How To Configure Note Assistant Tool(SNOTE) For Digitally Signed SAP Notes
This blog provides a detailed information regarding the upload and download of digitally signed SAP Notes using SNOTE transaction
Customers download SAP Notes from SAP ONE Support Launchpad or Note Assistant (SNOTE) tool in a secured way. Customers also upload the downloaded SAP Notes from SAP ONE Support Launchpad to their ABAP system using the Note Assistant (SNOTE) tool.
SAP recognizes a security threat during upload of SAP Note into customer landscape. The SAP Note can get modified maliciously and the customer can upload unknowingly the maliciously modified SAP Note into their landscape.
Therefore, SAP delivers all SAP Notes having ABAP corrections with digital signature to protect SAP Notes with increased authenticity and improved security. SAP strongly recommends uploading or download only digitally signed SAP Notes. The digital signature verification feature is enabled for both uploading or downloading of SAP Notes.
UPGRADE: Act now! SAP Notes Download and Upload Process will be impacted starting January 1, 2020. The download and upload process will stop working unless Note Assistant is enabled in ABAP system to work with Digitally Signed SAP Notes! To learn more about this, please view this video:https://www.msgp.pl/vH9XAQw
To ensure authenticity of the delivered SAP Notes, you enable the Note Assistant tool or SNOTE to consume digitally signed SAP Notes having ABAP corrections.
- You have implemented the SAP Note 2408073 and SAP Note 2546220 for uploading digitally signed SAP Note and digital signature verification.
- You have implemented the SAP Note 2508268 for downloading digitally signed SAP Note.
SAP recommends Implementing SAP Note 2576306 instead of applying the above individual SAP Notes.
The SAP Note 2576306 contains Transport-Based Correction Instruction (TCI)
Please see here for more information.
Information about SAP Note 2576306
The SAP Note 2576306 contains transport-Based Correction Instruction (TCI).
The TCI bundles the following SAP Notes
- SAP Security Note 2408073
- SAP Security Note 2546220
- SAP Note 2508268.
In implementing SAP Note 2576306 there is no manual activities to be performed.
It is highly recommended to implement the SAP Note 2576306 containing the TCI instead of separately implementing each of the 3 SAP Notes listed above.
Please refer to the SAP Note 2187425 to learn about preparing the Note Assistant (Transaction SNOTE) to consume TCIs (i.e. SNOTE to be able to implement SAP Note containing TCI).
Preparing Note Assistant (Transaction SNOTE) is also called as bootstrapping. Once the SNOTE is bootstrapped, any SAP Note containing TCI can be implemented in the same way as implementing any other SAP Note. The bootstrapping of SNOTE is not transportable. Whereas the implementation of SAP Note containing TCI, in SNOTE, is locked in Transport Request and is transportable.
While uploading the TCI package if there is a failure in signature verification please refer to the SAP Note 2520826 for solution.
If the verification of digital signature for an SAP Note fails, the Note Assistant tool logs the security event in the application server using log object (CWBDS). To view the application logs, you should have authorization to the S_APPL_LOG authorization object.
How to Consume Digitally Signed SAP Notes
Following are the two modes through which you can consume the digitally signed SAP Notes:
- How to Upload Digitally Signed SAP Notes Using SNOTE Transaction
- How to Download Digitally Signed SAP Notes Using SNOTE Transaction
How to Upload Digitally Signed SAP Notes Using SNOTE Transaction
Digitally signed SAP Notes are available from SAP ONE Support Launchpad. You can upload the digitally signed SAP Notes into the SNOTE transaction as follows:
- Download the digitally signed SAP Note from SAP ONE Support Launchpad
- Run the SNOTE transaction
- From the menu bar, choose Goto -> Upload SAP Note
How to Download Digitally Signed SAP Notes Using SNOTE Transaction
Based on your SAP NetWeaver version, you have the following ways to download SAP Notes into your system.
NetWeaver 700 to 731:
- Download service
- RFC (Enabled by default)
NetWeaver 740 and later:
- Download service
- RFC (Enabled by default until end of 2019. Please see Prerequisites section below for more details)
To directly download the digitally signed SAP Notes using SNOTE transaction, proceed as follows:
You have performed the Customizing using the following reports:
- Defining Procedure for Downloading SAP Note (RCWB_SNOTE_DWNLD_PROC_CONFIG)
- Defining File Type for Downloading SAP Note (RCWB_UNSIGNED_NOTE_CONFIG)
- This customization is an optional step for preparing SNOTE to consume digitally signed SAP Note. However, for NetWeaver 740 and higher, this is an optional step only until the end of 2019.
Starting 1st January 2020, downloading SAP Note using RFC procedure will no longer be supported. You need to choose a download procedure between Download Service Application or HTTP Protocol.
- Defining the settings in the reports is a one-time event. If required, you can change the settings in these reports at any given point in time.
Before we start using SAP NetWeaver download service, make sure several configuration steps mentioned in the below link are performed.
Configuring the SAP NetWeaver download service involves the following steps:
1. You set up the connection to the SAP Support Portal:
- a) You maintain the S-user configurationusing the transaction SDS_CONFIGURATION.
- b) You configure the client certificates.
- c) You adapt the proxy settings.
- d) You configure the HTTPS service.
2. You set up the download directory.
3. You maintain execution parametersusing the transaction SDS_CONFIGURATION.
a)Maintaining S-User Configuration
With transaction SDS_CONFIGURATION, you specify the logon credentials (that is, S-user and password) for each user who is going to use the SAP NetWeaver download service. If no specific entry for a logon user exists, you can specify credentials to be used for a system default entry. The configuration for the system default is taken into account if no configuration exists for the particular logon user in question
b) Configuring Client Certificates
- To import certificates, call transaction STRUST and, under SSL client SSL Client (Standard), choose Import certificate.
