Step by Step guide on SAP Support Backbone Update and Enabling Note Assistant for Digitally Signed SAP Notes

Procedure for Implementing the Bootstrap SAP Note

Download the Bootstrap TCI: 

In our scenario below we are in Basis level 740

a) Search and open the relevant bootstrap SAP Note xxxxxxx from SAP One Support Launchpad. For more information on relevant bootstrap SAP Notes, refer to the above TCI notes table.

b) Choose Correction Instructions and select SAP_BASIS Software Component.

c) On the Correction Instruction view, select the relevant software component version (on the left side) and choose Download (on the right side). Save the SAR file into your directory.

d) Log on into client 000 of the ABAP system you want to install the TCI.

e) Upload the bootstrap TCI SAP Note to the system: Call transaction SPAM, then choose Support Package > Load Packages > From Front End and navigate to the directory, into which you downloaded the SAR file (for example, K70003CPSAPBASIS.SAR).

Define queue:

a) In transaction SPAM, display the new support packages.

b) From the OCS Package Directory: New Packages view, select the respective bootstrap TCI SAP Note.

c) To define the TCI queue, click the Calculate Queue button.

Click No

Note: If you receive the following message “Not allowed Support Package is already applied,” the import of TCI is not required as the required changes are already available in the system.

d) Import the TCI queue: Click the Import queue button to import the TCI queue and complete the steps.

Continue to import and complete

e) Confirming the queue: Once the queue is imported, you are prompted with the next action – to go to the SAP Note Assistant (transaction SNOTE) and download (Even if the Note is available download it again) and implement the bootstrap note; that the status of the SAP Note is completely implemented. Doing this will automatically confirm the SPAM queue.

Note: If your system is not connected to the Online Service System (OSS) confirming the queue is not possible. In this case, you first download the SAP Note from the SAP Support Portal and upload SAP Note xxxxxxx (for example, SAP Note 2446868 for 700 release) using the Note Assistant tool and then confirm the queue.

Verify the SAP Note Status: Verify if the status of the SAP Note xxxxxxx (for example, SAP Note 2446868 for 700 release) is set to Completely Implemented.

Preparing Note Assistant (Transaction SNOTE) is also called as bootstrapping.

Once the SNOTE is bootstrapped, any SAP Note containing TCI can be implemented in the same way as implementing any other SAP Note.

2. Enabling Note Assistant for Digitally Signed SAP notes

SAP recognizes a security threat during upload of SAP Note into customer landscape. The SAP Note can get modified maliciously and the customer can upload unknowingly the maliciously modified SAP Note into their landscape.

Therefore, SAP delivers all SAP Notes having ABAP corrections with digital signature to protect SAP Notes with increased authenticity and improved security.

SAP strongly recommends uploading or download only digitally signed SAP Notes. The digital signature verification feature is enabled for both uploading or downloading of SAP Notes.

The SNOTE is enabled to work with Digitally Signed SAP Notes from the following SPs of their respective releases of SAP_BASIS software component.

Note: All higher releases (753 and above) has the enablement from SP00 itself.

For the releases listed in the table above, if you are on lower SPs, perform the following steps:

Prerequisites

1. You have to implement the SAP Note 2408073 and SAP Note 2546220 for uploading digitally signed SAP Note and digital signature verification.

2. You have to implement the SAP Note 2508268 for downloading digitally signed SAP Note.

(OR)

1. Implement  TCI NOTE “2576306 – Transport-Based Correction Instruction (TCI) for                      Download of Digitally Signed SAP Notes” containing the SAP Notes 2408073, 2546220 and         2508268

While uploading the TCI package if there is a failure in signature verification please refer to the SAP Note 2520826 for solution.

“SAP recommends Implementing SAP Note 2576306 instead of applying the above individual SAP Notes.”

Follow below steps to implement the SAP Note with the corresponding TCI in your development system, use the Note Assistant via transaction SNOTE.

Note: Warnings about objects without directory entry can be ignored, since TCIs can contain deletions.

Import the adjustment transport into your productive system – to implement the TCI in productive system.

Procedure for implementing an SAP Note containing TCI

Download the SAP Note (which is also a TCI note)

Download the TCI package:
a) Search and open the relevant SAP Note xxxxxxx in SAP ONE Support Launchpad

b) Choose Correction Instructions and select the relevant software component.

c) On the Correction Instruction view, select the relevant software component version (on the left side) and choose Download (on the right side). Save the SAR file into your system.

d) Log on into client 000 of the ABAP system you want to install the TCI.

e) Upload the TCI SAR file in the Note Assistant, Choose Goto > Upload TCI

Note: Alternatively, you can upload the TCI SAR archive (for example, K700005CPSAPBASIS.SAR) through Support Package Manager or SAINT from front end to your development system

To do so, call transaction SPAM or SAINT in client 000 and choose Support Package > Load Packages > From Front End in transaction SPAM or Installation Package > Load Package > From Front End in transaction SAINT.

