Technical Articles
Preparing Managed System Note Assistant (SNOTE) for Digitally Signed SAP Notes
Update on 09 December, 2019
SAP has released SAP Note “2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes” which simplifies the process of configuring individual steps to enable Note Assistant (SNOTE transaction) for Digitally Signed SAP Notes
RCWB_TCI_DIGITSIGN_AUTOMATION report provided with SAP Note 2836302 eliminates following individual steps –
- Implement SAP Notes 2408073, 2546220, 2508268 or Implement SAP TCI Note 2576306
- Configuring the SNOTE transaction to use the right procedure (RFC or HTTP or Download Service) for download of Digitally Signed SAP Note.
This note simplifies the process by providing guided steps for enabling your system for TCI and Digitally Signed SAP Notes. Refer pdf attached to SAP Note 2836302 for more details.
SAP now recommend to use RCWB_TCI_DIGITSIGN_AUTOMATION report to avoid unnecessary issues while enabling Note Assistant to work with digitally signed SAP Notes
Above message would be quite familiar this days in SAP Launchpad Portal when you try to access any SAP Note. Enough has been said on the same in multiple blogs but in this blog I will try to capture entire procedure to make your ABAP system – SAP Note Assistant (SNOTE) ready to communicate to updated SAP Backbone Support to download digitally signed SAP Notes.
Quick Overview
SAP’s Support Backbone is the central infrastructure located at SAP to provide technical
support to customers. SAP has updated it’s support backbone infrastructure, but the legacy infrastructure remains in place to allow a safe transition for SAP customers.
How customer gets impacted due to SAP’s Support Backbone update?
All customers with ABAP-based SAP systems needs to switch to the new infrastructure before January 2020 to ensure smooth connectivity.
Impact on SAP Solution Manager
You need to switch the communication of SAP Solution Manager to the new infrastructure before January 2020 to ensure continuous connectivity.
SAP Solution Manager 7.2 needs to be updated to Support Package Stack 07 or 08
Impact on SAP Note Assistant
SAP Note Assistant (transaction SNOTE) needs to be enabled to handle digitally signed downloads. To achieve this, SAP Note Assistant needs to be updated in every system where it is used.
Remark: The download of SAP Notes with SNOTE is no longer possible after January 1st, 2020 if SNOTE is not updated to handle digitally signed SAP Notes before this date.
Impact on ST-PI and ST-A/PI
All ABAP-based SAP systems which have direct connectivity to SAP (i.e. sending EWA reports directly to SAP) need to be updated with the latest ST-PI AddOn. You can find the required ST-PI and ST-A/PI versions in the FAQ.
Systems which do not have direct connectivity to SAP (because, for example, EWA reports are sent through SAP Solution Manager) do not need to update ST-PI and ST-A/PI. Nevertheless, SAP generally recommends to keep ST-PI and ST-A/PI updated in the managed systems.
- ST-PI 740 SP10
- ST-PI 2008_1_700 SP20
- ST-PI 2008_1_710 SP20
- ST-A/PI 01T* SP01
Handling of Technical Communication Users
Connections using generic users will not work anymore after January 1st, 2020. For this purpose, customers need to ensure that all connections use a technical communication user in all systems which have connectivity to SAP (this includes all systems directly sending EWA data to SAP and all systems where SAP Note Assistant is being used on).
A technical communication user is an isolated user used for connectivity purposes only. No logon at any SAP portals is possible with this user. The password of a technical communication user does not expire. Technical communication users can be requested via this app.
If you are still unfamiliar on what I’m talking about kindly refer below links to get more detailed insights –
Connectivity to SAP’s Support Backbone
Handling Digital Signed SAP Note
SAP Note Assistant
SAP is making SAP Notes more secure by ensuring all SAP Notes are digitally signed. The SAP Notes files can get maliciously modified and the customer unknowingly can upload the maliciously modified SAP Notes files into their ABAP systems. Therefore, SAP plans to deliver all SAP Notes files with digital signature to protect SAP Notes files with increased authenticity and improved security. SAP strongly recommend customers to upload only digitally signed SAP Note files
Till now, we were using SAPOSS RFC connection to download any SAP Notes from SAP’s Backbone support, but this is changed as now generic user like OSS_RFC will no longer be used to communicate to SAP Backbone system. Instead, we have to use technical communication users in all systems which have connectivity to SAP.
Pre-requisites SAP Notes
If you have TCI enabled, kindly implement SAP Note
- 2576306 – Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes
But if you don’t have TCI enabled, kindly implement below SAP Note.
- You have implemented the SAP Note 2408073 and SAP Note 2546220 for uploading digitally signed SAP Note and digital signature verification.
- You have implemented the SAP Note 2508268 for downloading digitally signed SAP Note
NOTE: It is recommended to enable TCI in the system, as it is a new way to deliver ABAP correction instructions to customer in flexible manner. Below is the high-level overview on when TCI is been used.
Enabling Note Assistant for TCI, kindly refer to below SAP Note and attached pdf in the note.
2187425 – Information about SAP Note Transport based Correction Instructions (TCI)
Once the pre-requisite steps has been completed, kindly follow below steps based on your system version
ABAP System: SAP_BASIS – 700 to 731 Only
SAP ABAP systems with lower SAP Releases (= lower than SAP Kernel 7.42 Patch Level 400) who want to download SAP notes or uses software components of ST-PI and ST-A/PI will still use RFC connection SAPOSS or SAPSNOTE, but changes with that RFC connection`s SAPOSS or SAPSNOTE are mandatory!
