Skip to Content
Technical Articles

Preparing Managed System Note Assistant (SNOTE) for Digitally Signed SAP Notes

Above message would be quite familiar this days in SAP Launchpad Portal when you try to access any SAP Note. Enough has been said on the same in multiple blogs but in this blog I will try to capture entire procedure to make your ABAP system – SAP Note Assistant (SNOTE) ready to communicate to updated SAP Backbone Support to download digitally signed SAP Notes.

Quick Overview

SAP’s Support Backbone is the central infrastructure located at SAP to provide technical
support to customers. SAP has updated it’s support backbone infrastructure, but the legacy infrastructure remains in place to allow a safe transition for SAP customers.

How customer gets impacted due to SAP’s Support Backbone update?

All customers with ABAP-based SAP systems needs to switch to the new infrastructure before January 2020 to ensure smooth connectivity.

Impact on SAP Solution Manager

You need to switch the communication of SAP Solution Manager to the new infrastructure before January 2020 to ensure continuous connectivity.

SAP Solution Manager 7.2 needs to be updated to Support Package Stack 07 or 08

Impact on SAP Note Assistant

SAP Note Assistant (transaction SNOTE) needs to be enabled to handle digitally signed downloads. To achieve this, SAP Note Assistant needs to be updated in every system where it is used.

Remark: The download of SAP Notes with SNOTE is no longer possible after January 1st, 2020 if SNOTE is not updated to handle digitally signed SAP Notes before this date.

Impact on ST-PI and ST-A/PI

All ABAP-based SAP systems which have direct connectivity to SAP (i.e. sending EWA reports directly to SAP) need to be updated with the latest ST-PI AddOn. You can find the required ST-PI and ST-A/PI versions in the FAQ.

Systems which do not have direct connectivity to SAP (because, for example, EWA reports are sent through SAP Solution Manager) do not need to update ST-PI and ST-A/PI. Nevertheless, SAP generally recommends to keep ST-PI and ST-A/PI updated in the managed systems.

Minimum versions of ST-PI and ST-A/PI is required in managed system if it has direct connectivity to SAP
  • ST-PI 740 SP10
  • ST-PI 2008_1_700 SP20
  • ST-PI 2008_1_710 SP20
  • ST-A/PI 01T* SP01

Handling of Technical Communication Users

Connections using generic users will not work anymore after January 1st, 2020. For this purpose, customers need to ensure that all connections use a technical communication user in all systems which have connectivity to SAP (this includes all systems directly sending EWA data to SAP and all systems where SAP Note Assistant is being used on).

A technical communication user is an isolated user used for connectivity purposes only. No logon at any SAP portals is possible with this user. The password of a technical communication user does not expire. Technical communication users can be requested via this app.

If you are still unfamiliar on what I’m talking about kindly refer below links to get more detailed insights –

Note Assistant

Connectivity to SAP’s Support Backbone

Handling Digital Signed SAP Note 

SAP Note Assistant

SAP is making SAP Notes more secure by ensuring all SAP Notes are digitally signed. The SAP Notes files can get maliciously modified and the customer unknowingly can upload the maliciously modified SAP Notes files into their ABAP systems. Therefore, SAP plans to deliver all SAP Notes files with digital signature to protect SAP Notes files with increased authenticity and improved security. SAP strongly recommend customers to upload only digitally signed SAP Note files

Till now, we were using SAPOSS RFC connection to download any SAP Notes from SAP’s Backbone support, but this is changed as now generic user like OSS_RFC will no longer be used to communicate to SAP Backbone system. Instead, we have to use technical communication users in all systems which have connectivity to SAP.

Pre-requisites SAP Notes

If you have TCI enabled, kindly implement SAP Note

  1. 2576306 – Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes

But if you don’t have TCI enabled, kindly implement below SAP Note.

  1. You have implemented the SAP Note 2408073 and SAP Note 2546220 for uploading digitally signed SAP Note and digital signature verification.
  2. You have implemented the SAP Note 2508268 for downloading digitally signed SAP Note

NOTE: It is recommended to enable TCI in the system, as it is a new way to deliver ABAP correction instructions to customer in flexible manner. Below is the high-level overview on when TCI is been used.