Note: If Upload TCI is not available in SNOTE transaction, then execute Report RSLANG20(Refer to SAP Notes 110910 and 48624).  After this step, launch SNOTE and choose Goto > Upload TCI

Implement the SAP Note xxxxxxx as any other SAP Note in Note Assistant

Copy the corrections to Transport request and proceed

Once the prerequisite step of implementing 2576306 – Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes is completed, follow below connection setup based on your system version

• SAP ABAP systems with lower SAP Releases (= lower than SAP Kernel 7.42 Patch Level 400) who want to download SAP notes or uses software components  of ST-PI and ST-A/PI will still use RFC connection SAPOSS or SAPSNOTE, but changes with that RFC connection`s SAPOSS or SAPSNOTE are mandatory!

• This is the default procedure for all releases of SAP_BASIS until end of 2019.

• From January 1 st 2020 the following will be enforce:

> This procedure will be the default option for SAP_BASIS releases 700 to 731 only.

>  As system kernel version is below 742, we can use SAPOSS connection but we need                          to make below changes.

> Generic user (OSS_RFC) will not be allowed in RFC destinations SAPOSS/SAPSNOTE.

>  Only customer S user (recommended is Technical Communication User) will be allowed.

>  SAPRouter string to the SAP Service and Support target system of the SAP infrastructure                   can be:

target host: /H/X1/S/S1/H/X2/S/3299/H/oss001.wdf.sap.corp with

X1 = IP address of saprouter on SAP customer side
X2 = IP address of sapservX
S1 = TCP port of SAPRouter on customer side

Possible settings for sapservX could be:

sapserv1 (194.117.106.129) Internet VPN connection
sapserv2 (194.39.131.34) Internet SNC connction
sapserv3 (147.204.2.5) SAP customers from Germany will typically use that settings
sapserv4 (204.79.199.2)SAP customers from US region will typically use that settings
sapserv5 (194.39.138.2) SAP customers from Japan will typically use that settings
sapserv7 (194.39.134.35) SAP customers from region APJ (Asia Pacific) inclusive                                              New Zealand and Australia will typically use  that settings
sapserv9 (169.145.197.110) SAP customers from region APJ (Asia Pacific) inclusive                                          New Zealand and Australia will typically use  that settings
sapserv10 (203.13.159.37) SAP customers from China will typically use that settings.

> There is no change in logon group, you can use 1_PUBLIC, 2_JAPANESE, EWA

>  It is mandatory to use “oss001.wdf.sap.corp” and Load Balancing and a Technical                               Communiation User in your RFC connection to SAP Backbone.

RFC destinations SAPOSS/SAPSNOTE will not work in ABAP systems on SAP_BASIS release 740 and above. Instead HTTPS communication should be used.

2> HTTPS procedure for SAP_BASIS release 740 and above

• For system higher than 740, mandatory protocol is HTTPS so we need to configure RFC accordingly and make relevant changes so SAP Notes gets download using HTTPS protocol instead of RFC protocol i.e. SAPOSS

• By following recommended destination names, configuration can be reused in other scenarios

Either manual or automatic configuration of HTTP connection setup can be followed. For manual step follow “Digital Signature.pdf” attached to SAP Note 2576306

In our scenario we will see automatic setup.“SNOTE 2738426 for Automated Configuration of new Support Backbone Communication”HTTPS prerequisites can be configured in ABAP Task Manager (STC01) by executing automated Task List SAP_BASIS_CONFIG_OSS_COMM.This task list contains common configuration steps for the ABAP task manager, and automatically creates the required connections to the support backbone.Technical Communication User and SAP Router string needs to be prepared before execution

Check SPAM version – minimum level 70, Implemented TCI note 2738426

Execute task list ‘New OSS Communication’:Run transaction STC01 to open Task Manager for Technical Configuration

Select task list ‘SAP_BASIS_CONFIG_OSS_COMM’ – New OSS Communication

Task 1: Check CommonCryptoLib.

Task 2: We need to set parameter ssl/client_ciphersuites and parameter value for enabling highest TLS protocol version with BEST-OPTION.