Check your SAP Kernel (System > Status)
As system kernel version is below 742, we can use SAPOSS connection but we need to make certain changes.
/H/<saprouter@customer>/S/3299/H/<saprouter@sap>/S/3299/H/oss001.wdf.sap.corp
Possible SAP Route entries for <saprouter@sap>
sapserv1 (194.117.106.129) Internet VPN connection
sapserv2 (194.39.131.34) Internet SNC connection
sapserv3 (147.204.2.5) for customers connected to Germany
sapserv4 (204.79.199.2) for customers in the United States
sapserv5 (194.39.138.2) for customers connected to Japan
sapserv7 (194.39.134.35) for customers in Asia Pacific Japan (APJ) including New Zealand and Australia
sapserv9 (169.145.197.110) for customers in APJ including New Zealand and Australia
sapserv10 (203.13.159.37) for customers in China
There is no change in logon group, you can use
1_PUBLIC
2_JAPANESE
EWA
ABAP System: SAP_BASIS 740 & Above
For system higher than 740, mandatory protocol is HTTPS so we need to configure RFC accordingly and make relevant changes so SAP Notes gets download using HTTPS protocol instead of RFC protocol i.e. SAPOSS
There is task list available to configure HTTPS communication. Task List is available in systems with at least SAP_BASIS 740 after applying TCI in SAP Note 2738426. So if you don’t have TCI enable you have to manually create RFC in SM59. For manual step follow “Digital Signature.pdf” attached to SAP Note 2576306 – Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes
Here I will be using task list to configure HTTPS communication channel, so for that SAP Note 2738426 needs to be implemented.
ssl/client_ciphersuites (step 3 in task list)
We need to set parameter ssl/client_ciphersuites and parameter value for enabling highest TLS protocol version with BEST-OPTION.
Recommended Configuration of Available TLS Protocol Versions (required for enabling TLSv1.2)
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
Restart the system after adding/changing parameter.
For more information, read SAP Note 510007 – Setting up SSL on Application Server ABAP
client certificate (step 4 in task list)
Once the Note has been implemented we need to export below client certificate in STRUST. Click on the link to get the certificate
- VeriSign Class 3 Public Primary Certification Authority – G5
- DigiCert Global Root CA
- DigiCert Global Root G2
- Baltimore CyberTrust Root
STRUST > SSL client SSL Client (Standard)
Note: You can import client certificate in SSL Client (Standard) or SSL Client (Anonymous), but relative option needs to selected while running task list otherwise you will get error while running task list. I have imported all the above client in SSL client (standard)
As you can see in Certificate List all 4 client certificate has been added but make sure you save it before you exit this transaction or execute task list
Generate Task List
STC01 > SAP_BASIS_CONFIG_OSS_COMM
In task 3, we can select where it can check certificates for SSL client. As we have added all certificates in ssl client (standard) we will keep that selection.
Enter parameter for 4th task – New OSS Comm: Create HTTPS Connections for SAP Services (SM59)
Only insert first three field i.e. Technical Communication User, Password and Router String and press enter. Remaining field under HTTPS Connection for Support Portal will automatically populated. Save the variant and go back
Direct download of Digital SAP Note – Setting
To directly download the digitally signed SAP Notes using SNOTE transaction, proceed as follows:
Defining Procedure for Downloading SAP Note (RCWB_SNOTE_DWNLD_PROC_CONFIG)
Defining File Type for Downloading SAP Note (RCWB_UNSIGNED_NOTE_CONFIG)
For SAP version 740 and above we have to set HTTPS Protocol to download SAP Note, to make this setting we need to define procedure for downloading SAP Note using RCWB_SNOTE_DWNLD_PROC_CONFIG report
On saving above procedure, SAP Notes will be downloaded using SAP-SUPPORT_NOTE_DOWNLOAD RFC destination and connection to SAP Support portal will be using SAP-SUPPORT_PORTAL
Download of unsigned SAP Notes as fallback. Following customization is also provided to choose download of unsigned SAP Note as fallback via the report RCWB_UNSIGNED_NOTE_CONFIG
Download of unsigned SAP Note in SNOTE will be supported only until end of 2019.
Validation
Download any SAP Note using SNOTE and in log you can see it is been downloaded to HTTPS protocol which is connected to SAP Backbone support system.
Regards,
Dennis Padia
Hi Dennis,
thanks for you blog! I have a question about this topic. My settings are done and I can download notes via HTTPS connection. But every time when I try to download a note I have to enter the User data for my Technical S-User. The following pupup appears:
It seems to be wrong for me or is this normal? Why should I enter the data when it is already set in the RFC destination. For me it is really annoying, because I need to remember all the S-User password combinations for different systems.
Thanks for comments!
Hello Sebastian,
It's not normal. When you download SAP Note it should not prompt you for credentials.
Can you please check below two RFC connection test. Result should be as below:
SAP-SUPPORT_PORTAL
SAP-SUPPORT_NOTE_DOWNLOAD
MANUAL connection test of the connection SAP-SUPPORT_NOTE_DOWNLOAD returns http code 404 - not found: connection is ok, for note download the path of the note is added
Kindly let me know your output for above two RFCs
Regards,
Dennis
Thanks for you comment Dennis. It was a simple password problem. At first the user was locked and i had to change the password. And then I forgot to enter the new password into the RFC-Destination. Now everything is fine!
