaver 7.1 or higher, you don’t need to do anything if component J2EE ENGINE SERVERCORE has at least the following minimum support package levels:


If your NetWeaver 7.1+x system does not have one of the support package levels listed above (or higher) then you need to check for a patch to your current support package level, or update to a higher level.  SAP Note 2284059 lists the available patches.


Java systems based on SAP NetWeaver 7.0x

It is unlikely that you are using a Java-only environment with NetWeaver 7.0x for an HMRC interface, but if you have any present in your landscape that need TLS 1.2 then you need to check for a patch to your current support package level, and potentially update to a higher level.  SAP Note 2503155 lists the available patches.


You should note that SAP NetWeaver 7.0x Java stacks have been out of maintenance since the end of 2017, so you should upgrade or re-implement to avoid the risks of using unmaintained software.  Upgrading to the latest release with the latest support package level will also deliver TLS 1.2 support.



Ensuring Compliance

This change is slightly out of the ordinary: being ready for TLS 1.2 in time is a vital part of payroll compliance, but it is not a payroll department change.  It is generally handled by a systems administrator or SAP Basis specialist, so in most cases it will be necessary to reach out to the right colleagues.


If you need any assistance with verifying the software versions or configuring your systems, please feel free to contact me for specific advice.  We have a lot of experience in our technical team as we support our payroll colleagues in ensuring payroll compliance for our customers.


It’s important to start work on this now so that you can get it through your landscape in plenty of time for the 20th April 2019.