Check for the parameter, if it already exists with the required value no change is required if not we need to set parameter ssl/client_ciphersuites value.

Before Configuration of parameter: value of ssl/client_ciphersuites parameter is not set

Added profile parameter value as ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH,

Restart the system after adding/changing parameter.

For more information, read SAP Note 510007 – Setting up SSL on Application Server ABAP

Task 3: Check certificate for SSL Client

Checked in transaction STRUST, no certificates exist.

Obtain certificates from certificate provider websites or use below link.

• VeriSign Class 3 Public Primary Certification Authority – G5
• DigiCert Global Root CA
• DigiCert Global Root G2
• Baltimore CyberTrust Root

Add the required certificates and save it.

Note: Import client certificate in SSL Client (Standard) or SSL Client (Anonymous), but relative option needs to selected while running task list otherwise you will get error while running task list. I have imported all the above client in SSL client (standard)

Task 4: Create HTTP connection

Maintain the fields Technical Communication User, Password and Router String (optional, if required), press ‘Return’, ‘Save’ and ‘Back’

Task 5: Change the user in RFC connection SAPOSS with technical user

Task 6: Select Restart of ICM if required, optional

Execute the task list by pressing button ‘Start/Resume Task List run in Dialog (F8)’

Click on the detailed log icon of each task to see the results of the task execution

Checked in transaction SM59, new connection destinations are created by the execution of above tasks list.

Following RFC’s created by Digital Signed process are working fine (test is good):

SAP-SUPPORT_PORTAL (Status HTTP response is 200)
SAP-SUPPORT_PARCELBOX (Status HTTP response is 200)
SAP-SUPPORT_NOTE_DOWNLOAD (Status HTTP response is 404)

3> Download Service application for SAP_Basis Release 700 onwards

• Available for SAP_BASIS release 700 onwards
• Any ABAP system having download service can be used as download system.

The SAP NetWeaver download service allows you to download files directly into your SAP NetWeaver Application Server ABAP system from any SAP destination addressed through a URL.

The most important use case for the SAP NetWeaver download service is downloading from SAP file shares connected to the SAP Support Portal and the download of SAP Notes with all their dependencies and relevant SAP Notes transport-based correction instructions (TCIs).

The downloading of files from SAP file shares is only possible after a successful login to the respective SAP Support Portal system with an S-user authorized for the file download.

With below scenario we will explain what to configure to use download service. We have taken download system as our Solution Manager 7.2 system in our scenario.

Implement SAP note 2554853 SAP Netweaver Download service for SAP Notes

The following information describes how to configure the SAP NetWeaver download service to your needs.

Authorizations and Roles:

To carry out the following configuration tasks and to use the SAP NetWeaver download service, you require specific authorizations and roles.

Configuring the SAP NetWeaver download service involves the following steps:

Step 1: You set up the connection to the SAP Support Portal:

1.You maintain the S-user configuration using the transaction SDS_CONFIGURATION.

2. You configure the client certificates.

The following root certificates must be registered for the SSL client SSL Client                (Standard) in the SAP NetWeaver system:

• For access to https://smpdl.sap-ag.de or https://service.sap.com: VeriSign Class 3 Public Primary Certification Authority – G5
• For access to https://smpdla.sap.com: Baltimore CyberTrust Root
• For access to https://*.softwaredownloads.sap.com or https://*.notesdownloads.sap.com: VeriSign Class 3 Public Primary Certification Authority – G5 and GeoTrust Global CA
• For access to https://apps.support.sap.com: Symantex Class 3 Secure Server CA -G4

1. To import certificates, call transaction STRUST and, under SSL client SSL Client (Standard), choose Import certificate.
2. On the File tab page, browse to the downloaded certificate files and import the certificates by choosing Continue  Add to Certificate List.
3. Save your changes.

   The Certificate List is now updated with the new certificates.

If the SAP NetWeaver download service fails during the download from these locations, see SAP Note 2456654 .

If errors occur, restart the ICM Monitor using transaction SMICM. This restarts ICM services and reloads all certificates in your system.

  3. You adapt the proxy settings.

• On the Gobal Settings tab page, make sure that a proxy server exists and specify destinations that should not be accessed using the proxy server.

2. Adapting settings for a local proxy server

• On the Proxy Settings tab page, enter the connection information for the proxy server and choose OK

If you have proxy settings available enter them and save.

 4. You configure the HTTPS service.

Procedure

1. Check if the HTTPS service is configured.

Call transaction SMICM (ICM Monitor) and choose Goto Services.
Check if an entry for the HTTPS protocol exists and is set to active.

