Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Preparing Managed System Note Assistant (SNOTE) for Digitally Signed SAP Notes

dennispadia
Active Contributor
‎05-02-2019 5:14 AM


Update on 09 December, 2019


 

SAP has released SAP Note "2836302 - Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes" which simplifies the process of configuring individual steps to enable Note Assistant (SNOTE transaction) for Digitally Signed SAP Notes

RCWB_TCI_DIGITSIGN_AUTOMATION report provided with SAP Note 2836302 eliminates following individual steps -  

  • Implement SAP Notes 2408073, 2546220, 2508268 or Implement SAP TCI Note 2576306 

  • Configuring the SNOTE transaction to use the right procedure (RFC or HTTP or Download Service) for download of Digitally Signed SAP Note.


This note simplifies the process by providing guided steps for enabling your system for TCI and Digitally Signed SAP Notes. Refer pdf attached to SAP Note 2836302 for more details.

SAP now recommend to use RCWB_TCI_DIGITSIGN_AUTOMATION report to avoid unnecessary issues while enabling Note Assistant to work with digitally signed SAP Notes  



 



Above message would be quite familiar this days in SAP Launchpad Portal when you try to access any SAP Note. Enough has been said on the same in multiple blogs but in this blog I will try to capture entire procedure to make your ABAP system - SAP Note Assistant (SNOTE) ready to communicate to updated SAP Backbone Support to download digitally signed SAP Notes.

Quick Overview


SAP's Support Backbone is the central infrastructure located at SAP to provide technical
support to customers. SAP has updated it's support backbone infrastructure, but the legacy infrastructure remains in place to allow a safe transition for SAP customers.

How customer gets impacted due to SAP's Support Backbone update?


All customers with ABAP-based SAP systems needs to switch to the new infrastructure before January 2020 to ensure smooth connectivity.

Impact on SAP Solution Manager


You need to switch the communication of SAP Solution Manager to the new infrastructure before January 2020 to ensure continuous connectivity.

SAP Solution Manager 7.2 needs to be updated to Support Package Stack 07 or 08

Impact on SAP Note Assistant


SAP Note Assistant (transaction SNOTE) needs to be enabled to handle digitally signed downloads. To achieve this, SAP Note Assistant needs to be updated in every system where it is used.

Remark: The download of SAP Notes with SNOTE is no longer possible after January 1st, 2020 if SNOTE is not updated to handle digitally signed SAP Notes before this date.

Impact on ST-PI and ST-A/PI


All ABAP-based SAP systems which have direct connectivity to SAP (i.e. sending EWA reports directly to SAP) need to be updated with the latest ST-PI AddOn. You can find the required ST-PI and ST-A/PI versions in the FAQ.

Systems which do not have direct connectivity to SAP (because, for example, EWA reports are sent through SAP Solution Manager) do not need to update ST-PI and ST-A/PI. Nevertheless, SAP generally recommends to keep ST-PI and ST-A/PI updated in the managed systems.
Minimum versions of ST-PI and ST-A/PI is required in managed system if it has direct connectivity to SAP


  • ST-PI 740 SP10

  • ST-PI 2008_1_700 SP20

  • ST-PI 2008_1_710 SP20

  • ST-A/PI 01T* SP01


Handling of Technical Communication Users


Connections using generic users will not work anymore after January 1st, 2020. For this purpose, customers need to ensure that all connections use a technical communication user in all systems which have connectivity to SAP (this includes all systems directly sending EWA data to SAP and all systems where SAP Note Assistant is being used on).

A technical communication user is an isolated user used for connectivity purposes only. No logon at any SAP portals is possible with this user. The password of a technical communication user does not expire. Technical communication users can be requested via this app.

If you are still unfamiliar on what I'm talking about kindly refer below links to get more detailed insights -

Note Assistant

Connectivity to SAP's Support Backbone


Handling Digital Signed SAP Note 

SAP Note Assistant


SAP is making SAP Notes more secure by ensuring all SAP Notes are digitally signed. The SAP Notes files can get maliciously modified and the customer unknowingly can upload the maliciously modified SAP Notes files into their ABAP systems. Therefore, SAP plans to deliver all SAP Notes files with digital signature to protect SAP Notes files with increased authenticity and improved security. SAP strongly recommend customers to upload only digitally signed SAP Note files

Till now, we were using SAPOSS RFC connection to download any SAP Notes from SAP's Backbone support, but this is changed as now generic user like OSS_RFC will no longer be used to communicate to SAP Backbone system. Instead, we have to use technical communication users in all systems which have connectivity to SAP.

Pre-requisites SAP Notes


If you have TCI enabled, kindly implement SAP Note

  1. 2576306 - Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes


But if you don’t have TCI enabled, kindly implement below SAP Note.

  1. You have implemented the SAP Note 2408073 and SAP Note 2546220 for uploading digitally signed SAP Note and digital signature verification.

  2. You have implemented the SAP Note 2508268 for downloading digitally signed SAP Note


NOTE: It is recommended to enable TCI in the system, as it is a new way to deliver ABAP correction instructions to customer in flexible manner. Below is the high-level overview on when TCI is been used.