Enabling Note Assistant for TCI, kindly refer to below SAP Note and attached pdf in the note.

2187425 – Information about SAP Note Transport based Correction Instructions (TCI)

Once the pre-requisite steps has been completed, kindly follow below steps based on your system version

ABAP System: SAP_BASIS – 700 to 731 Only

SAP ABAP systems with lower SAP Releases (= lower than SAP Kernel 7.42 Patch Level 400) who want to download SAP notes or uses software components  of ST-PI and ST-A/PI will still use RFC connection SAPOSS or SAPSNOTE, but changes with that RFC connection`s SAPOSS or SAPSNOTE are mandatory!

Check your SAP Kernel (System > Status)

As system kernel version is below 742, we can use SAPOSS connection but we need to make certain changes.

/H/<saprouter@customer>/S/3299/H/<saprouter@sap>/S/3299/H/oss001.wdf.sap.corp

Possible SAP Route entries for <saprouter@sap>

sapserv1 (194.117.106.129) Internet VPN connection
sapserv2 (194.39.131.34) Internet SNC connection
sapserv3 (147.204.2.5) for customers connected to Germany
sapserv4 (204.79.199.2) for customers in the United States
sapserv5 (194.39.138.2) for customers connected to Japan
sapserv7 (194.39.134.35) for customers in Asia Pacific Japan (APJ) including New Zealand and Australia
sapserv9 (169.145.197.110) for customers in APJ including New Zealand and Australia
sapserv10 (203.13.159.37) for customers in China

There is no change in logon group, you can use

1_PUBLIC
2_JAPANESE
EWA

SAP Note 2740667 – RFC connection SAPOSS to SAP Service & Support backbone will change (latest) in January 2020

ABAP System: SAP_BASIS 740 & Above

For system higher than 740, mandatory protocol is HTTPS so we need to configure RFC accordingly and make relevant changes so SAP Notes gets download using HTTPS protocol instead of RFC protocol i.e. SAPOSS

There is task list available to configure HTTPS communication. Task List is available in systems with at least SAP_BASIS 740 after applying TCI in SAP Note 2738426. So if you don’t have TCI enable you have to manually create RFC in SM59. For manual step follow “Digital Signature.pdf” attached to SAP Note 2576306 – Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes

Here I will be using task list to configure HTTPS communication channel, so for that SAP Note 2738426 needs to be implemented.

ssl/client_ciphersuites (step 3 in task list)

We need to set parameter ssl/client_ciphersuites and parameter value for enabling highest TLS protocol version with BEST-OPTION.

Recommended Configuration of Available TLS Protocol Versions (required for enabling TLSv1.2)

ssl/client_ciphersuites  =  150:PFS:HIGH::EC_P256:EC_HIGH

Restart the system after adding/changing parameter.

For more information, read SAP Note 510007 – Setting up SSL on Application Server ABAP

client certificate (step 4 in task list)

Once the Note has been implemented we need to export below client certificate in STRUST. Click on the link to get the certificate

STRUST > SSL client SSL Client (Standard)

Note: You can import client certificate in SSL Client (Standard) or SSL Client (Anonymous), but relative option needs to selected while running task list otherwise you will get error while running task list. I have imported all the above client in SSL client (standard)

As you can see in Certificate List all 4 client certificate has been added but make sure you save it before you exit this transaction or execute task list

Generate Task List

STC01 > SAP_BASIS_CONFIG_OSS_COMM

In task 3, we can select where it can check certificates for SSL client. As we have added all certificates in ssl client (standard) we will keep that selection.