2. If no active entry exists, choose one of the following options:

Create a non-permanent entry that is valid until the next restart.

To create a new entry, choose Service Create, enter the required information for an                            HTTPS protocol and choose Create Service.

To activate an existing but inactive HTTPS entry, select the entry and choose Service                          Activate.

Create a permanent entry.

Call transaction RZ10.

Choose the default or instance profile entry and create a new parameter entry                                      icm/server_port_<number> by choosing Extended maintenace Change Parameter                              Create.

Example: icm/server_port_2 PROT=HTTPS, PORT=44300, PROCTIMEOUT=300, TIMEOUT=300

3. To enable the download of SAP Notes from https://apps.support.sap.com, call transaction RZ10 and create the profile parameter ssl/client_ciphersuites with the value 918:PFS:HIGH::EC_P256:EC_HIGH.

Step 2: You set up the download directory.

The logical file DOWNLOAD_SERVICE_DIR is defined and delivered by default. It points to the /usr/sap/trans/EPS/in directory in UNIX nomenclature. This path is specified in the definition of the logical path DOWNLOAD_SERVICE_PATH.

If the target directory fits your system, you can use the default logical file DOWNLOAD_SERVICE_DIR. You can also adjust the directory to which the logical path DOWNLOAD_SERVICE_PATH is pointing to your target directory, or you can create your own logical file paths, assignments of physical paths to logical paths and logical file names.

Procedure

Adjusting the physical path assignment of the default logical path

1.Call transaction FILE and select the DOWNLOAD_SERVICE_PATH entry in the Create a logical file path table.

2. Go to Assignment of Physical Paths to Logical Path and adapt the physical path according to your target directory or operating system, respectively.

3. Save your changes.

(OR)

Defining a new logical file

1. Call transaction FILE, choose New Entries, and specify a logical file path.
2. Under Assignment of Physical Paths to Logical Path, assign a physical path.
3. Go to Logical File Name Definition, Cross-Client, double-click your logical file, assign your new logical file path to it, and save your changes

Step 3.You maintain execution parameters using the transaction SDS_CONFIGURATION.

1. Creating a user-specific execution parameter

On the Execution Parameters tab page, choose Create Entry.

In the upcoming dialog box, for all fields the hard-coded system defaults are set. Enter here                the respective values for your configuration. If you want to create a system default execution              parameter, enter all values except the user name.

2. Changing an existing execution parameter

On the Execution Parameters tab page, select the entry that you want to change and choose            Change Entry.

Enter your changes.

You can change all parameters but the user name.

Confirm your changes by choosing Continue and then Save.

3. Deleting an execution parameter

On the Execution Parameters tab page, select the entry that you want to delete and choose          Delete Entry.

The entry is removed from the Execution Parameters table.

Step 4. You set up the SL protocol service.

Prerequisites

You only need to perform this step if the following situations apply:

The release version of your SAP NetWeaver Application Server ABAP is 7.4 or higher.
The SL protocol is used.

Procedure

Call transaction SICF.

Set the Hirarchy Type to SERVICE and choose Execute.

Expand the nodes under default_host and navigate to the following service trees:

SL protocol: <defaulthost>/sap/bc/rest/SLProtocol

REST protocol: <defaulthost>/sap/bc/rest

Ensure that the services are active.

Following are the two modes through which you can consume the digitally signed SAP Notes:

• How to Upload Digitally Signed SAP Notes Using SNOTE Transaction
• How to Download Digitally Signed SAP Notes Using SNOTE Transaction

1.How to Upload Digitally Signed SAP Notes Using SNOTE Transaction

Digitally signed SAP Notes are available from SAP ONE Support Launchpad. You can upload the digitally signed SAP Notes into the SNOTE transaction as follows:

Procedure

1. Download the digitally signed SAP Note from SAP ONE Support Launchpad
2. Run the SNOTE transaction
3. From the menu bar, choose Goto -> Upload SAP Note

2.How to Download Digitally Signed SAP Notes Using SNOTE Transaction

Based on your SAP NetWeaver version, you have the following ways to download SAP Notes into your system.

Download Procedures for NetWeaver 700 to 731:

1. Download service
2. RFC (Enabled by default)

Download Procedures for NetWeaver 740 and later:

1. Download service
2. HTTP
3. RFC (Enabled by default until end of 2019.

To directly download the digitally signed SAP Notes using SNOTE transaction, proceed as follows:

Depending upon the settings defined in the Customization, the digitally signed SAP Notes are downloaded.