Thanks!
Hi Sebastian,
MANUAL connection test of the connection SAP-SUPPORT_NOTE_DOWNLOAD returns http code 404 – not found: connection is ok, for note download the path of the note is added
i am not able to download the note and i have disabled SAPOSS Rfc in sm59 and tested through SAP-SUPPORT_NOTE_DOWNLOAD but it was through error.
what does it mean by "for note download the path of the note is added"
any manual activity required after this
Regards
Chandra
Hello Chandra,
If you refer below SAP Note, it is mentioned that SUPPORT_NOTE_DOWNLOAD will return 404 because the path mentioned in RFC (Target host) has only URL notesdownloads.sap.com, so when you do connection test it will return 404 but when any notes are being downloaded it will append the note in the path i.e. something like this notesdownloads.sap.com/2738426.
As I can see you have disabled SAPOSS RFC and you want your SAP Notes to be downloaded via SUPPORT_NOTE_DOWNLOAD RFC. But before SAP Note can be downloaded using new HTTP RFC, you need to execute RCWB_SNOTE_DWNLD_PROC_CONFIG report and change the procedure to download SAP Note to HTTP connection (you can find that information in the blog).
After that you will be able to download SAP Note via newly created HTTP connection. If you face error even after this, kindly paste your error.
Regards,
Dennis
Hi Dennis,
Great its working as expected....Thank You So Much.
Regards
Chandra
Hi Dennis,
Post backbone connectivity activities we can see that in the Tcode SDCCN under support portal and support parcel box active is showing Red and just want to know is there any activity pending from our side in transcation SDCCN and there is a migrate tasks button which was diabled can you please suggest on this
Note:task stc01 showing green and we are solman 7.2 sp7 and STPI 740 11 and ST-A/PI 01T_731 002...can you please suggest
Hello Dennis, I have the following problem. Within report RCWB_SNOTE_DWNLD_PROC_CONFIG the "save" button is not reachabel for me. What could me the reason for it ?
Thanks for comment
Hello Robert,
What is your SAP_BASIS SP version? Have you encountered this issue in all other systems as well or it is particular to one system?
Regards,
Dennis.
Hi;
Dennis i have read your blogs very nice not i have started to follow you for upgrading myself, i have stuck while enabling snote digitalization process, i have go threw your steps but error in 3rd steps in task manager : SAP_BASIS_CONFIG_OSS_COMM, error is attached.
Hello Dennis,
I have SAP_BASIS 740 SP13 (This is the DEV System). I did the same on the Sandbox (same SP Level) and there it is fine. This is really strange. Do you have an idea ? (My user authorizations are both the same).
Regards
Robert
Hello Robert,
It's a strange behavior. If possible can you re-implement below SAP Note because that's where this program is capture.
2508268 - Download of Digitally Signed SAP Notes in SNOTE
2721941 - Download of digitally signed note - changes to configuration report and other minor changes
Also after applying above SAP note, try to give SAP_ALL to your ID and check, if in active client it cannot be given, then give SAP_ALL in 000 and try to execute report.
NOTE: It's very strange behavior, so just suggesting some of the possibility.
Regards,
Dennis
Hi Dennis,
We followed documents to configure digital Signed. Now when we are trying to download oss notes (SNOTE -> Goto --> Download SAP Notes), logs are still showing that OSS note is being using RFC. We have configured HTTP to download the OSS notes.
Note 0002632679 downloaded in version 0004 (RFC use SAPOSS)
Following RFC's created by Digital Signed process are working fine (test is good):
SAP-SUPPORT_PORTAL (Status HTTP response is 200)
SAP-SUPPORT_PARCELBOX (Status HTTP response is 200)
SAP-SUPPORT_NOTE_DOWNLOAD (Status HTTP response is 404)
Pls suggest to fix this issue.
Thanks
Amar
Hello Amarjit,
Kindly follow below step and let me know what's the result.
Regards,
Dennis
Hi Dennis,
I have ran through this without any issues and the SAPNotes seem to be downloading fine.
My question is, why is the last step (Restart ICM) there and is it needed as it's defaulted to SKIP.
I didn't do it, but I'd like to understand why you did.
Many Thanks,
J.
Hello Jason,
The reason I have opted for this option is that in one of my system when I had executed this task list keeping default options, the task executed successfully. But when I tried to download SAP Note, it was giving error. So I have restarted ICM and after that it worked fine.
P.S - Yes I know restart of ICM is not required with Netweaver version > 710 as import of certificate will be updated at run time. But as I faced issue in one of the system, I selected this option.
Regards,
Dennis Padia.
Dear Denis,
We have successfullly implement SAP note for digital signed sap note implemenatation after that when we ran report RCWB_SNOTE_DWNLD_PROC_CONFIG in that SAVE option is disabled please suggest on same.
SAP_BASIS 701 0016 SAPKB70116 SAP Basis Component
Hello Sanjay,
Has this issue encountered only in one system? If you have implemented SAP Note in Sandbox and you are encountering this issue, then can you try to implement SAP Note in Development?
This is bit unusual, but Robert Kubitza has faced similar issue. I'm just tagging him here
Robert Kubitza - Did you find resolution to the issue where your save option was disabled. It would be great if you can share the resolution
Regards,
Dennis.