Enter parameter for 4th task – New OSS Comm: Create HTTPS Connections for SAP Services (SM59)

Only insert first three field i.e. Technical Communication User, Password and Router String and press enter. Remaining field under HTTPS Connection for Support Portal will automatically populated. Save the variant and go back

Direct download of Digital SAP Note – Setting

To directly download the digitally signed SAP Notes using SNOTE transaction, proceed as follows:

Defining Procedure for Downloading SAP Note (RCWB_SNOTE_DWNLD_PROC_CONFIG)

Defining File Type for Downloading SAP Note (RCWB_UNSIGNED_NOTE_CONFIG)

For SAP version 740 and above we have to set HTTPS Protocol to download SAP Note, to make this setting we need to define procedure for downloading SAP Note using RCWB_SNOTE_DWNLD_PROC_CONFIG report

On saving above procedure, SAP Notes will be downloaded using SAP-SUPPORT_NOTE_DOWNLOAD RFC destination and connection to SAP Support portal will be using SAP-SUPPORT_PORTAL

Download of unsigned SAP Notes as fallback. Following customization is also provided to choose download of unsigned SAP Note as fallback via the report RCWB_UNSIGNED_NOTE_CONFIG

Download of unsigned SAP Note in SNOTE will be supported only until end of 2019.

Validation

Download any SAP Note using SNOTE and in log you can see it is been downloaded to HTTPS protocol which is connected to SAP Backbone support system.

Regards,

Dennis Padia

33 Comments
You must be Logged on to comment or reply to a post.
  • Hi Dennis,

     

    thanks for you blog! I have a question about this topic. My settings are done and I can download notes via HTTPS connection. But every time when I try to download a note I have to enter the User data for my Technical S-User. The following pupup appears:

     

     

    It seems to be wrong for me or is this normal? Why should I enter the data when it is already set in the RFC destination. For me it is really annoying, because I need to remember all the S-User password combinations for different systems.

    Thanks for comments!

     

    • Hello Sebastian,

      It’s not normal. When you download SAP Note it should not prompt you for credentials.

      Can you please check below two RFC connection test. Result should be as below:

      SAP-SUPPORT_PORTAL

      SAP-SUPPORT_NOTE_DOWNLOAD

      MANUAL connection test of the connection SAP-SUPPORT_NOTE_DOWNLOAD returns http code 404 – not found: connection is ok, for note download the path of the note is added

      Kindly let me know your output for above two RFCs

      Regards,

      Dennis

      • Thanks for you comment Dennis. It was a simple password problem. At first the user was locked and i had to change the password. And then I forgot to enter the new password into the RFC-Destination. Now everything is fine!

        Thanks!

         

      • Hi Sebastian,

        MANUAL connection test of the connection SAP-SUPPORT_NOTE_DOWNLOAD returns http code 404 – not found: connection is ok, for note download the path of the note is added

        i am not able to download the note and i have disabled SAPOSS Rfc in sm59 and tested through SAP-SUPPORT_NOTE_DOWNLOAD but it was through error.

        what does it mean by “for note download the path of the note is added”

        any manual activity required after this

        Regards

        Chandra

        • Hello Chandra,

          If you refer below SAP Note, it is mentioned that SUPPORT_NOTE_DOWNLOAD will return 404 because the path mentioned in RFC (Target host) has only URL notesdownloads.sap.com, so when you do connection test it will return 404 but when any notes are being downloaded it will append the note in the path i.e. something like this notesdownloads.sap.com/2738426.

          As I can see you have disabled SAPOSS RFC and you want your SAP Notes to be downloaded via SUPPORT_NOTE_DOWNLOAD RFC. But before SAP Note can be downloaded using new HTTP RFC, you need to execute RCWB_SNOTE_DWNLD_PROC_CONFIG report and change the procedure to download SAP Note to HTTP connection (you can find that information in the blog).

          After that you will be able to download SAP Note via newly created HTTP connection. If you face error even after this, kindly paste your error.

          Regards,

          Dennis

          • Hi Dennis,

            Post backbone connectivity activities we can see that in the Tcode SDCCN under support portal and support parcel box active is showing Red and just want to know is there any activity pending from our side in transcation SDCCN and there is a migrate tasks button which was diabled can you please suggest on this

            Note:task stc01 showing green and we are solman 7.2 sp7 and STPI 740 11 and ST-A/PI 01T_731 002…can you please suggest

  • Hello Dennis, I have the following problem. Within report RCWB_SNOTE_DWNLD_PROC_CONFIG the “save” button is not reachabel for me. What could me the reason for it ?