1. Defining Procedure for Downloading SAP Note (RCWB_SNOTE_DWNLD _PROC_ CONFIG)

2. Defining File Type for Downloading SAP Note (RCWB_UNSIGNED_NOTE _CONFIG) Note

Defining Procedure for Downloading SAP Note (RCWB_SNOTE_DWNLD _PROC_ CONFIG)

With the introduction of digitally signed SAP Notes, various procedures or modes are offered for downloading the SAP Notes. You use this report to define a procedure based on your requirement for downloading the SAP Note.

The report RCWB_SNOTE_DWNLD_PROC_CONFIG is used for customizing the different procedures.

If you are on the SPS level where the feature is delivered or implemented the TCI 2576306, this activity can be performed through IMG customization (IMG > SAP NetWeaver Implementation Guide > Application server > Basis Services > SNOTE )

This is a one time set up. If required, you can change the settings in this report at any given point in time.

RFC procedure for download of digitally signed SAP Note

If you choose this option, the system uses RFC destination SAPOSS or SAPSNOTE, whichever is applicable, to download the digitally signed SAP Note.

By default, the system uses the RFC option when no other option is selected.

->Starting 1st January 2020, downloading SAP Note using RFC procedure will no longer be supported for NetWeaver 740 and higher. You need to choose a download procedure between Download Service Application or HTTP Protocol.

HTTPS procedure for download of digitally signed SAP Note

If you choose below option, the system uses the HTTPS protocol to download the digitally signed SAP Note.

When you run this report RCWB_SNOTE_DWNLD_PROC_CONFIG using the transaction SE38, following are the various procedures offered in the report to download the SAP Note. Select HTTPS and save configuration.

Validation:

Try to download one SNOTE and check the logs.

Logs will now contain Digitally Signed SAP note is downloaded using HTTPS as below.

Note: When using this option we faced situation where no proper messages are displayed like below, to solve it follow manual action in 2508268 snote

After maintaining above message numbers with text we were able to read the SNOTE log texts properly.

Download of digitally signed SAP Note using Download Service application

If you choose this option, the system uses the Download Service application to download the digitally signed SAP Note.

The download service can be present in the same system that you are using to download the digitally signed SAP Note or in another system. For example, the SAP Solution Manager can be used as the download service system. Ensure that you have established the RFC connection, of type 3, to the download service system.

Advantage: Associated Transport based Correction Instruction (TCI) packages and prerequisite SAP
Notes are downloaded automatically

For example, assume you have an SAP Note and that SAP Note has around 20 prerequisite SAP Notes. When you try to download the SAP Note, the 20 prerequisite SAP Notes also get downloaded automatically. Whereas in the other two options (RFC and HTTP Protocol), the prerequisite SAP Notes get downloaded during the implementation of the present SAP Note

In report RCWB_SNOTE_DWNLD_PROC_CONFIG, choose download service

On the Download Service System the RFC destination has been set to NONE and click save.

Validation:

Tried to download one SNOTE and check the logs.

Logs will now contain Digitally Signed SAP note is downloaded using Download Service as below.

Note: Refer below snotes if you face any issues while downloading SNOTE with download service.

2803658 – After configuring the Netweaver Download Service for SAP Notes, attempting to download a note gives Error I:SCWNL810 NONE.

2608378 – Download fails when downloading a high number of Notes

2618713 – Timeout during download of SAP Notes via SAP Download Service

Defining File Type for Downloading SAP Note (RCWB_UNSIGNED_NOTE _CONFIG)

Report RCWB_UNSIGNED_NOTE_CONFIG was used to set “Do not download unsigned SAP Note”

In future when you try to upload any SNOTE which is not digitally signed choosing this option will not allow that SNOTE to be implemented in our system.

Click on migrate tasks, and validate  RFC destinations in task specific settings in SDCCN are migrated.

In below scenario we explain how to manually make configuration changes in SDCCN,

Goto Settings-> task specific

Add destination SAP-SUPPORT_PORTAL and Remove destination SDCC_OSS

Delete all tasks that have the target SAP (O02).

Create the tasks again. The new tasks will use new destination SAP-SUPPORT_PORTAL or SAP-SUPPORT_PARCELBOX depending on the task type.

ANST Configuration Update:

In ANST transaction, settings change RFC Destination from SAPOSS to SAP-SUPPORT-PORTAL if the SAPOSS connection throws error while downloading SAP notes using ANST transaction.

Reference Links and SAP Notes:

->FAQ – Digitally Signed SAP Notes – 2537133 

-> Cheat Sheet for enabling SNOTE for Digitally Signed SAP Notes and for TCI