Dear Denis,
Issue has been resolved now.
goto se41 -> · Enter Program name as RCWB_UNSIGNED_NOTE_CONFIG -> select radio button status and enter text CWB_SNOTE_CONFIG and then click on change option
then expand function key -> select SAVE button->click on Function code to activate this then click on SAVE and activate it and then issue resolved.
Hello Sanjay,
Good to hear that your issue is resolved. Thank you for sharing the solution.
Regards,
Dennis.
First, thank you for writing this! This is a comprehensive writing about things you have to collect manually by reading at least half a dozen different SAP notes otherwise.
Unfortunately, I still have questions.
First two questions are about the 3rd entry in RCWB_SNOTE_DWNLD_PROC_CONFIG: using the Software Download Service. I have to specify an RFC connection to the system where the SDS has been configured there.
a) can I set up the SDS on any system? Or is it specifically for the SolMan? SAPnote 2554853 looks as if it was possible on any system, then again it speaks of "the download service system" instead of "any" or "each". I'd love to have at least one system per system landscape, ideally each system downloads its own notes.
b) any info regarding the RFC connection is appreciated. Like, which roles are needed for the user given in the RFC connection data? Or, if there is no predefined role, which rights does it need? I want to use a special user for it, not my own account, because I don't want to be locked out after changing my password 😉
And another question, this time regarding "Enter parameter for 4th task – New OSS Comm: Create HTTPS Connections for SAP Services (SM59)": some of my systems need to use a web proxy, not a SAProuter. I can't see a place to add this here. If I don't add it, the following check returns an error, and thus the task can't end successfully.
I think I can address this problem in SM59. Here, I can set a "standard proxy", and I can set exceptions, like where *not* to use the proxy. I'd love to see an example for the notion of this. Would a sample exclusion entry be 10.20.30.0/24 or 10.20.30.* or something else?
Regards, Werner
Hello Werner,
a) You can configure SAP Download Service in any ABAP System. The idea of download service application is to have that service running centrally, so all ABAP system can connect to download SAP Note. Now if you are trying to have this download service application for each system, I feel it's a bit of overhead and also it will be quite tedious to maintain in future if something needs to be changed on download service application (as you need to update on each system).
Why to over engineer as SAP Notes are generally being downloaded on Sandbox and Development, whereas in rest of the environment we move changes via transport. So recommended approach will be have two download services application in place - one for non-production and one for production / you can put it in a way like One Active and other Standby (in case your primary is down for maintenance, you can change the entry via report and point it to standby so it is used to download SAP Note).
b) You can refer below link for Authorization and Roles for SAP Download Service.
https://help.sap.com/viewer/9d6aa238582042678952ab3b4aa5cc71/7.5.5/en-US/7cd5bc1666824b3eba96e8a79dd2055e.html
c) You can manually execute 4th task in your system where you want to maintain Proxy server. Also in the global configuration setting - No proxy for the following addresses, you can use 10.20.30.*
NOTE: Global settings are client dependent, so you need to maintain the same in all client. Also proxy settings are not transported.
Regards,
Dennis Padia.
Hi Dennis,
the configuration described in that link (transaction SDS_CONFIGURATION) has to be made in the central system (the one with the new support backbone infrastructure enabled and configured) or to each system that need to connect to the central system?
Thanks
Hello Marco,
It needs to be configured in central system.
Regards,
Dennis
Thanks Dennis.
Now that we've cleared that up, I need to understand one more thing: since TCI is a mandatory prerequisite for every system (700 to 731 and 740 or above) the download service application centralized on a single system allow us to avoid the TCI installation in the satellite systems?
Thanks again.
Hi Marco,
As I understand, ABAP download service is only for SAP Note download purpose. You would still need to enable SNOTE for TCI to be able to apply TCI regardless of what channel you use to download SAP Note.
Regards,
Kashyap
is there any sap notes without valid releases section ? is there any note relevant for any system ? thank you
If I've understood your question and purpose, you're looking to download any SAP Note to check whether it's being downloaded as digitally signed using HTTPS. In that case, you can try and download SAP Note 2755640 - New OSS Download Test.
Regards,
Kashyap
Hi Dennis,
Thank you for this amazing blog. I have applied the Digitally Signed SAP Notes on ECC and BPC Landscapes. I have a question about testing the functionality. I tried to download SAPNote 2755640 via snote. Looking at Note Log, I noticed that the Text of the SAPNote is in German Language. Is this expected or need to do some adjusting? Please advise.
Best Regards,
Aries
Hello Aries,
Did you got chance to check below SAP Note?
2783798 - SNOTE log messages displayed improperly after enabling Digitally Signed SAP Notes
Regards,
Dennis Padia
Hi Dennis,
I can see from Message Class Field "SCWN" that starting from No. 810 to 830, all "Message Short Text" is in German Language. I changed it to English language already. Thanks!
Best Regards,
Aries
Hi Dennis,
My current version is NW740 and basis patch level is 13 .I implemented notes 195550,2576306,2738426 and completed backbone configuration.Now i am not able to download the snotes.
Hello Potluri,
What is the error when you download SAP Note?
Regards,
Dennis Padia
Hi Dennis,
This blog was very useful. Thanks a lot.
Regards
Aneeth
Dear Dennis Padia
Thanks for your help. This post was very useful.
Best Regards!
Jorge Rodriguez.
Thanks Dennis for the blog.