- On the File tab page, browse to the downloaded certificate files and import the certificates by choosing Continue Add to Certificate List.
- Save your changes.
The Certificate List is now updated with the new certificates
For an up-to-date list of the required certificates, see SAP Note 2620478
c) Adapt Proxy Settings
Depending on the network topology, the SAP NetWeaver Application Server ABAP system might not be able to directly connect to the Internet. In this case, a proxy needs to be configured that routes the download requests to the Internet. You can choose to have a local or a global proxy server.
- Adapting settings for a global proxy server
- Call transaction SM59 and choose .
- On the Gobal Settings tab page, make sure that a proxy server exists and specify destinations that should not be accessed using the proxy server.
- On the HTTPS Protocol tab page, enter the connection information for the proxy server and choose OK.
- Adapting settings for a local proxy server
- Call transaction SDS_CONFIGURATION in change mode.
- On the Proxy Settings tab page, enter the connection information for the proxy server and choose OK.
d) Configuring the HTTPS Service
As the SAP NetWeaver download service connects to the SAP Support Portal via the HTTPS protocol, this protocol needs to be enabled at the SAP NetWeaver Application Server.
- Check if the HTTPS service is configured.
- Call transaction SMICM (ICM Monitor) and choose .
- Check if an entry for the HTTPS protocol exists and is set to active.
- If no active entry exists, choose one of the following options:
- Create a non-permanent entry that is valid until the next restart.
To create a new entry, choose Create Service., enter the required information for an HTTPS protocol and choose
- To activate an existing but inactive HTTPS entry, select the entry and choose .
- Create a permanent entry.
- Call transaction RZ10.
- Choose the default or instance profile entry and create a new parameter entryicm/server_port_<number> by choosing .
- Create a non-permanent entry that is valid until the next restart.
- To enable the download of SAP Notes from https://apps.support.sap.com, call transaction RZ10 and create the profile parameter ssl/client_ciphersuites with the value 918:PFS:HIGH::EC_P256:EC_HIGH.
For more information on the Customizing reports, see
- Defining Procedure for Downloading SAP Notes
- Defining File Type for Downloading SAP Notes
- Run the transaction SNOTE
- From the menu bar, choose Go to -> Download SAP Note
Depending upon the settings defined in the Customization, the digitally signed SAP Notes are downloaded.
Defining Procedure for Downloading SAP Notes
With the introduction of digitally signed SAP Notes, various procedures or modes are offered for downloading the SAP Notes. You use this report to define a procedure based on your requirement for downloading the SAP Note.
The RCWB_SNOTE_DWNLD_PROC_CONFIG report is applicable for download through Go To->Download SAP Note in SNOTE transaction. If you are on the support package where the feature is delivered or implemented the TCI in SAP Note 2576306, this activity can be performed through IMG customization -IMG->SAP Netweaver->Application server->Basis Services-> SNOTE. This is a one-time set up. If required,you can change the settings in this report at any given point in time.
When you run this report using the transaction SE 38, following are the various procedures offered in the report to download the SAP Note:
- Remote Function Call (RFC)
If you choose this option, the system uses RFC destination SAPOSS or SAPSNOTE, whichever is applicable, to download the digitally signed SAP Note.
By default, the system uses the RFC option when no other option is selected.
->Starting 1st January 2020, downloading SAP Note using RFC procedure will no longer be supported for NetWeaver 740 and higher. You need to choose a download procedure between Download Service Application or HTTP Protocol.
- HTTP Protocol
If you choose this option, the system uses the HTTPS protocol to download the digitally signed SAP Note. For more information, see How to Set Up RFC Destination for HTTP Protocol.
- Download Service Application
If you choose this option, the system uses the Download Service application to download the digitally signed SAP Note.
The download service can be present in the same system that you are using to download the digitally signed SAP Note or in another system. For example, the SAP Solution Manager can be used as the download service system. Ensure that you have established the RFC connection, of type 3, to the download service system.
The advantage of this option are as follows:
- The package associated with the transport-based correction instruction (TCI) is also downloaded automatically.
- The system downloads the prerequisite SAP Notes.
For example, assume you have an SAP Note and that SAP Note has around 20 prerequisite SAP Notes. When you try to download the SAP Note, the 20 prerequisite SAP Notes also get downloaded automatically. Whereas in the other two options (RFC and HTTP Protocol), the prerequisite SAP Notes get downloaded during the implementation of the present SAP Note
In my scenario I have selected option Download Service Application in the report RCWB_SNOTE_DWNLD_PROC_CONFIG as shown below
- On the Download Service System the RFC destination has been set to NONE as described in the instructions of Defining Procedure for Downloading SAP Notes
Now when I try to download a note, it gives Error I:SCWNL810 NONE
To resolve above error, please follow the note
2803658 – After configuring the Netweaver Download Service for SAP Notes, attempting to download a note gives Error I:SCWNL810 NONE.
As per the above note 2803658 to resolve issue , please implement below note into system.
2554853 – SAP NetWeaver download service for SAP Notes
->Make sure that you maintain proper s-user credentials in t-code SDS_CONFIGURATION otherwise you face error as shown below
It is simple password problem,make sure user is not locked and password is in working condition.
->SNOTE: Note Download fails when downloading a high number of Notes –2608378
->SNOTE: Timeout during download of SAP Notes via SAP Download Service –2618713
->SNOTE log messages displayed improperly after enabling Digitally Signed SAP Notes –2783798
->Download Service: Documentation and corrections -Note 2310393
->FAQ – Digitally Signed SAP Notes – 2537133
-> Cheat Sheet for enabling SNOTE for Digitally Signed SAP Notes and for TCI
->Exception handling corrected in download of digitally signed SAP Note for callers other than SNOTE –2603877