     

     

    Thanks for comment

    • Hello Robert,

      What is your SAP_BASIS SP version? Have you encountered this issue in all other systems as well or it is particular to one system?

      Regards,

      Dennis.

  • Hello Dennis,

    I have SAP_BASIS 740 SP13 (This is the DEV System). I did the same on the Sandbox (same SP Level) and there it is fine. This is really strange. Do you have an idea ? (My user authorizations are both the same).

    Regards

    Robert

  • Hi Dennis,

    We followed documents to configure digital Signed. Now when we are trying to download oss notes (SNOTE -> Goto –> Download SAP Notes), logs are still showing that OSS note is being using RFC. We have configured HTTP to download the OSS notes.

    Note 0002632679 downloaded in version 0004 (RFC use SAPOSS)

    Following RFC’s created by Digital Signed process are working fine (test is good):

    SAP-SUPPORT_PORTAL (Status HTTP response is 200)
    SAP-SUPPORT_PARCELBOX (Status HTTP response is 200)
    SAP-SUPPORT_NOTE_DOWNLOAD (Status HTTP response is 404)
    Pls suggest to fix this issue.

    Thanks

    Amar

    • Hello Amarjit,

      Kindly follow below step and let me know what’s the result.

      1. Did you ran report RCWB_SNOTE_DWNLD_PROC_CONFIG and set the variant to HTTP protocol? Only after that it will download SAP Note using HTTP RFC.
      2. If you have performed above step, then can you please hash out SAPOSS RFC and try to download SAP Note. Let me know what’s the outcome but make sure you execute step 1 before hashing out SAPOSS RFC.

      Regards,

      Dennis

  • Hi Dennis,

     

    I have ran through this without any issues and the SAPNotes seem to be downloading fine.

    My question is, why is the last step (Restart ICM) there and is it needed as it’s defaulted to SKIP.

    I didn’t do it, but I’d like to understand why you did.

     

    Many Thanks,

    J.

    • Hello Jason,

      The reason I have opted for this option is that in one of my system when I had executed this task list keeping default options, the task executed successfully. But when I tried to download SAP Note, it was giving error. So I have restarted ICM and after that it worked fine.

      P.S – Yes I know restart of ICM is not required with Netweaver version > 710 as import of certificate will be updated at run time. But as I faced issue in one of the system, I selected this option.

      Regards,
      Dennis Padia.

  • Dear Denis,

     

    We have successfullly implement SAP note  for digital signed sap note implemenatation after that when we ran report RCWB_SNOTE_DWNLD_PROC_CONFIG  in that SAVE option is disabled please suggest on same.

     

    SAP_BASIS 701 0016 SAPKB70116 SAP Basis Component

     

    • Hello Sanjay,

      Has this issue encountered only in one system? If you have implemented SAP Note in Sandbox and you are encountering this issue, then can you try to implement SAP Note in Development?

      This is bit unusual, but Robert Kubitza has faced similar issue. I’m just tagging him here

      Robert Kubitza – Did you find resolution to the issue where your save option was disabled. It would be great if you can share the resolution

      Regards,

      Dennis.

  • Dear Denis,

     

    Issue has been resolved now.

     

    goto se41 -> ·         Enter Program name as RCWB_UNSIGNED_NOTE_CONFIG -> select radio button status and enter text CWB_SNOTE_CONFIG and then click on change option

    then expand function key -> select SAVE button->click on Function code to activate this then click on SAVE and activate it and then issue resolved.

  • First, thank you for writing this! This is a comprehensive writing about things you have to collect manually by reading at least half a dozen different SAP notes otherwise.

    Unfortunately, I still have questions.