I have few questions, We have upgraded SolMan system to required support package 9 level. do we need to perform manual steps mentioned in digital signature PDF or applying this TCI snote 2738426 will be suffice ?
In SolMan Dev box, when I tested RFC connections I am getting following message
SAP-SUPPORT_PARCELBOX --- Status HTTP Response 403
SAP-SUPPORT_NOTE_DOWNLOAD --Status HTTP Response 404
Status Text Not Found
Duration Test Call 447 ms
We have applied TCI snotes to enable digital signature snote in our Managed systems, do we need to perform all the manual activities in these systems as well after this TCI snote enabling?
All TCI snote are needs to applied in 000 Client ?
Hello Lokeswar,
In managed systems, you need to perform activity mentioned in this blog and also TCI snotes are not client specific, so if you have applied note in your productive client there is no need to apply in 000 client.
Hopefully you have applied SAP Note mentioned in the pre-requisite section of this blog.
Regards,
Dennis Padia
Hello Dennis,
Thanks for this BLOG. Its really helpful.
We followed the below checklist Doc provided SAP in the link for this implementation. we are going to follow the steps mentioned in Blog but we would like to clarify below questionnaires. If Possible could you please provide your answers (Yes / No) for the below ones (particularly steps (3,4,7,8,9,10). It will help us to make sure ourselves
Check List Link :
https://support.sap.com/en/alm/solution-manager/sap-support-backbone-update/backbone-update-checklists.html
Our Questions:
Step 1 : Configuring Technical Communication User - Done
Step 2 : Req Kernel - Only in Solmon - Done
STEP 3 : Check and Install CommonCryptoLib - Done in Solmon But will it required in managed system also ? (YES / NO)
STEP 4 : Check and Adjust the TLS/SSL Protocol Version - Done in Solmon But will it required in managed system also ? (YES / NO)
STEP 5 : Configure and Activate HTTPS / SSL - Only in Solmon - Done
STEP 6 : Check the Application Server - Only in Solmon - Done
STEP 7 : Install SSL Certificates - Done in Solmon But will it required in managed system also ? (YES / NO)
STEP 8 : Execute Task List "SAP_SUPPORT_HUB_CONFIG" - Done in Solmon But will it required in managed system also ? (YES / NO)
STEP 9 : Execute Task List "SAP_BASIS_CONFIG_OSS_COMM" - Done in Solmon But will it required in managed system also ? (YES / NO)
STEP 10 : Prepare Note Assistant - Done in Solmon But will it required in managed system also ? (YES / NO)
STEP 11 : Adjust Your User Logon Information - Only in Solmon - Done
STEP 12 :Finalize Support Hub Connectivity - Only in Solmon - Done
STEP 13 :Check Jobs Using the New Connections - Only in Solmon - Done
STEP 14 :Apply Final Corrections - Only in Solmon - Done
Thanks
Anilkumar
Hello Anil,
The checklist you have mentioned needs to be followed for Solution Manager only. For managed system, you just need to perform steps mentioned in this blog.
Also, you can check below blog to check if your systems are ready for SAP's 2020 support backbone update.
https://blogs.sap.com/2019/10/23/how-to-check-if-your-systems-are-ready-for-saps-2020-support-backbone-update/
Regards,
Dennis Padia
Thanks Dennis for your inputs.
Yes, We have implemented the pre-requisite TCI snote 2576306 in all our managed system which are on less than BASIS component 740-20 and 750 -12.
I am still having question on managed system on setting up 3 HTTP connections and Technical user creation.
Another question on managed systems, as these managed systems are managing by SolMan, so while downloading the snote from Managed system like ERP ( DEV ) .. will it go through SolMan system to download the snote ? if yes, do we still need to setup the HTTP Connections in SM59 in Managed system ?
and about technical user setup for this SAP backbone portal, do we need to create individual S-ID ( Technical user) for each system ( DEV/QAS/PRD ) ?
Please advise.
Thanks
Lokeswar
Hello Lokeswar,
As RFC based communication to support backbone will no longer valid from 2020, all communication to SAP backbone will be HTTP-based. Till now SAP Notes in managed systems are being downloaded using RFC Connection (SAPOSS) but this will change after 2020.
So we need to make necessary changes in managed systems as well. There are two ways to do that
The details on the above two methods are explained in details in the attached PDF of below SAP Note.
2508268 - Download of Digitally Signed SAP Notes in SNOTE
Creation of technical users is based on your approach - HTTP Protocol or Download Service Application.
As in download service application, you need only one technical user which needs to be maintained in download service system and all managed system are connected to download service system using RFC connection.
But if you go for HTTP Protocol method, it is not advisable to maintain only one technical users in all the systems. Instead you can create technical user based on Installation Number (ERP, S/4HANA, Netweaver) or Environment (SBX, DEV, QA, PROD) or Systems (ECC, GTS, MDG etc). It's on you how you want to maintain user in your landscape.
Regards,
Dennis Padia.
Thanks Dennis for the details explanation.
Appreciate all your help
Hello Dennis,
We have implemented the requirement in one managed system. Now we able to see GREEN status in sdccn also.
For validation, Before implementation we able to notice the SNOTE downloaded via RFC and after implementation then we able to notice that SNOTE downloaded via HTTPS. Reference screenshot attached.
But, Is any other validation check list or process available to make sure our settings are appropriate and complete ?
Thanks
Anilkumar
Hello Anil,
That pretty much how you validate in managed system. Same has been highlighted in below SAP Note.