Enabling Note Assistant for TCI, kindly refer to below SAP Note and attached pdf in the note.

2187425 - Information about SAP Note Transport based Correction Instructions (TCI)

Once the pre-requisite steps has been completed, kindly follow below steps based on your system version

ABAP System: SAP_BASIS - 700 to 731 Only


SAP ABAP systems with lower SAP Releases (= lower than SAP Kernel 7.42 Patch Level 400) who want to download SAP notes or uses software components  of ST-PI and ST-A/PI will still use RFC connection SAPOSS or SAPSNOTE, but changes with that RFC connection`s SAPOSS or SAPSNOTE are mandatory!



Check your SAP Kernel (System > Status)

As system kernel version is below 742, we can use SAPOSS connection but we need to make certain changes.



/H/<saprouter@customer>/S/3299/H/<saprouter@sap>/S/3299/H/oss001.wdf.sap.corp

Possible SAP Route entries for <saprouter@sap>

sapserv1 (194.117.106.129) Internet VPN connection
sapserv2 (194.39.131.34) Internet SNC connection
sapserv3 (147.204.2.5) for customers connected to Germany
sapserv4 (204.79.199.2) for customers in the United States
sapserv5 (194.39.138.2) for customers connected to Japan
sapserv7 (194.39.134.35) for customers in Asia Pacific Japan (APJ) including New Zealand and Australia
sapserv9 (169.145.197.110) for customers in APJ including New Zealand and Australia
sapserv10 (203.13.159.37) for customers in China

There is no change in logon group, you can use

1_PUBLIC
2_JAPANESE
EWA





SAP Note 2740667 - RFC connection SAPOSS to SAP Service & Support backbone will change (latest) in January 20...

ABAP System: SAP_BASIS 740 & Above


For system higher than 740, mandatory protocol is HTTPS so we need to configure RFC accordingly and make relevant changes so SAP Notes gets download using HTTPS protocol instead of RFC protocol i.e. SAPOSS



There is task list available to configure HTTPS communication. Task List is available in systems with at least SAP_BASIS 740 after applying TCI in SAP Note 2738426. So if you don't have TCI enable you have to manually create RFC in SM59. For manual step follow "Digital Signature.pdf" attached to SAP Note 2576306 - Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes

Here I will be using task list to configure HTTPS communication channel, so for that SAP Note 2738426 needs to be implemented.





ssl/client_ciphersuites (step 3 in task list)

We need to set parameter ssl/client_ciphersuites and parameter value for enabling highest TLS protocol version with BEST-OPTION.

Recommended Configuration of Available TLS Protocol Versions (required for enabling TLSv1.2)

ssl/client_ciphersuites  =  150:PFS:HIGH::EC_P256:EC_HIGH



Restart the system after adding/changing parameter.

For more information, read SAP Note 510007 - Setting up SSL on Application Server ABAP

client certificate (step 4 in task list)

Once the Note has been implemented we need to export below client certificate in STRUST. Click on the link to get the certificate

STRUST > SSL client SSL Client (Standard)

Note: You can import client certificate in SSL Client (Standard) or SSL Client (Anonymous), but relative option needs to selected while running task list otherwise you will get error while running task list. I have imported all the above client in SSL client (standard)



As you can see in Certificate List all 4 client certificate has been added but make sure you save it before you exit this transaction or execute task list

Generate Task List

STC01 > SAP_BASIS_CONFIG_OSS_COMM





In task 3, we can select where it can check certificates for SSL client. As we have added all certificates in ssl client (standard) we will keep that selection.



Enter parameter for 4th task - New OSS Comm: Create HTTPS Connections for SAP Services (SM59)



Only insert first three field i.e. Technical Communication User, Password and Router String and press enter. Remaining field under HTTPS Connection for Support Portal will automatically populated. Save the variant and go back




Direct download of Digital SAP Note – Setting


To directly download the digitally signed SAP Notes using SNOTE transaction, proceed as follows:

Defining Procedure for Downloading SAP Note (RCWB_SNOTE_DWNLD_PROC_CONFIG)

Defining File Type for Downloading SAP Note (RCWB_UNSIGNED_NOTE_CONFIG)

For SAP version 740 and above we have to set HTTPS Protocol to download SAP Note, to make this setting we need to define procedure for downloading SAP Note using RCWB_SNOTE_DWNLD_PROC_CONFIG report



On saving above procedure, SAP Notes will be downloaded using SAP-SUPPORT_NOTE_DOWNLOAD RFC destination and connection to SAP Support portal will be using SAP-SUPPORT_PORTAL

Download of unsigned SAP Notes as fallback. Following customization is also provided to choose download of unsigned SAP Note as fallback via the report RCWB_UNSIGNED_NOTE_CONFIG



Download of unsigned SAP Note in SNOTE will be supported only until end of 2019.

Validation


Download any SAP Note using SNOTE and in log you can see it is been downloaded to HTTPS protocol which is connected to SAP Backbone support system.



Regards,

Dennis Padia
98 Comments
Labels in this area
Popular Blog Posts