    First two questions are about the 3rd entry in RCWB_SNOTE_DWNLD_PROC_CONFIG: using the Software Download Service. I have to specify an RFC connection to the system where the SDS has been configured there.

    a) can I set up the SDS on any system? Or is it specifically for the SolMan? SAPnote 2554853 looks as if it was possible on any system, then again it speaks of “the download service system” instead of “any” or “each”. I’d love to have at least one system per system landscape, ideally each system downloads its own notes.

    b) any info regarding the RFC connection is appreciated. Like, which roles are needed for the user given in the RFC connection data? Or, if there is no predefined role, which rights does it need? I want to use a special user for it, not my own account, because I don’t want to be locked out after changing my password 😉

    And another question, this time regarding “Enter parameter for 4th task – New OSS Comm: Create HTTPS Connections for SAP Services (SM59)”: some of my systems need to use a web proxy, not a SAProuter. I can’t see a place to add this here. If I don’t add it, the following check returns an error, and thus the task can’t end successfully.

    I think I can address this problem in SM59. Here, I can set a “standard proxy”, and I can set exceptions, like where *not* to use the proxy. I’d love to see an example for the notion of this. Would a sample exclusion entry be 10.20.30.0/24 or 10.20.30.* or something else?

    Regards, Werner

    • Hello Werner,

      a) You can configure SAP Download Service in any ABAP System. The idea of download service application is to have that service running centrally, so all ABAP system can connect to download SAP Note. Now if you are trying to have this download service application for each system, I feel it’s a bit of overhead and also it will be quite tedious to maintain in future if something needs to be changed on download service application (as you need to update on each system).

      Why to over engineer as SAP Notes are generally being downloaded on Sandbox and Development, whereas in rest of the environment we move changes via transport. So recommended approach will be have two download services application in place – one for non-production and one for production / you can put it in a way like One Active and other Standby (in case your primary is down for maintenance, you can change the entry via report and point it to standby so it is used to download SAP Note).

      b) You can refer below link for Authorization and Roles for SAP Download Service.

      https://help.sap.com/viewer/9d6aa238582042678952ab3b4aa5cc71/7.5.5/en-US/7cd5bc1666824b3eba96e8a79dd2055e.html

      c) You can manually execute 4th task in your system where you want to maintain Proxy server. Also in the global configuration setting – No proxy for the following addresses, you can use 10.20.30.*

      NOTE: Global settings are client dependent, so you need to maintain the same in all client. Also proxy settings are not transported.

      Regards,

      Dennis Padia.

      • Hi Dennis,

        the configuration described in that link (transaction SDS_CONFIGURATION) has to be made in the central system (the one with the new support backbone infrastructure enabled and configured) or to each system that need to connect to the central system?

         

        Thanks

          • Thanks Dennis.

            Now that we’ve cleared that up, I need to understand one more thing: since TCI is a mandatory prerequisite for every system (700 to 731 and 740 or above) the download service application centralized on a single system allow us to avoid the TCI installation in the satellite systems?

            Thanks again.

          • Hi Marco,

            As I understand, ABAP download service is only for SAP Note download purpose. You would still need to enable SNOTE for TCI to be able to apply TCI regardless of what channel you use to download SAP Note.

            Regards,
            Kashyap

    • If I’ve understood your question and purpose, you’re looking to download any SAP Note to check whether it’s being downloaded as digitally signed using HTTPS. In that case, you can try and download SAP Note 2755640 – New OSS Download Test.

      Regards,
      Kashyap

  • Hi Dennis,

    Thank you for this amazing blog. I have applied the Digitally Signed SAP Notes on ECC and BPC Landscapes. I have a question about testing the functionality. I tried to download SAPNote 2755640 via snote. Looking at Note Log, I noticed that the Text of the SAPNote is in German Language. Is this expected or need to do some adjusting? Please advise.

    Best Regards,

    Aries

    • Hello Aries,

      Did you got chance to check below SAP Note?

      2783798 – SNOTE log messages displayed improperly after enabling Digitally Signed SAP Notes

      Regards,

      Dennis Padia

      • Hi Dennis,

        I can see from Message Class Field “SCWN” that starting from No. 810 to 830, all “Message Short Text” is in German Language. I changed it to English language already. Thanks!

        Best Regards,

        Aries

  • Hi Dennis,

    My current version is NW740 and basis patch level is 13 .I implemented notes 195550,2576306,2738426 and completed backbone configuration.Now i am not able to download the snotes.