2836996 - How to test https connection for SAP Note download after the execution of task list SAP_BASIS_CONFIG_OSS_COMM configuration
Regards,
Dennis Padia
Hi
Can you please let me know how did you reimplement the TCi note. I get an error message that says “there is no backup for SAPK74000SCPS* package.
Vishwa
Thanks Dennis for your reply.
Is any impact in "JAVA MANAGED Systems" because of SAP Backbone... Is any configuration need to be made on JAVA Managed Systems ?
Thanks
Hello,
It impacts every ABAP Based System (below screenshot for your reference). No changes required in JAVA systems.
Regards,
Dennis Padia
Thanks Dennis.
And a final Question :),
Probably last Question from our side.
We have completed all our DEV system and captured it TR, Then imported the same and followed the steps in QAS system as well.
But since QAS are not allowed to download SNOTE directly, Is there any way to check whether SNOTE is using HTTPs instead RFC in non-DEV systems. Because we have to implement the same till PRD systems where we can't test the setting via downloading the SNOTE ?
Is the anyway around to check the settings particularly for PRD systems ?
Thanks
Anilkumar
Hi
Can you please let me know how did you reimplement the TCi note. I get an error message that says "there is no backup for SAPK74000SCPS* package.
Vishwa
Hello Vishwanath,
Kindly check my comment on below link -
https://answers.sap.com/comments/12903088/view.html
Regards,
Dennis Padia.
Hi Dinesh
Thanks for the reply.
The thing is the same steps have been followed for all the other systems and there are no issues. I remember that the first time I opened SNOTE after applying the TCI corrections, i got a pop-up that said "its not implemented correctly", but after I skipped the pop-up,the error message is no longer seen. So I believe its not implemented correctly. Can we restore the system back to some point in time and start over again?
Regards,
Vishwanath
Hi Dennis,
Thank you for blog ,
I have setup every thing as per Note, all 3 RFC working fine .
SAP-SUPPORT_NOTE_DOWNLOAD 404
SAP-SUPPORT_PARCELBOX 200
SAP-SUPPORT_PORTAL 200 ,
but when i am downloading the sap note its asking Password .
Thanks,
Vikas Katiyar
Hi all,
I’ve configured all as above but one of RFC connection failed:( Could you please help me? Probably my S-user is not permited to access SAP Support Documents so how can I get those privileges?
SAP-SUPPORT_NOTE_DOWNLOAD – OK
SAP-SUPPORT_PORTAL – OK
SAP-SUPPORT_PARCELBOX – error 403, “Permission denied. See logs for details.”
The same error I’ve got when I try to login into https://documents.support.sap.com/parcel
Hello Rybnik,
Kindly check which user you have maintained in the connection. You should use technical user, not a normal S-User (which you use to create incident, manage system data).
If you use normal S-User, you will get below error.
But if you use technical user, you won't get above error message
So make sure you maintain technical user that are under https://launchpad.support.sap.com/#/techuser
Regards,
Dennis Padia.
Thanks for the information, of course I was trying to connect with my S-user not tech-user, at the moment I'm waiting for requested tech user and let you know if it works with tech one.
Right now all of 3 RFC's are working fine but when I try to download note with new procedure via SNOTE i received below error which in Deutsch is describe: Fehler beim Erhalten der Antwort von FCMS - translated via google it means Error getting the response from FCMS. Do you know what else is wrong?
Hi Rybnik,
Did you perform the manual corrections mentioned in point 12 of SAP note 2508268?
Seems the text is missing for message class SCWN. This message is described as below:
Error receiving response from FCMS
You can troubleshoot further for this message.
Check the section Manual corrections for digitally signed note to get an idea about the short descriptions in SE91 for message class SCWN.
I missed to add English maintenance messages for SCWM, right now I have all messages in EN
The main problem was in my RFC connection SAP-SUPPORT_NOTE_DOWNLOAD, the path should end with notesdownloads.sap.com and the connection test should end with HTTP 404 Not Found which is correct on ?
Right now we’re able to download the digitally signed SAP Note, many thanks to you all for help.
Hi ALl ,
Now i am able fix it ,
I deleted that sap support rfc and created again ,I have already configured support hub that was with HTTP connection because of that it was only http connection now its is working fine .
@ Michal : Regarding your issue seems prefix not correct you should put /parcel/ in your screen shot /parcel / missing . Hope this will help you .
Thanks,
Vikas Katiyar
There is a typing mistake, in strust we need to import the mentioned certificate.
“Once the Note has been implemented, we need to export below client certificate in STRUST. Click on the link to get the certificate.”
Further, I'm stuck at the task list Check TLS Port execution phase,
RZ10 value is also assigned as you mentioned earlier,
Could anybody pls help? Even after system restart the error remains the same.
Hello Sikandar,
Its hard to figure out the issue from the error message. Can you please let us know where you have set this parameter i.e. on managed system or solution manager? Also what is your netweaver version and kernel version?
As highlighted, you can also refer below SAP Note for more details on ssl parameters
510007 - Setting up SSL on Application Server ABAP
Regards,
Dennis Padia.
The parameter was set first in the instance profile than in default in the managed system.
SAP NW 7.4 EHP7
SAP Kernel: 745
I already have gone through SAP note 510007 for setting up SSL but no luck so far.
Hello All,
I am facing one issue on the Certificate for STRUST. While running the SAP_BASIS_CONFIG_OSS_COMM tasklist i can see below certificate list for STRSUT. One certificate is different from the recommended one. It is regarding Digicert High Assurance EV root CA. Please suggest.
Hello Sudhyadeep,
I think you have also applied below SAP Note in the system, which added DigiCert High Assurance EV Root CA certificate check in the configuration task list SAP_BASIS_CONFIG_OSS_COMM
2827658 - Automated Configuration of new Support Backbone Communication - Update 02
You can get the certificate from below SAP Note and import in STRUST
2631190 - Download location of SSL certificates required for Support Hub Connectivity configuration
Regards,
Dennis Padia
Hi all, on a SAP_BASIS 740 lower than SP08 SAP Notes 1995550, 240838 and 2576306 cannot be implemented. Instead, HTTPS destinations can be manually performed (document attached to sap note 2827658).
Once created manually, the RCWB_SNOTE_DWNLD_PROC_CONFIG report is not available.
Which report should be used to set the download procedure?
Or, following what stated in the dox attached to sap note 2827658 I must still use the old RFC with a technical comm user?
Thanks
Hello Marco,
I understand that you don't have TCI enabled in your system (SAP_BASIS 740 < SP08), so below SAP Notes cannot be implemented
2576306 - Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes
1995550 - Enabling SNOTE for transport based correction instruction
But for the system where SAP Note cannot be imported using TCI, they must use below SAP Note to prepare managed system for digitally signed settings
2508268 - Download of Digitally Signed SAP Notes in SNOTE
Also you can enable TCI in your system using below SAP Note and once TCI is enabled you can import 2576306 and 1995550
2187425 - Information about SAP Note Transport based Correction Instructions (TCI)
Regards,
Dennis Padia.
Hello Dennis,
We have implemented SAP Backbone changes in all our ABAP managed systems. And we able to download few SAP Notes but few random sap notes we are getting the below error.
2176823 - Could not download the signed SAP Note
2443075 Could not download the signed SAP Note
But both above SNOTE didn't have any correction on it but is it a blocking factor even for download SNOTE or is there any check are available to know whether SAP Notes with correction can only be downloaded or not ?
Thanks
Hello,
Those are SAP Knowledge Base Articles (KBA). You can refer this link to understand the difference.
Regards,
Dennis Padia
Good morning Dennis,
thank you for the great blog.
I would like know what is the minimum Crypto Libraries of version what we need ?
Is this version enough?
Thank you for help
Hi Dennis ,
Any thing for 4.6c system ? do we need to update the technical user in RFC ?
Thanks,
Vikas Katiyar
Hello Vikas,
Kindly refer FAQ of digitally signed SAP Notes where it is mentioned how to consume digitally signed notes for SAP_BASIS lower then 700.
Regards,
Dennis Padia
Hi Dennies ,
Many thanks for your Help ,
Got it we do not have to do anything with below 700 as digitally signed SAP Notes will download automatically need to do Manually .
Thanks,
Vikas katiyar
Hi Dennis,
I have SAP_BASIS 740 and we have used SAP NOTE 2836302 to configure Digitally Signed SAP note. We have successfully completed the Implementation in Dev box and we were able to download the snote using https.
For Quality system we used the Transports created in dev to implement and everything was fine in QA all the 11 steps were successfully configured and completed yet while dowloading SNOTE am getting below error
RCWB_SNOTE_DWNLD_PROC_CONFIG - https service is set and also all other things are correctly setup.
Error in remote connection to destination
SAPSNOTE:
Error when opening an RFC connection (LB: Hostname
or service of the message server unknown#DEST =SA
Still pointing to old RFC destination
Hello Dennis,
The note 2836302- Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes
Is now available would you be able to update the post to include this as the recommended procedure ?
Best regards,
David
Thank you for the update David. Really appreciate it.
I have updated the blog with recommended procedure.
Regards,
Dennis Padia.
I configured the Solution Manager as Download Service (System).
In the managed system, I created an RFC (Type 3) to our Solution Manager and executed the report RCWB_SNOTE_DWNLD_PROC_CONFIG and selected the RFC connection "Download-service application" to the Solution Manager.
But when i am downloading the sap note in the managed System its asking for Password (Login) of the Solution Manager.Hello Tatjana,
Have you tried performing RFC authorization test between your managed system and solution manager? Usually login is asked when credentials are wrong or not entered in RFC. Can you please confirm?
Regards,
Dennis Padia
Hello Dennis,
Thanks for your answer.
I have not entered any user and passwort in the RFC connection.
Do I need probably to create a Trusted RFC between Solution Manager and Managed System?
Thanks
Hello Tatjana,
If you create trusted RFC between solution manager and managed system, then the person who is downloading SAP Note in your managed system should have access in solution manager as well. That may not be case sometime as users might not have access to solution manager or required roles.
So you need to create a user in Solution Manager with required roles mentioned in below SAP Notes and maintain the same in your managed system.
Regards,
Dennis Padia.
Hi Dennis,
Many thanks. It worked.
Another question. I ran the report RCWB_SNOTE_DWNLD_PROC_CONFIG on the DEV, QAS and the download of snotes via these systems works.
I also ran the report on the PROD system and created RFC. But when I download this note 2755640 via snote, it downloads it, but after that I don't see this s-Note and there are no error messages. And the Snote Browser does not find this snote (2755640).
Please help
Many Thanks
Hello Tatjana,
In Production System, direct modification is not encouraged. Usually global setting in SE06 is set to non-modifiable in production system as well as changes to repository is not allowed (SCC4).
So if you download SNOTE in Production System, you usually encounter below message and your SNOTE won’t be downloaded. This is normal behavior as Production system is restrictive to download SNOTE directly.
Kindly refer SAP Note 1842219 - System setting does not allow changes to be made to object NOTE "Note Number" for more details.
Regards,
Dennis Padia.
Hi Dennis
we implemented sap note 2836302
and using report RCWB_TCI_DIGITSIGN_AUTOMATION we were able to do all the necessary steps successfully but experiecing an issue with one of our system which is on SAP_BASIS 740 SP11, all the steps executed and completed successfully but we get an error on STEP12 when it does a check download of digitally signed sap note and when clicking o the error info (To troubleshoot check if the RFC destinations(s) are configured correctly).
whats strange is that the RFC are testing successfully, used the correct tech user and hence all aother steps are green. any idea what could be the issue here?
see the attached error screenshot .
thanks
Hello Lerato,
I didn't got chance to use this method for my systems, as I have configured all my systems using old method. So I cannot comment more on this.
But did you got chance to check below SAP Note. I know it is not relevant to your version but still.
2871797 - Report RCWB_TCI_DIGITSIGN_AUTOMATION step 12 gives Error in SAP_BASIS 700, 701,702 and 731
Regards,
Dennis Padia.
Hi Dennis,
Note 2871797 helped for our systems SAP_BASIS 702. Now step 12 completed.
Regards,
Alex
Hi Lerato ,
Can you try to download SAP note using snote ?then see if you are getting any error while downloading note in RFC .
Thanks
Hello,
I have exactly same problem on my QA (my dev is OK).
RFC are 200 200 and 404 as expected.
Whether I Download through Snote or STEP 12 from the program ==> it uses RFC protocol.
I’ve checked many times that HTTP is selected, I’ve re-generated RFCs many times.
I’m in SAP-BASIS 7.50 SP13
Hello,
The reason why you are getting error in your QA system, as global setting in SE06 is set to non-modifiable as well as changes to the repository is not allowed (SCC4). If this system is your quality and production, then this setting is obvious as this systems are not allowed for direct modification (it includes download of SAP Notes)
So if you download SNOTE in Quality or Production System, you usually encounter this message and your SNOTE won’t be downloaded. This is normal behavior as Quality & Production system is restrictive to download SNOTE directly.
Kindly refer SAP Note 1842219 – System setting does not allow changes to be made to object NOTE “Note Number” for more details.
Regards,
Dennis Padia
Hi Vikas
I tried downloading via snote and i am unable to download it. see the steps below:
thanks
Hello Lerato
The reason why you are getting error in some of your systems, as global setting in SE06 is set to non-modifiable as well as changes to the repository is not allowed (SCC4). If this system is your quality and production, then this setting is obvious as this systems are not allowed for direct modification (it includes download of SAP Notes)
So if you download SNOTE in Quality or Production System, you usually encounter this message and your SNOTE won’t be downloaded. This is normal behavior as Quality & Production system is restrictive to download SNOTE directly.
Kindly refer SAP Note 1842219 – System setting does not allow changes to be made to object NOTE “Note Number” for more details.
Regards,
Dennis Padia
Hello Dennis,
Based on Report RCWB_TCI_DIGITSIGN_AUTOMATION we have completed all 13 steps for our BASIS 702 based system.
Currenlty we are using SAPOSS with Technical communaction user and we are able to download the snotes and it's working fine.
Is that any steps needs to perfrom to confirm Snote Note Assistant for TCI and Digitally Signed SAP Notes completed successfully.
Regards,
Alex
Hi Dennis
After changing the SE06 and SCC4 settings (modifiable and allow cross client changes) , step 12 completed successfully. closed the settings again afterwards.
thanks, much apprciated.
Lerato
Glad to know that it worked for you.
Regards,
Dennis Padia.
Hi Dennis,
After settings up the Digitally Signed OSS note setup on our S4 1909 systems and when we test its giving following error message
However Digital Sign test OSS note#2755640 is getting download successfully through HTTPS.
Please can you let me know whats the cause of the error "Could not download the signed SAP Note"
Regards. Srinivasa Reddy
We've discovered this problem this morning too. "Could not download the signed SAP Note".
Anyone any clues !?
Refer below information related to your problem.
-----------------------------------------------------------------------
Hi All,
Since i’m trying to download the KBA/Informative OSS note i got above error message “Could not download the signed SAP note” however when i tried to download the OSS which has corrections i could able to download the OSS note successfully.
Hope it helps.
Thanks.
Hi All,
Since i'm trying to download the KBA/Informative OSS note i got above error message "Could not download the signed SAP note" however when i tried to download the OSS which has corrections i could able to download the OSS note successfully.
Hope it helps.
Thanks.
Hi Dennis,
please help. We have configured our QAS System as a Downlod Service:

In the download service system we selected the connection to SAP via HTTPS. Is that correct ? Or do I have to select here the Download-Service-Application ?
Our TST and PROD systems should then download the snotes via the QAS system
But we get this error message when we try to download a snote in TST or PROD.
But in the QAS system (Downlaod Service) it works.
What's wrong here?
Thank you
Hello Tatjana,
Did you check below solution based on the error you are getting?
Regards,
Dennis Padia.